cost/azure/unused_vngs/azure_unused_vngs.pt

name "Azure Unused Virtual Network Gateways"
rs_pt_ver 20180301
type "policy"
short_description "Reports unused Azure Virtual Network Gateways and deletes them after approval. See the [README](https://github.com/flexera-public/policy_templates/tree/master/cost/azure/unused_vngs/) and [docs.flexera.com/flexera/EN/Automation](https://docs.flexera.com/flexera/EN/Automation/AutomationGS.htm) to learn more."
long_description ""
category "Cost"
severity "low"
default_frequency "weekly"
info(
  version: "0.1.1",
  provider: "Azure",
  service: "Network",
  policy_set: "Unused Virtual Networks",
  hide_skip_approvals: "true"
)

###############################################################################
# Parameters
###############################################################################

parameter "param_email" do
  type "list"
  category "Policy Settings"
  label "Email Addresses"
  description "A list of email addresses to notify."
  default []
end

parameter "param_azure_endpoint" do
  type "string"
  category "Policy Settings"
  label "Azure Endpoint"
  description "Select the API endpoint to use for Azure. Use default value of management.azure.com unless using Azure China."
  allowed_values "management.azure.com", "management.chinacloudapi.cn"
  default "management.azure.com"
end

parameter "param_subscriptions_allow_or_deny" do
  type "string"
  category "Filters"
  label "Allow/Deny Subscriptions"
  description "Allow or Deny entered Subscriptions. See the README for more details."
  allowed_values "Allow", "Deny"
  default "Allow"
end

parameter "param_subscriptions_list" do
  type "list"
  category "Filters"
  label "Allow/Deny Subscriptions List"
  description "A list of allowed or denied Subscription IDs/names. See the README for more details."
  default []
end

parameter "param_regions_allow_or_deny" do
  type "string"
  category "Filters"
  label "Allow/Deny Regions"
  description "Allow or Deny entered regions. See the README for more details."
  allowed_values "Allow", "Deny"
  default "Allow"
end

parameter "param_regions_list" do
  type "list"
  category "Filters"
  label "Allow/Deny Regions List"
  description "A list of allowed or denied regions. See the README for more details."
  default []
end

parameter "param_exclusion_tags" do
  type "list"
  category "Filters"
  label "Exclusion Tags"
  description "Cloud native tags to ignore resources that you don't want to produce recommendations for. Enter the Key name to filter resources with a specific Key, regardless of Value, and enter Key==Value to filter resources with a specific Key:Value pair. Other operators and regex are supported; please see the README for more details."
  default []
end

parameter "param_exclusion_tags_boolean" do
  type "string"
  category "Filters"
  label "Exclusion Tags: Any / All"
  description "Whether to filter instances containing any of the specified tags or only those that contain all of them. Only applicable if more than one value is entered in the 'Exclusion Tags' field."
  allowed_values "Any", "All"
  default "Any"
end

parameter "param_automatic_action" do
  type "list"
  category "Actions"
  label "Automatic Actions"
  description "When this value is set, this policy will automatically take the selected action."
  allowed_values ["Delete Unused Virtual Network Gateways"]
  default []
end

###############################################################################
# Authentication
###############################################################################

credentials "auth_azure" do
  schemes "oauth2"
  label "Azure"
  description "Select the Azure Resource Manager Credential from the list."
  tags "provider=azure_rm"
end

credentials "auth_flexera" do
  schemes "oauth2"
  label "Flexera"
  description "Select Flexera One OAuth2 credentials"
  tags "provider=flexera"
end

###############################################################################
# Pagination
###############################################################################

pagination "pagination_azure" do
  get_page_marker do
    body_path "nextLink"
  end
  set_page_marker do
    uri true
  end
end

###############################################################################
# Datasources & Scripts
###############################################################################

# Get applied policy metadata for use later
datasource "ds_applied_policy" do
  request do
    auth $auth_flexera
    host rs_governance_host
    path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", policy_id])
    header "Api-Version", "1.0"
  end
end

datasource "ds_azure_subscriptions" do
  request do
    auth $auth_azure
    pagination $pagination_azure
    host $param_azure_endpoint
    path "/subscriptions/"
    query "api-version", "2020-01-01"
    header "User-Agent", "RS Policies"
    # Header X-Meta-Flexera has no affect on datasource query, but is required for Meta Policies
    # Forces `ds_is_deleted` datasource to run first during policy execution
    header "Meta-Flexera", val($ds_is_deleted, "path")
    # Ignore status 400, 403, and 404 which can be returned in certain (legacy) types of Azure Subscriptions
    ignore_status [400, 403, 404]
  end
  result do
    encoding "json"
    collect jmes_path(response, "value[*]") do
      field "id", jmes_path(col_item, "subscriptionId")
      field "name", jmes_path(col_item, "displayName")
      field "state", jmes_path(col_item, "state")
    end
  end
end

datasource "ds_azure_subscriptions_filtered" do
  run_script $js_azure_subscriptions_filtered, $ds_azure_subscriptions, $param_subscriptions_allow_or_deny, $param_subscriptions_list
end

script "js_azure_subscriptions_filtered", type: "javascript" do
  parameters "ds_azure_subscriptions", "param_subscriptions_allow_or_deny", "param_subscriptions_list"
  result "result"
  code <<-EOS
  if (param_subscriptions_list.length > 0) {
    result = _.filter(ds_azure_subscriptions, function(subscription) {
      include_subscription = _.contains(param_subscriptions_list, subscription['id']) || _.contains(param_subscriptions_list, subscription['name'])

      if (param_subscriptions_allow_or_deny == "Deny") {
        include_subscription = !include_subscription
      }

      return include_subscription
    })
  } else {
    result = ds_azure_subscriptions
  }
EOS
end

datasource "ds_azure_vngs" do
  iterate $ds_azure_subscriptions_filtered
  request do
    auth $auth_azure
    pagination $pagination_azure
    host $param_azure_endpoint
    path join(["/subscriptions/", val(iter_item, "id"), "/providers/Microsoft.Network/virtualNetworkGateways"])
    query "api-version", "2024-01-01"
    header "User-Agent", "RS Policies"
    # Ignore status 400, 403, and 404 which can be returned in certain (legacy) types of Azure Subscriptions
    ignore_status [400, 403, 404]
  end
  result do
    encoding "json"
    collect jmes_path(response, "value") do
      field "id", jmes_path(col_item, "id")
      field "name", jmes_path(col_item, "name")
      field "type", jmes_path(col_item, "type")
      field "region", jmes_path(col_item, "location")
      field "sku", jmes_path(col_item, "properties.sku")
      field "provisioningState", jmes_path(col_item, "properties.provisioningState")
      field "ipConfigurations", jmes_path(col_item, "properties.ipConfigurations")
      field "natRules", jmes_path(col_item, "properties.natRules")
      field "gatewayType", jmes_path(col_item, "properties.gatewayType")
      field "vpnType", jmes_path(col_item, "properties.vpnType")
      field "allowVirtualWanTraffic", jmes_path(col_item, "properties.allowVirtualWanTraffic")
      field "allowRemoteVnetTraffic", jmes_path(col_item, "properties.allowRemoteVnetTraffic")
      field "resourceGroup", get(4, split(jmes_path(col_item, "id"), "/"))
      field "subscriptionId", val(iter_item, "id")
      field "subscriptionName", val(iter_item, "name")
    end
  end
end

datasource "ds_azure_vngs_tag_filtered" do
  run_script $js_azure_vngs_tag_filtered, $ds_azure_vngs, $param_exclusion_tags, $param_exclusion_tags_boolean
end

script "js_azure_vngs_tag_filtered", type: "javascript" do
  parameters "ds_azure_vngs", "param_exclusion_tags", "param_exclusion_tags_boolean"
  result "result"
  code <<-EOS
  comparators = _.map(param_exclusion_tags, function(item) {
    if (item.indexOf('==') != -1) {
      return { comparison: '==', key: item.split('==')[0], value: item.split('==')[1], string: item }
    }

    if (item.indexOf('!=') != -1) {
      return { comparison: '!=', key: item.split('!=')[0], value: item.split('!=')[1], string: item }
    }

    if (item.indexOf('=~') != -1) {
      value = item.split('=~')[1]
      regex = new RegExp(value.slice(1, value.length - 1))
      return { comparison: '=~', key: item.split('=~')[0], value: regex, string: item }
    }

    if (item.indexOf('!~') != -1) {
      value = item.split('!~')[1]
      regex = new RegExp(value.slice(1, value.length - 1))
      return { comparison: '!~', key: item.split('!~')[0], value: regex, string: item }
    }

    // If = is present but none of the above are, assume user error and that the user intended ==
    if (item.indexOf('=') != -1) {
      return { comparison: '==', key: item.split('=')[0], value: item.split('=')[1], string: item }
    }

