awslimitchecker¶

Master:

Develop:

A script and python module to check your AWS service limits and usage, and warn when usage approaches limits.

Users building out scalable services in Amazon AWS often run into AWS’ service limits - often at the least convenient time (i.e. mid-deploy or when autoscaling fails). Amazon’s Trusted Advisor can help this, but even the version that comes with Business and Enterprise support only monitors a small subset of AWS limits and only alerts weekly. The new Service Quotas service can also help with this, but relies on CloudWatch alarms per-limit to notify you when you approach your limits; this cannot easily scale to the hundreds of current service limits. awslimitchecker provides a command line script and reusable Python package that queries your current usage of AWS resources and compares it to limits (hard-coded AWS defaults that you can override, API-based limits where available, Service Quotas data where available, or data from Trusted Advisor where available), notifying you when you are approaching or at your limits.

Full project documentation for the latest release is available at http://awslimitchecker.readthedocs.io/en/latest/.

Status¶

awslimitchecker is mature software, with approximately 13,000 downloads per month and in daily use at numerous organizations.

Development status is being tracked on a board at waffle.io: https://waffle.io/jantman/awslimitchecker

What It Does¶

Check current AWS resource usage against AWS Service Limits
Show and inspect current usage
Override default Service Limits (for accounts with increased limits)
Compare current usage to limits; return information about limits that exceed thresholds, and (CLI wrapper) exit non-0 if thresholds are exceeded
Define custom thresholds per-limit
where possible, pull current limits from Trusted Advisor API
where possible, pull current limits from each service’s API (for services that provide this information)
where possible, pull current limits from the Service Quotas service
Supports explicitly setting the AWS region
Supports using STS to assume roles in other accounts, including using external_id.
Optionally refresh Trusted Advisor “Service Limits” check before polling Trusted Advisor data, and optionally wait for the refresh to complete (up to an optional maximum time limit). See Getting Started - Trusted Advisor for more information.
Optionally send current usage and limit metrics to a metrics store, such as Datadog.
Optionally send warning/critical alerts to notification providers, such as PagerDuty.

Requirements¶

Either Docker in order to run via the docker image, or:

Python 3.5 or newer. Python 2.7 will not be supported as of January 1, 2010.
Python VirtualEnv and pip (recommended installation method; your OS/distribution should have packages for these)
boto3 >= 1.4.6 and its dependency botocore >= 1.6.0.

Installation and Usage¶

See Getting Started.

Credentials¶

See Credentials.

Getting Help and Asking Questions¶

See Getting Help.

For paid support and development options, please see the Enterprise Support Agreements and Contract Development section of the documentation.

There is also a gitter.im chat channel for support and discussion.

Changelog¶

See Changelog.

Contributions¶

Pull requests are most definitely welcome. Please cut them against the develop branch. For more information, see the development documentation. I’m also happy to accept contributions in the form of bug reports, feature requests, testing, etc.

License¶

awslimitchecker is licensed under the GNU Affero General Public License, version 3 or later. This shouldn’t be much of a concern to most people; see Development / AGPL for more information.

Contents¶

Getting Started¶

What It Does¶

Check current AWS resource usage against AWS Service Limits
Show and inspect current usage
Override default Service Limits (for accounts with increased limits)
Compare current usage to limits; return information about limits that exceed thresholds, and (CLI wrapper) exit non-0 if thresholds are exceeded
Define custom thresholds per-limit
Where possible, pull current limits from Trusted Advisor API
Supports explicitly setting the AWS region
Supports using STS to assume roles in other accounts, including using external_id.
Optionally refresh Trusted Advisor “Service Limits” check before polling Trusted Advisor data, and optionally wait for the refresh to complete (up to an optional maximum time limit). See Getting Started - Trusted Advisor for more information.
Supports retrieving current limits from the Service Quotas service. See Service Quotas service for more information.
Optionally send current usage and limit metrics to a metrics store such as Datadog.
Optionally send warning/critical alerts to an alert provider, such as PagerDuty.

Nomenclature¶

Service: An AWS Service or Product, such as EC2, VPC, RDS or ElastiCache. More specifically, Services in AwsLimitChecker correspond to distinct APIs for AWS Services.
Limit: An AWS-imposed maximum usage for a certain resource type in AWS. See AWS Service Limits. Limits are generally either account-wide or per-region. They have AWS global default values, but can be increased by AWS Support. “Limit” is also the term used within this documentation to describe AwsLimit objects, which describe a specific AWS Limit within this program.
Usage: “Usage” refers to your current usage of a specific resource that has a limit. Usage values/amounts (some integer or floating point number, such as number of VPCs or GB of IOPS-provisioned storage) are represented by instances of the AwsLimitUsage class. Limits that are measured as a subset of some “parent” resource, such as “Subnets per VPC” or “Read Replicas per Master” have their usage tracked per parent resource, so you can easily determine which ones are problematic.
Threshold: The point at which AwsLimitChecker will consider the current usage for a limit to be problematic. Global thresholds default to usage >= 80% of limit for “warning” severity, and usage >= 99% of limit for “critical” severity. Limits which have reached or exceeded their threshold will be reported separately for warning and critical (we generally consider “warning” to be something that will require human intervention in the near future, and “critical” something that is an immediate problem, i.e. should block automated processes). The awslimitchecker command line wrapper can override the default global thresholds. The AwsLimitChecker class can both override global percentage thresholds, as well as specify per-limit thresholds as a percentage, a fixed usage value, or both. For more information on overriding thresholds, see Python Usage / Setting a Threshold Override as well as the documentation for AwsLimitChecker.check_thresholds() and AwsLimitChecker.set_threshold_override().

Requirements¶

Either Docker in order to run via the docker image, or:

Python 3.5 or newer. Python 2.7 will not be supported as of January 1, 2010.
Python VirtualEnv and pip (recommended installation method; your OS/distribution should have packages for these)
boto3 >= 1.4.6 and its dependency botocore >= 1.6.0.

Installing¶

awslimitchecker now distributes an official Docker image, which removes the need to install locally. If you wish to run via this method, please see Docker Usage.

If not running via Docker, it’s recommended that you install into a virtual environment (virtualenv / venv). See the virtualenv usage documentation for more details, but the gist is as follows (the virtualenv name, “limitchecker” here, can be whatever you want):

virtualenv limitchecker
source limitchecker/bin/activate
pip install awslimitchecker

Version Specification¶

If you’re using awslimitchecker in automated tooling that recreates the virtualenv (such as Jenkins or cron jobs, etc) you’ll probably want to install a specific version so that the job doesn’t unexpectedly break. It’s recommended that you pin your installation to a major version. According to awslimitchecker’s versioning policy, this should ensure that you get the latest awslimitchecker version that’s compatible with your IAM policy and dependencies and has no backwards-incompatible API changes.

Credentials¶

Aside from STS, awslimitchecker does nothing with AWS credentials, it leaves that to boto itself. You must either have your credentials configured in one of boto3’s supported config files or set as environment variables. If your credentials are in the cross-SDK credentials file (~/.aws/credentials) under a named profile section, you can use credentials from that profile by specifying the -P / --profile command lint option. See boto3 config and this project’s documentation for further information.

Please note that version 0.3.0 of awslimitchecker moved from using boto as its AWS API client to using boto3. This change is mostly transparent, but there is a minor change in how AWS credentials are handled. In boto, if the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables were set, and the region was not set explicitly via awslimitchecker, the AWS region would either be taken from the AWS_DEFAULT_REGION environment variable or would default to us-east-1, regardless of whether a configuration file (~/.aws/credentials or ~/.aws/config) was present. With boto3, it appears that the default region from the configuration file will be used if present, regardless of whether the credentials come from that file or from environment variables.

When using STS, you will need to specify the -r / --region option as well as the -A / --sts-account-id and -R / --sts-account-role options to specify the Account ID that you want to assume a role in, and the name of the role you want to assume. If an external ID is required, you can specify it with -E / --external-id.

In addition, when assuming a role STS, you can use a MFA device. simply specify the device’s serial number with the -M / --mfa-serial-number option and a token generated by the device with the -T / --mfa-token option. STS credentials will be cached for the lifetime of the program.

Important Note on Session and Federation (Temporary) Credentials: The temporary credentials granted by the AWS IAM GetFederationToken and GetSessionToken API calls will throw errors when trying to access the IAM API (except for Session tokens, which will work for IAM API calls only if an MFA token is used). Furthermore, Federation tokens cannot make use of the STS AssumeRole functionality. If you attempt to use awslimitchecker with credentials generated by these APIs (commonly used by organizations to hand out limited-lifetime credentials), you will likely encounter errors when checking IAM limits. If this is acceptable, you can use these credentials by setting the AWS_SESSION_TOKEN environment variable in addition to AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, or by otherwise configuring these credentials in a way that’s supported by boto3 configuration.

Regions¶

To specify the region that awslimitchecker connects to, use the -r / --region command line option. At this time awslimitchecker can only connect to one region at a time; to check limits in multiple regions, simply run the script multiple times, once per region.

Trusted Advisor¶

awslimitchecker supports retrieving your current service limits via the Trusted Advisor “Service Limits” performance check , for limits which Trusted Advisor tracks (currently a subset of what awslimitchecker knows about). The results of this check may not be available via the API for all accounts; as of December 2016, the Trusted Advisor documentation states that while this check is available for all accounts, API access is only available to accounts with Business- or Enterprise-level support plans. If your account does not have Trusted Advisor access, the API call will result in a SubscriptionRequiredException and awslimitchecker will log a Cannot check TrustedAdvisor message at warning level.

Trusted Advisor information is important to awslimitchecker, however, as it provides the current service limit values for a number of limits that cannot be obtained any other way. While you can completely disable Trusted Advisor polling via the --skip-ta command-line option, you will then be left with default service limit values for many limits.

As of 0.7.0, awslimitchecker also supports programmatically refreshing the “Service Limits” Trusted Advisor check, in order to get updated limit values. If this is not done, the data provided by Trusted Advisor may not be updated unless a human does so via the AWS Console. The refresh logic operates in one of three modes, controlled by command-line options (these are also exposed in the Python API; see the “Internals” link below):

--ta-refresh-wait - The check will be refreshed and awslimitchecker will poll every 30 seconds waiting for the refresh to complete (or until ta_refresh_timeout seconds have elapsed).
--ta-refresh-older INTEGER - This operates like the --ta-refresh-wait option, but will only refresh the check if its current result data is at least INTEGER seconds old.
--ta-refresh-trigger - The check will be refreshed and the program will continue on immediately, without waiting for the refresh to complete; this will almost certainly result in stale check results in the current run. However, this may be useful if you desire to keep awslimitchecker runs short, and run it on a regular schedule (i.e. if you run awslimitchecker every 6 hours, and are OK with Trusted Advisor check data being 6 hours old).

Additionally, there is a --ta-refresh-timeout option. If this is set (to an integer), refreshes of the check will time out after that number of seconds. If a timeout occurs, a message will be logged at error level, but the program will continue running (most likely using the old result data).

Important: It may take 30 to 60 minutes for the Service Limits check to refresh on large accounts. Please be aware of this when enabling the refresh options.

Using the check refresh options will require the trustedadvisor:RefreshCheck IAM permission.

See Internals - Trusted Advisor for technical information on the implementation of Trusted Advisor polling.

Service Quotas service¶

AWS’ new Service Quotas service provides a unified interface to retrieve current limits from many AWS services. These limit values are second only to the services’ own APIs (for the services that provide limit information via API), and are much more current and complete than the information provided by Trusted Advisor. The introduction of Service Quotas should greatly reduce the number of limits that need to be retrieved from Trusted Advisor or specified manually.

Required Permissions¶

Important

The required IAM policy output by awslimitchecker includes only the permissions required to check limits and usage. If you are loading limit overrides and/or threshold overrides from S3, you will need to run awslimitchecker with additional permissions to access those objects.

You can view a sample IAM policy listing the permissions required for awslimitchecker to function properly either via the CLI client:

awslimitchecker --iam-policy

Or as a python dict:

from awslimitchecker.checker import AwsLimitChecker
c = AwsLimitChecker()
iam_policy = c.get_required_iam_policy()

You can also view the required permissions for the current version of awslimitchecker at Required IAM Permissions.

Docker Usage¶

As of version 7.1.0, awslimitchecker now ships an official Docker image that can be used instead of installing locally. This image should be suitable both for using locally or using in a Docker-based system such as AWS ECS.

Versions / Tags¶

awslimitchecker has a documented versioning policy intended to prevent your installation from unexpectedly breaking because of changes. It is up to you to decide whether you’d rather have stability at the expense of not receiving bug fixes and feature additions as soon as possible, or receive updates as soon as possible but risk awslimitchecker execution failing without manual intervention.

For each X.Y.Z release version, four Docker images are created with the following tags:

latest
X.Y.Z
X.Y
X

Note that only the full X.Y.Z tag is immutable; the other tags will be updated with subsequent releases.

These tags allow you to specify a Docker image for your particular desired balance of stability vs updates, according to the versioning policy.

Basic Usage¶

The Docker image uses the awslimitchecker CLI as an entrypoint, so you need only to specify the arguments that you would normally pass to the awslimitchecker command for Command Line Usage. For example, to show help:

$ docker run jantman/awslimitchecker --help
usage: awslimitchecker [-h] [-S [SERVICE [SERVICE ...]]]
                       [--skip-service SKIP_SERVICE] [--skip-check SKIP_CHECK]
                       [-s] [-l] [--list-defaults] [-L LIMIT]
                       [--limit-override-json LIMIT_OVERRIDE_JSON]
                       [--threshold-override-json THRESHOLD_OVERRIDE_JSON]
                       [-u] [--iam-policy] [-W WARNING_THRESHOLD]
                       [-C CRITICAL_THRESHOLD] [-P PROFILE_NAME]
                       [-A STS_ACCOUNT_ID] [-R STS_ACCOUNT_ROLE]
                       [-E EXTERNAL_ID] [-M MFA_SERIAL_NUMBER] [-T MFA_TOKEN]
                       [-r REGION] [--role-partition ROLE_PARTITION]
                       [--ta-api-region TA_API_REGION] [--skip-ta]
                       [--skip-quotas]
                       [--ta-refresh-wait | --ta-refresh-trigger | --ta-refresh-older TA_REFRESH_OLDER]
                       [--ta-refresh-timeout TA_REFRESH_TIMEOUT] [--no-color]
                       [--no-check-version] [-v] [-V]
                       [--list-metrics-providers]
                       [--metrics-provider METRICS_PROVIDER]
                       [--metrics-config METRICS_CONFIG]
                       [--list-alert-providers]
                       [--alert-provider ALERT_PROVIDER]
                       [--alert-config ALERT_CONFIG]

Report on AWS service limits and usage via boto3, optionally warn about any
services with usage nearing or exceeding their limits. For further help, see
<http://awslimitchecker.readthedocs.org/>

optional arguments:
  -h, --help            show this help message and exit
  -S [SERVICE [SERVICE ...]], --service [SERVICE [SERVICE ...]]
                        perform action for only the specified service name;
                        see -s|--list-services for valid names
  --skip-service SKIP_SERVICE
                        avoid performing actions for the specified service
                        name; see -s|--list-services for valid names
  --skip-check SKIP_CHECK
                        avoid performing actions for the specified check name
  -s, --list-services   print a list of all AWS service types that
                        awslimitchecker knows how to check
  -l, --list-limits     print all AWS effective limits in
                        "service_name/limit_name" format
  --list-defaults       print all AWS default limits in
                        "service_name/limit_name" format
  -L LIMIT, --limit LIMIT
                        override a single AWS limit, specified in
                        "service_name/limit_name=value" format; can be
                        specified multiple times.
  --limit-override-json LIMIT_OVERRIDE_JSON
                        Absolute or relative path, or s3:// URL, to a JSON
                        file specifying limit overrides. See docs for expected
                        format.
  --threshold-override-json THRESHOLD_OVERRIDE_JSON
                        Absolute or relative path, or s3:// URL, to a JSON
                        file specifying threshold overrides. See docs for
                        expected format.
  -u, --show-usage      find and print the current usage of all AWS services
                        with known limits
  --iam-policy          output a JSON serialized IAM Policy listing the
                        required permissions for awslimitchecker to run
                        correctly.
  -W WARNING_THRESHOLD, --warning-threshold WARNING_THRESHOLD
                        default warning threshold (percentage of limit);
                        default: 80
  -C CRITICAL_THRESHOLD, --critical-threshold CRITICAL_THRESHOLD
                        default critical threshold (percentage of limit);
                        default: 99
  -P PROFILE_NAME, --profile PROFILE_NAME
                        Name of profile in the AWS cross-sdk credentials file
                        to use credentials from; similar to the corresponding
                        awscli option
  -A STS_ACCOUNT_ID, --sts-account-id STS_ACCOUNT_ID
                        for use with STS, the Account ID of the destination
                        account (account to assume a role in)
  -R STS_ACCOUNT_ROLE, --sts-account-role STS_ACCOUNT_ROLE
                        for use with STS, the name of the IAM role to assume
  -E EXTERNAL_ID, --external-id EXTERNAL_ID
                        External ID to use when assuming a role via STS
  -M MFA_SERIAL_NUMBER, --mfa-serial-number MFA_SERIAL_NUMBER
                        MFA Serial Number to use when assuming a role via STS
  -T MFA_TOKEN, --mfa-token MFA_TOKEN
                        MFA Token to use when assuming a role via STS
  -r REGION, --region REGION
                        AWS region name to connect to; required for STS
  --role-partition ROLE_PARTITION
                        AWS partition name to use for account_role when
                        connecting via STS; see documentation for more
                        information (default: "aws")
  --ta-api-region TA_API_REGION
                        Region to use for Trusted Advisor / Support API
                        (default: us-east-1)
  --skip-ta             do not attempt to pull *any* information on limits
                        from Trusted Advisor
  --skip-quotas         Do not attempt to connect to Service Quotas service or
                        use its data for current limits
  --ta-refresh-wait     If applicable, refresh all Trusted Advisor limit-
                        related checks, and wait for the refresh to complete
                        before continuing.
  --ta-refresh-trigger  If applicable, trigger refreshes for all Trusted
                        Advisor limit-related checks, but do not wait for them
                        to finish refreshing; trigger the refresh and continue
                        on (useful to ensure checks are refreshed before the
                        next scheduled run).
  --ta-refresh-older TA_REFRESH_OLDER
                        If applicable, trigger refreshes for all Trusted
                        Advisor limit-related checks with results more than
                        this number of seconds old. Wait for the refresh to
                        complete before continuing.
  --ta-refresh-timeout TA_REFRESH_TIMEOUT
                        If waiting for TA checks to refresh, wait up to this
                        number of seconds before continuing on anyway.
  --no-color            do not colorize output
  --no-check-version    do not check latest version at startup
  -v, --verbose         verbose output. specify twice for debug-level output.
  -V, --version         print version number and exit.
  --list-metrics-providers
                        List available metrics providers and exit
  --metrics-provider METRICS_PROVIDER
                        Metrics provider class name, to enable sending metrics
  --metrics-config METRICS_CONFIG
                        Specify key/value parameters for the metrics provider
                        constructor. See documentation for further
                        information.
  --list-alert-providers
                        List available alert providers and exit
  --alert-provider ALERT_PROVIDER
                        Alert provider class name, to enable sending
                        notifications
  --alert-config ALERT_CONFIG
                        Specify key/value parameters for the alert provider
                        constructor. See documentation for further
                        information.

awslimitchecker is AGPLv3-licensed Free Software. Anyone using this program,
even remotely over a network, is entitled to a copy of the source code. Use
`--version` for information on the source code location.

Or to show the current limits for the ELB service, when using credentials from environment variables:

$ docker run -e AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN jantman/awslimitchecker -l -S ELB
ELB/Application load balancers                  1500 (API)
ELB/Certificates per application load balancer  25
ELB/Classic load balancers                      1500 (API)
ELB/Listeners per application load balancer     50 (API)
ELB/Listeners per load balancer                 100 (API)
ELB/Listeners per network load balancer         50 (API)
ELB/Network load balancers                      20 (API)
ELB/Registered instances per load balancer      1000 (API)
ELB/Rules per application load balancer         100 (API)
ELB/Target groups                               3000 (API)

awslimitchecker 7.0.0 is AGPL-licensed free software; all users have a right to the full source code of this version. See <https://github.com/jantman/awslimitchecker>

AWS Credentials¶

Running awslimitchecker in docker may make it slightly more difficult to provide your AWS credentials. In general, you will have to use one of the following methods, depending on where your credentials are located.

AWS Credential Environment Variables¶

If your AWS credentials are currently set as environment variables, you will need to explicitly pass those in to the container:

$ docker run \
    -e AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION \
    -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
    -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
    -e AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN \
    jantman/awslimitchecker --version

AWS Credentials File¶

If your AWS credentials are currently set in the AWS Credentials File (at ~/.aws/credentials), you will need to mount that in to the container at /root/.aws/credentials:

$ docker run \
    -v $(readlink -f ~/.aws/credentials):/root/.aws/credentials \
    jantman/awslimitchecker --version

EC2 Instance Profile or Task Role Credentials¶

For credentials provided via an EC2 Instance Profile (Role) or an ECS Task Role, they should be automatically recognized so long as nothing is explicitly blocking Docker containers from accessing them. You may still need to set the AWS_DEFAULT_REGION environment variable for the container.

Deployment on ECS Fargate using Terraform¶

An example terraform module, and an example of using the module, to deploy Dockerized awslimitchecker on ECS Fargate with the PagerDuty alert provider and the Datadog metrics store, along with an example Datadog monitor to detect if awslimitchecker hasn’t run in over a day, is available in the GitHub repo at: https://github.com/jantman/awslimitchecker/tree/master/docs/examples/terraform-fargate

Command Line Usage¶

awslimitchecker ships with a command line script for use outside of Python environments. awslimitchecker is installed as a setuptools entry point, and will be available wherever you install the package (if you install in a virtual environment as recommended, it will be in the venv’s bin/ directory).

The command line script provides simple access to the most common features, though not full access to all configuration possibilities. In addition, when checking usage, the script will exit 0 of everything is OK, 1 if there are warnings, and 2 if there are critical thresholds exceeded (though the output is not currently suitable for direct use as a Nagios-compatible plugin).

(venv)$ awslimitchecker --help
usage: awslimitchecker [-h] [-S [SERVICE [SERVICE ...]]]
                       [--skip-service SKIP_SERVICE] [--skip-check SKIP_CHECK]
                       [-s] [-l] [--list-defaults] [-L LIMIT]
                       [--limit-override-json LIMIT_OVERRIDE_JSON]
                       [--threshold-override-json THRESHOLD_OVERRIDE_JSON]
                       [-u] [--iam-policy] [-W WARNING_THRESHOLD]
                       [-C CRITICAL_THRESHOLD] [-P PROFILE_NAME]
                       [-A STS_ACCOUNT_ID] [-R STS_ACCOUNT_ROLE]
                       [-E EXTERNAL_ID] [-M MFA_SERIAL_NUMBER] [-T MFA_TOKEN]
                       [-r REGION] [--role-partition ROLE_PARTITION]
                       [--ta-api-region TA_API_REGION] [--skip-ta]
                       [--skip-quotas]
                       [--ta-refresh-wait | --ta-refresh-trigger | --ta-refresh-older TA_REFRESH_OLDER]
                       [--ta-refresh-timeout TA_REFRESH_TIMEOUT] [--no-color]
                       [--no-check-version] [-v] [-V]
                       [--list-metrics-providers]
                       [--metrics-provider METRICS_PROVIDER]
                       [--metrics-config METRICS_CONFIG]
                       [--list-alert-providers]
                       [--alert-provider ALERT_PROVIDER]
                       [--alert-config ALERT_CONFIG]
Report on AWS service limits and usage via boto3, optionally warn about any
services with usage nearing or exceeding their limits. For further help, see
<http://awslimitchecker.readthedocs.org/>
optional arguments:
  -h, --help            show this help message and exit
  -S [SERVICE [SERVICE ...]], --service [SERVICE [SERVICE ...]]
                        perform action for only the specified service name;
                        see -s|--list-services for valid names
  --skip-service SKIP_SERVICE
                        avoid performing actions for the specified service
                        name; see -s|--list-services for valid names
  --skip-check SKIP_CHECK
                        avoid performing actions for the specified check name
  -s, --list-services   print a list of all AWS service types that
                        awslimitchecker knows how to check
  -l, --list-limits     print all AWS effective limits in
                        "service_name/limit_name" format
  --list-defaults       print all AWS default limits in
                        "service_name/limit_name" format
  -L LIMIT, --limit LIMIT
                        override a single AWS limit, specified in
                        "service_name/limit_name=value" format; can be
                        specified multiple times.
  --limit-override-json LIMIT_OVERRIDE_JSON
                        Absolute or relative path, or s3:// URL, to a JSON
                        file specifying limit overrides. See docs for expected
                        format.
  --threshold-override-json THRESHOLD_OVERRIDE_JSON
                        Absolute or relative path, or s3:// URL, to a JSON
                        file specifying threshold overrides. See docs for
                        expected format.
  -u, --show-usage      find and print the current usage of all AWS services
                        with known limits
  --iam-policy          output a JSON serialized IAM Policy listing the
                        required permissions for awslimitchecker to run
                        correctly.
  -W WARNING_THRESHOLD, --warning-threshold WARNING_THRESHOLD
                        default warning threshold (percentage of limit);
                        default: 80
  -C CRITICAL_THRESHOLD, --critical-threshold CRITICAL_THRESHOLD
                        default critical threshold (percentage of limit);
                        default: 99
  -P PROFILE_NAME, --profile PROFILE_NAME
                        Name of profile in the AWS cross-sdk credentials file
                        to use credentials from; similar to the corresponding
                        awscli option
  -A STS_ACCOUNT_ID, --sts-account-id STS_ACCOUNT_ID
                        for use with STS, the Account ID of the destination
                        account (account to assume a role in)
  -R STS_ACCOUNT_ROLE, --sts-account-role STS_ACCOUNT_ROLE
                        for use with STS, the name of the IAM role to assume
  -E EXTERNAL_ID, --external-id EXTERNAL_ID
                        External ID to use when assuming a role via STS
  -M MFA_SERIAL_NUMBER, --mfa-serial-number MFA_SERIAL_NUMBER
                        MFA Serial Number to use when assuming a role via STS
  -T MFA_TOKEN, --mfa-token MFA_TOKEN
                        MFA Token to use when assuming a role via STS
  -r REGION, --region REGION
                        AWS region name to connect to; required for STS
  --role-partition ROLE_PARTITION
                        AWS partition name to use for account_role when
                        connecting via STS; see documentation for more
                        information (default: "aws")
  --ta-api-region TA_API_REGION
                        Region to use for Trusted Advisor / Support API
                        (default: us-east-1)
  --skip-ta             do not attempt to pull *any* information on limits
                        from Trusted Advisor
  --skip-quotas         Do not attempt to connect to Service Quotas service or
                        use its data for current limits
  --ta-refresh-wait     If applicable, refresh all Trusted Advisor limit-
                        related checks, and wait for the refresh to complete
                        before continuing.
  --ta-refresh-trigger  If applicable, trigger refreshes for all Trusted
                        Advisor limit-related checks, but do not wait for them
                        to finish refreshing; trigger the refresh and continue
                        on (useful to ensure checks are refreshed before the
                        next scheduled run).
  --ta-refresh-older TA_REFRESH_OLDER
                        If applicable, trigger refreshes for all Trusted
                        Advisor limit-related checks with results more than
                        this number of seconds old. Wait for the refresh to
                        complete before continuing.
  --ta-refresh-timeout TA_REFRESH_TIMEOUT
                        If waiting for TA checks to refresh, wait up to this
                        number of seconds before continuing on anyway.
  --no-color            do not colorize output
  --no-check-version    do not check latest version at startup
  -v, --verbose         verbose output. specify twice for debug-level output.
  -V, --version         print version number and exit.
  --list-metrics-providers
                        List available metrics providers and exit
  --metrics-provider METRICS_PROVIDER
                        Metrics provider class name, to enable sending metrics
  --metrics-config METRICS_CONFIG
                        Specify key/value parameters for the metrics provider
                        constructor. See documentation for further
                        information.
  --list-alert-providers
                        List available alert providers and exit
  --alert-provider ALERT_PROVIDER
                        Alert provider class name, to enable sending
                        notifications
  --alert-config ALERT_CONFIG
                        Specify key/value parameters for the alert provider
                        constructor. See documentation for further
                        information.
awslimitchecker is AGPLv3-licensed Free Software. Anyone using this program,
even remotely over a network, is entitled to a copy of the source code. Use
`--version` for information on the source code location.

