Default value filters do not seem to work properly for app-elb matching

[85matthew]

Describe the bug
Default value filters do not seem to work properly for app-elb matching

To Reproduce
See example below

Expected behavior
Match using the default filter and perform action against the matched resources

Background (please complete the following information):

• Container:
  cloudcustodian/c7n latest ccb73dcf0065 4 weeks ago 469MB

• Policy: [please exclude any account/sensitive information]

policies: 
    - name: app-elb-mark-unused-for-deletion
    resource: app-elb
    description: |
      Mark any ELB with no instances attached for deletion in 14 days.
      Also send an email to the ELB resource owner informing them its unused.
    filters:
      - Listeners: []
    actions:
      - type: mark-for-op
        tag: maid_status
        op: delete
        days: 14

# Using different notation
  - name: app-elb-mark-unused-for-deletion
    resource: app-elb
    description: |
      Mark any ELB with no instances attached for deletion in 14 days.
      Also send an email to the ELB resource owner informing them its unused.
    filters:
      - Listeners: empty
    actions:
      - type: mark-for-op
        tag: maid_status
        op: delete
        days: 14

• Traceback: [if applicable, please exclude sensitive/account information]
• custodian version --debug output

Additional context

When there is no target group/listener attached, these policies don't work.

bash-3.2$ docker run -it   -v $(pwd)/output:/home/custodian/output  -v $(pwd)/:/home/custodian/   --env-file <(env | grep "^AWS\|^AZURE\|^GOOGLE")   cloudcustodian/c7n run -c elb-cleanup.yml -s output --cache-period 0 -v
2020-08-07 13:41:32,778: custodian.cache:DEBUG Disabling cache
2020-08-07 13:41:32,779: custodian.commands:DEBUG Loaded file elb-cleanup.yml. Contains 1 policies
2020-08-07 13:41:32,790: custodian.aws:DEBUG using default region:us-east-1 from boto
2020-08-07 13:41:33,127: custodian.output:DEBUG Storing output with <LogFile file://output/app-elb-mark-unused-for-deletion/custodian-run.log>
2020-08-07 13:41:33,143: custodian.policy:DEBUG Running policy:app-elb-mark-unused-for-deletion resource:app-elb region:us-east-1 c7n:0.9.4
2020-08-07 13:41:33,790: custodian.resources.appelb:DEBUG Filtered from 1 to 0 appelb   <----- *****THIS HERE SHOWS NO MATCH ON "Listeners: []" *****
2020-08-07 13:41:33,791: custodian.policy:INFO policy:app-elb-mark-unused-for-deletion resource:app-elb region:us-east-1 count:0 time:0.65
2020-08-07 13:41:33,810: custodian.output:DEBUG metric:ResourceCount Count:0 policy:app-elb-mark-unused-for-deletion restype:app-elb scope:policy
2020-08-07 13:41:33,810: custodian.output:DEBUG metric:ApiCalls Count:2 policy:app-elb-mark-unused-for-deletion restype:app-elb

2nd Notation

bash-3.2$ docker run -it   -v $(pwd)/output:/home/custodian/output  -v $(pwd)/:/home/custodian/   --env-file <(env | grep "^AWS\|^AZURE\|^GOOGLE")   cloudcustodian/c7n run -c elb-cleanup.yml -s output --cache-period 0 -v
2020-08-07 13:41:42,448: custodian.cache:DEBUG Disabling cache
2020-08-07 13:41:42,451: custodian.commands:DEBUG Loaded file elb-cleanup.yml. Contains 1 policies
2020-08-07 13:41:42,466: custodian.aws:DEBUG using default region:us-east-1 from boto
2020-08-07 13:41:42,799: custodian.output:DEBUG Storing output with <LogFile file://output/app-elb-mark-unused-for-deletion/custodian-run.log>
2020-08-07 13:41:42,812: custodian.policy:DEBUG Running policy:app-elb-mark-unused-for-deletion resource:app-elb region:us-east-1 c7n:0.9.4
2020-08-07 13:41:43,383: custodian.resources.appelb:DEBUG Filtered from 1 to 1 appelb  <------ **** DOES SHOW A MATCH HERE ****
2020-08-07 13:41:43,384: custodian.policy:INFO policy:app-elb-mark-unused-for-deletion resource:app-elb region:us-east-1 count:1 time:0.57
2020-08-07 13:41:43,389: custodian.actions:INFO Tagging 1 resources for delete on 2020/08/21  <----- **** DOES SHOW THAT IT IS APPLYING A TAG HERE ****
2020-08-07 13:41:43,669: custodian.policy:INFO policy:app-elb-mark-unused-for-deletion action:appelbmarkforopaction resources:1 execution_time:0.28
2020-08-07 13:41:43,675: custodian.output:DEBUG metric:ResourceCount Count:1 policy:app-elb-mark-unused-for-deletion restype:app-elb scope:policy
2020-08-07 13:41:43,676: custodian.output:DEBUG metric:ApiCalls Count:3 policy:app-elb-mark-unused-for-deletion restype:app-elb

