awslimitchecker¶
Master:
Develop:
A script and python module to check your AWS service limits and usage, and warn when usage approaches limits.
Users building out scalable services in Amazon AWS often run into AWS’ service limits - often at the least convenient time (i.e. mid-deploy or when autoscaling fails). Amazon’s Trusted Advisor can help this, but even the version that comes with Business and Enterprise support only monitors a small subset of AWS limits and only alerts weekly. awslimitchecker provides a command line script and reusable package that queries your current usage of AWS resources and compares it to limits (hard-coded AWS defaults that you can override, API-based limits where available, or data from Trusted Advisor where available), notifying you when you are approaching or at your limits.
Full project documentation for the latest release is available at http://awslimitchecker.readthedocs.io/en/latest/.
Status¶
awslimitchecker is mature software, with approximately 9,000 downloads per month and in daily use at numerous organizations.
Development status is being tracked on a board at waffle.io: https://waffle.io/jantman/awslimitchecker
What It Does¶
- Check current AWS resource usage against AWS Service Limits
- Show and inspect current usage
- Override default Service Limits (for accounts with increased limits)
- Compare current usage to limits; return information about limits that exceed thresholds, and (CLI wrapper) exit non-0 if thresholds are exceeded
- Define custom thresholds per-limit
- where possible, pull current limits from Trusted Advisor API
- where possible, pull current limits from each service’s API (for services that provide this information)
- Supports explicitly setting the AWS region
- Supports using STS to assume roles in other accounts, including using
external_id. - Optionally refresh Trusted Advisor “Service Limits” check before polling Trusted Advisor data, and optionally wait for the refresh to complete (up to an optional maximum time limit). See Getting Started - Trusted Advisor for more information.
Requirements¶
- Python 2.7 or 3.4+. Python 2.6 and 3.3 are no longer supported.
- Python VirtualEnv and
pip(recommended installation method; your OS/distribution should have packages for these) - boto3 >= 1.4.6 and its dependency botocore >= 1.6.0.
Installation and Usage¶
See Getting Started.
Credentials¶
See Credentials.
Getting Help and Asking Questions¶
See Getting Help.
For paid support and development options, please see the Enterprise Support Agreements and Contract Development section of the documentation.
There is also a gitter.im chat channel for support and discussion.
Contributions¶
Pull requests are most definitely welcome. Please cut them against the develop branch. For more information, see the development documentation. I’m also happy to accept contributions in the form of bug reports, feature requests, testing, etc.
License¶
awslimitchecker is licensed under the GNU Affero General Public License, version 3 or later. This shouldn’t be much of a concern to most people; see Development / AGPL for more information.
Contents¶
Getting Started¶
What It Does¶
- Check current AWS resource usage against AWS Service Limits
- Show and inspect current usage
- Override default Service Limits (for accounts with increased limits)
- Compare current usage to limits; return information about limits that exceed thresholds, and (CLI wrapper) exit non-0 if thresholds are exceeded
- Define custom thresholds per-limit
- Where possible, pull current limits from Trusted Advisor API
- Supports explicitly setting the AWS region
- Supports using STS
to assume roles in other accounts, including using
external_id. - Optionally refresh Trusted Advisor “Service Limits” check before polling Trusted Advisor data, and optionally wait for the refresh to complete (up to an optional maximum time limit). See Getting Started - Trusted Advisor for more information.
Nomenclature¶
- Service
- An AWS Service or Product, such as EC2, VPC, RDS or ElastiCache. More specifically, Services in AwsLimitChecker correspond to distinct APIs for AWS Services.
- Limit
- An AWS-imposed maximum usage for a certain resource type in AWS. See AWS Service Limits.
Limits are generally either account-wide or per-region. They have AWS global default values, but can be increased by AWS Support. “Limit” is also the term used
within this documentation to describe
AwsLimitobjects, which describe a specific AWS Limit within this program. - Usage
- “Usage” refers to your current usage of a specific resource that has a limit. Usage values/amounts (some integer or floating point number, such as number of VPCs
or GB of IOPS-provisioned storage) are represented by instances of the
AwsLimitUsageclass. Limits that are measured as a subset of some “parent” resource, such as “Subnets per VPC” or “Read Replicas per Master” have their usage tracked per parent resource, so you can easily determine which ones are problematic. - Threshold
- The point at which AwsLimitChecker will consider the current usage for a limit to be problematic. Global thresholds default to usage >= 80% of limit for “warning” severity,
and usage >= 99% of limit for “critical” severity. Limits which have reached or exceeded their threshold will be reported separately for warning and critical (we generally
consider “warning” to be something that will require human intervention in the near future, and “critical” something that is an immediate problem, i.e. should block
automated processes). The
awslimitcheckercommand line wrapper can override the default global thresholds. TheAwsLimitCheckerclass can both override global percentage thresholds, as well as specify per-limit thresholds as a percentage, a fixed usage value, or both. For more information on overriding thresholds, see Python Usage / Setting a Threshold Override as well as the documentation forAwsLimitChecker.check_thresholds()andAwsLimitChecker.set_threshold_override().
Requirements¶
- Python 2.7 or 3.4+. Python 2.6 and 3.3 are no longer supported.
- Python VirtualEnv and
pip(recommended installation method; your OS/distribution should have packages for these) - boto3 >= 1.4.6 and its dependency botocore >= 1.6.0.
Installing¶
It’s recommended that you install into a virtual environment (virtualenv / venv). See the virtualenv usage documentation for more details, but the gist is as follows (the virtualenv name, “limitchecker” here, can be whatever you want):
virtualenv limitchecker
source limitchecker/bin/activate
pip install awslimitchecker
Version Specification¶
If you’re using awslimitchecker in automated tooling that recreates the virtualenv
(such as Jenkins or cron jobs, etc) you’ll probably want to install a specific version
so that the job doesn’t unexpectedly break. It’s recommended that you pin your installation
to a major version. According to awslimitchecker’s versioning policy,
this should ensure that you get the latest awslimitchecker version that’s compatible with
your IAM policy and dependencies and has no backwards-incompatible API changes.
Credentials¶
Aside from STS, awslimitchecker does nothing with AWS credentials, it leaves that to boto itself.
You must either have your credentials configured in one of boto3’s supported config
files or set as environment variables. If your credentials are in the cross-SDK
credentials file (~/.aws/credentials) under a named profile section, you can
use credentials from that profile by specifying the -P / --profile command
lint option. See
boto3 config
and
this project’s documentation
for further information.
Please note that version 0.3.0 of awslimitchecker moved from using boto as its AWS API client to using
boto3. This change is mostly transparent, but there is a minor change in how AWS credentials are handled. In
boto, if the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables were set, and the
region was not set explicitly via awslimitchecker, the AWS region would either be taken from the AWS_DEFAULT_REGION
environment variable or would default to us-east-1, regardless of whether a configuration file (~/.aws/credentials
or ~/.aws/config) was present. With boto3, it appears that the default region from the configuration file will be
used if present, regardless of whether the credentials come from that file or from environment variables.
When using STS, you will need to specify the -r / --region option as well as the -A / --sts-account-id
and -R / --sts-account-role options to specify the Account ID that you want to assume a role in, and the
name of the role you want to assume. If an external ID is required, you can specify it with -E / --external-id.
In addition, when assuming a role STS, you can use a MFA device. simply
specify the device’s serial number with the -M / --mfa-serial-number option and a token generated by the device
with the -T / --mfa-token option. STS credentials will be cached for the lifetime of the program.
Important Note on Session and Federation (Temporary) Credentials: The temporary credentials granted by the AWS IAM
GetFederationToken
and GetSessionToken
API calls will throw errors when trying to access the IAM API (except for Session tokens, which will
work for IAM API calls only if an MFA token is used). Furthermore, Federation tokens cannot make use
of the STS AssumeRole functionality. If you attempt to use awslimitchecker with credentials generated
by these APIs (commonly used by organizations to hand out limited-lifetime credentials), you will likely
encounter errors when checking IAM limits. If this is acceptable, you can use these credentials by setting
the AWS_SESSION_TOKEN environment variable in addition to AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY,
or by otherwise configuring these credentials in a way that’s supported by
boto3 configuration.
Regions¶
To specify the region that awslimitchecker connects to, use the -r / --region
command line option. At this time awslimitchecker can only connect to one region at a time;
to check limits in multiple regions, simply run the script multiple times, once per region.
Trusted Advisor¶
awslimitchecker supports retrieving your current service limits via the
Trusted Advisor
“Service Limits” performance check
, for limits which Trusted Advisor tracks (currently a subset of what awslimitchecker
knows about). The results of this check may not be available via the API for all
accounts; as of December 2016, the Trusted Advisor documentation states that while
this check is available for all accounts, API access is only available to accounts
with Business- or Enterprise-level support plans. If your account does not have
Trusted Advisor access, the API call will result in a SubscriptionRequiredException
and awslimitchecker will log a Cannot check TrustedAdvisor message at
warning level.
Trusted Advisor information is important to awslimitchecker, however, as it provides
the current service limit values for a number of limits that cannot be obtained
any other way. While you can completely disable Trusted Advisor polling via the
--skip-ta command-line option, you will then be left with default service
limit values for many limits.
As of 0.7.0, awslimitchecker also supports programmatically refreshing the “Service Limits” Trusted Advisor check, in order to get updated limit values. If this is not done, the data provided by Trusted Advisor may not be updated unless a human does so via the AWS Console. The refresh logic operates in one of three modes, controlled by command-line options (these are also exposed in the Python API; see the “Internals” link below):
--ta-refresh-wait- The check will be refreshed and awslimitchecker will poll every 30 seconds waiting for the refresh to complete (or untilta_refresh_timeoutseconds have elapsed).--ta-refresh-older INTEGER- This operates like the--ta-refresh-waitoption, but will only refresh the check if its current result data is at leastINTEGERseconds old.--ta-refresh-trigger- The check will be refreshed and the program will continue on immediately, without waiting for the refresh to complete; this will almost certainly result in stale check results in the current run. However, this may be useful if you desire to keepawslimitcheckerruns short, and run it on a regular schedule (i.e. if you runawslimitcheckerevery 6 hours, and are OK with Trusted Advisor check data being 6 hours old).
Additionally, there is a --ta-refresh-timeout option. If this is set (to an integer),
refreshes of the check will time out after that number of seconds. If a timeout
occurs, a message will be logged at error level, but the program will continue
running (most likely using the old result data).
Important: It may take 30 to 60 minutes for the Service Limits check to refresh on large accounts. Please be aware of this when enabling the refresh options.
Using the check refresh options will require the trustedadvisor:RefreshCheck
IAM permission.
See Internals - Trusted Advisor for technical information on the implementation of Trusted Advisor polling.
Required Permissions¶
You can view a sample IAM policy listing the permissions required for awslimitchecker to function properly either via the CLI client:
awslimitchecker --iam-policy
Or as a python dict:
from awslimitchecker.checker import AwsLimitChecker
c = AwsLimitChecker()
iam_policy = c.get_required_iam_policy()
You can also view the required permissions for the current version of awslimitchecker at Required IAM Permissions.
Command Line Usage¶
awslimitchecker ships with a command line script for use outside of
Python environments. awslimitchecker is installed as a
setuptools entry point,
and will be available wherever you install the package (if you install
in a virtual environment as recommended, it will be in the venv’s bin/ directory).
The command line script provides simple access to the most common features, though not full access to all configuration possibilities. In addition, when checking usage, the script will exit 0 of everything is OK, 1 if there are warnings, and 2 if there are critical thresholds exceeded (though the output is not currently suitable for direct use as a Nagios-compatible plugin).
(venv)$ awslimitchecker --help
usage: awslimitchecker [-h] [-S [SERVICE [SERVICE ...]]]
[--skip-service SKIP_SERVICE] [-s] [-l]
[--list-defaults] [-L LIMIT] [-u] [--iam-policy]
[-W WARNING_THRESHOLD] [-C CRITICAL_THRESHOLD]
[-P PROFILE_NAME] [-A STS_ACCOUNT_ID]
[-R STS_ACCOUNT_ROLE] [-E EXTERNAL_ID]
[-M MFA_SERIAL_NUMBER] [-T MFA_TOKEN] [-r REGION]
[--skip-ta]
[--ta-refresh-wait | --ta-refresh-trigger | --ta-refresh-older TA_REFRESH_OLDER]
[--ta-refresh-timeout TA_REFRESH_TIMEOUT] [--no-color]
[--no-check-version] [-v] [-V]
Report on AWS service limits and usage via boto3, optionally warn about any
services with usage nearing or exceeding their limits. For further help, see
<http://awslimitchecker.readthedocs.org/>
optional arguments:
-h, --help show this help message and exit
-S [SERVICE [SERVICE ...]], --service [SERVICE [SERVICE ...]]
perform action for only the specified service name;
see -s|--list-services for valid names
--skip-service SKIP_SERVICE
avoid performing actions for the specified service
name; see -s|--list-services for valid names
-s, --list-services print a list of all AWS service types that
awslimitchecker knows how to check
-l, --list-limits print all AWS effective limits in
"service_name/limit_name" format
--list-defaults print all AWS default limits in
"service_name/limit_name" format
-L LIMIT, --limit LIMIT
override a single AWS limit, specified in
"service_name/limit_name=value" format; can be
specified multiple times.
-u, --show-usage find and print the current usage of all AWS services
with known limits
--iam-policy output a JSON serialized IAM Policy listing the
required permissions for awslimitchecker to run
correctly.
-W WARNING_THRESHOLD, --warning-threshold WARNING_THRESHOLD
default warning threshold (percentage of limit);
default: 80
-C CRITICAL_THRESHOLD, --critical-threshold CRITICAL_THRESHOLD
default critical threshold (percentage of limit);
default: 99
-P PROFILE_NAME, --profile PROFILE_NAME
Name of profile in the AWS cross-sdk credentials file
to use credentials from; similar to the corresponding
awscli option
-A STS_ACCOUNT_ID, --sts-account-id STS_ACCOUNT_ID
for use with STS, the Account ID of the destination
account (account to assume a role in)
-R STS_ACCOUNT_ROLE, --sts-account-role STS_ACCOUNT_ROLE
for use with STS, the name of the IAM role to assume
-E EXTERNAL_ID, --external-id EXTERNAL_ID
External ID to use when assuming a role via STS
-M MFA_SERIAL_NUMBER, --mfa-serial-number MFA_SERIAL_NUMBER
MFA Serial Number to use when assuming a role via STS
-T MFA_TOKEN, --mfa-token MFA_TOKEN
MFA Token to use when assuming a role via STS
-r REGION, --region REGION
AWS region name to connect to; required for STS
--skip-ta do not attempt to pull *any* information on limits
from Trusted Advisor
--ta-refresh-wait If applicable, refresh all Trusted Advisor limit-
related checks, and wait for the refresh to complete
before continuing.
--ta-refresh-trigger If applicable, trigger refreshes for all Trusted
Advisor limit-related checks, but do not wait for them
to finish refreshing; trigger the refresh and continue
on (useful to ensure checks are refreshed before the
next scheduled run).
--ta-refresh-older TA_REFRESH_OLDER
If applicable, trigger refreshes for all Trusted
Advisor limit-related checks with results more than
this number of seconds old. Wait for the refresh to
complete before continuing.
--ta-refresh-timeout TA_REFRESH_TIMEOUT
If waiting for TA checks to refresh, wait up to this
number of seconds before continuing on anyway.
--no-color do not colorize output
--no-check-version do not check latest version at startup
-v, --verbose verbose output. specify twice for debug-level output.
-V, --version print version number and exit.
awslimitchecker is AGPLv3-licensed Free Software. Anyone using this program,
even remotely over a network, is entitled to a copy of the source code. Use
`--version` for information on the source code location.
Examples¶
In the following examples, output has been truncated to simplify documentation.
When running with all services enabled, awslimitchecker will provide many lines
of output. (...) has been inserted in the output below to denote removed
or truncated lines.
Listing Supported Services¶
View the AWS services currently supported by awslimitchecker with the
-s or --list-services option.
(venv)$ awslimitchecker -s
ApiGateway
AutoScaling
CloudFormation
CloudTrail
Directory Service
(...)
Route53
S3
SES
VPC
Listing Default Limits¶
To show the hard-coded default limits, ignoring any limit overrides
or Trusted Advisor data, run with --list-defaults:
(venv)$ awslimitchecker --list-defaults
ApiGateway/API keys per account 500
ApiGateway/Client certificates per account 60
ApiGateway/Custom authorizers per API 10
ApiGateway/Documentation parts per API 2000
ApiGateway/Edge APIs per account 120
(...)
Lambda/Function Count None
(...)
VPC/Subnets per VPC 200
VPC/VPCs 5
VPC/Virtual private gateways 5
Viewing Limits¶
View the limits that awslimitchecker currently knows how to check, and what
the limit value is set as (if you specify limit overrides, they will be used
instead of the default limit) by specifying the -l or --list-limits
option. Limits followed by (TA) have been obtained from Trusted Advisor
and limits followed by (API) have been obtained from the service’s API.
(venv)$ awslimitchecker -l
ApiGateway/API keys per account 500
ApiGateway/Client certificates per account 60
ApiGateway/Custom authorizers per API 10
ApiGateway/Documentation parts per API 2000
ApiGateway/Edge APIs per account 120
(...)
AutoScaling/Auto Scaling groups 1500 (API)
(...)
Lambda/Function Count None
(...)
VPC/Subnets per VPC 200
VPC/VPCs 1000 (TA)
VPC/Virtual private gateways 5
Disabling Trusted Advisor Checks¶
Using the --skip-ta option will disable attempting to query limit information
from Trusted Advisor for all commands.
(venv)$ awslimitchecker -l --skip-ta
ApiGateway/API keys per account 500
ApiGateway/Client certificates per account 60
ApiGateway/Custom authorizers per API 10
ApiGateway/Documentation parts per API 2000
ApiGateway/Edge APIs per account 120
(...)
AutoScaling/Auto Scaling groups 1500 (API)
(...)
Lambda/Function Count None
(...)
VPC/Subnets per VPC 200
VPC/VPCs 5
VPC/Virtual private gateways 5
Disabling Specific Services¶
The --skip-service option can be used to completely disable the specified
service name(s) (as shown by -s / --list-services) for services that are
problematic or you do not wish to query at all.
For example, you can check usage of all services _except_ for Firehose and
EC2:
(venv)$ awslimitchecker --skip-service=Firehose --skip-service EC2
WARNING:awslimitchecker.checker:Skipping service: Firehose
WARNING:awslimitchecker.checker:Skipping service: EC2
... normal output ...
Checking Usage¶
The -u or --show-usage options to awslimitchecker show the current
usage for each limit that awslimitchecker knows about. It will connect to the
AWS API and determine the current usage for each limit. In cases where limits are
per-resource instead of account-wide (i.e. “Rules per VPC security group” or
“Security groups per VPC”), the usage will be reported for each possible resource
in resource_id=value format (i.e. for each VPC security group and each VPC, respectively,
using their IDs).
(venv)$ awslimitchecker -u
ApiGateway/API keys per account 14
ApiGateway/APIs per account 98
ApiGateway/Client certificates per account 2
ApiGateway/Custom authorizers per API max: 0bdkl1u8vk=2 (0bdkl1u8vk=2, 0cyhj26jhb=2 (...)
ApiGateway/Documentation parts per API max: 0bdkl1u8vk=2 (0bdkl1u8vk=2, 0cyhj26jhb=2 (...)
(...)
VPC/Subnets per VPC max: vpc-c89074a9=41 (vpc-ae7bc5cb=1, vpc-7bc (...)
VPC/VPCs 22
VPC/Virtual private gateways 5
Overriding Limits¶
In cases where you’ve been given a limit increase by AWS Support, you can override
the default limits with custom ones. Currently, to do this from the command line,
you must specify each limit that you want to override separately (the
set_limit_overrides() Python method accepts a dict for
easy bulk overrides of limits) using the -L or --limit options. Limits are
specified in a service_name/limit_name=value format, and must be quoted if the
limit name contains spaces.