Examples¶

In the following examples, output has been truncated to simplify documentation. When running with all services enabled, awslimitchecker will provide many lines of output. (...) has been inserted in the output below to denote removed or truncated lines.

Listing Supported Services¶

View the AWS services currently supported by awslimitchecker with the -s or --list-services option.

(venv)$ awslimitchecker -s
ApiGateway
AutoScaling
CloudFormation
CloudTrail
Directory Service
(...)
Route53
S3
SES
VPC

Listing Default Limits¶

To show the hard-coded default limits, ignoring any limit overrides or Trusted Advisor data, run with --list-defaults:

(venv)$ awslimitchecker --list-defaults
ApiGateway/API keys per account                                           500
ApiGateway/Client certificates per account                                60
ApiGateway/Custom authorizers per API                                     10
ApiGateway/Documentation parts per API                                    2000
ApiGateway/Edge APIs per account                                          120
(...)
Lambda/Function Count                                                     None
(...)
VPC/Subnets per VPC                                                       200
VPC/VPCs                                                                  5
VPC/Virtual private gateways                                              5

Viewing Limits¶

View the limits that awslimitchecker currently knows how to check, and what the limit value is set as (if you specify limit overrides, they will be used instead of the default limit) by specifying the -l or --list-limits option. Limits followed by (TA) have been obtained from Trusted Advisor and limits followed by (API) have been obtained from the service’s API.

(venv)$ awslimitchecker -l
ApiGateway/API keys per account                                           500.0 (Quotas)
ApiGateway/Client certificates per account                                60.0 (Quotas)
ApiGateway/Custom authorizers per API                                     10
ApiGateway/Documentation parts per API                                    2000
ApiGateway/Edge APIs per account                                          300.0 (Quotas)
(...)
AutoScaling/Auto Scaling groups                                           1500 (API)
(...)
Lambda/Function Count                                                     None
(...)
VPC/Subnets per VPC                                                       200
VPC/VPCs                                                                  1000.0 (Quotas)
VPC/Virtual private gateways                                              5

Disabling Trusted Advisor Checks¶

Using the --skip-quotas option will disable attempting to query limit information from the Service Quotas service.

(venv)$ awslimitchecker -l --skip-quotas
ApiGateway/API keys per account                                           500
ApiGateway/Client certificates per account                                60
ApiGateway/Custom authorizers per API                                     10
ApiGateway/Documentation parts per API                                    2000
ApiGateway/Edge APIs per account                                          120
(...)
AutoScaling/Auto Scaling groups                                           1500 (API)
(...)
Lambda/Function Count                                                     None
(...)
VPC/Subnets per VPC                                                       200
VPC/VPCs                                                                  1000 (TA)
VPC/Virtual private gateways                                              5

Disabling Service Quotas service¶

Using the --skip-ta option will disable attempting to query limit information from Trusted Advisor for all commands.

(venv)$ awslimitchecker -l --skip-ta
ApiGateway/API keys per account                                           500.0 (Quotas)
ApiGateway/Client certificates per account                                60.0 (Quotas)
ApiGateway/Custom authorizers per API                                     10
ApiGateway/Documentation parts per API                                    2000
ApiGateway/Edge APIs per account                                          300.0 (Quotas)
(...)
AutoScaling/Auto Scaling groups                                           1500 (API)
(...)
Lambda/Function Count                                                     None
(...)
VPC/Subnets per VPC                                                       200
VPC/VPCs                                                                  1000.0 (Quotas)
VPC/Virtual private gateways                                              5

Disabling Specific Services¶

The --skip-service option can be used to completely disable the specified service name(s) (as shown by -s / --list-services) for services that are problematic or you do not wish to query at all.

For example, you can check usage of all services _except_ for Firehose and EC2:

(venv)$ awslimitchecker --skip-service=Firehose --skip-service EC2
 WARNING:awslimitchecker.checker:Skipping service: Firehose
 WARNING:awslimitchecker.checker:Skipping service: EC2
 ... normal output ...

Disabling Specific Checks¶

The --skip-check option can be used to completely disable the specified check name(s).

For example, you can run all the EC2 service checks except the Max launch specifications per spot fleet check with the following command:

(venv)$ awslimitchecker --skip-check='EC2/Max launch specifications per spot fleet'
 ... normal output ...
 EC2/Max launch specifications per spot fleet  (limit 50) WARNING: sfr-98e516f0-62f8-47ad-ada6-444da23fe6c5=42
(venv)$ echo $?
2

# With --skip-check
(venv)$ awslimitchecker --skip-check='EC2/Max launch specifications per spot fleet'
 ... normal output ...
(venv)$ echo $?
0

Checking Usage¶

The -u or --show-usage options to awslimitchecker show the current usage for each limit that awslimitchecker knows about. It will connect to the AWS API and determine the current usage for each limit. In cases where limits are per-resource instead of account-wide (i.e. “Rules per VPC security group” or “Security groups per VPC”), the usage will be reported for each possible resource in resource_id=value format (i.e. for each VPC security group and each VPC, respectively, using their IDs).

(venv)$ awslimitchecker -u
ApiGateway/API keys per account                                           22
ApiGateway/Client certificates per account                                3
ApiGateway/Custom authorizers per API                                     max: 00e87qs7ci=2 (00e87qs (...)
ApiGateway/Documentation parts per API                                    max: 00e87qs7ci=2 (00e87qs (...)
ApiGateway/Edge APIs per account                                          207
(...)
VPC/Subnets per VPC                                                       max: vpc-c89074a9=41 (vpc- (...)
VPC/VPCs                                                                  39
VPC/Virtual private gateways                                              4

Overriding Limits¶

In cases where you’ve been given a limit increase by AWS Support, you can override the default limits with custom ones. Currently, to do this from the command line, you can either specify each limit that you want to override separately using the -L or --limit options, or you can specify a JSON file at either a local path or an S3 URL using the --limit-override-json option (the set_limit_overrides() Python method accepts a dict for easy bulk overrides of limits). Limits for the -L / --limit option are specified in a service_name/limit_name=value format, and must be quoted if the limit name contains spaces.

For example, to override the limits of EC2’s “EC2-Classic Elastic IPs” and “EC2-VPC Elastic IPs” from their defaults of 5, to 10 and 20, respestively:

(venv)$ awslimitchecker -L "AutoScaling/Auto Scaling groups"=321 --limit="AutoScaling/Launch configurations"=456 -l
ApiGateway/API keys per account                                           500.0 (Quotas)
ApiGateway/Client certificates per account                                60.0 (Quotas)
ApiGateway/Custom authorizers per API                                     10
ApiGateway/Documentation parts per API                                    2000
ApiGateway/Edge APIs per account                                          300.0 (Quotas)
(...)
CloudFormation/Stacks                                                     4000 (API)
(...)
Lambda/Function Count                                                     None
(...)
VPC/Subnets per VPC                                                       200
VPC/VPCs                                                                  1000.0 (Quotas)
VPC/Virtual private gateways                                              5

This example simply sets the overrides, and then prints the limits for confirmation.

You could also set the same limit overrides using a JSON file stored at limit_overrides.json, following the format documented for awslimitchecker.checker.AwsLimitChecker.set_limit_overrides():

{
    "AutoScaling": {
        "Auto Scaling groups": 321,
        "Launch configurations": 456
    }
}

Using a command like:

(venv)$ awslimitchecker --limit-override-json=limit_overrides.json -l
ApiGateway/API keys per account                                           500.0 (Quotas)
ApiGateway/Client certificates per account                                60.0 (Quotas)
ApiGateway/Custom authorizers per API                                     10
ApiGateway/Documentation parts per API                                    2000
ApiGateway/Edge APIs per account                                          300.0 (Quotas)
(...)
VPC/Subnets per VPC                                                       200
VPC/VPCs                                                                  1000.0 (Quotas)
VPC/Virtual private gateways                                              5

Check Limits Against Thresholds¶

The default mode of operation for awslimitchecker (when no other action-specific options are specified) is to check the usage of all known limits, compare them against the configured limit values, and then output a message and set an exit code depending on thresholds. The limit values used will be (in order of precedence) explicitly-set overrides, Trusted Advisor data, and hard-coded defaults.

Currently, the awslimitchecker command line script only supports global warning and critical thresholds, which default to 80% and 99% respectively. If any limit’s usage is greater than or equal to 80% of its limit value, this will be included in the output and the program will exit with return code 1. If any limit’s usage is greater than or equal to 99%, it will include that in the output and exit 2. When determining exit codes, critical takes priority over warning. The output will include the specifics of which limits exceeded the threshold, and for limits that are per-resource, the resource IDs.

The Python class allows setting thresholds per-limit as either a percentage, or an integer usage value, or both; this functionality is not currently present in the command line wrapper.

To check all limits against their thresholds (in this example, one limit has crossed the warning threshold only, and another has crossed the critical threshold):

(venv)$ awslimitchecker --no-color
CloudFormation/Stacks                                  (limit 4000) WARNING: 3396
DynamoDB/Local Secondary Indexes                       (limit 5) CRITICAL: some_app_name (...)
DynamoDB/Tables Per Region                             (limit 256) CRITICAL: 554
EBS/Active snapshots                                   (limit 40000.0) WARNING: 33387
EC2/Rules per VPC security group                       (limit 50) CRITICAL: sg-aaaaaaaa=50, sg-bbbb (...)
(...)
VPC/Entries per route table                            (limit 50) WARNING: rtb-aaaaaaaa=43, rtb-bbbb (...)
VPC/NAT Gateways per AZ                                (limit 5) CRITICAL: us-east-1d=5, us-east-1c= (...)
VPC/Virtual private gateways                           (limit 5) WARNING: 4

Set Custom Thresholds¶

To set the warning threshold of 50% and a critical threshold of 75% when checking limits:

(venv)$ awslimitchecker -W 97 --critical=98 --no-color
DynamoDB/Local Secondary Indexes                       (limit 5) CRITICAL: some_app_name (...)
DynamoDB/Tables Per Region                             (limit 256) CRITICAL: 554
EC2/Rules per VPC security group                       (limit 50) CRITICAL: sg-cccccccc=49, sg-eeeee (...)
EC2/Security groups per VPC                            (limit 500) CRITICAL: vpc-dddddddd=726, vpc-c (...)
(...)
RDS/VPC Security Groups                                (limit 5) CRITICAL: 5
S3/Buckets                                             (limit 100) CRITICAL: 946
VPC/NAT Gateways per AZ                                (limit 5) CRITICAL: us-east-1d=5, us-east-1c= (...)

You can also set custom thresholds on a per-limit basis using the --threshold-override-json CLI option, which accepts the path to a JSON file (local or an s3:// URL) matching the format described in awslimitchecker.checker.AwsLimitChecker.set_threshold_overrides(), for example:

{
    "S3": {
        "Buckets": {
            "warning": {
                "percent": 97
            },
            "critical": {
                "percent": 99
            }
        }
    },
    "EC2": {
        "Security groups per VPC": {
            "warning": {
                "percent": 80,
                "count": 800
            },
            "critical": {
                "percent": 90,
                "count": 900
            }
        },
        "VPC security groups per elastic network interface": {
            "warning": {
                "percent": 101
            },
            "critical": {
                "percent": 101
            }
        }
    }
}

Using a command like:

(venv)$ awslimitchecker -W 97 --critical=98 --no-color --threshold-override-json=s3://bucketname/path/overrides.json
DynamoDB/Local Secondary Indexes                       (limit 5) CRITICAL: some_app_name_here=5
DynamoDB/Tables Per Region                             (limit 256) CRITICAL: 554
EC2/Rules per VPC security group                       (limit 50) CRITICAL: sg-aaaaaaaa=49, sg-bbbbb (...)
EC2/Security groups per VPC                            (limit 500) CRITICAL: vpc-cccccccc=726, vpc-c (...)
(...)
RDS/VPC Security Groups                                (limit 5) CRITICAL: 5
S3/Buckets                                             (limit 100) CRITICAL: 946
VPC/NAT Gateways per AZ                                (limit 5) CRITICAL: us-east-1d=5, us-east-1c= (...)

Enable Metrics Provider¶

awslimitchecker is capable of sending metrics for the overall runtime of checking thresholds, as well as the current limit values and current usage, to various metrics stores. The list of metrics providers supported by your version of awslimitchecker can be seen with the --list-metrics-providers option:

(venv)$ awslimitchecker --list-metrics-providers
Available metrics providers:
Datadog
Dummy

The configuration options required by each metrics provider are specified in the providers’ documentation:

For example, to use the Datadog metrics provider which requires an api_key paramater (also accepted as an environment variable) and an optional extra_tags parameter:

(venv)$ awslimitchecker \
    --metrics-provider=Datadog \
    --metrics-config=api_key=123456 \
    --metrics-config=extra_tags=foo,bar,baz:blam

Metrics will be pushed to the provider only when awslimitchecker is done checking all limits.

Enable Alerts Provider¶

awslimitchecker is capable of sending alerts for either warning-level threshold breaches, or critical-level threshold breaches and exceptions checking thresholds, to various alert providers. The list of alert providers supported by your version of awslimitchecker can be seen with the --list-alert-providers option:

(venv)$ awslimitchecker --list-alert-providers
Available alert providers:
Dummy
PagerDutyV1

The configuration options required by each alert provider are specified in the providers’ documentation:

For example, to use the PagerDutyV1 alert provider which requires a critical_service_key paramater (also accepted as an environment variable) and an optional account_alias parameter:

(venv)$ awslimitchecker \
    --alert-provider=PagerDutyV1 \
    --alert-config=critical_service_key=012345 \
    --alert-config=account_alias=myacct

Alerts will be pushed to the provider only when awslimitchecker is done checking all limits, or when an exception is encountered during the checking process.

Required IAM Policy¶

awslimitchecker can also provide the user with an IAM Policy listing the minimum permissions for it to perform all limit checks. This can be viewed with the --iam-policy option:

(venv)$ awslimitchecker --iam-policy
{
  "Statement": [
    {
      "Action": [
        "apigateway:GET",
(...)
    }
  ],
  "Version": "2012-10-17"
}

For the current IAM Policy required by this version of awslimitchecker, see IAM Policy.

Important

The required IAM policy output by awslimitchecker includes only the permissions required to check limits and usage. If you are loading limit overrides and/or threshold overrides from S3, you will need to run awslimitchecker with additional permissions to access those objects.

Connect to a Specific Region¶

To connect to a specific region (i.e. us-west-2), simply specify the region name with the -r or --region options:

(venv)$ awslimitchecker -r us-west-2

Assume a Role in Another Account with STS¶

To assume the “foobar” role in account 123456789012 in region us-west-1, specify the -r / --region option as well as the -A / --sts-account-id and -R / --sts-account-role options:

(venv)$ awslimitchecker -r us-west-1 -A 123456789012 -R foobar

If you also need to specify an external_id of “myid”, you can do that with the -E / --external-id options:

(venv)$ awslimitchecker -r us-west-1 -A 123456789012 -R foobar -E myid

Please note that this assumes that you already have STS configured and working between your account and the 123456789012 destination account; see the documentation for further information.

Partitions and Trusted Advisor Regions¶

awslimitchecker currently supports operating against non-standard partitions, such as GovCloud and AWS China (Beijing). Partition names, as seen in the partition field of ARNs, can be specified with the --role-partition option to awslimitchecker, like --role-partition=aws-cn for the China (Beijing) partition. Similarly, the region name to use for the support API for Trusted Advisor can be specified with the --ta-api-region option, like --ta-api-region=us-gov-west-1.

Handling Throttling and Rate Limiting¶

In some very large and busy AWS accounts, from time to time awslimitchecker might die on unhandled Throttling or RateExceeded exceptions. botocore, the underlying low-level AWS API client library that we use, automatically catches these exceptions and retries them up to a per-AWS-API default number of times (generally four for most APIs) with an exponential backoff. In very busy accounts, it may be desirable to increase the default number of retries.

This can be accomplished on a per-API basis (where the API name is the service_name that would be sent to boto3.session.Session.client() and is set as the api_name attribute on each _AwsService subclass) by setting an environment variable BOTO_MAX_RETRIES_<api_name> to the maximum number of attempts you’d like for that service.

For example, if you have issues with rate limiting of the cloudformation:DescribeStacks still failing after the default of four attempts, and you’d like to use ten (10) attempts instead, you could export BOTO_MAX_RETRIES_cloudformation=10 before running awslimitchecker.

Python Usage¶

The full feature set of awslimitchecker is available through the Python API. This page attempts to document some examples of usage, but the best resources are runner, the command line wrapper, and the API documentation.

Full Jenkins Example¶

A full example of a wrapper script with limit and threshold overrides, and a Jenkins job to run it, is available in the docs/examples directory of awslimitchecker.

See docs/examples/README.rst on GitHub.

Simple Examples¶

Many of these examples use pprint to make output a bit nicer.

Instantiating the Class¶

Here we import and instantiate the AwsLimitChecker class; note that we also setup Python’s logging module, which is used by awslimitchecker. We also import pprint to make the output nicer.

>>> import logging
>>> logging.basicConfig()
>>> logger = logging.getLogger()
>>>
>>> from awslimitchecker.checker import AwsLimitChecker
>>> c = AwsLimitChecker()

Specifying a Region¶

To specify a region (“us-west-2” in this example), specify it as the region string parameter to the class constructor:

>>> import logging
>>> logging.basicConfig()
>>> logger = logging.getLogger()
>>>
>>> from awslimitchecker.checker import AwsLimitChecker
>>> c = AwsLimitChecker(region='us-west-2')

Refreshing Trusted Advisor Check Results¶

Trusted Advisor check refresh behavior is controlled by the ta_refresh_mode and ta_refresh_timeout parameters on the AwsLimitChecker constructor, which are passed through to the TrustedAdvisor constructor. See Internals - Trusted Advisor for details of their possible values and meanings.

The below example shows constructing an AwsLimitChecker class that will refresh Trusted Advisor limit checks only if their data is at least 6 hours (21600 seconds) old, and will allow up to 30 minutes (1800 seconds) for the refresh to complete (if it times out, awslimitchecker will continue on with the old data):

>>> import logging
>>> logging.basicConfig()
>>> logger = logging.getLogger()
>>>
>>> from awslimitchecker.checker import AwsLimitChecker
>>> c = AwsLimitChecker(ta_refresh_mode=21600, ta_refresh_timeout=1800)

Assuming a Role with STS¶

To check limits for another account using a Role assumed via STS, specify the region, account_id and account_role parameters to the class constructor. If an external ID is needed, this can be specified by the external_id parameter. All are strings:

>>> import logging
>>> logging.basicConfig()
>>> logger = logging.getLogger()
>>>
>>> from awslimitchecker.checker import AwsLimitChecker
>>> c = AwsLimitChecker(
>>>     region='us-west-2',
>>>     account_id='012345678901',
>>>     account_role='myRoleName',
>>>     external_id='myid'
>>> )

Setting a Limit Override¶

Override EC2’s “EC2-Classic Elastic IPs” limit from its default to 20, using set_limit_override().

>>> c.set_limit_override('EC2', 'EC2-Classic Elastic IPs', 20)

Setting a Threshold Override¶

awslimitchecker has two sets of thresholds, warning and critical (intended to be used to trigger different levels of alert/alarm or action). The default thresholds for warning and critical are 80% and 99%, respectively; these program-wide defaults can be overridden by passing the warning_threshold and/or critical_threshold arguments to the AwsLimitChecker class constructor.

It is also possible to override these values on a per-limit basis, using the AwsLimitChecker class’s set_threshold_override() (single limit’s threshold override) and set_threshold_overrides() (dict of overrides) methods. When setting threshold overrides, you can specify not only the percent threshold, but also a count of usage; any limits which have a usage of more than this number will be detected as a warning or critical, respectively.

To warn when our EC2-Classic Elastic IPs usage is above 50% (as opposed to the default of 80%) and store a critical alert when it’s above 75% (as opposed to 99%):

>>> c.set_threshold_override('EC2', 'EC2-Classic Elastic IPs', warn_percent=50, crit_percent=75)

Another use could be to warn when certain services are used at all. As of the time of writing, the i2.8xlarge instances cost USD $6.82/hour, or $163/day.

To report a critical status if any i2.8xlarge instances are running:

>>> c.set_threshold_override('EC2', 'Running On-Demand i2.8xlarge instances', crit_count=1)

You do not need to also override the percent thresholds. Because of how check_thresholds() evaluates thresholds, any crossed threshold will be considered an error condition.

Checking Thresholds¶

To check the current usage against limits, use check_thresholds(). The return value is a nested dict of all limits with current usage meeting or exceeding the configured thresholds. Keys are the AWS Service names (string), values are dicts of limit name (string) to AwsLimit instances representing the limit and its current usage.

>>> result = c.check_thresholds()
>>> pprint.pprint(result)
{'EC2': {'Magnetic volume storage (TiB)': <awslimitchecker.limit.AwsLimit object at 0x7f398db62750>,
         'Running On-Demand EC2 instances': <awslimitchecker.limit.AwsLimit object at 0x7f398db55910>,
         'Running On-Demand m3.medium instances': <awslimitchecker.limit.AwsLimit object at 0x7f398db55a10>,
         'Security groups per VPC': <awslimitchecker.limit.AwsLimit object at 0x7f398db62790>}}

Looking at one of the entries, its get_warnings() method tells us that the usage did not exceed its warning threshold:

>>> result['EC2']['Magnetic volume storage (TiB)'].get_warnings()
[]

But its get_criticals() method tells us that it did meet or exceed the critical threshold:

>>> result['EC2']['Magnetic volume storage (TiB)'].get_criticals()
[<awslimitchecker.limit.AwsLimitUsage object at 0x7f2074dfeed0>]

We can then inspect the AwsLimitUsage instance for more information about current usage that crossed the threshold:

In this particular case, there is no resource ID associated with the usage, because it is an aggregate (type-, rather than resource-specific) limit:

>>> result['EC2']['Magnetic volume storage (TiB)'].get_criticals()[0].resource_id
>>>

The usage is of the EC2 Volume resource type (where one exists, we use the CloudFormation Resource Type strings to identify resource types).

>>> result['EC2']['Magnetic volume storage (TiB)'].get_criticals()[0].aws_type
'AWS::EC2::Volume'

We can query the actual numeric usage value:

>>> pprint.pprint(result['EC2']['Magnetic volume storage (TiB)'].get_criticals()[0].get_value())
23.337

Or a string description of it:

>>> print(str(result['EC2']['Magnetic volume storage (TiB)'].get_criticals()[0]))
23.337

The “Security groups per VPC” limit also crossed thresholds, and we can see that it has one critical usage value:

>>> len(result['EC2']['Security groups per VPC'].get_warnings())
0
>>> len(result['EC2']['Security groups per VPC'].get_criticals())
1

As this limit is per-VPC, our string representation of the current usage includes the VPC ID that crossed the critical threshold:

>>> for usage in result['EC2']['Security groups per VPC'].get_criticals():
...     print(str(usage))
...
vpc-c300b9a6=100

Disabling Trusted Advisor¶

To disable querying Trusted Advisor for limit information, call get_limits() or check_thresholds() with use_ta=False:

>>> result = c.check_thresholds(use_ta=False)

Disabling Service Quotas¶

To disable querying the Service Quotas service for current limits, pass skip_quotas=True in to the AwsLimitChecker class constructor:

checker = AwsLimitChecker(skip_quotas=True)

Partitions and Trusted Advisor Regions¶

awslimitchecker currently supports operating against non-standard partitions, such as GovCloud and AWS China (Beijing). Partition names, as seen in the partition field of ARNs, can be specified with the role_partition keyword argument to the AwsLimitChecker class. Similarly, the region name to use for the support API for Trusted Advisor can be specified with the ta_api_region keyword argument to the AwsLimitChecker class.

Skipping Specific Services¶

You can completely disable all interaction with specific Services with the remove_services() method. This method takes a list of string Service names to remove from AwsLimitChecker’s internal services dict, which will prevent those services from being queried or reported on.

To remove the Firehose and EC2 services:

c.remove_services(['Firehose', 'EC2'])

Handling Throttling and Rate Limiting¶

See CLI Usage - Handling Throttling and Rate Limiting; this is handled the same way in Python, though you’d likely set the environment variables using os.environ instead of exporting them outside of Python.

Logging¶

awslimitchecker uses the python logging library for logging, with module-level loggers defined in each file. If you already have a root-level logger defined in your program and are using a simple configuration (i.e. logging.basicConfig()), awslimitchecker logs will be emitted at the same level as that which the root logger is configured.

Assuming you have a root-level logger defined and configured, and you only want to see awslimitchecker log messages of WARNING level and above, you can set the level of awslimitchecker’s logger before instantiating the class:

alc_log = logging.getLogger('awslimitchecker')
alc_log.setLevel(logging.WARNING)
checker = AwsLimitChecker()

It’s _highly_ recommended that you do not suppress log messages of WARNING or above, as these indicate situations where the checker may not present accurate or complete results.

If your application does not define a root-level logger, this becomes a bit more complicated. Assuming your application has a more complex configuration that uses a top-level logger ‘myapp’ with its own handlers defined, you can do something like the following. Note that this is highly specific to your logging setup:

# setup logging for awslimitchecker
alc_log = logging.getLogger('awslimitchecker')
# WARNING or higher should pass through
alc_log.setLevel(logging.WARNING)
# use myapp's handler(s)
for h in logging.getLogger('cm').handlers:
    alc_log.addHandler(h)
# instantiate the class
checker = AwsLimitChecker()

Advanced Examples¶

For more examples, see docs/examples/README.rst on GitHub.

CI / Deployment Checks¶

This example checks usage, logs a message at WARNING level for any warning thresholds surpassed, and logs a message at CRITICAL level for any critical thresholds passed. If any critical thresholds were passed, it exits the script non-zero, i.e. to fail a CI or build job. In this example, we have multiple critical thresholds crossed.

>>> import logging
>>> logging.basicConfig()
>>> logger = logging.getLogger()
>>>
>>> from awslimitchecker.checker import AwsLimitChecker
>>> c = AwsLimitChecker()
>>> result = c.check_thresholds()
>>>
>>> have_critical = False
>>> for service, svc_limits in result.items():
...     for limit_name, limit in svc_limits.items():
...         for warn in limit.get_warnings():
...             logger.warning("{service} '{limit_name}' usage ({u}) exceeds "
...                            "warning threshold (limit={l})".format(
...                                service=service,
...                                limit_name=limit_name,
...                                u=str(warn),
...                                l=limit.get_limit(),
...                            )
...             )
...         for crit in limit.get_criticals():
...             have_critical = True
...             logger.critical("{service} '{limit_name}' usage ({u}) exceeds "
...                            "critical threshold (limit={l})".format(
...                                service=service,
...                                limit_name=limit_name,
...                                u=str(crit),
...                                l=limit.get_limit(),
...                            )
...             )
...
CRITICAL:root:EC2 'Magnetic volume storage (TiB)' usage (23.417) exceeds critical threshold (limit=20)
CRITICAL:root:EC2 'Running On-Demand EC2 instances' usage (97) exceeds critical threshold (limit=20)
WARNING:root:EC2 'Security groups per VPC' usage (vpc-c300b9a6=96) exceeds warning threshold (limit=100)
CRITICAL:root:EC2 'Running On-Demand m3.medium instances' usage (53) exceeds critical threshold (limit=20)
CRITICAL:root:EC2 'EC2-Classic Elastic IPs' usage (5) exceeds critical threshold (limit=5)
>>> if have_critical:
...     raise SystemExit(1)
...
(awslimitchecker)$ echo $?
1

Required IAM Permissions¶

Important

The required IAM policy output by awslimitchecker includes only the permissions required to check limits and usage. If you are loading limit overrides and/or threshold overrides from S3, you will need to run awslimitchecker with additional permissions to access those objects.

Below is the sample IAM policy from this version of awslimitchecker, listing the IAM permissions required for it to function correctly. Please note that in some cases awslimitchecker may cause AWS services to make additional API calls on your behalf (such as when enumerating ElasticBeanstalk resources, the ElasticBeanstalk service itself will make s3:ListBucket and s3:GetBucketLocation calls). The policy below includes only the bare minimum permissions for awslimitchecker to function properly, and does not include permissions for any side-effect calls made by AWS services that do not affect the results of this program.

