POL-998 AWS Schedule Instance Revamp (#1808)

* schedule

* update

* update

* update

* CHANGELOG

* update

* update

* update

* update

* update

* update

* update

* update

* update

* tweak

* update

* update

* update

* updated permissions formatting in README, updated permissions list to include AWS Schedule Instances

* edit dangerfile to ignore meta policy when looking for new datasources (test)

* update

* update

* update if condition to replace "==false" with "!" (test)

* test with just original code surrounded in parenthesis

* retest if statement with added condition for ignoring meta parent policy templates

---------

Co-authored-by: Nia Velinor-Fraser <NVelinorFraser@flexera.com>

cost/aws/schedule_instance/CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changelog
 
+## v5.0
+
+- Several parameters altered to be more descriptive and human-readable
+- Added ability to specify custom tag keys for tracking instance schedules
+- Added ability to filter resources by multiple tag key:value pairs
+- Added ability for user to start and stop instances directly
+- Normalized incident export to be consistent with other policies
+- Added additional fields to incident export for additional context
+- Streamlined code for better readability and faster execution
+- Policy action error logging modernized and now works as expected in EU/APAC
+
 ## v4.2
 
 - Improved logging, and error capture/handling

cost/aws/schedule_instance/README.md

@@ -1,34 +1,39 @@
 # AWS Schedule Instance
 
-## What it does
+## What It Does
 
-This Policy Template allows you to schedule start and stop times for your instance, along with the option to terminate instance, update and delete schedule.
+This policy schedules AWS EC2 instances to start and stop at specific times based on a configuration stored in the instance's tags. The user can also perform a variety of ad hoc actions on the instance from the incident page.
 
-## How to Use
+## How To Use
 
-This policy relies on a tag with format 'schedule' to stop and start instances based on a schedule. The tag value defines the schedule with a start hour, stop hour and days of the week. The start and stop hour are in 24 hour format, and the days of the week are two character abbreviation for example: MO, TU, WE. See full example below.. Use a Timezone TZ value to indicate a timezone to stop/start the instance(s)
+This policy uses the schedule tag value (default key: schedule) for scheduling the instance. The appropriate value should be added to as a tag to every instance you want to manage via this policy.
 
-## Schedule Tag Example
+This value is a string consisting of 3 semicolon-separated substrings:
 
-Start and Stop hours are 24 hour format: for example 8:15-17:30 is start at 8:15am, and stop at 5:30pm.
+- *Hours* - Start and stop hours are 24 hour format. For example, a value of `8:15-17:30` will start instances at 8:15 and stop them at 17:30 (5:30 pm). If the minute field is left blank, the minute value of `00` will be assumed.
+- *Days of the Week* - Comma-separated list of days indicated by their two-letter abbreviation value from the following list: SU,MO,TU,WE,TH,FR,SA. For example, a value of `MO,TU,WE,TH,FR` will start and stop the instances on weekdays but not on weekends.
+- *Timezone* - Timezone in [tz database format](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). For example, a value of `America/New_York` would specify US Eastern Time. Defaults to UTC if no Timezone field is provided.
 
-Days of the week: SU,MO,TU,WE,TH,FR,SA
+**Example Value:** 8:15-17:30;MO,TU,WE,TH,FR;America/New_York
 
-Timezone: Use the TZ database name from the timezone list. For example use America/New_York for Eastern time.
+- Starts instances at 8:15am
+- Stops instance at 5:30pm
+- Monday - Friday, US Eastern Time.
 
-Example: schedule=8:15-17:30;MO,TU,WE,TH,FR;America/New_York. Starts instances at 8:15am, stops instance at 5:30pm, Monday - Friday, Eastern Time.
-
-Instances are off during the weekend and start back up on Monday morning at 8:15am and are off at 5:30pm every weekday. Times are UTC unless the Timezone field is provided.
+In the above example, instances are off during the weekend and start back up on Monday morning at 8:15am and are off at 5:30pm every weekday. Times are UTC unless the Timezone field is provided.
 
 ## Input Parameters
 
 This policy has the following input parameters required when launching the policy.
 
