compliance/aws/disallowed_regions/aws_disallowed_regions.pt

name "AWS Disallowed Regions"
rs_pt_ver 20180301
type "policy"
short_description "Check for instances that are outside of an allowed region with the option to stop or terminate them. See the [README](https://github.com/flexera-public/policy_templates/tree/master/compliance/aws/disallowed_regions) and [docs.flexera.com/flexera/EN/Automation](https://docs.flexera.com/flexera/EN/Automation/AutomationGS.htm) to learn more."
long_description ""
category "Compliance"
severity "low"
default_frequency "weekly"
info(
  version: "5.0.2",
  provider: "AWS",
  service: "Compute",
  policy_set: "Disallowed Regions",
  hide_skip_approvals: "true"
)

###############################################################################
# Parameters
###############################################################################

parameter "param_email" do
  type "list"
  category "Policy Settings"
  label "Email Addresses"
  description "Email addresses of the recipients you wish to notify when new incidents are created"
  default []
end

parameter "param_aws_account_number" do
  type "string"
  category "Policy Settings"
  label "Account Number"
  description "Leave blank; this is for automated use with Meta Policies. See README for more details."
  default ""
end

parameter "param_exclusion_tags" do
  type "list"
  category "Filters"
  label "Exclusion Tags (Key:Value)"
  description "Cloud native tags to ignore resources that you don't want to produce recommendations for. Use Key:Value format for specific tag key/value pairs, and Key:* format to match any resource with a particular key, regardless of value. Examples: env:production, DO_NOT_DELETE:*"
  allowed_pattern /(^$)|[\w]*\:.*/
  default []
end

parameter "param_regions_disallow_or_allow" do
  type "string"
  category "Filters"
  label "Disallow/Allow Regions"
  description "Disallow or Allow entered regions. See the README for more details"
  allowed_values "Disallow", "Allow"
  default "Disallow"
end

parameter "param_regions_list" do
  type "list"
  category "Filters"
  label "Disallow/Allow Regions List"
  description "A list of disallowed or allowed regions. See the README for more details"
  allowed_pattern /^[a-z]{2}(-gov)?-[a-z]+-[0-9]+$/
  default []
end

parameter "param_automatic_action" do
  type "list"
  category "Actions"
  label "Automatic Actions"
  description "When this value is set, this policy will automatically take the selected action(s)"
  allowed_values ["Stop Instances", "Terminate Instances"]
  default []
end

###############################################################################
# Authentication
###############################################################################

credentials "auth_aws" do
  schemes "aws", "aws_sts"
  label "AWS"
  description "Select the AWS Credential from the list"
  tags "provider=aws"
  aws_account_number $param_aws_account_number
end

credentials "auth_flexera" do
  schemes "oauth2"
  label "Flexera"
  description "Select Flexera One OAuth2 credentials"
  tags "provider=flexera"
end

###############################################################################
# Pagination
###############################################################################

###############################################################################
# Datasources & Scripts
###############################################################################

# Get applied policy metadata for use later
datasource "ds_applied_policy" do
  request do
    auth $auth_flexera
    host rs_governance_host
    path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", policy_id])
    header "Api-Version", "1.0"
  end
end

# Get region-specific Flexera API endpoints
datasource "ds_flexera_api_hosts" do
  run_script $js_flexera_api_hosts, rs_optima_host
end

script "js_flexera_api_hosts", type: "javascript" do
  parameters "rs_optima_host"
  result "result"
  code <<-'EOS'
  host_table = {
    "api.optima.flexeraeng.com": {
      flexera: "api.flexera.com",
      fsm: "api.fsm.flexeraeng.com"
    },
    "api.optima-eu.flexeraeng.com": {
      flexera: "api.flexera.eu",
      fsm: "api.fsm-eu.flexeraeng.com"
    },
    "api.optima-apac.flexeraeng.com": {
      flexera: "api.flexera.au",
      fsm: "api.fsm-apac.flexeraeng.com"
    }
  }

  result = host_table[rs_optima_host]
EOS
end

# Get AWS account info
datasource "ds_cloud_vendor_accounts" do
  request do
    auth $auth_flexera
    host val($ds_flexera_api_hosts, 'flexera')
    path join(["/finops-analytics/v1/orgs/", rs_org_id, "/cloud-vendor-accounts"])
    header "Api-Version", "1.0"
  end
  result do
    encoding "json"
    collect jmes_path(response, "values[*]") do
      field "id", jmes_path(col_item, "aws.accountId")
      field "name", jmes_path(col_item, "name")
      field "tags", jmes_path(col_item, "tags")
    end
  end
end