{
  "Statement": [
    {
      "Action": [
        "apigateway:GET",
        "apigateway:HEAD",
        "apigateway:OPTIONS",
        "autoscaling:DescribeAccountLimits",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations",
        "cloudformation:DescribeAccountLimits",
        "cloudformation:DescribeStacks",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetEventSelectors",
        "ds:GetDirectoryLimits",
        "dynamodb:DescribeLimits",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAddresses",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeNatGateways",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeReservedInstances",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSpotDatafeedSubscription",
        "ec2:DescribeSpotFleetInstances",
        "ec2:DescribeSpotFleetRequestHistory",
        "ec2:DescribeSpotFleetRequests",
        "ec2:DescribeSpotInstanceRequests",
        "ec2:DescribeSpotPriceHistory",
        "ec2:DescribeSubnets",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpnGateways",
        "ecs:DescribeClusters",
        "ecs:DescribeServices",
        "ecs:ListClusters",
        "ecs:ListServices",
        "elasticache:DescribeCacheClusters",
        "elasticache:DescribeCacheParameterGroups",
        "elasticache:DescribeCacheSecurityGroups",
        "elasticache:DescribeCacheSubnetGroups",
        "elasticbeanstalk:DescribeApplicationVersions",
        "elasticbeanstalk:DescribeApplications",
        "elasticbeanstalk:DescribeEnvironments",
        "elasticfilesystem:DescribeFileSystems",
        "elasticloadbalancing:DescribeAccountLimits",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeTargetGroups",
        "firehose:ListDeliveryStreams",
        "iam:GetAccountSummary",
        "lambda:GetAccountSettings",
        "rds:DescribeAccountAttributes",
        "rds:DescribeDBInstances",
        "rds:DescribeDBParameterGroups",
        "rds:DescribeDBSecurityGroups",
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBSubnetGroups",
        "rds:DescribeEventSubscriptions",
        "rds:DescribeOptionGroups",
        "rds:DescribeReservedDBInstances",
        "redshift:DescribeClusterSnapshots",
        "redshift:DescribeClusterSubnetGroups",
        "route53:GetHostedZone",
        "route53:GetHostedZoneLimit",
        "route53:ListHostedZones",
        "s3:ListAllMyBuckets",
        "servicequotas:ListServiceQuotas",
        "ses:GetSendQuota",
        "support:*",
        "trustedadvisor:Describe*",
        "trustedadvisor:RefreshCheck"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}

Supported Limits¶

The section below lists every limit that this version of awslimitchecker knows how to check, and its hard-coded default value (per AWS documentation).

Limits with a ✔ in the “Trusted Advisor” column are comfirmed as being updated by Trusted Advisor. Note that so long as the Service and Limit names used by Trusted Advisor (and returned in its API responses) exactly match those shown below, all limits listed in Trusted Advisor “Service Limit” checks should be automatically used by awslimitchecker. However, limits marked here with a ✔ were detected as being returned by Trusted Advisor as of the last release. Note that not all accounts can access Trusted Advisor, or can access all limits known by Trusted Advisor.

Limits with a ✔ in the “Quotas” column can be retrieved from the Service Quotas service; this information is supposed to be accurate and up-to-date, but is likely less accurate than the service’s own API. Limits retrieved from Service Quotas take precedence over Trusted Advisor and default limits.

Limits with a ✔ in the “API” column can be retrieved directly from the corresponding Service API; this information should be the most accurate and up-to-date, as it is retrieved directly from the service that evaluates and enforces limits. Limits retrieved via service API take precedence over Trusted Advisor, Service Quotas, and default limits.

ApiGateway¶

Limit	Quotas	Default
API keys per account	✔	500
Client certificates per account	✔	60
Custom authorizers per API		10
Documentation parts per API		2000
Edge APIs per account	✔	120
Private APIs per account	✔	600
Regional APIs per account	✔	600
Resources per API	✔	300
Stages per API	✔	10
Usage plans per account	✔	300
VPC Links per account	✔	5

AutoScaling¶

Limit	Trusted Advisor	Quotas	API	Default
Auto Scaling groups	✔	✔	✔	200
Launch configurations	✔	✔	✔	200

CloudFormation¶

Limit	Trusted Advisor	Quotas	API	Default
Stacks	✔	✔	✔	200

CloudTrail¶

Limit	Trusted Advisor	Quotas	API	Default
Data Resources Per Trail				250
Event Selectors Per Trail				5
Trails Per Region				5

Directory Service¶

Limit	API	Default
CloudOnlyDirectories	✔	10
CloudOnlyMicrosoftAD	✔	10
ConnectedDirectories	✔	10

DynamoDB¶

Limit	Quotas	API	Default
Account Max Read Capacity Units	✔	✔	80000
Account Max Write Capacity Units	✔	✔	80000
Global Secondary Indexes			20
Local Secondary Indexes			5
Table Max Read Capacity Units	✔	✔	40000
Table Max Write Capacity Units	✔	✔	40000
Tables Per Region			256

EBS¶

Limit	Trusted Advisor	Quotas	Default
Active snapshots	✔	✔	10000
Active volumes			5000
Cold (HDD) volume storage (GiB)		✔	307200
General Purpose (SSD) volume storage (GiB)	✔	✔	307200
Magnetic volume storage (GiB)	✔	✔	307200
Provisioned IOPS	✔	✔	200000
Provisioned IOPS (SSD) storage (GiB)	✔	✔	307200
Throughput Optimized (HDD) volume storage (GiB)		✔	307200

EC2¶

As of October 2019, the “standard” EC2 regions use the new vCPU-based limits, while the China (cn-) and GovCloud (us-gov-) regions still use the old per-instance-type limits. Please see the sections for either EC2 - Standard Regions or EC2 - China and GovCloud for details.

EC2 - Standard Regions¶

Note on On-Demand vs Reserved Instances: The EC2 limits for “Running On-Demand” EC2 Instances apply only to On-Demand instances, not Reserved Instances. If you list all EC2 instances that are running in the Console or API, you’ll get back instances of all types (On-Demand, Reserved, etc.). The value that awslimitchecker reports for Running On-Demand Instances current usage will not match the number of instances you see in the Console or API.

Important: The limits for Running On-Demand Instances are now measured in vCPU count per instance family, not instance count per instance type.

Limit	Trusted Advisor	Quotas	API	Default
Elastic IP addresses (EIPs)	✔	✔	✔	5
Max active spot fleets per region				1000
Max launch specifications per spot fleet				50
Max spot instance requests per region				20
Max target capacity for all spot fleets in region				5000
Max target capacity per spot fleet				3000
Rules per VPC security group				50
Running On-Demand All F instances		✔		128
Running On-Demand All G instances		✔		128
Running On-Demand All P instances		✔		128
Running On-Demand All Standard (A, C, D, H, I, M, R, T, Z) instances		✔		1152
Running On-Demand All X instances		✔		128
Security groups per VPC				500
VPC Elastic IP addresses (EIPs)	✔	✔	✔	5
VPC security groups per elastic network interface			✔	5

EC2 - China and GovCloud¶

Note on On-Demand vs Reserved Instances: The EC2 limits for “Running On-Demand” EC2 Instances apply only to On-Demand instances, not Reserved Instances. If you list all EC2 instances that are running in the Console or API, you’ll get back instances of all types (On-Demand, Reserved, etc.). The value that awslimitchecker reports for Running On-Demand Instances current usage will not match the number of instances you see in the Console or API.

Limit	Trusted Advisor	API	Default
Elastic IP addresses (EIPs)	✔	✔	5
Max active spot fleets per region			1000
Max launch specifications per spot fleet			50
Max spot instance requests per region			20
Max target capacity for all spot fleets in region			5000
Max target capacity per spot fleet			3000
Rules per VPC security group			50
Running On-Demand EC2 instances		✔	20
Running On-Demand a1.2xlarge instances			20
Running On-Demand a1.4xlarge instances			20
Running On-Demand a1.large instances			20
Running On-Demand a1.medium instances			20
Running On-Demand a1.metal instances			20
Running On-Demand a1.xlarge instances			20
Running On-Demand c1.medium instances			20
Running On-Demand c1.xlarge instances			20
Running On-Demand c3.2xlarge instances			20
Running On-Demand c3.4xlarge instances			20
Running On-Demand c3.8xlarge instances			20
Running On-Demand c3.large instances	✔		20
Running On-Demand c3.xlarge instances	✔		20
Running On-Demand c4.2xlarge instances	✔		20
Running On-Demand c4.4xlarge instances	✔		10
Running On-Demand c4.8xlarge instances	✔		5
Running On-Demand c4.large instances	✔		20
Running On-Demand c4.xlarge instances	✔		20
Running On-Demand c5.12xlarge instances			20
Running On-Demand c5.18xlarge instances			5
Running On-Demand c5.24xlarge instances			20
Running On-Demand c5.2xlarge instances	✔		20
Running On-Demand c5.4xlarge instances	✔		10
Running On-Demand c5.9xlarge instances			5
Running On-Demand c5.large instances	✔		20
Running On-Demand c5.metal instances			20
Running On-Demand c5.xlarge instances			20
Running On-Demand c5d.12xlarge instances			20
Running On-Demand c5d.18xlarge instances			20
Running On-Demand c5d.24xlarge instances			20
Running On-Demand c5d.2xlarge instances			20
Running On-Demand c5d.4xlarge instances			20
Running On-Demand c5d.9xlarge instances			20
Running On-Demand c5d.large instances			20
Running On-Demand c5d.metal instances			20
Running On-Demand c5d.xlarge instances			20
Running On-Demand c5n.18xlarge instances			20
Running On-Demand c5n.2xlarge instances			20
Running On-Demand c5n.4xlarge instances			20
Running On-Demand c5n.9xlarge instances			20
Running On-Demand c5n.large instances			20
Running On-Demand c5n.metal instances			20
Running On-Demand c5n.xlarge instances			20
Running On-Demand cc1.4xlarge instances			20
Running On-Demand cc2.8xlarge instances			20
Running On-Demand cg1.4xlarge instances			2
Running On-Demand cr1.8xlarge instances			2
Running On-Demand d2.2xlarge instances			20
Running On-Demand d2.4xlarge instances			10
Running On-Demand d2.8xlarge instances			5
Running On-Demand d2.xlarge instances			20
Running On-Demand f1.16xlarge instances			20
Running On-Demand f1.2xlarge instances			20
Running On-Demand f1.4xlarge instances			20
Running On-Demand g2.2xlarge instances			5
Running On-Demand g2.8xlarge instances			2
Running On-Demand g3.16xlarge instances			1
Running On-Demand g3.4xlarge instances			1
Running On-Demand g3.8xlarge instances			1
Running On-Demand g3s.xlarge instances			20
Running On-Demand g4dn.12xlarge instances			20
Running On-Demand g4dn.16xlarge instances			20
Running On-Demand g4dn.2xlarge instances			20
Running On-Demand g4dn.4xlarge instances			20
Running On-Demand g4dn.8xlarge instances			20
Running On-Demand g4dn.metal instances			20
Running On-Demand g4dn.xlarge instances			20
Running On-Demand h1.16xlarge instances			5
Running On-Demand h1.2xlarge instances			20
Running On-Demand h1.4xlarge instances			20
Running On-Demand h1.8xlarge instances			10
Running On-Demand hi1.4xlarge instances			2
Running On-Demand hs1.8xlarge instances			2
Running On-Demand i2.2xlarge instances			8
Running On-Demand i2.4xlarge instances			4
Running On-Demand i2.8xlarge instances			2
Running On-Demand i2.xlarge instances			8
Running On-Demand i3.16xlarge instances			2
Running On-Demand i3.2xlarge instances			2
Running On-Demand i3.4xlarge instances			2
Running On-Demand i3.8xlarge instances			2
Running On-Demand i3.large instances			2
Running On-Demand i3.metal instances			20
Running On-Demand i3.xlarge instances			2
Running On-Demand i3en.12xlarge instances			20
Running On-Demand i3en.24xlarge instances			20
Running On-Demand i3en.2xlarge instances			20
Running On-Demand i3en.3xlarge instances			20
Running On-Demand i3en.6xlarge instances			20
Running On-Demand i3en.large instances			20
Running On-Demand i3en.xlarge instances			20
Running On-Demand m1.large instances			20
Running On-Demand m1.medium instances			20
Running On-Demand m1.small instances	✔		20
Running On-Demand m1.xlarge instances			20
Running On-Demand m2.2xlarge instances			20
Running On-Demand m2.4xlarge instances			20
Running On-Demand m2.xlarge instances			20
Running On-Demand m3.2xlarge instances	✔		20
Running On-Demand m3.large instances	✔		20
Running On-Demand m3.medium instances	✔		20
Running On-Demand m3.xlarge instances	✔		20
Running On-Demand m4.10xlarge instances			5
Running On-Demand m4.16xlarge instances	✔		5
Running On-Demand m4.2xlarge instances	✔		20
Running On-Demand m4.4xlarge instances	✔		10
Running On-Demand m4.large instances	✔		20
Running On-Demand m4.xlarge instances	✔		20
Running On-Demand m5.12xlarge instances			5
Running On-Demand m5.16xlarge instances			20
Running On-Demand m5.24xlarge instances			5
Running On-Demand m5.2xlarge instances			20
Running On-Demand m5.4xlarge instances			10
Running On-Demand m5.8xlarge instances			20
Running On-Demand m5.large instances	✔		20
Running On-Demand m5.metal instances			20
Running On-Demand m5.xlarge instances			20
Running On-Demand m5a.12xlarge instances			20
Running On-Demand m5a.16xlarge instances			20
Running On-Demand m5a.24xlarge instances			20
Running On-Demand m5a.2xlarge instances			20
Running On-Demand m5a.4xlarge instances			20
Running On-Demand m5a.8xlarge instances			20
Running On-Demand m5a.large instances			20
Running On-Demand m5a.xlarge instances			20
Running On-Demand m5ad.12xlarge instances			20
Running On-Demand m5ad.16xlarge instances			20
Running On-Demand m5ad.24xlarge instances			20
Running On-Demand m5ad.2xlarge instances			20
Running On-Demand m5ad.4xlarge instances			20
Running On-Demand m5ad.8xlarge instances			20
Running On-Demand m5ad.large instances			20
Running On-Demand m5ad.xlarge instances			20
Running On-Demand m5d.12xlarge instances			20
Running On-Demand m5d.16xlarge instances			20
Running On-Demand m5d.24xlarge instances			20
Running On-Demand m5d.2xlarge instances			20
Running On-Demand m5d.4xlarge instances			20
Running On-Demand m5d.8xlarge instances			20
Running On-Demand m5d.large instances			20
Running On-Demand m5d.metal instances			20
Running On-Demand m5d.xlarge instances			20
Running On-Demand m5dn.12xlarge instances			20
Running On-Demand m5dn.16xlarge instances			20
Running On-Demand m5dn.24xlarge instances			20
Running On-Demand m5dn.2xlarge instances			20
Running On-Demand m5dn.4xlarge instances			20
Running On-Demand m5dn.8xlarge instances			20
Running On-Demand m5dn.large instances			20
Running On-Demand m5dn.metal instances			20
Running On-Demand m5dn.xlarge instances			20
Running On-Demand m5n.12xlarge instances			20
Running On-Demand m5n.16xlarge instances			20
Running On-Demand m5n.24xlarge instances			20
Running On-Demand m5n.2xlarge instances			20
Running On-Demand m5n.4xlarge instances			20
Running On-Demand m5n.8xlarge instances			20
Running On-Demand m5n.large instances			20
Running On-Demand m5n.metal instances			20
Running On-Demand m5n.xlarge instances			20
Running On-Demand p2.16xlarge instances			1
Running On-Demand p2.8xlarge instances			1
Running On-Demand p2.xlarge instances			1
Running On-Demand p3.16xlarge instances			1
Running On-Demand p3.2xlarge instances			1
Running On-Demand p3.8xlarge instances			1
Running On-Demand p3dn.24xlarge instances			1
Running On-Demand r3.2xlarge instances	✔		20
Running On-Demand r3.4xlarge instances			10
Running On-Demand r3.8xlarge instances			5
Running On-Demand r3.large instances			20
Running On-Demand r3.xlarge instances			20
Running On-Demand r4.16xlarge instances			1
Running On-Demand r4.2xlarge instances			20
Running On-Demand r4.4xlarge instances			10
Running On-Demand r4.8xlarge instances			5
Running On-Demand r4.large instances	✔		20
Running On-Demand r4.xlarge instances	✔		20
Running On-Demand r5.12xlarge instances			20
Running On-Demand r5.16xlarge instances			20
Running On-Demand r5.24xlarge instances			20
Running On-Demand r5.2xlarge instances			20
Running On-Demand r5.4xlarge instances			20
Running On-Demand r5.8xlarge instances			20
Running On-Demand r5.large instances			20
Running On-Demand r5.metal instances			20
Running On-Demand r5.xlarge instances	✔		20
Running On-Demand r5a.12xlarge instances			20
Running On-Demand r5a.16xlarge instances			20
Running On-Demand r5a.24xlarge instances			20
Running On-Demand r5a.2xlarge instances			20
Running On-Demand r5a.4xlarge instances			20
Running On-Demand r5a.8xlarge instances			20
Running On-Demand r5a.large instances			20
Running On-Demand r5a.xlarge instances			20
Running On-Demand r5ad.12xlarge instances			20
Running On-Demand r5ad.16xlarge instances			20
Running On-Demand r5ad.24xlarge instances			20
Running On-Demand r5ad.2xlarge instances			20
Running On-Demand r5ad.4xlarge instances			20
Running On-Demand r5ad.8xlarge instances			20
Running On-Demand r5ad.large instances			20
Running On-Demand r5ad.xlarge instances			20
Running On-Demand r5d.12xlarge instances			20
Running On-Demand r5d.16xlarge instances			20
Running On-Demand r5d.24xlarge instances			20
Running On-Demand r5d.2xlarge instances			20
Running On-Demand r5d.4xlarge instances			20
Running On-Demand r5d.8xlarge instances			20
Running On-Demand r5d.large instances			20
Running On-Demand r5d.metal instances			20
Running On-Demand r5d.xlarge instances			20
Running On-Demand r5dn.12xlarge instances			20
Running On-Demand r5dn.16xlarge instances			20
Running On-Demand r5dn.24xlarge instances			20
Running On-Demand r5dn.2xlarge instances			20
Running On-Demand r5dn.4xlarge instances			20
Running On-Demand r5dn.8xlarge instances			20
Running On-Demand r5dn.large instances			20
Running On-Demand r5dn.metal instances			20
Running On-Demand r5dn.xlarge instances			20
Running On-Demand r5n.12xlarge instances			20
Running On-Demand r5n.16xlarge instances			20
Running On-Demand r5n.24xlarge instances			20
Running On-Demand r5n.2xlarge instances			20
Running On-Demand r5n.4xlarge instances			20
Running On-Demand r5n.8xlarge instances			20
Running On-Demand r5n.large instances			20
Running On-Demand r5n.metal instances			20
Running On-Demand r5n.xlarge instances			20
Running On-Demand t1.micro instances	✔		20
Running On-Demand t2.2xlarge instances			20
Running On-Demand t2.large instances	✔		20
Running On-Demand t2.medium instances	✔		20
Running On-Demand t2.micro instances	✔		20
Running On-Demand t2.nano instances	✔		20
Running On-Demand t2.small instances	✔		20
Running On-Demand t2.xlarge instances	✔		20
Running On-Demand t3.2xlarge instances			20
Running On-Demand t3.large instances	✔		20
Running On-Demand t3.medium instances	✔		20
Running On-Demand t3.micro instances			20
Running On-Demand t3.nano instances			20
Running On-Demand t3.small instances	✔		20
Running On-Demand t3.xlarge instances			20
Running On-Demand t3a.2xlarge instances			20
Running On-Demand t3a.large instances			20
Running On-Demand t3a.medium instances			20
Running On-Demand t3a.micro instances			20
Running On-Demand t3a.nano instances			20
Running On-Demand t3a.small instances			20
Running On-Demand t3a.xlarge instances			20
Running On-Demand u-18tb1.metal instances			20
Running On-Demand u-24tb1.metal instances			20
Running On-Demand x1.16xlarge instances			20
Running On-Demand x1.32xlarge instances			20
Running On-Demand x1e.16xlarge instances			20
Running On-Demand x1e.2xlarge instances			20
Running On-Demand x1e.32xlarge instances			20
Running On-Demand x1e.4xlarge instances			20
Running On-Demand x1e.8xlarge instances			20
Running On-Demand x1e.xlarge instances			20
Running On-Demand z1d.12xlarge instances			20
Running On-Demand z1d.2xlarge instances			20
Running On-Demand z1d.3xlarge instances			20
Running On-Demand z1d.6xlarge instances			20
Running On-Demand z1d.large instances			20
Running On-Demand z1d.xlarge instances			20
Security groups per VPC			500
VPC Elastic IP addresses (EIPs)	✔	✔	5
VPC security groups per elastic network interface		✔	5

ECS¶

Limit	Trusted Advisor	Quotas	API	Default
Clusters				2000
Container Instances per Cluster				2000
EC2 Tasks per Service (desired count)				1000
Fargate Tasks				50
Services per Cluster				1000

EFS¶

Limit	Trusted Advisor	Quotas	API	Default
File systems		✔		1000

ELB¶

Limit	Quotas	API	Default
Application load balancers	✔	✔	20
Certificates per application load balancer			25
Classic load balancers	✔	✔	20
Listeners per application load balancer		✔	50
Listeners per load balancer		✔	100
Listeners per network load balancer		✔	50
Network load balancers		✔	20
Registered instances per load balancer		✔	1000
Rules per application load balancer		✔	100
Target groups		✔	3000

ElastiCache¶

Limit	Trusted Advisor	Quotas	API	Default
Nodes				100
Nodes per Cluster				20
Parameter Groups				20
Security Groups				50
Subnet Groups				50
Subnets per subnet group				20

ElasticBeanstalk¶

Limit	Trusted Advisor	Quotas	API	Default
Application versions				1000
Applications				75
Environments				200

Firehose¶

Limit	Trusted Advisor	Quotas	API	Default
Delivery streams per region		✔		50

IAM¶

Limit	Trusted Advisor	Quotas	API	Default
Groups	✔	✔	✔	300
Instance profiles	✔	✔	✔	1000
Policies	✔	✔	✔	1500
Policy Versions In Use			✔	10000
Roles	✔	✔	✔	1000
Server certificates	✔	✔	✔	20
Users	✔	✔	✔	5000

Lambda¶

Limit	API	Default
Code Size Unzipped (MiB) per Function	✔	250
Code Size Zipped (MiB) per Function	✔	50
Concurrent Executions	✔	1000
Function Count		None
Total Code Size (MiB)	✔	76800
Unreserved Concurrent Executions	✔	1000

RDS¶

Limit	Trusted Advisor	Quotas	API	Default
DB Cluster Parameter Groups	✔	✔	✔	50
DB Clusters	✔	✔	✔	40
DB instances	✔	✔	✔	40
DB parameter groups	✔	✔	✔	50
DB security groups	✔	✔	✔	25
DB snapshots per user		✔	✔	100
Event Subscriptions	✔	✔	✔	20
Max auths per security group	✔	✔	✔	20
Option Groups		✔	✔	20
Read replicas per master	✔	✔	✔	5
Reserved Instances		✔	✔	40
Storage quota (GB)	✔	✔	✔	100000
Subnet Groups	✔	✔	✔	50
Subnets per Subnet Group	✔	✔	✔	20
VPC Security Groups				5

Redshift¶

Limit	Trusted Advisor	Quotas	API	Default
Redshift manual snapshots				20
Redshift subnet groups				20

Route53¶

Note on Route53 Limits: The Route53 limit values (maxima) are set per-hosted zone, and can be increased by AWS support per-hosted zone. As such, each zone may have a different limit value.

Limit	Trusted Advisor	Quotas	API	Default
Record sets per hosted zone			✔	10000
VPC associations per hosted zone			✔	100

S3¶

Limit	Trusted Advisor	Quotas	API	Default
Buckets				100

SES¶

Limit	Trusted Advisor	Quotas	API	Default
Daily sending quota	✔		✔	200

VPC¶

Limit	Trusted Advisor	Quotas	API	Default
Entries per route table				50
Internet gateways	✔	✔		5
NAT Gateways per AZ				5
Network ACLs per VPC				200
Network interfaces per Region			✔	350
Route tables per VPC				200
Rules per network ACL				20
Subnets per VPC				200
VPCs	✔	✔		5
Virtual private gateways				5

Getting Help¶

If you have a quick question or need some simple assistance, you can try the gitter.im chat channel.

Enterprise Support Agreements and Contract Development¶

For Commercial or Enterprise support agreements for awslimitchecker, or for paid as-needed feature development or bug fixes, please contact Jason Antman at jason@jasonantman.com.

Reporting Bugs and Asking Questions¶

Questions, bug reports and feature requests are happily accepted via the GitHub Issue Tracker. Pull requests are welcome; see the Development documentation for information on PRs. Issues that don’t have an accompanying pull request will be worked on as my time and priority allows, and I’ll do my best to complete feature requests as quickly as possible. Please take into account that I work on this project solely in my personal time, I don’t get paid to work on it and I can’t work on it for my day job, so there may be some delay in getting things implemented.

Guidelines for Reporting Issues¶

Opening a new issue on GitHub should pre-populate the issue description with a template of the following:

Feature Requests¶

If your feature request is for support of a service or limit not currently supported by awslimitchecker, you can simply title the issue add support for <name of service, or name of service and limit> and add a simple description. For anything else, please follow these guidelines:

Describe in detail the feature you would like to see implemented, especially how it would work from a user perspective and what benefits it adds. Your description should be detailed enough to be used to determine if code written for the feature adequately solves the problem.
Describe one or more use cases for why this feature will be useful.
Indicate whether or not you will be able to assist in testing pre-release code for the feature.

Bug Reports¶

When reporting a bug in awslimitchecker, please provide all of the following information, as well as any additional details that may be useful in reproducing or fixing the issue:

awslimitchecker version, as reported by awslimitchecker --version.
How was awslimitchecker installed (provide as much detail as possible, ideally the exact command used and whether it was installed in a virtualenv or not).
The output of python --version and virtualenv --version in the environment that awslimitchecker is running in.
Your operating system type and version.
The output of awslimitchecker, run with the -vv (debug-level output) flag that shows the issue.
The output that you expected (what’s wrong).
If the bug/issue is related to TrustedAdvisor, which support contract your account has.
Whether or not you are willing and able to assist in testing pre-release code intended to fix the issue.

Development¶

Any and all contributions to awslimitchecker are welcome. Guidelines for submitting code contributions in the form of pull requests on GitHub can be found below. For guidelines on submitting bug reports or feature requests, please see the Getting Help documentation. For any contributions that don’t fall into the above categories, please open an issue for further assistance.

Pull Requests¶

Please cut all pull requests against the “develop” branch. I’ll do my best to merge them as quickly as possible. If they pass all unit tests and have 100% coverage, it’ll certainly be easier. I work on this project only in my personal time, so I can’t always get things merged as quickly as I’d like. That being said, I’m committed to doing my best, and please call me out on it if you feel like I’m not.

Pull Request Guidelines¶

All pull requests should be made against the develop branch, NOT master.
If you have not contributed to the project before, all pull requests must include a statement that your contribution is being made under the same license as the awslimitchecker project (or any subsequent version of that license if adopted by awslimitchecker), may perpetually be included in and distributed with awslimitchecker, and that you have the legal power to agree to these terms.
Code should conform to the Guidelines below.
If you have difficulty writing tests for the code, feel free to ask for help or submit the PR without tests. This will increase the amount of time it takes to get merged, but I’d rather write tests for your code than write all the code myself.
You’ve rebuilt the documentation using tox -e docs

Installing for Development¶

To setup awslimitchecker for development:

Fork the awslimitchecker repository on GitHub
Create a virtualenv (using Python 3.5 or later) to run the code in:

$ virtualenv awslimitchecker
$ cd awslimitchecker
$ source bin/activate

Install your fork in the virtualenv as an editable git clone and install development dependencies:

$ pip install -e git+git@github.com:YOUR_NAME/awslimitchecker.git#egg=awslimitchecker
$ cd src/awslimitchecker
$ pip install -r dev/requirements_dev.txt

Check out a new git branch. If you’re working on a GitHub issue you opened, your branch should be called “issues/N” where N is the issue number.

Guidelines¶

pep8 compliant with some exceptions (see pytest.ini)
100% test coverage with pytest (with valid tests)
Complete, correctly-formatted documentation for all classes, functions and methods.
Connections to the AWS services should only be made by the class’s connect() and connect_resource() methods, inherited from the Connectable mixin.
All modules should have (and use) module-level loggers.
See the section on the AGPL license below.
Commit messages should be meaningful, and reference the Issue number if you’re working on a GitHub issue (i.e. “issue #x - <message>”). Please refrain from using the “fixes #x” notation unless you are sure that the the issue is fixed in that commit.
Unlike many F/OSS projects on GitHub, there is no reason to squash your commits; this just loses valuable history and insight into the development process, which could prove valuable if a bug is introduced by your work. Until GitHub fixes this, we’ll live with a potentially messy git log in order to keep the history.

