Skip to content

Latest commit

 

History

History
901 lines (649 loc) · 73.6 KB

CHANGES.rst

File metadata and controls

901 lines (649 loc) · 73.6 KB

Changelog

10.0.0 (2020-12-07)

IMPORTANT - Breaking Changes

  • This release makes significant changes to how Trusted Advisor is used; see below.
  • This release requires the following new IAM permissions: eks:ListClusters, eks:DescribeCluster, eks:ListNodegroups, eks:ListFargateProfiles, eks:DescribeFargateProfile, kinesis:DescribeLimits.
  • This release introduces a number of new limits, as well as new services. Please see below for details.
  • This release removes the EC2/Security groups per VPC limit, which no longer exists, and adds the new EC2/VPC security groups per Region limit.

All Changes

  • Issue #466 - Significant changes to Trusted Advisor support.
    • In June 2019, AWS announced the new Service Quotas service (great name) that allows us to retrieve limit/quota information from a unified API. In addition, many individual services now provide limit information via their own APIs. At this point (late 2020) all of the limit/quota information that was previously available via Trusted Advisor is now available via a combination of the individual service APIs and Service Quotas.
    • In February 2020, the layout of Trusted Advisor checks was changed, and the "Performance / Service Limits" check that we previously used to obtain limit information was moved to its own category in Trusted Advisor. While I can't confirm this, as far as I can tell, this change was only made in the standard AWS regions/partitions (i.e. not GovCloud or China).
    • awslimitchecker still has not been updated for this new Trusted Advisor layout.
    • This release disables Trusted Advisor by default outside China and GovCloud, as it provides no additional information outside of these regions/partitions.
    • If you are running in China or GovCloud and have issues with awslimitchecker retrieving information from Trusted Advisor, please open an issue.
    • My current intent is to leave Trusted Advisor support in this state until Service Quotas is available in China and GovCloud, at which point I plan on completely removing all Trusted Advisor support.
  • Migrate CI builds from travis-ci.org to travis-ci.com.
  • Issue #503 - Fix Units set to "None" error when retrieving load balancer data from Service Quotas. We now allow the (A|E)LB per Region quota with a unit of either "Count" (prior to November 2020) or "None" (November 2020 on).
  • Issue #489 / PR #490 - Add missing RDS limits: Manual Cluster Snapshots, Custom Endpoints Per DB Cluster, DB Instance Roles, and DB Cluster Roles. Thanks to sebasrp for this contribution!
  • Issue #472 / PR #494 - Add support for the EKS service, and 8 new limits for it. Thanks to sebasrp for this contribution!
  • Issue #495 / PR #496 - Add support for the Kinesis service, and one new limit for it. Thanks to sebasrp for this contribution!
  • PR #499 - Set quota_name for VPC "Entries per route table" limit, so that the current limit will be automatically retrieved from Service Quotas. Thanks to patuck for this contribution!
  • Issue #498 - Fix multiple issues relating to VPC limits:
    • Update the EC2 / Rules per VPC security group limit to support retrieving the current limit value from Service Quotas.
    • Remove the EC2/Security groups per VPC limit, which no longer exists.
    • Add the new EC2/VPC security groups per Region limit.
  • Issue #501 - Update VPC/Network interfaces per Region limit for new calculation method.
  • Issue #488 / PR #491 - Update new ElastiCache default limits. Thanks to sebasrp for this contribution!

9.0.0 (2020-09-22)

Important: This release requires new IAM permissions: sts:GetCallerIdentity and cloudwatch:GetMetricData

Important: This release includes updates for major changes to ECS limits, which includes the renaming of some existing limits.

  • Issue #477 - EC2 instances running on Dedicated Hosts (tenancy "host") or single-tenant hardware (tenancy "dedicated") do not count towards On-Demand Instances limits. They were previously being counted towards these limits; they are now excluded from the count. Thanks to pritam2277 for reporting this issue and providing details and test data.
  • Issue #477 - For all VPC resources that support the owner-id filter, supply that filter when describing them, set to the current account ID. This will prevent shared resources from other accounts from being counted against the limits. Thanks to pritam2277 for reporting this issue and providing details and test data.
  • Issue #475 - When an Alert Provider is used, only exit non-zero if an exception is encountered. Exit zero even if there are warnings and/or criticals. Thanks to varuzam for this feature request.
  • Issue #467 - Fix the Service Quotas quota name for VPC "NAT Gateways per AZ" limit. Thanks to xRokco for reporting this issue, as well as the required fix.
  • Issue #457 - In the required IAM permissions, replace support:* with the specific permissions that we need.
  • Issue #463 - Updates for the major changes to ECS limits in August 2020. Thanks to vincentclee for reporting this issue.
    • The EC2 Tasks per Service (desired count) limit has been replaced with Tasks per service, which measures the desired count of tasks of all launch types (EC2 or Fargate). The default value of this limit has increased from 1000 to 2000.
    • The default of Clusters has increased from 2,000 to 10,000.
    • The default of Services per Cluster has increased from 1,000 to 2,000.
    • The Fargate Tasks limit has been removed.
    • The Fargate On-Demand resource count limit has been added, with a default quota value of 500. This limit measures the number of ECS tasks and EKS pods running concurrently on Fargate. The current usage for this metric is obtained from CloudWatch.
    • The Fargate Spot resource count limit has been added, with a default quota value of 500. This limit measures the number of ECS tasks running concurrently on Fargate Spot. The current usage for this metric is obtained from CloudWatch.
  • Add internal helper method to :py:class:`~._AwsService` to get Service Quotas usage information from CloudWatch.

8.1.0 (2020-09-18)

  • PR #468 - Fix transposed headings in CLI Usage documentation. Thanks to @owenmann.
  • PR #470 - Fix new EBS "Active snapshots" limit (bumped from 10,000 to 100,000) and Quotas Service name. Thanks to @rashidamiri.
  • Issue #464 - Fix bug where SES was causing ConnectTimeoutError in some regions. This has been added to the list of SES exceptions that we catch and silently ignore. This is a new exception thrown by regions that do not have SES support.
  • Add .dockerignore file to make local builds quite a bit smaller.
  • Issue #465 - Fixed via versionfinder 1.1.1.
  • Internal testing changes:
    • Stop testing under Python 2.7 and Python 3.4.
    • Switch from deprecated pep8 / pytest-pep8 to pycodestyle / pytest-pycodestyle.
    • Pin pytest to <6.0.0 to avoid some breaking changes for now.
    • Switch integration test environment from Python 3.7 to Python 3.8.