For example, to override the limits of EC2’s “EC2-Classic Elastic IPs” and “EC2-VPC Elastic IPs” from their defaults of 5, to 10 and 20, respestively:
(venv)$ awslimitchecker -L "AutoScaling/Auto Scaling groups"=321 --limit="AutoScaling/Launch configurations"=456 -l
ApiGateway/API keys per account 500
ApiGateway/APIs per account 60
ApiGateway/Client certificates per account 60
ApiGateway/Custom authorizers per API 10
ApiGateway/Documentation parts per API 2000
(...)
CloudFormation/Stacks 2500 (API)
(...)
VPC/Subnets per VPC 200
VPC/VPCs 1000 (TA)
VPC/Virtual private gateways 5
This example simply sets the overrides, and then prints the limits for confirmation.
Check Limits Against Thresholds¶
The default mode of operation for awslimitchecker (when no other action-specific
options are specified) is to check the usage of all known limits, compare them against
the configured limit values, and then output a message and set an exit code depending
on thresholds. The limit values used will be (in order of precedence) explicitly-set
overrides, Trusted Advisor data, and hard-coded defaults.
Currently, the awslimitchecker command line script only supports global warning and
critical thresholds, which default to 80% and 99% respectively. If any limit’s usage is
greater than or equal to 80% of its limit value, this will be included in the output
and the program will exit with return code 1. If any limit’s usage is greater than or
equal to 99%, it will include that in the output and exit 2. When determining exit codes,
critical takes priority over warning. The output will include the specifics of which limits
exceeded the threshold, and for limits that are per-resource, the resource IDs.
The Python class allows setting thresholds per-limit as either a percentage, or an integer usage value, or both; this functionality is not currently present in the command line wrapper.
To check all limits against their thresholds (in this example, one limit has crossed the warning threshold only, and another has crossed the critical threshold):
(venv)$ awslimitchecker --no-color
ApiGateway/APIs per account (limit 60) CRITICAL: 211
DynamoDB/Local Secondary Indexes (limit 5) CRITICAL: something-goes-here-index (...)
DynamoDB/Tables Per Region (limit 256) CRITICAL: 504
EC2/Security groups per VPC (limit 500) CRITICAL: vpc-12345678=674, vpc-c (...)
EC2/VPC security groups per elastic network interface (limit 5) CRITICAL: eni-01234567890123456=5, (...)
(...)
VPC/Entries per route table (limit 50) WARNING: rtb-01234567=40, rtb-6789 (...)
VPC/NAT Gateways per AZ (limit 5) CRITICAL: us-east-1d=9, us-east-1c= (...)
VPC/Virtual private gateways (limit 5) CRITICAL: 6
Set Custom Thresholds¶
To set the warning threshold of 50% and a critical threshold of 75% when checking limits:
(venv)$ awslimitchecker -W 97 --critical=98 --no-color
ApiGateway/APIs per account (limit 60) CRITICAL: 98
DynamoDB/Local Secondary Indexes (limit 5) CRITICAL: sale_setup_draft_vehicles (...)
DynamoDB/Tables Per Region (limit 256) WARNING: 250
EC2/Security groups per VPC (limit 500) CRITICAL: vpc-c89074a9=863
EC2/VPC security groups per elastic network interface (limit 5) CRITICAL: eni-8226ce61=5
(...)
S3/Buckets (limit 100) CRITICAL: 657
VPC/NAT Gateways per AZ (limit 5) CRITICAL: us-east-1d=7, us-east-1c= (...)
VPC/Virtual private gateways (limit 5) CRITICAL: 5
Required IAM Policy¶
awslimitchecker can also provide the user with an IAM Policy listing the minimum
permissions for it to perform all limit checks. This can be viewed with the
--iam-policy option:
(venv)$ awslimitchecker --iam-policy
{
"Statement": [
{
"Action": [
"apigateway:GET",
(...)
}
],
"Version": "2012-10-17"
}
For the current IAM Policy required by this version of awslimitchecker, see IAM Policy.
Connect to a Specific Region¶
To connect to a specific region (i.e. us-west-2), simply specify the region
name with the -r or --region options:
(venv)$ awslimitchecker -r us-west-2
Assume a Role in Another Account with STS¶
To assume the “foobar” role in account 123456789012 in region us-west-1,
specify the -r / --region option as well as the -A / --sts-account-id
and -R / --sts-account-role options:
(venv)$ awslimitchecker -r us-west-1 -A 123456789012 -R foobar
If you also need to specify an external_id of “myid”, you can do that with the
-E / --external-id options:
(venv)$ awslimitchecker -r us-west-1 -A 123456789012 -R foobar -E myid
Please note that this assumes that you already have STS configured and working between your account and the 123456789012 destination account; see the documentation for further information.
Python Usage¶
The full feature set of awslimitchecker is available through the Python API.
This page attempts to document some examples of usage, but the best resources are
runner, the command line wrapper, and the
API documentation.
Full Jenkins Example¶
A full example of a wrapper script with limit and threshold overrides, and a Jenkins job to run it,
is available in the docs/examples directory of awslimitchecker.
Simple Examples¶
Many of these examples use pprint to make output a bit nicer.
Instantiating the Class¶
Here we import and instantiate the AwsLimitChecker class; note that we also setup
Python’s logging module, which is used by awslimitchecker.
We also import pprint to make the output nicer.
>>> import logging
>>> logging.basicConfig()
>>> logger = logging.getLogger()
>>>
>>> from awslimitchecker.checker import AwsLimitChecker
>>> c = AwsLimitChecker()
Specifying a Region¶
To specify a region (“us-west-2” in this example), specify it as the region string
parameter to the class constructor:
>>> import logging
>>> logging.basicConfig()
>>> logger = logging.getLogger()
>>>
>>> from awslimitchecker.checker import AwsLimitChecker
>>> c = AwsLimitChecker(region='us-west-2')
Refreshing Trusted Advisor Check Results¶
Trusted Advisor check refresh behavior is controlled by the ta_refresh_mode
and ta_refresh_timeout parameters on the AwsLimitChecker
constructor, which are passed through to the TrustedAdvisor
constructor. See Internals - Trusted Advisor
for details of their possible values and meanings.
The below example shows constructing an AwsLimitChecker
class that will refresh Trusted Advisor limit checks only if their data is at least
6 hours (21600 seconds) old, and will allow up to 30 minutes (1800 seconds) for
the refresh to complete (if it times out, awslimitchecker will continue on with
the old data):
>>> import logging
>>> logging.basicConfig()
>>> logger = logging.getLogger()
>>>
>>> from awslimitchecker.checker import AwsLimitChecker
>>> c = AwsLimitChecker(ta_refresh_mode=21600, ta_refresh_timeout=1800)
Assuming a Role with STS¶
To check limits for another account using a Role assumed via STS,
specify the region, account_id and account_role parameters to the class constructor. If an external ID is needed,
this can be specified by the external_id parameter. All are strings:
>>> import logging
>>> logging.basicConfig()
>>> logger = logging.getLogger()
>>>
>>> from awslimitchecker.checker import AwsLimitChecker
>>> c = AwsLimitChecker(
>>> region='us-west-2',
>>> account_id='012345678901',
>>> account_role='myRoleName',
>>> external_id='myid'
>>> )
Setting a Limit Override¶
Override EC2’s “EC2-Classic Elastic IPs” limit from its default to 20,
using set_limit_override().
>>> c.set_limit_override('EC2', 'EC2-Classic Elastic IPs', 20)
Setting a Threshold Override¶
awslimitchecker has two sets of thresholds, warning and critical (intended to be used to
trigger different levels of alert/alarm or action). The default thresholds for warning and critical
are 80% and 99%, respectively; these program-wide defaults can be overridden by passing the
warning_threshold and/or critical_threshold arguments to the AwsLimitChecker
class constructor.
It is also possible to override these values on a per-limit basis, using the AwsLimitChecker
class’s set_threshold_override() (single limit’s threshold override)
and set_threshold_overrides() (dict of overrides) methods. When setting
threshold overrides, you can specify not only the percent threshold, but also a count of usage;
any limits which have a usage of more than this number will be detected as a warning or critical,
respectively.
To warn when our EC2-Classic Elastic IPs usage is above 50% (as opposed to the default of 80%)
and store a critical alert when it’s above 75% (as opposed to 99%):
>>> c.set_threshold_override('EC2', 'EC2-Classic Elastic IPs', warn_percent=50, crit_percent=75)
Another use could be to warn when certain services are used at all. As of the time of writing, the i2.8xlarge instances cost USD $6.82/hour, or $163/day.
To report a critical status if any i2.8xlarge instances are running:
>>> c.set_threshold_override('EC2', 'Running On-Demand i2.8xlarge instances', crit_count=1)
You do not need to also override the percent thresholds. Because of how check_thresholds()
evaluates thresholds, any crossed threshold will be considered an error condition.
Checking Thresholds¶
To check the current usage against limits, use check_thresholds(). The
return value is a nested dict of all limits with current usage meeting or exceeding the configured thresholds.
Keys are the AWS Service names (string), values are dicts of limit name (string) to AwsLimit
instances representing the limit and its current usage.
>>> result = c.check_thresholds()
>>> pprint.pprint(result)
{'EC2': {'Magnetic volume storage (TiB)': <awslimitchecker.limit.AwsLimit object at 0x7f398db62750>,
'Running On-Demand EC2 instances': <awslimitchecker.limit.AwsLimit object at 0x7f398db55910>,
'Running On-Demand m3.medium instances': <awslimitchecker.limit.AwsLimit object at 0x7f398db55a10>,
'Security groups per VPC': <awslimitchecker.limit.AwsLimit object at 0x7f398db62790>}}
Looking at one of the entries, its get_warnings() method tells us that the usage
did not exceed its warning threshold:
>>> result['EC2']['Magnetic volume storage (TiB)'].get_warnings()
[]
But its get_criticals() method tells us that it did meet or exceed the critical threshold:
>>> result['EC2']['Magnetic volume storage (TiB)'].get_criticals()
[<awslimitchecker.limit.AwsLimitUsage object at 0x7f2074dfeed0>]
We can then inspect the AwsLimitUsage instance for more information about current usage
that crossed the threshold:
In this particular case, there is no resource ID associated with the usage, because it is an aggregate (type-, rather than resource-specific) limit:
>>> result['EC2']['Magnetic volume storage (TiB)'].get_criticals()[0].resource_id
>>>
The usage is of the EC2 Volume resource type (where one exists, we use the CloudFormation Resource Type strings to identify resource types).
>>> result['EC2']['Magnetic volume storage (TiB)'].get_criticals()[0].aws_type
'AWS::EC2::Volume'
We can query the actual numeric usage value:
>>> pprint.pprint(result['EC2']['Magnetic volume storage (TiB)'].get_criticals()[0].get_value())
23.337
Or a string description of it:
>>> print(str(result['EC2']['Magnetic volume storage (TiB)'].get_criticals()[0]))
23.337
The “Security groups per VPC” limit also crossed thresholds, and we can see that it has one critical usage value:
>>> len(result['EC2']['Security groups per VPC'].get_warnings())
0
>>> len(result['EC2']['Security groups per VPC'].get_criticals())
1
As this limit is per-VPC, our string representation of the current usage includes the VPC ID that crossed the critical threshold:
>>> for usage in result['EC2']['Security groups per VPC'].get_criticals():
... print(str(usage))
...
vpc-c300b9a6=100
Disabling Trusted Advisor¶
To disable querying Trusted Advisor for limit information, simply call get_limits()
or check_thresholds() with use_ta=False:
>>> result = c.check_thresholds(use_ta=False)
Skipping Specific Services¶
You can completely disable all interaction with specific Services with the
remove_services() method. This method takes a list of
string Service names to remove from AwsLimitChecker’s internal services dict,
which will prevent those services from being queried or reported on.
To remove the Firehose and EC2 services:
c.remove_services(['Firehose', 'EC2'])
Logging¶
awslimitchecker uses the python logging library for logging, with module-level loggers
defined in each file. If you already have a root-level logger defined in your program and are using
a simple configuration (i.e. logging.basicConfig()), awslimitchecker logs will be emitted at
the same level as that which the root logger is configured.
Assuming you have a root-level logger defined and configured, and you only want to see awslimitchecker log messages of WARNING level and above, you can set the level of awslimitchecker’s logger before instantiating the class:
alc_log = logging.getLogger('awslimitchecker')
alc_log.setLevel(logging.WARNING)
checker = AwsLimitChecker()
It’s _highly_ recommended that you do not suppress log messages of WARNING or above, as these indicate situations where the checker may not present accurate or complete results.
If your application does not define a root-level logger, this becomes a bit more complicated. Assuming your application has a more complex configuration that uses a top-level logger ‘myapp’ with its own handlers defined, you can do something like the following. Note that this is highly specific to your logging setup:
# setup logging for awslimitchecker
alc_log = logging.getLogger('awslimitchecker')
# WARNING or higher should pass through
alc_log.setLevel(logging.WARNING)
# use myapp's handler(s)
for h in logging.getLogger('cm').handlers:
alc_log.addHandler(h)
# instantiate the class
checker = AwsLimitChecker()
Advanced Examples¶
For more examples, see docs/examples/README.rst on GitHub.
CI / Deployment Checks¶
This example checks usage, logs a message at WARNING level for any warning thresholds surpassed,
and logs a message at CRITICAL level for any critical thresholds passed. If any critical thresholds
were passed, it exits the script non-zero, i.e. to fail a CI or build job. In this example, we have
multiple critical thresholds crossed.
>>> import logging
>>> logging.basicConfig()
>>> logger = logging.getLogger()
>>>
>>> from awslimitchecker.checker import AwsLimitChecker
>>> c = AwsLimitChecker()
>>> result = c.check_thresholds()
>>>
>>> have_critical = False
>>> for service, svc_limits in result.items():
... for limit_name, limit in svc_limits.items():
... for warn in limit.get_warnings():
... logger.warning("{service} '{limit_name}' usage ({u}) exceeds "
... "warning threshold (limit={l})".format(
... service=service,
... limit_name=limit_name,
... u=str(warn),
... l=limit.get_limit(),
... )
... )
... for crit in limit.get_criticals():
... have_critical = True
... logger.critical("{service} '{limit_name}' usage ({u}) exceeds "
... "critical threshold (limit={l})".format(
... service=service,
... limit_name=limit_name,
... u=str(crit),
... l=limit.get_limit(),
... )
... )
...
CRITICAL:root:EC2 'Magnetic volume storage (TiB)' usage (23.417) exceeds critical threshold (limit=20)
CRITICAL:root:EC2 'Running On-Demand EC2 instances' usage (97) exceeds critical threshold (limit=20)
WARNING:root:EC2 'Security groups per VPC' usage (vpc-c300b9a6=96) exceeds warning threshold (limit=100)
CRITICAL:root:EC2 'Running On-Demand m3.medium instances' usage (53) exceeds critical threshold (limit=20)
CRITICAL:root:EC2 'EC2-Classic Elastic IPs' usage (5) exceeds critical threshold (limit=5)
>>> if have_critical:
... raise SystemExit(1)
...
(awslimitchecker)$ echo $?
1
Required IAM Permissions¶
Below is the sample IAM policy from this version of awslimitchecker, listing the IAM
permissions required for it to function correctly. Please note that in some cases
awslimitchecker may cause AWS services to make additional API calls on your behalf
(such as when enumerating ElasticBeanstalk resources, the ElasticBeanstalk service
itself will make s3:ListBucket and s3:GetBucketLocation calls). The policy
below includes only the bare minimum permissions for awslimitchecker to function
properly, and does not include permissions for any side-effect calls made by AWS
services that do not affect the results of this program.
{
"Statement": [
{
"Action": [
"apigateway:GET",
"apigateway:HEAD",
"apigateway:OPTIONS",
"autoscaling:DescribeAccountLimits",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"cloudformation:DescribeAccountLimits",
"cloudformation:DescribeStacks",
"cloudtrail:DescribeTrails",
"cloudtrail:GetEventSelectors",
"ds:GetDirectoryLimits",
"dynamodb:DescribeLimits",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeReservedInstances",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSpotDatafeedSubscription",
"ec2:DescribeSpotFleetInstances",
"ec2:DescribeSpotFleetRequestHistory",
"ec2:DescribeSpotFleetRequests",
"ec2:DescribeSpotInstanceRequests",
"ec2:DescribeSpotPriceHistory",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DescribeVpcs",
"ec2:DescribeVpnGateways",
"ecs:DescribeClusters",
"ecs:DescribeServices",
"ecs:ListClusters",
"ecs:ListServices",
"elasticache:DescribeCacheClusters",
"elasticache:DescribeCacheParameterGroups",
"elasticache:DescribeCacheSecurityGroups",
"elasticache:DescribeCacheSubnetGroups",
"elasticbeanstalk:DescribeApplicationVersions",
"elasticbeanstalk:DescribeApplications",
"elasticbeanstalk:DescribeEnvironments",
"elasticfilesystem:DescribeFileSystems",
"elasticloadbalancing:DescribeAccountLimits",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTargetGroups",
"firehose:ListDeliveryStreams",
"iam:GetAccountSummary",
"lambda:GetAccountSettings",
"rds:DescribeAccountAttributes",
"rds:DescribeDBInstances",
"rds:DescribeDBParameterGroups",
"rds:DescribeDBSecurityGroups",
"rds:DescribeDBSnapshots",
"rds:DescribeDBSubnetGroups",
"rds:DescribeEventSubscriptions",
"rds:DescribeOptionGroups",
"rds:DescribeReservedDBInstances",
"redshift:DescribeClusterSnapshots",
"redshift:DescribeClusterSubnetGroups",
"route53:GetHostedZone",
"route53:GetHostedZoneLimit",
"route53:ListHostedZones",
"s3:ListAllMyBuckets",
"ses:GetSendQuota",
"support:*",
"trustedadvisor:Describe*",
"trustedadvisor:RefreshCheck"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
}
Supported Limits¶
The section below lists every limit that this version of awslimitchecker knows how to check, and its hard-coded default value (per AWS documentation).
Limits with a ✔ in the “Trusted Advisor” column are comfirmed as being updated by Trusted Advisor. Note that so long as the Service and Limit names used by Trusted Advisor (and returned in its API responses) exactly match those shown below, all limits listed in Trusted Advisor “Service Limit” checks should be automatically used by awslimitchecker. However, limits marked here with a ✔ were detected as being returned by Trusted Advisor as of the last release. Note that not all accounts can access Trusted Advisor, or can access all limits known by Trusted Advisor.
Limits with a ✔ in the “API” column can be retrieved directly from the corresponding Service API; this information should be the most accurate and up-to-date, as it is retrieved directly from the service that evaluates and enforces limits. Limits retrieved via service API take precedence over Trusted Advisor and default limits.
