mark-for-op action is not working in cloud custodian


I have been setting up a Cloud Custodian policy for automatically terminating EC2 instances after a certain amount of time, but unfortunately it is not working. The filters and mode are working fine in the policy, but the action is not getting executed. Kindly let us know if you have any solution.

Policy:
policies:
  - name: ec2-terminate-instance
    resource: ec2
    description: |
      Mark any stopped ec2 instance for deletion in 60 days
      If an instance has not been started for 60 days or over
      then they will be deleted similar to internal policies as it wont be patched.
    filters:
      - "tag:expiration": present
      - "State.Name": stopped
    mode:
      schedule: "rate(15 minutes)"
      type: periodic
      role: arn:aws:iam::xxxxxxxxxxxx:role/cloud-custodian-role
    actions:
      - type: mark-for-op
        tag: c7n_stopped_instance
        op: terminate
        hours: 0.5

Your policy looks right, despite what has been mentioned about custom tags for the delayed operation mark-for-op.

The details are important here. If you are not seeing the instance terminated with this policy, that is because you need a second follow-up policy that filters on the marked resources and has a corresponding action that terminates the discovered instances.

  # Second entry in the same policies: list as the marking policy. Policy names
  # must be unique within a file, so this one is renamed rather than reusing
  # ec2-terminate-instance from the question.
  - name: ec2-terminate-marked-instance
    resource: aws.ec2
    description: |
      Delete any marked instances in the previous policy based on the tag c7n_stopped_instance
    filters:
      # Matches only once the date written into the tag value by mark-for-op has passed
      - type: marked-for-op
        tag: c7n_stopped_instance
        op: terminate
    actions:
      - type: terminate
    # No mode block: this runs in pull mode each time `custodian run` is invoked.
    # To deploy it as a scheduled Lambda alongside the first policy, give it a
    # periodic mode block like the one in the question.

So you:

  • mark-for-op as a future delayed action by tagging resources
  • filter on these resources using the marked-for-op filter type, and in your actions perform the terminate action.

ref: https://www.cloudcustodian.io/docs/azure/examples/resourcegroupsdelayedoperation-general.html#azure-example-delayedoperation
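The two-policy pattern above, written out as a complete policy file. This is an added example, not the answerer's or the Cloud Custodian project's own code. The tag key, op and 0.5-hour window are taken from the question; the policy names, the second and third policies' mode blocks, the `"tag:c7n_stopped_instance": absent` filter and the unmarking policy are assumptions added here. The `absent` filter matters with this schedule: mark-for-op rewrites the tag with a fresh timestamp on every run, so without it a 15-minute schedule would keep pushing the 30-minute deadline forward and marked-for-op would never match.

```yaml
# Added example (not from the original post): a complete Custodian policy file
# pairing the asker's mark-for-op policy with the follow-up terminate policy.
policies:
  # Policy 1: tag stopped instances that carry an "expiration" tag.
  # This only writes a tag; nothing is terminated here.
  - name: ec2-mark-stopped-instance
    resource: aws.ec2
    description: |
      Mark stopped instances for termination in 30 minutes.
    filters:
      - "tag:expiration": present
      - "State.Name": stopped
      # Assumption: skip instances already marked so the deadline in the tag
      # is not rewritten (and pushed forward) on every 15-minute run.
      - "tag:c7n_stopped_instance": absent
    mode:
      type: periodic
      schedule: "rate(15 minutes)"
      role: arn:aws:iam::xxxxxxxxxxxx:role/cloud-custodian-role
    actions:
      - type: mark-for-op
        tag: c7n_stopped_instance
        op: terminate
        hours: 0.5

  # Policy 2: act on the tag written by policy 1. marked-for-op parses the
  # "<op>@<date>" value and matches only after that date has passed.
  - name: ec2-terminate-marked-instance
    resource: aws.ec2
    description: |
      Terminate instances whose c7n_stopped_instance mark has expired.
    filters:
      - type: marked-for-op
        tag: c7n_stopped_instance
        op: terminate
      # Assumption: re-check state so an instance that was started again
      # after being marked is not terminated.
      - "State.Name": stopped
    mode:
      type: periodic
      schedule: "rate(15 minutes)"
      role: arn:aws:iam::xxxxxxxxxxxx:role/cloud-custodian-role
    actions:
      - type: terminate

  # Policy 3 (assumption): clear a stale mark from instances that were started
  # again, so that stopping them later restarts the 30-minute clock instead of
  # terminating them on the next run because the old deadline has long passed.
  - name: ec2-unmark-restarted-instance
    resource: aws.ec2
    description: |
      Remove the c7n_stopped_instance mark from instances that are running again.
    filters:
      - "tag:c7n_stopped_instance": present
      - "State.Name": running
    mode:
      type: periodic
      schedule: "rate(15 minutes)"
      role: arn:aws:iam::xxxxxxxxxxxx:role/cloud-custodian-role
    actions:
      - type: remove-tag
        tags:
          - c7n_stopped_instance
```

Run `custodian validate policy.yml` to catch schema errors and duplicate policy names, then `custodian run -s out --dryrun policy.yml` to see which instances each policy matches without tagging or terminating anything; with `--dryrun` the periodic mode is ignored and the policies execute once in pull mode, which is the quickest way to confirm that the marked-for-op filter starts matching after the 30 minutes have elapsed.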