8.0.2 (2020-03-03)

  • PR #458 - Fix for ZeroDivisionError on some Service Quotas limits that report as having a limit of zero. Thanks to @deimosfr.

8.0.1 (2019-12-28)

  • Fixes issue #453 - remove version constraint on dateutil dependency.
  • Fixes issue #454 - remove version constraint on botocore dependency.
  • Update tox docs, localdocs, and docker environments to use Python 3.8.
  • Fixes issue #451 - Fix default Rules Per VPC Security Group limit.

8.0.0 (2019-11-03)

Important: This release includes major changes to the EC2 On-Demand Instances service limits! For most users, this means the 175 Instance-type-specific limits will be removed and replaced with five (5) limits. Please see the :ref:`changelog.8_0_0_vcpu_limits` section below for further details, as this will especially impact anyone using limit or threshold overrides, or post-processing awslimitchecker's output. This is also a time to remind all users that this project adheres to a strict :ref:`development.versioning_policy` and if occasional breakage due to limit or IAM policy changes is unacceptable, you should pin to a major version.

Important: Python versions prior to 3.5, including 2.7, are now pending deprecation. As of January 1, 2020, they will no longer be tested or supported, and awslimitchecker will require Python 3.5 or newer. Please see below for details. Also take note that running via the official Docker image is a way to ensure the best version of Python is always used.

Important: This release requires a new IAM permission, servicequotas:ListServiceQuotas.

  • Issue #400 / PR #434 - Support GovCloud region and alternate partitions in STS assumed roles and Trusted Advisor. Thanks to @djkiourtsis.
  • Issue #432 - Update EC2 limit handling for new vCPU-based limits in regions other than cn-* and us-gov-* (which still use old per-instance-type limits). See :ref:`section below <changelog.8_0_0_vcpu_limits>` for further information. For regions other than cn-* and us-gov-*, this will remove all 175 Running On-Demand <type> instances and the Running On-Demand EC2 instances limit, and replace them with:
    • Running On-Demand All F instances
    • Running On-Demand All G instances
    • Running On-Demand All P instances
    • Running On-Demand All X instances
    • Running On-Demand All Standard (A, C, D, H, I, M, R, T, Z) instances
  • Issue #429 - add 87 missing EC2 instance types. This will now only impact cn-* and us-gov-* regions.
  • Issue #433 - Fix broken links in the docs; waffle.io and landscape.io are both gone, sadly.
  • Issue #441 - Fix critical bug where awslimitchecker would die with an unhandled botocore.exceptions.ParamValidationError exception in accounts that have Trusted Advisor but do not have a "Service Limits" check in the "performance" category.
  • Issue #439 - Fix unhandled exception in CloudTrail service when attempting to call GetEventSelectors on an Organization trail. When calling DescribeTrails, we will now pass includeShadowTrails as False, to not include replications of trails in different regions or organization trails in member accounts (relevant API documentation).
  • Issue #438 - Per PEP 373, Python 2.7 will officially end support on January 1, 2020. As such, and in keeping with reasoning explained at python3statement.org, awslimitchecker will stop supporting and testing against Python 2.7 on January 1, 2020. At that point, all new versions will be free to use Python features introduced in 3.5. As of this version, a PendingDeprecationWarning will be emitted when running awslimitchecker under Python 2.7.
  • Issue #437 - Per PEP 429, Python 3.4 reached end-of-life on March 18, 2019 and is now officially retired. Add a PendingDeprecationWarning for users running under this version, announcing that support for Python 3.4 will be removed on January 1, 2020.
  • In following with the above two issues, raise a DeprecationWarning when running on any Python2 version prior to 2.7 or any Python3 version prior to 3.4, in accorance with the published end-of-life dates of those versions.
  • Issue #436 - Begin testing under Python 3.8 and base our Docker image on python:3.8-alpine.
  • Issue #435 - Allow configuring the botocore maximum retries for Throttling / RateExceeded errors on a per-AWS-API basis via environment variables. See the relevant sections of the :ref:`CLI Usage <cli_usage.throttling>` or :ref:`Python Usage <python_usage.throttling>` documentation for further details.
  • Issue #431 - Fix a major under-calculation of usage for the EC2 Rules per VPC security group limit. We were previously calculating the number of "Rules" (from port / to port / protocol combinations) in a Security Group, but the limit is actually based on the number of permissions granted. See this comment on the issue for further details.
  • Issue #413 - Add support for retrieving limits from the new Service Quotas service where available. See the :ref:`changelog.8_0_0_service_quotas` section below for more information.
  • Bump boto3 minimum version requirement from 1.4.6 to 1.9.175 and botocore minimum version requirement from 1.6.0 to 1.12.175, in order to support Service Quotas.

New EC2 vCPU Limits

AWS has announced new, completely different handling of EC2 On-Demand Instances service limits. Instead of having a limit per instance type (currently 261 limits), there will now be only five limits, based on the number of vCPUs for instance families: one each for "F", "G", "P", and "X" family instances (defaulting to a total of 128 vCPUs each) and one limit for all other "Standard" instance families (currently A, C, D, H, I, M, R, T, and Z) defaulting to a combined total of 1152 vCPUs. Please see the link, and the EC2 On-Demand Instance Limits section of the AWS FAQ for further information.

This greatly simplifies handling of the EC2 On-Demand limits, but does mean that any existing code that references EC2 Running On-Demand limit names, including any limit and/or threshold overrides, will need to be updated for this change.