ApiGateway¶
| Limit | Trusted Advisor | API | Default |
|---|---|---|---|
| API keys per account | 500 | ||
| Client certificates per account | 60 | ||
| Custom authorizers per API | 10 | ||
| Documentation parts per API | 2000 | ||
| Edge APIs per account | 120 | ||
| Private APIs per account | 600 | ||
| Regional APIs per account | 600 | ||
| Resources per API | 300 | ||
| Stages per API | 10 | ||
| Usage plans per account | 300 | ||
| VPC Links per account | 5 |
AutoScaling¶
| Limit | Trusted Advisor | API | Default |
|---|---|---|---|
| Auto Scaling groups | ✔ | ✔ | 200 |
| Launch configurations | ✔ | ✔ | 200 |
CloudFormation¶
| Limit | Trusted Advisor | API | Default |
|---|---|---|---|
| Stacks | ✔ | ✔ | 200 |
CloudTrail¶
| Limit | Trusted Advisor | API | Default |
|---|---|---|---|
| Data Resources Per Trail | 250 | ||
| Event Selectors Per Trail | 5 | ||
| Trails Per Region | 5 |
Directory Service¶
| Limit | Trusted Advisor | API | Default |
|---|---|---|---|
| CloudOnlyDirectories | ✔ | 10 | |
| CloudOnlyMicrosoftAD | ✔ | 10 | |
| ConnectedDirectories | ✔ | 10 |
DynamoDB¶
| Limit | Trusted Advisor | API | Default |
|---|---|---|---|
| Account Max Read Capacity Units | ✔ | 80000 | |
| Account Max Write Capacity Units | ✔ | 80000 | |
| Global Secondary Indexes | 5 | ||
| Local Secondary Indexes | 5 | ||
| Table Max Read Capacity Units | ✔ | 40000 | |
| Table Max Write Capacity Units | ✔ | 40000 | |
| Tables Per Region | 256 |
EBS¶
| Limit | Trusted Advisor | API | Default |
|---|---|---|---|
| Active snapshots | ✔ | 10000 | |
| Active volumes | ✔ | 5000 | |
| Cold (HDD) volume storage (GiB) | 307200 | ||
| General Purpose (SSD) volume storage (GiB) | ✔ | 102400 | |
| Magnetic volume storage (GiB) | ✔ | 20480 | |
| Provisioned IOPS | ✔ | 200000 | |
| Provisioned IOPS (SSD) storage (GiB) | ✔ | 102400 | |
| Throughput Optimized (HDD) volume storage (GiB) | 307200 |
EC2¶
Note on On-Demand vs Reserved Instances: The EC2 limits for “Running On-Demand” EC2 Instances apply only to On-Demand instances, not Reserved Instances. If you list all EC2 instances that are running in the Console or API, you’ll get back instances of all types (On-Demand, Reserved, etc.). The value that awslimitchecker reports for Running On-Demand Instances current usage will not match the number of instances you see in the Console or API.
| Limit | Trusted Advisor | API | Default |
|---|---|---|---|
| Elastic IP addresses (EIPs) | ✔ | ✔ | 5 |
| Max active spot fleets per region | 1000 | ||
| Max launch specifications per spot fleet | 50 | ||
| Max spot instance requests per region | 20 | ||
| Max target capacity for all spot fleets in region | 5000 | ||
| Max target capacity per spot fleet | 3000 | ||
| Rules per VPC security group | 50 | ||
| Running On-Demand EC2 instances | ✔ | 20 | |
| Running On-Demand a1.2xlarge instances | 20 | ||
| Running On-Demand a1.4xlarge instances | 20 | ||
| Running On-Demand a1.large instances | 20 | ||
| Running On-Demand a1.medium instances | 20 | ||
| Running On-Demand a1.xlarge instances | 20 | ||
| Running On-Demand c1.medium instances | 20 | ||
| Running On-Demand c1.xlarge instances | 20 | ||
| Running On-Demand c3.2xlarge instances | ✔ | 20 | |
| Running On-Demand c3.4xlarge instances | 20 | ||
| Running On-Demand c3.8xlarge instances | 20 | ||
| Running On-Demand c3.large instances | ✔ | 20 | |
| Running On-Demand c3.xlarge instances | ✔ | 20 | |
| Running On-Demand c4.2xlarge instances | ✔ | 20 | |
| Running On-Demand c4.4xlarge instances | ✔ | 10 | |
| Running On-Demand c4.8xlarge instances | 5 | ||
| Running On-Demand c4.large instances | ✔ | 20 | |
| Running On-Demand c4.xlarge instances | ✔ | 20 | |
| Running On-Demand c5.18xlarge instances | 5 | ||
| Running On-Demand c5.2xlarge instances | ✔ | 20 | |
| Running On-Demand c5.4xlarge instances | 10 | ||
| Running On-Demand c5.9xlarge instances | 5 | ||
| Running On-Demand c5.large instances | ✔ | 20 | |
| Running On-Demand c5.xlarge instances | 20 | ||
| Running On-Demand c5d.18xlarge instances | 20 | ||
| Running On-Demand c5d.2xlarge instances | 20 | ||
| Running On-Demand c5d.4xlarge instances | 20 | ||
| Running On-Demand c5d.9xlarge instances | 20 | ||
| Running On-Demand c5d.large instances | 20 | ||
| Running On-Demand c5d.xlarge instances | 20 | ||
| Running On-Demand c5n.18xlarge instances | 20 | ||
| Running On-Demand c5n.2xlarge instances | 20 | ||
| Running On-Demand c5n.4xlarge instances | 20 | ||
| Running On-Demand c5n.9xlarge instances | 20 | ||
| Running On-Demand c5n.large instances | 20 | ||
| Running On-Demand c5n.xlarge instances | 20 | ||
| Running On-Demand cc1.4xlarge instances | 20 | ||
| Running On-Demand cc2.8xlarge instances | 20 | ||
| Running On-Demand cg1.4xlarge instances | 2 | ||
| Running On-Demand cr1.8xlarge instances | 2 | ||
| Running On-Demand d2.2xlarge instances | 20 | ||
| Running On-Demand d2.4xlarge instances | 10 | ||
| Running On-Demand d2.8xlarge instances | 5 | ||
| Running On-Demand d2.xlarge instances | 20 | ||
| Running On-Demand f1.16xlarge instances | 20 | ||
| Running On-Demand f1.2xlarge instances | 20 | ||
| Running On-Demand f1.4xlarge instances | 20 | ||
| Running On-Demand g2.2xlarge instances | 5 | ||
| Running On-Demand g2.8xlarge instances | 2 | ||
| Running On-Demand g3.16xlarge instances | 1 | ||
| Running On-Demand g3.4xlarge instances | 1 | ||
| Running On-Demand g3.8xlarge instances | 1 | ||
| Running On-Demand g3s.xlarge instances | 20 | ||
| Running On-Demand h1.16xlarge instances | 5 | ||
| Running On-Demand h1.2xlarge instances | 20 | ||
| Running On-Demand h1.4xlarge instances | 20 | ||
| Running On-Demand h1.8xlarge instances | 10 | ||
| Running On-Demand hi1.4xlarge instances | 2 | ||
| Running On-Demand hs1.8xlarge instances | 2 | ||
| Running On-Demand i2.2xlarge instances | 8 | ||
| Running On-Demand i2.4xlarge instances | 4 | ||
| Running On-Demand i2.8xlarge instances | 2 | ||
| Running On-Demand i2.xlarge instances | 8 | ||
| Running On-Demand i3.16xlarge instances | 2 | ||
| Running On-Demand i3.2xlarge instances | 2 | ||
| Running On-Demand i3.4xlarge instances | 2 | ||
| Running On-Demand i3.8xlarge instances | 2 | ||
| Running On-Demand i3.large instances | 2 | ||
| Running On-Demand i3.metal instances | 20 | ||
| Running On-Demand i3.xlarge instances | 2 | ||
| Running On-Demand m1.large instances | 20 | ||
| Running On-Demand m1.medium instances | 20 | ||
| Running On-Demand m1.small instances | ✔ | 20 | |
| Running On-Demand m1.xlarge instances | 20 | ||
| Running On-Demand m2.2xlarge instances | 20 | ||
| Running On-Demand m2.4xlarge instances | 20 | ||
| Running On-Demand m2.xlarge instances | 20 | ||
| Running On-Demand m3.2xlarge instances | ✔ | 20 | |
| Running On-Demand m3.large instances | ✔ | 20 | |
| Running On-Demand m3.medium instances | ✔ | 20 | |
| Running On-Demand m3.xlarge instances | ✔ | 20 | |
| Running On-Demand m4.10xlarge instances | 5 | ||
| Running On-Demand m4.16xlarge instances | 5 | ||
| Running On-Demand m4.2xlarge instances | ✔ | 20 | |
| Running On-Demand m4.4xlarge instances | ✔ | 10 | |
| Running On-Demand m4.large instances | ✔ | 20 | |
| Running On-Demand m4.xlarge instances | ✔ | 20 | |
| Running On-Demand m5.12xlarge instances | 5 | ||
| Running On-Demand m5.24xlarge instances | 5 | ||
| Running On-Demand m5.2xlarge instances | 20 | ||
| Running On-Demand m5.4xlarge instances | 10 | ||
| Running On-Demand m5.large instances | ✔ | 20 | |
| Running On-Demand m5.xlarge instances | ✔ | 20 | |
| Running On-Demand m5a.12xlarge instances | 20 | ||
| Running On-Demand m5a.24xlarge instances | 20 | ||
| Running On-Demand m5a.2xlarge instances | 20 | ||
| Running On-Demand m5a.4xlarge instances | 20 | ||
| Running On-Demand m5a.large instances | 20 | ||
| Running On-Demand m5a.xlarge instances | 20 | ||
| Running On-Demand m5d.12xlarge instances | 20 | ||
| Running On-Demand m5d.24xlarge instances | 20 | ||
| Running On-Demand m5d.2xlarge instances | 20 | ||
| Running On-Demand m5d.4xlarge instances | 20 | ||
| Running On-Demand m5d.large instances | 20 | ||
| Running On-Demand m5d.xlarge instances | 20 | ||
| Running On-Demand p2.16xlarge instances | 1 | ||
| Running On-Demand p2.8xlarge instances | 1 | ||
| Running On-Demand p2.xlarge instances | 1 | ||
| Running On-Demand p3.16xlarge instances | 1 | ||
| Running On-Demand p3.2xlarge instances | 1 | ||
| Running On-Demand p3.8xlarge instances | 1 | ||
| Running On-Demand p3dn.24xlarge instances | 1 | ||
| Running On-Demand r3.2xlarge instances | ✔ | 20 | |
| Running On-Demand r3.4xlarge instances | ✔ | 10 | |
| Running On-Demand r3.8xlarge instances | 5 | ||
| Running On-Demand r3.large instances | 20 | ||
| Running On-Demand r3.xlarge instances | 20 | ||
| Running On-Demand r4.16xlarge instances | 1 | ||
| Running On-Demand r4.2xlarge instances | 20 | ||
| Running On-Demand r4.4xlarge instances | 10 | ||
| Running On-Demand r4.8xlarge instances | 5 | ||
| Running On-Demand r4.large instances | ✔ | 20 | |
| Running On-Demand r4.xlarge instances | ✔ | 20 | |
| Running On-Demand r5.12xlarge instances | 20 | ||
| Running On-Demand r5.16xlarge instances | 20 | ||
| Running On-Demand r5.24xlarge instances | 20 | ||
| Running On-Demand r5.2xlarge instances | 20 | ||
| Running On-Demand r5.4xlarge instances | 20 | ||
| Running On-Demand r5.8xlarge instances | 20 | ||
| Running On-Demand r5.large instances | 20 | ||
| Running On-Demand r5.metal instances | 20 | ||
| Running On-Demand r5.xlarge instances | 20 | ||
| Running On-Demand r5a.12xlarge instances | 20 | ||
| Running On-Demand r5a.24xlarge instances | 20 | ||
| Running On-Demand r5a.2xlarge instances | 20 | ||
| Running On-Demand r5a.4xlarge instances | 20 | ||
| Running On-Demand r5a.large instances | 20 | ||
| Running On-Demand r5a.xlarge instances | 20 | ||
| Running On-Demand r5d.12xlarge instances | 20 | ||
| Running On-Demand r5d.16xlarge instances | 20 | ||
| Running On-Demand r5d.24xlarge instances | 20 | ||
| Running On-Demand r5d.2xlarge instances | 20 | ||
| Running On-Demand r5d.4xlarge instances | 20 | ||
| Running On-Demand r5d.8xlarge instances | 20 | ||
| Running On-Demand r5d.large instances | 20 | ||
| Running On-Demand r5d.metal instances | 20 | ||
| Running On-Demand r5d.xlarge instances | 20 | ||
| Running On-Demand t1.micro instances | ✔ | 20 | |
| Running On-Demand t2.2xlarge instances | 20 | ||
| Running On-Demand t2.large instances | ✔ | 20 | |
| Running On-Demand t2.medium instances | ✔ | 20 | |
| Running On-Demand t2.micro instances | ✔ | 20 | |
| Running On-Demand t2.nano instances | ✔ | 20 | |
| Running On-Demand t2.small instances | ✔ | 20 | |
| Running On-Demand t2.xlarge instances | ✔ | 20 | |
| Running On-Demand t3.2xlarge instances | 20 | ||
| Running On-Demand t3.large instances | ✔ | 20 | |
| Running On-Demand t3.medium instances | ✔ | 20 | |
| Running On-Demand t3.micro instances | 20 | ||
| Running On-Demand t3.nano instances | 20 | ||
| Running On-Demand t3.small instances | 20 | ||
| Running On-Demand t3.xlarge instances | 20 | ||
| Running On-Demand x1.16xlarge instances | 20 | ||
| Running On-Demand x1.32xlarge instances | 20 | ||
| Running On-Demand x1e.16xlarge instances | 20 | ||
| Running On-Demand x1e.2xlarge instances | 20 | ||
| Running On-Demand x1e.32xlarge instances | 20 | ||
| Running On-Demand x1e.4xlarge instances | 20 | ||
| Running On-Demand x1e.8xlarge instances | 20 | ||
| Running On-Demand x1e.xlarge instances | 20 | ||
| Running On-Demand z1d.12xlarge instances | 20 | ||
| Running On-Demand z1d.2xlarge instances | 20 | ||
| Running On-Demand z1d.3xlarge instances | 20 | ||
| Running On-Demand z1d.6xlarge instances | 20 | ||
| Running On-Demand z1d.large instances | 20 | ||
| Running On-Demand z1d.xlarge instances | 20 | ||
| Security groups per VPC | 500 | ||
| VPC Elastic IP addresses (EIPs) | ✔ | ✔ | 5 |
| VPC security groups per elastic network interface | ✔ | 5 |
ECS¶
| Limit | Trusted Advisor | API | Default |
|---|---|---|---|
| Clusters | 2000 | ||
| Container Instances per Cluster | 2000 | ||
| EC2 Tasks per Service (desired count) | 1000 | ||
| Fargate Tasks | 50 | ||
| Services per Cluster | 1000 |
EFS¶
| Limit | Trusted Advisor | API | Default |
|---|---|---|---|
| File systems | 70 |
ELB¶
| Limit | Trusted Advisor | API | Default |
|---|---|---|---|
| Active load balancers | ✔ | ✔ | 20 |
| Certificates per application load balancer | 25 | ||
| Listeners per application load balancer | ✔ | 50 | |
| Listeners per load balancer | ✔ | 100 | |
| Listeners per network load balancer | ✔ | 50 | |
| Network load balancers | ✔ | 20 | |
| Registered instances per load balancer | ✔ | 1000 | |
| Rules per application load balancer | ✔ | 100 | |
| Target groups | ✔ | 3000 |
ElastiCache¶
| Limit | Trusted Advisor | API | Default |
|---|---|---|---|
| Nodes | 100 | ||
| Nodes per Cluster | 20 | ||
| Parameter Groups | 20 | ||
| Security Groups | 50 | ||
| Subnet Groups | 50 | ||
| Subnets per subnet group | 20 |
ElasticBeanstalk¶
| Limit | Trusted Advisor | API | Default |
|---|---|---|---|
| Application versions | 1000 | ||
| Applications | 75 | ||
| Environments | 200 |
Firehose¶
| Limit | Trusted Advisor | API | Default |
|---|---|---|---|
| Delivery streams per region | 50 |
IAM¶
| Limit | Trusted Advisor | API | Default |
|---|---|---|---|
| Groups | ✔ | ✔ | 300 |
| Instance profiles | ✔ | ✔ | 1000 |
| Policies | ✔ | ✔ | 1500 |
| Policy Versions In Use | ✔ | 10000 | |
| Roles | ✔ | ✔ | 1000 |
| Server certificates | ✔ | ✔ | 20 |
| Users | ✔ | ✔ | 5000 |
Lambda¶
| Limit | Trusted Advisor | API | Default |
|---|---|---|---|
| Code Size Unzipped (MiB) per Function | ✔ | 250 | |
| Code Size Zipped (MiB) per Function | ✔ | 50 | |
| Concurrent Executions | ✔ | 1000 | |
| Function Count | None | ||
| Total Code Size (MiB) | ✔ | 76800 | |
| Unreserved Concurrent Executions | ✔ | 1000 |
RDS¶
| Limit | Trusted Advisor | API | Default |
|---|---|---|---|
| DB Cluster Parameter Groups | ✔ | ✔ | 50 |
| DB Clusters | ✔ | ✔ | 40 |
| DB instances | ✔ | ✔ | 40 |
| DB parameter groups | ✔ | ✔ | 50 |
| DB security groups | ✔ | ✔ | 25 |
| DB snapshots per user | ✔ | ✔ | 100 |
| Event Subscriptions | ✔ | ✔ | 20 |
| Max auths per security group | ✔ | ✔ | 20 |
| Option Groups | ✔ | 20 | |
| Read replicas per master | ✔ | ✔ | 5 |
| Reserved Instances | ✔ | 40 | |
| Storage quota (GB) | ✔ | ✔ | 100000 |
| Subnet Groups | ✔ | ✔ | 50 |
| Subnets per Subnet Group | ✔ | ✔ | 20 |
| VPC Security Groups | 5 |
Redshift¶
| Limit | Trusted Advisor | API | Default |
|---|---|---|---|
| Redshift manual snapshots | 20 | ||
| Redshift subnet groups | 20 |
Route53¶
Note on Route53 Limits: The Route53 limit values (maxima) are set per-hosted zone, and can be increased by AWS support per-hosted zone. As such, each zone may have a different limit value.
| Limit | Trusted Advisor | API | Default |
|---|---|---|---|
| Record sets per hosted zone | ✔ | 10000 | |
| VPC associations per hosted zone | ✔ | 100 |
S3¶
| Limit | Trusted Advisor | API | Default |
|---|---|---|---|
| Buckets | 100 |
SES¶
| Limit | Trusted Advisor | API | Default |
|---|---|---|---|
| Daily sending quota | ✔ | ✔ | 200 |
VPC¶
| Limit | Trusted Advisor | API | Default |
|---|---|---|---|
| Entries per route table | 50 | ||
| Internet gateways | ✔ | 5 | |
| NAT Gateways per AZ | 5 | ||
| Network ACLs per VPC | 200 | ||
| Network interfaces per Region | ✔ | 350 | |
| Route tables per VPC | 200 | ||
| Rules per network ACL | 20 | ||
| Subnets per VPC | 200 | ||
| VPCs | ✔ | 5 | |
| Virtual private gateways | 5 |
Getting Help¶
If you have a quick question or need some simple assistance, you can try the gitter.im chat channel.
Enterprise Support Agreements and Contract Development¶
For Commercial or Enterprise support agreements for awslimitchecker, or for paid as-needed feature development or bug fixes, please contact Jason Antman at jason@jasonantman.com.
Reporting Bugs and Asking Questions¶
Questions, bug reports and feature requests are happily accepted via the GitHub Issue Tracker. Pull requests are welcome; see the Development documentation for information on PRs. Issues that don’t have an accompanying pull request will be worked on as my time and priority allows, and I’ll do my best to complete feature requests as quickly as possible. Please take into account that I work on this project solely in my personal time, I don’t get paid to work on it and I can’t work on it for my day job, so there may be some delay in getting things implemented.
Guidelines for Reporting Issues¶
Opening a new issue on GitHub should pre-populate the issue description with a template of the following:
Feature Requests¶
If your feature request is for support of a service or limit not currently
supported by awslimitchecker, you can simply title the issue add support for
<name of service, or name of service and limit> and add a simple description.
For anything else, please follow these guidelines:
- Describe in detail the feature you would like to see implemented, especially how it would work from a user perspective and what benefits it adds. Your description should be detailed enough to be used to determine if code written for the feature adequately solves the problem.
- Describe one or more use cases for why this feature will be useful.
- Indicate whether or not you will be able to assist in testing pre-release code for the feature.
Bug Reports¶
When reporting a bug in awslimitchecker, please provide all of the following information, as well as any additional details that may be useful in reproducing or fixing the issue:
- awslimitchecker version, as reported by
awslimitchecker --version. - How was awslimitchecker installed (provide as much detail as possible, ideally the exact command used and whether it was installed in a virtualenv or not).
- The output of
python --versionandvirtualenv --versionin the environment that awslimitchecker is running in. - Your operating system type and version.
- The output of awslimitchecker, run with the
-vv(debug-level output) flag that shows the issue. - The output that you expected (what’s wrong).
- If the bug/issue is related to TrustedAdvisor, which support contract your account has.
- Whether or not you are willing and able to assist in testing pre-release code intended to fix the issue.
