The above worked, thanks. I have another question:
So using the same policy file:
policies:
  - name: security-groups-unused
    resource: security-group
    filters:
      - unused
I run the following at the command line:
custodian report --output-dir c7n-output my-sg-policy.yml
This outputs the unused SGs as expected. I then log in to my AWS console and remove one of the unused SGs.
I now rerun the above command, but I get an error:
blah...
blah...
blah...
File "/Users/alyasgul/custodian/lib/python3.9/site-packages/botocore/client.py", line 745, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidGroup.NotFound) when calling the DescribeSecurityGroupReferences operation: The security group ID 'sg-XXXXXXXXXXX' does not exist
2022-06-06 11:29:12,740: custodian.commands:ERROR The following policies had errors while executing
- security-groups-unused
I.e. the error states the SG I removed does not exist.
I get the same if I run the command leaving the c7n-output sub-dir in place or first removing it.
Can anyone provide a fix?
Why should Cloud Custodian care if the SG is removed? I just need it to report on the currently configured SGs.
Thanks in advance.
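As an added illustration (not Cloud Custodian's own code and not part of the post above), the snippet below reproduces the failure mode in the traceback: when one ID in a previously collected list of security groups has since been deleted, a batched DescribeSecurityGroupReferences call fails as a whole with InvalidGroup.NotFound. The `reconcile` helper is hypothetical and shows how a caller can recover by falling back to per-ID probes and separating live IDs from stale ones; the ec2 client is a constructed fake, and the IDs are constructed sample values.

```python
"""Reconcile a stale list of security-group IDs against the live account.

Constructed stand-in for the situation in the post: a cached SG list still
contains an SG that was deleted in the console, so a batched
DescribeSecurityGroupReferences call fails with InvalidGroup.NotFound.
"""
try:
    from botocore.exceptions import ClientError  # real class when botocore is installed
except ImportError:  # minimal stand-in with the same .response shape (assumption)
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(error_response["Error"]["Message"])
            self.response = error_response
            self.operation_name = operation_name

NOT_FOUND = "InvalidGroup.NotFound"


class FakeEC2:
    """Constructed fake of the boto3 ec2 client: it knows only the live SG IDs."""

    def __init__(self, live_ids):
        self.live = set(live_ids)
        self.calls = 0  # number of API calls made, for inspection

    def describe_security_group_references(self, GroupId):
        self.calls += 1
        missing = [g for g in GroupId if g not in self.live]
        if missing:  # the real API rejects the whole batch on one unknown ID
            msg = f"The security group ID '{missing[0]}' does not exist"
            raise ClientError({"Error": {"Code": NOT_FOUND, "Message": msg}},
                              "DescribeSecurityGroupReferences")
        return {"SecurityGroupReferenceSet": [{"GroupId": g} for g in GroupId]}


def reconcile(ec2, cached_ids):
    """Return (live_ids, stale_ids). Try one batched call first; on NotFound
    fall back to per-ID probes so a single deleted SG does not abort the run."""
    try:
        ec2.describe_security_group_references(GroupId=list(cached_ids))
        return list(cached_ids), []
    except ClientError as e:
        if e.response["Error"]["Code"] != NOT_FOUND:
            raise  # any other error (throttling, auth) is still fatal
    live, stale = [], []
    for gid in cached_ids:
        try:
            ec2.describe_security_group_references(GroupId=[gid])
            live.append(gid)
        except ClientError as e:
            if e.response["Error"]["Code"] != NOT_FOUND:
                raise
            stale.append(gid)
    return live, stale
```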