compliance/aws/long_stopped_instances/aws_long_stopped_instances.pt

name "AWS Long Stopped EC2 Instances"
rs_pt_ver 20180301
type "policy"
short_description "Check for EC2 instances that have been stopped for a long time with the option to terminate them after approval. See the [README](https://github.com/flexera-public/policy_templates/tree/master/compliance/aws/long_stopped_instances) and [docs.flexera.com/flexera/EN/Automation](https://docs.flexera.com/flexera/EN/Automation/AutomationGS.htm) to learn more."
long_description ""
severity "low"
category "Compliance"
default_frequency "weekly"
info(
  version: "6.0.2",
  provider: "AWS",
  service: "Compute",
  policy_set: "Long Stopped Instances",
  hide_skip_approvals: "true"
)

###############################################################################
# Parameters
###############################################################################

parameter "param_email" do
  type "list"
  category "Policy Settings"
  label "Email Addresses"
  description "Email addresses of the recipients you wish to notify when new incidents are created"
  default []
end

parameter "param_aws_account_number" do
  type "string"
  category "Policy Settings"
  label "Account Number"
  description "Leave blank; this is for automated use with Meta Policies. See README for more details."
  default ""
end

parameter "param_regions_allow_or_deny" do
  type "string"
  category "Filters"
  label "Allow/Deny Regions"
  description "Allow or Deny entered regions. See the README for more details"
  allowed_values "Allow", "Deny"
  default "Allow"
end

parameter "param_regions_list" do
  type "list"
  category "Filters"
  label "Allow/Deny Regions List"
  description "A list of allowed or denied regions. See the README for more details"
  allowed_pattern /^([a-zA-Z-_]+-[a-zA-Z0-9-_]+-[0-9-_]+,*|)+$/
  default []
end

parameter "param_exclusion_tags" do
  type "list"
  category "Filters"
  label "Exclusion Tags"
  description "Cloud native tags to ignore resources that you don't want to produce recommendations for. Enter the Key name to filter resources with a specific Key, regardless of Value, and enter Key==Value to filter resources with a specific Key:Value pair. Other operators and regex are supported; please see the README for more details."
  default []
end

parameter "param_exclusion_tags_boolean" do
  type "string"
  category "Filters"
  label "Exclusion Tags: Any / All"
  description "Whether to filter instances containing any of the specified tags or only those that contain all of them. Only applicable if more than one value is entered in the 'Exclusion Tags' field."
  allowed_values "Any", "All"
  default "Any"
end

parameter "param_stopped_days" do
  type "number"
  category "Policy Settings"
  label "Stopped Days"
  description "The number of days an instance needs to be stopped to include it in the incident report."
  min_value 1
  max_value 90
  default 7
end

parameter "param_automatic_action" do
  type "list"
  category "Actions"
  label "Automatic Actions"
  description "When this value is set, this policy will automatically take the selected action(s)"
  allowed_values ["Terminate Instances"]
  default []
end

###############################################################################
# Authentication
###############################################################################

credentials "auth_aws" do
  schemes "aws", "aws_sts"
  label "AWS"
  description "Select the AWS Credential from the list"
  tags "provider=aws"
  aws_account_number $param_aws_account_number
end

credentials "auth_flexera" do
  schemes "oauth2"
  label "Flexera"
  description "Select Flexera One OAuth2 credentials"
  tags "provider=flexera"
end

###############################################################################
# Datasources & Scripts
###############################################################################

# Get applied policy metadata for use later
datasource "ds_applied_policy" do
  request do
    auth $auth_flexera
    host rs_governance_host
    path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", policy_id])
    header "Api-Version", "1.0"
  end
end