Development¶
Any and all contributions to awslimitchecker are welcome. Guidelines for submitting code contributions in the form of pull requests on GitHub can be found below. For guidelines on submitting bug reports or feature requests, please see the Getting Help documentation. For any contributions that don’t fall into the above categories, please open an issue for further assistance.
Pull Requests¶
Please cut all pull requests against the “develop” branch. I’ll do my best to merge them as quickly as possible. If they pass all unit tests and have 100% coverage, it’ll certainly be easier. I work on this project only in my personal time, so I can’t always get things merged as quickly as I’d like. That being said, I’m committed to doing my best, and please call me out on it if you feel like I’m not.
Pull Request Guidelines¶
- All pull requests should be made against the
developbranch, NOT master. - If you have not contributed to the project before, all pull requests must include a statement that your contribution is being made under the same license as the awslimitchecker project (or any subsequent version of that license if adopted by awslimitchecker), may perpetually be included in and distributed with awslimitchecker, and that you have the legal power to agree to these terms.
- Code should conform to the Guidelines below.
- If you have difficulty writing tests for the code, feel free to ask for help or submit the PR without tests. This will increase the amount of time it takes to get merged, but I’d rather write tests for your code than write all the code myself.
- You’ve rebuilt the documentation using
tox -e docs
Installing for Development¶
To setup awslimitchecker for development:
- Fork the awslimitchecker repository on GitHub
- Create a
virtualenvto run the code in:
$ virtualenv awslimitchecker
$ cd awslimitchecker
$ source bin/activate
- Install your fork in the virtualenv as an editable git clone and install development dependencies:
$ pip install -e git+git@github.com:YOUR_NAME/awslimitchecker.git#egg=awslimitchecker
$ cd src/awslimitchecker
$ pip install -r dev/requirements_dev.txt
- Check out a new git branch. If you’re working on a GitHub issue you opened, your branch should be called “issues/N” where N is the issue number.
Guidelines¶
- pep8 compliant with some exceptions (see pytest.ini)
- 100% test coverage with pytest (with valid tests)
- Complete, correctly-formatted documentation for all classes, functions and methods.
- Connections to the AWS services should only be made by the class’s
connect()andconnect_resource()methods, inherited from theConnectablemixin. - All modules should have (and use) module-level loggers.
- See the section on the AGPL license below.
- Commit messages should be meaningful, and reference the Issue number if you’re working on a GitHub issue (i.e. “issue #x - <message>”). Please refrain from using the “fixes #x” notation unless you are sure that the the issue is fixed in that commit.
- Unlike many F/OSS projects on GitHub, there is no reason to squash your commits; this just loses valuable history and insight into the development process, which could prove valuable if a bug is introduced by your work. Until GitHub fixes this, we’ll live with a potentially messy git log in order to keep the history.
Adding New EC2 Instance Types¶
- Run
dev/missing_instance_types.pyto find all EC2 Instance types listed in the EC2 Pricing API that aren’t present in awslimitchecker and output a list of them. - In
services/ec2.pyupdate the constants in_instance_types()accordingly. - Check the EC2 Instance Type limits page
for any new types that have non-default limits, and update
_get_limits_instances()accordingly. - Update
tests/services/test_ec2.pyas needed.
Adding New Limits and Checks to Existing Services¶
First, note that all calls to boto3 client (“low-level”) methods that return a dict response that can
include ‘NextToken’ or another pagination marker, should be called through
paginate_dict() with the appropriate parameters.
- Add a new
AwsLimitinstance to the return value of the Service class’sget_limits()method. If Trusted Advisor returns data for this limit, be sure the service and limit names match those returned by Trusted Advisor. - In the Service class’s
find_usage()method (or a method called by that, in the case of large or complex services), get the usage information viaself.connand/orself.resource_connand pass it to the appropriate AwsLimit object via its_add_current_usage()method. For anything more than trivial services (those with only 2-3 limits),find_usage()should be broken into multiple methods, generally one per AWS API call. - If the service has an API call that retrieves current limit values, and its results
include your new limit, ensure that this value is updated in the limit via its
_set_api_limit()method. This should be done in the Service class’s_update_limits_from_api()method. - Ensure complete test coverage for the above.
In cases where the AWS service API has a different name than what is reported
by Trusted Advisor, or legacy cases where Trusted Advisor support is retroactively
added to a limit already in awslimitchecker, you must pass the
ta_service_name and ta_limit_name parameters to the AwsLimit
constructor, specifying the string values that are returned by Trusted Advisor.
Note on services with per-resource limits: Some AWS services, such as Route53,
set limits on each individual resource (i.e. each Hosted Zone, for Route53) instead
of globally for all resources in a region or account. When this is done, the per-resource
limit should be provided as the maximum argument to the AwsLimitUsage
class; AwsLimit will then properly determine warnings/criticals for the
limit. For further information, see the 5.0.0 release notes
and PR #345 where this was initially implemented.
Adding New Services¶
All Services are sublcasses of _AwsService
using the abc module.
First, note that all calls to boto3 client (“low-level”) methods that return a dict response that can
include ‘NextToken’ or another pagination marker, should be called through
paginate_dict() with the appropriate parameters.
- The new service name should be in CamelCase, preferably one word (if not one word, it should be underscore-separated).
In
awslimitchecker/services, use theaddservicescript; this will create a templated service class in the current directory, and create a templated (but far from complete) unit test file inawslimitchecker/tests/services:
./addservice ServiceName
- Find all “TODO” comments in the newly-created files; these have instructions on things to change for new services. Add yourself to the Authors section in the header if desired.
- Add an import line for the new service in
awslimitchecker/services/__init__.py. - Be sure to set the class’s
api_nameattribute to the correct name of the AWS service API (i.e. the parameter passed to boto3.client). This string can typically be found at the top of the Service page in the boto3 docs. - Write at least high-level tests; TDD is greatly preferred.
- Implement all abstract methods from
_AwsServiceand any other methods you need; small, easily-testable methods are preferred. Ensure all methods have full documentation. For simple services, you need only to search for “TODO” in the new service class you created (#1). See Adding New Limits for further information. - If your service has an API action to retrieve limit/quota information (i.e.
DescribeAccountAttributesfor EC2 and RDS), ensure that the service class has an_update_limits_from_api()method which makes this API call and updates each relevant AwsLimit via its_set_api_limit()method. - Test your code; 100% test coverage is expected, and mocks should be using
autospecorspec_set. - Ensure the
required_iam_permissions()method of your new class returns a list of all IAM permissions required for it to work. - Run all tox jobs, or at least one python version, docs and coverage.
- Commit the updated documentation to the repository.
- As there is no programmatic way to validate IAM policies, once you are done writing your service, grab the
output of
awslimitchecker --iam-policy, login to your AWS account, and navigate to the IAM page. Click through to create a new policy, paste the output of the--iam-policycommand, and click the “Validate Policy” button. Correct any errors that occur; for more information, see the AWS IAM docs on Using Policy Validator. It would also be a good idea to run any policy changes through the Policy Simulator. - Submit your pull request.
Trusted Advisor Checks¶
So long as the Service and Limit name strings returned by the Trusted Advisor (Support) API exactly match
how they are set on the corresponding _AwsService and AwsLimit objects, no code changes
are needed to support new limit checks from TA.
For further information, see Internals / Trusted Advisor.
Unit Testing¶
Testing is done via pytest, driven by tox.
- testing is as simple as:
pip install tox==2.7.0tox
- If you want to see code coverage:
tox -e cov- this produces two coverage reports - a summary on STDOUT and a full report in the
htmlcov/directory
- this produces two coverage reports - a summary on STDOUT and a full report in the
- If you want to pass additional arguments to pytest, add them to the tox command line after “–”. i.e., for verbose pytext output on py27 tests:
tox -e py27 -- -v
Note that while boto currently doesn’t have python3 support, we still run tests against py3 to ensure that this package is ready for it when boto is.
Integration Testing¶
Integration tests are automatically run in TravisCI for all non-pull request branches. You can run them manually from your local machine using:
tox -r -e integration,integration3
These tests simply run awslimitchecker’s CLI script for both usage and limits, for all services and each service individually. Note that this covers a very small amount of the code, as the account that I use for integration tests has virtually no resources in it.
If integration tests fail, check the required IAM permissions. The IAM user for Travis integration tests is configured via Terraform, which must be re-run after policy changes.
Building Docs¶
Much like the test suite, documentation is build using tox:
$ tox -e docs
Output will be in the docs/build/html directory under the project root.
AGPL License¶
awslimitchecker is licensed under the GNU Affero General Public License, version 3 or later.
Pursuant to Sections 5(b) and 13 of the license, all users of awslimitchecker - including those interacting with it remotely over a network - have a right to obtain the exact, unmodified running source code. We have done as much as possible to make this transparent to developers, with no additional work needed. See the guidelines below for information.
- If you’re simply running awslimitchecker via the command line, there’s nothing to worry about; just use it like any other software.
- If you’re using awslimitchecker in your own software in a way that allows users to interact with it over the network (i.e. in your
deployment or monitoring systems), but not modifying it, you also don’t need to do anything special; awslimitchecker will log a
WARNING-level message indicating where the source code of the currently-running version can be obtained. So long as you’ve installed
awslimitchecker via Python’s packaging system (i.e. with
pip), its current version and source will be automatically detected. This suffices for the AGPL source code offer provision, so long as it’s displayed to users and the currently-running source is unmodified. - If you wish to modify the source code of awslimitchecker, you need to do is ensure that
_get_version_info()always returns correct and accurate information (a publicly-accessible URL to the exact version of the running source code, and a version number). If you install your modified version directly from an editable (i.e.pip install -e), publicly-accessible Git repository, and ensure that changes are available in the repository before they are present in the code running for your users, this should be automatically detected by awslimitchecker and the correct URL provided. It is strongly recommended that any such repository is a fork of the project’s original GitHub repository. It is solely your responsibility to ensure that the URL and version information presented to users is accurate and reflects source code identical to what is running. - If you’re distributing awslimitchecker with modifications or as part of your own software (as opposed to simply an editable requirement that gets installed with pip), please read the license and ensure that you comply with its terms.
- If you are running awslimitchecker as part of a hosted service that users somehow interact with, please ensure that the source code URL and version is correct and visible in the output given to users.
Handling Issues and PRs¶
All PRs and new work should be based off of the develop branch.
PRs can be merged if they look good, and CHANGES.rst updated after the merge.
For issues:
- Cut a
issues/numberbranch off ofdevelop. - Work the issue, come up with a fix. Commit early and often, and mention “issue #x - <message>” in your commit messages.
- When you believe you have a working fix, build docs (
tox -e docs) and push to origin. Ensure all Travis tests pass. - Ensure that coverage has increased or stayed the same.
- Update
CHANGES.rstfor the fix; commit this with a message like “fixes #x - <message>” and push to origin. - Open a new pull request against the develop branch for this change; once all tests pass, merge it to develop.
- Assign the “unreleased fix” label to the issue. It should be closed automatically when develop is merged to master for a release, but this lets us track which issues have unreleased fixes.
Versioning Policy¶
As of version 1.0.0, awslimitchecker strives to follow semver 2.0.0 for versioning, with some specific clarifications:
- Major version bumps (backwards-incompatible changes):
- Any additional required IAM permissions, beyond the minimum policy from the last major version.
- Renaming (any change to the case-sensitive strings) any existing services or limits.
- Changing the signatures or argument types of any public methods.
- Any changes to direct dependencies or direct dependency version requirements.
- Any changes that would cause the documented usage examples (Python or CLI) to cease functioning.
- Minor version bumps (backwards-compatible feature additions and changes):
- Adding new limits or services that don’t require any IAM policy changes.
- New functionality that doesn’t change existing APIs or CLI arguments.
- Patch version bumps:
- Bug fixes
- Documentation, development/support tooling, or anything else that isn’t user-executed code.
This means that after 1.0.0, major version numbers will likely increase rather quickly.
Release Checklist¶
To perform a release, run dev/release.py.
Internals¶
Overall Program Flow¶
AwsLimitChecker provides the full and only public interface to this
project; it’s used by the awslimitchecker command line script (entry point to runner)
and should be the only portion directly used by external code.
Each AWS Service is represented by a subclass of the _AwsService abstract base
class; these Service Classes are responsible for knowing which limits exist for the service they represent, what the
default values for these limits are, querying current limits from the service’s API (if supported),
and how to check the current usage via the AWS API (boto3). When the
Service Classes are instantiated, they build a dict of all of their limits, correlating a string key (the “limit name”)
with an AwsLimit object. The Service Class constructors must not make any network
connections; connections are created lazily as needed and stored as a class attribute. This allows us to inspect the
services, limits and default limit values without ever connecting to AWS (this is also used to generate the
Supported Limits documentation automatically).
All calls to boto3 client (“low-level”) methods that return a dict response that can
include ‘NextToken’ or another pagination marker, should be called through
paginate_dict() with the appropriate parameters.
When AwsLimitChecker is instantiated, it imports services
which in turn creates instances of all awslimitchecker.services.* classes and adds them to a dict mapping the
string Service Name to the Service Class instance. These instances are used for all interaction with the services.
So, once an instance of AwsLimitChecker is created, we should have instant access
to the services and limits without any connection to AWS. This is utilized by the --list-services and
--list-defaults options for the command line client.
Trusted Advisor¶
When AwsLimitChecker is initialized, it also initializes an instance of
TrustedAdvisor. In get_limits(),
find_usage() and check_thresholds(), when called with
use_ta == True (the default), update_limits() is called on the TrustedAdvisor
instance.
update_limits() polls Trusted Advisor data from the Support API via
_poll(); this will retrieve the limits for all “flaggedResources” items in the
Service Limits Trusted Advisor check result for the current AWS account. It then calls
_update_services(), passing in the Trusted Advisor check results and the
dict of _AwsService objects it was called with (from AwsLimitChecker).
_update_services() iterates over the Services in the Trusted Advisor check result
and attempts to find a matching _AwsService (by string service name) in the dict passed
in from AwsLimitChecker. If a match is found, it iterates over all limits for that service
in the TA result and attempts to call the Service’s _set_ta_limit() method.
If a matching Service is not found, or if _set_ta_limit raises a ValueError (matching Limit not found
for that Service), an error is logged.
When AwsLimitChecker initializes
TrustedAdvisor, it passes in the
self.services dictionary of all services and limits. At initialization time,
TrustedAdvisor iterates all services
and limits, and builds a new dictionary mapping the limit objects by the return
values of their ta_service_name()
and ta_limit_name() properties. This
allows limits to override the Trusted Advisor service and limit name that their
data comes from. In the default case, their service and limit names will be used
as they are set in the awslimitchecker code, and limits which have matching
Trusted Advisor data will be automatically populated.
In the TrustedAdvisor class’s
_poll() method,
_get_refreshed_check_result() is used to retrieve the
check result data from Trusted Advisor. This method also implements the check
refresh logic. See the comments in the source code for the specific logic. There
are three methods of refreshing checks (refresh modes), which are controlled
by the ta_refresh_mode parameter to TrustedAdvisor:
- If
ta_refresh_modeis the string “wait”, the check will be refreshed and awslimitchecker will poll for the refresh result every 30 seconds, waiting for the refresh to complete (or untilta_refresh_timeoutseconds have elapsed). This is exposed via the CLI as the--ta-refresh-waitoption. - If
ta_refresh_modeis an integer, it will operate like the “wait” mode above, but only if the current result data for the check is more thanta_refresh_modeseconds old. This is exposed via the CLI as the--ta-refresh-olderoption. - If
ta_refresh_modeis the string “trigger”, the check will be refreshed and the program will continue on immediately, without waiting for the refresh to complete; this will almost certainly result in stale check results in the current run. However, this may be useful if you desire to keepawslimitcheckerruns short, and run it on a regular schedule (i.e. if you runawslimitcheckerevery 6 hours, and are OK with Trusted Advisor check data being 6 hours old). This is exposed via the CLI as the--ta-refresh-triggeroption.
Additionally, TrustedAdvisor has a
ta_refresh_timeout parameter. If this is set to a non-None value (an integer),
refreshes of the check will time out after that number of seconds. If a timeout
occurs, a message will be logged at error level, but the program will continue
running (most likely using the old result data). This parameter is exposed via
the CLI as the --ta-refresh-timeout option.
Important: It may take 30 to 60 minutes for the Service Limits check to refresh on large accounts. Please be aware of this when enabling the refresh options.
Using the check refresh options will require the trustedadvisor:RefreshCheck
IAM permission.
For use via Python, these same parameters (ta_refresh_mode and ta_refresh_timeout)
are exposed as parameters on the
AwsLimitChecker constructor.
Service API Limit Information¶
Some services provide API calls to retrieve at least some of the current limits, such as the DescribeAccountAttributes
API calls for RDS
and EC2. Services that
support such calls should make them in a _update_limits_from_api() method, which will be automatically called from
get_limits(). The _update_limits_from_api() method should make the API call, and then
update all relevant limits via the AwsLimit class’s _set_api_limit() method.
Limit Value Precedence¶
The value used for a limit is the first match in the following list:
- Limit Override (set at runtime)
- API Limit
- Trusted Advisor
- Hard-coded default
Threshold Overrides¶
For more information on overriding thresholds, see
Python Usage / Setting a Threshold Override as well as the
documentation for AwsLimitChecker.check_thresholds() and AwsLimitChecker.set_threshold_override().
awslimitchecker¶
awslimitchecker package¶
Subpackages¶
awslimitchecker.services package¶
Submodules¶
-
class
awslimitchecker.services.apigateway._ApigatewayService(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.services.base._AwsServiceDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
__module__= 'awslimitchecker.services.apigateway'¶
-
_find_usage_apis()[source]¶ Find usage on APIs / RestAPIs, and resources that are limited per-API. Update self.limits.
-
api_name= 'apigateway'¶
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update corresponding Limit via
_add_current_usage().
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'ApiGateway'¶
-
class
awslimitchecker.services.autoscaling._AutoscalingService(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.services.base._AwsServiceDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
__module__= 'awslimitchecker.services.autoscaling'¶
-
_update_limits_from_api()[source]¶ Query EC2’s DescribeAccountAttributes API action, and update limits with the quotas returned. Updates
self.limits.
-
api_name= 'autoscaling'¶
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update corresponding Limit via
_add_current_usage().
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'AutoScaling'¶
-
class
awslimitchecker.services.base._AwsService(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.connectable.ConnectableDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
__init__(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Describes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) –
The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) –
AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) –
the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) –
(optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
__metaclass__¶ alias of
abc.ABCMeta
-
__module__= 'awslimitchecker.services.base'¶
-
_set_ta_limit(limit_name, value)[source]¶ Set the value for the limit as reported by Trusted Advisor, for the specified limit.
This method should only be called by
TrustedAdvisor.Parameters: Raises: ValueError if limit_name is not known to this service
-
api_name= 'baseclass'¶
-
check_thresholds()[source]¶ Checks current usage against configured thresholds for all limits for this service.
Returns: a dict of limit name to AwsLimitinstance for all limits that crossed one or more of their thresholds.Return type: dictofAwsLimit
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update the
current_usageproperty of each correspondingAwsLimitinstance.This method MUST set
self._have_usage = True.If the boto3 method being called returns a dict response that can include ‘NextToken’ or another pagination marker, it should be called through
paginate_dict()with the appropriate parameters.
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.All limits must have
self.warning_thresholdandself.critical_thresholdpassed into them.Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'baseclass'¶
-
set_limit_override(limit_name, value, override_ta=True)[source]¶ Set a new limit
valuefor the specified limit, overriding the default. Ifoverride_tais True, also use this value instead of any found by Trusted Advisor. This method simply passes the data through to theset_limit_override()method of the underlyingAwsLimitinstance.Parameters: Raises: ValueError if limit_name is not known to this service
-
set_threshold_override(limit_name, warn_percent=None, warn_count=None, crit_percent=None, crit_count=None)[source]¶ Override the default warning and critical thresholds used to evaluate the specified limit’s usage. Theresholds can be specified as a percentage of the limit, or as a usage count, or both.
