How Cloud Custodian compute the filter?

[dehamzah]

In generic filter, we can pass multiple filter parameters to query the resources, is the order of the filter defined matter? How it works behind the scene?

[ajkerrigan]

Short Answer

• Yes, the order matters - filters are evaluated top-down in the order they're defined in the policy
• Each filter sees only the resources that have matched the filters that came before it
• "Put value filters first!" is a good rule of thumb

How Does it Work Behind the Scenes

While the details vary a bit based on a policy's execution mode, eventually custodian calls filter_resources() which loops through filters in order.

Each filter has a chance to trim the list of resources that will be passed into the next filter in the list.

How This Factors Into Policy Authoring

The "cost" of evaluating a filter can vary quite a bit. The generic filters you mentioned already have all the data they need, so they're usually pretty quick and easy to evaluate. Others (like the metrics filter) need to make additional API calls to get the data they need.

If we're looking at unused RDS instances for example, this filter setup has to fetch CloudWatch metrics for all RDS instances:

filters:
  - type: metrics
    name: DatabaseConnections
    days: 14
    value: 0
    op: equal
  - type: value
    value_type: age
    key: InstanceCreateTime
    value: 21
    op: gte

While this one only has to fetch metrics for instances that are over 21 days old, making it a more efficient policy:

filters:
  - type: value
    value_type: age
    key: InstanceCreateTime
    value: 21
    op: gte
  - type: metrics
    name: DatabaseConnections
    days: 14
    value: 0
    op: equal

So as a rule of thumb... put those value filters first!

Note: If you have two different value filters, the order doesn't typically matter so much. So go with whatever makes the policy the most readable/sensible to you and your fellow policy readers/writers.