Adding New EC2 Instance Types¶

Run dev/missing_instance_types.py to find all EC2 Instance types listed in the EC2 Pricing API that aren’t present in awslimitchecker and output a list of them.
In services/ec2.py update the constants in _instance_types() accordingly.
Check the EC2 Instance Type limits page for any new types that have non-default limits, and update _get_limits_instances_nonvcpu() accordingly.
Update tests/services/test_ec2.py as needed.

Adding New Limits and Checks to Existing Services¶

First, note that all calls to boto3 client (“low-level”) methods that return a dict response that can include ‘NextToken’ or another pagination marker, should be called through paginate_dict() with the appropriate parameters if the boto3 client can’t paginate the call itself.

Add a new AwsLimit instance to the return value of the Service class’s get_limits() method. If Trusted Advisor returns data for this limit, be sure the service and limit names match those returned by Trusted Advisor.
In the Service class’s find_usage() method (or a method called by that, in the case of large or complex services), get the usage information via self.conn and/or self.resource_conn and pass it to the appropriate AwsLimit object via its _add_current_usage() method. For anything more than trivial services (those with only 2-3 limits), find_usage() should be broken into multiple methods, generally one per AWS API call.
If the service has an API call that retrieves current limit values, and its results include your new limit, ensure that this value is updated in the limit via its _set_api_limit() method. This should be done in the Service class’s _update_limits_from_api() method.
If Service Quotas returns data for this limit, be sure that the parent _AwsService class has its quotas_service_code attribute set appropriately and specify the quotas_name argument to the AwsLimit constructor if the quota name is different from the limit name.
Ensure complete test coverage for the above.

In cases where the AWS service API has a different name than what is reported by Trusted Advisor, or legacy cases where Trusted Advisor support is retroactively added to a limit already in awslimitchecker, you must pass the ta_service_name and ta_limit_name parameters to the AwsLimit constructor, specifying the string values that are returned by Trusted Advisor.

Note on services with per-resource limits: Some AWS services, such as Route53, set limits on each individual resource (i.e. each Hosted Zone, for Route53) instead of globally for all resources in a region or account. When this is done, the per-resource limit should be provided as the maximum argument to the AwsLimitUsage class; AwsLimit will then properly determine warnings/criticals for the limit. For further information, see the 5.0.0 release notes and PR #345 where this was initially implemented.

Adding New Services¶

All Services are sublcasses of _AwsService using the abc module.

First, note that all calls to boto3 client (“low-level”) methods that return a dict response that can include ‘NextToken’ or another pagination marker, should be called through paginate_dict() with the appropriate parameters.

The new service name should be in CamelCase, preferably one word (if not one word, it should be underscore-separated). In awslimitchecker/services, use the addservice script; this will create a templated service class in the current directory, and create a templated (but far from complete) unit test file in awslimitchecker/tests/services:

./addservice ServiceName

Find all “TODO” comments in the newly-created files; these have instructions on things to change for new services. Add yourself to the Authors section in the header if desired.
Add an import line for the new service in awslimitchecker/services/__init__.py.
Be sure to set the class’s api_name attribute to the correct name of the AWS service API (i.e. the parameter passed to boto3.client). This string can typically be found at the top of the Service page in the boto3 docs.
Write at least high-level tests; TDD is greatly preferred.
Implement all abstract methods from _AwsService and any other methods you need; small, easily-testable methods are preferred. Ensure all methods have full documentation. For simple services, you need only to search for “TODO” in the new service class you created (#1). See Adding New Limits for further information.
If your service has an API action to retrieve limit/quota information (i.e. DescribeAccountAttributes for EC2 and RDS), ensure that the service class has an _update_limits_from_api() method which makes this API call and updates each relevant AwsLimit via its _set_api_limit() method.
If the Service Quotas service returns information on limits for your service, be sure you set the quotas_service_code attribute appropriately, and also pass the quota_name keyword argument to the constructor of any AwsLimit classes which have information available via Service Quotas.
Test your code; 100% test coverage is expected, and mocks should be using autospec or spec_set.
Ensure the required_iam_permissions() method of your new class returns a list of all IAM permissions required for it to work.
Run all tox jobs, or at least one python version, docs and coverage.
Commit the updated documentation to the repository.
As there is no programmatic way to validate IAM policies, once you are done writing your service, grab the output of awslimitchecker --iam-policy, login to your AWS account, and navigate to the IAM page. Click through to create a new policy, paste the output of the --iam-policy command, and click the “Validate Policy” button. Correct any errors that occur; for more information, see the AWS IAM docs on Using Policy Validator. It would also be a good idea to run any policy changes through the Policy Simulator.
Submit your pull request.

Trusted Advisor Checks¶

So long as the Service and Limit name strings returned by the Trusted Advisor (Support) API exactly match how they are set on the corresponding _AwsService and AwsLimit objects, no code changes are needed to support new limit checks from TA.

For further information, see Internals / Trusted Advisor.

Adding Metrics Providers¶

Metrics providers are subclasses of MetricsProvider that take key/value configuration items via constructor keyword arguments and implement a flush() method to send all metrics to the configured provider. It is probably easiest to look at the other existing providers for an example of how to implement a new one, but there are a few important things to keep in mind:

All configuration must be able to be passed as keyword arguments to the class constructor (which come from --metrics-config=key=value CLI arguments). It is recommended that any secrets/API keys also be able to be set via environment variables, but the CLI arguments should have precedence.
All dependency imports must be made inside the constructor, not at the module level.
If the provider requires additional dependencies, they should be added as extras but installed in the Docker image.
The constructor should do as much validation (i.e. authentication test) as possible.
Metrics provider classes should be in a module with the same name.

Adding Alert Providers¶

Alert providers are subclasses of AlertProvider that take key/value configuration items via constructor keyword arguments and implement three methods for sending alerts depending on the type of situation: on_warning() for runs that resulted in warning thresholds crossed, on_critical() for runs that resulted in critical thresholds crossed or raised an exception, or on_success() for successful runs with no thresholds crossed (mainly for automatically resolving incidents, when supported). It is probably easiest to look at the other existing providers for an example of how to implement a new one, but there are a few important things to keep in mind:

All configuration must be able to be passed as keyword arguments to the class constructor (which come from --alert-config=key=value CLI arguments). It is recommended that any secrets/API keys also be able to be set via environment variables, but the CLI arguments should have precedence.
All dependency imports must be made inside the constructor, not at the module level.
If the provider requires additional dependencies, they should be added as extras but installed in the Docker image.
The constructor should do as much validation (i.e. authentication test) as possible.
Alert provider classes should be in a module with the same name.

Unit Testing¶

Testing is done via pytest, driven by tox.

testing is as simple as:
- pip install tox==2.7.0
- tox
If you want to see code coverage: tox -e cov
- this produces two coverage reports - a summary on STDOUT and a full report in the htmlcov/ directory
If you want to pass additional arguments to pytest, add them to the tox command line after “–”. i.e., for verbose pytext output on py27 tests: tox -e py27 -- -v

Note that while boto currently doesn’t have python3 support, we still run tests against py3 to ensure that this package is ready for it when boto is.

Integration Testing¶

Integration tests are automatically run in TravisCI for all non-pull request branches. You can run them manually from your local machine using:

tox -r -e integration,integration3

These tests simply run awslimitchecker’s CLI script for both usage and limits, for all services and each service individually. Note that this covers a very small amount of the code, as the account that I use for integration tests has virtually no resources in it.

If integration tests fail, check the required IAM permissions. The IAM user for Travis integration tests is configured via Terraform, which must be re-run after policy changes.

Building Docs¶

Much like the test suite, documentation is build using tox:

$ tox -e docs

Output will be in the docs/build/html directory under the project root.

Building the Docker Image¶

The Docker image is normally built by TravisCI (for testing) and Docker Hub Automated Builds (for the release). To build locally, run tox -e docker.

AGPL License¶

awslimitchecker is licensed under the GNU Affero General Public License, version 3 or later.

Pursuant to Sections 5(b) and 13 of the license, all users of awslimitchecker - including those interacting with it remotely over a network - have a right to obtain the exact, unmodified running source code. We have done as much as possible to make this transparent to developers, with no additional work needed. See the guidelines below for information.

If you’re simply running awslimitchecker via the command line, there’s nothing to worry about; just use it like any other software.
If you’re using awslimitchecker in your own software in a way that allows users to interact with it over the network (i.e. in your deployment or monitoring systems), but not modifying it, you also don’t need to do anything special; awslimitchecker will log a WARNING-level message indicating where the source code of the currently-running version can be obtained. So long as you’ve installed awslimitchecker via Python’s packaging system (i.e. with pip), its current version and source will be automatically detected. This suffices for the AGPL source code offer provision, so long as it’s displayed to users and the currently-running source is unmodified.
If you wish to modify the source code of awslimitchecker, you need to do is ensure that _get_version_info() always returns correct and accurate information (a publicly-accessible URL to the exact version of the running source code, and a version number). If you install your modified version directly from an editable (i.e. pip install -e), publicly-accessible Git repository, and ensure that changes are available in the repository before they are present in the code running for your users, this should be automatically detected by awslimitchecker and the correct URL provided. It is strongly recommended that any such repository is a fork of the project’s original GitHub repository. It is solely your responsibility to ensure that the URL and version information presented to users is accurate and reflects source code identical to what is running.
If you’re distributing awslimitchecker with modifications or as part of your own software (as opposed to simply an editable requirement that gets installed with pip), please read the license and ensure that you comply with its terms.
If you are running awslimitchecker as part of a hosted service that users somehow interact with, please ensure that the source code URL and version is correct and visible in the output given to users.

Handling Issues and PRs¶

All PRs and new work should be based off of the develop branch.

PRs can be merged if they look good, and CHANGES.rst updated after the merge.

For issues:

Cut a issues/number branch off of develop.
Work the issue, come up with a fix. Commit early and often, and mention “issue #x - <message>” in your commit messages.
When you believe you have a working fix, build docs (tox -e docs) and push to origin. Ensure all Travis tests pass.
Ensure that coverage has increased or stayed the same.
Update CHANGES.rst for the fix; commit this with a message like “fixes #x - <message>” and push to origin.
Open a new pull request against the develop branch for this change; once all tests pass, merge it to develop.
Assign the “unreleased fix” label to the issue. It should be closed automatically when develop is merged to master for a release, but this lets us track which issues have unreleased fixes.

Versioning Policy¶

As of version 1.0.0, awslimitchecker strives to follow semver 2.0.0 for versioning, with some specific clarifications:

Major version bumps (backwards-incompatible changes):
- Any additional required IAM permissions, beyond the minimum policy from the last major version.
- Renaming (any change to the case-sensitive strings) any existing services or limits.
- Changing the signatures or argument types of any public methods.
- Any changes to direct dependencies or direct dependency version requirements.
- Any changes that would cause the documented usage examples (Python or CLI) to cease functioning.
Minor version bumps (backwards-compatible feature additions and changes):
- Adding new limits or services that don’t require any IAM policy changes.
- New functionality that doesn’t change existing APIs or CLI arguments.
Patch version bumps:
- Bug fixes
- Documentation, development/support tooling, or anything else that isn’t user-executed code.

This means that after 1.0.0, major version numbers will likely increase rather quickly.

Release Checklist¶

To perform a release, run dev/release.py.

Internals¶

Overall Program Flow¶

AwsLimitChecker provides the full and only public interface to this project; it’s used by the awslimitchecker command line script (entry point to runner) and should be the only portion directly used by external code.

Each AWS Service is represented by a subclass of the _AwsService abstract base class; these Service Classes are responsible for knowing which limits exist for the service they represent, what the default values for these limits are, querying current limits from the service’s API (if supported), and how to check the current usage via the AWS API (boto3). When the Service Classes are instantiated, they build a dict of all of their limits, correlating a string key (the “limit name”) with an AwsLimit object. The Service Class constructors must not make any network connections; connections are created lazily as needed and stored as a class attribute. This allows us to inspect the services, limits and default limit values without ever connecting to AWS (this is also used to generate the Supported Limits documentation automatically).

All calls to boto3 client (“low-level”) methods that return a dict response that can include ‘NextToken’ or another pagination marker, should be called through paginate_dict() with the appropriate parameters.

When AwsLimitChecker is instantiated, it imports services which in turn creates instances of all awslimitchecker.services.* classes and adds them to a dict mapping the string Service Name to the Service Class instance. These instances are used for all interaction with the services.

So, once an instance of AwsLimitChecker is created, we should have instant access to the services and limits without any connection to AWS. This is utilized by the --list-services and --list-defaults options for the command line client.

Trusted Advisor¶

When AwsLimitChecker is initialized, it also initializes an instance of TrustedAdvisor. In get_limits(), find_usage() and check_thresholds(), when called with use_ta == True (the default), update_limits() is called on the TrustedAdvisor instance.

update_limits() polls Trusted Advisor data from the Support API via _poll(); this will retrieve the limits for all “flaggedResources” items in the Service Limits Trusted Advisor check result for the current AWS account. It then calls _update_services(), passing in the Trusted Advisor check results and the dict of _AwsService objects it was called with (from AwsLimitChecker).

_update_services() iterates over the Services in the Trusted Advisor check result and attempts to find a matching _AwsService (by string service name) in the dict passed in from AwsLimitChecker. If a match is found, it iterates over all limits for that service in the TA result and attempts to call the Service’s _set_ta_limit() method. If a matching Service is not found, or if _set_ta_limit raises a ValueError (matching Limit not found for that Service), an error is logged.

When AwsLimitChecker initializes TrustedAdvisor, it passes in the self.services dictionary of all services and limits. At initialization time, TrustedAdvisor iterates all services and limits, and builds a new dictionary mapping the limit objects by the return values of their ta_service_name() and ta_limit_name() properties. This allows limits to override the Trusted Advisor service and limit name that their data comes from. In the default case, their service and limit names will be used as they are set in the awslimitchecker code, and limits which have matching Trusted Advisor data will be automatically populated.

In the TrustedAdvisor class’s _poll() method, _get_refreshed_check_result() is used to retrieve the check result data from Trusted Advisor. This method also implements the check refresh logic. See the comments in the source code for the specific logic. There are three methods of refreshing checks (refresh modes), which are controlled by the ta_refresh_mode parameter to TrustedAdvisor:

If ta_refresh_mode is the string “wait”, the check will be refreshed and awslimitchecker will poll for the refresh result every 30 seconds, waiting for the refresh to complete (or until ta_refresh_timeout seconds have elapsed). This is exposed via the CLI as the --ta-refresh-wait option.
If ta_refresh_mode is an integer, it will operate like the “wait” mode above, but only if the current result data for the check is more than ta_refresh_mode seconds old. This is exposed via the CLI as the --ta-refresh-older option.
If ta_refresh_mode is the string “trigger”, the check will be refreshed and the program will continue on immediately, without waiting for the refresh to complete; this will almost certainly result in stale check results in the current run. However, this may be useful if you desire to keep awslimitchecker runs short, and run it on a regular schedule (i.e. if you run awslimitchecker every 6 hours, and are OK with Trusted Advisor check data being 6 hours old). This is exposed via the CLI as the --ta-refresh-trigger option.

Additionally, TrustedAdvisor has a ta_refresh_timeout parameter. If this is set to a non-None value (an integer), refreshes of the check will time out after that number of seconds. If a timeout occurs, a message will be logged at error level, but the program will continue running (most likely using the old result data). This parameter is exposed via the CLI as the --ta-refresh-timeout option.

Important: It may take 30 to 60 minutes for the Service Limits check to refresh on large accounts. Please be aware of this when enabling the refresh options.

Using the check refresh options will require the trustedadvisor:RefreshCheck IAM permission.

For use via Python, these same parameters (ta_refresh_mode and ta_refresh_timeout) are exposed as parameters on the AwsLimitChecker constructor.

Service Quotas service¶

Unless use of Serivce Quotas is disabled with the --skip-quotas command line option or by passing skip_quotas=False to the AwsLimitChecker constructor, awslimitchecker will retrieve all relevant data from the Service Quotas service. In the AwsLimitChecker constructor (so long as skip_quotas is True), an instance of the ServiceQuotasClient class is constructed, passing in our boto3 connection keyword arguments for the current region. This client class instance is then passed to the constructor of every Service class (_AwsService subclass) when the class is created, via the quotas_client argument. Each _AwsService class stores this as the _quotas_client instance variable.

As the AwsLimitChecker class iterates over all (configured) services in its get_limits(), find_usage(), and check_thresholds() methods, it will call the service class’s _update_service_quotas() method after calling update_limits() and the service class’s _update_limits_from_api() method (if present), and before the actual operation of getting limits, finding usage, or checking thresholds.

The _AwsService._update_service_quotas() method will iterate through all limits (AwsLimit) for the service and call the get_quota_value() method for each. Assuming it returns a non-None result, that result will be passed to the limit’s _set_quotas_limit() method for later use in get_limit().

When retrieving values from Service Quotas, the ServiceCode is taken from the _AwsService.quotas_service_code attribute on the Service class. If that is set to None, Service Quotas will not be consulted for that service. The ServiceCode can also be overridden on a per-limit basis via the quotas_service_code argument to the AwsLimit constructor. The QuotaName used by each limit defaults to the limit name itself (AwsLimit instance variable name) but can be overridden with the quota_name argument to the AwsLimit constructor.

Note that quota names are stored and compared in lower case.

Service API Limit Information¶

Some services provide API calls to retrieve at least some of the current limits, such as the DescribeAccountAttributes API calls for RDS and EC2. Services that support such calls should make them in a _update_limits_from_api() method, which will be automatically called from get_limits(). The _update_limits_from_api() method should make the API call, and then update all relevant limits via the AwsLimit class’s _set_api_limit() method.

Limit Value Precedence¶

The value used for a limit is the first match in the following list:

Limit Override (set at runtime)
API Limit
Service Quotas
Trusted Advisor
Hard-coded default

Threshold Overrides¶

For more information on overriding thresholds, see Python Usage / Setting a Threshold Override as well as the documentation for AwsLimitChecker.check_thresholds() and AwsLimitChecker.set_threshold_override().

awslimitchecker¶

awslimitchecker package¶

Subpackages¶

awslimitchecker.alerts package¶

Submodules¶

awslimitchecker.alerts.base module¶

class awslimitchecker.alerts.base.AlertProvider(region_name)[source]¶

Bases: object

Initialize an AlertProvider class. This MUST be overridden by subclasses. All configuration must be passed as keyword arguments to the class constructor (these come from --alert-config CLI arguments). Any dependency imports must be made in the constructor. The constructor should do as much as possible to validate configuration.

Parameters:	region_name (str) – the name of the region we’re connected to

__dict__ = mappingproxy({'__module__': 'awslimitchecker.alerts.base', '__metaclass__': <class 'abc.ABCMeta'>, '__init__': <function AlertProvider.__init__>, 'on_success': <function AlertProvider.on_success>, 'on_critical': <function AlertProvider.on_critical>, 'on_warning': <function AlertProvider.on_warning>, 'providers_by_name': <staticmethod object>, 'get_provider_by_name': <staticmethod object>, '__dict__': <attribute '__dict__' of 'AlertProvider' objects>, '__weakref__': <attribute '__weakref__' of 'AlertProvider' objects>, '__doc__': None})¶

__init__(region_name)[source]¶

Initialize an AlertProvider class. This MUST be overridden by subclasses. All configuration must be passed as keyword arguments to the class constructor (these come from --alert-config CLI arguments). Any dependency imports must be made in the constructor. The constructor should do as much as possible to validate configuration.

Parameters:	region_name (str) – the name of the region we’re connected to

__metaclass__¶: alias of abc.ABCMeta

__module__ = 'awslimitchecker.alerts.base'¶

__weakref__¶: list of weak references to the object (if defined)

static get_provider_by_name(name)[source]¶

Get a reference to the provider class with the specified name.

Parameters:	name (str) – name of the AlertProvider subclass
Returns:	AlertProvider subclass
Return type:	`class`
Raises:	RuntimeError

on_critical(problems, problem_str, exc=None, duration=None)[source]¶

Method called when the run encountered errors, or at least one critical threshold was met or crossed.

Parameters:

problems (dict or None) – dict of service name to nested dict of limit name to limit, same format as the return value of check_thresholds(). None if exc is specified.
problem_str (str or None) – String representation of problems, as displayed in awslimitchecker command line output. None if exc is specified.
exc (Exception) – Exception object that was raised during the run (optional)
duration (float) – duration of the run

on_success(duration=None)[source]¶

Method called when no thresholds were breached, and run completed successfully. Should resolve any open incidents (if the service supports that functionality) or else simply return.

Parameters:	duration (float) – duration of the usage/threshold checking run

on_warning(problems, problem_str, duration=None)[source]¶

Method called when one or more warning thresholds were crossed, but no criticals and the run did not encounter any errors.

Parameters:	problems (dict or None) – dict of service name to nested dict of limit name to limit, same format as the return value of `check_thresholds()`. problem_str (str or None) – String representation of `problems`, as displayed in `awslimitchecker` command line output. duration (float) – duration of the run

static providers_by_name()[source]¶

Return a dict of available AlertProvider subclass names to the class objects.

Returns:	AlertProvider class names to classes
Return type:	dict

awslimitchecker.alerts.dummy module¶

class awslimitchecker.alerts.dummy.Dummy(region_name, **_)[source]¶

Bases: awslimitchecker.alerts.base.AlertProvider

Initialize an AlertProvider class. This MUST be overridden by subclasses. All configuration must be passed as keyword arguments to the class constructor (these come from --alert-config CLI arguments). Any dependency imports must be made in the constructor. The constructor should do as much as possible to validate configuration.

Parameters:	region_name (str) – the name of the region we’re connected to

__init__(region_name, **_)[source]¶

Initialize an AlertProvider class. This MUST be overridden by subclasses. All configuration must be passed as keyword arguments to the class constructor (these come from --alert-config CLI arguments). Any dependency imports must be made in the constructor. The constructor should do as much as possible to validate configuration.

Parameters:	region_name (str) – the name of the region we’re connected to

__module__ = 'awslimitchecker.alerts.dummy'¶

on_critical(problems, problem_str, exc=None, duration=None)[source]¶

Method called when the run encountered errors, or at least one critical threshold was met or crossed.

Parameters:

problems (dict or None) – dict of service name to nested dict of limit name to limit, same format as the return value of check_thresholds(). None if exc is specified.
problem_str (str or None) – String representation of problems, as displayed in awslimitchecker command line output. None if exc is specified.
exc (Exception) – Exception object that was raised during the run (optional)
duration (float) – duration of the run

on_success(duration=None)[source]¶

Method called when no thresholds were breached, and run completed successfully. Should resolve any open incidents (if the service supports that functionality) or else simply return.

Parameters:	duration (float) – duration of the usage/threshold checking run

on_warning(problems, problem_str, duration=None)[source]¶

Method called when one or more warning thresholds were crossed, but no criticals and the run did not encounter any errors.

Parameters:	problems (dict or None) – dict of service name to nested dict of limit name to limit, same format as the return value of `check_thresholds()`. problem_str (str or None) – String representation of `problems`, as displayed in `awslimitchecker` command line output. duration (float) – duration of the run

awslimitchecker.alerts.pagerdutyv1 module¶

class awslimitchecker.alerts.pagerdutyv1.PagerDutyV1(region_name, account_alias=None, critical_service_key=None, warning_service_key=None, incident_key=None)[source]¶

Bases: awslimitchecker.alerts.base.AlertProvider

Initialize PagerDutyV1 alert provider.

Parameters:

region_name (str) – the name of the region we’re connected to
account_alias – Optional; an alias for the account that awslimitchecker is currently running against, to use in the default incident_key and description.
critical_service_key (str) – Required; the PagerDuty Integration Key for sending Critical events. Can also be specified via the PAGERDUTY_SERVICE_KEY_CRIT environment variable.
warning_service_key (str) – Required; the PagerDuty Integration Key for sending Warning events. Can also be specified via the PAGERDUTY_SERVICE_KEY_WARN environment variable. If omitted, alerts will not be sent for warnings.
incident_key (str) – Optional; the PagerDuty incident/routing key to use, for de-duplication and resolving alerts. This string will have any occurrences of {account_alias} replaced with the account alias (or an empty string, if not specified) and any occurrences of {region_name} replaced with the current region name. If not specified, this will default to awslimitchecker-{account_alias}-{region_name}.

__init__(region_name, account_alias=None, critical_service_key=None, warning_service_key=None, incident_key=None)[source]¶

Initialize PagerDutyV1 alert provider.

Parameters:

region_name (str) – the name of the region we’re connected to
account_alias – Optional; an alias for the account that awslimitchecker is currently running against, to use in the default incident_key and description.
critical_service_key (str) – Required; the PagerDuty Integration Key for sending Critical events. Can also be specified via the PAGERDUTY_SERVICE_KEY_CRIT environment variable.
warning_service_key (str) – Required; the PagerDuty Integration Key for sending Warning events. Can also be specified via the PAGERDUTY_SERVICE_KEY_WARN environment variable. If omitted, alerts will not be sent for warnings.
incident_key (str) – Optional; the PagerDuty incident/routing key to use, for de-duplication and resolving alerts. This string will have any occurrences of {account_alias} replaced with the account alias (or an empty string, if not specified) and any occurrences of {region_name} replaced with the current region name. If not specified, this will default to awslimitchecker-{account_alias}-{region_name}.

__module__ = 'awslimitchecker.alerts.pagerdutyv1'¶

_event_dict()[source]¶

Return a skeleton dictionary for the PagerDuty V1 Event.

Returns:	skeleton of Event
Return type:	dict

_problems_dict(problems)[source]¶

Make a dict of problems suitable for inclusion in Event details.

Parameters:	problems (dict) – dict of service name to nested dict of limit name to limit, same format as the return value of `check_thresholds()`. `None` if `exc` is specified.
Returns:	problems summary suitable for Event details
Return type:	dict

_send_event(service_key, payload)[source]¶

Send an event to PagerDuty.

Parameters:	service_key (str) – service key to send to payload (dict) – data to send with event

on_critical(problems, problem_str, exc=None, duration=None)[source]¶

Method called when the run encountered errors, or at least one critical threshold was met or crossed.

Parameters:

problems (dict or None) – dict of service name to nested dict of limit name to limit, same format as the return value of check_thresholds(). None if exc is specified.
problem_str (str or None) – String representation of problems, as displayed in awslimitchecker command line output. None if exc is specified.
exc (Exception) – Exception object that was raised during the run (optional)
duration (float) – duration of the run

on_success(duration=None)[source]¶

Method called when no thresholds were breached, and run completed successfully. Should resolve any open incidents (if the service supports that functionality) or else simply return.

Parameters:	duration (float) – duration of the usage/threshold checking run

on_warning(problems, problem_str, duration=None)[source]¶

Method called when one or more warning thresholds were crossed, but no criticals and the run did not encounter any errors.

Parameters:	problems (dict or None) – dict of service name to nested dict of limit name to limit, same format as the return value of `check_thresholds()`. problem_str (str or None) – String representation of `problems`, as displayed in `awslimitchecker` command line output. duration (float) – duration of the run

pd_url = 'https://events.pagerduty.com/generic/2010-04-15/create_event.json'¶

awslimitchecker.metrics package¶

Submodules¶

awslimitchecker.metrics.base module¶

class awslimitchecker.metrics.base.MetricsProvider(region_name)[source]¶

Bases: object

Initialize a MetricsProvider class. This MUST be overridden by subclasses. All configuration must be passed as keyword arguments to the class constructor (these come from --metrics-config CLI arguments). Any dependency imports must be made in the constructor. The constructor should do as much as possible to validate configuration.

Parameters:	region_name (str) – the name of the region we’re connected to

__dict__ = mappingproxy({'__module__': 'awslimitchecker.metrics.base', '__metaclass__': <class 'abc.ABCMeta'>, '__init__': <function MetricsProvider.__init__>, 'set_run_duration': <function MetricsProvider.set_run_duration>, 'add_limit': <function MetricsProvider.add_limit>, 'flush': <function MetricsProvider.flush>, 'providers_by_name': <staticmethod object>, 'get_provider_by_name': <staticmethod object>, '__dict__': <attribute '__dict__' of 'MetricsProvider' objects>, '__weakref__': <attribute '__weakref__' of 'MetricsProvider' objects>, '__doc__': None})¶

__init__(region_name)[source]¶

Initialize a MetricsProvider class. This MUST be overridden by subclasses. All configuration must be passed as keyword arguments to the class constructor (these come from --metrics-config CLI arguments). Any dependency imports must be made in the constructor. The constructor should do as much as possible to validate configuration.

