Cloud Custodian in a Container

Using Capitol One Cloud Custodian in a container
Continuing with my desire to containerize as many services as possible ... I
created a container profile for Cloud Custodian
[]  (c7n) and c7n-org that I use successfully
every day. Both on my local machine and on deployed web servers.

As with any other AWS Service you will need to declare permissions. You have a
choice of asserting Access Keys on your machine or leveraging the power of Roles
and thus limiting the risks associated with unauthorized access and usage.

On your controlling machine you need to set some AWS permissions. Custodian will
by default look for the default AWS Credentials configurations. Thus creating
the following files and configuring them accordingly.





Example usage:

custodian run --profile sandbox-playground --output-dir . --verbose asg.yml

Let's look at some code

# Dockerfile 
FROM python:3.7-alpine

RUN pip install c7n c7n-org \
    && mkdir -p /scripts/

Note the absence of ENTRYPOINT  and CMD  in this Dockerfile. This allows the
passing of commands making the usage more general. This will be better
understood as we get to the Usage section below.

Build script
docker build -t="custodian" .

## NOTE ## Make sure to update the path (/sr/custodian/run) to the full path of the directory in which you place these files. 
## The following will create a SymLink (Symbolic Link) to the run file saving you the hassle of referencing the full path 
## each time you execute the command.
ln -sf /srv/custodian/run /usr/local/bin/custodian

Run Script
The "$@" appends ALL the verbiage following the $ custodian  command. Reference
the Usage section below for examples.

docker run -v "${PWD}:/policies" -v "${HOME}/.aws/:/root/.aws/" -v "/tmp/custodian:/tmp" -e AWS_PROFILE -it --rm custodian "$@"

Yes, it would be more readable as below. However I have experienced too many
issues of it not being interpreted properly and use the above without issues.
Keeping in mind that I cross multiple platforms daily.

docker run \
  -v "${PWD}:/policies" \
  -v "${HOME}/.aws/:/root/.aws/" \
  -v "/tmp/custodian:/tmp" \
  -it --rm \
  custodian "$@"
$ custodian run --region us-east-1 --output-dir . --verbose custodian_aws_asg.yml

# NOTE the usage of the alias c7n
$ c7n custodian_aws_asg.yml

# NOTE the usage of the alias c7n-org
$ c7n-org run --config accounts.yml --output-dir . --tags path:/myEnv/Sandbox --dryrun --use custodian_aws_asg.yml

Aliases that I use
I use many aliases on my machines. These are meant to reduce the amount of
typing and increase efficiency not having to remember every key switch or the
unintended typos costing time to correct, etc. Here is an example alias as shown
in the Usage section above.

alias c7n='custodian run --output-dir=/tmp '
alias c7n-org='custodian c7n-org'
Example AWS User Data
apt-get update -y --fix-missing
apt-get install -y unzip python python-pip python3 python3-pip
pip3 install awscli --upgrade

# Install Docker
curl -sSL | sh
systemctl enable docker; systemctl start docker

aws s3 cp s3://%% YOUR BUCKET %%/ /tmp/
mkdir -p /srv/custodian/
unzip /tmp/ -d /srv/custodian/
mkdir -p /root/.aws/
mv /srv/custodian/aws/* /root/.aws/
cd /srv/custodian/ && chmod +x run && sh build
ln -s /srv/custodian/run /usr/local/bin/custodian