Parameters:
-
class
awslimitchecker.services.cloudformation._CloudformationService(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.services.base._AwsServiceDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
__module__= 'awslimitchecker.services.cloudformation'¶
-
_update_limits_from_api()[source]¶ Call the service’s API action to retrieve limit/quota information, and update AwsLimit objects in
self.limitswith this information.
-
api_name= 'cloudformation'¶
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update corresponding Limit via
_add_current_usage().
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'CloudFormation'¶
-
class
awslimitchecker.services.cloudtrail._CloudTrailService(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.services.base._AwsServiceDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
__module__= 'awslimitchecker.services.cloudtrail'¶
-
api_name= 'cloudtrail'¶
-
aws_type= 'AWS::CloudTrail::Trail'¶
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update corresponding Limit via
_add_current_usage().
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'CloudTrail'¶
-
class
awslimitchecker.services.directoryservice._DirectoryserviceService(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.services.base._AwsServiceDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
__module__= 'awslimitchecker.services.directoryservice'¶
-
_update_limits_from_api()[source]¶ Call the service’s API action to retrieve limit/quota information, and update AwsLimit objects in
self.limitswith this information.
-
api_name= 'ds'¶
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update corresponding Limit via
_add_current_usage().
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'Directory Service'¶
-
class
awslimitchecker.services.dynamodb._DynamodbService(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.services.base._AwsServiceDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
__module__= 'awslimitchecker.services.dynamodb'¶
-
_update_limits_from_api()[source]¶ Query DynamoDB’s DescribeLimits API action, and update limits with the quotas returned. Updates
self.limits.
-
api_name= 'dynamodb'¶
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update corresponding Limit via
_add_current_usage().
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'DynamoDB'¶
-
class
awslimitchecker.services.ebs._EbsService(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.services.base._AwsServiceDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
__module__= 'awslimitchecker.services.ebs'¶
-
_get_limits_ebs()[source]¶ Return a dict of EBS-related limits only. This method should only be used internally by :py:meth:~.get_limits`.
Return type: dict
-
api_name= 'ec2'¶
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update corresponding Limit via
_add_current_usage().
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'EBS'¶
-
class
awslimitchecker.services.ec2._Ec2Service(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.services.base._AwsServiceDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
__module__= 'awslimitchecker.services.ec2'¶
-
_get_limits_instances()[source]¶ Return a dict of limits for EC2 instances only. This method should only be used internally by :py:meth:~.get_limits`.
Return type: dict
-
_get_limits_networking()[source]¶ Return a dict of VPC-related limits only. This method should only be used internally by :py:meth:~.get_limits`.
Return type: dict
-
_get_limits_spot()[source]¶ Return a dict of limits for spot requests only. This method should only be used internally by :py:meth:~.get_limits`.
Return type: dict
-
_get_reserved_instance_count()[source]¶ For each availability zone, get the count of current instance reservations of each instance type. Return as a nested dict of AZ name to dict of instance type to reservation count.
Return type: dict
-
_instance_types()[source]¶ Return a list of all known EC2 instance types
Returns: list of all valid known EC2 instance types Return type: list
-
_instance_usage()[source]¶ Find counts of currently-running EC2 Instances (On-Demand or Reserved) by placement (Availability Zone) and instance type (size). Return as a nested dict of AZ name to dict of instance type to count.
Return type: dict
-
_update_limits_from_api()[source]¶ Query EC2’s DescribeAccountAttributes API action, and update limits with the quotas returned. Updates
self.limits.
-
api_name= 'ec2'¶
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update corresponding Limit via
_add_current_usage().
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'EC2'¶
-
class
awslimitchecker.services.ecs._EcsService(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.services.base._AwsServiceDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
__module__= 'awslimitchecker.services.ecs'¶
-
_find_usage_clusters()[source]¶ Find the ECS service usage for clusters. Calls
_find_usage_one_cluster()for each cluster.
-
_find_usage_one_cluster(cluster_name)[source]¶ Find usage for services in each cluster.
Parameters: cluster_name (str) – name of the cluster to find usage for
-
api_name= 'ecs'¶
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update corresponding Limit via
_add_current_usage().__NOTE__ that the “EC2 Tasks per Service (desired count)” limit uses non-standard resource IDs, as service names and ARNs aren’t unique by account or region, but only by cluster. i.e. the only way to uniquely identify an ECS Service is by the combination of service and cluster. As such, the
resource_idfield for usage values of the “EC2 Tasks per Service (desired count)” limit is a string of the formcluster=CLUSTER-NAME; service=SERVICE-NAME.
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'ECS'¶
-
class
awslimitchecker.services.efs._EfsService(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.services.base._AwsServiceDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
__module__= 'awslimitchecker.services.efs'¶
-
_update_limits_from_api()[source]¶ Call
connect()and then check what region we’re running in; adjust default limits as required for regions that differ (us-east-1).
-
api_name= 'efs'¶
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update corresponding Limit via
_add_current_usage().
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.Note: we can’t make connections to AWS in this method. So, the
_update_limits_from_api()method fixes this limit if we’re in us-east-1, which has a lower default limit.Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'EFS'¶
-
class
awslimitchecker.services.elasticache._ElastiCacheService(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.services.base._AwsServiceDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
__module__= 'awslimitchecker.services.elasticache'¶
-
api_name= 'elasticache'¶
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update corresponding Limit via
_add_current_usage().
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'ElastiCache'¶
-
class
awslimitchecker.services.elasticbeanstalk._ElasticBeanstalkService(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.services.base._AwsServiceDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
__module__= 'awslimitchecker.services.elasticbeanstalk'¶
-
api_name= 'elasticbeanstalk'¶
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update corresponding Limit via
_add_current_usage().
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'ElasticBeanstalk'¶
-
awslimitchecker.services.elb.ELBV2_MAX_RETRY_ATTEMPTS= 12¶ Override the elbv2 API maximum retry attempts
-
class
awslimitchecker.services.elb._ElbService(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.services.base._AwsServiceDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
__module__= 'awslimitchecker.services.elb'¶
-
_find_usage_elbv1()[source]¶ Find usage for ELBv1 / Classic ELB and update the appropriate limits.
Returns: number of Classic ELBs in use Return type: int
-
_find_usage_elbv2()[source]¶ Find usage for ELBv2 / Application LB and update the appropriate limits.
Returns: number of Application LBs in use Return type: int
-
_update_limits_from_api()[source]¶ Query ELB’s DescribeAccountLimits API action, and update limits with the quotas returned. Updates
self.limits.
-
_update_usage_for_alb(conn, alb_arn, alb_name)[source]¶ Update usage for a single ALB.
Parameters: - conn (
ElasticLoadBalancing.Client) – elbv2 API connection - alb_arn (str) – Load Balancer ARN
- alb_name (str) – Load Balancer Name
- conn (
-
_update_usage_for_nlb(conn, nlb_arn, nlb_name)[source]¶ Update usage for a single NLB.
Parameters: - conn (
ElasticLoadBalancing.Client) – elbv2 API connection - nlb_arn (str) – Load Balancer ARN
- nlb_name (str) – Load Balancer Name
- conn (
-
api_name= 'elb'¶
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update corresponding Limit via
_add_current_usage().
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'ELB'¶
-
class
awslimitchecker.services.firehose._FirehoseService(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.services.base._AwsServiceDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
__module__= 'awslimitchecker.services.firehose'¶
-
api_name= 'firehose'¶
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update corresponding Limit via
_add_current_usage().
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'Firehose'¶
-
class
awslimitchecker.services.iam._IamService(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.services.base._AwsServiceDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
API_TO_LIMIT_NAME= {'Groups': 'Groups', 'InstanceProfiles': 'Instance profiles', 'Policies': 'Policies', 'PolicyVersionsInUse': 'Policy Versions In Use', 'Roles': 'Roles', 'ServerCertificates': 'Server certificates', 'Users': 'Users'}¶
-
__module__= 'awslimitchecker.services.iam'¶
-
_update_limits_from_api()[source]¶ Call the service’s API action to retrieve limit/quota information, and update AwsLimit objects in
self.limitswith this information.
-
api_name= 'iam'¶
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update corresponding Limit via
_add_current_usage().
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'IAM'¶
-
class
awslimitchecker.services.lambdafunc._LambdaService(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.services.base._AwsServiceDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
__module__= 'awslimitchecker.services.lambdafunc'¶
-
_update_limits_from_api()[source]¶ Query Lambda’s DescribeLimits API action, and update limits with the quotas returned. Updates
self.limits.
-
api_name= 'lambda'¶
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update corresponding Limit via
_add_current_usage().
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'Lambda'¶
-
class
awslimitchecker.services.rds._RDSService(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.services.base._AwsServiceDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
API_NAME_TO_LIMIT= {'AllocatedStorage': 'Storage quota (GB)', 'AuthorizationsPerDBSecurityGroup': 'Max auths per security group', 'DBClusterParameterGroups': 'DB Cluster Parameter Groups', 'DBClusters': 'DB Clusters', 'DBInstances': 'DB instances', 'DBParameterGroups': 'DB parameter groups', 'DBSecurityGroups': 'DB security groups', 'DBSubnetGroups': 'Subnet Groups', 'EventSubscriptions': 'Event Subscriptions', 'ManualSnapshots': 'DB snapshots per user', 'OptionGroups': 'Option Groups', 'ReadReplicasPerMaster': 'Read replicas per master', 'ReservedDBInstances': 'Reserved Instances', 'SubnetsPerDBSubnetGroup': 'Subnets per Subnet Group'}¶
-
__module__= 'awslimitchecker.services.rds'¶
-
_update_limits_from_api()[source]¶ Query RDS’s DescribeAccountAttributes API action, and update limits with the quotas returned. Updates
self.limits.We ignore the usage information from the API,
-
api_name= 'rds'¶
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update corresponding Limit via
_add_current_usage().
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'RDS'¶
-
class
awslimitchecker.services.redshift._RedshiftService(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.services.base._AwsServiceDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
__module__= 'awslimitchecker.services.redshift'¶
-
api_name= 'redshift'¶
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update corresponding Limit via
_add_current_usage().
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'Redshift'¶
-
class
awslimitchecker.services.route53._Route53Service(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.services.base._AwsServiceDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
MAX_RRSETS_BY_ZONE= {'default_limit': 10000, 'name': 'Record sets per hosted zone', 'type': 'MAX_RRSETS_BY_ZONE'}¶
-
MAX_VPCS_ASSOCIATED_BY_ZONE= {'default_limit': 100, 'name': 'VPC associations per hosted zone', 'type': 'MAX_VPCS_ASSOCIATED_BY_ZONE'}¶
-
__module__= 'awslimitchecker.services.route53'¶
-
_find_limit_hosted_zone()[source]¶ Calculate the max recordsets and vpc associations and the current values per hosted zone
-
_get_hosted_zone_limit(limit_type, hosted_zone_id)[source]¶ Return a hosted zone limit [recordsets|vpc_associations]
Return type: dict
-
_get_hosted_zones()[source]¶ Return all available hosted zones
Returns: dict of hosted zones Return type: dict
-
_update_limits_from_api()[source]¶ Query Route53’s GetHostedZoneLimit API action, and update limits with the quotas returned. Updates
self.limits.
-
api_name= 'route53'¶
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update corresponding Limit via
_add_current_usage().
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.Limits from: docs.aws.amazon.com/Route53/latest/DeveloperGuide/DNSLimitations.html
Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'Route53'¶
-
class
awslimitchecker.services.s3._S3Service(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.services.base._AwsServiceDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
__module__= 'awslimitchecker.services.s3'¶
-
api_name= 's3'¶
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update corresponding Limit via
_add_current_usage().
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'S3'¶
-
class
awslimitchecker.services.ses._SesService(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.services.base._AwsServiceDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
__module__= 'awslimitchecker.services.ses'¶
-
_update_limits_from_api()[source]¶ Call the service’s API action to retrieve limit/quota information, and update AwsLimit objects in
self.limitswith this information.
-
api_name= 'ses'¶
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update corresponding Limit via
_add_current_usage().
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'SES'¶
-
class
awslimitchecker.services.vpc._VpcService(warning_threshold, critical_threshold, boto_connection_kwargs={})[source]¶ Bases:
awslimitchecker.services.base._AwsServiceDescribes an AWS service and its limits, and provides methods to query current utilization.
Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.
Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
-
__module__= 'awslimitchecker.services.vpc'¶
-
_find_usage_nat_gateways(subnet_to_az)[source]¶ find usage for NAT Gateways
Parameters: subnet_to_az (dict) – dict mapping subnet ID to AZ
-
_update_limits_from_api()[source]¶ Query EC2’s DescribeAccountAttributes API action and update the network interface limit, as needed. Updates
self.limits.More info on the network interface limit, from the docs: ‘This limit is the greater of either the default limit (350) or your On-Demand Instance limit multiplied by 5. The default limit for On-Demand Instances is 20.’
-
api_name= 'ec2'¶
-
find_usage()[source]¶ Determine the current usage for each limit of this service, and update corresponding Limit via
_add_current_usage().
-
get_limits()[source]¶ Return all known limits for this service, as a dict of their names to
AwsLimitobjects.Returns: dict of limit names to AwsLimitobjectsReturn type: dict
-
required_iam_permissions()[source]¶ Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.
Returns: list of IAM Action strings Return type: list
-
service_name= 'VPC'¶
Submodules¶
awslimitchecker.checker module¶
-
class
awslimitchecker.checker.AwsLimitChecker(warning_threshold=80, critical_threshold=99, profile_name=None, account_id=None, account_role=None, region=None, external_id=None, mfa_serial_number=None, mfa_token=None, ta_refresh_mode=None, ta_refresh_timeout=None, check_version=True)[source]¶ Bases:
objectMain AwsLimitChecker class - this should be the only externally-used portion of awslimitchecker.
Constructor builds
self.servicesas a dict of service_name (str) to_AwsServiceinstance, and sets limit thresholds.Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
- ta_refresh_mode (
strorintorNone) – How to handle refreshing Trusted Advisor checks; this is either None (do not refresh at all), the string “wait” (trigger refresh of all limit-related checks and wait for the refresh to complete), the string “trigger” (trigger refresh of all limit-related checks but do not wait for the refresh to complete), or an integer, which causes any limit-related checks more than this number of seconds old to be refreshed, waiting for the refresh to complete. Note that “trigger” will likely result in the current run getting stale data, but the check being refreshed in time for the next run. - ta_refresh_timeout (
intorNone) – Ifta_refresh_modeis “wait” or an integer (any mode that will wait for the refresh to complete), if this parameter is not None, only wait up to this number of seconds for the refresh to finish before continuing on anyway. - check_version (bool) – Whether or not to check for latest version of awslimitchecker on PyPI during instantiation.
-
__dict__= mappingproxy({'find_usage': <function AwsLimitChecker.find_usage>, '_get_sts_token': <function AwsLimitChecker._get_sts_token>, 'set_threshold_overrides': <function AwsLimitChecker.set_threshold_overrides>, '_boto_conn_kwargs': <property object>, 'set_limit_overrides': <function AwsLimitChecker.set_limit_overrides>, '__weakref__': <attribute '__weakref__' of 'AwsLimitChecker' objects>, '__dict__': <attribute '__dict__' of 'AwsLimitChecker' objects>, 'get_project_url': <function AwsLimitChecker.get_project_url>, 'get_limits': <function AwsLimitChecker.get_limits>, 'get_version': <function AwsLimitChecker.get_version>, '__init__': <function AwsLimitChecker.__init__>, 'set_threshold_override': <function AwsLimitChecker.set_threshold_override>, 'get_service_names': <function AwsLimitChecker.get_service_names>, '__doc__': None, 'set_limit_override': <function AwsLimitChecker.set_limit_override>, 'get_required_iam_policy': <function AwsLimitChecker.get_required_iam_policy>, 'remove_services': <function AwsLimitChecker.remove_services>, 'check_thresholds': <function AwsLimitChecker.check_thresholds>, '__module__': 'awslimitchecker.checker'})¶
-
__init__(warning_threshold=80, critical_threshold=99, profile_name=None, account_id=None, account_role=None, region=None, external_id=None, mfa_serial_number=None, mfa_token=None, ta_refresh_mode=None, ta_refresh_timeout=None, check_version=True)[source]¶ Main AwsLimitChecker class - this should be the only externally-used portion of awslimitchecker.
Constructor builds
self.servicesas a dict of service_name (str) to_AwsServiceinstance, and sets limit thresholds.Parameters: - warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
- critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
- profile_name (str) –
The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) –
AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) –
the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) –
(optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
- ta_refresh_mode (
strorintorNone) – How to handle refreshing Trusted Advisor checks; this is either None (do not refresh at all), the string “wait” (trigger refresh of all limit-related checks and wait for the refresh to complete), the string “trigger” (trigger refresh of all limit-related checks but do not wait for the refresh to complete), or an integer, which causes any limit-related checks more than this number of seconds old to be refreshed, waiting for the refresh to complete. Note that “trigger” will likely result in the current run getting stale data, but the check being refreshed in time for the next run. - ta_refresh_timeout (
intorNone) – Ifta_refresh_modeis “wait” or an integer (any mode that will wait for the refresh to complete), if this parameter is not None, only wait up to this number of seconds for the refresh to finish before continuing on anyway. - check_version (bool) – Whether or not to check for latest version of awslimitchecker on PyPI during instantiation.
-
__module__= 'awslimitchecker.checker'¶
-
__weakref__¶ list of weak references to the object (if defined)
-
_boto_conn_kwargs¶ Generate keyword arguments for boto3 connection functions.
If
self.account_idis defined, this will call_get_sts_token()to get STS token credentials using boto3.STS.Client.assume_role and include those credentials in the return value.If
self.profile_nameis defined, this will call boto3.Session() <http://boto3.readthedocs.io/en/latest/reference/core/session.html> with that profile and include those credentials in the return value.Returns: keyword arguments for boto3 connection functions Return type: dict
-
_get_sts_token()[source]¶ Assume a role via STS and return the credentials.
First connect to STS via
boto3.client(), then assume a role using boto3.STS.Client.assume_role usingself.account_idandself.account_role(and optionallyself.external_id,self.mfa_serial_number,self.mfa_token). Return the resultingConnectableCredentialsobject.Returns: STS assumed role credentials Return type: ConnectableCredentials
-
check_thresholds(service=None, use_ta=True)[source]¶ Check all limits and current usage against their specified thresholds; return all
AwsLimitinstances that have crossed one or more of their thresholds.If
serviceis specified, the returned dict has one element, the service name, whose value is a nested dict as described below; otherwise it includes all known services.The returned
AwsLimitobjects can be interrogated for their limits (get_limit()) as well as the details of usage that crossed the thresholds (get_warnings()andget_criticals()).See
AwsLimit.check_thresholds().Parameters: Returns: dict of service name (string) to nested dict of limit name (string) to limit (
AwsLimit)Return type:
-
find_usage(service=None, use_ta=True)[source]¶ For each limit in the specified service (or all services if
serviceisNone), query the AWS API viaboto3and find the current usage amounts for that limit.This method updates the
current_usageattribute of theAwsLimitobjects for each service, which can then be queried usingget_limits().Parameters: - service (
None, orlistservice names to get) – list of_AwsServicename(s), orNoneto check all services. - use_ta (bool) – check Trusted Advisor for information on limits
- service (
-
get_limits(service=None, use_ta=True)[source]¶ Return all
AwsLimitobjects for the given service name, or for all services ifserviceis None.If
serviceis specified, the returned dict has one element, the service name, whose value is a nested dict as described below.Parameters: Returns: dict of service name (string) to nested dict of limit name (string) to limit (
AwsLimit)Return type:
-
get_project_url()[source]¶ Return the URL for the awslimitchecker project.
Returns: URL of where to find awslimitchecker Return type: str
-
get_required_iam_policy()[source]¶ Return an IAM policy granting all of the permissions needed for awslimitchecker to fully function. This returns a dict suitable for json serialization to a valid IAM policy.
Internally, this calls
required_iam_permissions()on each_AwsServiceinstance.Returns: dict representation of IAM Policy Return type: dict
-
get_service_names()[source]¶ Return a list of all known service names
Returns: list of service names Return type: list
-
get_version()[source]¶ Return the version of awslimitchecker currently running.
