Best Practices for Efficient Execution

In this post, we'll delve into the considerations surrounding policy execution, with a focus on optimizing performance and minimizing potential disruptions.

Executing Policies in a Cluster: A Speedy Approach

When executing policies, the default behavior of Cloud Custodian is to call the AWS API to describe all resources of a given type. This process can be slow, resource-intensive, and potentially costly in terms of API calls. To counteract this, Cloud Custodian caches the results, with a default caching time of 15 minutes. To make the most of the cache, execute policies for the same resource type in a cluster, that is, grouped together so that they run within the same cache window. Executing policies in a cluster can significantly enhance performance, mitigate API throttling risks, and result in cost savings.

Filters and Actions Orchestration: A Strategic Sequence

As with ordering SQL WHERE clauses, the arrangement of filters should put high-performance filters first so that they quickly reduce the result set. Because filters execute sequentially, this ordering matters most when a policy has multiple filters.

Consider the example of filtering EBS snapshots based on age and usage status. Placing the age filter, which uses existing EBS snapshot metadata, before the usage status filter optimizes the process. This arrangement minimizes the expensive calls to AWS generated by the unused filter, contributing to a more efficient policy execution. To identify which filters are more expensive, the best approach is to examine the source code. This process is also highly beneficial for learning programming and design from the best authors.

filters:
  - type: age
    op: greater-than
    days: 90
  - type: unused
    value: true

Considerations for Actions: Reliability and Notification

When defining actions within Cloud Custodian policies, it's imperative to anticipate potential failures and interruptions. Taking the example of actions like notify and mark-for-op, a thoughtful orchestration can enhance the overall reliability of the process.

Considering the potential for action failures, it is advisable to place notification actions before any destructive actions. This ensures that stakeholders are informed before any critical actions take place. When choosing a notification destination, reliability becomes a key factor. Platforms like Slack, known for their robust messaging capabilities, can be a more dependable choice than destinations like Jira/DataDog, which may present unexpected challenges such as a missing mandatory field.

actions:
  - <<: *notify
    subject: AWS ebs-snapshot will be deleted in 14 days [{{ account }} {{ region }}]
  - type: mark-for-op
    tag: c7n_cleanup
    days: 14
    op: delete
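
The filter and action ordering rules above can be checked before a policy is deployed. The following is an added example, not part of the original post or of Cloud Custodian itself: lint_policy and the three name sets are hypothetical, the sets are assumptions taken only from this page's examples, and the policies are constructed dicts standing in for parsed YAML.

```python
# Added example: ordering lint for parsed Cloud Custodian policies.
# ASSUMPTION: these sets come only from this page's examples; extend them
# after reading the filter and action source for your resource types.
EXPENSIVE_FILTERS = {"unused"}                    # triggers extra AWS API calls
DESTRUCTIVE_ACTIONS = {"mark-for-op", "delete"}   # changes or removes resources
NOTIFY_ACTIONS = {"notify"}


def kind(item):
    """Type of a filter/action written as 'name' or {'type': 'name', ...}."""
    return item if isinstance(item, str) else item.get("type")


def lint_policy(policy):
    """Return ordering findings for one policy dict (top-level entries only)."""
    name = policy.get("name", "<unnamed>")
    findings = []

    seen_expensive = None
    for f in map(kind, policy.get("filters", [])):
        if f in EXPENSIVE_FILTERS:
            seen_expensive = seen_expensive or f
        elif f is not None and seen_expensive:
            findings.append(f"{name}: move filter '{f}' before '{seen_expensive}'")

    seen_destructive = None
    for a in map(kind, policy.get("actions", [])):
        if a in DESTRUCTIVE_ACTIONS:
            seen_destructive = seen_destructive or a
        elif a in NOTIFY_ACTIONS and seen_destructive:
            findings.append(f"{name}: move action '{a}' before '{seen_destructive}'")
    return findings


# Constructed policies, as they look after YAML parsing (the `<<: *notify`
# merge is already resolved into a plain notify action).
GOOD = {
    "name": "ebs-snapshot-cleanup",
    "resource": "aws.ebs-snapshot",
    "filters": [{"type": "age", "op": "greater-than", "days": 90},
                {"type": "unused", "value": True}],
    "actions": [{"type": "notify", "subject": "snapshot will be deleted"},
                {"type": "mark-for-op", "tag": "c7n_cleanup", "days": 14, "op": "delete"}],
}
BAD = dict(GOOD, name="ebs-snapshot-cleanup-misordered",
           filters=GOOD["filters"][::-1], actions=GOOD["actions"][::-1])

if __name__ == "__main__":
    for p in (GOOD, BAD):
        print(p["name"], lint_policy(p) or "ok")
```

Filters nested inside and/or blocks are not inspected, so a finding-free result only covers the top-level order.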

In conclusion, orchestrating Cloud Custodian policies involves a thoughtful approach to optimize execution speed, reduce API calls, and enhance overall reliability. By implementing cluster execution, strategic filter and action sequencing, and considering the reliability of notification destinations, you can ensure that your cloud management practices are both efficient and resilient.