datasource "ds_get_caller_identity" do
  request do
    auth $auth_aws
    host "sts.amazonaws.com"
    path "/"
    query "Action", "GetCallerIdentity"
    query "Version", "2011-06-15"
    header "User-Agent", "RS Policies"
  end
  result do
    encoding "xml"
    collect xpath(response, "//GetCallerIdentityResponse/GetCallerIdentityResult") do
      field "account", xpath(col_item, "Account")
    end
  end
end

datasource "ds_aws_account" do
  run_script $js_aws_account, $ds_cloud_vendor_accounts, $ds_get_caller_identity
end

script "js_aws_account", type:"javascript" do
  parameters "ds_cloud_vendor_accounts", "ds_get_caller_identity"
  result "result"
  code <<-'EOS'
  result = _.find(ds_cloud_vendor_accounts, function(account) {
    return account['id'] == ds_get_caller_identity[0]['account']
  })

  // This is in case the API does not return the relevant account info
  if (result == undefined) {
    result = {
      id: ds_get_caller_identity[0]['account'],
      name: "",
      tags: {}
    }
  }
EOS
end

datasource "ds_describe_regions" do
  request do
    auth $auth_aws
    host "ec2.amazonaws.com"
    path "/"
    query "Action", "DescribeRegions"
    query "Version", "2016-11-15"
    query "Filter.1.Name", "opt-in-status"
    query "Filter.1.Value.1", "opt-in-not-required"
    query "Filter.1.Value.2", "opted-in"
    # Header X-Meta-Flexera has no affect on datasource query, but is required for Meta Policies
    # Forces `ds_is_deleted` datasource to run first during policy execution
    header "Meta-Flexera", val($ds_is_deleted, "path")
  end
  result do
    encoding "xml"
    collect xpath(response, "//DescribeRegionsResponse/regionInfo/item", "array") do
      field "region", xpath(col_item, "regionName")
    end
  end
end

datasource "ds_regions" do
  run_script $js_regions, $ds_describe_regions, $param_regions_list, $param_regions_disallow_or_allow
end

script "js_regions", type:"javascript" do
  parameters "ds_describe_regions", "param_regions_list", "param_regions_disallow_or_allow"
  result "result"
  code <<-'EOS'
  result = []

  // Inverted from other policies since we're looking for instances outside of these regions
  allow_deny_test = { "Allow": false, "Disallow": true }

  if (param_regions_list.length > 0) {
    result = _.filter(ds_describe_regions, function(item) {
      return _.contains(param_regions_list, item['region']) == allow_deny_test[param_regions_disallow_or_allow]
    })
  }
EOS
end

datasource "ds_instance_sets" do
  iterate $ds_regions
  request do
    auth $auth_aws
    host join(['ec2.', val(iter_item, 'region'), '.amazonaws.com'])
    path '/'
    query 'Action', 'DescribeInstances'
    query 'Version', '2016-11-15'
    query 'Filter.1.Name', 'instance-state-name'
    query 'Filter.1.Value.1', 'running'
    header 'User-Agent', 'RS Policies'
    header 'Content-Type', 'text/xml'
  end
  result do
    encoding "xml"
    collect xpath(response, "//DescribeInstancesResponse/reservationSet/item", "array") do
      field "instances_set" do
        collect xpath(col_item,"instancesSet/item","array") do
          field "region", val(iter_item, "region")
          field "instanceId", xpath(col_item, "instanceId")
          field "imageId", xpath(col_item, "imageId")
          field "resourceType", xpath(col_item, "instanceType")
          field "platform", xpath(col_item, "platformDetails")
          field "privateDnsName", xpath(col_item, "privateDnsName")
          field "launchTime", xpath(col_item, "launchTime")
          field "tags" do
            collect xpath(col_item, "tagSet/item", "array") do
              field "key", xpath(col_item, "key")
              field "value", xpath(col_item, "value")
            end
          end
        end
      end
    end
  end
end

datasource "ds_instances" do
  run_script $js_instances, $ds_instance_sets, $param_exclusion_tags
end

script "js_instances", type: "javascript" do
  parameters "ds_instance_sets", "param_exclusion_tags"
  result "result"
  code <<-'EOS'
  result = []