    // Assume we're just testing for a key if none of the comparators are found
    return { comparison: 'key', key: item, value: null, string: item }
  })

  if (param_exclusion_tags.length > 0) {
    result = _.reject(ds_azure_vngs, function(resource) {
      resource_tags = {}
      if (typeof(resource['tags']) == 'object') { resource_tags = resource['tags'] }

      // Store a list of found tags
      found_tags = []

      _.each(comparators, function(comparator) {
        comparison = comparator['comparison']
        value = comparator['value']
        string = comparator['string']
        resource_tag = resource_tags[comparator['key']]

        if (comparison == 'key' && resource_tag != undefined) { found_tags.push(string) }
        if (comparison == '==' && resource_tag == value) { found_tags.push(string) }
        if (comparison == '!=' && resource_tag != value) { found_tags.push(string) }

        if (comparison == '=~') {
          if (resource_tag != undefined && value.test(resource_tag)) { found_tags.push(string) }
        }

        if (comparison == '!~') {
          if (resource_tag == undefined) { found_tags.push(string) }
          if (resource_tag != undefined && value.test(resource_tag)) { found_tags.push(string) }
        }
      })

      all_tags_found = found_tags.length == comparators.length
      any_tags_found = found_tags.length > 0 && param_exclusion_tags_boolean == 'Any'

      return all_tags_found || any_tags_found
    })
  } else {
    result = ds_azure_vngs
  }
EOS
end

datasource "ds_azure_vngs_region_filtered" do
  run_script $js_azure_vngs_region_filtered, $ds_azure_vngs_tag_filtered, $param_regions_allow_or_deny, $param_regions_list
end

script "js_azure_vngs_region_filtered", type: "javascript" do
  parameters "ds_azure_vngs_tag_filtered", "param_regions_allow_or_deny", "param_regions_list"
  result "result"
  code <<-EOS
  if (param_regions_list.length > 0) {
    result = _.filter(ds_azure_vngs_tag_filtered, function(resource) {
      include_resource = _.contains(param_regions_list, resource['region'])
      if (param_regions_allow_or_deny == "Deny") { include_resource = !include_resource }
      return include_resource
    })
  } else {
    result = ds_azure_vngs_tag_filtered
  }
EOS
end

datasource "ds_azure_vng_connections" do
  iterate $ds_azure_vngs_region_filtered
  request do
    auth $auth_azure
    pagination $pagination_azure
    host $param_azure_endpoint
    path join([val(iter_item, "id"), "/connections"])
    query "api-version", "2024-01-01"
    header "User-Agent", "RS Policies"
    # Ignore status 400, 403, and 404 which can be returned in certain (legacy) types of Azure Subscriptions
    ignore_status [400, 403, 404]
  end
  result do
    encoding "json"
    collect jmes_path(response, "value") do
      field "id", jmes_path(col_item, "id")
      field "name", jmes_path(col_item, "name")
      field "type", jmes_path(col_item, "type")
      field "provisioningState", jmes_path(col_item, "properties.provisioningState")
      field "connectionType", jmes_path(col_item, "properties.connectionType")
      field "routingWeight", jmes_path(col_item, "properties.routingWeight")
      field "enableBgp", jmes_path(col_item, "properties.enableBgp")
      field "virtualNetworkGateway1", jmes_path(col_item, "properties.virtualNetworkGateway1.id")
      field "virtualNetworkGateway2", jmes_path(col_item, "properties.virtualNetworkGateway2.id")
      field "ingressBytesTransferred", jmes_path(col_item, "properties.ingressBytesTransferred")
      field "egressBytesTransferred", jmes_path(col_item, "properties.egressBytesTransferred")
      field "usePolicyBasedTrafficSelectors", jmes_path(col_item, "properties.usePolicyBasedTrafficSelectors")
      field "vngId", val(iter_item, "id")
      field "region", val(iter_item, "region")
      field "resourceGroup", val(iter_item, "resourceGroup")
      field "subscriptionId", val(iter_item, "subscriptionId")
      field "subscriptionName", val(iter_item, "subscriptionName")
    end
  end
end

datasource "ds_bad_azure_vngs" do
  run_script $js_bad_azure_vngs, $ds_azure_vngs_region_filtered, $ds_azure_vng_connections, $ds_applied_policy
end

script "js_bad_azure_vngs", type: "javascript" do
  parameters "ds_azure_vngs_region_filtered", "ds_azure_vng_connections", "ds_applied_policy"
  result "result"
  code <<-'EOS'
  bad_vngs = _.reject(ds_azure_vngs_region_filtered, function(vng) {
    return _.contains(_.pluck(ds_azure_vng_connections, 'vngId'), vng['id']) && vng['provisioningState'] == "Succeeded"
  })

  result = _.map(bad_vngs, function(vng) {
    tags = []

    if (typeof(vng['tags']) == 'object') {
      tags = _.map(_.keys(vng['tags']), function(key) { return key + "=" + vng['tags'][key] })
    }

    recommendationDetails = [
      "Delete Azure Virtual Network Gateway ", vng["name"], " ",
      "in Azure Subscription ", vng["subscriptionName"],
      " (", vng["subscriptionId"], ")"
    ].join('')

    connections = 0

    if (_.contains(_.pluck(ds_azure_vng_connections, 'vngId'), vng['id'])) {
      connection_list = _.filter(ds_azure_vng_connections, function(item) { return item['vngId'] == vng['id'] })
      connections = connection_list.length
    }

    return {
      accountID: vng['subscriptionId'],
      accountName: vng['subscriptionName'],
      resourceGroup: vng['resourceGroup'],
      resourceID: vng['id'],
      resourceName: vng['name'],
      type: vng['type'],
      region: vng['region'],
      state: vng['provisioningState'],
      gatewayType: vng['gatewayType'],
      vpnType: vng['vpnType'],
      tags: tags.join(', '),
      service: "Microsoft.Network",
      connections: connections,
      recommendationDetails: recommendationDetails,
      policy_name: ds_applied_policy['name'],
      message: ""
    }
  })

  // Message for incident output
  total_vngs = ds_azure_vngs_region_filtered.length.toString()
  total_unused_vngs = result.length.toString()
  unused_vngs_percentage = (total_unused_vngs / total_vngs * 100).toFixed(2).toString() + '%'

  findings = [
    "Out of ", total_vngs, " Azure Virtual Network Gateways analyzed, ",
    total_unused_vngs, " (", unused_vngs_percentage,
    ") either failed to provision or have no connections configured ",
    "and are recommended for deletion.\n\n"
  ].join('')

  // Dummy item to ensure that the check statement in the policy executes at least once
  result.push({
    accountID: "",
    accountName: "",
    resourceGroup: "",
    resourceID: "",
    resourceName: "",
    type: "",
    region: "",
    state: "",
    gatewayType: "",
    vpnType: "",
    tags: "",
    service: "",
    connections: "",
    recommendationDetails: "",
    policy_name: "",
    message: ""
  })

  result[0]['message'] = findings
EOS
end

###############################################################################
# Policy
###############################################################################

policy "pol_azure_unused_vngs" do
  validate_each $ds_bad_azure_vngs do
    summary_template "{{ with index data 0 }}{{ .policy_name }}{{ end }}: {{ len data }} Azure Unused Virtual Network Gateways Found"
    detail_template <<-'EOS'
    {{ with index data 0 }}{{ .message }}{{ end }}
    EOS
    check logic_or($ds_parent_policy_terminated, eq(val(item, "resourceID"), ""))
    escalate $esc_email
    escalate $esc_delete_vng
    hash_exclude "message", "tags"
    export do
      resource_level true
      field "accountID" do
        label "Subscription ID"
      end
      field "accountName" do
        label "Subscription Name"
      end
      field "resourceGroup" do
        label "Resource Group"
      end
      field "resourceName" do
        label "Resource Name"
      end
      field "tags" do
        label "Resource Tags"
      end
      field "region" do
        label "Region"
      end
      field "state" do
        label "Provisioning State"
      end
      field "connections" do
        label "Connections (#)"
      end
      field "recommendationDetails" do
        label "Recommendation"
      end
      field "type" do
        label "Resource Type"
      end
      field "gatewayType" do
        label "Gateway Type"
      end
      field "vpnType" do
        label "VPN Type"
      end
      field "service" do
        label "Service"
      end
      field "resourceID" do
        label "Resource ID"
      end
      field "id" do
        label "ID"
        path "resourceID"
      end
    end
  end
end

###############################################################################
# Escalations
###############################################################################

escalation "esc_email" do
  automatic true
  label "Send Email"
  description "Send incident email"
  email $param_email
end

escalation "esc_delete_vng" do
  automatic contains($param_automatic_action, "Delete Unused Virtual Network Gateways")
  label "Delete Unused Virtual Network Gateways"
  description "Approval to delete all selected Azure Virtual Network Gateways"
  run "delete_vngs", data, $param_azure_endpoint
end