# Get region-specific Flexera API endpoints
datasource "ds_flexera_api_hosts" do
  run_script $js_flexera_api_hosts, rs_optima_host
end

script "js_flexera_api_hosts", type: "javascript" do
  parameters "rs_optima_host"
  result "result"
  code <<-EOS
  host_table = {
    "api.optima.flexeraeng.com": {
      flexera: "api.flexera.com",
      fsm: "api.fsm.flexeraeng.com"
    },
    "api.optima-eu.flexeraeng.com": {
      flexera: "api.flexera.eu",
      fsm: "api.fsm-eu.flexeraeng.com"
    },
    "api.optima-apac.flexeraeng.com": {
      flexera: "api.flexera.au",
      fsm: "api.fsm-apac.flexeraeng.com"
    }
  }

  result = host_table[rs_optima_host]
EOS
end

# Get AWS account info
datasource "ds_cloud_vendor_accounts" do
  request do
    auth $auth_flexera
    host val($ds_flexera_api_hosts, 'flexera')
    path join(["/finops-analytics/v1/orgs/", rs_org_id, "/cloud-vendor-accounts"])
    header "Api-Version", "1.0"
  end
  result do
    encoding "json"
    collect jmes_path(response, "values[*]") do
      field "id", jmes_path(col_item, "aws.accountId")
      field "name", jmes_path(col_item, "name")
      field "tags", jmes_path(col_item, "tags")
    end
  end
end

datasource "ds_get_caller_identity" do
  request do
    auth $auth_aws
    host "sts.amazonaws.com"
    path "/"
    query "Action", "GetCallerIdentity"
    query "Version", "2011-06-15"
    header "User-Agent", "RS Policies"
  end
  result do
    encoding "xml"
    collect xpath(response, "//GetCallerIdentityResponse/GetCallerIdentityResult") do
      field "account", xpath(col_item, "Account")
    end
  end
end

datasource "ds_aws_account" do
  run_script $js_aws_account, $ds_cloud_vendor_accounts, $ds_get_caller_identity
end

script "js_aws_account", type:"javascript" do
  parameters "ds_cloud_vendor_accounts", "ds_get_caller_identity"
  result "result"
  code <<-EOS
  result = _.find(ds_cloud_vendor_accounts, function(account) {
    return account['id'] == ds_get_caller_identity[0]['account']
  })

  // This is in case the API does not return the relevant account info
  if (result == undefined) {
    result = {
      id: ds_get_caller_identity[0]['account'],
      name: "",
      tags: {}
    }
  }
EOS
end

datasource "ds_describe_regions" do
  request do
    auth $auth_aws
    host "ec2.amazonaws.com"
    path "/"
    query "Action", "DescribeRegions"
    query "Version", "2016-11-15"
    query "Filter.1.Name", "opt-in-status"
    query "Filter.1.Value.1", "opt-in-not-required"
    query "Filter.1.Value.2", "opted-in"
    # Header X-Meta-Flexera has no affect on datasource query, but is required for Meta Policies
    # Forces `ds_is_deleted` datasource to run first during policy execution
    header "Meta-Flexera", val($ds_is_deleted, "path")
  end
  result do
    encoding "xml"
    collect xpath(response, "//DescribeRegionsResponse/regionInfo/item", "array") do
      field "region", xpath(col_item, "regionName")
    end
  end
end

datasource "ds_regions" do
  run_script $js_regions, $ds_describe_regions, $param_regions_list, $param_regions_allow_or_deny
end

script "js_regions", type:"javascript" do
  parameters "ds_describe_regions", "param_regions_list", "param_regions_allow_or_deny"
  result "result"
  code <<-EOS
  allow_deny_test = { "Allow": true, "Deny": false }

  if (param_regions_list.length > 0) {
    result = _.filter(ds_describe_regions, function(item) {
      return _.contains(param_regions_list, item['region']) == allow_deny_test[param_regions_allow_or_deny]
    })
  } else {
    result = ds_describe_regions
  }
EOS
end

