POL-887 Meta Policy for AWS Lambda Function high error rate (#1376)

* Update CHANGELOG.md Update changelog with recent changes * Update lambda_functions_with_high_error_rate.pt added meta policy functionality and 'auth_flexera' auth definition * Update README.md Updated Credential Configuration section with appropriate IAM permissions and Flexera One Automation permissions * Update meta_parent_policy_compiler.rb Add Lambda Functions With High Error Rate policy template to default templates list * Update Meta Parent Policy Templates (#1377) Co-authored-by: nia-vf1 <nia-vf1@users.noreply.github.com> * Update CHANGELOG.md Updated language in changelog to be more user-friendly * Update lambda_functions_with_high_error_rate.pt Line 386 - Added comment above check function in policy definition --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: nia-vf1 <nia-vf1@users.noreply.github.com>
flexera-public · Jul 26, 2023 · 27b690d · 27b690d
1 parent b7184d6
commit 27b690d
Show file tree

Hide file tree

Showing 5 changed files with 1,114 additions and 59 deletions.
diff --git a/operational/aws/lambda_functions_with_high_error_rate/CHANGELOG.md b/operational/aws/lambda_functions_with_high_error_rate/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## v4.0
+
+- Added logic required for "Meta Policy" use-cases
+- Flexera credential now required to facilitate meta policy use cases.
+
 ## v3.0
 
 - Added parameter to enable Allow or Deny filtering by user entered regions

diff --git a/operational/aws/lambda_functions_with_high_error_rate/README.md b/operational/aws/lambda_functions_with_high_error_rate/README.md
@@ -8,6 +8,43 @@ Checks for lambda functions with errors, and lambda function over the `Error Rat
 
 The policy leverages the AWS ec2 API to examine vpc and flowlog details. When a vpc without flowlogs enabled is detected, an email action is triggered automatically to notify the specified users of the incident.
 
+## Prerequisites
+
+This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Automation/ManagingCredentialsExternal.htm) for authenticating to datasources -- in order to apply this policy you must have a Credential registered in the system that is compatible with this policy. If there are no Credentials listed when you apply the policy, please contact your Flexera Org Admin and ask them to register a Credential that is compatible with this policy. The information below should be consulted when creating the credential(s).
+
+- [**AWS Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_1982464505_1121575) (*provider=aws*) which has the following permissions:
+  - `ec2:DescribeRegions`
+  - `lambda:ListFunctions`
+  - `lambda:ListTags`
+  - `cloudwatch:GetMetricStatistics`
+  - `cloudwatch:ListMetrics`
+
+  Example IAM Permission Policy:
+
+  ```json
+  {
+      "Version": "2012-10-17",
+      "Statement": [
+          {
+              "Effect": "Allow",
+              "Action": [
+                  "ec2:DescribeRegions",
+                  "lambda:ListFunctions",
+                  "lambda:ListTags",
+                  "cloudwatch:GetMetricStatistics",
+                  "cloudwatch:ListMetrics"
+              ],
+              "Resource": "*"
+          }
+      ]
+  }
+  ```
+
+- [**Flexera Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) (*provider=flexera*) which has the following roles:
+  - `billing_center_viewer`
+
+The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) page in the docs has detailed instructions for setting up Credentials for the most common providers.
+
 ## Input Parameters
 
 - *Allowed/Denied Regions* - Whether to treat regions parameter as allow or deny list.
@@ -21,61 +58,6 @@ The policy leverages the AWS ec2 API to examine vpc and flowlog details. When a
 
 - Send an email report
 
-## Prerequisites
-
-This policy uses [credentials](https://docs.flexera.com/flexera/EN/Automation/ManagingCredentialsExternal.htm) for connecting to the cloud -- in order to apply this policy you must have a credential registered in the system that is compatible with this policy. If there are no credentials listed when you apply the policy, please contact your cloud admin and ask them to register a credential that is compatible with this policy. The information below should be consulted when creating the credential.
-
-### Credential configuration
-
-For administrators [creating and managing credentials](https://docs.flexera.com/flexera/EN/Automation/ManagingCredentialsExternal.htm) to use with this policy, the following information is needed:
-
-Provider tag value to match this policy: `aws` , `aws_sts`
-
-Required permissions in the provider:
-
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "cloudwatch:GetMetricStatistics",
-        "cloudwatch:ListMetrics"
-      ],
-      "Resource": "*",
-      "Condition": {
-        "Bool": {
-          "aws:SecureTransport": "true"
-        }
-      }
-    }
-  ]
-}
-```
-
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "lambda:ListFunctions"
-      ],
-      "Resource": "*"
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "ec2:DescribeRegions"
-      ],
-      "Resource": "*"
-    }
-  ]
-}
-```
-
 ## Supported Clouds
 
 - AWS

diff --git a/...tional/aws/lambda_functions_with_high_error_rate/lambda_functions_with_high_error_rate.pt b/...tional/aws/lambda_functions_with_high_error_rate/lambda_functions_with_high_error_rate.pt
@@ -7,7 +7,7 @@ category "Operational"
 severity "high"
 default_frequency "hourly"
 info(
-  version: "3.0",
+  version: "4.0",
   provider: "AWS",
   service: "Lambda",
   policy_set: ""
@@ -61,6 +61,7 @@ end
 # Authentication
 ###############################################################################
 