  _.each(ds_instance_sets, function(item) {
    if (param_exclusion_tags.length > 0) {
      filtered_instances = _.reject(item['instances_set'], function(instance) {
        instance_tags = []

        if (instance['tags'] != null && instance['tags'] != undefined) {
          _.each(instance['tags'], function(tag) {
            instance_tags.push([tag['key'], tag['value']].join(':'))
            instance_tags.push([tag['key'], '*'].join(':'))
          })
        }

        exclude_instance = false

        _.each(param_exclusion_tags, function(exclusion_tag) {
          if (_.contains(instance_tags, exclusion_tag)) {
            exclude_instance = true
          }
        })

        return exclude_instance
      })

      result = result.concat(filtered_instances)
    } else {
      result = result.concat(item['instances_set'])
    }
  })
EOS
end

datasource "ds_instances_in_bad_regions" do
  run_script $js_instances_in_bad_regions, $ds_instances, $ds_aws_account, $ds_applied_policy, $param_regions_disallow_or_allow, $param_regions_list
end

script "js_instances_in_bad_regions", type: "javascript" do
  parameters "ds_instances", "ds_aws_account", "ds_applied_policy", "param_regions_disallow_or_allow", "param_regions_list"
  result "result"
  code <<-'EOS'
  result = _.map(ds_instances, function(instance) {
    tags = []
    resourceName = ""

    if (instance['tags'] != undefined && instance['tags'] != null) {
      _.each(instance['tags'], function(tag) {
        tags.push([tag['key'], tag['value']].join('='))

        if (tag['key'].toLowerCase() == 'name') { resourceName = tag['value'] }
      })
    }

    recommendationDetails = [
      "Terminate EC2 instance ", instance["resourceID"], " ",
      "in AWS Account ", ds_aws_account['name'], " ",
      "(", ds_aws_account['id'], ")"
    ].join('')

    return {
      accountID: ds_aws_account['id'],
      accountName: ds_aws_account['name'],
      resourceID: instance['instanceId'],
      resourceName: resourceName,
      tags: tags.join(', '),
      recommendationDetails: recommendationDetails,
      resourceType: instance['resourceType'],
      region: instance['region'],
      platform: instance['platform'],
      hostname: instance['privateDnsName'].split('.')[0],
      launchTime: instance['launchTime'],
      service: "EC2",
      policy_name: ds_applied_policy['name'],
      message: ""
    }
  })

  total_instances = result.length

  instance_phrase = "instances were"
  if (total_instances == 1) { instance_phrase = "instance was" }

  region_phrase = "in"
  if (param_regions_disallow_or_allow == 'Allow') { region_phrase = "outside of" }

  region_adj = "disallowed"
  if (param_regions_disallow_or_allow == 'Allow') { region_adj = "allowed" }

  findings = [
    total_instances, " AWS EC2 ", instance_phrase,
    " found ", region_phrase, " the following ", region_adj,
    " regions: ", param_regions_list.join(', '), ".\n\n"
  ].join('')

  disclaimer = "The above settings can be modified by editing the applied policy and changing the appropriate parameters."

  // Dummy entry to ensure validation occurs at least once
  result.push({ resourceID: "", tags: "", policy_name: "", message: "" })

  result[0]['message'] = findings + disclaimer
EOS
end

###############################################################################
# Policy
###############################################################################

policy "pol_disallowed_regions" do
  validate_each $ds_instances_in_bad_regions do
    summary_template "{{ with index data 0 }}{{ .policy_name }}{{ end }}: {{ len data }} AWS EC2 Instances In Disallowed Regions Found"
    detail_template "{{ with index data 0 }}{{ .message }}{{ end }}"
    check logic_or($ds_parent_policy_terminated, eq(val(item, "resourceID"), ""))
    escalate $esc_email
    escalate $esc_stop_instances
    escalate $esc_terminate_instances
    hash_exclude "message", "tags"
    export do
      resource_level true
      field "accountID" do
        label "Account ID"
      end
      field "accountName" do
        label "Account Name"
      end
      field "resourceID" do
        label "Resource ID"
      end
      field "resourceName" do
        label "Resource Name"
      end
      field "tags" do
        label "Resource Tags"
      end
      field "recommendationDetails" do
        label "Recommendation"
      end
      field "resourceType" do
        label "Instance Size"
      end
      field "region" do
        label "Region"
      end
      field "platform" do
        label "Platform"
      end
      field "hostname" do
        label "Hostname"
      end
      field "launchTime" do
        label "Launch Time"
      end
      field "service" do
        label "Service"
      end
      field "id" do
        label "ID"
        path "resourceID"
      end
    end
  end
end