Parameters:	region_name (str) – the name of the region we’re connected to

__metaclass__¶: alias of abc.ABCMeta

__module__ = 'awslimitchecker.metrics.base'¶

__weakref__¶: list of weak references to the object (if defined)

add_limit(limit)[source]¶

Cache a given limit for later sending to the metrics store.

Parameters:	limit (AwsLimit) – a limit to cache

flush()[source]¶: Flush all metrics to the provider. This is the method that actually sends data to your metrics provider/store. It should iterate over self._limits and send metrics for them, as well as for self._duration.

static get_provider_by_name(name)[source]¶

Get a reference to the provider class with the specified name.

Parameters:	name (str) – name of the MetricsProvider subclass
Returns:	MetricsProvider subclass
Return type:	`class`
Raises:	RuntimeError

static providers_by_name()[source]¶

Return a dict of available MetricsProvider subclass names to the class objects.

Returns:	MetricsProvider class names to classes
Return type:	dict

set_run_duration(duration)[source]¶

Set the duration for the awslimitchecker run (the time taken to check usage against limits).

Parameters:	duration (float) – time taken to check limits

awslimitchecker.metrics.datadog module¶

class awslimitchecker.metrics.datadog.Datadog(region_name, prefix='awslimitchecker.', api_key=None, extra_tags=None)[source]¶

Bases: awslimitchecker.metrics.base.MetricsProvider

Initialize the Datadog metrics provider. This class does not have any additional requirements. You must specify at least the api_key configuration option.

Parameters:

region_name (str) – the name of the region we’re connected to. This parameter is automatically passed in by the Runner class.
prefix (str) – Datadog metric prefix
api_key (str) – Datadog API key. May alternatively be specified by the DATADOG_API_KEY environment variable.
extra_tags (str) – CSV list of additional tags to send with metrics. All metrics will automatically be tagged with region:<region name>

__init__(region_name, prefix='awslimitchecker.', api_key=None, extra_tags=None)[source]¶

Initialize the Datadog metrics provider. This class does not have any additional requirements. You must specify at least the api_key configuration option.

Parameters:

region_name (str) – the name of the region we’re connected to. This parameter is automatically passed in by the Runner class.
prefix (str) – Datadog metric prefix
api_key (str) – Datadog API key. May alternatively be specified by the DATADOG_API_KEY environment variable.
extra_tags (str) – CSV list of additional tags to send with metrics. All metrics will automatically be tagged with region:<region name>

__module__ = 'awslimitchecker.metrics.datadog'¶

_name_for_metric(service, limit)[source]¶

Return a metric name that’s safe for datadog

Parameters:	service (str) – service name limit (str) – limit name
Returns:	datadog metric name
Return type:	str

_validate_auth(api_key)[source]¶

flush()[source]¶: Flush all metrics to the provider. This is the method that actually sends data to your metrics provider/store. It should iterate over self._limits and send metrics for them, as well as for self._duration.

awslimitchecker.metrics.dummy module¶

class awslimitchecker.metrics.dummy.Dummy(region_name, **_)[source]¶

Bases: awslimitchecker.metrics.base.MetricsProvider

Just writes metrics to STDOUT; mainly used for testing.

__init__(region_name, **_)[source]¶

Initialize a MetricsProvider class. This MUST be overridden by subclasses. All configuration must be passed as keyword arguments to the class constructor (these come from --metrics-config CLI arguments). Any dependency imports must be made in the constructor. The constructor should do as much as possible to validate configuration.

Parameters:	region_name (str) – the name of the region we’re connected to

__module__ = 'awslimitchecker.metrics.dummy'¶

flush()[source]¶: Flush all metrics to the provider. This is the method that actually sends data to your metrics provider/store. It should iterate over self._limits and send metrics for them, as well as for self._duration.

awslimitchecker.services package¶

Submodules¶

awslimitchecker.services.apigateway module¶

class awslimitchecker.services.apigateway._ApigatewayService(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.services.base._AwsService

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

__module__ = 'awslimitchecker.services.apigateway'¶

_find_usage_api_keys()[source]¶: Find usage on API Keys. Update self.limits.

_find_usage_apis()[source]¶: Find usage on APIs / RestAPIs, and resources that are limited per-API. Update self.limits.

_find_usage_certs()[source]¶: Find usage on Client Certificates. Update self.limits.

_find_usage_plans()[source]¶: Find usage on Usage Plans and plans per API Key. Update self.limits.

_find_usage_vpc_links()[source]¶: Find usage on VPC Links. Update self.limits.

api_name = 'apigateway'¶

find_usage()[source]¶: Determine the current usage for each limit of this service, and update corresponding Limit via _add_current_usage().

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

quotas_service_code = 'apigateway'¶

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'ApiGateway'¶

awslimitchecker.services.autoscaling module¶

class awslimitchecker.services.autoscaling._AutoscalingService(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.services.base._AwsService

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

__module__ = 'awslimitchecker.services.autoscaling'¶

_update_limits_from_api()[source]¶: Query EC2’s DescribeAccountAttributes API action, and update limits with the quotas returned. Updates self.limits.

api_name = 'autoscaling'¶

find_usage()[source]¶: Determine the current usage for each limit of this service, and update corresponding Limit via _add_current_usage().

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

quotas_service_code = 'autoscaling'¶

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'AutoScaling'¶

awslimitchecker.services.base module¶

class awslimitchecker.services.base._AwsService(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.connectable.Connectable

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

__init__(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

__metaclass__¶: alias of abc.ABCMeta

__module__ = 'awslimitchecker.services.base'¶

_set_ta_limit(limit_name, value)[source]¶

Set the value for the limit as reported by Trusted Advisor, for the specified limit.

This method should only be called by TrustedAdvisor.

Parameters:	limit_name (str) – the name of the limit to override the value for value (int) – the Trusted Advisor limit value
Raises:	ValueError if limit_name is not known to this service

_update_service_quotas()[source]¶: Update all limits for this service via the Service Quotas service.

api_name = 'baseclass'¶: the AWS API name for the service

check_thresholds()[source]¶

Checks current usage against configured thresholds for all limits for this service.

Returns:	a dict of limit name to `AwsLimit` instance for all limits that crossed one or more of their thresholds.
Return type:	`dict` of `AwsLimit`

find_usage()[source]¶

Determine the current usage for each limit of this service, and update the current_usage property of each corresponding AwsLimit instance.

This method MUST set self._have_usage = True.

If the boto3 method being called returns a dict response that can include ‘NextToken’ or another pagination marker, it should be called through paginate_dict() with the appropriate parameters.

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

All limits must have self.warning_threshold and self.critical_threshold passed into them.

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

quotas_service_code = None¶: the service code for Service Quotas, or None

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'baseclass'¶: awslimitchecker’s name for the service

set_limit_override(limit_name, value, override_ta=True)[source]¶

Set a new limit value for the specified limit, overriding the default. If override_ta is True, also use this value instead of any found by Trusted Advisor. This method simply passes the data through to the set_limit_override() method of the underlying AwsLimit instance.

Parameters:	limit_name (str) – the name of the limit to override the value for value (int) – the new value to set for the limit override_ta (bool) – whether or not to also override Trusted Advisor information
Raises:	ValueError if limit_name is not known to this service

set_threshold_override(limit_name, warn_percent=None, warn_count=None, crit_percent=None, crit_count=None)[source]¶

Override the default warning and critical thresholds used to evaluate the specified limit’s usage. Theresholds can be specified as a percentage of the limit, or as a usage count, or both.

Parameters:	warn_percent (int) – new warning threshold, percentage used warn_count (int) – new warning threshold, actual count/number crit_percent (int) – new critical threshold, percentage used crit_count (int) – new critical threshold, actual count/number

awslimitchecker.services.cloudformation module¶

class awslimitchecker.services.cloudformation._CloudformationService(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.services.base._AwsService

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

__module__ = 'awslimitchecker.services.cloudformation'¶

_update_limits_from_api()[source]¶: Call the service’s API action to retrieve limit/quota information, and update AwsLimit objects in self.limits with this information.

api_name = 'cloudformation'¶

find_usage()[source]¶: Determine the current usage for each limit of this service, and update corresponding Limit via _add_current_usage().

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

quotas_service_code = 'cloudformation'¶

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'CloudFormation'¶

awslimitchecker.services.cloudtrail module¶

class awslimitchecker.services.cloudtrail._CloudTrailService(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.services.base._AwsService

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

__module__ = 'awslimitchecker.services.cloudtrail'¶

_find_usage_cloudtrail()[source]¶: Calculate current usage for CloudTrail related metrics

api_name = 'cloudtrail'¶

aws_type = 'AWS::CloudTrail::Trail'¶

find_usage()[source]¶: Determine the current usage for each limit of this service, and update corresponding Limit via _add_current_usage().

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'CloudTrail'¶

awslimitchecker.services.directoryservice module¶

class awslimitchecker.services.directoryservice._DirectoryserviceService(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.services.base._AwsService

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

__module__ = 'awslimitchecker.services.directoryservice'¶

_update_limits_from_api()[source]¶: Call the service’s API action to retrieve limit/quota information, and update AwsLimit objects in self.limits with this information.

api_name = 'ds'¶

find_usage()[source]¶: Determine the current usage for each limit of this service, and update corresponding Limit via _add_current_usage().

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'Directory Service'¶

awslimitchecker.services.dynamodb module¶

class awslimitchecker.services.dynamodb._DynamodbService(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.services.base._AwsService

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

__module__ = 'awslimitchecker.services.dynamodb'¶

_find_usage_dynamodb()[source]¶: calculates current usage for all DynamoDB limits

_update_limits_from_api()[source]¶: Query DynamoDB’s DescribeLimits API action, and update limits with the quotas returned. Updates self.limits.

api_name = 'dynamodb'¶

find_usage()[source]¶: Determine the current usage for each limit of this service, and update corresponding Limit via _add_current_usage().

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

quotas_service_code = 'dynamodb'¶

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'DynamoDB'¶

awslimitchecker.services.ebs module¶

class awslimitchecker.services.ebs._EbsService(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.services.base._AwsService

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

__module__ = 'awslimitchecker.services.ebs'¶

_find_usage_ebs()[source]¶: calculate usage for all EBS limits and update Limits

_find_usage_snapshots()[source]¶: find snapshot usage

_get_limits_ebs()[source]¶

Return a dict of EBS-related limits only. This method should only be used internally by :py:meth:~.get_limits`.

Return type:	dict

api_name = 'ec2'¶

find_usage()[source]¶: Determine the current usage for each limit of this service, and update corresponding Limit via _add_current_usage().

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

quotas_service_code = 'ebs'¶

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'EBS'¶

awslimitchecker.services.ebs.convert_TiB_to_GiB(value, in_unit, out_unit)[source]¶

awslimitchecker.services.ec2 module¶

class awslimitchecker.services.ec2._Ec2Service(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.services.base._AwsService

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

__module__ = 'awslimitchecker.services.ec2'¶

_find_usage_instances_nonvcpu()[source]¶: calculate On-Demand instance usage for all types and update Limits

_find_usage_instances_vcpu()[source]¶

_find_usage_networking_eips()[source]¶

_find_usage_networking_eni_sg()[source]¶

_find_usage_networking_sgs()[source]¶: calculate usage for VPC-related things

_find_usage_spot_fleets()[source]¶: calculate spot fleet request usage and update Limits

_find_usage_spot_instances()[source]¶: calculate spot instance request usage and update Limits

_get_limits_instances_nonvcpu()[source]¶

Return a dict of limits for EC2 instances only, for regions using non-vCPU-based (old-style) On Demand Instances limits. This method should only be used internally by :py:meth:~.get_limits`.

Return type:	dict

_get_limits_instances_vcpu()[source]¶

Return a dict of limits for EC2 instances only, for regions using vCPU-based (new-style) On Demand Instances limits. This method should only be used internally by :py:meth:~.get_limits`.

Return type:	dict

_get_limits_networking()[source]¶

Return a dict of VPC-related limits only. This method should only be used internally by :py:meth:~.get_limits`.

Return type:	dict

_get_limits_spot()[source]¶

Return a dict of limits for spot requests only. This method should only be used internally by :py:meth:~.get_limits`.

Return type:	dict

_get_reserved_instance_count()[source]¶

For each availability zone, get the count of current instance reservations of each instance type. Return as a nested dict of AZ name to dict of instance type to reservation count.

Return type:	dict

_instance_types()[source]¶

Return a list of all known EC2 instance types

Returns:	list of all valid known EC2 instance types
Return type:	list

_instance_usage()[source]¶

Find counts of currently-running EC2 Instances (On-Demand or Reserved) by placement (Availability Zone) and instance type (size). Return as a nested dict of AZ name to dict of instance type to count.

Return type:	dict

_instance_usage_vcpu(ris)[source]¶

Find counts of currently-running EC2 Instance vCPUs (On-Demand or Reserved) by instance family. Return as a dict of instance family letter to count.

Parameters:	ris (dict) – nested dict of reserved instances, as returned by `_get_reserved_instance_count()`
Return type:	dict

_update_limits_from_api()[source]¶: Query EC2’s DescribeAccountAttributes API action, and update limits with the quotas returned. Updates self.limits.

_use_vcpu_limits¶

Return whether or not to use the new vCPU-based limits.

Returns:	whether to use vCPU-based limits (True) or older per-instance-type limits (False)
Return type:	bool

api_name = 'ec2'¶

default_limit_name = 'Running On-Demand All Standard (A, C, D, H, I, M, R, T, Z) instances'¶: Name of default limit for all other (standard) instance families.

default_quota_name = 'Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances'¶: Name of default Service Quota for all other (standard) families.

find_usage()[source]¶: Determine the current usage for each limit of this service, and update corresponding Limit via _add_current_usage().

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

instance_family_to_limit_name = {'f': 'Running On-Demand All F instances', 'g': 'Running On-Demand All G instances', 'p': 'Running On-Demand All P instances', 'x': 'Running On-Demand All X instances'}¶: Mapping of lower-case instance family character (instance type first character) to limit name for that family.

instance_family_to_quota_name = {'f': 'Running On-Demand F instances', 'g': 'Running On-Demand G instances', 'p': 'Running On-Demand P instances', 'x': 'Running On-Demand X instances'}¶: Mapping of lower-case instance family character to Service Quotas quota name for that family.

no_quotas_types = ['c5d.12xlarge', 'c5d.24xlarge', 'c5d.metal', 'cc1.4xlarge', 'cg1.4xlarge', 'cr1.8xlarge', 'g4dn.metal', 'hi1.4xlarge', 'hs1.8xlarge', 'm5dn.metal', 'm5n.metal', 'r5dn.metal', 'r5n.metal', 'u-18tb1.metal', 'u-24tb1.metal']¶: List of instance types that aren’t exposed via Service Quotas

quotas_service_code = 'ec2'¶

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'EC2'¶

awslimitchecker.services.ecs module¶

class awslimitchecker.services.ecs._EcsService(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.services.base._AwsService

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

__module__ = 'awslimitchecker.services.ecs'¶

_find_usage_clusters()[source]¶: Find the ECS service usage for clusters. Calls _find_usage_one_cluster() for each cluster.

_find_usage_one_cluster(cluster_name)[source]¶

Find usage for services in each cluster.

Parameters:	cluster_name (str) – name of the cluster to find usage for

api_name = 'ecs'¶

find_usage()[source]¶

Determine the current usage for each limit of this service, and update corresponding Limit via _add_current_usage().

__NOTE__ that the “EC2 Tasks per Service (desired count)” limit uses non-standard resource IDs, as service names and ARNs aren’t unique by account or region, but only by cluster. i.e. the only way to uniquely identify an ECS Service is by the combination of service and cluster. As such, the resource_id field for usage values of the “EC2 Tasks per Service (desired count)” limit is a string of the form cluster=CLUSTER-NAME; service=SERVICE-NAME.

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'ECS'¶

awslimitchecker.services.efs module¶

class awslimitchecker.services.efs._EfsService(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.services.base._AwsService

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

__module__ = 'awslimitchecker.services.efs'¶

_find_usage_filesystems()[source]¶

api_name = 'efs'¶

find_usage()[source]¶: Determine the current usage for each limit of this service, and update corresponding Limit via _add_current_usage().

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

quotas_service_code = 'elasticfilesystem'¶

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'EFS'¶

awslimitchecker.services.elasticache module¶

class awslimitchecker.services.elasticache._ElastiCacheService(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.services.base._AwsService

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

__module__ = 'awslimitchecker.services.elasticache'¶

_find_usage_nodes()[source]¶: find usage for cache nodes

_find_usage_parameter_groups()[source]¶: find usage for elasticache parameter groups

_find_usage_security_groups()[source]¶: find usage for elasticache security groups

_find_usage_subnet_groups()[source]¶: find usage for elasticache subnet groups

api_name = 'elasticache'¶

find_usage()[source]¶: Determine the current usage for each limit of this service, and update corresponding Limit via _add_current_usage().

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'ElastiCache'¶

awslimitchecker.services.elasticbeanstalk module¶

class awslimitchecker.services.elasticbeanstalk._ElasticBeanstalkService(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.services.base._AwsService

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

__module__ = 'awslimitchecker.services.elasticbeanstalk'¶

_find_usage_application_versions()[source]¶: find usage for ElasticBeanstalk application verions

_find_usage_applications()[source]¶: find usage for ElasticBeanstalk applications

_find_usage_environments()[source]¶: find usage for ElasticBeanstalk environments

api_name = 'elasticbeanstalk'¶

find_usage()[source]¶: Determine the current usage for each limit of this service, and update corresponding Limit via _add_current_usage().

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'ElasticBeanstalk'¶

awslimitchecker.services.elb module¶

awslimitchecker.services.elb.ELBV2_MAX_RETRY_ATTEMPTS = 12¶: Override the elbv2 API maximum retry attempts

class awslimitchecker.services.elb._ElbService(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.services.base._AwsService

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

__module__ = 'awslimitchecker.services.elb'¶

_find_usage_elbv1()[source]¶

Find usage for ELBv1 / Classic ELB and update the appropriate limits.

Returns:	number of Classic ELBs in use
Return type:	int

_find_usage_elbv2()[source]¶

Find usage for ELBv2 / Application LB and update the appropriate limits.

Returns:	number of Application LBs in use
Return type:	int

_update_limits_from_api()[source]¶: Query ELB’s DescribeAccountLimits API action, and update limits with the quotas returned. Updates self.limits.

_update_usage_for_alb(conn, alb_arn, alb_name)[source]¶

Update usage for a single ALB.

Parameters:	conn (`ElasticLoadBalancing.Client`) – elbv2 API connection alb_arn (str) – Load Balancer ARN alb_name (str) – Load Balancer Name

_update_usage_for_nlb(conn, nlb_arn, nlb_name)[source]¶

Update usage for a single NLB.

Parameters:	conn (`ElasticLoadBalancing.Client`) – elbv2 API connection nlb_arn (str) – Load Balancer ARN nlb_name (str) – Load Balancer Name

api_name = 'elb'¶

find_usage()[source]¶: Determine the current usage for each limit of this service, and update corresponding Limit via _add_current_usage().

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

quotas_service_code = 'elasticloadbalancing'¶

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'ELB'¶

awslimitchecker.services.firehose module¶

class awslimitchecker.services.firehose._FirehoseService(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.services.base._AwsService

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

__module__ = 'awslimitchecker.services.firehose'¶

_find_delivery_streams()[source]¶

api_name = 'firehose'¶

find_usage()[source]¶: Determine the current usage for each limit of this service, and update corresponding Limit via _add_current_usage().

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

quotas_service_code = 'firehose'¶

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'Firehose'¶

awslimitchecker.services.iam module¶

class awslimitchecker.services.iam._IamService(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.services.base._AwsService

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

API_TO_LIMIT_NAME = {'Groups': 'Groups', 'InstanceProfiles': 'Instance profiles', 'Policies': 'Policies', 'PolicyVersionsInUse': 'Policy Versions In Use', 'Roles': 'Roles', 'ServerCertificates': 'Server certificates', 'Users': 'Users'}¶

__module__ = 'awslimitchecker.services.iam'¶

_update_limits_from_api()[source]¶: Call the service’s API action to retrieve limit/quota information, and update AwsLimit objects in self.limits with this information.

api_name = 'iam'¶

find_usage()[source]¶: Determine the current usage for each limit of this service, and update corresponding Limit via _add_current_usage().

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

quotas_service_code = 'iam'¶

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'IAM'¶

awslimitchecker.services.lambdafunc module¶

class awslimitchecker.services.lambdafunc._LambdaService(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.services.base._AwsService

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

__module__ = 'awslimitchecker.services.lambdafunc'¶

_construct_limits()[source]¶

_update_limits_from_api()[source]¶: Query Lambda’s DescribeLimits API action, and update limits with the quotas returned. Updates self.limits.

api_name = 'lambda'¶

find_usage()[source]¶: Determine the current usage for each limit of this service, and update corresponding Limit via _add_current_usage().

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'Lambda'¶

awslimitchecker.services.rds module¶

class awslimitchecker.services.rds._RDSService(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.services.base._AwsService

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

API_NAME_TO_LIMIT = {'AllocatedStorage': 'Storage quota (GB)', 'AuthorizationsPerDBSecurityGroup': 'Max auths per security group', 'DBClusterParameterGroups': 'DB Cluster Parameter Groups', 'DBClusters': 'DB Clusters', 'DBInstances': 'DB instances', 'DBParameterGroups': 'DB parameter groups', 'DBSecurityGroups': 'DB security groups', 'DBSubnetGroups': 'Subnet Groups', 'EventSubscriptions': 'Event Subscriptions', 'ManualSnapshots': 'DB snapshots per user', 'OptionGroups': 'Option Groups', 'ReadReplicasPerMaster': 'Read replicas per master', 'ReservedDBInstances': 'Reserved Instances', 'SubnetsPerDBSubnetGroup': 'Subnets per Subnet Group'}¶

__module__ = 'awslimitchecker.services.rds'¶

_find_usage_instances()[source]¶: find usage for DB Instances and related limits

_find_usage_security_groups()[source]¶: find usage for security groups

_find_usage_subnet_groups()[source]¶: find usage for subnet groups

_update_limits_from_api()[source]¶

Query RDS’s DescribeAccountAttributes API action, and update limits with the quotas returned. Updates self.limits.

We ignore the usage information from the API,

api_name = 'rds'¶

find_usage()[source]¶: Determine the current usage for each limit of this service, and update corresponding Limit via _add_current_usage().

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

quotas_service_code = 'rds'¶

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'RDS'¶

awslimitchecker.services.redshift module¶

class awslimitchecker.services.redshift._RedshiftService(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.services.base._AwsService

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

__module__ = 'awslimitchecker.services.redshift'¶

_find_cluster_manual_snapshots()[source]¶

_find_cluster_subnet_groups()[source]¶

api_name = 'redshift'¶

find_usage()[source]¶: Determine the current usage for each limit of this service, and update corresponding Limit via _add_current_usage().

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'Redshift'¶

awslimitchecker.services.route53 module¶

class awslimitchecker.services.route53._Route53Service(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.services.base._AwsService

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

MAX_RRSETS_BY_ZONE = {'default_limit': 10000, 'name': 'Record sets per hosted zone', 'type': 'MAX_RRSETS_BY_ZONE'}¶

MAX_VPCS_ASSOCIATED_BY_ZONE = {'default_limit': 100, 'name': 'VPC associations per hosted zone', 'type': 'MAX_VPCS_ASSOCIATED_BY_ZONE'}¶

__module__ = 'awslimitchecker.services.route53'¶

_find_limit_hosted_zone()[source]¶: Calculate the max recordsets and vpc associations and the current values per hosted zone

_get_hosted_zone_limit(limit_type, hosted_zone_id)[source]¶

Return a hosted zone limit [recordsets|vpc_associations]

Return type:	dict

_get_hosted_zones()[source]¶

Return all available hosted zones

Returns:	dict of hosted zones
Return type:	dict

_update_limits_from_api()[source]¶: Query Route53’s GetHostedZoneLimit API action, and update limits with the quotas returned. Updates self.limits.

api_name = 'route53'¶

find_usage()[source]¶: Determine the current usage for each limit of this service, and update corresponding Limit via _add_current_usage().

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

Limits from: docs.aws.amazon.com/Route53/latest/DeveloperGuide/DNSLimitations.html

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'Route53'¶

awslimitchecker.services.s3 module¶

class awslimitchecker.services.s3._S3Service(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.services.base._AwsService

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

__module__ = 'awslimitchecker.services.s3'¶

api_name = 's3'¶

find_usage()[source]¶: Determine the current usage for each limit of this service, and update corresponding Limit via _add_current_usage().

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'S3'¶

awslimitchecker.services.ses module¶

class awslimitchecker.services.ses._SesService(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.services.base._AwsService

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

__module__ = 'awslimitchecker.services.ses'¶

_update_limits_from_api()[source]¶: Call the service’s API action to retrieve limit/quota information, and update AwsLimit objects in self.limits with this information.

api_name = 'ses'¶

find_usage()[source]¶: Determine the current usage for each limit of this service, and update corresponding Limit via _add_current_usage().

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'SES'¶

awslimitchecker.services.vpc module¶

class awslimitchecker.services.vpc._VpcService(warning_threshold, critical_threshold, boto_connection_kwargs, quotas_client)[source]¶

Bases: awslimitchecker.services.base._AwsService

Describes an AWS service and its limits, and provides methods to query current utilization.

Constructors of _AwsService subclasses must not make any external connections; these must be made lazily as needed in other methods. _AwsService subclasses should be usable without any external network connections.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
boto_connection_kwargs (dict) – Dictionary of keyword arguments to pass to boto connection methods.
quotas_client (ServiceQuotasClient or None) – Instance of ServiceQuotasClient

__module__ = 'awslimitchecker.services.vpc'¶

_find_usage_ACLs()[source]¶: find usage for ACLs

_find_usage_gateways()[source]¶: find usage for Internet Gateways

_find_usage_nat_gateways(subnet_to_az)[source]¶

find usage for NAT Gateways

Parameters:	subnet_to_az (dict) – dict mapping subnet ID to AZ

_find_usage_network_interfaces()[source]¶: find usage of network interfaces

_find_usage_route_tables()[source]¶: find usage for route tables

_find_usage_subnets()[source]¶: find usage for Subnets; return dict of SubnetId to AZ

_find_usage_vpcs()[source]¶: find usage for VPCs

_find_usages_vpn_gateways()[source]¶: find usage of vpn gateways

_update_limits_from_api()[source]¶

Query EC2’s DescribeAccountAttributes API action and update the network interface limit, as needed. Updates self.limits.

More info on the network interface limit, from the docs: ‘This limit is the greater of either the default limit (350) or your On-Demand Instance limit multiplied by 5. The default limit for On-Demand Instances is 20.’

api_name = 'ec2'¶

find_usage()[source]¶: Determine the current usage for each limit of this service, and update corresponding Limit via _add_current_usage().

get_limits()[source]¶

Return all known limits for this service, as a dict of their names to AwsLimit objects.

Returns:	dict of limit names to `AwsLimit` objects
Return type:	dict

quotas_service_code = 'vpc'¶

required_iam_permissions()[source]¶

Return a list of IAM Actions required for this Service to function properly. All Actions will be shown with an Effect of “Allow” and a Resource of “*”.

Returns:	list of IAM Action strings
Return type:	list

service_name = 'VPC'¶

Submodules¶

awslimitchecker.checker module¶

class awslimitchecker.checker.AwsLimitChecker(warning_threshold=80, critical_threshold=99, profile_name=None, account_id=None, account_role=None, role_partition='aws', region=None, external_id=None, mfa_serial_number=None, mfa_token=None, ta_refresh_mode=None, ta_refresh_timeout=None, ta_api_region='us-east-1', check_version=True, skip_quotas=False)[source]¶

Bases: object

Main AwsLimitChecker class - this should be the only externally-used portion of awslimitchecker.

Constructor builds self.services as a dict of service_name (str) to _AwsService instance, and sets limit thresholds.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
account_role (str) – the name of an IAM Role (in the destination account) to assume
region (str) – AWS region name to connect to
role_partition (str) – AWS role partition for the account_role to connect via STS
external_id (str) – (optional) the External ID string to use when assuming a role via STS.
mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
ta_refresh_mode (str or int or None) – How to handle refreshing Trusted Advisor checks; this is either None (do not refresh at all), the string “wait” (trigger refresh of all limit-related checks and wait for the refresh to complete), the string “trigger” (trigger refresh of all limit-related checks but do not wait for the refresh to complete), or an integer, which causes any limit-related checks more than this number of seconds old to be refreshed, waiting for the refresh to complete. Note that “trigger” will likely result in the current run getting stale data, but the check being refreshed in time for the next run.
ta_refresh_timeout (int or None) – If ta_refresh_mode is “wait” or an integer (any mode that will wait for the refresh to complete), if this parameter is not None, only wait up to this number of seconds for the refresh to finish before continuing on anyway.
ta_api_region (str) – The AWS region used for calls to the TrustedAdvisor API. This is always us-east-1 for non GovCloud accounts.
check_version (bool) – Whether or not to check for latest version of awslimitchecker on PyPI during instantiation.
skip_quotas (bool) – If set to True, do not connect to Service Quotas service or use it to obtain current limits.

