Negating a Regex Operation - Help with creating a policy!

[gabfelp]

Hi! I made a policy and I wanted to know if this makes sense:

name: check-tag-ec2
resource: ec2
filters:
- type: offhour
  opt-out: true
  default_tz: pt
  offhour: '15'
- tag:one-tag: present
- not:
  - type: value
    key: InstanceId
    op: regex
    value: "^.*flag.*$"
actions:
- type: remove-tag
  tags:
  - some-tag

This policy is "compiling" with the library, but this not-regex operation doesn't seem to be working in filter.

To summarize what I want to do, I want to define a regex for resources that need to be "ignored" by the policy (should not execute the policy). In this case if the InstanceId of the EC2 resource has the substring flag in its composition, I don't want to run the policy on it.

I know that my application uses regex in a counterintuitive way, but I haven't found any other way to accomplish this with a single policy (I believe it is possible to use two policies, one to tag the elements having the regex first and a second one to run things only on those without this specific tag), but anyway, is there a simpler way?

Thanks!

[ajkerrigan]

The idea of negating a regex is fine, though regex matches against InstanceId seem unlikely to be useful (you have no control over an instance id, and i-abcd12345 isn't exactly human-readable).

If you have a specific list of resources you want to exclude, something like this is more common:

filters:
  - type: value
    key: InstanceId
    op: not-in
    value:
      - i-12345
      - i-23456
      - i-34567
      - ...

Often using value_from to maintain a skip list outside the policy.

If you're matching based on patterns rather than explicit IDs, you can look for regex patterns the way you mentioned. Maybe you want to skip resources with a certain string in their Name tags:

filters:
  - not:
    - type: value
      key: tag:Name
      op: glob
      value: *flag*  # or op: regex, value: .*flag.*

If things aren't behaving as expected, it might be helpful to include sanitized examples of resources you expect to match and not match your filter.

[gabfelp]

Thanks for the quick reply @ajkerrigan.

Yes, I do understand that Instances have unreadable IDs, but I was just trying this policy and I used that as an example in my environment.

In any case, I tried again after updating c7n to version 0.9.26 in Python (I was using 0.9.14) and it just worked! 😕 So I don't know if it was just the update or if I was doing something else wrong.

In any case, thank you so much for the clear explanation!

[ajkerrigan]

Cool, that makes sense. "...and it just worked" is always fun!