This change is only going into effect in the "standard" AWS regions/partitions, i.e. not in the China partition (cn- regions) or GovCloud (us-gov- regions). It is a phased rollout from October 24 to November 7, 2019 based on the first character of your account ID (see the "How will the transition to vCPU limits happen?" entry in the FAQ linked above for exact dates). Unfortunately, there is no clear way to determine via API if a given account is using the new vCPU limits or the old per-instance-type limits. As a result, and given that this release is being made already part-way through the rollout window, the current behavior of awslimitchecker is as follows:

  • When running against region names beginning with cn- or us-gov-, use the old per-instance-type limits, unless the USE_VCPU_LIMITS environment variable is set to true.
  • Otherwise use the new vCPU-based limits, unless the USE_VCPU_LIMITS environment variable is set to something other than true.

As such, if you install this release before November 7, 2019 and need to force your non-China, non-GovCloud accout to use the older per-instance-type limits, setting the USE_VCPU_LIMITS environment variable to false will accomplish this until your account switches over to the new vCPU limits. Alternatively, you can leave awslimitchecker as-is and accept possibly-slightly-inaccurate limit calculations for a few days.

Please also note that with the change to vCPU limits, there is no longer an overall Running On-Demand EC2 instances limit for accounts that use the new vCPU limits.

I have not yet implemented Trusted Advisor (TA) support for these new limits, as they're presented in a different category of Trusted Advisor checks from the previous EC2 limits. I'm not going to be implementing TA for these limits, in favor of spending the time instead on implementing Service Quotas support via Issue #413.

Calculation of current usage for the vCPU limits is based on the EC2 Optimizing CPU Options documentation which specifies, "The number of vCPUs for the instance is the number of CPU cores multiplied by the threads per core." The CpuOptions field of the EC2 DescribeInstances API specifies the core and thread count for each running instance.

Service Quotas

AWS' new Service Quotas service provides a unified interface to retrieve current limits from many AWS services. These limit values are second only to the services' own APIs (for the services that provide limit information via API), and are much more current and complete than the information provided by Trusted Advisor. The introduction of Service Quotas should greatly reduce the number of limits that need to be retrieved from Trusted Advisor or specified manually.

If you currently have any Limit Overrides set (via either the :ref:`CLI <cli_usage.limit_overrides>` or :ref:`Python API <python_usage.limit_overrides>`), please verify on the :ref:`limits` page whether Service Quotas data is now available for those limits. You should be able to remove manual overrides for the limits that now retrieve data from Service Quotas.

7.1.0 (2019-09-10)

7.0.0 (2019-08-13)

This release removes one limit and adds two new limits!

  • Issue #412 / PR #414 - Since some time in June 2019, the former ELB Service Active load balancers limit is now two separate limits, Classic load balancers and Application load balancers. Anyone who was using the "Active load balancers" limit name (e.g. in overrides or custom code) must update their code accordingly. This release removes the Active load balancers limit and adds two new limits, Classic load balancers and Application load balancers, to match how AWS now calculates and exposes these limits.
  • Issue #410 - Documentation fix for missing Trusted Advisor information on Limits page.
  • Fix some test failures related to exception objects in pytest 5.0.0.

6.1.7 (2019-05-17)

  • Issue #406 - Fix for unhandled exception when a Trusted Advisor check has a null timestamp.

6.1.6 (2019-04-19)

  • PR #402 - Add --skip-check command line option for ignoring specific checks based on service and check name. Thanks to @ddelnano.

6.1.5 (2019-03-06)

  • Issue #397 - Fix unhandled exception checking SES in some regions. Issue #375 in 6.0.1 handled an uncaught ClientError when checking SES in some regions, but some regions such as ap-southeast-2 are now returning a 503 Service Unavailable for SES instead. Handle this case as well. Thanks to @TimGebert for reporting the issue and bergkampsliew for verifying.

6.1.4 (2019-03-01)

  • PR #394 - Fix bug in calculation of VPC "Network interfaces per Region" limit, added in 6.1.0 (PR #379), that resulted in reporting the limit 5x lower than it actually is in some cases. Thanks to @TimGebert.

6.1.3 (2019-02-26)

6.1.2 (2019-02-19)

6.1.1 (2019-02-15)

6.1.0 (2019-01-30)

6.0.1 (2019-01-27)

6.0.0 (2019-01-01)

This release requires new IAM permissions:

  • lambda:GetAccountSettings

Important: This release removes the ApiGateway APIs per account limit in favor of more-specific limits; see below.

  • Issue #363 - Add support for the Lambda limits and usages.
  • Clarify support for "unlimited" limits (limits where :py:meth:`awslimitchecker.limit.AwsLimit.get_limit` returns None).
  • Add support for 26 new EC2 instance types.
  • Update default limits for ECS service.
  • ApiGateway service now has three ReST API limits (Regional API keys per account, Private API keys per account, and Edge API keys per account) in place of the previous single APIs per account to reflect the current documented service limits.
  • API Gateway service - add support for VPC Links per account limit.
  • Add support for Network Load Balancer limits Network load balancers and Listeners per network load balancer.
  • Add support for Application Load Balancer limits Certificates per application load balancer.
  • Add support for Classic ELB (ELBv1) Registered instances per load balancer limit.
  • Rename dev/terraform.py to dev/update_integration_iam_policy.py and move from using terraform to manage integration test IAM policy to pure Python.
  • Note that I've left out the Targets per application load balancer and Targets per network load balancer limits. Checking usage for these requires iterating over DescribeTargetHealth for each target group, so I've opted to leave it out at this time for performance reasons and because I'd guess that the number of people with 500 or 1000 targets per LB is rather small. Please open an issue if you'd like to see usage calculation for these limits.

Important Note on Limit Values

awslimitchecker has had documented support for Limits that are unlimited/"infinite" since 0.5.0 by returning None from :py:meth:`awslimitchecker.limit.AwsLimit.get_limit`. Until now, that edge case was only triggered when Trusted Advisor returned "Unlimited" for a limit. It will now also be returned for the Lambda service's Function Count Limit. Please be aware of this if you're using the Python API and assuming Limit values are all numeric.

If you are relying on the output format of the command line awslimitchecker script, please use the Python API instead.