+#AUTHENTICATE WITH AWS
 credentials "auth_aws" do
   schemes "aws","aws_sts"
   label "AWS"
@@ -69,9 +70,18 @@ credentials "auth_aws" do
   aws_account_number $param_aws_account_number
 end
 
+#AUTHENTICATE WITH FLEXERA
+credentials "auth_flexera" do
+  schemes "oauth2"
+  label "Flexera"
+  description "Select Flexera One OAuth2 credentials"
+  tags "provider=flexera"
+end
+
 ###############################################################################
 # Pagination
 ###############################################################################
+
 pagination "pagination_aws_marker" do
   get_page_marker do
     body_path jmes_path(response, "NextMarker")
@@ -98,6 +108,9 @@ datasource "ds_regions_list" do
     query "Filter.1.Name", "opt-in-status"
     query "Filter.1.Value.1", "opt-in-not-required"
     query "Filter.1.Value.2", "opted-in"
+    # Header X-Meta-Flexera has no affect on datasource query, but is required for Meta Policies
+    # Forces `ds_is_deleted` datasource to run first during policy execution
+    header "Meta-Flexera", val($ds_is_deleted, "path")
   end
   result do
     encoding "xml"
@@ -366,11 +379,12 @@ end
 # Policy
 ###############################################################################
 
-policy "policy_functions_in_error" do
+policy "pol_functions_in_error" do
   validate_each $ds_merged_results do
     summary_template "AWS Account ID: {{with index data 0}}{{ .accountId }}{{end}}: {{ len data }} AWS Functions over error percentage"
     escalate $esc_functions_in_error
-    check lt(val(item, "error_percentage"), $param_error_rate)
+    # Policy check fails and incident is created only if data is not empty and the Parent Policy has not been terminated
+    check logic_or($ds_parent_policy_terminated, lt(val(item, "error_percentage"), $param_error_rate))
     export do
       resource_level true
       field "accountId" do
@@ -410,7 +424,97 @@ escalation "esc_functions_in_error" do
   email $param_email
 end
 
-
 ###############################################################################
 # Cloud Workflow
 ###############################################################################
+
+###############################################################################
+# Meta Policy [alpha]
+# Not intended to be modified or used by policy developers
+###############################################################################
+
+# If the meta_parent_policy_id is not set it will evaluate to an empty string and we will look for the policy itself,
+# if it is set we will look for the parent policy.
+datasource "ds_get_policy" do
+  request do
+    auth $auth_flexera
+    host rs_governance_host
+    ignore_status [404]
+    path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", switch(ne(meta_parent_policy_id,""), meta_parent_policy_id, policy_id) ])
+    header "Api-Version", "1.0"
+  end
+  result do
+    encoding "json"
+    field "id", jmes_path(response, "id")
+  end
+end
+
+
+datasource "ds_parent_policy_terminated" do
+  run_script $js_decide_if_self_terminate, $ds_get_policy, policy_id, meta_parent_policy_id
+end
+
+# If the policy was applied by a meta_parent_policy we confirm it exists if it doesn't we confirm we are deleting
+# This information is used in two places:
+# - determining whether or not we make a delete call
+# - determining if we should create an incident (we don't want to create an incident on the run where we terminate)
+script "js_decide_if_self_terminate", type: "javascript" do
+  parameters "found", "self_policy_id", "meta_parent_policy_id"
+  result "result"
+  code <<-EOS
+  var result
+  if (meta_parent_policy_id != "" && found.id == undefined) {
+    result = true
+  } else {
+    result = false
+  }
+  EOS
+end
+
+# Two potentials ways to set this up:
+# - this way and make a unneeded 'get' request when not deleting
+# - make the delete request an interate and have it iterate over an empty array when not deleting and an array with one item when deleting
+script "js_make_terminate_request", type: "javascript" do
+  parameters "should_delete", "policy_id", "rs_project_id", "rs_governance_host"
+  result "request"
+  code <<-EOS
+
+  var request = {
+    auth:  'auth_flexera',
+    host: rs_governance_host,
+    path: "/api/governance/projects/" + rs_project_id + "/applied_policies/" + policy_id,
+    headers: {
+      "API-Version": "1.0",
+      "Content-Type":"application/json"
+    },
+  }
+
+  if (should_delete) {
+    request.verb = 'DELETE'
+  }
+  EOS
+end
+
+datasource "ds_terminate_self" do
+  request do
+    run_script $js_make_terminate_request, $ds_parent_policy_terminated, policy_id, rs_project_id, rs_governance_host
+  end
+end
+
+datasource "ds_is_deleted" do
+  run_script $js_check_deleted, $ds_terminate_self
+end
+
+# This is just a way to have the check delete request connect to the farthest leaf from policy.
+# We want the delete check to the first thing the policy does to avoid the policy erroring before it can decide whether or not it needs to self terminate
+# Example a customer deletes a credential and then terminates the parent policy. We still want the children to self terminate
+# The only way I could see this not happening is if the user who applied the parent_meta_policy was offboarded or lost policy access, the policies who are impersonating the user
+# would not have access to self-terminate
+# It may be useful for the backend to enable a mass terminate at some point for all meta_child_policies associated with an id.
+script "js_check_deleted", type: "javascript" do
+  parameters "response"
+  result "result"
+  code <<-EOS
+  result = {"path":"/"}
+  EOS
+end