POL-918 Create Master Policy Permissions List

.devcontainer/devcontainer.json

@@ -9,8 +9,10 @@
   "features": {
 		"ghcr.io/devcontainers/features/node:1": {},
 		"ghcr.io/devcontainers/features/python:1": {},
-		"ghcr.io/devcontainers/features/ruby:1": {},
-		"ghcr.io/eitsupi/devcontainer-features/jq-likes:1": {},
+		"ghcr.io/devcontainers/features/ruby:1": {
+      "version": "2.7"
+    },
+		"ghcr.io/eitsupi/devcontainer-features/jq-likes:2": {},
 		"ghcr.io/devcontainers/features/aws-cli:1": {},
 		"ghcr.io/devcontainers/features/azure-cli:1": {},
 		"ghcr.io/devcontainers/features/docker-in-docker:2": {},
@@ -23,7 +25,7 @@
 	// "forwardPorts": [],
 
   // Use 'postCreateCommand' to run commands after the container is created.
-	"postCreateCommand": "rvm install `cat /workspaces/policy_templates/.ruby-version` && git clone https://github.com/flexera-public/policy_sdk /tmp/policy_sdk && cd /tmp/policy_sdk/cmd/fpt && go build -o fpt && sudo mv fpt /usr/local/bin/fpt && rm -rf /tmp/policy_sdk",
+	"postCreateCommand": "npm install && bundle install --without documentation --path bundle && git clone https://github.com/flexera-public/policy_sdk /tmp/policy_sdk && cd /tmp/policy_sdk/cmd/fpt && go build -o fpt && sudo mv fpt /usr/local/bin/fpt && rm -rf /tmp/policy_sdk",
 
 	// Configure tool-specific properties.
 	"customizations": {

.github/workflows/generate-policy-master-permissions-json.yaml

@@ -0,0 +1,50 @@
+name: Generate Policy Master Permissions JSON 
+
+on:
+  # Trigger this workflow on pushes to master
+  push:
+    branches:
+      - master
+      - POL-918-create-master-policy-perm-list
+
+
+  # Workflow dispatch trigger allows manually running workflow
+  workflow_dispatch:
+    branches:
+      - master
+      - POL-918-create-master-policy-perm-list
+
+
+jobs:
+  master-policy-permissions:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0 # Speed up checkout by not fetching history
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+
+      - name: Run Generate Policy Master Permissions Script
+        id: policy_permissions_json
+        run: |
+          ruby tools/policy_master_permission_generation/generate_policy_master_permissions.rb
+
+      - name: Create Pull Request
+        id: cpr
+        uses: peter-evans/create-pull-request@v4
+        with:
+          commit-message: "Update Policy Master Permissions List"
+          title: "Update Policy Master Permissions List"
+          body: "Update Policy Master Permissions List from GitHub Actions Workflow [${{ github.workflow }}](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})"
+          branch: "task/update-policy-master-permissions"
+          delete-branch: true
+          labels: "automation"
+
+      - name: Check outputs
+        if: ${{ steps.cpr.outputs.pull-request-number }}
+        run: |
+          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
+          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"

.gitignore

@@ -1,7 +1,6 @@
 dist/
 .DS_Store
 *.log
-**/*.json
 !.devcontainer/**
 !.github/**
 *.js
@@ -11,6 +10,12 @@ node_modules/
 !package-lock.json
 !.vscode/*.json
 
+# Ignore all JSON files at this level of directory
+**/*.json
+
+# But exclude JSON files in this specific directory
+!data/policy_permissions_list/*.json
+
 # Bundler Artifacts
 bundle/
 

