POL-1430 Automate Updating AWS CloudFormation Template (#2883)

* update * fix * update * fix * update * fix * update * update * update * update * update * update * update * update * update * update * update * update * update * update * update * update * update
flexera-public · Dec 13, 2024 · 809776a · 809776a
1 parent 80021ce
commit 809776a
Show file tree

Hide file tree

Showing 15 changed files with 4,178 additions and 673 deletions.
diff --git a/.github/workflows/cfn-lint.yaml b/.github/workflows/cfn-lint.yaml
@@ -8,6 +8,9 @@ on:
     branches:
       - master
 
+  # Workflow dispatch trigger allows manually running workflow
+  workflow_dispatch: {}
+
 jobs:
   cloudformation-linter:
     runs-on: ubuntu-latest
@@ -16,8 +19,13 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v2
 
-      - name: Setup Cloud Formation Linter with Latest Version
-        uses: scottbrenner/cfn-lint-action@v2
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.x'
+
+      - name: Install cfn-lint
+        run: pip install cfn-lint
 
       - name: Print the Cloud Formation Linter Version & run Linter.
         run: |

diff --git a/.github/workflows/cfn-test.yaml b/.github/workflows/cfn-test.yaml
@@ -19,25 +19,20 @@ jobs:
       matrix:
         # matrix.template_files is a list of template files to test
         template_files:
-          - ./cost/aws/FlexeraReadOnlyPolicy.template
           - ./tools/cloudformation-template/FlexeraAutomationPolicies.template
-
-          # TODO: Fix wildcard/dynamic release list
-          # - ./tools/cloudformation-template/releases/*.template
-
-          # Staticly define release templates for now
-          - ./tools/cloudformation-template/releases/FlexeraAutomationPolicies_v0.1.0.template
-          - ./tools/cloudformation-template/releases/FlexeraAutomationPolicies_v0.1.1.template
-          - ./tools/cloudformation-template/releases/FlexeraAutomationPolicies_v0.2.0.template
-          - ./tools/cloudformation-template/releases/FlexeraAutomationPolicies_v0.2.1.template
-          - ./tools/cloudformation-template/releases/FlexeraAutomationPolicies_v0.3.0.template
-          - ./tools/cloudformation-template/releases/FlexeraAutomationPolicies_v0.4.0.template
+          - ./tools/cloudformation-template/FlexeraAutomationPoliciesReadOnly.template
+          - ./tools/cloudformation-template/FlexeraAutomationPoliciesSimple.template
     steps:
       - name: Checkout
         uses: actions/checkout@v2
 
-      - name: Setup Cloud Formation Linter with Latest Version
-        uses: scottbrenner/cfn-lint-action@v2
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.x'
+
+      - name: Install cfn-lint
+        run: pip install cfn-lint
 
       - name: Run Cloudformation Linter
         id: cfn-lint

diff --git a/.github/workflows/generate-aws-cloudformation-template.yaml b/.github/workflows/generate-aws-cloudformation-template.yaml
@@ -1,4 +1,4 @@
-name: Generate Meta Parent Policy Templates
+name: Generate AWS CloudFormation Template
 
 on:
   # Trigger this workflow on pushes to master
@@ -31,10 +31,10 @@ jobs:
         id: cpr
         uses: peter-evans/create-pull-request@v4
         with:
-          commit-message: "Update AWS CloudFormation Template"
-          title: "Update AWS CloudFormation Template"
-          body: "Update AWS CloudFormation Template from GitHub Actions Workflow [${{ github.workflow }}](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})"
-          branch: "task/update-aws-cloudformation-template"
+          commit-message: "Generate AWS CloudFormation Template"
+          title: "Generate AWS CloudFormation Template"
+          body: "Generate AWS CloudFormation Template from GitHub Actions Workflow [${{ github.workflow }}](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})"
+          branch: "task/generate-aws-cloudformation-template"
           delete-branch: true
           labels: "automation"
 

diff --git a/.github/workflows/update-aws-cloudformation-template.yaml b/.github/workflows/update-aws-cloudformation-template.yaml
@@ -0,0 +1,51 @@
+name: Update AWS CloudFormation Template Release
+
+on:
+  schedule:
+    #        ┌───────────── minute (0 - 59)
+    #        │  ┌───────────── hour (0 - 23)
+    #        │  │ ┌───────────── day of the month (1 - 31)
+    #        │  │ │ ┌───────────── month (1 - 12 or JAN-DEC)
+    #        │  │ │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT)
+    #        │  │ │ │ │
+    #        │  │ │ │ │
+    #        │  │ │ │ │
+    #        *  * * * *
+    # At 12am daily
+    - cron: "0 0 * * *"
+
+  # Workflow dispatch trigger allows manually running workflow
+  workflow_dispatch: {}
+
+jobs:
+  meta-parent-policy-templates:
+    name: "Update AWS CloudFormation Template"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0 # Speed up checkout by not fetching history
+
+      - uses: ruby/setup-ruby@v1
+
+      - name: Update AWS CloudFormation Template
+        working-directory: tools/cloudformation-template
+        run: |
+          ruby aws_cft_new_release.rb
+
+      - name: Create Pull Request
+        id: cpr
+        uses: peter-evans/create-pull-request@v4
+        with:
+          commit-message: "Update AWS CloudFormation Template Release"
+          title: "Update AWS CloudFormation Template Release"
+          body: "Update AWS CloudFormation Template Release from GitHub Actions Workflow [${{ github.workflow }}](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})"
+          branch: "task/update-aws-cloudformation-template-release"
+          delete-branch: true
+          labels: "automation"
+
+      - name: Check outputs
+        if: ${{ steps.cpr.outputs.pull-request-number }}
+        run: |
+          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
+          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
diff --git a/cost/aws/s3_lifecycle/README.md b/cost/aws/s3_lifecycle/README.md
@@ -34,7 +34,7 @@ For administrators [creating and managing credentials](https://docs.flexera.com/
   - `s3:ListAllMyBuckets`
   - `s3:GetBucketLocation`
   - `s3:GetBucketTagging`
-  - `s3:GetBucketLifecycleConfiguration`
+  - `s3:GetLifecycleConfiguration`
   - `sts:GetCallerIdentity`
 
   Example IAM Permission Policy:
@@ -49,7 +49,7 @@ For administrators [creating and managing credentials](https://docs.flexera.com/
                   "s3:ListAllMyBuckets",
                   "s3:GetBucketLocation",
                   "s3:GetBucketTagging",
-                  "s3:GetBucketLifecycleConfiguration",
+                  "s3:GetLifecycleConfiguration",
                   "sts:GetCallerIdentity"
               ],
               "Resource": "*"

diff --git a/data/policy_permissions_list/master_policy_permissions_list.json b/data/policy_permissions_list/master_policy_permissions_list.json
@@ -2537,7 +2537,7 @@
               "required": true
             },
             {
-              "name": "s3:GetBucketLifecycleConfiguration",
+              "name": "s3:GetLifecycleConfiguration",
               "read_only": true,
               "required": true
             },
@@ -2953,72 +2953,6 @@
         }
       ]
     },
-    {
-      "id": "./cost/aws/superseded_instances/aws_superseded_instances.pt",
-      "name": "AWS Superseded EC2 Instances",
-      "version": "2.3.3",
-      "providers": [
-        {
-          "name": "aws",
-          "permissions": [
-            {
-              "name": "ec2:DescribeRegions",
-              "read_only": true,
-              "required": true
-            },
-            {
-              "name": "ec2:DescribeInstances",
-              "read_only": true,
-              "required": true
-            },
-            {
-              "name": "ec2:DescribeInstanceStatus",
-              "read_only": false,
-              "required": false,
-              "description": "Only required for taking action; the policy will still function in a read-only capacity without these permissions."
-            },
-            {
-              "name": "ec2:DescribeTags",
-              "read_only": true,
-              "required": true
-            },
-            {
-              "name": "ec2:ModifyInstanceAttribute",
-              "read_only": false,
-              "required": false,
-              "description": "Only required for taking action; the policy will still function in a read-only capacity without these permissions."
-            },
-            {
-              "name": "ec2:StartInstances",
-              "read_only": false,
-              "required": false,
-              "description": "Only required for taking action; the policy will still function in a read-only capacity without these permissions."
-            },
-            {
-              "name": "ec2:StopInstances",
-              "read_only": false,
-              "required": false,
-              "description": "Only required for taking action; the policy will still function in a read-only capacity without these permissions."
-            },
-            {
-              "name": "sts:GetCallerIdentity",
-              "read_only": true,
-              "required": true
-            }
-          ]
-        },
-        {
-          "name": "flexera",
-          "permissions": [
-            {
-              "name": "billing_center_viewer",
-              "read_only": true,
-              "required": true
-            }
-          ]
-        }
-      ]
-    },
     {
       "id": "./cost/aws/unused_albs/aws_unused_albs.pt",
       "name": "AWS Unused Application Load Balancers",
@@ -10176,4 +10110,4 @@
       ]
     }
   ]
-}
+}
diff --git a/data/policy_permissions_list/master_policy_permissions_list.yaml b/data/policy_permissions_list/master_policy_permissions_list.yaml
@@ -1458,7 +1458,7 @@
     - name: s3:GetBucketTagging
       read_only: true
       required: true
-    - name: s3:GetBucketLifecycleConfiguration
+    - name: s3:GetLifecycleConfiguration
       read_only: true
       required: true
     - name: sts:GetCallerIdentity
@@ -1700,49 +1700,6 @@
     - name: billing_center_viewer
       read_only: true
       required: true
-- id: "./cost/aws/superseded_instances/aws_superseded_instances.pt"
-  name: AWS Superseded EC2 Instances
-  version: 2.3.3
-  :providers:
-  - :name: aws
-    :permissions:
-    - name: ec2:DescribeRegions
-      read_only: true
-      required: true
-    - name: ec2:DescribeInstances
-      read_only: true
-      required: true
-    - name: ec2:DescribeInstanceStatus
-      read_only: false
-      required: false
-      description: Only required for taking action; the policy will still function
-        in a read-only capacity without these permissions.
-    - name: ec2:DescribeTags
-      read_only: true
-      required: true
-    - name: ec2:ModifyInstanceAttribute
-      read_only: false
-      required: false
-      description: Only required for taking action; the policy will still function
-        in a read-only capacity without these permissions.
-    - name: ec2:StartInstances
-      read_only: false
-      required: false
-      description: Only required for taking action; the policy will still function
-        in a read-only capacity without these permissions.
-    - name: ec2:StopInstances
-      read_only: false
-      required: false
-      description: Only required for taking action; the policy will still function
-        in a read-only capacity without these permissions.
-    - name: sts:GetCallerIdentity
-      read_only: true
-      required: true
-  - :name: flexera
-    :permissions:
-    - name: billing_center_viewer
-      read_only: true
-      required: true
 - id: "./cost/aws/unused_albs/aws_unused_albs.pt"
   name: AWS Unused Application Load Balancers
   version: 0.2.3