Skip to content

Commit

Permalink
POL-941 Meta Policy Extension (#1534)
Browse files Browse the repository at this point in the history
* first

* meta

* gp3

* unencrypted

* update

* tweak

* rds

* update

* update

* disallowed

* long

* update
  • Loading branch information
XOmniverse authored Oct 24, 2023
1 parent 853a66d commit d23dbd9
Show file tree
Hide file tree
Showing 39 changed files with 10,960 additions and 185 deletions.
5 changes: 5 additions & 0 deletions compliance/aws/disallowed_regions/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
# Changelog

## v4.0

- Added logic required for "Meta Policy" use-cases
- To facilitate "Meta Policy" use-cases, policy now requires a Flexera credential

## v3.1

- Changed service metadata to "Compute" to ensure proper incident scraping
Expand Down
49 changes: 28 additions & 21 deletions compliance/aws/disallowed_regions/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,27 +30,34 @@ For example if a user selects the "Terminate Instances" action while applying th

## Prerequisites

This policy uses [credentials](https://docs.flexera.com/flexera/EN/Automation/ManagingCredentialsExternal.htm) for connecting to the cloud -- in order to apply this policy you must have a credential registered in the system that is compatible with this policy. If there are no credentials listed when you apply the policy, please contact your cloud admin and ask them to register a credential that is compatible with this policy. The information below should be consulted when creating the credential.

### Credential configuration

For administrators [creating and managing credentials](https://docs.flexera.com/flexera/EN/Automation/ManagingCredentialsExternal.htm) to use with this policy, the following information is needed:

Provider tag value to match this policy: `aws`

Required permissions in the provider:

```javascript
{
"Version": "2016-11-15",
"Statement":[{
"Effect":"Allow",
"Action":["ecs: DescribeInstances"],
"Resource":"*"
}
]
}
```
This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Automation/ManagingCredentialsExternal.htm) for authenticating to datasources -- in order to apply this policy you must have a Credential registered in the system that is compatible with this policy. If there are no Credentials listed when you apply the policy, please contact your Flexera Org Admin and ask them to register a Credential that is compatible with this policy. The information below should be consulted when creating the credential(s).

- [**AWS Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_1982464505_1121575) (*provider=aws*) which has the following permissions:
- `ecs:DescribeInstances`

\* Only required for taking action (deletion); the policy will still function in a read-only capacity without these permissions.

Example IAM Permission Policy:

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances"
],
"Resource": "*"
}
]
}
```

- [**Flexera Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) (*provider=flexera*) which has the following roles:
- `billing_center_viewer`

The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) page in the docs has detailed instructions for setting up Credentials for the most common providers.

## Supported Clouds

Expand Down
106 changes: 104 additions & 2 deletions compliance/aws/disallowed_regions/aws_disallowed_regions.pt
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ category "Compliance"
severity "low"
default_frequency "weekly"
info(
version: "3.1",
version: "4.0",
provider: "AWS",
service: "Compute",
policy_set: "Disallowed Regions"
Expand Down Expand Up @@ -74,6 +74,13 @@ credentials "auth_aws" do
aws_account_number $param_aws_account_number
end

credentials "auth_flexera" do
schemes "oauth2"
label "Flexera"
description "Select Flexera One OAuth2 credentials"
tags "provider=flexera"
end

###############################################################################
# Pagination
###############################################################################
Expand Down Expand Up @@ -104,6 +111,9 @@ datasource "ds_regions_list" do
query "Filter.1.Name", "opt-in-status"
query "Filter.1.Value.1", "opt-in-not-required"
query "Filter.1.Value.2", "opted-in"
# Header X-Meta-Flexera has no affect on datasource query, but is required for Meta Policies
# Forces `ds_is_deleted` datasource to run first during policy execution
header "Meta-Flexera", val($ds_is_deleted, "path")
end
result do
encoding "xml"
Expand Down Expand Up @@ -277,7 +287,8 @@ policy "pol_list_aws_instances" do
label "Tags"
end
end
check eq(size(data),0)
# Policy check fails and incident is created only if data is not empty and the Parent Policy has not been terminated
check logic_or($ds_parent_policy_terminated, eq(size(data),0))
escalate $esc_email
escalate $esc_terminate_instances_disallowed_region
end
Expand Down Expand Up @@ -343,3 +354,94 @@ define skip_error_and_append($subject) do
$$errors << "Unexpected error for " + $subject + "\n " + to_s($_error)
$_error_behavior = "skip"
end

###############################################################################
# Meta Policy [alpha]
# Not intended to be modified or used by policy developers
###############################################################################

# If the meta_parent_policy_id is not set it will evaluate to an empty string and we will look for the policy itself,
# if it is set we will look for the parent policy.
datasource "ds_get_policy" do
request do
auth $auth_flexera
host rs_governance_host
ignore_status [404]
path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", switch(ne(meta_parent_policy_id,""), meta_parent_policy_id, policy_id) ])
header "Api-Version", "1.0"
end
result do
encoding "json"
field "id", jmes_path(response, "id")
end
end


datasource "ds_parent_policy_terminated" do
run_script $js_decide_if_self_terminate, $ds_get_policy, policy_id, meta_parent_policy_id
end

# If the policy was applied by a meta_parent_policy we confirm it exists if it doesn't we confirm we are deleting
# This information is used in two places:
# - determining whether or not we make a delete call
# - determining if we should create an incident (we don't want to create an incident on the run where we terminate)
script "js_decide_if_self_terminate", type: "javascript" do
parameters "found", "self_policy_id", "meta_parent_policy_id"
result "result"
code <<-EOS
var result
if (meta_parent_policy_id != "" && found.id == undefined) {
result = true
} else {
result = false
}
EOS
end

# Two potentials ways to set this up:
# - this way and make a unneeded 'get' request when not deleting
# - make the delete request an interate and have it iterate over an empty array when not deleting and an array with one item when deleting
script "js_make_terminate_request", type: "javascript" do
parameters "should_delete", "policy_id", "rs_project_id", "rs_governance_host"
result "request"
code <<-EOS
var request = {
auth: 'auth_flexera',
host: rs_governance_host,
path: "/api/governance/projects/" + rs_project_id + "/applied_policies/" + policy_id,
headers: {
"API-Version": "1.0",
"Content-Type":"application/json"
},
}
if (should_delete) {
request.verb = 'DELETE'
}
EOS
end

datasource "ds_terminate_self" do
request do
run_script $js_make_terminate_request, $ds_parent_policy_terminated, policy_id, rs_project_id, rs_governance_host
end
end

datasource "ds_is_deleted" do
run_script $js_check_deleted, $ds_terminate_self
end

# This is just a way to have the check delete request connect to the farthest leaf from policy.
# We want the delete check to the first thing the policy does to avoid the policy erroring before it can decide whether or not it needs to self terminate
# Example a customer deletes a credential and then terminates the parent policy. We still want the children to self terminate
# The only way I could see this not happening is if the user who applied the parent_meta_policy was offboarded or lost policy access, the policies who are impersonating the user
# would not have access to self-terminate
# It may be useful for the backend to enable a mass terminate at some point for all meta_child_policies associated with an id.
script "js_check_deleted", type: "javascript" do
parameters "response"
result "result"
code <<-EOS
result = {"path":"/"}
EOS
end
Loading

0 comments on commit d23dbd9

Please sign in to comment.