datasource "ds_instance_sets" do
  iterate $ds_regions
  request do
    auth $auth_aws
    host join(['ec2.', val(iter_item, 'region'), '.amazonaws.com'])
    path '/'
    query 'Action', 'DescribeInstances'
    query 'Version', '2016-11-15'
    query 'Filter.1.Name', 'instance-state-name'
    query 'Filter.1.Value.1', 'stopped'
    header 'User-Agent', 'RS Policies'
    header 'Content-Type', 'text/xml'
  end
  result do
    encoding "xml"
    collect xpath(response, "//DescribeInstancesResponse/reservationSet/item", "array") do
      field "instances_set" do
        collect xpath(col_item,"instancesSet/item","array") do
          field "region", val(iter_item, "region")
          field "instanceId", xpath(col_item, "instanceId")
          field "imageId", xpath(col_item, "imageId")
          field "resourceType", xpath(col_item, "instanceType")
          field "platform", xpath(col_item, "platformDetails")
          field "privateDnsName", xpath(col_item, "privateDnsName")
          field "launchTime", xpath(col_item, "launchTime")
          field "tags" do
            collect xpath(col_item, "tagSet/item", "array") do
              field "key", xpath(col_item, "key")
              field "value", xpath(col_item, "value")
            end
          end
        end
      end
    end
  end
end

datasource "ds_instances_tag_filtered" do
  run_script $js_instances_tag_filtered, $ds_instance_sets, $param_exclusion_tags, $param_exclusion_tags_boolean
end

script "js_instances_tag_filtered", type: "javascript" do
  parameters "ds_instance_sets", "param_exclusion_tags", "param_exclusion_tags_boolean"
  result "result"
  code <<-EOS
  comparators = _.map(param_exclusion_tags, function(item) {
    if (item.indexOf('==') != -1) {
      return { comparison: '==', key: item.split('==')[0], value: item.split('==')[1], string: item }
    }

    if (item.indexOf('!=') != -1) {
      return { comparison: '!=', key: item.split('!=')[0], value: item.split('!=')[1], string: item }
    }

    if (item.indexOf('=~') != -1) {
      value = item.split('=~')[1]
      regex = new RegExp(value.slice(1, value.length - 1))
      return { comparison: '=~', key: item.split('=~')[0], value: regex, string: item }
    }

    if (item.indexOf('!~') != -1) {
      value = item.split('!~')[1]
      regex = new RegExp(value.slice(1, value.length - 1))
      return { comparison: '!~', key: item.split('!~')[0], value: regex, string: item }
    }

    // If = is present but none of the above are, assume user error and that the user intended ==
    if (item.indexOf('=') != -1) {
      return { comparison: '==', key: item.split('=')[0], value: item.split('=')[1], string: item }
    }

    // Assume we're just testing for a key if none of the comparators are found
    return { comparison: 'key', key: item, value: null, string: item }
  })

  result = []

  _.each(ds_instance_sets, function(item) {
    if (param_exclusion_tags.length > 0) {
      filtered_instances = _.reject(item['instances_set'], function(resource) {
        resource_tags = {}

        if (typeof(resource['tags']) == 'object') {
          _.each(resource['tags'], function(tag) {
            resource_tags[tag['key']] = tag['value']
          })
        }

        // Store a list of found tags
        found_tags = []

        _.each(comparators, function(comparator) {
          comparison = comparator['comparison']
          value = comparator['value']
          string = comparator['string']
          resource_tag = resource_tags[comparator['key']]

          if (comparison == 'key' && resource_tag != undefined) { found_tags.push(string) }
          if (comparison == '==' && resource_tag == value) { found_tags.push(string) }
          if (comparison == '!=' && resource_tag != value) { found_tags.push(string) }

          if (comparison == '=~') {
            if (resource_tag != undefined && value.test(resource_tag)) { found_tags.push(string) }
          }

          if (comparison == '!~') {
            if (resource_tag == undefined) { found_tags.push(string) }
            if (resource_tag != undefined && value.test(resource_tag)) { found_tags.push(string) }
          }
        })

        all_tags_found = found_tags.length == comparators.length
        any_tags_found = found_tags.length > 0 && param_exclusion_tags_boolean == 'Any'

        return all_tags_found || any_tags_found
      })

      result = result.concat(filtered_instances)
    } else {
      result = result.concat(item['instances_set'])
    }
  })
EOS
end

datasource "ds_instances" do
  run_script $js_instances, $ds_instances_tag_filtered, $param_stopped_days
end