5.1.0 (2018-09-23)

  • Issue #358 - Update EFS with new default limit for number of File systems: 70 in us-east-1 and 125 in other regions.
  • PR #359 - Add support for t3 EC2 instance types (thanks to chafouin).
  • Switch py37 TravisCI tests from py37-dev to py37 (release).

5.0.0 (2018-07-30)

This release requires new IAM permissions:

  • cloudtrail:DescribeTrails
  • cloudtrail:GetEventSelectors
  • route53:GetHostedZone
  • route53:ListHostedZones
  • route53:GetHostedZoneLimit

This release officially drops support for Python 2.6 and 3.3.

  • PR #345 / Issue #349 - Add Route53 service and checks for "Record sets per hosted zone" and "VPC associations per hosted zone" limits (the latter only for private zones). (thanks to julienduchesne).
  • Support Per-Resource Limits (see below). Note that this includes some changes to the ``awslimitchecker`` CLI output format and some minor API changes.
  • Issue #317 - Officially drop support for Python 2.6 and 3.3. Also, begin testing py37.
  • Issue #346 - Update documentation for S3 API calls made by ElasticBeanstalk while retrieving EB limits (thanks to fenichelar for finding this).
  • PR #350 - Add support for CloudTrail limits (thanks to fpiche).
  • Issue #352 - Update version check PyPI URL and set User-Agent when performing version check.
  • Issue #351 - Add support for forty two (42) missing EC2 instance types including the new c5d/m5d/r5d/z1d series instances.

Per-Resource Limits

Some Limits (:py:class:`~.AwsLimit`) now have limits/maxima that are per-resource rather than shared across all resources of a given type. The first limit of this kind that awslimitchecker supports is Route53, where the "Record sets per hosted zone" and "VPC associations per hosted zone" limits are set on a per-resource (per-zone) basis rather than globally to all zones in the account. Limits of this kind are also different since, as they are per-resource, they can only be enumerated at runtime. Supporting limits of this kind required some changes to the internals of awslimitchecker (specifically the :py:class:`~.AwsLimit` and :py:class:`~.AwsLimitUsage` classes) as well as to the output of the command line script/entrypoint.

For limits which support different maxima/limit values per-resource, the command line awslimitchecker script -l / --list-limits functionality will now display them in Service/Limit/ResourceID format, i.e.:

Route53/Record sets per hosted zone/foo.com                  10000 (API)
Route53/Record sets per hosted zone/bar.com                  10000 (API)
Route53/Record sets per hosted zone/local.                   15000 (API)
Route53/VPC associations per hosted zone/local.              100 (API)

As opposed to the Service/Limit format used for all existing limits, i.e.:

IAM/Groups             300 (API)
IAM/Instance profiles  2000 (API)

If you are relying on the output format of the command line awslimitchecker script, please use the Python API instead.

For users of the Python API, please take note of the new :py:meth:`.AwsLimit.has_resource_limits` and :py:meth:`~.AwsLimitUsage.get_maximum` methods which assist in how to identify limits that have per-resource maxima. Existing code that only surfaces awslimitchecker's warnings/criticals (the result of :py:meth:`~.AwsLimitChecker.check_thresholds`) will work without modification, but any code that displays or uses the current limit values themselves may need to be updated.

4.0.2 (2018-03-22)

This is a minor bugfix release for one issue:

  • Issue #341 - The Trusted Advisor EBS checks for General Purpose (SSD) volume storage (GiB) and Magnetic volume storage (GiB) have been renamed to to General Purpose SSD (gp2) volume storage (GiB) and Magnetic (standard) volume storage (GiB), respectively, to provide more unified naming. This change was made on March 19th or 20th without any public announcement, and resulted in awslimitchecker being unable to determine the current values for these limits from Trusted Advisor. Users relying on Trusted Advisor for these values saw the limit values incorrectly revert to the global default. This is an internal-only change to map the new Trusted Advisor check names to the awslimitchecker limit names.

4.0.1 (2018-03-09)

This is a minor bugfix release for a few issues that users have reported recently.

  • Fix Issue #337 where sometimes an account even with Business-level support will not have a Trusted Advisor result for the Service Limits check, and will return a result with status: not_available or a missing flaggedResources key.
  • Fix Issue #335 where runs against the EFS service in certain unsupported regions result in either a connection timeout or an AccessDeniedException.

4.0.0 (2018-02-17)

This release requires new IAM permissions:

  • ds:GetDirectoryLimits
  • ecs:DescribeClusters
  • ecs:DescribeServices
  • ecs:ListClusters
  • ecs:ListServices
  • Fix various docstring problems causing documentation build to fail.
  • PR #328 - Add support for Directory Service and ECS (thanks to di1214).
    • NOTE the "EC2 Tasks per Service (desired count)" limit uses non-standard resource IDs, as service names and ARNs aren't unique by account or region, but only by cluster. i.e. the only way to uniquely identify an ECS Service is by the combination of service and cluster. As such, the resource_id field for usage values of the "EC2 Tasks per Service (desired count)" limit is a string of the form cluster=CLUSTER-NAME; service=SERVICE-NAME.
  • PR #330 - Update numerous no-longer-correct default limits (thanks to GitHub user KingRogue).
    • AutoScaling
      • Auto Scaling groups - 20 to 200
      • Launch configurations - 100 to 200
    • EBS
      • Provisioned IOPS - 40000 to 200000
      • Provisioned IOPS (SSD) storage (GiB) - 20480 to 102400 (100 TiB)
      • General Purpose (SSD) volume storage (GiB) - 20480 to 102400 (100 TiB)
      • Throughput Optimized (HDD) volume storage (GiB) - 20480 to 307200 (300 TiB)
      • Cold (HDD) volume storage (GiB) - 20480 to 307200 (300 TiB)
    • ElasticBeanstalk
      • Applications - 25 to 75
      • Application versions - 500 to 1000
    • IAM
      • Groups - 100 to 300
      • Roles - 250 to 1000
      • Instance profiles - 100 to 1000
      • Policies - 1000 to 1500
  • Fix dev/terraform.py and dev/integration_test_iam.tf for integration tests.
  • Fix date and incorrect project name in some file/copyright headers.
  • Issue #331 - Change layout of the generated Supported Limits documentation page to be more clear about which limits are supported, and include API and Trusted Advisor data in the same table as the limits and their defaults.