###############################################################################
# Cloud Workflow
###############################################################################

define delete_vngs($data, $param_azure_endpoint) return $all_responses do
  $$all_responses = []

  foreach $instance in $data do
    sub on_error: handle_error() do
      call delete_vng($instance, $param_azure_endpoint) retrieve $delete_response
    end
  end

  if inspect($$errors) != "null"
    raise join($$errors, "\n")
  end
end

define delete_vng($instance, $param_azure_endpoint) return $response do
  $host = $param_azure_endpoint
  $href = $instance["id"]
  $params = "?api-version=2024-01-01"
  $url = $host + $href + $params
  task_label("DELETE " + $url)

  $response = http_request(
    auth: $$auth_azure,
    https: true,
    verb: "delete",
    host: $host,
    href: $href,
    query_strings: { "api-version": "2024-01-01" }
  )

  task_label("Delete Azure Virtual Network Gateway response: " + $instance["id"] + " " + to_json($response))
  $$all_responses << to_json({"req": "DELETE " + $url, "resp": $response})

  if $response["code"] != 204 && $response["code"] != 202 && $response["code"] != 200
    raise "Unexpected response deleting Azure Virtual Network Gateway: "+ $instance["id"] + " " + to_json($response)
  else
    task_label("Delete Azure Virtual Network Gateway successful: " + $instance["id"])
  end
end

define handle_error() do
  if !$$errors
    $$errors = []
  end
  $$errors << $_error["type"] + ": " + $_error["message"]
  # We check for errors at the end, and raise them all together
  # Skip errors handled by this definition
  $_error_behavior = "skip"
end

###############################################################################
# Meta Policy [alpha]
# Not intended to be modified or used by policy developers
###############################################################################

# If the meta_parent_policy_id is not set it will evaluate to an empty string and we will look for the policy itself,
# if it is set we will look for the parent policy.
datasource "ds_get_policy" do
  request do
    auth $auth_flexera
    host rs_governance_host
    ignore_status [404]
    path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", switch(ne(meta_parent_policy_id, ""), meta_parent_policy_id, policy_id)])
    header "Api-Version", "1.0"
  end
  result do
    encoding "json"
    field "id", jmes_path(response, "id")
  end
end

datasource "ds_parent_policy_terminated" do
  run_script $js_decide_if_self_terminate, $ds_get_policy, policy_id, meta_parent_policy_id
end

# If the policy was applied by a meta_parent_policy we confirm it exists if it doesn't we confirm we are deleting
# This information is used in two places:
# - determining whether or not we make a delete call
# - determining if we should create an incident (we don't want to create an incident on the run where we terminate)
script "js_decide_if_self_terminate", type: "javascript" do
  parameters "found", "self_policy_id", "meta_parent_policy_id"
  result "result"
  code <<-EOS
  var result
  if (meta_parent_policy_id != "" && found.id == undefined) {
    result = true
  } else {
    result = false
  }
  EOS
end

# Two potentials ways to set this up:
# - this way and make a unneeded 'get' request when not deleting
# - make the delete request an interate and have it iterate over an empty array when not deleting and an array with one item when deleting
script "js_make_terminate_request", type: "javascript" do
  parameters "should_delete", "policy_id", "rs_project_id", "rs_governance_host"
  result "request"
  code <<-EOS

  var request = {
    auth:  'auth_flexera',
    host: rs_governance_host,
    path: "/api/governance/projects/" + rs_project_id + "/applied_policies/" + policy_id,
    headers: {
      "API-Version": "1.0",
      "Content-Type":"application/json"
    },
  }

  if (should_delete) {
    request.verb = 'DELETE'
  }
  EOS
end

datasource "ds_terminate_self" do
  request do
    run_script $js_make_terminate_request, $ds_parent_policy_terminated, policy_id, rs_project_id, rs_governance_host
  end
end

datasource "ds_is_deleted" do
  run_script $js_check_deleted, $ds_terminate_self
end

# This is just a way to have the check delete request connect to the farthest leaf from policy.
# We want the delete check to the first thing the policy does to avoid the policy erroring before it can decide whether or not it needs to self terminate
# Example a customer deletes a credential and then terminates the parent policy. We still want the children to self terminate
# The only way I could see this not happening is if the user who applied the parent_meta_policy was offboarded or lost policy access, the policies who are impersonating the user
# would not have access to self-terminate
# It may be useful for the backend to enable a mass terminate at some point for all meta_child_policies associated with an id.
script "js_check_deleted", type: "javascript" do
  parameters "response"
  result "result"
  code <<-EOS
  result = {"path":"/"}
  EOS
end