__dict__ = mappingproxy({'__module__': 'awslimitchecker.checker', '__init__': <function AwsLimitChecker.__init__>, '_check_python_version': <function AwsLimitChecker._check_python_version>, '_boto_conn_kwargs': <property object>, 'get_version': <function AwsLimitChecker.get_version>, 'get_project_url': <function AwsLimitChecker.get_project_url>, 'remove_services': <function AwsLimitChecker.remove_services>, 'get_limits': <function AwsLimitChecker.get_limits>, 'get_service_names': <function AwsLimitChecker.get_service_names>, '_get_sts_token': <function AwsLimitChecker._get_sts_token>, 'find_usage': <function AwsLimitChecker.find_usage>, 'set_limit_overrides': <function AwsLimitChecker.set_limit_overrides>, 'set_limit_override': <function AwsLimitChecker.set_limit_override>, 'set_threshold_overrides': <function AwsLimitChecker.set_threshold_overrides>, 'set_threshold_override': <function AwsLimitChecker.set_threshold_override>, 'check_thresholds': <function AwsLimitChecker.check_thresholds>, 'get_required_iam_policy': <function AwsLimitChecker.get_required_iam_policy>, 'region_name': <property object>, '__dict__': <attribute '__dict__' of 'AwsLimitChecker' objects>, '__weakref__': <attribute '__weakref__' of 'AwsLimitChecker' objects>, '__doc__': None})¶

__init__(warning_threshold=80, critical_threshold=99, profile_name=None, account_id=None, account_role=None, role_partition='aws', region=None, external_id=None, mfa_serial_number=None, mfa_token=None, ta_refresh_mode=None, ta_refresh_timeout=None, ta_api_region='us-east-1', check_version=True, skip_quotas=False)[source]¶

Main AwsLimitChecker class - this should be the only externally-used portion of awslimitchecker.

Constructor builds self.services as a dict of service_name (str) to _AwsService instance, and sets limit thresholds.

Parameters:

warning_threshold (int) – the default warning threshold, as an integer percentage, for any limits without a specifically-set threshold.
critical_threshold (int) – the default critical threshold, as an integer percentage, for any limits without a specifically-set threshold.
profile_name (str) –
The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
account_id (str) –
AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
account_role (str) –
the name of an IAM Role (in the destination account) to assume
region (str) – AWS region name to connect to
role_partition (str) –
AWS role partition for the account_role to connect via STS
external_id (str) –
(optional) the External ID string to use when assuming a role via STS.
mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
ta_refresh_mode (str or int or None) – How to handle refreshing Trusted Advisor checks; this is either None (do not refresh at all), the string “wait” (trigger refresh of all limit-related checks and wait for the refresh to complete), the string “trigger” (trigger refresh of all limit-related checks but do not wait for the refresh to complete), or an integer, which causes any limit-related checks more than this number of seconds old to be refreshed, waiting for the refresh to complete. Note that “trigger” will likely result in the current run getting stale data, but the check being refreshed in time for the next run.
ta_refresh_timeout (int or None) – If ta_refresh_mode is “wait” or an integer (any mode that will wait for the refresh to complete), if this parameter is not None, only wait up to this number of seconds for the refresh to finish before continuing on anyway.
ta_api_region (str) – The AWS region used for calls to the TrustedAdvisor API. This is always us-east-1 for non GovCloud accounts.
check_version (bool) – Whether or not to check for latest version of awslimitchecker on PyPI during instantiation.
skip_quotas (bool) – If set to True, do not connect to Service Quotas service or use it to obtain current limits.

__module__ = 'awslimitchecker.checker'¶

__weakref__¶: list of weak references to the object (if defined)

_boto_conn_kwargs¶

Generate keyword arguments for boto3 connection functions.

If self.account_id is defined, this will call _get_sts_token() to get STS token credentials using boto3.STS.Client.assume_role and include those credentials in the return value.

If self.profile_name is defined, this will call boto3.Session() <http://boto3.readthedocs.io/en/latest/reference/core/session.html> with that profile and include those credentials in the return value.

Returns:	keyword arguments for boto3 connection functions
Return type:	dict

_check_python_version()[source]¶: Check that we are running under a supported Python version, and emit a warning otherwise.

_get_sts_token()[source]¶

Assume a role via STS and return the credentials.

First connect to STS via boto3.client(), then assume a role using boto3.STS.Client.assume_role using self.account_id and self.account_role (and optionally self.external_id, self.mfa_serial_number, self.mfa_token). Return the resulting ConnectableCredentials object.

Returns:	STS assumed role credentials
Return type:	`ConnectableCredentials`

check_thresholds(service=None, use_ta=True)[source]¶

Check all limits and current usage against their specified thresholds; return all AwsLimit instances that have crossed one or more of their thresholds.

If service is specified, the returned dict has one element, the service name, whose value is a nested dict as described below; otherwise it includes all known services.

The returned AwsLimit objects can be interrogated for their limits (get_limit()) as well as the details of usage that crossed the thresholds (get_warnings() and get_criticals()).

See AwsLimit.check_thresholds().

Parameters:	service (list) – the name(s) of one or more service(s) to return results for use_ta (bool) – check Trusted Advisor for information on limits
Returns:	dict of service name (string) to nested dict of limit name (string) to limit (`AwsLimit`)
Return type:	dict

find_usage(service=None, use_ta=True)[source]¶

For each limit in the specified service (or all services if service is None), query the AWS API via boto3 and find the current usage amounts for that limit.

This method updates the current_usage attribute of the AwsLimit objects for each service, which can then be queried using get_limits().

Parameters:	service (`None`, or `list` service names to get) – list of `_AwsService` name(s), or `None` to check all services. use_ta (bool) – check Trusted Advisor for information on limits

get_limits(service=None, use_ta=True)[source]¶

Return all AwsLimit objects for the given service name, or for all services if service is None.

If service is specified, the returned dict has one element, the service name, whose value is a nested dict as described below.

Parameters:	service (list) – the name(s) of one or more services to return limits for use_ta (bool) – check Trusted Advisor for information on limits
Returns:	dict of service name (string) to nested dict of limit name (string) to limit (`AwsLimit`)
Return type:	dict

get_project_url()[source]¶

Return the URL for the awslimitchecker project.

Returns:	URL of where to find awslimitchecker
Return type:	str

get_required_iam_policy()[source]¶

Return an IAM policy granting all of the permissions needed for awslimitchecker to fully function. This returns a dict suitable for json serialization to a valid IAM policy.

Internally, this calls required_iam_permissions() on each _AwsService instance.

Returns:	dict representation of IAM Policy
Return type:	dict

get_service_names()[source]¶

Return a list of all known service names

Returns:	list of service names
Return type:	list

get_version()[source]¶

Return the version of awslimitchecker currently running.

Returns:	current awslimitchecker version
Return type:	str

region_name¶

Return the name of the AWS region that we’re checking.

Returns:	AWS region name
Return type:	str

remove_services(services_to_remove=[])[source]¶

Remove all service names specified in services_to_remove from self.services. This allows explicitly removing certain services from ever being checked or otherwise handled.

By default, the various methods that work on Services (i.e. get_limits(), find_usage() and check_thresholds()) operate on either all known services, or one specified service name at a time. This method allows you to remove one or more problematic or undesirable services from the dict of all services, and then operate on the remaining ones.

Parameters:	services_to_remove – the name(s) of one or more services to permanently exclude from future calls to this instance

set_limit_override(service_name, limit_name, value, override_ta=True)[source]¶

Set a manual override on an AWS service limits, i.e. if you had limits increased by AWS support.

This method calls _AwsService.set_limit_override() on the corresponding _AwsService instance.

Explicitly set limit overrides using this method will take precedence over default limits. They will also take precedence over limit information obtained via Trusted Advisor, unless override_ta is set to False.

Parameters:	service_name (str) – the name of the service to override limit for limit_name (str) – the name of the limit to override: value (int) – the new (overridden) limit value) override_ta (bool) – whether or not to use this value even if Trusted Advisor supplies limit information
Raises:	`ValueError` if limit_name is not known to the service instance

set_limit_overrides(override_dict, override_ta=True)[source]¶

Set manual overrides on AWS service limits, i.e. if you had limits increased by AWS support. This takes a dict in the same form as that returned by get_limits(), i.e. service_name (str) keys to nested dict of limit_name (str) to limit value (int) like:

{
    'EC2': {
      'Running On-Demand t2.micro Instances': 1000,
      'Running On-Demand r3.4xlarge Instances': 1000,
    }
}

Internally, for each limit override for each service in override_dict, this method calls _AwsService.set_limit_override() on the corresponding _AwsService instance.

Explicitly set limit overrides using this method will take precedence over default limits. They will also take precedence over limit information obtained via Trusted Advisor, unless override_ta is set to False.

Parameters:	override_dict (dict) – dict of overrides to default limits override_ta (bool) – whether or not to use this value even if Trusted Advisor supplies limit information
Raises:	`ValueError` if limit_name is not known to the service instance

set_threshold_override(service_name, limit_name, warn_percent=None, warn_count=None, crit_percent=None, crit_count=None)[source]¶

Set a manual override on the threshold (used for determining warning/critical status) for a specific limit. See AwsLimitChecker for information on Warning and Critical thresholds.

See AwsLimit.set_threshold_override().

Parameters:

service_name (str) – the name of the service to override limit for
limit_name (str) – the name of the limit to override:
warn_percent (int) – new warning threshold, percentage used
warn_count (int) – new warning threshold, actual count/number
crit_percent (int) – new critical threshold, percentage used
crit_count (int) – new critical threshold, actual count/number

set_threshold_overrides(override_dict)[source]¶

Set manual overrides on the threshold (used for determining warning/critical status) a dict of limits. See AwsLimitChecker for information on Warning and Critical thresholds.

Dict is composed of service name keys (string) to dict of limit names (string), to dict of threshold specifications. Each threhold specification dict can contain keys ‘warning’ or ‘critical’, each having a value of a dict containing keys ‘percent’ or ‘count’, to an integer value.

Example:

{
    'EC2': {
        'SomeLimit': {
            'warning': {
                'percent': 80,
                'count': 8,
            },
            'critical': {
                'percent': 90,
                'count': 9,
            }
        }
    }
}

See AwsLimit.set_threshold_override().

Parameters:	override_dict (dict) – nested dict of threshold overrides

awslimitchecker.connectable module¶

class awslimitchecker.connectable.Connectable[source]¶

Bases: object

Mix-in helper class for connecting to AWS APIs. Centralizes logic of connecting via regions and/or STS.

__dict__ = mappingproxy({'__module__': 'awslimitchecker.connectable', '__doc__': '\n Mix-in helper class for connecting to AWS APIs. Centralizes logic of\n connecting via regions and/or STS.\n ', '_max_retries_config': <property object>, 'connect': <function Connectable.connect>, 'connect_resource': <function Connectable.connect_resource>, '__dict__': <attribute '__dict__' of 'Connectable' objects>, '__weakref__': <attribute '__weakref__' of 'Connectable' objects>})¶

__module__ = 'awslimitchecker.connectable'¶

__weakref__¶: list of weak references to the object (if defined)

_max_retries_config¶

If a BOTO_MAX_RETRIES_<self.api_name> environment variable is set, return a new botocore.config.Config instance using that number as the retries max_attempts value.

Return type:	`botocore.config.Config` or None

connect()[source]¶

Connect to an AWS API via boto3 low-level client and set self.conn to the boto3.client object (a botocore.client.* instance). If self.conn is not None, do nothing. This connects to the API name given by self.api_name.

Returns:	None

connect_resource()[source]¶

Connect to an AWS API via boto3 high-level resource connection and set self.resource_conn to the boto3.resource object (a boto3.resources.factory.*.ServiceResource instance). If self.resource_conn is not None, do nothing. This connects to the API name given by self.api_name.

Returns:	None

class awslimitchecker.connectable.ConnectableCredentials(creds_dict)[source]¶

Bases: object

boto’s (2.x) boto.sts.STSConnection.assume_role() returns a boto.sts.credentials.Credentials object, but boto3’s boto3.sts.STSConnection.assume_role just returns a dict. This class provides a compatible interface for boto3.

We also maintain an account_id attribute that can be set to the account ID, to ensure that credentials are updated when switching accounts.

__dict__ = mappingproxy({'__module__': 'awslimitchecker.connectable', '__doc__': "\n boto's (2.x) :py:meth:`boto.sts.STSConnection.assume_role` returns a\n :py:class:`boto.sts.credentials.Credentials` object, but boto3's\n `boto3.sts.STSConnection.assume_role <https://boto3.readthedocs.org/en/\n latest/reference/services/sts.html#STS.Client.assume_role>`_ just returns\n a dict. This class provides a compatible interface for boto3.\n\n We also maintain an ``account_id`` attribute that can be set to the\n account ID, to ensure that credentials are updated when switching accounts.\n ", '__init__': <function ConnectableCredentials.__init__>, '__dict__': <attribute '__dict__' of 'ConnectableCredentials' objects>, '__weakref__': <attribute '__weakref__' of 'ConnectableCredentials' objects>})¶

__init__(creds_dict)[source]¶: Initialize self. See help(type(self)) for accurate signature.

__module__ = 'awslimitchecker.connectable'¶

__weakref__¶: list of weak references to the object (if defined)

awslimitchecker.limit module¶

class awslimitchecker.limit.AwsLimit(name, service, default_limit, def_warning_threshold, def_critical_threshold, limit_type=None, limit_subtype=None, ta_service_name=None, ta_limit_name=None, quotas_service_code=None, quotas_name=None, quotas_unit='None', quotas_unit_converter=None)[source]¶

Bases: object

Describes one specific AWS service limit, as well as its current utilization, default limit, thresholds, and any Trusted Advisor information about this limit.

Parameters:

name (str) – the name of this limit (may contain spaces); if possible, this should be the name used by AWS, i.e. TrustedAdvisor
service (_AwsService) – the _AwsService class that this limit is for
default_limit (int, or None if unlimited) – the default value of this limit for new accounts
def_warning_threshold (int) – the default warning threshold, as an integer percentage.
def_critical_threshold (int) – the default critical threshold, as an integer percentage.
limit_type – the type of resource this limit describes, specified as one of the type names used in CloudFormation # noqa such as “AWS::EC2::Instance” or “AWS::RDS::DBSubnetGroup”.
limit_subtype (str) – resource sub-type for this limit, if applicable, such as “t2.micro” or “SecurityGroup”
ta_service_name (str) – The service name returned by Trusted Advisor for this limit, if different from the name of service
ta_limit_name (str) – The limit name returned by Trusted Advisor for this limit, if different from name.
quotas_service_code (str or None) – the Service Quotas service code to retrieve this limit from, if different from the quotas_service_code attribute of service.
quotas_name (str or None) – the Service Quotas quota name to use for this limit, if different from the limit name.
quotas_unit (str) – the Service Quotas quota unit that we need our limit value to be, for quotas that use units. This must be one of the units supported by ServiceQuotasClient. It defaults to the string “None”, which (for some strange reason) is what’s returned by the Service Quotas API.
quotas_unit_converter (callable) – A callable to be passed to get_quota_value() for unit conversion. Must take three positional arguments: the Service Quotas value for this quota (float), the quota Unit str, and the return value of quotas_unit(). This callable is responsible for converting the quota value from the quota Unit to this class’s expected unit. If they cannot be converted, it should log an error and return None.

Raises:

ValueError

__dict__ = mappingproxy({'__module__': 'awslimitchecker.limit', '__init__': <function AwsLimit.__init__>, 'set_limit_override': <function AwsLimit.set_limit_override>, '_set_ta_limit': <function AwsLimit._set_ta_limit>, '_set_ta_unlimited': <function AwsLimit._set_ta_unlimited>, '_set_api_limit': <function AwsLimit._set_api_limit>, '_set_quotas_limit': <function AwsLimit._set_quotas_limit>, 'get_limit_source': <function AwsLimit.get_limit_source>, 'get_limit': <function AwsLimit.get_limit>, 'has_resource_limits': <function AwsLimit.has_resource_limits>, 'get_current_usage': <function AwsLimit.get_current_usage>, 'get_current_usage_str': <function AwsLimit.get_current_usage_str>, '_add_current_usage': <function AwsLimit._add_current_usage>, '_reset_usage': <function AwsLimit._reset_usage>, '_get_thresholds': <function AwsLimit._get_thresholds>, 'set_threshold_override': <function AwsLimit.set_threshold_override>, 'check_thresholds': <function AwsLimit.check_thresholds>, 'get_warnings': <function AwsLimit.get_warnings>, 'get_criticals': <function AwsLimit.get_criticals>, 'ta_service_name': <property object>, 'ta_limit_name': <property object>, 'quotas_service_code': <property object>, 'quota_name': <property object>, 'quotas_unit': <property object>, '__dict__': <attribute '__dict__' of 'AwsLimit' objects>, '__weakref__': <attribute '__weakref__' of 'AwsLimit' objects>, '__doc__': None})¶

__init__(name, service, default_limit, def_warning_threshold, def_critical_threshold, limit_type=None, limit_subtype=None, ta_service_name=None, ta_limit_name=None, quotas_service_code=None, quotas_name=None, quotas_unit='None', quotas_unit_converter=None)[source]¶

Describes one specific AWS service limit, as well as its current utilization, default limit, thresholds, and any Trusted Advisor information about this limit.

Parameters:

name (str) – the name of this limit (may contain spaces); if possible, this should be the name used by AWS, i.e. TrustedAdvisor
service (_AwsService) – the _AwsService class that this limit is for
default_limit (int, or None if unlimited) – the default value of this limit for new accounts
def_warning_threshold (int) – the default warning threshold, as an integer percentage.
def_critical_threshold (int) – the default critical threshold, as an integer percentage.
limit_type –
the type of resource this limit describes, specified as one of the type names used in CloudFormation # noqa such as “AWS::EC2::Instance” or “AWS::RDS::DBSubnetGroup”.
limit_subtype (str) – resource sub-type for this limit, if applicable, such as “t2.micro” or “SecurityGroup”
ta_service_name (str) – The service name returned by Trusted Advisor for this limit, if different from the name of service
ta_limit_name (str) – The limit name returned by Trusted Advisor for this limit, if different from name.
quotas_service_code (str or None) – the Service Quotas service code to retrieve this limit from, if different from the quotas_service_code attribute of service.
quotas_name (str or None) – the Service Quotas quota name to use for this limit, if different from the limit name.
quotas_unit (str) – the Service Quotas quota unit that we need our limit value to be, for quotas that use units. This must be one of the units supported by ServiceQuotasClient. It defaults to the string “None”, which (for some strange reason) is what’s returned by the Service Quotas API.
quotas_unit_converter (callable) – A callable to be passed to get_quota_value() for unit conversion. Must take three positional arguments: the Service Quotas value for this quota (float), the quota Unit str, and the return value of quotas_unit(). This callable is responsible for converting the quota value from the quota Unit to this class’s expected unit. If they cannot be converted, it should log an error and return None.

Raises:

ValueError

__module__ = 'awslimitchecker.limit'¶

__weakref__¶: list of weak references to the object (if defined)

_add_current_usage(value, maximum=None, resource_id=None, aws_type=None)[source]¶

Add a new current usage value for this limit.

Creates a new AwsLimitUsage instance and appends it to the internal list. If more than one usage value is given to this service, they should have id and aws_type set.

This method should only be called from the _AwsService instance that created and manages this Limit.

Parameters:	value (`int` or `float`) – the numeric usage value resource_id (str) – If there can be multiple usage values for one limit, an AWS ID for the resource this instance describes aws_type (str) – if `id` is not None, the AWS resource type that ID represents. As a convention, we use the AWS Resource Type names used by CloudFormation # noqa

_get_thresholds()[source]¶

Get the warning and critical thresholds for this Limit.

Return type is a 4-tuple of:

warning integer (usage) threshold, or None
warning percent threshold
critical integer (usage) threshold, or None
critical percent threshold

Return type:	tuple

_reset_usage()[source]¶: Discard all current usage data.

_set_api_limit(limit_value)[source]¶

Set the value for the limit as reported by the service’s API.

This method should only be called from the Service class.

Parameters:	limit_value (int) – the API limit value

_set_quotas_limit(limit_value)[source]¶

Set the value for the limit as reported by the Service Quotas service.

This method should only be called from the Service class.

Parameters:	limit_value (float) – the Service Quotas limit value

_set_ta_limit(limit_value)[source]¶

Set the value for the limit as reported by Trusted Advisor.

This method should only be called by TrustedAdvisor.

Parameters:	limit_value (int) – the Trusted Advisor limit value

_set_ta_unlimited()[source]¶

Set state to indicate that TrustedAdvisor reports this limit as having no maximum (unlimited).

This method should only be called by TrustedAdvisor.

check_thresholds()[source]¶

Check this limit’s current usage against the specified default thresholds, and any custom theresholds that have been set on the class instance. Return True if usage is within thresholds, or false if warning or critical thresholds have been surpassed.

This method sets internal variables in this instance which can be queried via get_warnings() and get_criticals() to obtain further details about the thresholds that were crossed.

Note This function returns False if any thresholds were crossed. Please be aware of this when setting threshold overrides to suppress alerts. Each threshold (warn_percent, warn_count, crit_percent, crit_count) that has been set is evaluated individually and the result appended to a list of warnings or criticals, respectively. If any of these evaluations failed, the method returns False.

Returns:	False if any thresholds were crossed, True otherwise
Return type:	bool

get_criticals()[source]¶

Return a list of AwsLimitUsage instances that crossed the critical threshold. These objects are comparable and can be sorted.

Return type:	list

get_current_usage()[source]¶

Get the current usage for this limit, as a list of AwsLimitUsage instances.

Returns:	list of current usage values
Return type:	`list` of `AwsLimitUsage`

get_current_usage_str()[source]¶

Get the a string describing the current usage for this limit.

If no usage has been added for this limit, the result will be “<unknown>”.

If the limit has only one current usage instance, this will be that instance’s __str__() value.

If the limit has more than one current usage instance, this will be the a string of the form max: X (Y) where X is the __str__() value of the instance with the maximum value, and Y is a comma-separated list of the __str__() values of all usage instances in ascending order.

Returns:	representation of current usage
Return type:	str

get_limit()[source]¶

Returns the effective limit value for this Limit, taking into account limit overrides and Trusted Advisor data. None is returned for limits that are explicitly unlimited.

Returns:	effective limit value, `int` or `None`

get_limit_source()[source]¶

Return SOURCE_DEFAULT if get_limit() returns the default limit, SOURCE_OVERRIDE if it returns a manually-overridden limit, SOURCE_TA if it returns a limit from Trusted Advisor, SOURCE_API if it returns a limit retrieved from the service’s API, or SOURCE_QUOTAS if it returns a limit from the Service Quotas service.

Returns:	one of `SOURCE_DEFAULT`, `SOURCE_OVERRIDE`, or `SOURCE_TA`, or `SOURCE_API`, or `SOURCE_QUOTAS`
Return type:	int

get_warnings()[source]¶

Return a list of AwsLimitUsage instances that crossed the warning threshold. These objects are comparable and can be sorted.

Return type:	list

has_resource_limits()[source]¶

Determines if this limit contains usages with a specified maximum. Some AWS resources have a limit that is a different for each item.

Returns:	whether of not some resources have a defined maximum
Return type:	bool

quota_name¶

Return the Service Quotas quota name to use for this limit.

Returns:	Service Quotas quota name
Return type:	str

quotas_service_code¶

Return the Service Quotas service code to use for this limit.

Returns:	Service Quotas service code
Return type:	str

quotas_unit¶

Return the Service Quotas unit to use for this limit.

Returns:	Service Quotas unit
Return type:	str

set_limit_override(limit_value, override_ta=True)[source]¶

Set a new value for this limit, to override the default (such as when AWS Support has increased a limit of yours). If override_ta is True, this value will also supersede any found through Trusted Advisor.

Parameters:	limit_value (int) – the new limit value override_ta (bool) – whether or not to also override Trusted Advisor information

set_threshold_override(warn_percent=None, warn_count=None, crit_percent=None, crit_count=None)[source]¶

Override the default warning and critical thresholds used to evaluate this limit’s usage. Theresholds can be specified as a percentage of the limit, or as a usage count, or both.

Note: The percent thresholds (warn_percent and crit_percent) have default values that are set globally for awslimitchecker, unlike the count thresholds. When setting threshold overrides to quiet or suppress alerts for a limit, you must set the percent thresholds. If you only set overrides for the count thresholds, the percent thresholds will continue to be evaluated at their awslimitchecker-wide default, and likely prevent alerts from being suppressed.

see check_thresholds() for further information on threshold evaluation.

Parameters:	warn_percent (int) – new warning threshold, percentage used warn_count (int) – new warning threshold, actual count/number crit_percent (int) – new critical threshold, percentage used crit_count (int) – new critical threshold, actual count/number

ta_limit_name¶

Return the effective Trusted Advisor limit name that this limit’s data will have. This should be self._ta_limit_name if set, otherwise self.name.

Returns:	Trusted Advisor limit data name
Return type:	str

ta_service_name¶

Return the effective Trusted Advisor service name that this limit’s data will have. This should be self._ta_service_name if set, otherwise the name of self.service.

Returns:	Trusted Advisor service data name
Return type:	str

class awslimitchecker.limit.AwsLimitUsage(limit, value, maximum=None, resource_id=None, aws_type=None)[source]¶

Bases: object

This object describes the usage of an AWS resource, with the capability of containing information about the resource beyond an integer usage.

The simplest case is an account- / region-wide count, such as the number of running EC2 Instances, in which case a simple integer value is sufficient. In this case, the AwsLimit would have one instance of this class for the single value.

In more complex cases, such as the “Subnets per VPC”, the limit is applied by AWS on multiple resources (once per VPC). In this case, the AwsLimit should have one instance of this class per VPC, so we can determine which VPCs have crossed thresholds.

AwsLimitUsage objects are comparable based on their numeric value.

Parameters:

limit (AwsLimit) – the AwsLimit that this instance describes
value (int or float) – the numeric usage value
maximum (int or float) – the numeric maximum value
resource_id (str) – If there can be multiple usage values for one limit, an AWS ID for the resource this instance describes
aws_type (str) –
if id is not None, the AWS resource type that ID represents. As a convention, we use the AWS Resource Type names used by CloudFormation # noqa

__dict__ = mappingproxy({'__module__': 'awslimitchecker.limit', '__init__': <function AwsLimitUsage.__init__>, 'get_value': <function AwsLimitUsage.get_value>, 'get_maximum': <function AwsLimitUsage.get_maximum>, '__str__': <function AwsLimitUsage.__str__>, '__eq__': <function AwsLimitUsage.__eq__>, '__ne__': <function AwsLimitUsage.__ne__>, '__gt__': <function AwsLimitUsage.__gt__>, '__lt__': <function AwsLimitUsage.__lt__>, '__ge__': <function AwsLimitUsage.__ge__>, '__dict__': <attribute '__dict__' of 'AwsLimitUsage' objects>, '__weakref__': <attribute '__weakref__' of 'AwsLimitUsage' objects>, '__doc__': None, '__hash__': None})¶

__eq__(other)[source]¶: Return self==value.

__ge__(other)[source]¶: Return self>=value.

__gt__(other)[source]¶: Return self>value.

__hash__ = None¶

__init__(limit, value, maximum=None, resource_id=None, aws_type=None)[source]¶

This object describes the usage of an AWS resource, with the capability of containing information about the resource beyond an integer usage.

The simplest case is an account- / region-wide count, such as the number of running EC2 Instances, in which case a simple integer value is sufficient. In this case, the AwsLimit would have one instance of this class for the single value.

In more complex cases, such as the “Subnets per VPC”, the limit is applied by AWS on multiple resources (once per VPC). In this case, the AwsLimit should have one instance of this class per VPC, so we can determine which VPCs have crossed thresholds.

AwsLimitUsage objects are comparable based on their numeric value.

Parameters:

limit (AwsLimit) – the AwsLimit that this instance describes
value (int or float) – the numeric usage value
maximum (int or float) – the numeric maximum value
resource_id (str) – If there can be multiple usage values for one limit, an AWS ID for the resource this instance describes
aws_type (str) –
if id is not None, the AWS resource type that ID represents. As a convention, we use the AWS Resource Type names used by CloudFormation # noqa

__lt__(other)[source]¶: Return self<value.

__module__ = 'awslimitchecker.limit'¶

__ne__(other)[source]¶: Return self!=value.

__str__()[source]¶

Return a string representation of this object.

If id is not set, return value formatted as a string; otherwise, return a string of the format id=value.

Return type:	str

__weakref__¶: list of weak references to the object (if defined)

get_maximum()[source]¶

Get the current maximum value

Returns:	current maximum value
Return type:	`int` or `float`

get_value()[source]¶

Get the current usage value

Returns:	current usage value
Return type:	`int` or `float`

awslimitchecker.limit.SOURCE_API = 3¶: indicates a limit value that came from the service’s API

awslimitchecker.limit.SOURCE_DEFAULT = 0¶: indicates a limit value that came from hard-coded defaults in awslimitchecker

awslimitchecker.limit.SOURCE_OVERRIDE = 1¶: indicates a limit value that came from user-defined limit overrides

awslimitchecker.limit.SOURCE_QUOTAS = 4¶: indicates a limit value that came from the Service Quotas service

awslimitchecker.limit.SOURCE_TA = 2¶: indicates a limit value that came from Trusted Advisor

awslimitchecker.quotas module¶

class awslimitchecker.quotas.ServiceQuotasClient(boto_connection_kwargs)[source]¶

Bases: awslimitchecker.connectable.Connectable

Client for the AWS Service Quotas service, that manages retrieving quotas information and updating AwsLimit instances for them. This class is also intended to cache Service Quotas responses.

Parameters:	boto_connection_kwargs (dict) – keyword arguments to pass to boto3 connection methods.

__init__(boto_connection_kwargs)[source]¶

Client for the AWS Service Quotas service, that manages retrieving quotas information and updating AwsLimit instances for them. This class is also intended to cache Service Quotas responses.

Parameters:	boto_connection_kwargs (dict) – keyword arguments to pass to boto3 connection methods.

__module__ = 'awslimitchecker.quotas'¶

api_name = 'service-quotas'¶

get_quota_value(service_code, quota_name, units='None', converter=None)[source]¶

Return a given quota value, or None if it cannot be found. If units is a value other than None, attempt to convert the value to the specified units.

Parameters:	service_code (str) – the service code to get a quota from quota_name (str) – the quota name to get units (str) – the units for the value, or the string “None” converter (`callable`) – A callable for unit conversion. Must take three positional arguments: the Service Quotas value for this quota (float), the quota `Unit` str, and the return value of `quotas_unit()`. This callable is responsible for converting the quota value from the quota Unit to this class’s expected unit. If they cannot be converted, it should log an error and return None.
Returns:	the quota value
Return type:	float or None

quotas_for_service(service_code)[source]¶

Return this account’s current quotas for the specified service code. Also cache them on this class instance.

Parameters:	service_code (str) – the service code to get quotas for
Returns:	QuotaName to dictionary of quota information returned by the service
Return type:	dict

awslimitchecker.runner module¶

class awslimitchecker.runner.Runner[source]¶

Bases: object

__dict__ = mappingproxy({'__module__': 'awslimitchecker.runner', '__init__': <function Runner.__init__>, 'parse_args': <function Runner.parse_args>, 'list_services': <function Runner.list_services>, 'list_limits': <function Runner.list_limits>, 'list_defaults': <function Runner.list_defaults>, 'iam_policy': <function Runner.iam_policy>, 'show_usage': <function Runner.show_usage>, 'check_thresholds': <function Runner.check_thresholds>, 'set_limit_overrides': <function Runner.set_limit_overrides>, 'load_json': <function Runner.load_json>, 'set_limit_overrides_from_json': <function Runner.set_limit_overrides_from_json>, 'set_threshold_overrides_from_json': <function Runner.set_threshold_overrides_from_json>, 'console_entry_point': <function Runner.console_entry_point>, '__dict__': <attribute '__dict__' of 'Runner' objects>, '__weakref__': <attribute '__weakref__' of 'Runner' objects>, '__doc__': None})¶

__init__()[source]¶: Initialize self. See help(type(self)) for accurate signature.

__module__ = 'awslimitchecker.runner'¶

__weakref__¶: list of weak references to the object (if defined)

check_thresholds(metrics=None)[source]¶

console_entry_point()[source]¶

iam_policy()[source]¶

list_defaults()[source]¶

list_limits()[source]¶

list_services()[source]¶

load_json(path)[source]¶: Load JSON from either a local file or S3

parse_args(argv)[source]¶

parse arguments/options

Parameters:	argv (list) – argument list to parse, usually `sys.argv[1:]`
Returns:	parsed arguments
Return type:	`argparse.Namespace`

set_limit_overrides(overrides)[source]¶

set_limit_overrides_from_json(path)[source]¶

set_threshold_overrides_from_json(path)[source]¶

show_usage()[source]¶

awslimitchecker.runner.console_entry_point()[source]¶

awslimitchecker.trustedadvisor module¶

class awslimitchecker.trustedadvisor.TrustedAdvisor(all_services, boto_connection_kwargs, ta_refresh_mode=None, ta_refresh_timeout=None, ta_api_region='us-east-1')[source]¶

Bases: awslimitchecker.connectable.Connectable

Class to contain all TrustedAdvisor-related logic.

Parameters:

all_services (dict) – AwsLimitChecker services dictionary.
profile_name (str) – The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
account_id (str) – AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
account_role (str) – the name of an IAM Role (in the destination account) to assume
region (str) – AWS region name to connect to
external_id (str) – (optional) the External ID string to use when assuming a role via STS.
mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
ta_refresh_mode (str or int or None) – How to handle refreshing Trusted Advisor checks; this is either None (do not refresh at all), the string “wait” (trigger refresh of all limit-related checks and wait for the refresh to complete), the string “trigger” (trigger refresh of all limit-related checks but do not wait for the refresh to complete), or an integer, which causes any limit-related checks more than this number of seconds old to be refreshed, waiting for the refresh to complete. Note that “trigger” will likely result in the current run getting stale data, but the check being refreshed in time for the next run.
ta_refresh_timeout (int or None) – If ta_refresh_mode is “wait” or an integer (any mode that will wait for the refresh to complete), if this parameter is not None, only wait up to this number of seconds for the refresh to finish before continuing on anyway.
ta_api_region (str) – The AWS region used for calls to the TrustedAdvisor API. This is always us-east-1 for non GovCloud accounts.

__init__(all_services, boto_connection_kwargs, ta_refresh_mode=None, ta_refresh_timeout=None, ta_api_region='us-east-1')[source]¶

Class to contain all TrustedAdvisor-related logic.

Parameters:

all_services (dict) – AwsLimitChecker services dictionary.
profile_name (str) –
The name of a profile in the cross-SDK shared credentials file for boto3 to retrieve AWS credentials from.
account_id (str) –
AWS Account ID (12-digit string, currently numeric) for the account to connect to (destination) via STS
account_role (str) –
the name of an IAM Role (in the destination account) to assume
region (str) – AWS region name to connect to
external_id (str) –
(optional) the External ID string to use when assuming a role via STS.
mfa_serial_number (str) – (optional) the MFA Serial Number string to use when assuming a role via STS.
mfa_token (str) – (optional) the MFA Token string to use when assuming a role via STS.
ta_refresh_mode (str or int or None) – How to handle refreshing Trusted Advisor checks; this is either None (do not refresh at all), the string “wait” (trigger refresh of all limit-related checks and wait for the refresh to complete), the string “trigger” (trigger refresh of all limit-related checks but do not wait for the refresh to complete), or an integer, which causes any limit-related checks more than this number of seconds old to be refreshed, waiting for the refresh to complete. Note that “trigger” will likely result in the current run getting stale data, but the check being refreshed in time for the next run.
ta_refresh_timeout (int or None) – If ta_refresh_mode is “wait” or an integer (any mode that will wait for the refresh to complete), if this parameter is not None, only wait up to this number of seconds for the refresh to finish before continuing on anyway.
ta_api_region (str) – The AWS region used for calls to the TrustedAdvisor API. This is always us-east-1 for non GovCloud accounts.

__module__ = 'awslimitchecker.trustedadvisor'¶

_can_refresh_check(check_id)[source]¶

Determine if the given check_id can be refreshed yet.

Parameters:	check_id (str) – the Trusted Advisor check ID
Returns:	whether or not the check can be refreshed yet
Return type:	bool

_get_check_result(check_id)[source]¶

Directly wrap Support.Client.describe_trusted_advisor_check_result(); return a 2-tuple of the result dict and the last refresh DateTime.

Parameters:	check_id (str) – the Trusted Advisor check ID
Returns:	2-tuple of (result dict, last refresh DateTime). If the last refresh time can’t be parsed from the response, the second element will be None.
Return type:	tuple

_get_limit_check_id()[source]¶

Query currently-available TA checks, return the check ID and metadata of the ‘performance/Service Limits’ check.

Returns:	2-tuple of Service Limits TA check ID (string), metadata (list), or (None, None).
Return type:	tuple

_get_refreshed_check_result(check_id)[source]¶

Given the check_id, return the dict of Trusted Advisor check results. This handles refreshing the Trusted Advisor check, if desired, according to self.refresh_mode and self.refresh_timeout.

Parameters:	check_id (str) – the Trusted Advisor check ID
Returns:	dict check result. The return value of `Support.Client.describe_trusted_advisor_check_result()`
Return type:	dict

_make_ta_service_dict()[source]¶

Build our service and limits dict. This is laid out identical to self.all_services, but keys limits by their ta_service_name and ta_limit_name properties.

Returns:	dict of TA service names to TA limit names to AwsLimit objects.

_poll()[source]¶

Poll Trusted Advisor (Support) API for limit checks.

Return a dict of service name (string) keys to nested dict vals, where each key is a limit name and each value the current numeric limit.

e.g.:

{
    'EC2': {
        'SomeLimit': 10,
    }
}

_poll_for_refresh(check_id)[source]¶

Given a Trusted Advisor check_id that has just been refreshed, poll until the refresh is complete. Once complete, return the check result.

Parameters:	check_id (str) – the Trusted Advisor check ID
Returns:	dict check result. The return value of `Support.Client.describe_trusted_advisor_check_result()`
Return type:	dict

_update_services(ta_results)[source]¶

Given a dict of TrustedAdvisor check results from _poll() and a dict of Service objects passed in to update_limits(), updated the TrustedAdvisor limits for all services.

Parameters:	ta_results (dict) – results returned by `_poll()` services (dict) – dict of service names to _AwsService objects

api_name = 'support'¶

service_name = 'TrustedAdvisor'¶

update_limits()[source]¶

Poll ‘Service Limits’ check results from Trusted Advisor, if possible. Iterate over all AwsLimit objects for the given services and update their limits from TA if present in TA checks.

Parameters:	services (dict) – dict of service name (string) to `_AwsService` objects

awslimitchecker.trustedadvisor.datetime_now()[source]¶

Helper function for testing; return datetime.datetime.now().

Returns:	`datetime.datetime.now()`
Return type:	datetime.datetime

awslimitchecker.utils module¶

class awslimitchecker.utils.StoreKeyValuePair(option_strings, dest, nargs=None, const=None, default=None, type=None, choices=None, required=False, help=None, metavar=None)[source]¶

Bases: argparse.Action

Store key=value options in a dict as {‘key’: ‘value’}.

Supports specifying the option multiple times, but NOT with nargs.

See Action.

__call__(parser, namespace, values, option_string=None)[source]¶: Call self as a function.

__init__(option_strings, dest, nargs=None, const=None, default=None, type=None, choices=None, required=False, help=None, metavar=None)[source]¶: Initialize self. See help(type(self)) for accurate signature.

__module__ = 'awslimitchecker.utils'¶

awslimitchecker.utils._get_dict_value_by_path(d, path)[source]¶

Given a dict (d) and a list specifying the hierarchical path to a key in that dict (path), return the value at that path or None if it does not exist.

Parameters:	d (dict) – the dict to search in path (list) – the path to the key in the dict

awslimitchecker.utils._get_latest_version()[source]¶

Attempt to retrieve the latest awslimitchecker version from PyPI, timing out after 4 seconds. If the version can be retrieved and is greater than the currently running version, return it as a string. If the version cannot be retrieved or is not greater than the currently running version, return None.

This function MUST not ever raise an exception.

Returns:	latest version from PyPI, if newer than current version
Return type:	str or None

awslimitchecker.utils._set_dict_value_by_path(d, val, path)[source]¶

Given a dict (d), a value (val), and a list specifying the hierarchical path to a key in that dict (path), set the value in d at path to val.

Parameters:	d (dict) – the dict to search in path (list) – the path to the key in the dict
Raises:	TypeError if the path is too short
Returns:	the modified dict

awslimitchecker.utils.color_output(s, color, colorize=True)[source]¶

awslimitchecker.utils.dict2cols(d, spaces=2, separator=' ')[source]¶

Take a dict of string keys and string values, and return a string with them formatted as two columns separated by at least spaces number of separator characters.

Parameters:	d (dict) – dict of string keys, string values spaces (int) – number of spaces to separate columns by separator (str) – character to fill in between columns

awslimitchecker.utils.issue_string_tuple(service_name, limit, crits, warns, colorize=True)[source]¶

Return a 2-tuple of key (service/limit name)/value (usage) strings describing a limit that has crossed its threshold.

Parameters:	service_name (str) – the name of the service limit (`AwsLimit`) – the Limit this relates to crits – the specific usage values that crossed the critical threshold crits – the specific usage values that crossed the warning threshold colorize (bool) – whether or not to colorize output; passed through to `color_output()`.
Returns:	2-tuple of strings describing crossed thresholds, first describing the service and limit name and second listing the limit and usage
Return type:	tuple

awslimitchecker.utils.paginate_dict(function_ref, *argv, **kwargs)[source]¶

Paginate through a query that returns a dict result, and return the combined result.

Note that this function requires some special kwargs to be passed in:

__alc_marker_path__ - The dictionary path to the Marker for the next result set. If this path does not exist, the raw result will be returned.
__alc_data_path__ - The dictionary path to the list containing the query results. This will be updated with the results of subsequent queries.
__alc_marker_param__ - The parameter name to pass to function_ref with the marker value.

These paths should be lists, in a form usable by _get_dict_value_by_path().

Parameters:	function_ref (`function`) – the function to call argv (tuple) – the parameters to pass to the function kwargs (dict) – keyword arguments to pass to the function

awslimitchecker.version module¶

class awslimitchecker.version.AWSLimitCheckerVersion(release, url, commit=None, tag=None)[source]¶

Bases: object

__dict__ = mappingproxy({'__module__': 'awslimitchecker.version', '__init__': <function AWSLimitCheckerVersion.__init__>, 'version_str': <property object>, '__str__': <function AWSLimitCheckerVersion.__str__>, '__repr__': <function AWSLimitCheckerVersion.__repr__>, '__dict__': <attribute '__dict__' of 'AWSLimitCheckerVersion' objects>, '__weakref__': <attribute '__weakref__' of 'AWSLimitCheckerVersion' objects>, '__doc__': None})¶

__init__(release, url, commit=None, tag=None)[source]¶: Initialize self. See help(type(self)) for accurate signature.

__module__ = 'awslimitchecker.version'¶

__repr__()[source]¶

Return a representation of this object that is valid Python and will create an idential AWSLimitCheckerVersion object.

Return type:	str

__str__()[source]¶

Human-readable string representation of this version object, in the format: “version_str <url>”

Return type:	str

__weakref__¶: list of weak references to the object (if defined)

version_str¶

The version string for the currently-running awslimitchecker; includes git branch and tag information.

Return type:	str

awslimitchecker.version._get_version_info()[source]¶

Returns the currently-installed awslimitchecker version, and a best-effort attempt at finding the origin URL and commit/tag if installed from an editable git clone.

Returns:	awslimitchecker version
Return type:	str

Changelog¶

8.0.0 (2019-11-03)¶

Important: This release includes major changes to the EC2 On-Demand Instances service limits! For most users, this means the 175 Instance-type-specific limits will be removed and replaced with five (5) limits. Please see the New EC2 vCPU Limits section below for further details, as this will especially impact anyone using limit or threshold overrides, or post-processing awslimitchecker’s output. This is also a time to remind all users that this project adheres to a strict Versioning Policy and if occasional breakage due to limit or IAM policy changes is unacceptable, you should pin to a major version.

Important: Python versions prior to 3.5, including 2.7, are now pending deprecation. As of January 1, 2020, they will no longer be tested or supported, and awslimitchecker will require Python 3.5 or newer. Please see below for details. Also take note that running via the official Docker image is a way to ensure the best version of Python is always used.

Important: This release requires a new IAM permission, servicequotas:ListServiceQuotas.

Issue #400 / PR #434 - Support GovCloud region and alternate partitions in STS assumed roles and Trusted Advisor. Thanks to @djkiourtsis.
Issue #432 - Update EC2 limit handling for new vCPU-based limits in regions other than cn-* and us-gov-* (which still use old per-instance-type limits). See section below for further information. For regions other than cn-* and us-gov-*, this will remove all 175 Running On-Demand <type> instances and the Running On-Demand EC2 instances limit, and replace them with:
- Running On-Demand All F instances
- Running On-Demand All G instances
- Running On-Demand All P instances
- Running On-Demand All X instances
- Running On-Demand All Standard (A, C, D, H, I, M, R, T, Z) instances
Issue #429 - add 87 missing EC2 instance types. This will now only impact cn-* and us-gov-* regions.
Issue #433 - Fix broken links in the docs; waffle.io and landscape.io are both gone, sadly.
Issue #441 - Fix critical bug where awslimitchecker would die with an unhandled botocore.exceptions.ParamValidationError exception in accounts that have Trusted Advisor but do not have a “Service Limits” check in the “performance” category.
Issue #439 - Fix unhandled exception in CloudTrail service when attempting to call GetEventSelectors on an Organization trail. When calling DescribeTrails, we will now pass includeShadowTrails as False, to not include replications of trails in different regions or organization trails in member accounts (relevant API documentation).
Issue #438 - Per PEP 373, Python 2.7 will officially end support on January 1, 2020. As such, and in keeping with reasoning explained at python3statement.org, awslimitchecker will stop supporting and testing against Python 2.7 on January 1, 2020. At that point, all new versions will be free to use Python features introduced in 3.5. As of this version, a PendingDeprecationWarning will be emitted when running awslimitchecker under Python 2.7.
Issue #437 - Per PEP 429, Python 3.4 reached end-of-life on March 18, 2019 and is now officially retired. Add a PendingDeprecationWarning for users running under this version, announcing that support for Python 3.4 will be removed on January 1, 2020.
In following with the above two issues, raise a DeprecationWarning when running on any Python2 version prior to 2.7 or any Python3 version prior to 3.4, in accorance with the published end-of-life dates of those versions.
Issue #436 - Begin testing under Python 3.8 and base our Docker image on python:3.8-alpine.
Issue #435 - Allow configuring the botocore maximum retries for Throttling / RateExceeded errors on a per-AWS-API basis via environment variables. See the relevant sections of the CLI Usage or Python Usage documentation for further details.
Issue #431 - Fix a major under-calculation of usage for the EC2 Rules per VPC security group limit. We were previously calculating the number of “Rules” (from port / to port / protocol combinations) in a Security Group, but the limit is actually based on the number of permissions granted. See this comment on the issue for further details.
Issue #413 - Add support for retrieving limits from the new Service Quotas service where available. See the Service Quotas section below for more information.
Bump boto3 minimum version requirement from 1.4.6 to 1.9.175 and botocore minimum version requirement from 1.6.0 to 1.12.175, in order to support Service Quotas.

New EC2 vCPU Limits¶

AWS has announced new, completely different handling of EC2 On-Demand Instances service limits. Instead of having a limit per instance type (currently 261 limits), there will now be only five limits, based on the number of vCPUs for instance families: one each for “F”, “G”, “P”, and “X” family instances (defaulting to a total of 128 vCPUs each) and one limit for all other “Standard” instance families (currently A, C, D, H, I, M, R, T, and Z) defaulting to a combined total of 1152 vCPUs. Please see the link, and the EC2 On-Demand Instance Limits section of the AWS FAQ for further information.

This greatly simplifies handling of the EC2 On-Demand limits, but does mean that any existing code that references EC2 Running On-Demand limit names, including any limit and/or threshold overrides, will need to be updated for this change.

This change is only going into effect in the “standard” AWS regions/partitions, i.e. not in the China partition (cn- regions) or GovCloud (us-gov- regions). It is a phased rollout from October 24 to November 7, 2019 based on the first character of your account ID (see the “How will the transition to vCPU limits happen?” entry in the FAQ linked above for exact dates). Unfortunately, there is no clear way to determine via API if a given account is using the new vCPU limits or the old per-instance-type limits. As a result, and given that this release is being made already part-way through the rollout window, the current behavior of awslimitchecker is as follows:

When running against region names beginning with cn- or us-gov-, use the old per-instance-type limits, unless the USE_VCPU_LIMITS environment variable is set to true.
Otherwise use the new vCPU-based limits, unless the USE_VCPU_LIMITS environment variable is set to something other than true.

As such, if you install this release before November 7, 2019 and need to force your non-China, non-GovCloud accout to use the older per-instance-type limits, setting the USE_VCPU_LIMITS environment variable to false will accomplish this until your account switches over to the new vCPU limits. Alternatively, you can leave awslimitchecker as-is and accept possibly-slightly-inaccurate limit calculations for a few days.

Please also note that with the change to vCPU limits, there is no longer an overall Running On-Demand EC2 instances limit for accounts that use the new vCPU limits.

I have not yet implemented Trusted Advisor (TA) support for these new limits, as they’re presented in a different category of Trusted Advisor checks from the previous EC2 limits. I’m not going to be implementing TA for these limits, in favor of spending the time instead on implementing Service Quotas support via Issue #413.

Calculation of current usage for the vCPU limits is based on the EC2 Optimizing CPU Options documentation which specifies, “The number of vCPUs for the instance is the number of CPU cores multiplied by the threads per core.” The CpuOptions field of the EC2 DescribeInstances API specifies the core and thread count for each running instance.

Service Quotas¶

AWS’ new Service Quotas service provides a unified interface to retrieve current limits from many AWS services. These limit values are second only to the services’ own APIs (for the services that provide limit information via API), and are much more current and complete than the information provided by Trusted Advisor. The introduction of Service Quotas should greatly reduce the number of limits that need to be retrieved from Trusted Advisor or specified manually.

If you currently have any Limit Overrides set (via either the CLI or Python API), please verify on the Supported Limits page whether Service Quotas data is now available for those limits. You should be able to remove manual overrides for the limits that now retrieve data from Service Quotas.

7.1.0 (2019-09-10)¶

Issue #301 - Distribute an official Docker image for awslimitchecker.
Issue #421
- Stop referencing deprecated botocore.vendored.requests.exceptions.ConnectTimeout in favor of new, and higher-level, botocore.exceptions.ConnectionError
- In awslimitchecker.utils._get_latest_version(), replace use of botocore.vendored.requests with urllib3.
Issue #324 - Support loading limit overrides and/or threshold overrides from a JSON file either stored locally or in S3 via new --limit-override-json and --threshold-override-json CLI options.
Issue #418 - Add support for sending runtime, limits, and usage to <metric providers such as Datadog.
Issue #419 - Add support for alerts/notifications of thresholds crossed or failed runs (exceptions) via <alert providers such as PagerDuty.

7.0.0 (2019-08-13)¶

This release removes one limit and adds two new limits!

Issue #412 / PR #414 - Since some time in June 2019, the former ELB Service Active load balancers limit is now two separate limits, Classic load balancers and Application load balancers. Anyone who was using the “Active load balancers” limit name (e.g. in overrides or custom code) must update their code accordingly. This release removes the Active load balancers limit and adds two new limits, Classic load balancers and Application load balancers, to match how AWS now calculates and exposes these limits.
Issue #410 - Documentation fix for missing Trusted Advisor information on Limits page.
Fix some test failures related to exception objects in pytest 5.0.0.

6.1.7 (2019-05-17)¶

Issue #406 - Fix for unhandled exception when a Trusted Advisor check has a null timestamp.

6.1.6 (2019-04-19)¶

PR #402 - Add --skip-check command line option for ignoring specific checks based on service and check name. Thanks to @ddelnano.

6.1.5 (2019-03-06)¶

Issue #397 - Fix unhandled exception checking SES in some regions. Issue #375 in 6.0.1 handled an uncaught ClientError when checking SES in some regions, but some regions such as ap-southeast-2 are now returning a 503 Service Unavailable for SES instead. Handle this case as well. Thanks to @TimGebert for reporting the issue and bergkampsliew for verifying.

6.1.4 (2019-03-01)¶

PR #394 - Fix bug in calculation of VPC “Network interfaces per Region” limit, added in 6.1.0 (PR #379), that resulted in reporting the limit 5x lower than it actually is in some cases. Thanks to @TimGebert.

6.1.3 (2019-02-26)¶

PR #391 / Issue #390 - Update for some recently-increased DynamoDB and EFS default limits. Thanks to bergkampsliew.

6.1.2 (2019-02-19)¶

PR #387 - Fix bug in calculation of VPC “Network interfaces per Region” limit, added in 6.1.0 (PR #379). Thanks to @nadlerjessie.

6.1.1 (2019-02-15)¶

PR #381 / Issue #382 - Revised fix for Issue #375, uncaught ClientError exception when checking SES Send Quota in certain regions. Thanks to bergkampsliew.

6.1.0 (2019-01-30)¶

PR #379 - Add support for EC2/VPC Network interfaces per Region limit. Thanks to @nadlerjessie.

6.0.1 (2019-01-27)¶

Issue #375 - Fix uncaught ClientError exception when checking SES Send Quota in certain regions. Thanks to bergkampsliew for PR #376.

6.0.0 (2019-01-01)¶

This release requires new IAM permissions:

lambda:GetAccountSettings

Important: This release removes the ApiGateway APIs per account limit in favor of more-specific limits; see below.

Issue #363 - Add support for the Lambda limits and usages.
Clarify support for “unlimited” limits (limits where awslimitchecker.limit.AwsLimit.get_limit() returns None).
Add support for 26 new EC2 instance types.
Update default limits for ECS service.
ApiGateway service now has three ReST API limits (Regional API keys per account, Private API keys per account, and Edge API keys per account) in place of the previous single APIs per account to reflect the current documented service limits.
API Gateway service - add support for VPC Links per account limit.
Add support for Network Load Balancer limits Network load balancers and Listeners per network load balancer.
Add support for Application Load Balancer limits Certificates per application load balancer.
Add support for Classic ELB (ELBv1) Registered instances per load balancer limit.
Rename dev/terraform.py to dev/update_integration_iam_policy.py and move from using terraform to manage integration test IAM policy to pure Python.
Note that I’ve left out the Targets per application load balancer and Targets per network load balancer limits. Checking usage for these requires iterating over DescribeTargetHealth for each target group, so I’ve opted to leave it out at this time for performance reasons and because I’d guess that the number of people with 500 or 1000 targets per LB is rather small. Please open an issue if you’d like to see usage calculation for these limits.

Important Note on Limit Values¶

awslimitchecker has had documented support for Limits that are unlimited/”infinite” since 0.5.0 by returning None from awslimitchecker.limit.AwsLimit.get_limit(). Until now, that edge case was only triggered when Trusted Advisor returned “Unlimited” for a limit. It will now also be returned for the Lambda service’s Function Count Limit. Please be aware of this if you’re using the Python API and assuming Limit values are all numeric.

If you are relying on the output format of the command line awslimitchecker script, please use the Python API instead.

5.1.0 (2018-09-23)¶

Issue #358 - Update EFS with new default limit for number of File systems: 70 in us-east-1 and 125 in other regions.
PR #359 - Add support for t3 EC2 instance types (thanks to chafouin).
Switch py37 TravisCI tests from py37-dev to py37 (release).

5.0.0 (2018-07-30)¶

This release requires new IAM permissions:

cloudtrail:DescribeTrails
cloudtrail:GetEventSelectors
route53:GetHostedZone
route53:ListHostedZones
route53:GetHostedZoneLimit

This release officially drops support for Python 2.6 and 3.3.

PR #345 / Issue #349 - Add Route53 service and checks for “Record sets per hosted zone” and “VPC associations per hosted zone” limits (the latter only for private zones). (thanks to julienduchesne).
Support Per-Resource Limits (see below). Note that this includes some changes to the ``awslimitchecker`` CLI output format and some minor API changes.
Issue #317 - Officially drop support for Python 2.6 and 3.3. Also, begin testing py37.
Issue #346 - Update documentation for S3 API calls made by ElasticBeanstalk while retrieving EB limits (thanks to fenichelar for finding this).
PR #350 - Add support for CloudTrail limits (thanks to fpiche).
Issue #352 - Update version check PyPI URL and set User-Agent when performing version check.
Issue #351 - Add support for forty two (42) missing EC2 instance types including the new c5d/m5d/r5d/z1d series instances.

Per-Resource Limits¶

Some Limits (AwsLimit) now have limits/maxima that are per-resource rather than shared across all resources of a given type. The first limit of this kind that awslimitchecker supports is Route53, where the “Record sets per hosted zone” and “VPC associations per hosted zone” limits are set on a per-resource (per-zone) basis rather than globally to all zones in the account. Limits of this kind are also different since, as they are per-resource, they can only be enumerated at runtime. Supporting limits of this kind required some changes to the internals of awslimitchecker (specifically the AwsLimit and AwsLimitUsage classes) as well as to the output of the command line script/entrypoint.

For limits which support different maxima/limit values per-resource, the command line awslimitchecker script -l / --list-limits functionality will now display them in Service/Limit/ResourceID format, i.e.:

Route53/Record sets per hosted zone/foo.com                  10000 (API)
Route53/Record sets per hosted zone/bar.com                  10000 (API)
Route53/Record sets per hosted zone/local.                   15000 (API)
Route53/VPC associations per hosted zone/local.              100 (API)

As opposed to the Service/Limit format used for all existing limits, i.e.:

IAM/Groups             300 (API)
IAM/Instance profiles  2000 (API)

If you are relying on the output format of the command line awslimitchecker script, please use the Python API instead.

For users of the Python API, please take note of the new AwsLimit.has_resource_limits() and get_maximum() methods which assist in how to identify limits that have per-resource maxima. Existing code that only surfaces awslimitchecker’s warnings/criticals (the result of check_thresholds()) will work without modification, but any code that displays or uses the current limit values themselves may need to be updated.

4.0.2 (2018-03-22)¶

This is a minor bugfix release for one issue:

Issue #341 - The Trusted Advisor EBS checks for General Purpose (SSD) volume storage (GiB) and Magnetic volume storage (GiB) have been renamed to to General Purpose SSD (gp2) volume storage (GiB) and Magnetic (standard) volume storage (GiB), respectively, to provide more unified naming. This change was made on March 19th or 20th without any public announcement, and resulted in awslimitchecker being unable to determine the current values for these limits from Trusted Advisor. Users relying on Trusted Advisor for these values saw the limit values incorrectly revert to the global default. This is an internal-only change to map the new Trusted Advisor check names to the awslimitchecker limit names.

4.0.1 (2018-03-09)¶

This is a minor bugfix release for a few issues that users have reported recently.

Fix Issue #337 where sometimes an account even with Business-level support will not have a Trusted Advisor result for the Service Limits check, and will return a result with status: not_available or a missing flaggedResources key.
Fix Issue #335 where runs against the EFS service in certain unsupported regions result in either a connection timeout or an AccessDeniedException.

4.0.0 (2018-02-17)¶

This release requires new IAM permissions:

ds:GetDirectoryLimits
ecs:DescribeClusters
ecs:DescribeServices
ecs:ListClusters
ecs:ListServices
Fix various docstring problems causing documentation build to fail.
PR #328 - Add support for Directory Service and ECS (thanks to di1214).
- NOTE the “EC2 Tasks per Service (desired count)” limit uses non-standard resource IDs, as service names and ARNs aren’t unique by account or region, but only by cluster. i.e. the only way to uniquely identify an ECS Service is by the combination of service and cluster. As such, the resource_id field for usage values of the “EC2 Tasks per Service (desired count)” limit is a string of the form cluster=CLUSTER-NAME; service=SERVICE-NAME.
PR #330 - Update numerous no-longer-correct default limits (thanks to GitHub user KingRogue).
- AutoScaling
  - Auto Scaling groups - 20 to 200
  - Launch configurations - 100 to 200
- EBS
  - Provisioned IOPS - 40000 to 200000
  - Provisioned IOPS (SSD) storage (GiB) - 20480 to 102400 (100 TiB)
  - General Purpose (SSD) volume storage (GiB) - 20480 to 102400 (100 TiB)
  - Throughput Optimized (HDD) volume storage (GiB) - 20480 to 307200 (300 TiB)
  - Cold (HDD) volume storage (GiB) - 20480 to 307200 (300 TiB)
- ElasticBeanstalk
  - Applications - 25 to 75
  - Application versions - 500 to 1000
- IAM
  - Groups - 100 to 300
  - Roles - 250 to 1000
  - Instance profiles - 100 to 1000
  - Policies - 1000 to 1500
Fix dev/terraform.py and dev/integration_test_iam.tf for integration tests.
Fix date and incorrect project name in some file/copyright headers.
Issue #331 - Change layout of the generated Supported Limits documentation page to be more clear about which limits are supported, and include API and Trusted Advisor data in the same table as the limits and their defaults.

3.0.0 (2017-12-02)¶

Important Notice for python 2.6 and 3.3 users:

Python 2.6 reached its end of life in October 2013. Python 3.3 officially reached its end of life in September 2017, five years after development was ceased. The test framework used by awslimitchecker, pytest, has dropped support for Python 2.6 and 3.3 in its latest release. According to the PyPI download statistics (which unfortunately don’t take into account mirrors or caching proxies), awslimitchecker has only ever had one download reported as Python 3.3 and has a very, very small number reporting as Python 2.6 (likely only a handful of users). The next release of awslimitchecker will officially drop support for Python 2.6 and 3.3, changing the required Python version to 2.7 or >= 3.4. If you are one of the very few (perhaps only one) users running on Python 2.6, you can either run with a newer Python version or see Issue 301 for information on building a Docker container based on Python 3.5.

Fix test failures caused by dependency updates.
Pin pytest development to 3.2.5 to continue python 2.6 and 3.3 support.
Issue #314 - Update RDS service default limits; DB snapshots per user default limit increased from 50 to 100 and Subnet Groups limit increased from 20 to 50. This should not have affected any users, as these limits are retrieved in realtime via the RDS API.
Issue #293 - Increase maximum number of retries (boto3/botocore) for elbv2 API calls, to attempt to deal with the large number of calls we have to make in order to count the ALB listeners and rules. This requires botocore >= 1.6.0, which requires boto3 >= 1.4.6.
Issue #315 - Add new instance types: ‘c5.18xlarge’, ‘c5.2xlarge’, ‘c5.4xlarge’, ‘c5.9xlarge’, ‘c5.large’, ‘c5.xlarge’, ‘g3.16xlarge’, ‘g3.4xlarge’, ‘g3.8xlarge’, ‘h1.16xlarge’, ‘h1.2xlarge’, ‘h1.4xlarge’, ‘h1.8xlarge’, ‘m5.12xlarge’, ‘m5.24xlarge’, ‘m5.2xlarge’, ‘m5.4xlarge’, ‘m5.large’, ‘m5.xlarge’, ‘p3.16xlarge’, ‘p3.2xlarge’, ‘p3.8xlarge’, ‘x1e.32xlarge’, ‘x1e.xlarge’
Issue #316 - Automate release process.

2.0.0 (2017-10-12)¶

Update README with correct boto version requirement. (Thanks to nadlerjessie for the contribution.)
Update minimum boto3 version requirement from 1.2.3 to 1.4.4; the code for Issue #268 released in 0.11.0 requires boto3 >= 1.4.4 to make the ElasticLoadBalancing DescribeAccountLimits call.
Bug fix for “Running On-Demand EC2 instances” limit - Issue #308 - The fix for Issue #215 / PR #223, released in 0.6.0 on November 11, 2016 was based on incorrect information about how Regional Benefit Reserved Instances (RIs) impact the service limit. The code implemented at that time subtracted Regional Benefit RIs from the count of running instances that we use to establish usage. Upon further review, as well as confirmation from AWS Support, some AWS TAMs, and the relevant AWS documentation, only Zonal RIs (AZ-specific) are exempt from the Running On-Demand Instances limit. Regional Benefit RIs are counted the same as any other On-Demand Instances, as they don’t have reserved capacity. This release stops subtracting Regional Benefit RIs from the count of Running Instances, which was causing awslimitchecker to report inaccurately low Running Instances usage.

1.0.0 (2017-09-21)¶

This release requires new IAM permissions:

apigateway:GET
apigateway:HEAD
apigateway:OPTIONS
ec2:DescribeVpnGateways
dynamodb:DescribeLimits
dynamodb:DescribeTable
dynamodb:ListTables

Changes in this release:

Issue #254 - Officially adopt SemVer for this project, and document our versioning policy.
Issue #294 - Ignore NAT Gateways that are not in “available” or “pending” state.
Issue #253 - Check latest awslimitchecker version on PyPI at class instantiation; log warning if a newer version is available. Add Python API and CLI options to disable this.
Pin tox version to 2.7.0 as workaround for parsing change.
Issue #292 - Add support for API Gateway limits.
PR #302 - Add support for VPC VPN Gateways limit. (Thanks to andrewmichael for the contribution.)
Issue #280 / PR #297 - Add support for DynamoDB limits. (Thanks to saratlingamarla for the contribution.)

0.11.0 (2017-08-06)¶

This release requires new IAM permissions:

elasticfilesystem:DescribeFileSystems
elasticloadbalancing:DescribeAccountLimits
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeTargetGroups
elasticloadbalancing:DescribeRules

Changes in this release:

Issue #287 / PR #288 - Add support for Elastic Filesystem number of filesystems limit. (Thanks to nicksantamaria for the contribution.)
Issue #268 - Add support for ELBv2 (Application Load Balancer) limits; get ELBv1 (Classic) and ELBv2 (Application) limits from the DescribeAccountLimits API calls.

0.10.0 (2017-06-25)¶

This release removes the ElastiCache Clusters limit, which no longer exists.

Issue #283 - Add gitter.im chat link to README and docs.
Issue #282 - versionfinder caused awslimitchecker to die unexpectedly on systems without a git binary on the PATH. Bump versionfinder requirement to >= 0.1.1.
Issue #284 - Fix ElastiCache limits to reflect what AWS Support and the current documentation say, instead of a support ticket from July 2015.
- Remove the “Clusters” limit, which no longer exists.
- “Nodes per Cluster” limit is Memcached only.
- Add “Subnets per subnet group” limit.
Issue #279 - Add Github release to release process.

0.9.0 (2017-06-11)¶

Issue #269 - set Trusted Advisor limit name overrides for some RDS limits that were recently added to TA, but with different names than what awslimitchecker uses.
Fix bug Issue #270 - do not count propagated routes towards the VPC “Entries per route table” limit, per clarification in VPC service limits documentation (“This is the limit for the number of non-propagated entries per route table.”)
PR #276 / Issue #275 - Add new --skip-service CLI option and AwsLimitChecker.remove_services to allow skipping of one or more specific services during runs. (Thanks to tamsky for this contribution.)
PR #274 / Issue #273 - Add support for new i3 EC2 Instance types. (Thanks to tamsky) for this contribution.)
Fix broken docs build due to changes Intersphinx reference to ValueError in python2 docs
Add hack to docs/source/conf.py as workaround for https://github.com/sphinx-doc/sphinx/issues/3860
Issue #267 - Firehose is only available in us-east-1, us-west-2 and eu-west-1. Omit the traceback from the log message for Firehose EndpointConnectionError and log at warning instead of error.

0.8.0 (2017-03-11)¶

This release includes a breaking API change. Please see the first bullet point below. Note that once 1.0.0 is released (which should be relatively soon), such API changes will only come with a major version increment.

This release requires new IAM permissions: redshift:DescribeClusterSnapshots and redshift:DescribeClusterSubnetGroups.

This release removes Python 3.2 support. This was deprecated in 0.7.0. As of this release, awslimitchecker may still work on Python 3.2, but it is no longer tested and any support tickets or bug reports specific to 3.2 will be closed.

PR #250 - Allow the --service command line option to accept multiple values. This is a breaking public API change; the awslimitchecker.checker.AwsLimitChecker awslimitchecker.checker.AwsLimitChecker.check_thresholds, awslimitchecker.checker.AwsLimitChecker.find_usage, and awslimitchecker.checker.AwsLimitChecker.get_limits methods now take an optional service list keyword argument instead of a string for a single service name.
PR #251 - Handle GovCloud-specific edge cases; specifically, UnsupportedOperation errors for EC2 Spot Instance-related API calls, and limits returned as 0 by the DescribeAccountAttributes EC2 API action.
PR #249 - Add support for RedShift limits (Redshift subnet groups and Redshift manual snapshots). This requires the redshift:DescribeClusterSnapshots and redshift:DescribeClusterSubnetGroups IAM permissions.
Issue #259 - remove duplicates from required IAM policy returned by awslimitchecker.checker.AwsLimitChecker.get_required_iam_policy and awslimitchecker --iam-policy.
Various TravisCI/tox build fixes:
- Fix pip caching; use default pip cache directory
- Add python 3.6 tox env and Travis env, now that it’s released
- Switch integration3 tox env from py3.4 to py3.6
PR #256 - Add example of wrapping awslimitchecker in a script to send metrics to Prometheus.
Issue #236 - Drop support for Python 3.2; stop testing under py32.
Issue #257 - Handle ElastiCache DescribeCacheCluster responses that are missing CacheNodes key in a cluster description.
Issue #200 - Remove EC2 Spot Instances/Fleets limits from experimental status.
Issue #123 - Update documentation on using session tokens (Session or Federation temporary creds).

0.7.0 (2017-01-15)¶

This release deprecates support for Python 3.2. It will be removed in the next release.

This release introduces support for automatically refreshing Trusted Advisor checks on accounts that support this. If you use this new feature, awslimitchecker will require a new permission, trustedadvisor:RefreshCheck. See Getting Started - Trusted Advisor for further information.

#231 - add support for new f1, r4 and t2.(xlarge|2xlarge) instance types, introduced in November 2016.
#230 - replace the built-in versioncheck.py with versionfinder. Remove all of the many versioncheck tests.
#233 - refactor tests to replace yield-based tests with parametrize, as yield-based tests are deprecated and will be removed in pytest 4.
#235 - Deprecate Python 3.2 support. There don’t appear to have been any downloads on py32 in the last 6 months, and the effort to support it is too high.
A bunch of Sphinx work to use README.rst in the generated documentation.
Changed DEBUG-level logging format to include timestamp.
#239 - Support refreshing Trusted Advisor check results during the run, and optionally waiting for refresh to finish. See Getting Started - Trusted Advisor for further information.
#241 / PR #242 - Fix default ElastiCache/Nodes limit from 50 to 100, as that’s now what the docs say.
#220 / PR #243 / PR #245 - Fix for ExpiredTokenException Errors. awslimitchecker.connectable.credentials has been removed. In previous releases, awslimitchecker had been using a Connectable.credentials class attribute to store AWS API credentials and share them between Connectable subclass instances. The side-effect of this was that AWS credentials were set at the start of the Python process and never changed. For users taking advantage of the Python API and either using short-lived STS credentials or using long-running or threaded implementations, the same credentials persisted for the life of the process, and would often result in ExpiredTokenExceptions. The fix was to move _boto_conn_kwargs and _get_sts_token from connectable to the top-level AwsLimitChecker class itself, get the value of the _boto_conn_kwargs property in the constructor, and pass that value in to all Connectable subclasses. This means that each instance of AwsLimitChecker has its own unique connection-related kwargs and credentials, and constructing a new instance will work intuitively - either use the newly-specified credentials, or regenerate STS credentials if configured to use them. I have to extend my deepest gratitude to the folks who identified and fixed this issue, specifically cstewart87 for the initial bug report and description, aebie for the tireless and relentlessly thorough investigation and brainstorming and for coordinating work for a fix, and willusher for the final implementation and dealing (wonderfully) with the dizzying complexity of many of the unit tests (and even matching the existing style).

0.6.0 (2016-11-12)¶

This release has a breaking change. The VPC NAT gateways has been renamed to NAT Gateways per AZ and its get_current_usage() method will now return a list with multiple items. See the changelog entry for #214 below.

This release requires the following new IAM permissions to function:

firehose:ListDeliveryStreams
#217 - add support for new/missing EC2 instance types: m4.16xlarge, x1.16xlarge, x1.32xlarge, p2.xlarge, p2.8xlarge, p2.16xlarge.
#215 - support “Regional Benefit” Reserved Instances that have no specific AZ set on them. Per AWS, these are exempt from On-Demand Running Instances limits like all other RIs.
#214 - The VPC “NAT gateways” limit incorrectly calculated usage for the entire region, while the limit is actually per-AZ. It also had strange capitalization that confused users. The name has been changed to “NAT Gateways per AZ” and the usage is now correctly calculated per-AZ instead of region-wide.
#221 / PR #222 - Fix bug in handling of STS Credentials where they are cached permanently in connectable.Connectable.credentials, and new AwsLimitChecker instances in the same Python process reuse the first set of STS credentials. This is fixed by storing the Account ID as part of connectable.ConnectableCredentials and getting new STS creds if the cached account ID does not match the current account_id on the Connectable object.
PR #216 - add new “Firehose” service with support for “Delivery streams per region” limit.
#213 / PR #188 - support AWS cross-sdk credential file profiles via -P / --profile, like awscli.

0.5.1 (2016-09-25)¶

This release requires the following new IAM permissions to function:

ec2:DescribeSpot* or more specifically:
- ec2:DescribeSpotDatafeedSubscription
- ec2:DescribeSpotFleetInstances
- ec2:DescribeSpotFleetRequestHistory
- ec2:DescribeSpotFleetRequests
- ec2:DescribeSpotInstanceRequests
- ec2:DescribeSpotPriceHistory
ec2:DescribeNatGateways
#51 / PR #201 - Add experimental support for Spot Instance and Spot Fleet limits (only the ones explicitly documented by AWS). This is currently experimental, as the documentation is not terribly clear or detailed, and the author doesn’t have access to any accounts that make use of spot instances. This will be kept experimental until multiple users validate it. For more information, see the EC2 limit documentation.
PR #204 contributed by hltbra to add support for VPC NAT Gateways limit.
Add README and Docs link to waffle.io board.
Fix bug where --skip-ta command line flag was ignored in show_usage() (when running with -u / --show-usage action).
Add link to waffle.io Kanban board
#202 - Adds management of integration test IAM policy via Terraform.
#211 - Add working download stats to README and docs
Fix broken landscape.io badges in README and docs
#194 - On Limits page of docs, clarify that Running On-Demand Instances does not include Reserved Instances.
Multiple tox.ini changes:
- simplify integration and unit/versioncheck testenv blocks using factors and reuse
- py26 testenv was completely unused, and py26-unit was running and working with mock==2.0.0
- use pytest<3.0.0 in py32 envs
#208 - fix KeyError when timestamp key is missing from TrustedAdvisor check result dict

0.5.0 (2016-07-06)¶

This release includes a change to awslimitchecker’s Python API. awslimitchecker.limit.AwsLimit.get_limit can now return either an int or None, as TrustedAdvisor now lists some service limits as being explicitly “unlimited”.

#195 - Handle TrustedAdvisor explicitly reporting some limits as “unlimited”. This introduces the concept of unlimited limits, where the effective limit is None.

0.4.4 (2016-06-27)¶

PR #190 / #189 - Add support for EBS st1 and sc1 volume types (adds “EBS/Throughput Optimized (HDD) volume storage (GiB)” and “EBS/Cold (HDD) volume storage (GiB)” limits).

0.4.3 (2016-05-08)¶

PR #184 Fix default VPC/Security groups per VPC limit from 100 to 500, per VPC limits documentation (this limit was increased at some point recently). Thanks to Travis Thieman for this contribution.

0.4.2 (2016-04-27)¶

This release requires the following new IAM permissions to function:

elasticbeanstalk:DescribeApplications
elasticbeanstalk:DescribeApplicationVersions
elasticbeanstalk:DescribeEnvironments
#70 Add support for ElasicBeanstalk service.
#177 Integration tests weren’t being properly skipped for PRs.
#175 the simplest and most clear contributor license agreement I could come up with.
#172 add an integration test running against sa-east-1, which has fewer services than the popular US regions.

0.4.1 (2016-03-15)¶

#170 Critical bug fix in implementation of #71 - SES only supports three regions (us-east-1, us-west-2, eu-west-1) and causes an unhandled connection error if used in another region.

0.4.0 (2016-03-14)¶

This release requires the following new IAM permissions to function:

rds:DescribeAccountAttributes
iam:GetAccountSummary
s3:ListAllMyBuckets
ses:GetSendQuota
cloudformation:DescribeAccountLimits
cloudformation:DescribeStacks

Issues addressed:

#150 add CHANGES.rst to Sphinx docs
#85 and #154
- add support for RDS ‘DB Clusters’ and ‘DB Cluster Parameter Groups’ limits
- use API to retrieve RDS limits
- switch RDS from calculating usage to using the DescribeAccountAttributes usage information, for all limits other than those which are per-resource and need resource IDs (Max auths per security group, Read replicas per master, Subnets per Subnet Group)
- awslimitchecker now requires an additional IAM permission, rds:DescribeAccountAttributes
#157 fix for TrustedAdvisor polling multiple times - have TA set an instance variable flag when it updates services after a poll, and skip further polls and updates if the flag is set. Also add an integration test to confirm this.
#50 Add support for IAM service with a subset of its limits (Groups, Instance Profiles, Policies, Policy Versions In Use, Roles, Server Certificates, Users), using both limits and usage information from the GetAccountSummary API action. This requires an additional IAM permission, iam:GetAccountSummary.
#48 Add support for S3 Buckets limit. This requires an additional IAM permission, s3:ListAllMyBuckets.
#71 Add support for SES service (daily sending limit). This requires an additional IAM permission, ses:GetSendQuota.
#69 Add support for CloudFormation service Stacks limit. This requires additional IAM permissions, cloudformation:DescribeAccountLimits and cloudformation:DescribeStacks.
#166 Speed up TravisCI tests by dropping testing for PyPy and PyPy3, and only running the -versioncheck tests for two python interpreters instead of 8.

0.3.2 (2016-03-11)¶

#155 Bug fix for uncaught KeyError on accounts with Trusted Advisor (business-level support and above). This was caused by an undocumented change released by AWS between Thu, 10 Mar 2016 07:00:00 GMT and Fri, 11 Mar 2016 07:00:00 GMT, where five new IAM-related checks were introduced that lack the region data field (which the TrustedAdvisorResourceDetail API docs still list as a required field).

0.3.1 (2016-03-04)¶

#117 fix Python 3.5 TravisCI tests and re-enable automatic testing for 3.5.
#116 add t2.nano EC2 instance type; fix typo - “m4.8xlarge” should have been “m4.10xlarge”; update default limits for m4.(4|10)xlarge
#134 Minor update to project description in docs and setup.py; use only _VERSION (not git) when building in RTD; include short description in docs HTML title; set meta description on docs index.rst.
#128 Update Development and Getting Help documentation; add GitHub CONTRIBUTING.md file with link back to docs, as well as Issue and PR templates.
#131 Refactor TrustedAdvisor interaction with limits for special naming cases (limits where the TrustedAdvisor service or limit name doesn’t match that of the awslimitchecker limit); enable newly-available TrustedAdvisor data for some EC2 on-demand instance usage.

0.3.0 (2016-02-18)¶

Add coverage for one code branch introduced in PR #100 that wasn’t covered by tests.
#112 fix a bug in the versioncheck integration tests, and a bug uncovered in versioncheck itself, both dealing with checkouts that are on a un-cloned branch.
#105 build and upload wheels in addition to sdist
#95 major refactor to convert AWS client library from boto to boto3. This also includes significant changes to the internal connection logic and some of the internal (private) API. Pagination has been moved to boto3 wherever possible, and handling of API request throttling has been removed from awslimitchecker, as boto3 handles this itself. This also introduces full, official support for python3.
Add separate localdocs tox env for generating documentation and updating output examples.
#113 update, expand and clarify documentation around threshold overrides; ignore some sites from docs linkcheck.
#114 expanded automatic integration tests
Please note that version 0.3.0 of awslimitchecker moved from using boto as its AWS API client to using boto3. This change is mostly transparent, but there is a minor change in how AWS credentials are handled. In boto, if the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables were set, and the region was not set explicitly via awslimitchecker, the AWS region would either be taken from the AWS_DEFAULT_REGION environment variable or would default to us-east-1, regardless of whether a configuration file (~/.aws/credentials or ~/.aws/config) was present. With boto3, it appears that the default region from the configuration file will be used if present, regardless of whether the credentials come from that file or from environment variables.

0.2.3 (2015-12-16)¶

PR #100 support MFA tokens when using STS assume role
#107 add support to explicitly disable pagination, and use for TrustedAdvisor to prevent pagination warnings

0.2.2 (2015-12-02)¶

#83 remove the “v” prefix from version tags so ReadTheDocs will build them automatically.
#21 run simple integration tests of -l and -u for commits to main repo branches.

0.2.1 (2015-12-01)¶

#101 Ignore stopped and terminated instances from EC2 Running On-Demand Instances usage count.
#47 In VersionCheck git -e tests, explicitly fetch git tags at beginning of test.

0.2.0 (2015-11-29)¶

#86 wrap all AWS API queries in awslimitchecker.utils.boto_query_wrapper to retry queries with an exponential backoff when API request throttling/rate limiting is encountered
Attempt at fixing #47 where versioncheck acceptance tests fail under TravisCI, when testing master after a tagged release (when there’s a tag for the current commit)
Fix #73 versioncheck.py reports incorrect information when package is installed in a virtualenv inside a git repository
Fix #87 run coverage in all unit test Tox environments, not a dedicated env
Fix #75 re-enable py26 Travis builds now that pytest-dev/pytest#1035 is fixed (pytest >= 2.8.3)
Fix #13 re-enable Sphinx documentation linkcheck
Fix #40 add support for pagination of API responses (to get all results) and handle pagination for all current services
Fix #88 add support for API-derived limits. This is a change to the public API for awslimitchecker.limit.AwsLimit and the CLI output.
Fix #72 add support for some new limits returned by Trusted Advisor. This renames the following limits: * EC2/EC2-VPC Elastic IPs to EC2/VPC Elastic IP addresses (EIPs) * RDS/Read Replicas per Master to RDS/Read replicas per master * RDS/Parameter Groups to RDS/DB parameter groups
Fix #84 pull some EC2 limits from the API’s DescribeAccountAttributes action
Fix #94 pull AutoScaling limits from the API’s DescribeAccountLimits action
Add autoscaling:DescribeAccountLimits and ec2:DescribeAccountAttributes to required IAM permissions.
Ignore AccountLimits objects from result pagination

0.1.3 (2015-10-04)¶

Update trove classifier Development Status in setup.py to Beta
Fix markup formatting issue in docs/source/getting_started.rst
temporarily disable py26 testenv in Travis; failing due to upstream bug https://github.com/pytest-dev/pytest/issues/1035
PR #64 and #68 - support [STS](http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html) and regions * Add support for passing in a region to connect to via -r / --region * Add support for using STS to check resources in another account, including support for external_id * Major refactor of how service classes connect to AWS API
#74 add support for EC2 t2.large instance type
#65 handle case where ElastiCache API returns CacheCluster response with CacheNodes None
#63 update Python usage documentation
#49 clean up badges in README.rst and sphinx index.rst; PyPi downloads and version badges broken (switch to shields.io)
#67 fix typo in required IAM policy; comma missing in list returned from _Ec2Service.required_iam_permissions()
#76 default limits for EBS volume usage were in TiB not GiB, causing invalid default limits on accounts without Trusted Advisor
Changes to some tests in test_versioncheck.py to aid in debugging #47 where Travis tests fail on master because of git tag from release (if re-run after release)

0.1.2 (2015-08-13)¶

#62 - For ‘RDS/DB snapshots per user’ limit, only count manual snapshots. (fix bug in fix for #54)

0.1.1 (2015-08-13)¶

#54 - For ‘RDS/DB snapshots per user’ limit, only count manual snapshots.
PR #58 - Fix issue where BotoServerError exception is unhandled when checking ElastiCache limits on new accounts without EC2-Classic.
#55 - use .version instead of .parsed_version to fix version information when using pip<6
#46 - versioncheck integration test fixes * Rename -integration tox environments to -versioncheck * Skip versioncheck git install integration tests on PRs, since they’ll fail
#56 - logging fixes * change the AGPL warning message to write directly to STDERR instead of logging * document logging configuration for library use * move boto log suppression from checker to runner
Add contributing docs

0.1.0 (2015-07-25)¶

initial released version