Returns: current awslimitchecker version Return type: str
-
remove_services(services_to_remove=[])[source]¶ Remove all service names specified in
services_to_removefromself.services. This allows explicitly removing certain services from ever being checked or otherwise handled.By default, the various methods that work on Services (i.e.
get_limits(),find_usage()andcheck_thresholds()) operate on either all known services, or one specified service name at a time. This method allows you to remove one or more problematic or undesirable services from the dict of all services, and then operate on the remaining ones.Parameters: services_to_remove – the name(s) of one or more services to permanently exclude from future calls to this instance
-
set_limit_override(service_name, limit_name, value, override_ta=True)[source]¶ Set a manual override on an AWS service limits, i.e. if you had limits increased by AWS support.
This method calls
_AwsService.set_limit_override()on the corresponding _AwsService instance.Explicitly set limit overrides using this method will take precedence over default limits. They will also take precedence over limit information obtained via Trusted Advisor, unless
override_tais set toFalse.Parameters: Raises: ValueErrorif limit_name is not known to the service instance
-
set_limit_overrides(override_dict, override_ta=True)[source]¶ Set manual overrides on AWS service limits, i.e. if you had limits increased by AWS support. This takes a dict in the same form as that returned by
get_limits(), i.e. service_name (str) keys to nested dict of limit_name (str) to limit value (int) like:{ 'EC2': { 'Running On-Demand t2.micro Instances': 1000, 'Running On-Demand r3.4xlarge Instances': 1000, } }
Internally, for each limit override for each service in
override_dict, this method calls_AwsService.set_limit_override()on the corresponding _AwsService instance.Explicitly set limit overrides using this method will take precedence over default limits. They will also take precedence over limit information obtained via Trusted Advisor, unless
override_tais set toFalse.Parameters: Raises: ValueErrorif limit_name is not known to the service instance
-
set_threshold_override(service_name, limit_name, warn_percent=None, warn_count=None, crit_percent=None, crit_count=None)[source]¶ Set a manual override on the threshold (used for determining warning/critical status) for a specific limit. See
AwsLimitCheckerfor information on Warning and Critical thresholds.See
AwsLimit.set_threshold_override().Parameters: - service_name (str) – the name of the service to override limit for
- limit_name (str) – the name of the limit to override:
- warn_percent (int) – new warning threshold, percentage used
- warn_count (int) – new warning threshold, actual count/number
- crit_percent (int) – new critical threshold, percentage used
- crit_count (int) – new critical threshold, actual count/number
-
set_threshold_overrides(override_dict)[source]¶ Set manual overrides on the threshold (used for determining warning/critical status) a dict of limits. See
AwsLimitCheckerfor information on Warning and Critical thresholds.Dict is composed of service name keys (string) to dict of limit names (string), to dict of threshold specifications. Each threhold specification dict can contain keys ‘warning’ or ‘critical’, each having a value of a dict containing keys ‘percent’ or ‘count’, to an integer value.
Example:
{ 'EC2': { 'SomeLimit': { 'warning': { 'percent': 80, 'count': 8, }, 'critical': { 'percent': 90, 'count': 9, } } } }
See
AwsLimit.set_threshold_override().Parameters: override_dict (dict) – nested dict of threshold overrides
awslimitchecker.connectable module¶
-
class
awslimitchecker.connectable.Connectable[source]¶ Bases:
objectMix-in helper class for connecting to AWS APIs. Centralizes logic of connecting via regions and/or STS.
-
__dict__= mappingproxy({'__dict__': <attribute '__dict__' of 'Connectable' objects>, '__weakref__': <attribute '__weakref__' of 'Connectable' objects>, 'connect': <function Connectable.connect>, '__doc__': '\n Mix-in helper class for connecting to AWS APIs. Centralizes logic of\n connecting via regions and/or STS.\n ', '__module__': 'awslimitchecker.connectable', 'connect_resource': <function Connectable.connect_resource>})¶
-
__module__= 'awslimitchecker.connectable'¶
-
__weakref__¶ list of weak references to the object (if defined)
-
connect()[source]¶ Connect to an AWS API via boto3 low-level client and set
self.connto the boto3.client object (abotocore.client.*instance). Ifself.connis not None, do nothing. This connects to the API name given byself.api_name.Returns: None
-
connect_resource()[source]¶ Connect to an AWS API via boto3 high-level resource connection and set
self.resource_connto the boto3.resource object (aboto3.resources.factory.*.ServiceResourceinstance). Ifself.resource_connis not None, do nothing. This connects to the API name given byself.api_name.Returns: None
-
-
class
awslimitchecker.connectable.ConnectableCredentials(creds_dict)[source]¶ Bases:
objectboto’s (2.x)
boto.sts.STSConnection.assume_role()returns aboto.sts.credentials.Credentialsobject, but boto3’s boto3.sts.STSConnection.assume_role just returns a dict. This class provides a compatible interface for boto3.We also maintain an
account_idattribute that can be set to the account ID, to ensure that credentials are updated when switching accounts.-
__dict__= mappingproxy({'__init__': <function ConnectableCredentials.__init__>, '__dict__': <attribute '__dict__' of 'ConnectableCredentials' objects>, '__weakref__': <attribute '__weakref__' of 'ConnectableCredentials' objects>, '__doc__': "\n boto's (2.x) :py:meth:`boto.sts.STSConnection.assume_role` returns a\n :py:class:`boto.sts.credentials.Credentials` object, but boto3's\n `boto3.sts.STSConnection.assume_role <https://boto3.readthedocs.org/en/\n latest/reference/services/sts.html#STS.Client.assume_role>`_ just returns\n a dict. This class provides a compatible interface for boto3.\n\n We also maintain an ``account_id`` attribute that can be set to the\n account ID, to ensure that credentials are updated when switching accounts.\n ", '__module__': 'awslimitchecker.connectable'})¶
-
__module__= 'awslimitchecker.connectable'¶
-
__weakref__¶ list of weak references to the object (if defined)
-
awslimitchecker.limit module¶
-
class
awslimitchecker.limit.AwsLimit(name, service, default_limit, def_warning_threshold, def_critical_threshold, limit_type=None, limit_subtype=None, ta_service_name=None, ta_limit_name=None)[source]¶ Bases:
objectDescribes one specific AWS service limit, as well as its current utilization, default limit, thresholds, and any Trusted Advisor information about this limit.
Parameters: - name (str) – the name of this limit (may contain spaces); if possible, this should be the name used by AWS, i.e. TrustedAdvisor
- service (
_AwsService) – the_AwsServiceclass that this limit is for - default_limit (
int, orNoneif unlimited) – the default value of this limit for new accounts - def_warning_threshold (int) – the default warning threshold, as an integer percentage.
- def_critical_threshold (int) – the default critical threshold, as an integer percentage.
- limit_type – the type of resource this limit describes, specified as one of the type names used in CloudFormation # noqa such as “AWS::EC2::Instance” or “AWS::RDS::DBSubnetGroup”.
- limit_subtype (str) – resource sub-type for this limit, if applicable, such as “t2.micro” or “SecurityGroup”
- ta_service_name (str) – The service name returned by Trusted Advisor
for this limit, if different from the name of
service - ta_limit_name (str) – The limit name returned by Trusted Advisor for
this limit, if different from
name.
Raises: ValueError
-
__dict__= mappingproxy({'ta_service_name': <property object>, 'get_limit': <function AwsLimit.get_limit>, 'has_resource_limits': <function AwsLimit.has_resource_limits>, '_add_current_usage': <function AwsLimit._add_current_usage>, 'get_limit_source': <function AwsLimit.get_limit_source>, '__dict__': <attribute '__dict__' of 'AwsLimit' objects>, '__doc__': None, '__init__': <function AwsLimit.__init__>, 'get_criticals': <function AwsLimit.get_criticals>, 'ta_limit_name': <property object>, 'get_current_usage': <function AwsLimit.get_current_usage>, '_set_api_limit': <function AwsLimit._set_api_limit>, '_set_ta_unlimited': <function AwsLimit._set_ta_unlimited>, '__weakref__': <attribute '__weakref__' of 'AwsLimit' objects>, '_get_thresholds': <function AwsLimit._get_thresholds>, 'check_thresholds': <function AwsLimit.check_thresholds>, 'get_current_usage_str': <function AwsLimit.get_current_usage_str>, '_reset_usage': <function AwsLimit._reset_usage>, 'get_warnings': <function AwsLimit.get_warnings>, 'set_limit_override': <function AwsLimit.set_limit_override>, '_set_ta_limit': <function AwsLimit._set_ta_limit>, 'set_threshold_override': <function AwsLimit.set_threshold_override>, '__module__': 'awslimitchecker.limit'})¶
-
__init__(name, service, default_limit, def_warning_threshold, def_critical_threshold, limit_type=None, limit_subtype=None, ta_service_name=None, ta_limit_name=None)[source]¶ Describes one specific AWS service limit, as well as its current utilization, default limit, thresholds, and any Trusted Advisor information about this limit.
Parameters: - name (str) – the name of this limit (may contain spaces); if possible, this should be the name used by AWS, i.e. TrustedAdvisor
- service (
_AwsService) – the_AwsServiceclass that this limit is for - default_limit (
int, orNoneif unlimited) – the default value of this limit for new accounts - def_warning_threshold (int) – the default warning threshold, as an integer percentage.
- def_critical_threshold (int) – the default critical threshold, as an integer percentage.
- limit_type –
the type of resource this limit describes, specified as one of the type names used in CloudFormation # noqa such as “AWS::EC2::Instance” or “AWS::RDS::DBSubnetGroup”.
- limit_subtype (str) – resource sub-type for this limit, if applicable, such as “t2.micro” or “SecurityGroup”
- ta_service_name (str) – The service name returned by Trusted Advisor
for this limit, if different from the name of
service - ta_limit_name (str) – The limit name returned by Trusted Advisor for
this limit, if different from
name.
Raises: ValueError
-
__module__= 'awslimitchecker.limit'¶
-
__weakref__¶ list of weak references to the object (if defined)
-
_add_current_usage(value, maximum=None, resource_id=None, aws_type=None)[source]¶ Add a new current usage value for this limit.
Creates a new
AwsLimitUsageinstance and appends it to the internal list. If more than one usage value is given to this service, they should haveidandaws_typeset.This method should only be called from the
_AwsServiceinstance that created and manages this Limit.Parameters: - value (
intorfloat) – the numeric usage value - resource_id (str) – If there can be multiple usage values for one limit, an AWS ID for the resource this instance describes
- aws_type (str) –
if
idis not None, the AWS resource type that ID represents. As a convention, we use the AWS Resource Type names used by CloudFormation # noqa
- value (
-
_get_thresholds()[source]¶ Get the warning and critical thresholds for this Limit.
Return type is a 4-tuple of:
- warning integer (usage) threshold, or None
- warning percent threshold
- critical integer (usage) threshold, or None
- critical percent threshold
Return type: tuple
-
_set_api_limit(limit_value)[source]¶ Set the value for the limit as reported by the service’s API.
This method should only be called from the Service class.
Parameters: limit_value (int) – the API limit value
-
_set_ta_limit(limit_value)[source]¶ Set the value for the limit as reported by Trusted Advisor.
This method should only be called by
TrustedAdvisor.Parameters: limit_value (int) – the Trusted Advisor limit value
-
_set_ta_unlimited()[source]¶ Set state to indicate that TrustedAdvisor reports this limit as having no maximum (unlimited).
This method should only be called by
TrustedAdvisor.
-
check_thresholds()[source]¶ Check this limit’s current usage against the specified default thresholds, and any custom theresholds that have been set on the class instance. Return True if usage is within thresholds, or false if warning or critical thresholds have been surpassed.
This method sets internal variables in this instance which can be queried via
get_warnings()andget_criticals()to obtain further details about the thresholds that were crossed.Note This function returns False if any thresholds were crossed. Please be aware of this when setting threshold overrides to suppress alerts. Each threshold (
warn_percent,warn_count,crit_percent,crit_count) that has been set is evaluated individually and the result appended to a list of warnings or criticals, respectively. If any of these evaluations failed, the method returns False.Returns: False if any thresholds were crossed, True otherwise Return type: bool
-
get_criticals()[source]¶ Return a list of
AwsLimitUsageinstances that crossed the critical threshold. These objects are comparable and can be sorted.Return type: list
-
get_current_usage()[source]¶ Get the current usage for this limit, as a list of
AwsLimitUsageinstances.Returns: list of current usage values Return type: listofAwsLimitUsage
-
get_current_usage_str()[source]¶ Get the a string describing the current usage for this limit.
If no usage has been added for this limit, the result will be “<unknown>”.
If the limit has only one current usage instance, this will be that instance’s
__str__()value.If the limit has more than one current usage instance, this will be the a string of the form
max: X (Y)whereXis the__str__()value of the instance with the maximum value, andYis a comma-separated list of the__str__()values of all usage instances in ascending order.Returns: representation of current usage Return type: str
-
get_limit()[source]¶ Returns the effective limit value for this Limit, taking into account limit overrides and Trusted Advisor data. None is returned for limits that are explicitly unlimited.
Returns: effective limit value, intorNone
-
get_limit_source()[source]¶ Return
SOURCE_DEFAULTifget_limit()returns the default limit,SOURCE_OVERRIDEif it returns a manually-overridden limit,SOURCE_TAif it returns a limit from Trusted Advisor, orSOURCE_APIif it returns a limit retrieved from the service’s API.Returns: one of SOURCE_DEFAULT,SOURCE_OVERRIDE, orSOURCE_TA, orSOURCE_APIReturn type: int
-
get_warnings()[source]¶ Return a list of
AwsLimitUsageinstances that crossed the warning threshold. These objects are comparable and can be sorted.Return type: list
-
has_resource_limits()[source]¶ Determines if this limit contains usages with a specified maximum. Some AWS resources have a limit that is a different for each item.
Returns: whether of not some resources have a defined maximum Return type: bool
-
set_limit_override(limit_value, override_ta=True)[source]¶ Set a new value for this limit, to override the default (such as when AWS Support has increased a limit of yours). If
override_tais True, this value will also supersede any found through Trusted Advisor.Parameters:
-
set_threshold_override(warn_percent=None, warn_count=None, crit_percent=None, crit_count=None)[source]¶ Override the default warning and critical thresholds used to evaluate this limit’s usage. Theresholds can be specified as a percentage of the limit, or as a usage count, or both.
Note: The percent thresholds (
warn_percentandcrit_percent) have default values that are set globally for awslimitchecker, unlike the count thresholds. When setting threshold overrides to quiet or suppress alerts for a limit, you must set the percent thresholds. If you only set overrides for thecountthresholds, the percent thresholds will continue to be evaluated at their awslimitchecker-wide default, and likely prevent alerts from being suppressed.see
check_thresholds()for further information on threshold evaluation.Parameters:
-
class
awslimitchecker.limit.AwsLimitUsage(limit, value, maximum=None, resource_id=None, aws_type=None)[source]¶ Bases:
objectThis object describes the usage of an AWS resource, with the capability of containing information about the resource beyond an integer usage.
The simplest case is an account- / region-wide count, such as the number of running EC2 Instances, in which case a simple integer value is sufficient. In this case, the
AwsLimitwould have one instance of this class for the single value.In more complex cases, such as the “Subnets per VPC”, the limit is applied by AWS on multiple resources (once per VPC). In this case, the
AwsLimitshould have one instance of this class per VPC, so we can determine which VPCs have crossed thresholds.AwsLimitUsage objects are comparable based on their numeric
value.Parameters: - limit (
AwsLimit) – the AwsLimit that this instance describes - value (
intorfloat) – the numeric usage value - maximum (
intorfloat) – the numeric maximum value - resource_id (str) – If there can be multiple usage values for one limit, an AWS ID for the resource this instance describes
- aws_type (str) –
if
idis not None, the AWS resource type that ID represents. As a convention, we use the AWS Resource Type names used by CloudFormation # noqa
-
__dict__= mappingproxy({'get_value': <function AwsLimitUsage.get_value>, '__lt__': <function AwsLimitUsage.__lt__>, '__dict__': <attribute '__dict__' of 'AwsLimitUsage' objects>, '__gt__': <function AwsLimitUsage.__gt__>, '__weakref__': <attribute '__weakref__' of 'AwsLimitUsage' objects>, '__ne__': <function AwsLimitUsage.__ne__>, '__str__': <function AwsLimitUsage.__str__>, 'get_maximum': <function AwsLimitUsage.get_maximum>, '__init__': <function AwsLimitUsage.__init__>, '__hash__': None, '__doc__': None, '__eq__': <function AwsLimitUsage.__eq__>, '__module__': 'awslimitchecker.limit', '__ge__': <function AwsLimitUsage.__ge__>})¶
-
__hash__= None¶
-
__init__(limit, value, maximum=None, resource_id=None, aws_type=None)[source]¶ This object describes the usage of an AWS resource, with the capability of containing information about the resource beyond an integer usage.
The simplest case is an account- / region-wide count, such as the number of running EC2 Instances, in which case a simple integer value is sufficient. In this case, the
AwsLimitwould have one instance of this class for the single value.In more complex cases, such as the “Subnets per VPC”, the limit is applied by AWS on multiple resources (once per VPC). In this case, the
AwsLimitshould have one instance of this class per VPC, so we can determine which VPCs have crossed thresholds.AwsLimitUsage objects are comparable based on their numeric
value.Parameters: - limit (
AwsLimit) – the AwsLimit that this instance describes - value (
intorfloat) – the numeric usage value - maximum (
intorfloat) – the numeric maximum value - resource_id (str) – If there can be multiple usage values for one limit, an AWS ID for the resource this instance describes
- aws_type (str) –
if
idis not None, the AWS resource type that ID represents. As a convention, we use the AWS Resource Type names used by CloudFormation # noqa
- limit (
-
__module__= 'awslimitchecker.limit'¶
-
__str__()[source]¶ Return a string representation of this object.
If
idis not set, returnvalueformatted as a string; otherwise, return a string of the formatid=value.Return type: str
-
__weakref__¶ list of weak references to the object (if defined)
- limit (
-
awslimitchecker.limit.SOURCE_API= 3¶ indicates a limit value that came from the service’s API
-
awslimitchecker.limit.SOURCE_DEFAULT= 0¶ indicates a limit value that came from hard-coded defaults in awslimitchecker
-
awslimitchecker.limit.SOURCE_OVERRIDE= 1¶ indicates a limit value that came from user-defined limit overrides
-
awslimitchecker.limit.SOURCE_TA= 2¶ indicates a limit value that came from Trusted Advisor
awslimitchecker.runner module¶
-
class
awslimitchecker.runner.Runner[source]¶ Bases:
object-
__dict__= mappingproxy({'check_thresholds': <function Runner.check_thresholds>, 'list_defaults': <function Runner.list_defaults>, 'iam_policy': <function Runner.iam_policy>, 'show_usage': <function Runner.show_usage>, '__weakref__': <attribute '__weakref__' of 'Runner' objects>, '__dict__': <attribute '__dict__' of 'Runner' objects>, '__doc__': None, 'parse_args': <function Runner.parse_args>, '__init__': <function Runner.__init__>, 'print_issue': <function Runner.print_issue>, '__module__': 'awslimitchecker.runner', 'color_output': <function Runner.color_output>, 'list_limits': <function Runner.list_limits>, 'set_limit_overrides': <function Runner.set_limit_overrides>, 'console_entry_point': <function Runner.console_entry_point>, 'list_services': <function Runner.list_services>})¶
-
__module__= 'awslimitchecker.runner'¶
-
__weakref__¶ list of weak references to the object (if defined)
-
parse_args(argv)[source]¶ parse arguments/options
Parameters: argv (list) – argument list to parse, usually sys.argv[1:]Returns: parsed arguments Return type: argparse.Namespace
-
awslimitchecker.trustedadvisor module¶
-
class
awslimitchecker.trustedadvisor.TrustedAdvisor(all_services, boto_connection_kwargs, ta_refresh_mode=None, ta_refresh_timeout=None)[source]¶ Bases:
awslimitchecker.connectable.ConnectableClass to contain all TrustedAdvisor-related logic.