-- *Allowed/Denied Regions* - Whether to treat regions parameter as allow or deny list.
-- *Regions* - A list of regions to allow or deny for an AWS account. Please enter the regions code if SCP is enabled, see [Available Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions) in AWS; otherwise, the policy may fail on regions that are disabled via SCP. Leave blank to consider all the regions.
-- *Account Number* - The Account number for use with the AWS STS Cross Account Role. Leave blank when using AWS IAM Access key and secret. It only needs to be passed when the desired AWS account is different than the one associated with the Flexera One credential. [more](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_1982464505_1123608)
-- *Email addresses* - A list of email addresses to notify.
-- *Exclusion Tags* - A list of AWS tags to ignore instances. Format: Key=Value.
+- *Email Addresses* - Email addresses of the recipients you wish to notify when new incidents are created.
+- *Account Number* - The Account number for use with the AWS STS Cross Account Role. Leave blank when using AWS IAM Access key and secret. It only needs to be passed when the desired AWS account is different than the one associated with the Flexera One credential. [More information is available in our documentation.](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_1982464505_1123608)
+- *Schedule Tag Key* - Tag key that schedule information is stored in. Default is recommended for most use cases.
+- *Next Start Tag Key* - Tag key to use for scheduling instance to start. Default is recommended for most use cases.
+- *Next Stop Tag Key* - Tag key to use for scheduling instance to stop. Default is recommended for most use cases.
+- *Allow/Deny Regions* - Whether to treat Allow/Deny Regions List parameter as allow or deny list. Has no effect if Allow/Deny Regions List is left empty.
+- *Allow/Deny Regions List* - A list of regions to allow or deny for an AWS account. Please enter the regions code if SCP is enabled. See [Available Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions) in AWS; otherwise, the policy may fail on regions that are disabled via SCP. Leave blank to consider all the regions.
+- *Exclusion Tags (Key:Value)* - Cloud native tags to ignore resources that you don't want to produce recommendations for. Use Key:Value format for specific tag key/value pairs, and Key:\* format to match any resource with a particular key, regardless of value. Examples: env:production, DO_NOT_DELETE:\*
 - *Automatic Actions* - When this value is set, this policy will automatically take the selected action(s).
 
 Please note that the "*Automatic Actions*" parameter contains a list of action(s) that can be performed on the resources. When it is selected, the policy will automatically execute the corresponding action on the data that failed the checks, post incident generation. Please leave it blank for *manual* action.
@@ -38,22 +43,16 @@ For example if a user selects the "Schedule Instances" action while applying the
 
 The following policy actions are taken on any resources found to be out of compliance.
 
-- Send an email report
-- schedule  - start or stop a selected instance
-- terminate - terminates or deletes the selected instance.
-- update schedule - change existing schedule tag.  input to provide a new stop/start schedule. The format is schedule=new_schedule
-- delete schedule - removes the schedule tag
+- Send an email report.
+- *Execute Schedules* - Power the resources on or off as needed based on their schedules
+- *Update Schedules* - Update the schedule tag on the resources with a new schedule
+- *Delete Schedules* - Delete all schedule tags from the resource so that it is no longer powered on or off by this policy
+- *Start Instances* - Start the resources if they are not currently running.
+- *Stop Instances* - Stop the resources if they are currently running.
+- *Terminate Instances* - Terminate the resources.
 
 ## Prerequisites
 
-### Schedule Tag Format
-
-This policy uses `schedule` tag value for scheduling the instance. The format should be like `8:15-17:30;MO,TU,WE,TH,FR;America/New_York`. Please refer to `Schedule Tag Example` section for more details.
-On leaving the minute field blank, policy will consider the minute as `00` and same will be added to the schedule tag value.
-
-This policy uses [credentials](https://docs.flexera.com/flexera/EN/Automation/ManagingCredentialsExternal.htm) for connecting to the  cloud
--- in order to apply this policy you must have a credential registered in the system that is compatible with this policy. If  there are no credentials listed when you apply the policy, please contact your cloud admin and ask them to register a credential  that is compatible with this policy. The information below should be consulted when creating the credential.
-
 ### Credential configuration
 
 This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Automation/ManagingCredentialsExternal.htm) for authenticating to datasources -- in order to apply this policy you must have a Credential registered in the system that is compatible with this policy. If there are no Credentials listed when you apply the policy, please contact your Flexera Org Admin and ask them to register a Credential that is compatible with this policy. The information below should be consulted when creating the credential(s).
@@ -66,10 +65,10 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto
   - `ec2:CreateTags`
   - `ec2:DeleteTags`
   - `ec2:DescribeRegions`
-  - `kms:CreateGrant` `*`
-  - `kms:Decrypt` `*`
+  - `kms:CreateGrant`*
+  - `kms:Decrypt`*
 
-  `*` Only required if using Customer Managed KMS Key on Volumes mounted by EC2 Instance(s)
+  \* Only required if using Customer Managed KMS Key on Volumes mounted by EC2 Instance(s)
 
   Example IAM Permission Policy: