FOPTS-842 Google Unlabeled Resources Policy (#1536)
* Updated sys_log

* Update GCP info in sys_log

* Add mockup data for testing

* Update label cloud workflow

* Remove mock data and update changelog

* Add default frequency

* Remove tab

* Fix all missed values issue

* Fix incidents not being pushed

* Update readme functional details

* Add comma separators to list of output values
Rangelmv23 authored Oct 26, 2023
1 parent 6c4dfb8 commit 58f00c8
Showing 3 changed files with 106 additions and 41 deletions.
4 changes: 4 additions & 0 deletions compliance/google/unlabeled_resources/CHANGELOG.md
@@ -1,5 +1,9 @@
# Changelog

## v2.5

- Updated label logic to return `Missing Label Keys` as well as `Label Keys with Missing Label Values` in incident

## v2.4

- Modified `sys_log` definition to disable `rs_cm.audit_entry.create` outside Flexera NAM
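
Review bot: The v2.5 entry records only the incident output change, but this commit also adds `default_frequency "weekly"`, renames the policy block to `policy_google_resource`, and changes which labels the `label_resources` action puts in its request body. The last of these affects anyone who runs the labelling action, so it deserves its own bullet under v2.5.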
6 changes: 6 additions & 0 deletions compliance/google/unlabeled_resources/README.md
Expand Up @@ -4,6 +4,12 @@

Find all Google cloud resources(disks, images, instances, snapshots, buckets, vpnGateways) missing any of the user provided labels with the option to update the resources with the missing labels.

## Functional Details

- The policy leverages the Google Cloud API to retrieve a list of all labelable resources across Google Cloud Projects.
- Using the 'List of labels' parameter, the policy identifies all resources that are missing the label keys specified by the user.
- The policy outputs resources missing the specified label keys as well as resources with the specified label keys but are missing label values.

## Input Parameters

This policy has the following input parameters required when launching the policy.
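
Review bot: The third bullet under Functional Details does not say what counts as a missing value, and its wording ("with the specified label keys but are missing label values") is ungrammatical. The filter script in this commit treats an empty string or null as a missing value and compares keys case-insensitively; stating both here lets users predict which resources appear in each incident column. Suggested wording: "The policy reports resources that lack the specified label keys, and resources that have a specified key whose value is empty."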
137 changes: 96 additions & 41 deletions compliance/google/unlabeled_resources/unlabeled_resources.pt
Expand Up @@ -4,8 +4,9 @@ type "policy"
short_description "Find all Google Cloud resources(disks, images, instances, snapshots, buckets, vpnGateways), missing any of the user provided labels with the option to update the resources with the missing labels. See the [README](https://github.com/flexera-public/policy_templates/tree/master/compliance/google/unlabeled_resources) and [docs.flexera.com/flexera/EN/Automation](https://docs.flexera.com/flexera/EN/Automation/AutomationGS.htm) to learn more."
category "Compliance"
severity "low"
default_frequency "weekly"
info(
version: "2.4",
version: "2.5",
provider: "Google",
service: "",
policy_set: "Unlabeled Resources"
Expand Down Expand Up @@ -146,31 +147,47 @@ script "js_filter_resources", type: "javascript" do
var obj = gr["all_res"];
if (obj !== undefined && obj.items !== undefined) {
for (var key in obj.items) {
var isResMissedTag = false;
var all_include_label = '';
var labelOrValueMissing = false;
var all_missed_label = '';
var all_missed_values = '';
if (JSON.stringify(obj.items[key]["labels"]) == undefined) {
var labels = "none";
} else {
var labels = obj.items[key]["labels"];
var labels_str = JSON.stringify(labels);
}
for (var j = 0; j < param_label_key_lower.length; j++) {
if (_.isEmpty(labels_str) || (labels_str.toLowerCase().indexOf(param_label_key_lower[j])) == -1) {
isResMissedTag = true;
all_missed_label = all_missed_label + " " + param_label_key_lower[j];
} else {
all_include_label = all_include_label + " " + param_label_key_lower[j];
var labelMissing = true
for (var labelKey in labels) {
if (labelKey.toLowerCase() == param_label_key_lower[j]){
labelMissing = false
if (labels[labelKey] == "" || labels[labelKey] == null) {
labelOrValueMissing = true;
if (all_missed_values == "") {
all_missed_values = param_label_key_lower[j];
} else {
all_missed_values = all_missed_values + ", " + param_label_key_lower[j];
}
}
}
}
if (labelMissing) {
labelOrValueMissing = true;
if (all_missed_label == "") {
all_missed_label = param_label_key_lower[j];
} else {
all_missed_label = all_missed_label + ", " + param_label_key_lower[j];
}
}
}
if (isResMissedTag) {
if (labelOrValueMissing) {
result.push({
id: obj.items[key]["id"],
labels: labels,
labelFingerprint: "labelFingerprint",
selfLink: obj.items[key]["selfLink"],
all_missed_label: all_missed_label,
all_include_label: all_include_label,
all_missed_values: all_missed_values,
labels_str: labels_str,
type: "buckets",
name: obj.items[key]["name"]
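
Review bot: The new inner loop `for (var labelKey in labels)` also runs when the resource has no labels and `labels` has been set to the string "none", so it enumerates the character indices of that string instead of label keys. The outcome is right only by accident; guard the loop with a type check, or iterate over an empty object in that case and keep "none" for display only. In the same branch `labels_str` is assigned only in the `else`, and because `var` is function-scoped an unlabeled resource is pushed with whatever `labels_str` an earlier item left behind.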
Expand All @@ -189,31 +206,47 @@ script "js_filter_resources", type: "javascript" do
if (gr["uri"].indexOf("aggregated") !== -1) {
if (obj.items[key]["warning"] == undefined) {
for (var k in obj.items[key][type]) {
var isResMissedTag = false;
var all_include_label = '';
var labelOrValueMissing = false;
var all_missed_label = '';
var all_missed_values = '';
if (JSON.stringify(obj.items[key][type][k]["labels"]) == undefined) {
var labels = "none";
} else {
var labels = obj.items[key][type][k]["labels"];
var labels_str = JSON.stringify(labels);
}
for (var j = 0; j < param_label_key_lower.length; j++) {
if (_.isEmpty(labels_str) || (labels_str.toLowerCase().indexOf(param_label_key_lower[j])) == -1) {
isResMissedTag = true;
all_missed_label = all_missed_label + " " + param_label_key_lower[j];
} else {
all_include_label = all_include_label + " " + param_label_key_lower[j];
var labelMissing = true
for (var labelKey in labels) {
if (labelKey.toLowerCase() == param_label_key_lower[j]){
labelMissing = false
if (labels[labelKey] == "" || labels[labelKey] == null) {
labelOrValueMissing = true;
if (all_missed_values == "") {
all_missed_values = param_label_key_lower[j]
} else {
all_missed_values = all_missed_values + ", " + param_label_key_lower[j]
}
}
}
}
if (labelMissing) {
labelOrValueMissing = true;
if (all_missed_label == "") {
all_missed_label = param_label_key_lower[j];
} else {
all_missed_label = all_missed_label + ", " + param_label_key_lower[j];
}
}
}
if (isResMissedTag) {
if (labelOrValueMissing) {
result.push({
id: obj.items[key][type][k]["id"],
labels: labels,
labelFingerprint: obj.items[key][type][k]["labelFingerprint"],
selfLink: obj.items[key][type][k]["selfLink"],
all_missed_label: all_missed_label,
all_include_label: all_include_label,
all_missed_values: all_missed_values,
labels_str: labels_str,
type: type,
name: obj.items[key][type][k]["name"]
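
Review bot: This key and value check is a copy of the block added in the buckets branch and is repeated again in the global branch, and the copies have already drifted (the `all_missed_values` assignments here drop the trailing semicolons that the buckets copy has). Extract one helper that takes `labels` and `param_label_key_lower` and returns `all_missed_label` and `all_missed_values`, then call it from all three branches so a later fix cannot land in only one of them.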
Expand All @@ -222,31 +255,47 @@ script "js_filter_resources", type: "javascript" do
}
}
} else if (gr["uri"].indexOf("global") !== -1) {
var isResMissedTag = false;
var all_include_label = '';
var labelOrValueMissing = false;
var all_missed_label = '';
var all_missed_values = '';
if (JSON.stringify(obj.items[key]["labels"]) == undefined) {
var labels = "none";
} else {
var labels = obj.items[key]["labels"];
var labels_str = JSON.stringify(labels);
}
for (var j = 0; j < param_label_key_lower.length; j++) {
if (_.isEmpty(labels_str) || (labels_str.toLowerCase().indexOf(param_label_key_lower[j])) == -1) {
isResMissedTag = true;
all_missed_label = all_missed_label + " " + param_label_key_lower[j];
} else {
all_include_label = all_include_label + " " + param_label_key_lower[j];
var labelMissing = true
for (var labelKey in labels) {
if (labelKey.toLowerCase() == param_label_key_lower[j]){
labelMissing = false
if (labels[labelKey] == "" || labels[labelKey] == null) {
labelOrValueMissing = true;
if (all_missed_values == "") {
all_missed_values = param_label_key_lower[j]
} else {
all_missed_values = all_missed_values + ", " + param_label_key_lower[j]
}
}
}
}
if (labelMissing) {
labelOrValueMissing = true;
if (all_missed_label == "") {
all_missed_label = param_label_key_lower[j];
} else {
all_missed_label = all_missed_label + ", " + param_label_key_lower[j];
}
}
}
if (isResMissedTag) {
if (labelOrValueMissing) {
result.push({
id: obj.items[key]["id"],
labels: labels,
labelFingerprint: obj.items[key]["labelFingerprint"],
selfLink: obj.items[key]["selfLink"],
all_missed_label: all_missed_label,
all_include_label: all_include_label,
all_missed_values: all_missed_values,
labels_str: labels_str,
type: type,
name: obj.items[key]["name"]
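
Review bot: `all_include_label` is removed from the pushed object here and in the two earlier branches, so any export field, template or action elsewhere in the file that still reads it will now get an empty value. Please confirm nothing outside the visible hunks references it. Also, `var labelMissing = true` and `labelMissing = false` are missing semicolons while the surrounding statements have them.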
Expand Down Expand Up @@ -285,7 +334,7 @@ end
# Policy
###############################################################################

policy "policy_azure_resource" do
policy "policy_google_resource" do
validate $ds_filtered_resources do
summary_template "{{ len data }} Google Resources out of compliance."
escalate $esc_email
Expand All @@ -303,7 +352,10 @@ policy "policy_azure_resource" do
label "Existing Labels"
end
field "all_missed_label" do
label "Missing Labels"
label "Missing Label Keys"
end
field "all_missed_values" do
label "Label Keys with Missing Label values"
end
field "id" do
label "Resources Id"
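
Review bot: The new field label "Label Keys with Missing Label values" uses a lowercase "values", while the changelog entry and the neighbouring "Missing Label Keys" label use title case. Change it to "Label Keys with Missing Label Values" so the incident column header matches the documented name.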
Expand Down Expand Up @@ -352,19 +404,22 @@ define label_resources($data, $param_labels_to_add, $$rs_optima_host) return $al
$$log = []
$all_responses = []

$list_of_labels_to_add_foreach_data = []

foreach $item in $data do
$new_labels = {}
if $item["labels"] == "none"
$new_labels = {}
else
$new_labels = $item["labels"]
end

$filtered_labels_to_add_obj = {}
foreach $label in $param_labels_to_add do
if $new_labels != null
$new_labels[first(split($label,"="))]=last(split($label,"="))
$label_key_to_add = first(split( $tag, "=" ))
$label_value_to_add = ""
if $label_key_to_add != last(split( $tag, "="))
$label_value_to_add = last(split( $tag, "="))
end
$$log << "after split: "+$new_labels[first(split($label,"="))]
$filtered_labels_to_add_obj[$label_key_to_add] = $label_value_to_add
end

$list_of_labels_to_add_foreach_data << $filtered_labels_to_add_obj

sub on_error: handle_error($postResponse) do
$$log << "after split: "+join([$item["selfLink"],"/setLabels"])
if $item["type"] != "buckets"
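
Review bot: The added lines inside `foreach $label in $param_labels_to_add do` read from `$tag`, which is not defined anywhere in the visible scope; the loop variable is `$label`, so `first(split( $tag, "=" ))` will not see the user's input. Replace `$tag` with `$label` in all three places. Two smaller points: the test `$label_key_to_add != last(split( $tag, "="))` treats an entry such as `env=env` as having no value and sets it to an empty string, so checking for the presence of "=" would be more reliable; and `$list_of_labels_to_add_foreach_data` is appended to but never read in these lines.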
Expand All @@ -376,7 +431,7 @@ define label_resources($data, $param_labels_to_add, $$rs_optima_host) return $al
"content-type": "application/json"
},
body: {
"labels": $new_labels,
"labels": $filtered_labels_to_add_obj,
"labelFingerprint": $item["labelFingerprint"]
}
)
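
Review bot: The request body now sends only `$filtered_labels_to_add_obj`, whereas the previous `$new_labels` started from `$item["labels"]` and so carried the resource's existing labels along with the new ones. If the `/setLabels` call replaces the label set rather than merging into it, this change removes every existing label on the resource when the action runs. Either merge the new keys into the existing labels before sending, or document that the action overwrites them. The bucket request in the next hunk has the same change.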
Expand All @@ -389,7 +444,7 @@ define label_resources($data, $param_labels_to_add, $$rs_optima_host) return $al
"content-type": "application/json"
},
body: {
"labels": $new_labels
"labels": $filtered_labels_to_add_obj
}
)
end
