How to filter resource by OU tag with c7n-org #9687
I have a use case where I’d like to control policies being run against a set of accounts using c7n-org. I noticed that the OU gets generated as a tag in accounts.yaml so I was thinking of using it as a condition or filter in my policy but I can’t seem to get the logic right to get it working. Is it possible to filter resources based on OU like this or is there some other better way of handling this? Here’s an example policy for reference, the tag comes from account.yaml.
Replies: 1 comment 1 reply
When you use execution conditions, there's an `account` key that has account details from the c7n-org configuration. So if you want to filter based on tags, you can use the `account.tags` key in your condition filter. In your case, something like this should work:

```yaml
conditions:
  - or:
      - type: value
        key: account.tags
        op: contains
        value: "path:/Stage" # <- this is pulled from account.yaml
      - type: value
        key: account_id
        op: in
        value:
          - "111111111111"
          - "222222222222"
```

c7n-org also provides the ability to select accounts by tag at the command line. So rather than building that condition into your policy, you could run:

```shell
c7n-org run --dryrun --verbose --tags 'path:/Stage' --config c7n-org-cfg.yml --use my-policy.yml
```

On the plus side, that means you don't have to hardcode conditions into your policy. But if you try this for your case you'd need two separate runs:

```shell
c7n-org run --dryrun --verbose --tags 'path:/Stage' --config c7n-org-cfg.yml --use my-policy.yml
c7n-org run --dryrun --verbose --accounts '111111111111,222222222222' --config c7n-org-cfg.yml --use my-policy.yml
```

Because combining
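Added example, not part of the original reply and not Cloud Custodian's own code: a simplified Python model of the `or` condition from the reply, evaluated over a constructed account list, to preview which accounts the policy would touch and compare that with the two command-line selections. The account names, the extra account IDs and all helper functions are hypothetical, and only the `contains` and `in` operators are modelled.

```python
# Simplified model of account selection; not Cloud Custodian's own code.
# ACCOUNTS is a constructed sample shaped like the `accounts:` list in a c7n-org config.
ACCOUNTS = [
    {"name": "stage-app", "account_id": "333333333333", "tags": ["path:/Stage"]},
    {"name": "prod-app", "account_id": "444444444444", "tags": ["path:/Prod"]},
    {"name": "sandbox", "account_id": "111111111111", "tags": ["path:/Sandbox"]},
    {"name": "shared", "account_id": "222222222222", "tags": ["path:/Stage"]},
]
# The `or` block from the reply, expressed as data.
CONDITION = {"or": [
    {"type": "value", "key": "account.tags", "op": "contains", "value": "path:/Stage"},
    {"type": "value", "key": "account_id", "op": "in",
     "value": ["111111111111", "222222222222"]},
]}

def lookup(ctx, dotted_key):
    """Resolve a dotted key such as account.tags; None if any part is missing."""
    cur = ctx
    for part in dotted_key.split("."):
        cur = cur.get(part) if isinstance(cur, dict) else None
    return cur

def matches(cond, ctx):
    """Evaluate an `or` block or a single value filter (contains / in only)."""
    if "or" in cond:
        return any(matches(c, ctx) for c in cond["or"])
    actual = lookup(ctx, cond["key"])
    if actual is None:  # an account without tags must not match by accident
        return False
    if cond["op"] == "contains":
        return cond["value"] in actual
    if cond["op"] == "in":
        return actual in cond["value"]
    raise ValueError(f"unsupported op: {cond['op']}")

def by_condition(accounts, cond=CONDITION):
    # Assumption: the condition sees the account record under `account`
    # and its id under `account_id`, as the keys in the reply imply.
    return {a["account_id"] for a in accounts
            if matches(cond, {"account": a, "account_id": a["account_id"]})}

def by_tag(accounts, tag):  # models the `--tags` run
    return {a["account_id"] for a in accounts if tag in a.get("tags", [])}

def by_ids(accounts, ids):  # models the `--accounts` run
    return {a["account_id"] for a in accounts if a["account_id"] in ids}

if __name__ == "__main__":
    print("policy condition:", sorted(by_condition(ACCOUNTS)))
```

In this constructed data, account 222222222222 is selected by both the tag run and the account-ID run, so two separate runs would execute the policy against it twice, while the in-policy condition selects it once.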