POL-744 Meta Policy for AWS Untagged Resources (Sub-Task 1 POL-890) (#…

…1373) * Update CHANGELOG.md Updated Changelog with relevant changes * Update aws_untagged_resources.pt Added 'flexera_auth' Auth definition, updated template so it can support meta policy functionality * Update README.md Updated Credential Configuration section to include Flexera One Credential * Update meta_parent_policy_compiler.rb Line 18 - Added untagged resources to default_child_policy_template_files * Update Meta Parent Policy Templates (#1374) Co-authored-by: nia-vf1 <nia-vf1@users.noreply.github.com> * Update CHANGELOG.md * Delete aws_untagged_resources_meta_parent.pt removing meta parent as part of this PR as this requires regex fix * Update meta_parent_policy_compiler.rb removed child policy from default child policy template list * Update aws_untagged_resources.pt added comment above check function in policy definition --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: nia-vf1 <nia-vf1@users.noreply.github.com>
flexera-public · Jul 27, 2023 · 233c33a · 233c33a
1 parent b38a0fe
commit 233c33a
Show file tree

Hide file tree

Showing 3 changed files with 150 additions and 34 deletions.
diff --git a/compliance/aws/untagged_resources/CHANGELOG.md b/compliance/aws/untagged_resources/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## v4.0
+
+- Added logic required for "Meta Policy" use-cases
+- Flexera credential now required to facilitate meta policy use cases.
+
 ## v3.0
 
 - Added parameter to enable Allow or Deny filtering by user entered regions

diff --git a/compliance/aws/untagged_resources/README.md b/compliance/aws/untagged_resources/README.md
@@ -10,6 +10,45 @@ This Policy finds all AWS resources missing any of the user provided tags with t
 - Using the 'Tag Keys' parameter, the policy identifies all resources that are missing the tag keys specified by the user.
 - The policy outputs resources missing the specified tag keys as well as resources with the specified tag keys but are missing tag values.
 
+## Prerequisites
+
+This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Automation/ManagingCredentialsExternal.htm) for authenticating to datasources -- in order to apply this policy you must have a Credential registered in the system that is compatible with this policy. If there are no Credentials listed when you apply the policy, please contact your Flexera Org Admin and ask them to register a Credential that is compatible with this policy. The information below should be consulted when creating the credential(s).
+
+- [**AWS Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_1982464505_1121575) (*provider=aws*) which has the following permissions:
+  - `tag:GetResources`
+  - `tag:TagResources`
+  - `ec2:DescribeRegions`
+  - `ec2:CreateTags`
+  - `rds:AddTagsToResources`
+  - `config:TagResource`
+
+  Example IAM Permission Policy:
+
+  ```json
+  {
+      "Version": "2012-10-17",
+      "Statement": [
+          {
+              "Effect": "Allow",
+              "Action": [
+                  "tag:GetResources",
+                  "tag:TagResources",
+                  "ec2:DescribeRegions",
+                  "ec2:CreateTags",
+                  "rds:AddTagsToResource",
+                  "config:TagResource"
+              ],
+              "Resource": "*"
+          }
+      ]
+  }
+  ```
+
+- [**Flexera Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) (*provider=flexera*) which has the following roles:
+  - `billing_center_viewer`
+
+The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) page in the docs has detailed instructions for setting up Credentials for the most common providers.
+
 ## Input Parameters
 
 This policy has the following input parameters required when launching the policy.
@@ -27,38 +66,6 @@ The following policy actions are taken on any resources found to be out of compl
 - Send an email report
 - Tag the resource with the provided user input.
 
-## Prerequisites
-
-This policy uses [credentials](https://docs.flexera.com/flexera/EN/Automation/ManagingCredentialsExternal.htm) for connecting to the cloud -- in order to apply this policy you must have a credential registered in the system that is compatible with this policy. If there are no credentials listed when you apply the policy, please contact your cloud admin and ask them to register a credential that is compatible with this policy. The information below should be consulted when creating the credential.
-
-### Credential configuration
-
-For administrators [creating and managing credentials](https://docs.flexera.com/flexera/EN/Automation/ManagingCredentialsExternal.htm) to use with this policy, the following information is needed:
-
-Provider tag value to match this policy: `aws` , `aws_sts`
-
-Required permissions in the provider:
-
-```javascript
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "tag:GetResources",
-        "tag:TagResources",
-        "ec2:DescribeRegions",
-        "ec2:CreateTags",
-        "rds:AddTagsToResource",
-        "config:TagResource"
-      ],
-      "Resource": "*"
-    }
-  ]
-}
-```
-
 ## Supported Clouds
 
 - AWS

diff --git a/compliance/aws/untagged_resources/aws_untagged_resources.pt b/compliance/aws/untagged_resources/aws_untagged_resources.pt
@@ -7,7 +7,7 @@ severity "low"
 category "Compliance"
 default_frequency "weekly"
 info(
-  version: "3.0",
+  version: "4.0",
   provider: "AWS",
   service: "",
   policy_set:"Untagged resources"
@@ -60,6 +60,7 @@ end
 # Authentication
 ###############################################################################
 
