POL-918 Create Master Policy Permissions List (2) Continued (#1816)
* NVF/POL-918 Add Azure Untagged Virtual Machines (#1815)

* added policy permissions ruby script for parsing readmes for permissions

* added github workflow yaml file to automate running ruby script to create master policy permissions json file

* minor update to syntax to support older versions of ruby

* adding fileutils library to create the directory for the json file

* added exclude in gitignore for policy permissions json

* try using dist

* removed generated json file

* revert to ignoring the required "data/*" directory rather than dist

* test change

* add pull request in workflow

* Update Master Policy Permissions List (#1675)

Co-authored-by: nia-vf1 <nia-vf1@users.noreply.github.com>

* test revert back to original gitignore

* reverting as addition to .gitignore file is required for now

* Update Master Policy Permissions List (#1676)

Co-authored-by: nia-vf1 <nia-vf1@users.noreply.github.com>

* Update Master Policy Permissions List (#1680)

Co-authored-by: XOmniverse <XOmniverse@users.noreply.github.com>

* Delete data/policy_permissions_list/master_policy_permissions_list.json

* changed name of workflow yaml file

* Update Master Policy Permissions List (#1685)

Co-authored-by: nia-vf1 <nia-vf1@users.noreply.github.com>

* Delete data/policy_permissions_list directory

* updated name of workflow, and updated name of ruby script

* fix

* Update Policy Master Permissions List (#1687)

Co-authored-by: nia-vf1 <nia-vf1@users.noreply.github.com>

* remove master_policy_permissions json

* update ruby script to capture read-only field for permissions and roles

* add output to log

* fix read-only field for permissions/roles

* add logic to get description field, and correct boolean values for required and read-only permissions

* update json to not show "providers" field if no providers exist for a given policy template

* Update Policy Master Permissions List (#1724)

Co-authored-by: nia-vf1 <nia-vf1@users.noreply.github.com>

* task: use a statically defined list

* volumes (#1752)

* task: add aws_rightsize_rds_instances.pt (#1754)

* snapshot

* add aws_unused_ip_addresses.pt (#1757)

* task: add aws_unused_ip_addresses.pt

* rm character

* done (#1758)

* add aws_rightsize_ec2_instances.pt

* done (#1759)

* POL-918 AWS RI Recommendations (#1760)

* added aws ri recs to list

* remove json

* unused volumes (#1761)

* add azure_compute_rightsizing.pt (#1762)

* task: add `,`

* add azure_compute_rightsizing.pt

* update (#1764)

* add azure unused sql to list (#1763)

* add azure_delete_old_snapshots.pt (#1765)

* docs: Add missing permissions

* add azure_delete_old_snapshots.pt

* push latest datasets

* done (#1766)

* good (#1768)

* push latest dataset

* add azure_savings_plan_recommendations.pt (#1769)

* push latest dataset

* rightsize (#1771)

* add permission json and yaml

* google (#1773)

* cloud sql (#1774)

* feat: Add warning for new datasources and checking README for new permissions

* update (#1776)

* Add test new datasource

* fix test

* add debug logging

* done (#1777)

* fix: update regex for new datasource blocks

* feat: Add check for new datasources and a warning to check README

* test: revert change to PT for testing

* feat: only check PT files

* fix: install ruby using feature in devcontainer

* move PT files list to separate file

* task: run ruby tools/policy_master_permission_generation/generate_policy_master_permissions.rb

* feat: sort output datasets using id
mitigate/prevent large diffs between runs

* task: run ruby tools/policy_master_permission_generation/generate_policy_master_permissions.rb

* fix: rm nvm from post commands

* feat: add error if PT not yet enabled

* test: add tmp test datasource

* fix: use fail instead of error

* task: update error message

* task: update wording in fail

* test: rm temporary test trigger

* test: add tmp datasource to test warning trigger

* fix: use include? to check if file matches

* test: rm test trigger

* docs: add README for policy permission generation

* docs: update branch name

* NVF/POL-918 1705958339 - Validate Google CUD Recommender permissions (#1783)

* add google cud recommender policy to permissions list

* tested and added google cud recommender policy to permissions list

* updated json, yaml to reflect most recent repository changes

* Updated permissions list to include AWS Rightsize RDS Instances and Azure Rightsize SQL Instances (#1809)

* Updated permissions list to include AWS Rightsize EBS Volumes and Azure Rightsize Managed Disks (#1810)

* Updated permissions list to include Azure Reserved Instances Utilization (#1811)

* Updated permissions list to include AWS Untagged Resources and Azure Untagged Resources (#1812)

* updated permissions Azure Rightsize Compute Instances README to remove white space before asterisk

* NVF/POL-918 Add Google Unlabeled Resources (#1814)

* updated Permissions list to include Google Unlabeled Resources

* POL-1057 Google Unlabeled Resources - Update Permissions in README (#1813)

* Update README.md

* Sort permissions alphabetically in README

* Update README.md

Remove redundant IAM Role from Credential Configuration list

* Update README.md

Remove whitespace on line 53

* reran script with updated Google Unlabeled Resources README to produce correct Permissions list

* Updated permissions list to include Azure Untagged VMs

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: nia-vf1 <nia-vf1@users.noreply.github.com>
Co-authored-by: XOmniverse <XOmniverse@users.noreply.github.com>
Co-authored-by: Bryan Karaffa <bryankaraffa@gmail.com>
Co-authored-by: Shawn Huckabay <shuckabay@flexera.com>

* Updated trigger in github yaml workflow file to reflect new POL-918 branch

* Updated script to support policy templates with more than one set of special notes

* tidy up script

* NVF/POL-918 Add Long Running Instances (AWS and Azure), AWS Long Stopped EC2 Instances (#1820)

* Updated Permissions list to include AWS Long Running Instances and Azure Long Running Instances

* Updated Permissions list to include AWS Long Stopped EC2 Instances

* update dangerfile to ignore meta parent policies when checking for new datasources

* update dangerfile to ignore meta parent policy templates when looking for new datasources

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: nia-vf1 <nia-vf1@users.noreply.github.com>
Co-authored-by: XOmniverse <XOmniverse@users.noreply.github.com>
Co-authored-by: Bryan Karaffa <bryankaraffa@gmail.com>
Co-authored-by: Shawn Huckabay <shuckabay@flexera.com>
6 people authored Feb 13, 2024
1 parent 126079f commit 6c6959b
Showing 6 changed files with 340 additions and 22 deletions.
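As an added example, not code from the policy_templates repository or its generator: a small Ruby consumer of the manifest schema shown in the hunks below (`values[].providers[].permissions[]`, each permission carrying `read_only` and `required` flags). It derives the least-privilege permission set for a chosen set of templates, renders the AWS part as an IAM policy document with read-only and action permissions in separate statements, and flags AWS Describe*/List*/Get* entries labelled `read_only: false`. The manifest embedded in it is constructed for this example, trimmed from the entries in this commit, and the function names are my own.

```ruby
require 'json'

# Constructed sample in the shape of data/policy_permissions_list/master_policy_permissions_list.json
SAMPLE_MANIFEST = <<~JSON
  { "values": [
    { "id": "./compliance/aws/long_stopped_instances/aws_long_stopped_instances.pt",
      "name": "AWS Long Stopped EC2 Instances", "version": "5.0",
      "providers": [
        { "name": "aws", "permissions": [
          { "name": "ec2:DescribeRegions", "read_only": true, "required": true },
          { "name": "ec2:DescribeInstances", "read_only": true, "required": true },
          { "name": "ec2:TerminateInstances", "read_only": false, "required": false,
            "description": "Only required for taking action (termination)." },
          { "name": "sts:GetCallerIdentity", "read_only": true, "required": true } ] },
        { "name": "flexera", "permissions": [
          { "name": "billing_center_viewer", "read_only": true, "required": true } ] } ] },
    { "id": "./operational/aws/long_running_instances/long_running_instances.pt",
      "name": "AWS Long Running Instances", "version": "4.3",
      "providers": [
        { "name": "aws", "permissions": [
          { "name": "ec2:DescribeRegions", "read_only": true, "required": true },
          { "name": "ec2:DescribeInstances", "read_only": true, "required": true },
          { "name": "ec2:DescribeInstanceStatus", "read_only": false, "required": false,
            "description": "Only required for taking action." },
          { "name": "ec2:StopInstances", "read_only": false, "required": false,
            "description": "Only required for taking action." } ] } ] } ] }
JSON

# { provider => sorted unique permission names } for the selected template ids.
# With allow_actions=false only "required" permissions are kept, i.e. the read-only
# footprint the manifest descriptions promise the template can run with.
def permission_set(manifest, template_ids, allow_actions: false)
  out = Hash.new { |h, k| h[k] = [] }
  manifest['values'].each do |tmpl|
    next unless template_ids.include?(tmpl['id'])
    (tmpl['providers'] || []).each do |prov|
      prov['permissions'].each do |perm|
        next unless perm['required'] || allow_actions
        out[prov['name']] << perm['name']
      end
    end
  end
  out.transform_values { |v| v.uniq.sort }
end

# AWS subset as an IAM policy document. Read-only and action permissions go into
# separate statements so the action statement can be dropped, or narrowed with a
# Resource/Condition, without touching the read-only statement.
def aws_iam_policy(manifest, template_ids, allow_actions: false)
  ro, rw = [], []
  manifest['values'].each do |tmpl|
    next unless template_ids.include?(tmpl['id'])
    (tmpl['providers'] || []).each do |prov|
      next unless prov['name'] == 'aws'
      prov['permissions'].each do |perm|
        next unless perm['required'] || allow_actions
        (perm['read_only'] ? ro : rw) << perm['name']
      end
    end
  end
  statements = [{ 'Sid' => 'ReadOnly', 'Effect' => 'Allow', 'Action' => ro.uniq.sort, 'Resource' => '*' }]
  statements << { 'Sid' => 'Actions', 'Effect' => 'Allow', 'Action' => rw.uniq.sort, 'Resource' => '*' } unless rw.empty?
  { 'Version' => '2012-10-17', 'Statement' => statements }
end

# Lint the manifest itself: AWS Describe*/List*/Get* calls are Read/List access level in
# the IAM action tables, so an entry flagging one as read_only:false is a labelling error
# that would move it into the action statement above.
AWS_READ_PREFIXES = %w[Describe List Get].freeze
def suspicious_read_only_flags(manifest)
  manifest['values'].flat_map do |tmpl|
    (tmpl['providers'] || []).flat_map do |prov|
      next [] unless prov['name'] == 'aws'
      prov['permissions']
        .select { |p| !p['read_only'] && AWS_READ_PREFIXES.any? { |pre| p['name'].split(':').last.start_with?(pre) } }
        .map { |p| "#{tmpl['name']}: #{p['name']}" }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  manifest = JSON.parse(SAMPLE_MANIFEST)
  ids = manifest['values'].map { |t| t['id'] }
  puts JSON.pretty_generate(aws_iam_policy(manifest, ids))                      # read-only role
  puts JSON.pretty_generate(aws_iam_policy(manifest, ids, allow_actions: true)) # role with actions
  suspicious_read_only_flags(manifest).each { |s| warn "check read_only flag: #{s}" }
end
```

Run it against the real file by replacing `SAMPLE_MANIFEST` with `File.read('data/policy_permissions_list/master_policy_permissions_list.json')`; the `Resource: '*'` is deliberately left for the operator to narrow, since the manifest records only action names, not resource scope.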
@@ -5,14 +5,14 @@ on:
push:
branches:
- master
- POL-918-create-master-policy-perm-list
- POL-918-create-master-policy-perm-list-continued


# Workflow dispatch trigger allows manually running workflow
workflow_dispatch:
branches:
- master
- POL-918-create-master-policy-perm-list
- POL-918-create-master-policy-perm-list-continued


jobs:
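Review bot: the `push` and `workflow_dispatch` triggers list working branches by exact name (`POL-918-create-master-policy-perm-list-continued` simply replaces the previous branch), so every new branch for this task needs another edit to the workflow; a glob such as `POL-918-**` under `push.branches` would avoid the churn. Separately, the Actions schema defines no `branches` filter for the `workflow_dispatch` event (it takes only `inputs`), so the list under it is ignored rather than enforced and should be dropped so it does not suggest a restriction that is not there.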
2 changes: 1 addition & 1 deletion Dangerfile
@@ -199,7 +199,7 @@ end
# print warning if new datasource is added to ensure the README permissions have been updated
permissions_verified_pt_file_yaml = YAML.load_file('tools/policy_master_permission_generation/validated_policy_templates.yaml')
has_app_changes.each do |file|
if file.end_with? ".pt"
if file.end_with?(".pt") && !file.end_with?("_meta_parent.pt")
# Get the diff to see only the new changes
diff = git.diff_for_file(file)

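Review bot: the exclusion `!file.end_with?("_meta_parent.pt")` keys on the filename suffix alone, which is fine for generated meta parent templates that follow that convention, but a one-line comment stating why they are skipped (they are generated from the child template and declare no permissions of their own) would save the next reader a trip to the generator. `permissions_verified_pt_file_yaml` is loaded immediately above this hunk; confirm it is still referenced further down, otherwise the YAML read is dead code.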
191 changes: 189 additions & 2 deletions data/policy_permissions_list/master_policy_permissions_list.json
@@ -1,5 +1,69 @@
{
"values": [
{
"id": "./compliance/aws/long_stopped_instances/aws_long_stopped_instances.pt",
"name": "AWS Long Stopped EC2 Instances",
"version": "5.0",
"providers": [
{
"name": "aws",
"permissions": [
{
"name": "ec2:DescribeRegions",
"read_only": true,
"required": true
},
{
"name": "ec2:DescribeInstances",
"read_only": true,
"required": true
},
{
"name": "ec2:DescribeInstanceStatus",
"read_only": false,
"required": false,
"description": "Only required for taking action (termination); the policy will still function in a read-only capacity without these permissions."
},
{
"name": "ec2:TerminateInstances",
"read_only": false,
"required": false,
"description": "Only required for taking action (termination); the policy will still function in a read-only capacity without these permissions."
},
{
"name": "cloudwatch:GetMetricStatistics",
"read_only": true,
"required": true
},
{
"name": "cloudwatch:GetMetricData",
"read_only": true,
"required": true
},
{
"name": "cloudwatch:ListMetrics",
"read_only": true,
"required": true
},
{
"name": "sts:GetCallerIdentity",
"read_only": true,
"required": true
}
]
},
{
"name": "flexera",
"permissions": [
{
"name": "billing_center_viewer",
"read_only": true,
"required": true
}
]
}
]
},
{
"id": "./compliance/aws/untagged_resources/aws_untagged_resources.pt",
"name": "AWS Untagged Resources",
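Review bot: `ec2:DescribeInstanceStatus` is recorded with `"read_only": false` and the termination description, but it is a Describe call with Read access level in the IAM action table; being needed only on the action path does not make it a write permission. Suggest `"read_only": true, "required": false` so a consumer that builds a read-only role from the `read_only` flag does not drop or mis-scope it, and fix the README this entry was generated from so the next generator run does not reintroduce the flag.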
@@ -131,6 +195,39 @@
}
]
},
{
"id": "./compliance/azure/azure_untagged_vms/untagged_vms.pt",
"name": "Azure Untagged Virtual Machines",
"version": "1.1",
"providers": [
{
"name": "azure_rm",
"permissions": [
{
"name": "Microsoft.Compute/virtualMachines/read",
"read_only": true,
"required": true
},
{
"name": "Microsoft.Compute/virtualMachines/write",
"read_only": false,
"required": false,
"description": "Only required for taking action; the policy will still function in a read-only capacity without these permissions."
}
]
},
{
"name": "flexera",
"permissions": [
{
"name": "billing_center_viewer",
"read_only": true,
"required": true
}
]
}
]
},
{
"id": "./compliance/google/unlabeled_resources/unlabeled_resources.pt",
"name": "Google Unlabeled Resources",
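Review bot: the description on `Microsoft.Compute/virtualMachines/write` says "Only required for taking action" without naming the action, unlike the other entries in this file ("termination", "powering off or deleting"); for a tagging policy it should say the action is adding tags. If the template applies tags through the Tags resource API rather than a full VM update, `Microsoft.Resources/tags/write` is the narrower permission to document; worth confirming against the template's action code before roles are built from this list.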
@@ -1356,12 +1453,14 @@
{
"name": "recommender.computeInstanceMachineTypeRecommendations.list",
"read_only": true,
"required": true
"required": false,
"description": "Only the permissions needed for the specific recommendations you're looking to produce are required. If using this policy only for idle recommendations, for example, `recommender.computeInstanceMachineTypeRecommendations.list` is not needed."
},
{
"name": "recommender.computeInstanceIdleResourceRecommendations.list",
"read_only": true,
"required": true
"required": false,
"description": "Only the permissions needed for the specific recommendations you're looking to produce are required. If using this policy only for idle recommendations, for example, `recommender.computeInstanceMachineTypeRecommendations.list` is not needed."
},
{
"name": "resourcemanager.projects.get",
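Review bot: both recommender entries now carry the identical description, which only states that `recommender.computeInstanceMachineTypeRecommendations.list` is unneeded for idle-only use; on the `recommender.computeInstanceIdleResourceRecommendations.list` entry the example should be the converse (rightsizing-only use does not need the idle permission). With both flipped to `"required": false` the schema also no longer expresses that at least one of the two must be granted for the policy to do anything, so say that explicitly in the description since it is the only place that can.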
@@ -1444,6 +1543,61 @@
}
]
},
{
"id": "./operational/aws/long_running_instances/long_running_instances.pt",
"name": "AWS Long Running Instances",
"version": "4.3",
"providers": [
{
"name": "aws",
"permissions": [
{
"name": "ec2:DescribeRegions",
"read_only": true,
"required": true
},
{
"name": "ec2:DescribeInstances",
"read_only": true,
"required": true
},
{
"name": "ec2:DescribeInstanceStatus",
"read_only": false,
"required": false,
"description": "Only required for taking action (stopping or terminating instances); the policy will still function in a read-only capacity without these permissions."
},
{
"name": "ec2:StopInstances",
"read_only": false,
"required": false,
"description": "Only required for taking action (stopping or terminating instances); the policy will still function in a read-only capacity without these permissions."
},
{
"name": "ec2:TerminateInstances",
"read_only": false,
"required": false,
"description": "Only required for taking action (stopping or terminating instances); the policy will still function in a read-only capacity without these permissions."
},
{
"name": "sts:GetCallerIdentity",
"read_only": true,
"required": true
}
]
},
{
"name": "flexera",
"permissions": [
{
"name": "billing_center_viewer",
"read_only": true,
"required": true
}
]
}
]
},
{
"id": "./operational/aws/tag_cardinality/aws_tag_cardinality.pt",
"name": "AWS Tag Cardinality Report",
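Review bot: same issue as the AWS Long Stopped EC2 Instances entry: `ec2:DescribeInstanceStatus` is a Read-level Describe call and should be `"read_only": true, "required": false`, not `"read_only": false`; only `ec2:StopInstances` and `ec2:TerminateInstances` are the write permissions the "stopping or terminating instances" description refers to. Correct it in the README so the generator stops emitting it.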
@@ -1476,6 +1630,39 @@
}
]
},
{
"id": "./operational/azure/azure_long_running_instances/azure_long_running_instances.pt",
"name": "Azure Long Running Instances",
"version": "5.1",
"providers": [
{
"name": "azure_rm",
"permissions": [
{
"name": "Microsoft.Compute/virtualMachines/read",
"read_only": true,
"required": true
},
{
"name": "Microsoft.Compute/virtualMachines/write",
"read_only": false,
"required": false,
"description": "Only required for taking action (powering off or deleting); the policy will still function in a read-only capacity without these permissions."
}
]
},
{
"name": "flexera",
"permissions": [
{
"name": "billing_center_viewer",
"read_only": true,
"required": true
}
]
}
]
},
{
"id": "./operational/azure/tag_cardinality/azure_tag_cardinality.pt",
"name": "Azure Tag Cardinality Report",
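Review bot: `Microsoft.Compute/virtualMachines/write` does not grant the actions its description names: powering off a VM is `Microsoft.Compute/virtualMachines/powerOff/action` (deallocation is `Microsoft.Compute/virtualMachines/deallocate/action`) and deleting is `Microsoft.Compute/virtualMachines/delete`. Unless the template drives these through some other call, the README and this generated entry should list those operations; a role built from the list as written will fail at action time while passing the read-only checks.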