When I do attach a target group, the policy appears to match the resource even though it shouldn't because the target group/listeners are no longer EMPTY.

Trace from 1st policy above with target group attached

bash-3.2$ docker run -it   -v $(pwd)/output:/home/custodian/output  -v $(pwd)/:/home/custodian/   --env-file <(env | grep "^AWS\|^AZURE\|^GOOGLE")   cloudcustodian/c7n run -c elb-cleanup.yml -s output --cache-period 0 -v
2020-08-07 13:50:23,072: custodian.cache:DEBUG Disabling cache
2020-08-07 13:50:23,073: custodian.commands:DEBUG Loaded file elb-cleanup.yml. Contains 1 policies
2020-08-07 13:50:23,087: custodian.aws:DEBUG using default region:us-east-1 from boto
2020-08-07 13:50:23,427: custodian.output:DEBUG Storing output with <LogFile file://output/app-elb-mark-unused-for-deletion/custodian-run.log>
2020-08-07 13:50:23,442: custodian.policy:DEBUG Running policy:app-elb-mark-unused-for-deletion resource:app-elb region:us-east-1 c7n:0.9.4
2020-08-07 13:50:24,059: custodian.resources.appelb:DEBUG Filtered from 1 to 1 appelb <----- **** SUCCESSFUL MATCH WHEN IT SHOULDN'T BE. ****
2020-08-07 13:50:24,060: custodian.policy:INFO policy:app-elb-mark-unused-for-deletion resource:app-elb region:us-east-1 count:1 time:0.62
2020-08-07 13:50:24,066: custodian.actions:INFO Tagging 1 resources for delete on 2020/08/21 <---- **** DOES SUCCESSFULLY TAG THE ALB AS I WOULD HAVE EXPECTED WITHOUT TG ATTACHED
2020-08-07 13:50:24,318: custodian.policy:INFO policy:app-elb-mark-unused-for-deletion action:appelbmarkforopaction resources:1 execution_time:0.25
2020-08-07 13:50:24,325: custodian.output:DEBUG metric:ResourceCount Count:1 policy:app-elb-mark-unused-for-deletion restype:app-elb scope:policy
2020-08-07 13:50:24,325: custodian.output:DEBUG metric:ApiCalls Count:3 policy:app-elb-mark-unused-for-deletion restype:app-elb

Trace from 2nd policy above with target group attached

bash-3.2$ docker run -it   -v $(pwd)/output:/home/custodian/output  -v $(pwd)/:/home/custodian/   --env-file <(env | grep "^AWS\|^AZURE\|^GOOGLE")   cloudcustodian/c7n run -c elb-cleanup.yml -s output --cache-period 0 -v
2020-08-07 13:52:05,088: custodian.cache:DEBUG Disabling cache
2020-08-07 13:52:05,088: custodian.commands:DEBUG Loaded file elb-cleanup.yml. Contains 1 policies
2020-08-07 13:52:05,098: custodian.aws:DEBUG using default region:us-east-1 from boto
2020-08-07 13:52:05,460: custodian.output:DEBUG Storing output with <LogFile file://output/app-elb-mark-unused-for-deletion/custodian-run.log>
2020-08-07 13:52:05,476: custodian.policy:DEBUG Running policy:app-elb-mark-unused-for-deletion resource:app-elb region:us-east-1 c7n:0.9.4
2020-08-07 13:52:06,111: custodian.resources.appelb:DEBUG Filtered from 1 to 0 appelb <---- STILL NO MATCH HERE WITH TARGET GROUP ATTACHED NOW (EXPECTED)
2020-08-07 13:52:06,112: custodian.policy:INFO policy:app-elb-mark-unused-for-deletion resource:app-elb region:us-east-1 count:0 time:0.64
2020-08-07 13:52:06,123: custodian.output:DEBUG metric:ResourceCount Count:0 policy:app-elb-mark-unused-for-deletion restype:app-elb scope:policy
2020-08-07 13:52:06,124: custodian.output:DEBUG metric:ApiCalls Count:2 policy:app-elb-mark-unused-for-deletion restype:app-elb

[kapilt]

its worthwhile to look at the resources.json output when you don't have a filter. In this case the Listeners attribute is not present at all in the returned resource. In gitter, you referenced its an empty array but thats not the case they key doesn't exist, so you can use the following to assert that.