Parameters: - all_services (dict) –
AwsLimitCheckerservicesdictionary. - profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) – the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) – (optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
- ta_refresh_mode (
strorintorNone) – How to handle refreshing Trusted Advisor checks; this is either None (do not refresh at all), the string “wait” (trigger refresh of all limit-related checks and wait for the refresh to complete), the string “trigger” (trigger refresh of all limit-related checks but do not wait for the refresh to complete), or an integer, which causes any limit-related checks more than this number of seconds old to be refreshed, waiting for the refresh to complete. Note that “trigger” will likely result in the current run getting stale data, but the check being refreshed in time for the next run. - ta_refresh_timeout (
intorNone) – Ifta_refresh_modeis “wait” or an integer (any mode that will wait for the refresh to complete), if this parameter is not None, only wait up to this number of seconds for the refresh to finish before continuing on anyway.
-
__init__(all_services, boto_connection_kwargs, ta_refresh_mode=None, ta_refresh_timeout=None)[source]¶ Class to contain all TrustedAdvisor-related logic.
Parameters: - all_services (dict) –
AwsLimitCheckerservicesdictionary. - profile_name (str) –
The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
- account_id (str) –
AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
- account_role (str) –
the name of an IAM Role (in the destination account) to assume
- region (str) – AWS region name to connect to
- external_id (str) –
(optional) the External ID string to use when assuming a role via STS.
- mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
- mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
- ta_refresh_mode (
strorintorNone) – How to handle refreshing Trusted Advisor checks; this is either None (do not refresh at all), the string “wait” (trigger refresh of all limit-related checks and wait for the refresh to complete), the string “trigger” (trigger refresh of all limit-related checks but do not wait for the refresh to complete), or an integer, which causes any limit-related checks more than this number of seconds old to be refreshed, waiting for the refresh to complete. Note that “trigger” will likely result in the current run getting stale data, but the check being refreshed in time for the next run. - ta_refresh_timeout (
intorNone) – Ifta_refresh_modeis “wait” or an integer (any mode that will wait for the refresh to complete), if this parameter is not None, only wait up to this number of seconds for the refresh to finish before continuing on anyway.
- all_services (dict) –
-
__module__= 'awslimitchecker.trustedadvisor'¶
-
_can_refresh_check(check_id)[source]¶ Determine if the given check_id can be refreshed yet.
Parameters: check_id (str) – the Trusted Advisor check ID Returns: whether or not the check can be refreshed yet Return type: bool
-
_get_check_result(check_id)[source]¶ Directly wrap
Support.Client.describe_trusted_advisor_check_result(); return a 2-tuple of the result dict and the last refresh DateTime.Parameters: check_id (str) – the Trusted Advisor check ID Returns: 2-tuple of (result dict, last refresh DateTime). If the last refresh time can’t be parsed from the response, the second element will be None. Return type: tuple
-
_get_limit_check_id()[source]¶ Query currently-available TA checks, return the check ID and metadata of the ‘performance/Service Limits’ check.
Returns: 2-tuple of Service Limits TA check ID (string), metadata (list), or (None, None). Return type: tuple
-
_get_refreshed_check_result(check_id)[source]¶ Given the
check_id, return the dict of Trusted Advisor check results. This handles refreshing the Trusted Advisor check, if desired, according toself.refresh_modeandself.refresh_timeout.Parameters: check_id (str) – the Trusted Advisor check ID Returns: dict check result. The return value of Support.Client.describe_trusted_advisor_check_result()Return type: dict
-
_make_ta_service_dict()[source]¶ Build our service and limits dict. This is laid out identical to
self.all_services, but keys limits by theirta_service_nameandta_limit_nameproperties.Returns: dict of TA service names to TA limit names to AwsLimit objects.
-
_poll()[source]¶ Poll Trusted Advisor (Support) API for limit checks.
Return a dict of service name (string) keys to nested dict vals, where each key is a limit name and each value the current numeric limit.
e.g.:
{ 'EC2': { 'SomeLimit': 10, } }
-
_poll_for_refresh(check_id)[source]¶ Given a Trusted Advisor check_id that has just been refreshed, poll until the refresh is complete. Once complete, return the check result.
Parameters: check_id (str) – the Trusted Advisor check ID Returns: dict check result. The return value of Support.Client.describe_trusted_advisor_check_result()Return type: dict
-
_update_services(ta_results)[source]¶ Given a dict of TrustedAdvisor check results from
_poll()and a dict of Service objects passed in toupdate_limits(), updated the TrustedAdvisor limits for all services.Parameters:
-
api_name= 'support'¶
-
service_name= 'TrustedAdvisor'¶
-
update_limits()[source]¶ Poll ‘Service Limits’ check results from Trusted Advisor, if possible. Iterate over all
AwsLimitobjects for the given services and update their limits from TA if present in TA checks.Parameters: services (dict) – dict of service name (string) to _AwsServiceobjects
- all_services (dict) –
-
awslimitchecker.trustedadvisor.datetime_now()[source]¶ Helper function for testing; return
datetime.datetime.now().Returns: datetime.datetime.now()Return type: datetime.datetime
awslimitchecker.utils module¶
-
class
awslimitchecker.utils.StoreKeyValuePair(option_strings, dest, nargs=None, const=None, default=None, type=None, choices=None, required=False, help=None, metavar=None)[source]¶ Bases:
argparse.ActionStore key=value options in a dict as {‘key’: ‘value’}.
Supports specifying the option multiple times, but NOT with
nargs.See
Action.-
__init__(option_strings, dest, nargs=None, const=None, default=None, type=None, choices=None, required=False, help=None, metavar=None)[source]¶ Initialize self. See help(type(self)) for accurate signature.
-
__module__= 'awslimitchecker.utils'¶
-
-
awslimitchecker.utils._get_dict_value_by_path(d, path)[source]¶ Given a dict (
d) and a list specifying the hierarchical path to a key in that dict (path), return the value at that path or None if it does not exist.Parameters:
-
awslimitchecker.utils._get_latest_version()[source]¶ Attempt to retrieve the latest awslimitchecker version from PyPI, timing out after 4 seconds. If the version can be retrieved and is greater than the currently running version, return it as a string. If the version cannot be retrieved or is not greater than the currently running version, return None.
This function MUST not ever raise an exception.
Returns: latest version from PyPI, if newer than current version Return type: str or None
-
awslimitchecker.utils._set_dict_value_by_path(d, val, path)[source]¶ Given a dict (
d), a value (val), and a list specifying the hierarchical path to a key in that dict (path), set the value indatpathtoval.Parameters: Raises: TypeError if the path is too short
Returns: the modified dict
-
awslimitchecker.utils.dict2cols(d, spaces=2, separator=' ')[source]¶ Take a dict of string keys and string values, and return a string with them formatted as two columns separated by at least
spacesnumber ofseparatorcharacters.Parameters:
-
awslimitchecker.utils.paginate_dict(function_ref, *argv, **kwargs)[source]¶ Paginate through a query that returns a dict result, and return the combined result.
Note that this function requires some special kwargs to be passed in:
- __alc_marker_path__ - The dictionary path to the Marker for the next result set. If this path does not exist, the raw result will be returned.
- __alc_data_path__ - The dictionary path to the list containing the query results. This will be updated with the results of subsequent queries.
- __alc_marker_param__ - The parameter name to pass to
function_refwith the marker value.
These paths should be lists, in a form usable by
_get_dict_value_by_path().Parameters:
awslimitchecker.version module¶
-
class
awslimitchecker.version.AWSLimitCheckerVersion(release, url, commit=None, tag=None)[source]¶ Bases:
object-
__dict__= mappingproxy({'__init__': <function AWSLimitCheckerVersion.__init__>, '__repr__': <function AWSLimitCheckerVersion.__repr__>, '__dict__': <attribute '__dict__' of 'AWSLimitCheckerVersion' objects>, '__weakref__': <attribute '__weakref__' of 'AWSLimitCheckerVersion' objects>, 'version_str': <property object>, '__doc__': None, '__module__': 'awslimitchecker.version', '__str__': <function AWSLimitCheckerVersion.__str__>})¶
-
__init__(release, url, commit=None, tag=None)[source]¶ Initialize self. See help(type(self)) for accurate signature.
-
__module__= 'awslimitchecker.version'¶
-
__repr__()[source]¶ Return a representation of this object that is valid Python and will create an idential AWSLimitCheckerVersion object.
Return type: str
-
__str__()[source]¶ Human-readable string representation of this version object, in the format: “version_str <url>”
Return type: str
-
__weakref__¶ list of weak references to the object (if defined)
-
Changelog¶
6.1.0 (2019-01-30)¶
- PR #379 - Add support for EC2/VPC
Network interfaces per Regionlimit. Thanks to @nadlerjessie.
6.0.1 (2019-01-27)¶
- Issue #375 - Fix uncaught
ClientErrorexception when checking SES Send Quota in certain regions. Thanks to bergkampsliew for PR #376.
6.0.0 (2019-01-01)¶
This release requires new IAM permissions:
lambda:GetAccountSettings
Important: This release removes the ApiGateway APIs per account limit in favor of more-specific limits; see below.
- Issue #363 - Add support for the Lambda limits and usages.
- Clarify support for “unlimited” limits (limits where
awslimitchecker.limit.AwsLimit.get_limit()returnsNone). - Add support for 26 new EC2 instance types.
- Update default limits for ECS service.
ApiGatewayservice now has three ReST API limits (Regional API keys per account,Private API keys per account, andEdge API keys per account) in place of the previous singleAPIs per accountto reflect the current documented service limits.- API Gateway service - add support for
VPC Links per accountlimit. - Add support for Network Load Balancer limits
Network load balancersandListeners per network load balancer. - Add support for Application Load Balancer limits
Certificates per application load balancer. - Add support for Classic ELB (ELBv1)
Registered instances per load balancerlimit. - Rename
dev/terraform.pytodev/update_integration_iam_policy.pyand move from using terraform to manage integration test IAM policy to pure Python. - Note that I’ve left out the
Targets per application load balancerandTargets per network load balancerlimits. Checking usage for these requires iterating overDescribeTargetHealthfor each target group, so I’ve opted to leave it out at this time for performance reasons and because I’d guess that the number of people with 500 or 1000 targets per LB is rather small. Please open an issue if you’d like to see usage calculation for these limits.
Important Note on Limit Values¶
awslimitchecker has had documented support for Limits that are unlimited/”infinite” since 0.5.0 by returning None from awslimitchecker.limit.AwsLimit.get_limit(). Until now, that edge case was only triggered when Trusted Advisor returned “Unlimited” for a limit. It will now also be returned for the Lambda service’s Function Count Limit. Please be aware of this if you’re using the Python API and assuming Limit values are all numeric.
If you are relying on the output format of the command line awslimitchecker script, please use the Python API instead.
5.1.0 (2018-09-23)¶
- Issue #358 - Update EFS with new default limit for number of File systems: 70 in us-east-1 and 125 in other regions.
- PR #359 - Add support for
t3EC2 instance types (thanks to chafouin). - Switch
py37TravisCI tests from py37-dev to py37 (release).
5.0.0 (2018-07-30)¶
This release requires new IAM permissions:
cloudtrail:DescribeTrailscloudtrail:GetEventSelectorsroute53:GetHostedZoneroute53:ListHostedZonesroute53:GetHostedZoneLimit
This release officially drops support for Python 2.6 and 3.3.
- PR #345 / Issue #349 - Add Route53 service and checks for “Record sets per hosted zone” and “VPC associations per hosted zone” limits (the latter only for private zones). (thanks to julienduchesne).
- Support Per-Resource Limits (see below). Note that this includes some changes to the ``awslimitchecker`` CLI output format and some minor API changes.
- Issue #317 - Officially drop support for Python 2.6 and 3.3. Also, begin testing py37.
- Issue #346 - Update documentation for S3 API calls made by ElasticBeanstalk while retrieving EB limits (thanks to fenichelar for finding this).
- PR #350 - Add support for CloudTrail limits (thanks to fpiche).
- Issue #352 - Update version check PyPI URL and set User-Agent when performing version check.
- Issue #351 - Add support for forty two (42) missing EC2 instance types including the new c5d/m5d/r5d/z1d series instances.
Per-Resource Limits¶
Some Limits (AwsLimit) now have limits/maxima that are per-resource rather than shared across all resources of a given type. The first limit of this kind that awslimitchecker supports is Route53, where the “Record sets per hosted zone” and “VPC associations per hosted zone” limits are set on a per-resource (per-zone) basis rather than globally to all zones in the account. Limits of this kind are also different since, as they are per-resource, they can only be enumerated at runtime. Supporting limits of this kind required some changes to the internals of awslimitchecker (specifically the AwsLimit and AwsLimitUsage classes) as well as to the output of the command line script/entrypoint.
For limits which support different maxima/limit values per-resource, the command line awslimitchecker script -l / --list-limits functionality will now display them in Service/Limit/ResourceID format, i.e.:
Route53/Record sets per hosted zone/foo.com 10000 (API)
Route53/Record sets per hosted zone/bar.com 10000 (API)
Route53/Record sets per hosted zone/local. 15000 (API)
Route53/VPC associations per hosted zone/local. 100 (API)
As opposed to the Service/Limit format used for all existing limits, i.e.:
IAM/Groups 300 (API)
IAM/Instance profiles 2000 (API)
If you are relying on the output format of the command line awslimitchecker script, please use the Python API instead.
For users of the Python API, please take note of the new AwsLimit.has_resource_limits() and get_maximum() methods which assist in how to identify limits that have per-resource maxima. Existing code that only surfaces awslimitchecker’s warnings/criticals (the result of check_thresholds()) will work without modification, but any code that displays or uses the current limit values themselves may need to be updated.
4.0.2 (2018-03-22)¶
This is a minor bugfix release for one issue:
- Issue #341 - The Trusted Advisor EBS checks for
General Purpose (SSD) volume storage (GiB)andMagnetic volume storage (GiB)have been renamed to toGeneral Purpose SSD (gp2) volume storage (GiB)andMagnetic (standard) volume storage (GiB), respectively, to provide more unified naming. This change was made on March 19th or 20th without any public announcement, and resulted in awslimitchecker being unable to determine the current values for these limits from Trusted Advisor. Users relying on Trusted Advisor for these values saw the limit values incorrectly revert to the global default. This is an internal-only change to map the new Trusted Advisor check names to the awslimitchecker limit names.
4.0.1 (2018-03-09)¶
This is a minor bugfix release for a few issues that users have reported recently.
- Fix Issue #337 where sometimes an account even with Business-level support will not have a Trusted Advisor result for the Service Limits check, and will return a result with
status: not_availableor a missingflaggedResourceskey. - Fix Issue #335 where runs against the EFS service in certain unsupported regions result in either a connection timeout or an AccessDeniedException.
4.0.0 (2018-02-17)¶
This release requires new IAM permissions:
ds:GetDirectoryLimitsecs:DescribeClustersecs:DescribeServicesecs:ListClustersecs:ListServices- Fix various docstring problems causing documentation build to fail.
- PR #328 - Add support for Directory Service and ECS (thanks to di1214).
- NOTE the “EC2 Tasks per Service (desired count)” limit uses non-standard resource IDs, as service names and ARNs aren’t unique by account or region, but only by cluster. i.e. the only way to uniquely identify an ECS Service is by the combination of service and cluster. As such, the
resource_idfield for usage values of the “EC2 Tasks per Service (desired count)” limit is a string of the formcluster=CLUSTER-NAME; service=SERVICE-NAME.
- NOTE the “EC2 Tasks per Service (desired count)” limit uses non-standard resource IDs, as service names and ARNs aren’t unique by account or region, but only by cluster. i.e. the only way to uniquely identify an ECS Service is by the combination of service and cluster. As such, the
- PR #330 - Update numerous no-longer-correct default limits (thanks to GitHub user KingRogue).
- AutoScaling
- Auto Scaling groups - 20 to 200
- Launch configurations - 100 to 200
- EBS
- Provisioned IOPS - 40000 to 200000
- Provisioned IOPS (SSD) storage (GiB) - 20480 to 102400 (100 TiB)
- General Purpose (SSD) volume storage (GiB) - 20480 to 102400 (100 TiB)
- Throughput Optimized (HDD) volume storage (GiB) - 20480 to 307200 (300 TiB)
- Cold (HDD) volume storage (GiB) - 20480 to 307200 (300 TiB)
- ElasticBeanstalk
- Applications - 25 to 75
- Application versions - 500 to 1000
- IAM
- Groups - 100 to 300
- Roles - 250 to 1000
- Instance profiles - 100 to 1000
- Policies - 1000 to 1500
- AutoScaling
- Fix
dev/terraform.pyanddev/integration_test_iam.tffor integration tests. - Fix date and incorrect project name in some file/copyright headers.
- Issue #331 - Change layout of the generated Supported Limits documentation page to be more clear about which limits are supported, and include API and Trusted Advisor data in the same table as the limits and their defaults.
3.0.0 (2017-12-02)¶
Important Notice for python 2.6 and 3.3 users:
Python 2.6 reached its end of life in October 2013. Python 3.3 officially reached its end of life in September 2017, five years after development was ceased. The test framework used by awslimitchecker, pytest, has dropped support for Python 2.6 and 3.3 in its latest release. According to the PyPI download statistics (which unfortunately don’t take into account mirrors or caching proxies), awslimitchecker has only ever had one download reported as Python 3.3 and has a very, very small number reporting as Python 2.6 (likely only a handful of users). The next release of awslimitchecker will officially drop support for Python 2.6 and 3.3, changing the required Python version to 2.7 or >= 3.4. If you are one of the very few (perhaps only one) users running on Python 2.6, you can either run with a newer Python version or see Issue 301 for information on building a Docker container based on Python 3.5.
- Fix test failures caused by dependency updates.
- Pin
pytestdevelopment to 3.2.5 to continue python 2.6 and 3.3 support. - Issue #314 - Update RDS service default limits;
DB snapshots per userdefault limit increased from 50 to 100 andSubnet Groupslimit increased from 20 to 50. This should not have affected any users, as these limits are retrieved in realtime via the RDS API. - Issue #293 - Increase maximum number of retries (boto3/botocore) for
elbv2API calls, to attempt to deal with the large number of calls we have to make in order to count the ALB listeners and rules. This requires botocore >= 1.6.0, which requires boto3 >= 1.4.6. - Issue #315 - Add new instance types: ‘c5.18xlarge’, ‘c5.2xlarge’, ‘c5.4xlarge’, ‘c5.9xlarge’, ‘c5.large’, ‘c5.xlarge’, ‘g3.16xlarge’, ‘g3.4xlarge’, ‘g3.8xlarge’, ‘h1.16xlarge’, ‘h1.2xlarge’, ‘h1.4xlarge’, ‘h1.8xlarge’, ‘m5.12xlarge’, ‘m5.24xlarge’, ‘m5.2xlarge’, ‘m5.4xlarge’, ‘m5.large’, ‘m5.xlarge’, ‘p3.16xlarge’, ‘p3.2xlarge’, ‘p3.8xlarge’, ‘x1e.32xlarge’, ‘x1e.xlarge’
- Issue #316 - Automate release process.
2.0.0 (2017-10-12)¶
- Update README with correct boto version requirement. (Thanks to nadlerjessie for the contribution.)
- Update minimum
boto3version requirement from 1.2.3 to 1.4.4; the code for Issue #268 released in 0.11.0 requires boto3 >= 1.4.4 to make the ElasticLoadBalancingDescribeAccountLimitscall. - Bug fix for “Running On-Demand EC2 instances” limit - Issue #308 - The fix for Issue #215 / PR #223, released in 0.6.0 on November 11, 2016 was based on incorrect information about how Regional Benefit Reserved Instances (RIs) impact the service limit. The code implemented at that time subtracted Regional Benefit RIs from the count of running instances that we use to establish usage. Upon further review, as well as confirmation from AWS Support, some AWS TAMs, and the relevant AWS documentation, only Zonal RIs (AZ-specific) are exempt from the Running On-Demand Instances limit. Regional Benefit RIs are counted the same as any other On-Demand Instances, as they don’t have reserved capacity. This release stops subtracting Regional Benefit RIs from the count of Running Instances, which was causing awslimitchecker to report inaccurately low Running Instances usage.
1.0.0 (2017-09-21)¶
This release requires new IAM permissions:
apigateway:GETapigateway:HEADapigateway:OPTIONSec2:DescribeVpnGatewaysdynamodb:DescribeLimitsdynamodb:DescribeTabledynamodb:ListTables
Changes in this release:
- Issue #254 - Officially adopt SemVer for this project, and document our versioning policy.
- Issue #294 - Ignore NAT Gateways that are not in “available” or “pending” state.
- Issue #253 - Check latest awslimitchecker version on PyPI at class instantiation; log warning if a newer version is available. Add Python API and CLI options to disable this.
- Pin tox version to 2.7.0 as workaround for parsing change.
- Issue #292 - Add support for API Gateway limits.
- PR #302 - Add support for VPC VPN Gateways limit. (Thanks to andrewmichael for the contribution.)
- Issue #280 / PR #297 - Add support for DynamoDB limits. (Thanks to saratlingamarla for the contribution.)
0.11.0 (2017-08-06)¶
This release requires new IAM permissions:
elasticfilesystem:DescribeFileSystemselasticloadbalancing:DescribeAccountLimitselasticloadbalancing:DescribeListenerselasticloadbalancing:DescribeTargetGroupselasticloadbalancing:DescribeRules
Changes in this release:
- Issue #287 / PR #288 - Add support for Elastic Filesystem number of filesystems limit. (Thanks to nicksantamaria for the contribution.)
- Issue #268 - Add support for ELBv2 (Application Load Balancer) limits; get ELBv1 (Classic) and ELBv2 (Application) limits from the DescribeAccountLimits API calls.
0.10.0 (2017-06-25)¶
This release removes the ElastiCache Clusters limit, which no longer exists.
- Issue #283 - Add gitter.im chat link to README and docs.
- Issue #282 - versionfinder caused awslimitchecker to die unexpectedly on systems without a
gitbinary on the PATH. Bump versionfinder requirement to>= 0.1.1. - Issue #284 - Fix ElastiCache limits to reflect what AWS Support and the current documentation say, instead of a support ticket from July 2015.
- Remove the “Clusters” limit, which no longer exists.
- “Nodes per Cluster” limit is Memcached only.
- Add “Subnets per subnet group” limit.
- Issue #279 - Add Github release to release process.
0.9.0 (2017-06-11)¶
- Issue #269 - set Trusted Advisor limit name overrides for some RDS limits that were recently added to TA, but with different names than what awslimitchecker uses.
- Fix bug Issue #270 - do not count propagated routes towards the VPC “Entries per route table” limit, per clarification in VPC service limits documentation (“This is the limit for the number of non-propagated entries per route table.”)
- PR #276 /
Issue #275 - Add new
--skip-serviceCLI option andAwsLimitChecker.remove_servicesto allow skipping of one or more specific services during runs. (Thanks to tamsky for this contribution.) - PR #274 /
Issue #273 - Add support
for new
i3EC2 Instance types. (Thanks to tamsky) for this contribution.) - Fix broken docs build due to changes Intersphinx reference to ValueError in python2 docs
- Add hack to
docs/source/conf.pyas workaround for https://github.com/sphinx-doc/sphinx/issues/3860 - Issue #267 - Firehose is only
available in
us-east-1,us-west-2andeu-west-1. Omit the traceback from the log message for FirehoseEndpointConnectionErrorand log at warning instead of error.
0.8.0 (2017-03-11)¶
This release includes a breaking API change. Please see the first bullet point below. Note that once 1.0.0 is released (which should be relatively soon), such API changes will only come with a major version increment.
This release requires new IAM permissions: redshift:DescribeClusterSnapshots and redshift:DescribeClusterSubnetGroups.
This release removes Python 3.2 support. This was deprecated in 0.7.0. As of this release, awslimitchecker may still work on Python 3.2, but it is no longer tested and any support tickets or bug reports specific to 3.2 will be closed.
- PR #250 - Allow the
--servicecommand line option to accept multiple values. This is a breaking public API change; theawslimitchecker.checker.AwsLimitCheckerawslimitchecker.checker.AwsLimitChecker.check_thresholds,awslimitchecker.checker.AwsLimitChecker.find_usage, andawslimitchecker.checker.AwsLimitChecker.get_limitsmethods now take an optionalservicelist keyword argument instead of a string for a single service name. - PR #251 - Handle GovCloud-specific edge cases; specifically, UnsupportedOperation errors for EC2 Spot Instance-related API calls, and limits returned as 0 by the DescribeAccountAttributes EC2 API action.
- PR #249 - Add support for RedShift limits (Redshift subnet groups and Redshift manual snapshots).
This requires the
redshift:DescribeClusterSnapshotsandredshift:DescribeClusterSubnetGroupsIAM permissions. - Issue #259 - remove duplicates from required IAM policy returned by
awslimitchecker.checker.AwsLimitChecker.get_required_iam_policyandawslimitchecker --iam-policy. - Various TravisCI/tox build fixes:
- Fix pip caching; use default pip cache directory
- Add python 3.6 tox env and Travis env, now that it’s released
- Switch integration3 tox env from py3.4 to py3.6
- PR #256 - Add example of wrapping awslimitchecker in a script to send metrics to Prometheus.
- Issue #236 - Drop support for Python 3.2; stop testing under py32.
- Issue #257 - Handle ElastiCache DescribeCacheCluster responses that are missing
CacheNodeskey in a cluster description. - Issue #200 - Remove EC2 Spot Instances/Fleets limits from experimental status.
- Issue #123 - Update documentation on using session tokens (Session or Federation temporary creds).
0.7.0 (2017-01-15)¶
This release deprecates support for Python 3.2. It will be removed in the next release.
This release introduces support for automatically refreshing Trusted Advisor
checks on accounts that support this. If you use this new feature,
awslimitchecker will require a new permission, trustedadvisor:RefreshCheck.
See Getting Started - Trusted Advisor for further information.
- #231 - add support for new f1, r4 and t2.(xlarge|2xlarge) instance types, introduced in November 2016.
- #230 - replace the
built-in
versioncheck.pywith versionfinder. Remove all of the many versioncheck tests. - #233 - refactor tests to replace yield-based tests with parametrize, as yield-based tests are deprecated and will be removed in pytest 4.
- #235 - Deprecate Python 3.2 support. There don’t appear to have been any downloads on py32 in the last 6 months, and the effort to support it is too high.
- A bunch of Sphinx work to use README.rst in the generated documentation.
- Changed DEBUG-level logging format to include timestamp.
- #239 - Support refreshing Trusted Advisor check results during the run, and optionally waiting for refresh to finish. See Getting Started - Trusted Advisor for further information.
- #241 / PR #242 - Fix default ElastiCache/Nodes limit from 50 to 100, as that’s now what the docs say.
- #220 / PR #243 /
PR #245 - Fix for ExpiredTokenException Errors.
awslimitchecker.connectable.credentials has been removed.
In previous releases, awslimitchecker had been using a
Connectable.credentialsclass attribute to store AWS API credentials and share them betweenConnectablesubclass instances. The side-effect of this was that AWS credentials were set at the start of the Python process and never changed. For users taking advantage of the Python API and either using short-lived STS credentials or using long-running or threaded implementations, the same credentials persisted for the life of the process, and would often result in ExpiredTokenExceptions. The fix was to move _boto_conn_kwargs and _get_sts_token from connectable to the top-level AwsLimitChecker class itself, get the value of the_boto_conn_kwargsproperty in the constructor, and pass that value in to allConnectablesubclasses. This means that each instance of AwsLimitChecker has its own unique connection-related kwargs and credentials, and constructing a new instance will work intuitively - either use the newly-specified credentials, or regenerate STS credentials if configured to use them. I have to extend my deepest gratitude to the folks who identified and fixed this issue, specifically cstewart87 for the initial bug report and description, aebie for the tireless and relentlessly thorough investigation and brainstorming and for coordinating work for a fix, and willusher for the final implementation and dealing (wonderfully) with the dizzying complexity of many of the unit tests (and even matching the existing style).
0.6.0 (2016-11-12)¶
This release has a breaking change. The VPC NAT gateways has been renamed
to NAT Gateways per AZ and its get_current_usage() method will now return
a list with multiple items. See the changelog entry for #214 below.
This release requires the following new IAM permissions to function:
firehose:ListDeliveryStreams- #217 - add support
for new/missing EC2 instance types:
m4.16xlarge,x1.16xlarge,x1.32xlarge,p2.xlarge,p2.8xlarge,p2.16xlarge. - #215 - support “Regional Benefit” Reserved Instances that have no specific AZ set on them. Per AWS, these are exempt from On-Demand Running Instances limits like all other RIs.
- #214 - The VPC “NAT gateways” limit incorrectly calculated usage for the entire region, while the limit is actually per-AZ. It also had strange capitalization that confused users. The name has been changed to “NAT Gateways per AZ” and the usage is now correctly calculated per-AZ instead of region-wide.
- #221 /
PR #222 - Fix bug
in handling of STS Credentials where they are cached permanently in
connectable.Connectable.credentials, and new AwsLimitChecker instances in the same Python process reuse the first set of STS credentials. This is fixed by storing the Account ID as part ofconnectable.ConnectableCredentialsand getting new STS creds if the cached account ID does not match the currentaccount_idon theConnectableobject. - PR #216 - add new “Firehose” service with support for “Delivery streams per region” limit.
- #213 /
PR #188 - support
AWS cross-sdk credential file profiles via
-P/--profile, like awscli.
0.5.1 (2016-09-25)¶
This release requires the following new IAM permissions to function:
ec2:DescribeSpot*or more specifically:ec2:DescribeSpotDatafeedSubscriptionec2:DescribeSpotFleetInstancesec2:DescribeSpotFleetRequestHistoryec2:DescribeSpotFleetRequestsec2:DescribeSpotInstanceRequestsec2:DescribeSpotPriceHistory
ec2:DescribeNatGateways- #51 / PR #201 - Add experimental support for Spot Instance and Spot Fleet limits (only the ones explicitly documented by AWS). This is currently experimental, as the documentation is not terribly clear or detailed, and the author doesn’t have access to any accounts that make use of spot instances. This will be kept experimental until multiple users validate it. For more information, see the EC2 limit documentation.
- PR #204 contributed by hltbra to add support for VPC NAT Gateways limit.
- Add README and Docs link to waffle.io board.
- Fix bug where
--skip-tacommand line flag was ignored inshow_usage()(when running with-u/--show-usageaction). - Add link to waffle.io Kanban board
- #202 - Adds management of integration test IAM policy via Terraform.
- #211 - Add working download stats to README and docs
- Fix broken landscape.io badges in README and docs
- #194 - On Limits page of docs, clarify that Running On-Demand Instances does not include Reserved Instances.
- Multiple
tox.inichanges:- simplify integration and unit/versioncheck testenv blocks using factors and reuse
- py26 testenv was completely unused, and py26-unit was running and working with mock==2.0.0
- use pytest<3.0.0 in py32 envs
- #208 - fix KeyError when
timestampkey is missing from TrustedAdvisor check result dict
0.5.0 (2016-07-06)¶
This release includes a change to awslimitchecker’s Python API. awslimitchecker.limit.AwsLimit.get_limit can now return either an int or None, as TrustedAdvisor now lists some service limits as being explicitly “unlimited”.
- #195 - Handle TrustedAdvisor explicitly reporting some limits as “unlimited”. This introduces the concept of unlimited limits, where the effective limit is
None.
0.4.4 (2016-06-27)¶
0.4.3 (2016-05-08)¶
- PR #184 Fix default VPC/Security groups per VPC limit from 100 to 500, per VPC limits documentation (this limit was increased at some point recently). Thanks to Travis Thieman for this contribution.
0.4.2 (2016-04-27)¶
This release requires the following new IAM permissions to function:
elasticbeanstalk:DescribeApplicationselasticbeanstalk:DescribeApplicationVersionselasticbeanstalk:DescribeEnvironments- #70 Add support for ElasicBeanstalk service.
- #177 Integration tests weren’t being properly skipped for PRs.
- #175 the simplest and most clear contributor license agreement I could come up with.
- #172 add an integration test running against sa-east-1, which has fewer services than the popular US regions.
0.4.1 (2016-03-15)¶
0.4.0 (2016-03-14)¶
This release requires the following new IAM permissions to function:
rds:DescribeAccountAttributesiam:GetAccountSummarys3:ListAllMyBucketsses:GetSendQuotacloudformation:DescribeAccountLimitscloudformation:DescribeStacks
Issues addressed:
#150 add CHANGES.rst to Sphinx docs
-
- add support for RDS ‘DB Clusters’ and ‘DB Cluster Parameter Groups’ limits
- use API to retrieve RDS limits
- switch RDS from calculating usage to using the DescribeAccountAttributes usage information, for all limits other than those which are per-resource and need resource IDs (Max auths per security group, Read replicas per master, Subnets per Subnet Group)
- awslimitchecker now requires an additional IAM permission,
rds:DescribeAccountAttributes
#157 fix for TrustedAdvisor polling multiple times - have TA set an instance variable flag when it updates services after a poll, and skip further polls and updates if the flag is set. Also add an integration test to confirm this.
#50 Add support for IAM service with a subset of its limits (Groups, Instance Profiles, Policies, Policy Versions In Use, Roles, Server Certificates, Users), using both limits and usage information from the GetAccountSummary API action. This requires an additional IAM permission,
iam:GetAccountSummary.#48 Add support for S3 Buckets limit. This requires an additional IAM permission,
s3:ListAllMyBuckets.#71 Add support for SES service (daily sending limit). This requires an additional IAM permission,
ses:GetSendQuota.#69 Add support for CloudFormation service Stacks limit. This requires additional IAM permissions,
cloudformation:DescribeAccountLimitsandcloudformation:DescribeStacks.#166 Speed up TravisCI tests by dropping testing for PyPy and PyPy3, and only running the -versioncheck tests for two python interpreters instead of 8.
0.3.2 (2016-03-11)¶
- #155 Bug fix for uncaught KeyError on accounts with Trusted Advisor (business-level support and above). This was caused by an undocumented change released by AWS between Thu, 10 Mar 2016 07:00:00 GMT and Fri, 11 Mar 2016 07:00:00 GMT, where five new IAM-related checks were introduced that lack the
regiondata field (which the TrustedAdvisorResourceDetail API docs still list as a required field).
0.3.1 (2016-03-04)¶
- #117 fix Python 3.5 TravisCI tests and re-enable automatic testing for 3.5.
- #116 add t2.nano EC2 instance type; fix typo - “m4.8xlarge” should have been “m4.10xlarge”; update default limits for m4.(4|10)xlarge
- #134 Minor update to project description in docs and setup.py; use only _VERSION (not git) when building in RTD; include short description in docs HTML title; set meta description on docs index.rst.
- #128 Update Development and Getting Help documentation; add GitHub CONTRIBUTING.md file with link back to docs, as well as Issue and PR templates.
- #131 Refactor TrustedAdvisor interaction with limits for special naming cases (limits where the TrustedAdvisor service or limit name doesn’t match that of the awslimitchecker limit); enable newly-available TrustedAdvisor data for some EC2 on-demand instance usage.
0.3.0 (2016-02-18)¶
- Add coverage for one code branch introduced in PR #100 that wasn’t covered by tests.
- #112 fix a bug in the versioncheck integration tests, and a bug uncovered in versioncheck itself, both dealing with checkouts that are on a un-cloned branch.
- #105 build and upload wheels in addition to sdist
- #95 major refactor to convert AWS client library from boto to boto3. This also includes significant changes to the internal connection logic and some of the internal (private) API. Pagination has been moved to boto3 wherever possible, and handling of API request throttling has been removed from awslimitchecker, as boto3 handles this itself. This also introduces full, official support for python3.
- Add separate
localdocstox env for generating documentation and updating output examples. - #113 update, expand and clarify documentation around threshold overrides; ignore some sites from docs linkcheck.
- #114 expanded automatic integration tests
- Please note that version 0.3.0 of awslimitchecker moved from using
botoas its AWS API client to usingboto3. This change is mostly transparent, but there is a minor change in how AWS credentials are handled. Inboto, if theAWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEYenvironment variables were set, and the region was not set explicitly via awslimitchecker, the AWS region would either be taken from theAWS_DEFAULT_REGIONenvironment variable or would default to us-east-1, regardless of whether a configuration file (~/.aws/credentialsor~/.aws/config) was present. With boto3, it appears that the default region from the configuration file will be used if present, regardless of whether the credentials come from that file or from environment variables.
0.2.3 (2015-12-16)¶
0.2.2 (2015-12-02)¶
0.2.1 (2015-12-01)¶
0.2.0 (2015-11-29)¶
- #86 wrap all AWS API queries in
awslimitchecker.utils.boto_query_wrapperto retry queries with an exponential backoff when API request throttling/rate limiting is encountered - Attempt at fixing #47 where versioncheck acceptance tests fail under TravisCI, when testing master after a tagged release (when there’s a tag for the current commit)
- Fix #73 versioncheck.py reports incorrect information when package is installed in a virtualenv inside a git repository
- Fix #87 run coverage in all unit test Tox environments, not a dedicated env
- Fix #75 re-enable py26 Travis builds now that pytest-dev/pytest#1035 is fixed (pytest >= 2.8.3)
- Fix #13 re-enable Sphinx documentation linkcheck
- Fix #40 add support for pagination of API responses (to get all results) and handle pagination for all current services
- Fix #88 add support for API-derived limits. This is a change to the public API for
awslimitchecker.limit.AwsLimitand the CLI output. - Fix #72 add support for some new limits returned by Trusted Advisor. This renames the following limits:
*
EC2/EC2-VPC Elastic IPstoEC2/VPC Elastic IP addresses (EIPs)*RDS/Read Replicas per MastertoRDS/Read replicas per master*RDS/Parameter GroupstoRDS/DB parameter groups - Fix #84 pull some EC2 limits from the API’s DescribeAccountAttributes action
- Fix #94 pull AutoScaling limits from the API’s DescribeAccountLimits action
- Add
autoscaling:DescribeAccountLimitsandec2:DescribeAccountAttributesto required IAM permissions. - Ignore
AccountLimitsobjects from result pagination
0.1.3 (2015-10-04)¶
- Update trove classifier Development Status in setup.py to Beta
- Fix markup formatting issue in
docs/source/getting_started.rst - temporarily disable py26 testenv in Travis; failing due to upstream bug https://github.com/pytest-dev/pytest/issues/1035
- PR #64 and #68 -
support [STS](http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html) and regions
* Add support for passing in a region to connect to via
-r/--region* Add support for using STS to check resources in another account, including support forexternal_id* Major refactor of how service classes connect to AWS API - #74 add support for EC2 t2.large instance type
- #65 handle case where ElastiCache API returns CacheCluster response with CacheNodes None
- #63 update Python usage documentation
- #49 clean up badges in README.rst and sphinx index.rst; PyPi downloads and version badges broken (switch to shields.io)
- #67 fix typo in required IAM policy; comma missing in list returned from _Ec2Service.required_iam_permissions()
- #76 default limits for EBS volume usage were in TiB not GiB, causing invalid default limits on accounts without Trusted Advisor
- Changes to some tests in
test_versioncheck.pyto aid in debugging #47 where Travis tests fail on master because of git tag from release (if re-run after release)
0.1.2 (2015-08-13)¶
0.1.1 (2015-08-13)¶
- #54 - For ‘RDS/DB snapshots per user’ limit, only count manual snapshots.
- PR #58 - Fix issue where BotoServerError exception is unhandled when checking ElastiCache limits on new accounts without EC2-Classic.
- #55 - use .version instead of .parsed_version to fix version information when using pip<6
- #46 - versioncheck integration test fixes
* Rename
-integrationtox environments to-versioncheck* Skip versioncheck git install integration tests on PRs, since they’ll fail - #56 - logging fixes * change the AGPL warning message to write directly to STDERR instead of logging * document logging configuration for library use * move boto log suppression from checker to runner
- Add contributing docs
0.1.0 (2015-07-25)¶
- initial released version