
Log Group Support for `c7n-org`

Open DavidTPate opened this issue 7 years ago • 3 comments

Currently trying out c7n-org instead of utilizing custom scripts to run the custodian command multiple times. I see that the ability to send output to S3 is still present, but the option -l or --log-group doesn't work for c7n-org.

I wasn't sure if this just wasn't implemented yet or if it wasn't implemented for a particular reason, as it would be useful for me.

DavidTPate avatar May 14 '18 19:05 DavidTPate

Good point. I guess the question on the pass-through is that we would normally set up a log group per account. What would you expect as behavior if you pass --log-group into c7n? Use it as a prefix?

kapilt avatar May 14 '18 19:05 kapilt

First thought would be something similar to output_dir handling where it passes the Account Id + Region.

A couple potential solutions that I can think of:

Account Id + Region Added to Log Group Name

Take the Log Group name provided by user and prefix it with Account Id + Region.

Pros:
  • Logs split out by Account Id + Region.
Cons:
  • (Medium) Users unable to view aggregate of all logs.
  • (Minor) Convention based, might cause some confusion for users.

Single Log Group

Specify a single Log Group as part of the CLI command and then the CLI would create Log Streams for each Account Id + Region combination.

Pros:
  • Able to aggregate all logs across all accounts and regions easily.
Cons:
  • (Major) would require a refactor to how c7n works as it supports passing Log Group, not Log Stream.
  • (Medium) Unable to separate out logs for each individual account if desired.
  • (Minor) Convention has to be added to CLI for the Log Streams.

Log Group in Accounts Config File

Able to specify the Log Group on a per-account basis within the accounts.yml file.

Pros:
  • Configuration instead of convention based.
  • Users can either specify the same Log Group or different ones as desired.
Cons:
  • (Medium) If a user specifies the same Log Group then Log Streams won't have Account Id + Region in their name so it will be harder to differentiate logs.

DavidTPate avatar May 15 '18 13:05 DavidTPate

Is this feature available yet? If so, how can I use it with c7n-org?

haiauth avatar May 05 '22 01:05 haiauth