- Listeners: absent

[85matthew]

Thanks again for the response @kapilt .

Correct. When I run with absent it matches everything because that Listeners block is not in the resource.json

- Listeners: absent

It matches on all my ALBs. When I look at the resources.json, it shows matched on the filter and I don't see anything in the json.

    "c7n:MatchedFilters": [
      "Listeners"
    ]

So this brings me back to the original question in the first issue I opened. Is there a way to match on an app-elb that does not have any target groups/listeners attached?
#6015

Perhaps that is simply not a capability today?

( Since neither of the suggested methods seem to work since there is "Listeners" in the resource.json)

- Listeners: []

- Listeners: empty

[85matthew]

Hi Kapil. Any suggestions on if this capability should work today? I'm not
clear if this is a bug or if it is simply not supported

on an app-elb,

- Listeners: empty
or
- Listeners: []

[klauern]

I am facing this same issue. Do we know if this is a bug or weird behavior in how the app-elb is constructed? I tried digging into the code, but I don't quite understand how the nesting works between the app-elb and the target-group to the targets that it would be querying for.

[ajkerrigan]

I think both the listener and target-group filters are a bit tricky to use as-is, since they both match against lists of child resources but work differently. listener performs a value filter check against every listener on an ALB. That makes it a bit awkward to match a case where there are no listeners, but this filter would match any listener:

- type: listener
  key: "@"
  value: present

(In English: Match a listener if it exists. The @ means current node in JMESPath speak).

So we can tuck that inside a not block to find ALBs with no listeners:

filters:
  - not:
    - type: listener
      key: "@"
      value: present

---

target-group behaves like a value filter targeting the list of target groups associated with an ALB. So we could see if that list is empty:

filters:
  - type: target-group
    key: "@"
    value: empty

Or get a little more picky by only matching if we have no healthy targets:

filters:
  - type: target-group
    key: "[].TargetHealthDescriptions[?TargetHealth.State == 'healthy'][]"
    value: empty

(In something closer to English: build a flat list of healthy targets across all target groups used by this ALB. Match the ALB if that list is empty.)

---

Both of these filters were in place before the list-item filter existed. They could both probably stand to be refactored to derive from that filter.

I imagine we'd want to deprecate the existing behavior because it's pretty awkward, but we would also want to avoid breaking existing policies.

[klauern]

As a small follow-up question, any reason why

filters:
  - not:
    - type: listener
      key: "@"
      value: present

doesn't work the same as

filters:
  - type: listener
    key: "@"
    value: absent

I thought it would, but it appears to miss finding load balancers with no listeners or target groups assigned to them with the second form, but not the first one, and I don't understand the difference.

[klauern]

Thank you @ajkerrigan , that helps a lot. One question I have about this is that we're looking for listeners, but what if we do not have listeners defined, but we still have targets created to target groups on the ALB? I'm not too much of an expert in ELB, but wouldn't that be a situation where it could "in theory" be active (although you'd still need to create the listener, maybe it was deleted for some reason), but still be in a semi-valid or easily fixable state that you could re-enable the ELB to work? What if I want to be absolutely certain that the ALB doesn't have any targets at all to them, irrespective of whether they have a listener defined?

[ajkerrigan]

It's possible to break an ALB by deleting its listeners, sure. In that case there wouldn't be any lingering target group references though, because the ALB<-->target group association comes from an ALB listener rule forwarding traffic to a target group.

So if you start with an ALB that has listener rules forwarding traffic to a target group with registered/healthy targets, then you delete the ALB listeners, the target group can still have registered/healthy targets. That target group wouldn't display any association to the ALB with the deleted listeners, though it still could have ties to other ALBs.

I'm not sure that's helpful though, I'm losing track of exactly what we're trying to filter for now 😅