'unused' filter for EBS Snapshot does not detect snapshots in use by disabled AMIs #9444

Open
ScottDarvill opened this issue Apr 18, 2024 · 0 comments

Describe the bug

When using the unused filter set to true for EBS Snapshots we get an error deleting snapshots as they are still in use by a disabled AMI.

What did you expect to happen?

I expected that setting the unused filter to true would exclude all used snapshots.

Cloud Provider

Amazon Web Services (AWS)

Cloud Custodian version and dependency information

Custodian:   0.9.33
Python:      3.10.9 (main, Nov 10 2023, 10:56:46) [Clang 14.0.3 (clang-1403.0.22.14.1)]
Using venv:  True
Docker: False
Installed:

argcomplete==3.1.6
attrs==23.1.0
boto3==1.33.1
botocore==1.33.1
docutils==0.18.1
importlib-metadata==5.2.0
jmespath==1.0.1
jsonschema==4.20.0
jsonschema-specifications==2023.11.1
python-dateutil==2.8.2
pyyaml==6.0.1
referencing==0.31.0
rpds-py==0.13.1
s3transfer==0.8.0
six==1.16.0
tabulate==0.9.0
urllib3==1.26.18
zipp==3.17.0

Policy

policies:
  - name: ebs-snapshot-expiration
    resource: ebs-snapshot
    filters:
      - type: unused
        value: true
      - type: age
        days: 90
        op: ge
    actions:
      - type: delete

Relevant log/traceback output

Cloud Custodian error:
custodian.actions:ERROR Exception deleting snapshot set

AWS error from CloudTrail logs:
eventSource:ec2.amazonaws.com
eventName:DeleteSnapshot
errorCode:Client.InvalidSnapshot.InUse
errorMessage:The snapshot snap-* is currently in use by ami-*, including some disabled AMIs.
requestParameters:{"snapshotId":"snap-*","force":false}

Extra information or context

The describe_images API in boto3 has a filter to include deprecated and disabled AMIs in the response. This defaults to false, so I assume that when Cloud Custodian is pulling the snapshots used by AMIs, the filter is not being set to true, and disabled and deprecated AMIs and their snapshots are not being included in the unused filter.
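
The behaviour described in this issue, as an added example that is not part of the original report and is not Cloud Custodian's code: collecting AMI-referenced snapshot IDs with and without `IncludeDisabled`/`IncludeDeprecated` on `describe_images`. `StubEC2`, the helper function names and all AMI and snapshot IDs are constructed so the block runs offline; a real boto3 EC2 client can be passed in place of the stub.

```python
def ami_snapshot_ids(ec2, include_disabled=True):
    """Snapshot IDs referenced by this account's AMIs.

    `ec2` is a boto3 EC2 client or any object with the same paginator interface.
    """
    kwargs = {"Owners": ["self"]}
    if include_disabled:
        # describe_images omits disabled AMIs unless IncludeDisabled is set.
        kwargs["IncludeDisabled"] = True
        kwargs["IncludeDeprecated"] = True
    used = set()
    for page in ec2.get_paginator("describe_images").paginate(**kwargs):
        for image in page.get("Images", []):
            for mapping in image.get("BlockDeviceMappings", []):
                # Ephemeral mappings have no "Ebs" key, so default to {}.
                snap = mapping.get("Ebs", {}).get("SnapshotId")
                if snap:
                    used.add(snap)
    return used


def unused_snapshots(ec2, snapshot_ids, include_disabled=True):
    """Snapshot IDs from `snapshot_ids` that no returned AMI references."""
    used = ami_snapshot_ids(ec2, include_disabled)
    return sorted(s for s in snapshot_ids if s not in used)


class StubEC2:
    """Constructed stand-in for the EC2 client so the example runs offline."""
    IMAGES = [  # constructed sample data
        {"ImageId": "ami-aaaa", "State": "available",
         "BlockDeviceMappings": [{"Ebs": {"SnapshotId": "snap-0001"}}]},
        {"ImageId": "ami-bbbb", "State": "disabled",
         "BlockDeviceMappings": [{"Ebs": {"SnapshotId": "snap-0002"}},
                                 {"VirtualName": "ephemeral0"}]},
    ]

    def get_paginator(self, name):
        return self

    def paginate(self, **kwargs):
        # Mimic the API default: disabled AMIs are hidden unless requested.
        show = kwargs.get("IncludeDisabled", False)
        yield {"Images": [i for i in self.IMAGES
                          if show or i["State"] != "disabled"]}


if __name__ == "__main__":
    snaps = ["snap-0001", "snap-0002", "snap-0003"]  # constructed IDs
    print(unused_snapshots(StubEC2(), snaps, include_disabled=False))
    print(unused_snapshots(StubEC2(), snaps))
```

With the default call, the snapshot backing the disabled AMI is reported as unused, which is the case where `DeleteSnapshot` fails with `InvalidSnapshot.InUse`.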
