

NVF/POL-918 Add Long Running Instances (AWS and Azure), AWS Long Stop…
…ped EC2 Instances (#1820)

* Updated Permissions list to include AWS Long Running Instances and Azure Long Running Instances

* Updated Permissions list to include AWS Long Stopped EC2 Instances
nia-vf1 authored Feb 13, 2024
1 parent 6987e7b commit 18ac6ad
Showing 3 changed files with 248 additions and 0 deletions.
152 changes: 152 additions & 0 deletions data/policy_permissions_list/master_policy_permissions_list.json
@@ -1,5 +1,69 @@
{
"values": [
{
"id": "./compliance/aws/long_stopped_instances/aws_long_stopped_instances.pt",
"name": "AWS Long Stopped EC2 Instances",
"version": "5.0",
"providers": [
{
"name": "aws",
"permissions": [
{
"name": "ec2:DescribeRegions",
"read_only": true,
"required": true
},
{
"name": "ec2:DescribeInstances",
"read_only": true,
"required": true
},
{
"name": "ec2:DescribeInstanceStatus",
"read_only": false,
"required": false,
"description": "Only required for taking action (termination); the policy will still function in a read-only capacity without these permissions."
},
{
"name": "ec2:TerminateInstances",
"read_only": false,
"required": false,
"description": "Only required for taking action (termination); the policy will still function in a read-only capacity without these permissions."
},
{
"name": "cloudwatch:GetMetricStatistics",
"read_only": true,
"required": true
},
{
"name": "cloudwatch:GetMetricData",
"read_only": true,
"required": true
},
{
"name": "cloudwatch:ListMetrics",
"read_only": true,
"required": true
},
{
"name": "sts:GetCallerIdentity",
"read_only": true,
"required": true
}
]
},
{
"name": "flexera",
"permissions": [
{
"name": "billing_center_viewer",
"read_only": true,
"required": true
}
]
}
]
},
{
"id": "./compliance/aws/untagged_resources/aws_untagged_resources.pt",
"name": "AWS Untagged Resources",
Expand Down Expand Up @@ -1479,6 +1543,61 @@
}
]
},
{
"id": "./operational/aws/long_running_instances/long_running_instances.pt",
"name": "AWS Long Running Instances",
"version": "4.3",
"providers": [
{
"name": "aws",
"permissions": [
{
"name": "ec2:DescribeRegions",
"read_only": true,
"required": true
},
{
"name": "ec2:DescribeInstances",
"read_only": true,
"required": true
},
{
"name": "ec2:DescribeInstanceStatus",
"read_only": false,
"required": false,
"description": "Only required for taking action (stopping or terminating instances); the policy will still function in a read-only capacity without these permissions."
},
{
"name": "ec2:StopInstances",
"read_only": false,
"required": false,
"description": "Only required for taking action (stopping or terminating instances); the policy will still function in a read-only capacity without these permissions."
},
{
"name": "ec2:TerminateInstances",
"read_only": false,
"required": false,
"description": "Only required for taking action (stopping or terminating instances); the policy will still function in a read-only capacity without these permissions."
},
{
"name": "sts:GetCallerIdentity",
"read_only": true,
"required": true
}
]
},
{
"name": "flexera",
"permissions": [
{
"name": "billing_center_viewer",
"read_only": true,
"required": true
}
]
}
]
},
{
"id": "./operational/aws/tag_cardinality/aws_tag_cardinality.pt",
"name": "AWS Tag Cardinality Report",
Expand Down Expand Up @@ -1511,6 +1630,39 @@
}
]
},
{
"id": "./operational/azure/azure_long_running_instances/azure_long_running_instances.pt",
"name": "Azure Long Running Instances",
"version": "5.1",
"providers": [
{
"name": "azure_rm",
"permissions": [
{
"name": "Microsoft.Compute/virtualMachines/read",
"read_only": true,
"required": true
},
{
"name": "Microsoft.Compute/virtualMachines/write",
"read_only": false,
"required": false,
"description": "Only required for taking action (powering off or deleting); the policy will still function in a read-only capacity without these permissions."
}
]
},
{
"name": "flexera",
"permissions": [
{
"name": "billing_center_viewer",
"read_only": true,
"required": true
}
]
}
]
},
{
"id": "./operational/azure/tag_cardinality/azure_tag_cardinality.pt",
"name": "Azure Tag Cardinality Report",
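Review bot: `ec2:DescribeInstanceStatus` is listed with `"read_only": false` in both new AWS entries (AWS Long Stopped EC2 Instances and AWS Long Running Instances), although it is a Describe call that modifies nothing and the neighbouring Describe actions in the same entries carry `"read_only": true`. If `read_only` describes what the IAM action can do rather than when the policy happens to call it, those two entries should read `"read_only": true` while keeping `"required": false` and the description. The new Azure entry names only `Microsoft.Compute/virtualMachines/write` for "powering off or deleting", but in Azure RBAC power-off and delete are separate operations (`Microsoft.Compute/virtualMachines/powerOff/action`, `Microsoft.Compute/virtualMachines/deallocate/action`, `Microsoft.Compute/virtualMachines/delete`), so a least-privilege role built from this list would presumably be unable to perform the documented action — worth confirming against the calls the policy template actually makes. The YAML file in this commit mirrors the same three entries, and the validation comment in the third file indicates both datasets are generated from the README, so the correction belongs at the source and should be regenerated into both files.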
93 changes: 93 additions & 0 deletions data/policy_permissions_list/master_policy_permissions_list.yaml
@@ -1,5 +1,44 @@
---
:values:
- id: "./compliance/aws/long_stopped_instances/aws_long_stopped_instances.pt"
name: AWS Long Stopped EC2 Instances
version: '5.0'
:providers:
- :name: aws
:permissions:
- name: ec2:DescribeRegions
read_only: true
required: true
- name: ec2:DescribeInstances
read_only: true
required: true
- name: ec2:DescribeInstanceStatus
read_only: false
required: false
description: Only required for taking action (termination); the policy will
still function in a read-only capacity without these permissions.
- name: ec2:TerminateInstances
read_only: false
required: false
description: Only required for taking action (termination); the policy will
still function in a read-only capacity without these permissions.
- name: cloudwatch:GetMetricStatistics
read_only: true
required: true
- name: cloudwatch:GetMetricData
read_only: true
required: true
- name: cloudwatch:ListMetrics
read_only: true
required: true
- name: sts:GetCallerIdentity
read_only: true
required: true
- :name: flexera
:permissions:
- name: billing_center_viewer
read_only: true
required: true
- id: "./compliance/aws/untagged_resources/aws_untagged_resources.pt"
name: AWS Untagged Resources
version: '5.0'
Expand Down Expand Up @@ -910,6 +949,41 @@
- name: billing_center_viewer
read_only: true
required: true
- id: "./operational/aws/long_running_instances/long_running_instances.pt"
name: AWS Long Running Instances
version: '4.3'
:providers:
- :name: aws
:permissions:
- name: ec2:DescribeRegions
read_only: true
required: true
- name: ec2:DescribeInstances
read_only: true
required: true
- name: ec2:DescribeInstanceStatus
read_only: false
required: false
description: Only required for taking action (stopping or terminating instances);
the policy will still function in a read-only capacity without these permissions.
- name: ec2:StopInstances
read_only: false
required: false
description: Only required for taking action (stopping or terminating instances);
the policy will still function in a read-only capacity without these permissions.
- name: ec2:TerminateInstances
read_only: false
required: false
description: Only required for taking action (stopping or terminating instances);
the policy will still function in a read-only capacity without these permissions.
- name: sts:GetCallerIdentity
read_only: true
required: true
- :name: flexera
:permissions:
- name: billing_center_viewer
read_only: true
required: true
- id: "./operational/aws/tag_cardinality/aws_tag_cardinality.pt"
name: AWS Tag Cardinality Report
version: '3.0'
Expand All @@ -928,6 +1002,25 @@
- name: organizations:ListTagsForResource
read_only: true
required: true
- id: "./operational/azure/azure_long_running_instances/azure_long_running_instances.pt"
name: Azure Long Running Instances
version: '5.1'
:providers:
- :name: azure_rm
:permissions:
- name: Microsoft.Compute/virtualMachines/read
read_only: true
required: true
- name: Microsoft.Compute/virtualMachines/write
read_only: false
required: false
description: Only required for taking action (powering off or deleting); the
policy will still function in a read-only capacity without these permissions.
- :name: flexera
:permissions:
- name: billing_center_viewer
read_only: true
required: true
- id: "./operational/azure/tag_cardinality/azure_tag_cardinality.pt"
name: Azure Tag Cardinality Report
version: '3.1'
Expand Up @@ -4,6 +4,7 @@
# - The `data/policy_permissions_list/master_policy_permissions_list` datasets contains all permissions from the README.md -- this confirms generate_policy_master_permissions.rb script parses README as expected
validated_policy_templates:
# AWS
- "./compliance/aws/long_stopped_instances/aws_long_stopped_instances.pt"
- "./compliance/aws/untagged_resources/aws_untagged_resources.pt"
- "./cost/aws/rightsize_ec2_instances/aws_rightsize_ec2_instances.pt"
- "./cost/aws/rightsize_rds_instances/aws_rightsize_rds_instances.pt"
Expand All @@ -14,6 +15,7 @@ validated_policy_templates:
- "./cost/aws/rightsize_rds_instances/aws_rightsize_rds_instances.pt"
- "./cost/aws/rightsize_ebs_volumes/aws_volumes_rightsizing.pt"
- "./operational/aws/tag_cardinality/aws_tag_cardinality.pt"
- "./operational/aws/long_running_instances/long_running_instances.pt"
# Azure
- "./compliance/azure/azure_long_stopped_instances/long_stopped_instances_azure.pt"
- "./compliance/azure/azure_untagged_resources/untagged_resources.pt"
Expand All @@ -29,6 +31,7 @@ validated_policy_templates:
- "./cost/azure/rightsize_sql_instances/azure_rightsize_sql_instances.pt"
- "./cost/azure/rightsize_managed_disks/azure_rightsize_managed_disks.pt"
- "./operational/azure/tag_cardinality/azure_tag_cardinality.pt"
- "./operational/azure/azure_long_running_instances/azure_long_running_instances.pt"
# Google
- "./compliance/google/unlabeled_resources/unlabeled_resources.pt"
- "./cost/google/rightsize_vm_recommendations/google_rightsize_vm_recommendations.pt"