3.0.0 (2017-12-02)

Important Notice for python 2.6 and 3.3 users:

Python 2.6 reached its end of life in October 2013. Python 3.3 officially reached its end of life in September 2017, five years after development was ceased. The test framework used by awslimitchecker, pytest, has dropped support for Python 2.6 and 3.3 in its latest release. According to the PyPI download statistics (which unfortunately don't take into account mirrors or caching proxies), awslimitchecker has only ever had one download reported as Python 3.3 and has a very, very small number reporting as Python 2.6 (likely only a handful of users). The next release of awslimitchecker will officially drop support for Python 2.6 and 3.3, changing the required Python version to 2.7 or >= 3.4. If you are one of the very few (perhaps only one) users running on Python 2.6, you can either run with a newer Python version or see Issue 301 for information on building a Docker container based on Python 3.5.

  • Fix test failures caused by dependency updates.
  • Pin pytest development to 3.2.5 to continue python 2.6 and 3.3 support.
  • Issue #314 - Update RDS service default limits; DB snapshots per user default limit increased from 50 to 100 and Subnet Groups limit increased from 20 to 50. This should not have affected any users, as these limits are retrieved in realtime via the RDS API.
  • Issue #293 - Increase maximum number of retries (boto3/botocore) for elbv2 API calls, to attempt to deal with the large number of calls we have to make in order to count the ALB listeners and rules. This requires botocore >= 1.6.0, which requires boto3 >= 1.4.6.
  • Issue #315 - Add new instance types: 'c5.18xlarge', 'c5.2xlarge', 'c5.4xlarge', 'c5.9xlarge', 'c5.large', 'c5.xlarge', 'g3.16xlarge', 'g3.4xlarge', 'g3.8xlarge', 'h1.16xlarge', 'h1.2xlarge', 'h1.4xlarge', 'h1.8xlarge', 'm5.12xlarge', 'm5.24xlarge', 'm5.2xlarge', 'm5.4xlarge', 'm5.large', 'm5.xlarge', 'p3.16xlarge', 'p3.2xlarge', 'p3.8xlarge', 'x1e.32xlarge', 'x1e.xlarge'
  • Issue #316 - Automate release process.

2.0.0 (2017-10-12)

  • Update README with correct boto version requirement. (Thanks to nadlerjessie for the contribution.)
  • Update minimum boto3 version requirement from 1.2.3 to 1.4.4; the code for Issue #268 released in 0.11.0 requires boto3 >= 1.4.4 to make the ElasticLoadBalancing DescribeAccountLimits call.
  • Bug fix for "Running On-Demand EC2 instances" limit - Issue #308 - The fix for Issue #215 / PR #223, released in 0.6.0 on November 11, 2016 was based on incorrect information about how Regional Benefit Reserved Instances (RIs) impact the service limit. The code implemented at that time subtracted Regional Benefit RIs from the count of running instances that we use to establish usage. Upon further review, as well as confirmation from AWS Support, some AWS TAMs, and the relevant AWS documentation, only Zonal RIs (AZ-specific) are exempt from the Running On-Demand Instances limit. Regional Benefit RIs are counted the same as any other On-Demand Instances, as they don't have reserved capacity. This release stops subtracting Regional Benefit RIs from the count of Running Instances, which was causing awslimitchecker to report inaccurately low Running Instances usage.

1.0.0 (2017-09-21)

This release requires new IAM permissions:

  • apigateway:GET
  • apigateway:HEAD
  • apigateway:OPTIONS
  • ec2:DescribeVpnGateways
  • dynamodb:DescribeLimits
  • dynamodb:DescribeTable
  • dynamodb:ListTables

Changes in this release:

0.11.0 (2017-08-06)

This release requires new IAM permissions:

  • elasticfilesystem:DescribeFileSystems
  • elasticloadbalancing:DescribeAccountLimits
  • elasticloadbalancing:DescribeListeners
  • elasticloadbalancing:DescribeTargetGroups
  • elasticloadbalancing:DescribeRules

Changes in this release:

  • Issue #287 / PR #288 - Add support for Elastic Filesystem number of filesystems limit. (Thanks to nicksantamaria for the contribution.)
  • Issue #268 - Add support for ELBv2 (Application Load Balancer) limits; get ELBv1 (Classic) and ELBv2 (Application) limits from the DescribeAccountLimits API calls.

0.10.0 (2017-06-25)

This release removes the ElastiCache Clusters limit, which no longer exists.

  • Issue #283 - Add gitter.im chat link to README and docs.
  • Issue #282 - versionfinder caused awslimitchecker to die unexpectedly on systems without a git binary on the PATH. Bump versionfinder requirement to >= 0.1.1.
  • Issue #284 - Fix ElastiCache limits to reflect what AWS Support and the current documentation say, instead of a support ticket from July 2015.
    • Remove the "Clusters" limit, which no longer exists.
    • "Nodes per Cluster" limit is Memcached only.
    • Add "Subnets per subnet group" limit.
  • Issue #279 - Add Github release to release process.

0.9.0 (2017-06-11)

  • Issue #269 - set Trusted Advisor limit name overrides for some RDS limits that were recently added to TA, but with different names than what awslimitchecker uses.
  • Fix bug Issue #270 - do not count propagated routes towards the VPC "Entries per route table" limit, per clarification in VPC service limits documentation ("This is the limit for the number of non-propagated entries per route table.")
  • PR #276 / Issue #275 - Add new --skip-service CLI option and AwsLimitChecker.remove_services to allow skipping of one or more specific services during runs. (Thanks to tamsky for this contribution.)
  • PR #274 / Issue #273 - Add support for new i3 EC2 Instance types. (Thanks to tamsky) for this contribution.)
  • Fix broken docs build due to changes Intersphinx reference to ValueError in python2 docs
  • Add hack to docs/source/conf.py as workaround for sphinx-doc/sphinx#3860
  • Issue #267 - Firehose is only available in us-east-1, us-west-2 and eu-west-1. Omit the traceback from the log message for Firehose EndpointConnectionError and log at warning instead of error.

0.8.0 (2017-03-11)

This release includes a breaking API change. Please see the first bullet point below. Note that once 1.0.0 is released (which should be relatively soon), such API changes will only come with a major version increment.

This release requires new IAM permissions: redshift:DescribeClusterSnapshots and redshift:DescribeClusterSubnetGroups.

This release removes Python 3.2 support. This was deprecated in 0.7.0. As of this release, awslimitchecker may still work on Python 3.2, but it is no longer tested and any support tickets or bug reports specific to 3.2 will be closed.

  • PR #250 - Allow the --service command line option to accept multiple values. This is a breaking public API change; the awslimitchecker.checker.AwsLimitChecker check_thresholds, find_usage, and get_limits methods now take an optional service list keyword argument instead of a string for a single service name.
  • PR #251 - Handle GovCloud-specific edge cases; specifically, UnsupportedOperation errors for EC2 Spot Instance-related API calls, and limits returned as 0 by the DescribeAccountAttributes EC2 API action.
  • PR #249 - Add support for RedShift limits (Redshift subnet groups and Redshift manual snapshots). This requires the redshift:DescribeClusterSnapshots and redshift:DescribeClusterSubnetGroups IAM permissions.
  • Issue #259 - remove duplicates from required IAM policy returned by awslimitchecker.checker.AwsLimitChecker.get_required_iam_policy and awslimitchecker --iam-policy.
  • Various TravisCI/tox build fixes:
    • Fix pip caching; use default pip cache directory
    • Add python 3.6 tox env and Travis env, now that it's released
    • Switch integration3 tox env from py3.4 to py3.6
  • PR #256 - Add example of wrapping awslimitchecker in a script to send metrics to Prometheus.
  • Issue #236 - Drop support for Python 3.2; stop testing under py32.
  • Issue #257 - Handle ElastiCache DescribeCacheCluster responses that are missing CacheNodes key in a cluster description.
  • Issue #200 - Remove EC2 Spot Instances/Fleets limits from experimental status.
  • Issue #123 - Update documentation on using session tokens (Session or Federation temporary creds).

0.7.0 (2017-01-15)

This release deprecates support for Python 3.2. It will be removed in the next release.

This release introduces support for automatically refreshing Trusted Advisor checks on accounts that support this. If you use this new feature, awslimitchecker will require a new permission, trustedadvisor:RefreshCheck. See Getting Started - Trusted Advisor for further information.

  • #231 - add support for new f1, r4 and t2.(xlarge|2xlarge) instance types, introduced in November 2016.
  • #230 - replace the built-in versioncheck.py with versionfinder. Remove all of the many versioncheck tests.
  • #233 - refactor tests to replace yield-based tests with parametrize, as yield-based tests are deprecated and will be removed in pytest 4.
  • #235 - Deprecate Python 3.2 support. There don't appear to have been any downloads on py32 in the last 6 months, and the effort to support it is too high.
  • A bunch of Sphinx work to use README.rst in the generated documentation.
  • Changed DEBUG-level logging format to include timestamp.
  • #239 - Support refreshing Trusted Advisor check results during the run, and optionally waiting for refresh to finish. See Getting Started - Trusted Advisor for further information.
  • #241 / PR #242 - Fix default ElastiCache/Nodes limit from 50 to 100, as that's now what the docs say.
  • #220 / PR #243 / PR #245 - Fix for ExpiredTokenException Errors. awslimitchecker.connectable.credentials has been removed. In previous releases, awslimitchecker had been using a Connectable.credentials class attribute to store AWS API credentials and share them between Connectable subclass instances. The side-effect of this was that AWS credentials were set at the start of the Python process and never changed. For users taking advantage of the Python API and either using short-lived STS credentials or using long-running or threaded implementations, the same credentials persisted for the life of the process, and would often result in ExpiredTokenExceptions. The fix was to move _boto_conn_kwargs and _get_sts_token from connectable to the top-level AwsLimitChecker class itself, get the value of the _boto_conn_kwargs property in the constructor, and pass that value in to all Connectable subclasses. This means that each instance of AwsLimitChecker has its own unique connection-related kwargs and credentials, and constructing a new instance will work intuitively - either use the newly-specified credentials, or regenerate STS credentials if configured to use them. I have to extend my deepest gratitude to the folks who identified and fixed this issue, specifically cstewart87 for the initial bug report and description, aebie for the tireless and relentlessly thorough investigation and brainstorming and for coordinating work for a fix, and willusher for the final implementation and dealing (wonderfully) with the dizzying complexity of many of the unit tests (and even matching the existing style).

0.6.0 (2016-11-12)

This release has a breaking change. The VPC NAT gateways has been renamed to NAT Gateways per AZ and its get_current_usage() method will now return a list with multiple items. See the changelog entry for #214 below.

This release requires the following new IAM permissions to function:

  • firehose:ListDeliveryStreams
  • #217 - add support for new/missing EC2 instance types: m4.16xlarge, x1.16xlarge, x1.32xlarge, p2.xlarge, p2.8xlarge, p2.16xlarge.
  • #215 - support "Regional Benefit" Reserved Instances that have no specific AZ set on them. Per AWS, these are exempt from On-Demand Running Instances limits like all other RIs.
  • #214 - The VPC "NAT gateways" limit incorrectly calculated usage for the entire region, while the limit is actually per-AZ. It also had strange capitalization that confused users. The name has been changed to "NAT Gateways per AZ" and the usage is now correctly calculated per-AZ instead of region-wide.
  • #221 / PR #222 - Fix bug in handling of STS Credentials where they are cached permanently in connectable.Connectable.credentials, and new AwsLimitChecker instances in the same Python process reuse the first set of STS credentials. This is fixed by storing the Account ID as part of connectable.ConnectableCredentials and getting new STS creds if the cached account ID does not match the current account_id on the Connectable object.
  • PR #216 - add new "Firehose" service with support for "Delivery streams per region" limit.
  • #213 / PR #188 - support AWS cross-sdk credential file profiles via -P / --profile, like awscli.

0.5.1 (2016-09-25)

This release requires the following new IAM permissions to function:

  • ec2:DescribeSpot* or more specifically:
    • ec2:DescribeSpotDatafeedSubscription
    • ec2:DescribeSpotFleetInstances
    • ec2:DescribeSpotFleetRequestHistory
    • ec2:DescribeSpotFleetRequests
    • ec2:DescribeSpotInstanceRequests
    • ec2:DescribeSpotPriceHistory
  • ec2:DescribeNatGateways
  • #51 / PR #201 - Add experimental support for Spot Instance and Spot Fleet limits (only the ones explicitly documented by AWS). This is currently experimental, as the documentation is not terribly clear or detailed, and the author doesn't have access to any accounts that make use of spot instances. This will be kept experimental until multiple users validate it. For more information, see the EC2 limit documentation.
  • PR #204 contributed by hltbra to add support for VPC NAT Gateways limit.
  • Add README and Docs link to waffle.io board.
  • Fix bug where --skip-ta command line flag was ignored in :py:meth:`~.Runner.show_usage` (when running with -u / --show-usage action).
  • Add link to waffle.io Kanban board
  • #202 - Adds management of integration test IAM policy via Terraform.
  • #211 - Add working download stats to README and docs
  • Fix broken landscape.io badges in README and docs
  • #194 - On Limits page of docs, clarify that Running On-Demand Instances does not include Reserved Instances.
  • Multiple tox.ini changes:
    • simplify integration and unit/versioncheck testenv blocks using factors and reuse
    • py26 testenv was completely unused, and py26-unit was running and working with mock==2.0.0
    • use pytest<3.0.0 in py32 envs
  • #208 - fix KeyError when timestamp key is missing from TrustedAdvisor check result dict

0.5.0 (2016-07-06)

This release includes a change to awslimitchecker's Python API. awslimitchecker.limit.AwsLimit.get_limit can now return either an int or None, as TrustedAdvisor now lists some service limits as being explicitly "unlimited".

  • #195 - Handle TrustedAdvisor explicitly reporting some limits as "unlimited". This introduces the concept of unlimited limits, where the effective limit is None.

0.4.4 (2016-06-27)

  • PR #190 / #189 - Add support for EBS st1 and sc1 volume types (adds "EBS/Throughput Optimized (HDD) volume storage (GiB)" and "EBS/Cold (HDD) volume storage (GiB)" limits).

0.4.3 (2016-05-08)

0.4.2 (2016-04-27)

This release requires the following new IAM permissions to function:

  • elasticbeanstalk:DescribeApplications
  • elasticbeanstalk:DescribeApplicationVersions
  • elasticbeanstalk:DescribeEnvironments
  • #70 Add support for ElasicBeanstalk service.
  • #177 Integration tests weren't being properly skipped for PRs.
  • #175 the simplest and most clear contributor license agreement I could come up with.
  • #172 add an integration test running against sa-east-1, which has fewer services than the popular US regions.

0.4.1 (2016-03-15)

  • #170 Critical bug fix in implementation of #71 - SES only supports three regions (us-east-1, us-west-2, eu-west-1) and causes an unhandled connection error if used in another region.

0.4.0 (2016-03-14)

This release requires the following new IAM permissions to function:

  • rds:DescribeAccountAttributes
  • iam:GetAccountSummary
  • s3:ListAllMyBuckets
  • ses:GetSendQuota
  • cloudformation:DescribeAccountLimits
  • cloudformation:DescribeStacks

Issues addressed:

  • #150 add CHANGES.rst to Sphinx docs

  • #85 and #154

    • add support for RDS 'DB Clusters' and 'DB Cluster Parameter Groups' limits
    • use API to retrieve RDS limits
    • switch RDS from calculating usage to using the DescribeAccountAttributes usage information, for all limits other than those which are per-resource and need resource IDs (Max auths per security group, Read replicas per master, Subnets per Subnet Group)
    • awslimitchecker now requires an additional IAM permission, rds:DescribeAccountAttributes
  • #157 fix for TrustedAdvisor polling multiple times - have TA set an instance variable flag when it updates services after a poll, and skip further polls and updates if the flag is set. Also add an integration test to confirm this.

  • #50 Add support for IAM service with a subset of its limits (Groups, Instance Profiles, Policies, Policy Versions In Use, Roles, Server Certificates, Users), using both limits and usage information from the GetAccountSummary API action. This requires an additional IAM permission, iam:GetAccountSummary.

  • #48 Add support for S3 Buckets limit. This requires an additional IAM permission, s3:ListAllMyBuckets.

  • #71 Add support for SES service (daily sending limit). This requires an additional IAM permission, ses:GetSendQuota.

  • #69 Add support for CloudFormation service Stacks limit. This requires additional IAM permissions, cloudformation:DescribeAccountLimits and cloudformation:DescribeStacks.

  • #166 Speed up TravisCI tests by dropping testing for PyPy and PyPy3, and only running the -versioncheck tests for two python interpreters instead of 8.

0.3.2 (2016-03-11)

  • #155 Bug fix for uncaught KeyError on accounts with Trusted Advisor (business-level support and above). This was caused by an undocumented change released by AWS between Thu, 10 Mar 2016 07:00:00 GMT and Fri, 11 Mar 2016 07:00:00 GMT, where five new IAM-related checks were introduced that lack the region data field (which the TrustedAdvisorResourceDetail API docs still list as a required field).