script "js_instances", type: "javascript" do
  parameters "ds_instances_tag_filtered", "param_stopped_days"
  result "result"
  code <<-EOS
  if (param_stopped_days > 0) {
    today = new Date()

    result = _.filter(ds_instances_tag_filtered, function(db) {
      created = new Date(db['launchTime'])
      age = Math.round((today - created) / 1000 / 60 / 60 / 24)

      return age >= param_stopped_days
    })
  } else {
    result = ds_instances_tag_filtered
  }
EOS
end

datasource "ds_cloudwatch_queries" do
  run_script $js_cloudwatch_queries, $ds_instances, $param_stopped_days
end

script "js_cloudwatch_queries", type: "javascript" do
  parameters "ds_instances", "param_stopped_days"
  result "result"
  code <<-EOS
  // Create the various queries we're going to send to CloudWatch for each instance
  result = {}

  _.each(ds_instances, function(instance) {
    // Make sure the queries object has an array for the region to push items to
    if (result[instance['region']] == undefined || result[instance['region']] == null) {
      result[instance['region']] = []
    }

    query = {
      "Id": instance['instanceId'].replace('-', '_') + "_cpuAverage",
      "MetricStat": {
        "Metric": {
          "Namespace": "AWS/EC2",
          "MetricName": "CPUUtilization",
          "Dimensions": [
            { "Name": "InstanceId", "Value": instance['instanceId'] }
          ]
        },
        "Period": param_stopped_days * 86400,
        "Stat": "Average"
      },
      "ReturnData": true
    }

    result[instance['region']].push(query)
  })
EOS
end

# Combine queries into 500 item blocks so we can make bulk requests to Cloudwatch
datasource "ds_instances_requests" do
  run_script $js_instances_requests, $ds_cloudwatch_queries, $param_stopped_days
end

script "js_instances_requests", type: "javascript" do
  parameters "ds_cloudwatch_queries", "param_stopped_days"
  result "result"
  code <<-EOS
  // Organize the queries into discrete requests to send in.
  // Queries are first sorted by region and then split into 500 item blocks.
  result = []
  query_block_size = 500

  // Round down to beginning of the hour to avoid getting multiple values
  // from CloudWatch due to how the data is sliced
  end_date = new Date()
  end_date.setMinutes(0, 0, 0)
  end_date = parseInt(end_date.getTime() / 1000)

  start_date = new Date()
  start_date.setDate(start_date.getDate() - param_stopped_days)
  start_date.setMinutes(0, 0, 0)
  start_date = parseInt(start_date.getTime() / 1000)

  _.each(Object.keys(ds_cloudwatch_queries), function(region) {
    for (i = 0; i < ds_cloudwatch_queries[region].length; i += query_block_size) {
      chunk = ds_cloudwatch_queries[region].slice(i, i + query_block_size)

      result.push({
        body: {
          "StartTime": start_date,
          "EndTime": end_date,
          "MetricDataQueries": chunk
        },
        region: region
      })
    }
  })
EOS
end

datasource "ds_cloudwatch_data" do
  iterate $ds_instances_requests
  request do
    run_script $js_cloudwatch_data, val(iter_item, "region"), val(iter_item, "body")
  end
  result do
    encoding "json"
    collect jmes_path(response, "MetricDataResults[*]") do
      field "region", val(iter_item, "region")
      field "id", jmes_path(col_item, "Id")
      field "label", jmes_path(col_item, "Label")
      field "values", jmes_path(col_item, "Values")
    end
  end
end

script "js_cloudwatch_data", type: "javascript" do
  parameters "region", "body"
  result "request"
  code <<-EOS
  // Slow down rate of requests to prevent
  api_wait = 5
  var now = new Date().getTime()
  while(new Date().getTime() < now + (api_wait * 1000)) { /* Do nothing */ }