+#AUTHENTICATE WITH AWS
 credentials "auth_aws" do
   schemes "aws","aws_sts"
   label "AWS"
@@ -68,6 +69,14 @@ credentials "auth_aws" do
   aws_account_number $param_aws_account_number
 end
 
+#AUTHENTICATE WITH FLEXERA
+credentials "auth_flexera" do
+  schemes "oauth2"
+  label "Flexera"
+  description "Select Flexera One OAuth2 credentials"
+  tags "provider=flexera"
+end
+
 ###############################################################################
 # Pagination
 ###############################################################################
@@ -98,6 +107,9 @@ datasource "ds_regions_list" do
     query "Filter.1.Name", "opt-in-status"
     query "Filter.1.Value.1", "opt-in-not-required"
     query "Filter.1.Value.2", "opted-in"
+    # Header X-Meta-Flexera has no affect on datasource query, but is required for Meta Policies
+    # Forces `ds_is_deleted` datasource to run first during policy execution
+    header "Meta-Flexera", val($ds_is_deleted, "path")
   end
   result do
     encoding "xml"
@@ -282,7 +294,8 @@ policy "policy_untagged_resources" do
     summary_template "{{ rs_project_name }} (Account ID: {{ rs_project_id }}): {{ len data }} AWS untagged resources found."
     escalate $esc_email
     escalate $esc_add_tags
-    check eq(size(data),0)
+    # Policy check fails and incident is created only if data is not empty and the Parent Policy has not been terminated
+    check logic_or($ds_parent_policy_terminated, eq(size(data),0))
     export do
       resource_level true
       field "region" do
@@ -381,3 +394,94 @@ define skip_error_and_append($subject) do
   $$errors << "Unexpected error for " + $subject + "\n  " + to_s($_error)
   $_error_behavior = "skip"
 end
+
+###############################################################################
+# Meta Policy [alpha]
+# Not intended to be modified or used by policy developers
+###############################################################################
+
+# If the meta_parent_policy_id is not set it will evaluate to an empty string and we will look for the policy itself,
+# if it is set we will look for the parent policy.
+datasource "ds_get_policy" do
+  request do
+    auth $auth_flexera
+    host rs_governance_host
+    ignore_status [404]
+    path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", switch(ne(meta_parent_policy_id,""), meta_parent_policy_id, policy_id) ])
+    header "Api-Version", "1.0"
+  end
+  result do
+    encoding "json"
+    field "id", jmes_path(response, "id")
+  end
+end
+
+
+datasource "ds_parent_policy_terminated" do
+  run_script $js_decide_if_self_terminate, $ds_get_policy, policy_id, meta_parent_policy_id
+end
+
+# If the policy was applied by a meta_parent_policy we confirm it exists if it doesn't we confirm we are deleting
+# This information is used in two places:
+# - determining whether or not we make a delete call
+# - determining if we should create an incident (we don't want to create an incident on the run where we terminate)
+script "js_decide_if_self_terminate", type: "javascript" do
+  parameters "found", "self_policy_id", "meta_parent_policy_id"
+  result "result"
+  code <<-EOS
+  var result
+  if (meta_parent_policy_id != "" && found.id == undefined) {
+    result = true
+  } else {
+    result = false
+  }
+  EOS
+end
+
+# Two potentials ways to set this up:
+# - this way and make a unneeded 'get' request when not deleting
+# - make the delete request an interate and have it iterate over an empty array when not deleting and an array with one item when deleting
+script "js_make_terminate_request", type: "javascript" do
+  parameters "should_delete", "policy_id", "rs_project_id", "rs_governance_host"
+  result "request"
+  code <<-EOS
+
+  var request = {
+    auth:  'auth_flexera',
+    host: rs_governance_host,
+    path: "/api/governance/projects/" + rs_project_id + "/applied_policies/" + policy_id,
+    headers: {
+      "API-Version": "1.0",
+      "Content-Type":"application/json"
+    },
+  }
+
+  if (should_delete) {
+    request.verb = 'DELETE'
+  }
+  EOS
+end
+
+datasource "ds_terminate_self" do
+  request do
+    run_script $js_make_terminate_request, $ds_parent_policy_terminated, policy_id, rs_project_id, rs_governance_host
+  end
+end
+
+datasource "ds_is_deleted" do
+  run_script $js_check_deleted, $ds_terminate_self
+end
+
+# This is just a way to have the check delete request connect to the farthest leaf from policy.
+# We want the delete check to the first thing the policy does to avoid the policy erroring before it can decide whether or not it needs to self terminate
+# Example a customer deletes a credential and then terminates the parent policy. We still want the children to self terminate
+# The only way I could see this not happening is if the user who applied the parent_meta_policy was offboarded or lost policy access, the policies who are impersonating the user
+# would not have access to self-terminate
+# It may be useful for the backend to enable a mass terminate at some point for all meta_child_policies associated with an id.
+script "js_check_deleted", type: "javascript" do
+  parameters "response"
+  result "result"
+  code <<-EOS
+  result = {"path":"/"}
+  EOS
+end