0.3.1 (2016-03-04)

  • #117 fix Python 3.5 TravisCI tests and re-enable automatic testing for 3.5.
  • #116 add t2.nano EC2 instance type; fix typo - "m4.8xlarge" should have been "m4.10xlarge"; update default limits for m4.(4|10)xlarge
  • #134 Minor update to project description in docs and setup.py; use only _VERSION (not git) when building in RTD; include short description in docs HTML title; set meta description on docs index.rst.
  • #128 Update Development and Getting Help documentation; add GitHub CONTRIBUTING.md file with link back to docs, as well as Issue and PR templates.
  • #131 Refactor TrustedAdvisor interaction with limits for special naming cases (limits where the TrustedAdvisor service or limit name doesn't match that of the awslimitchecker limit); enable newly-available TrustedAdvisor data for some EC2 on-demand instance usage.

0.3.0 (2016-02-18)

  • Add coverage for one code branch introduced in PR #100 that wasn't covered by tests.
  • #112 fix a bug in the versioncheck integration tests, and a bug uncovered in versioncheck itself, both dealing with checkouts that are on a un-cloned branch.
  • #105 build and upload wheels in addition to sdist
  • #95 major refactor to convert AWS client library from boto to boto3. This also includes significant changes to the internal connection logic and some of the internal (private) API. Pagination has been moved to boto3 wherever possible, and handling of API request throttling has been removed from awslimitchecker, as boto3 handles this itself. This also introduces full, official support for python3.
  • Add separate localdocs tox env for generating documentation and updating output examples.
  • #113 update, expand and clarify documentation around threshold overrides; ignore some sites from docs linkcheck.
  • #114 expanded automatic integration tests
  • Please note that version 0.3.0 of awslimitchecker moved from using boto as its AWS API client to using boto3. This change is mostly transparent, but there is a minor change in how AWS credentials are handled. In boto, if the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables were set, and the region was not set explicitly via awslimitchecker, the AWS region would either be taken from the AWS_DEFAULT_REGION environment variable or would default to us-east-1, regardless of whether a configuration file (~/.aws/credentials or ~/.aws/config) was present. With boto3, it appears that the default region from the configuration file will be used if present, regardless of whether the credentials come from that file or from environment variables.

0.2.3 (2015-12-16)

  • PR #100 support MFA tokens when using STS assume role
  • #107 add support to explicitly disable pagination, and use for TrustedAdvisor to prevent pagination warnings

0.2.2 (2015-12-02)

  • #83 remove the "v" prefix from version tags so ReadTheDocs will build them automatically.
  • #21 run simple integration tests of -l and -u for commits to main repo branches.

0.2.1 (2015-12-01)

  • #101 Ignore stopped and terminated instances from EC2 Running On-Demand Instances usage count.
  • #47 In VersionCheck git -e tests, explicitly fetch git tags at beginning of test.

0.2.0 (2015-11-29)

  • #86 wrap all AWS API queries in awslimitchecker.utils.boto_query_wrapper to retry queries with an exponential backoff when API request throttling/rate limiting is encountered
  • Attempt at fixing #47 where versioncheck acceptance tests fail under TravisCI, when testing master after a tagged release (when there's a tag for the current commit)
  • Fix #73 versioncheck.py reports incorrect information when package is installed in a virtualenv inside a git repository
  • Fix #87 run coverage in all unit test Tox environments, not a dedicated env
  • Fix #75 re-enable py26 Travis builds now that pytest-dev/pytest#1035 is fixed (pytest >= 2.8.3)
  • Fix #13 re-enable Sphinx documentation linkcheck
  • Fix #40 add support for pagination of API responses (to get all results) and handle pagination for all current services
  • Fix #88 add support for API-derived limits. This is a change to the public API for awslimitchecker.limit.AwsLimit and the CLI output.
  • Fix #72 add support for some new limits returned by Trusted Advisor. This renames the following limits: * EC2/EC2-VPC Elastic IPs to EC2/VPC Elastic IP addresses (EIPs) * RDS/Read Replicas per Master to RDS/Read replicas per master * RDS/Parameter Groups to RDS/DB parameter groups
  • Fix #84 pull some EC2 limits from the API's DescribeAccountAttributes action
  • Fix #94 pull AutoScaling limits from the API's DescribeAccountLimits action
  • Add autoscaling:DescribeAccountLimits and ec2:DescribeAccountAttributes to required IAM permissions.
  • Ignore AccountLimits objects from result pagination

0.1.3 (2015-10-04)

  • Update trove classifier Development Status in setup.py to Beta
  • Fix markup formatting issue in docs/source/getting_started.rst
  • temporarily disable py26 testenv in Travis; failing due to upstream bug pytest-dev/pytest#1035
  • PR #64 and #68 - support [STS](http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html) and regions * Add support for passing in a region to connect to via -r / --region * Add support for using STS to check resources in another account, including support for external_id * Major refactor of how service classes connect to AWS API
  • #74 add support for EC2 t2.large instance type
  • #65 handle case where ElastiCache API returns CacheCluster response with CacheNodes None
  • #63 update Python usage documentation
  • #49 clean up badges in README.rst and sphinx index.rst; PyPi downloads and version badges broken (switch to shields.io)
  • #67 fix typo in required IAM policy; comma missing in list returned from _Ec2Service.required_iam_permissions()
  • #76 default limits for EBS volume usage were in TiB not GiB, causing invalid default limits on accounts without Trusted Advisor
  • Changes to some tests in test_versioncheck.py to aid in debugging #47 where Travis tests fail on master because of git tag from release (if re-run after release)

0.1.2 (2015-08-13)

  • #62 - For 'RDS/DB snapshots per user' limit, only count manual snapshots. (fix bug in fix for #54)

0.1.1 (2015-08-13)

  • #54 - For 'RDS/DB snapshots per user' limit, only count manual snapshots.
  • PR #58 - Fix issue where BotoServerError exception is unhandled when checking ElastiCache limits on new accounts without EC2-Classic.
  • #55 - use .version instead of .parsed_version to fix version information when using pip<6
  • #46 - versioncheck integration test fixes * Rename -integration tox environments to -versioncheck * Skip versioncheck git install integration tests on PRs, since they'll fail
  • #56 - logging fixes * change the AGPL warning message to write directly to STDERR instead of logging * document logging configuration for library use * move boto log suppression from checker to runner
  • Add contributing docs

0.1.0 (2015-07-25)

  • initial released version