Dangerfile

@@ -1,4 +1,6 @@
 require 'uri'
+require 'yaml'
+
 require_relative 'tools/lib/policy_parser'
 # DangerFile
 # https://danger.systems/reference.html
@@ -192,3 +194,34 @@ changed_files.each do |file|
     fail "Textlint failed on #{file}"
   end
 end
+
+# check for new datasources
+# print warning if new datasource is added to ensure the README permissions have been updated
+permissions_verified_pt_file_yaml = YAML.load_file('tools/policy_master_permission_generation/validated_policy_templates.yaml')
+has_app_changes.each do |file|
+  if file.end_with? ".pt"
+    # Get the diff to see only the new changes
+    diff = git.diff_for_file(file)
+
+    # Use regex to look for blocks that have a "datasource", "request", and "auth" sections of the datasource
+    # Example String:
+    #   "diff --git a/cost/aws/rightsize_ec2_instances/aws_rightsize_ec2_instances.pt b/cost/aws/rightsize_ec2_instances/aws_rightsize_ec2_instances.pt\nindex 14b3236f..bf6a161d 100644\n--- a/cost/aws/rightsize_ec2_instances/aws_rightsize_ec2_instances.pt\n+++ b/cost/aws/rightsize_ec2_instances/aws_rightsize_ec2_instances.pt\n@@ -193,6 +193,16 @@ datasource \"ds_applied_policy\" do\n   end\n end\n \n+datasource \"ds_applied_policy_test_will_be_removed_later\" do\n+  request do\n+    auth $auth_flexera\n+    host rs_governance_host\n+    path join([\"/api/governance/projects/\", rs_project_id, \"/applied_policies/\", policy_id])\n+    header \"Api-Version\", \"1.0\"\n+    header \"Test\", \"True\"\n+  end\n+end\n+\n # Get region-specific Flexera API endpoints\n datasource \"ds_flexera_api_hosts\" do\n   run_script $js_flexera_api_hosts, rs_optima_host"
+    regex = /datasource.*do(\s)+.*request.*do(\s)+.*auth.*([\s\S])+end([\s\+])+end/
+
+    # Print some debug info about diff patch
+    # puts "Diff Patch:"
+    # puts diff.patch
+    # puts "---"
+
+    # First check if the PT file has been manually validated and enabled for permission generation
+    pt_file_enabled = permissions_verified_pt_file_yaml["validated_policy_templates"].select { |pt| pt.include?(file) }
+    if pt_file_enabled.empty?
+      # If the PT file has not been manually validated, then print an error message which will block the PR from being merged
+      # This will help improve coverage as we touch more PT files
+      fail "Policy Template file `#{file}` has **not** yet been enabled for automated permission generation.  Please help us improve coverage by [following the steps documented in `tools/policy_master_permission_generation/`](https://github.com/flexera-public/policy_templates/tree/master/tools/policy_master_permission_generation) to resolve this"
+    elsif diff && diff.patch =~ regex
+      # If the PT file has been manually validated, but there are new datasources, then print a warning message
+      warn("Detected new request datasource in Policy Template file `#{file}`.  Please verify the README.md has any new permissions that may be required.")
+    end
+  end
+end

compliance/google/unlabeled_resources/README.md

@@ -1,6 +1,6 @@
 # Google Unlabeled Resources
 
-## What it does
+## What It does
 
 Find all Google cloud resources(disks, images, instances, snapshots, buckets, vpnGateways) missing any of the user provided labels with the option to update the resources with the missing labels.
 
@@ -26,33 +26,32 @@ The following policy actions are taken on any resources found to be out of compl
 
 ## Prerequisites
 
-This policy uses [credentials](https://docs.flexera.com/flexera/EN/Automation/ManagingCredentialsExternal.htm) for connecting to the cloud -- in order to apply this policy you must have a credential registered in the system that is compatible with this policy. If there are no credentials listed when you apply the policy, please contact your cloud admin and ask them to register a credential that is compatible with this policy. The information below should be consulted when creating the credential.
-
-### Credential configuration
-
-For administrators [creating and managing credentials](https://docs.flexera.com/flexera/EN/Automation/ManagingCredentialsExternal.htm) to use with this policy, the following information is needed:
-
-Provider tag value to match this policy: `gce`
-
-Required permissions in the provider:
-
-- The `Monitoring Viewer` Role
-- The `compute.disks.list` permission
-- The `compute.instances.list` permission
-- The `compute.disks.setLabels` permission
-- The `compute.externalVpnGateways.list` permission
-- The `compute.images.list` permission
-- The `compute.externalVpnGateways.setLabels` permission
-- The `compute.images.setLabels` permission
-- The `compute.instances.setLabels` permission
-- The `compute.snapshots.list` permission
-- The `compute.snapshots.setLabels` permission
-- The `compute.vpnGateways.list` permission
-- The `compute.vpnGateways.setLabels` permission
-- The `compute.images.setLabels` permission
-- The `storage.buckets.list` permission
-- The `storage.buckets.update` permission
-- The `resourcemanager.projects.get` permission
+This Policy Template requires that several APIs be enabled in your Google Cloud environment:
+
+- [Cloud Resource Manager API](https://console.cloud.google.com/flows/enableapi?apiid=cloudresourcemanager.googleapis.com)
+- [Compute Engine API](https://console.cloud.google.com/flows/enableapi?apiid=compute.googleapis.com)
+
+This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Automation/ManagingCredentialsExternal.htm) for authenticating to datasources -- in order to apply this policy you must have a Credential registered in the system that is compatible with this policy. If there are no Credentials listed when you apply the policy, please contact your Flexera Org Admin and ask them to register a Credential that is compatible with this policy. The information below should be consulted when creating the credential(s).
+
+- [**Google Cloud Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_4083446696_1121577) (*provider=gce*) which has the following:
+  - Permissions
+    - `compute.disks.list`
+    - `compute.disks.setLabels`
+    - `compute.externalVpnGateways.list`
+    - `compute.externalVpnGateways.setLabels`
+    - `compute.images.list`
+    - `compute.images.setLabels`
+    - `compute.instances.list`
+    - `compute.instances.setLabels`
+    - `compute.snapshots.list`
+    - `compute.snapshots.setLabels`
+    - `compute.vpnGateways.list`
+    - `compute.vpnGateways.setLabels`
+    - `resourcemanager.projects.get`
+    - `storage.buckets.list`
+    - `storage.buckets.update`
+
+The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) page in the docs has detailed instructions for setting up Credentials for the most common providers.
 
 ## Supported Clouds
 

cost/aws/unused_ip_addresses/README.md

@@ -12,7 +12,7 @@ The policy utilizes the AWS EC2 API to get a list of unattached IP addresses and
 
 The policy includes the estimated monthly savings. The estimated monthly savings is recognized if the resource is terminated.
 
-- The `Estimated Monthly Savings` is calculated using the per hour price of unused IPs, obtained from the AWS Pricing API, multiplied by 24 and then 30.44 to get an estimated monthly price.
+- The `Estimated Monthly Savings` is calculated using the per hour price of unused IPs, obtained from the AWS Pricing API, multiplied by 24 and then 30.44 to get an estimated monthly price.
 - Since the prices of individual resources are *not* obtained from Flexera CCO, they will *not* take into account any Flexera adjustment rules or cloud provider discounts present in the Flexera platform.
 - The incident message detail includes the sum of each resource `Estimated Monthly Savings` as `Potential Monthly Savings`.
 - If the Flexera organization is configured to use a currency other than USD, the savings values will be converted from USD using the exchange rate at the time that the policy executes.
@@ -50,6 +50,7 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto
   - `ec2:ReleaseAddress`*
   - `pricing:GetProducts`
   - `sts:GetCallerIdentity`
+  - `cloudtrail:LookupEvents`
 
   \* Only required for taking action (releasing an IP address); the policy will still function in a read-only capacity without these permissions.
 

cost/azure/rightsize_compute_instances/README.md

@@ -64,6 +64,9 @@ For administrators [creating and managing credentials](https://docs.flexera.com/
 - [**Azure Resource Manager Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_109256743_1124668) (*provider=azure_rm*) which has the following permissions:
   - `Microsoft.Compute/virtualMachines/read`
   - `Microsoft.Compute/virtualMachines/write`*
+  - `Microsoft.Compute/virtualMachines/powerOff/action`*
+  - `Microsoft.Compute/virtualMachines/start/action`*
+  - `Microsoft.Compute/virtualMachines/delete`*
   - `Microsoft.Compute/skus/read`
   - `Microsoft.Insights/metrics/read`
 

data/policy_permissions_list/README.md

@@ -0,0 +1,5 @@
+# Policy Permissions List
+
+The files in this directory are generated automatically and should **NOT** be manually modified.
+
+Please see [`tools/policy_master_permission_generation`](../../tools/policy_master_permission_generation/) for details