###############################################################################
# Escalations
###############################################################################

escalation "esc_email" do
  automatic true
  label "Send Email"
  description "Send incident email"
  email $param_email
end

escalation "esc_stop_instances" do
  automatic contains($param_automatic_action, "Stop Instances")
  label "Stop Instances"
  description "Approval to stop all selected instances"
  run "stop_instances", data
end

escalation "esc_terminate_instances" do
  automatic contains($param_automatic_action, "Terminate Instances")
  label "Terminate Instances"
  description "Approval to terminate all selected instances"
  run "terminate_instances", data
end

###############################################################################
# Cloud Workflow
###############################################################################

# Core CWF function to stop instances
define stop_instances($data) do
  foreach $instance in $data do
    sub on_error: handle_error() do
      call get_instance_state($instance) retrieve $initial_state

      if $initial_state != "terminated" && $initial_state != "pending"
        if $initial_state != "stopped"
          call stop_instance($instance)
        end
      end
    end
  end

  # If we encountered any errors, use `raise` to mark the CWF process as errored
  if inspect($$errors) != "null"
    raise join($$errors, "\n")
  end
end

# Core CWF function to terminate instances
define terminate_instances($data) do
  foreach $instance in $data do
    sub on_error: handle_error() do
      call get_instance_state($instance) retrieve $initial_state

      if $initial_state != "terminated" && $initial_state != "pending"
        call terminate_instance($instance)
      end
    end
  end

  # If we encountered any errors, use `raise` to mark the CWF process as errored
  if inspect($$errors) != "null"
    raise join($$errors, "\n")
  end
end

# CWF function to get the current state of an instance
define get_instance_state($instance) return $instance_state do
  task_label("Getting Instance State: " + $instance["id"])
  $response = http_request(
    auth: $$auth_aws,
    https: true,
    verb: "post",
    href: "/",
    host: "ec2." + $instance["region"] + ".amazonaws.com",
    query_strings: {
      "Action": "DescribeInstanceStatus",
      "Version": "2016-11-15",
      "IncludeAllInstances": "true",
      "InstanceId.1": $instance["id"]
    }
  )
  call handle_response($response)
  $instance_state = $response["body"]["DescribeInstanceStatusResponse"]["instanceStatusSet"]["item"]["instanceState"]["name"]
end

# CWF function to stop an instance
define stop_instance($instance) return $response do
  task_label("Stopping Instance: " + $instance["id"])
  $response = http_request(
    auth: $$auth_aws,
    https: true,
    verb: "post",
    href: "/",
    host: "ec2." + $instance['region'] + ".amazonaws.com",
    query_strings: {
      "Action": "StopInstances",
      "Version": "2016-11-15",
      "InstanceId.1": $instance["id"]
    }
  )
  call handle_response($response)

  task_label("Checking for expected response code for Stop Instance: " + $instance["id"])
  if $response["code"] != 202 && $response["code"] != 200
    raise 'Unexpected response Stop Instance: '+to_json($response)
  else
    task_label("Successful Stop Instance: " + $instance["id"])
    call get_instance_state($instance) retrieve $instance_state
    while $instance_state != "stopped" do
      call get_instance_state($instance) retrieve $instance_state
      task_label("Waiting for Stop.. Instance State: " + $instance["id"] +" "+ $instance_state)
      sleep(10)
    end
    task_label("Completed Stop Instance: " + $instance["id"])
  end
end

# CWF function to terminate an instance
define terminate_instance($instance) return $response do
  task_label("Terminating Instance: " + $instance["id"])
  $response = http_request(
    auth: $$auth_aws,
    https: true,
    verb: "post",
    href: "/",
    host: "ec2." + $instance["region"] + ".amazonaws.com",
    query_strings: {
      "Action": "TerminateInstances",
      "Version": "2016-11-15",
      "InstanceId.1": $instance["id"]
    }
  )
  call handle_response($response)

  task_label("Checking for expected response code for Terminate Instance: " + $instance["id"])
  if $response["code"] != 202 && $response["code"] != 200
    raise 'Unexpected response Terminate Instance: '+to_json($response)
  else
    task_label("Successful Terminate Instance: " + $instance["id"])
    call get_instance_state($instance) retrieve $instance_state
    while $instance_state != "terminated" do
      call get_instance_state($instance) retrieve $instance_state
      task_label("Waiting for Terminate Instance: " + $instance["id"] +" "+ $instance_state)
      sleep(10)
    end
    task_label("Completed Modify Instance: " + $instance["id"])
  end
end

# CWF function to handle responses
define handle_response($response) do
  if !$$all_responses
    $$all_responses = []
  end
  # Convert response object to JSON string.  Easier to interpret
  $$all_responses << to_json($response)
end

# CWF function to handle errors
define handle_error() do
  if !$$errors
    $$errors = []
  end
  $$errors << $_error["type"] + ": " + $_error["message"]
  # We check for errors at the end, and raise them all together
  # Skip errors handled by this definition
  $_error_behavior = "skip"
end

###############################################################################
# Meta Policy [alpha]
# Not intended to be modified or used by policy developers
###############################################################################

# If the meta_parent_policy_id is not set it will evaluate to an empty string and we will look for the policy itself,
# if it is set we will look for the parent policy.
datasource "ds_get_policy" do
  request do
    auth $auth_flexera
    host rs_governance_host
    ignore_status [404]
    path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", switch(ne(meta_parent_policy_id, ""), meta_parent_policy_id, policy_id)])
    header "Api-Version", "1.0"
  end
  result do
    encoding "json"
    field "id", jmes_path(response, "id")
  end
end

datasource "ds_parent_policy_terminated" do
  run_script $js_decide_if_self_terminate, $ds_get_policy, policy_id, meta_parent_policy_id
end

# If the policy was applied by a meta_parent_policy we confirm it exists if it doesn't we confirm we are deleting
# This information is used in two places:
# - determining whether or not we make a delete call
# - determining if we should create an incident (we don't want to create an incident on the run where we terminate)
script "js_decide_if_self_terminate", type: "javascript" do
  parameters "found", "self_policy_id", "meta_parent_policy_id"
  result "result"
  code <<-EOS
  var result
  if (meta_parent_policy_id != "" && found.id == undefined) {
    result = true
  } else {
    result = false
  }
  EOS
end

# Two potentials ways to set this up:
# - this way and make a unneeded 'get' request when not deleting
# - make the delete request an interate and have it iterate over an empty array when not deleting and an array with one item when deleting
script "js_make_terminate_request", type: "javascript" do
  parameters "should_delete", "policy_id", "rs_project_id", "rs_governance_host"
  result "request"
  code <<-EOS

  var request = {
    auth:  'auth_flexera',
    host: rs_governance_host,
    path: "/api/governance/projects/" + rs_project_id + "/applied_policies/" + policy_id,
    headers: {
      "API-Version": "1.0",
      "Content-Type":"application/json"
    },
  }

  if (should_delete) {
    request.verb = 'DELETE'
  }
  EOS
end

datasource "ds_terminate_self" do
  request do
    run_script $js_make_terminate_request, $ds_parent_policy_terminated, policy_id, rs_project_id, rs_governance_host
  end
end

datasource "ds_is_deleted" do
  run_script $js_check_deleted, $ds_terminate_self
end

# This is just a way to have the check delete request connect to the farthest leaf from policy.
# We want the delete check to the first thing the policy does to avoid the policy erroring before it can decide whether or not it needs to self terminate
# Example a customer deletes a credential and then terminates the parent policy. We still want the children to self terminate
# The only way I could see this not happening is if the user who applied the parent_meta_policy was offboarded or lost policy access, the policies who are impersonating the user
# would not have access to self-terminate
# It may be useful for the backend to enable a mass terminate at some point for all meta_child_policies associated with an id.
script "js_check_deleted", type: "javascript" do
  parameters "response"
  result "result"
  code <<-EOS
  result = {"path":"/"}
  EOS
end