  var request = {
    auth: "auth_aws",
    host: 'monitoring.' + region + '.amazonaws.com',
    verb: "POST",
    path: "/",
    headers: {
      "User-Agent": "RS Policies",
      "Content-Type": "application/json",
      "x-amz-target": "GraniteServiceVersion20100801.GetMetricData",
      "Accept": "application/json",
      "Content-Encoding": "amz-1.0"
    }
    query_params: {
      'Action': 'GetMetricData',
      'Version': '2010-08-01'
    },
    body: JSON.stringify(body)
  }
EOS
end

datasource "ds_cloudwatch_data_sorted" do
  run_script $js_cloudwatch_data_sorted, $ds_cloudwatch_data
end

script "js_cloudwatch_data_sorted", type: "javascript" do
  parameters "ds_cloudwatch_data"
  result "result"
  code <<-EOS
  // Sort the CloudWatch data into an object with keys for regions and instance names.
  // This eliminates the need to "double loop" later on to match it with our instances list.
  result = {}

  _.each(ds_cloudwatch_data, function(item) {
    region = item['region']
    instance_name = item['id'].split('_')[0] + '-' + item['id'].split('_')[1]

    if (result[region] == undefined) { result[region] = {} }

    result[region][instance_name] = item['values']
  })
EOS
end

datasource "ds_long_stopped_instances" do
  run_script $js_long_stopped_instances, $ds_instances, $ds_cloudwatch_data_sorted, $ds_aws_account, $ds_applied_policy, $param_stopped_days
end

script "js_long_stopped_instances", type: "javascript" do
  parameters "ds_instances", "ds_cloudwatch_data_sorted", "ds_aws_account", "ds_applied_policy", "param_stopped_days"
  result "result"
  code <<-'EOS'
  result = []

  _.each(ds_instances, function(instance) {
    // Determine if instance is long stopped by seeing if it has any CPU metrics.
    long_stopped = true

    region = instance['region']
    id = instance['instanceId']

    if (ds_cloudwatch_data_sorted[region] != undefined) {
      if (ds_cloudwatch_data_sorted[region][id] != undefined) {
        if (ds_cloudwatch_data_sorted[region][id].length > 0) {
          long_stopped = false
        }
      }
    }

    if (long_stopped) {
      // Tidy up tags so they display nicely in the incident
      tags = []
      resourceName = ""

      if (instance['tags'] != undefined && instance['tags'] != null) {
        _.each(instance['tags'], function(tag) {
          tags.push([tag['key'], tag['value']].join('='))
          if (tag['key'].toLowerCase() == 'name') { resourceName = tag['value'] }
        })
      }

      recommendationDetails = [
        "Terminate EC2 instance ", instance['instanceId'], " ",
        "in AWS Account ", ds_aws_account['name'], " ",
        "(", ds_aws_account['id'], ")"
      ].join('')

      result.push({
        platform: instance['platform'],
        privateDnsName: instance['privateDnsName'],
        launchTime: instance['launchTime'],
        hostname: instance['privateDnsName'].split('.')[0],
        resourceType: instance['resourceType'],
        accountID: ds_aws_account['id'],
        accountName: ds_aws_account['name'],
        policy_name: ds_applied_policy['name']
        tags: tags.join(', '),
        lookbackPeriod: param_stopped_days,
        region: region,
        id: id,
        resourceID: id,
        resourceName: resourceName,
        recommendationDetails: recommendationDetails,
        message: ""
        service: "EC2"
      })
    }
  })

  instances_total = ds_instances.length.toString()
  long_stopped_instances_total = result.length.toString()
  long_stopped_percentage = (long_stopped_instances_total / instances_total * 100).toFixed(2).toString() + '%'

  instance_noun = "instances"
  if (instances_total == 1) { instance_noun = "instance" }

  instance_verb = "are"
  if (long_stopped_instances_total == 1) { instance_verb = "is" }

  findings = [
    "Out of ", instances_total, " EC2 ", instance_noun, " analyzed, ",
    long_stopped_instances_total, " (", long_stopped_percentage,
    ") ", instance_verb, " long stopped and recommended for termination. "
  ].join('')

  day_noun = "days"
  if (param_stopped_days == 1) { day_noun = "day" }

  analysis = [
    "An EC2 instance is considered long stopped if it has been stopped ",
    "for at least ", param_stopped_days, " ", day_noun, ".\n\n"
  ].join('')

  disclaimer = "The above settings can be modified by editing the applied policy and changing the appropriate parameters."

  // Dummy entry to ensure validation runs at least once
  result.push({ resourceID: "", policy_name: "", message: "", tags: "" })

  result[0]['message'] = findings + analysis + disclaimer
EOS
end

###############################################################################
# Policy
###############################################################################

policy "pol_long_stopped_instances" do
  validate_each $ds_long_stopped_instances do
    summary_template "{{ with index data 0 }}{{ .policy_name }}{{ end }}: {{ len data }} AWS Long Stopped EC2 Instances Found"
    detail_template "{{ with index data 0 }}{{ .message }}{{ end }}"
    # Policy check fails and incident is created only if data is not empty and the Parent Policy has not been terminated
    check logic_or($ds_parent_policy_terminated, eq(val(item, "resourceID"), ""))
    escalate $esc_email
    escalate $esc_terminate_instances
    hash_exclude "message", "tags"
    export do
      resource_level true
      field "accountID" do
        label "Account ID"
      end
      field "accountName" do
        label "Account Name"
      end
      field "resourceID" do
        label "Resource ID"
      end
      field "resourceName" do
        label "Resource Name"
      end
      field "tags" do
        label "Resource Tags"
      end
      field "recommendationDetails" do
        label "Recommendation"
      end
      field "resourceType" do
        label "Instance Size"
      end
      field "region" do
        label "Region"
      end
      field "platform" do
        label "Platform"
      end
      field "hostname" do
        label "Hostname"
      end
      field "launchTime" do
        label "Launch Time"
      end
      field "lookbackPeriod" do
        label "Look Back Period (Days)"
      end
      field "service" do
        label "Service"
      end
      field "id" do
        label "ID"
        path "resourceID"
      end
    end
  end
end

###############################################################################
# Escalations
###############################################################################

escalation "esc_email" do
  automatic true
  label "Send Email"
  description "Send incident email"
  email $param_email
end

escalation "esc_terminate_instances" do
  automatic contains($param_automatic_action, "Terminate Instances")
  label "Terminate Instances"
  description "Approval to terminate all selected instances"
  run "terminate_instances", data
end

###############################################################################
# Cloud Workflow
###############################################################################

# Core CWF function to terminate instances
define terminate_instances($data) do
  foreach $instance in $data do
    sub on_error: handle_error() do
      call get_instance_state($instance) retrieve $initial_state

      if $initial_state != "terminated" && $initial_state != "pending"
        call terminate_instance($instance)
      end
    end
  end

  # If we encountered any errors, use `raise` to mark the CWF process as errored
  if inspect($$errors) != "null"
    raise join($$errors, "\n")
  end
end

# CWF function to terminate an instance
define terminate_instance($instance) return $response do
  task_label("Terminating Instance: " + $instance["id"])
  $response = http_request(
    auth: $$auth_aws,
    https: true,
    verb: "post",
    href: "/",
    host: "ec2." + $instance["region"] + ".amazonaws.com",
    query_strings: {
      "Action": "TerminateInstances",
      "Version": "2016-11-15",
      "InstanceId.1": $instance["id"]
    }
  )
  call handle_response($response)

  task_label("Checking for expected response code for Terminate Instance: " + $instance["id"])
  if $response["code"] != 202 && $response["code"] != 200
    raise 'Unexpected response Terminate Instance: '+to_json($response)
  else
    task_label("Successful Terminate Instance: " + $instance["id"])
    call get_instance_state($instance) retrieve $instance_state
    while $instance_state != "terminated" do
      call get_instance_state($instance) retrieve $instance_state
      task_label("Waiting for Terminate Instance: " + $instance["id"] +" "+ $instance_state)
      sleep(10)
    end
    task_label("Completed Modify Instance: " + $instance["id"])
  end
end

# CWF function to get the current state of an instance
define get_instance_state($instance) return $instance_state do
  task_label("Getting Instance State: " + $instance["id"])
  $response = http_request(
    auth: $$auth_aws,
    https: true,
    verb: "post",
    href: "/",
    host: "ec2." + $instance["region"] + ".amazonaws.com",
    query_strings: {
      "Action": "DescribeInstanceStatus",
      "Version": "2016-11-15",
      "IncludeAllInstances": "true",
      "InstanceId.1": $instance["id"]
    }
  )
  call handle_response($response)
  $instance_state = $response["body"]["DescribeInstanceStatusResponse"]["instanceStatusSet"]["item"]["instanceState"]["name"]
end

# CWF function to handle errors
define handle_error() do
  if !$$errors
    $$errors = []
  end
  $$errors << $_error["type"] + ": " + $_error["message"]
  # We check for errors at the end, and raise them all together
  # Skip errors handled by this definition
  $_error_behavior = "skip"
end

# CWF function to handle responses
define handle_response($response) do
  if !$$all_responses
    $$all_responses = []
  end
  # Convert response object to JSON string.  Easier to interpret
  $$all_responses << to_json($response)
end

###############################################################################
# Meta Policy [alpha]
# Not intended to be modified or used by policy developers
###############################################################################

# If the meta_parent_policy_id is not set it will evaluate to an empty string and we will look for the policy itself,
# if it is set we will look for the parent policy.
datasource "ds_get_policy" do
  request do
    auth $auth_flexera
    host rs_governance_host
    ignore_status [404]
    path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", switch(ne(meta_parent_policy_id, ""), meta_parent_policy_id, policy_id)])
    header "Api-Version", "1.0"
  end
  result do
    encoding "json"
    field "id", jmes_path(response, "id")
  end
end

datasource "ds_parent_policy_terminated" do
  run_script $js_decide_if_self_terminate, $ds_get_policy, policy_id, meta_parent_policy_id
end

# If the policy was applied by a meta_parent_policy we confirm it exists if it doesn't we confirm we are deleting
# This information is used in two places:
# - determining whether or not we make a delete call
# - determining if we should create an incident (we don't want to create an incident on the run where we terminate)
script "js_decide_if_self_terminate", type: "javascript" do
  parameters "found", "self_policy_id", "meta_parent_policy_id"
  result "result"
  code <<-EOS
  var result
  if (meta_parent_policy_id != "" && found.id == undefined) {
    result = true
  } else {
    result = false
  }
  EOS
end

# Two potentials ways to set this up:
# - this way and make a unneeded 'get' request when not deleting
# - make the delete request an interate and have it iterate over an empty array when not deleting and an array with one item when deleting
script "js_make_terminate_request", type: "javascript" do
  parameters "should_delete", "policy_id", "rs_project_id", "rs_governance_host"
  result "request"
  code <<-EOS

  var request = {
    auth:  'auth_flexera',
    host: rs_governance_host,
    path: "/api/governance/projects/" + rs_project_id + "/applied_policies/" + policy_id,
    headers: {
      "API-Version": "1.0",
      "Content-Type":"application/json"
    },
  }

  if (should_delete) {
    request.verb = 'DELETE'
  }
  EOS
end

datasource "ds_terminate_self" do
  request do
    run_script $js_make_terminate_request, $ds_parent_policy_terminated, policy_id, rs_project_id, rs_governance_host
  end
end

datasource "ds_is_deleted" do
  run_script $js_check_deleted, $ds_terminate_self
end

# This is just a way to have the check delete request connect to the farthest leaf from policy.
# We want the delete check to the first thing the policy does to avoid the policy erroring before it can decide whether or not it needs to self terminate
# Example a customer deletes a credential and then terminates the parent policy. We still want the children to self terminate
# The only way I could see this not happening is if the user who applied the parent_meta_policy was offboarded or lost policy access, the policies who are impersonating the user
# would not have access to self-terminate
# It may be useful for the backend to enable a mass terminate at some point for all meta_child_policies associated with an id.
script "js_check_deleted", type: "javascript" do
  parameters "response"
  result "result"
  code <<-EOS
  result = {"path":"/"}
  EOS
end