From 7750c6b0c141fef7a4113a7c9af0dfd18ddc8266 Mon Sep 17 00:00:00 2001 
From: Shawn Huckabay Date: Mon, 14 Oct 2024 12:01:30 -0500 Subject: [PATCH] POL-1378 Linting Updates: Compliance Policies (#2731) * update * fix * update * fix * update * fix * update * update * update * update * update * update * update * update * update * update * update * update --- .dangerfile/readme_tests.rb | 2 +- .../aws/disallowed_regions/CHANGELOG.md | 4 + compliance/aws/disallowed_regions/README.md | 2 +- .../aws_disallowed_regions.pt | 29 +-- .../aws_disallowed_regions_meta_parent.pt | 2 +- compliance/aws/ecs_unused/CHANGELOG.md | 4 + compliance/aws/ecs_unused/README.md | 2 +- .../aws/ecs_unused/aws_unused_ecs_clusters.pt | 4 +- .../aws_unused_ecs_clusters_meta_parent.pt | 2 +- compliance/aws/iam_role_audit/CHANGELOG.md | 4 + compliance/aws/iam_role_audit/README.md | 2 +- .../aws/iam_role_audit/aws_iam_role_audit.pt | 5 +- .../aws_iam_role_audit_meta_parent.pt | 2 +- .../instances_without_fnm_agent/CHANGELOG.md | 4 + .../aws/instances_without_fnm_agent/README.md | 8 +- ...ces_not_running_flexnet_inventory_agent.pt | 5 +- ...ing_flexnet_inventory_agent_meta_parent.pt | 2 +- .../aws/long_stopped_instances/CHANGELOG.md | 4 + .../aws/long_stopped_instances/README.md | 2 +- .../aws_long_stopped_instances.pt | 27 +-- .../aws_long_stopped_instances_meta_parent.pt | 6 +- compliance/aws/missing_scps/CHANGELOG.md | 4 + compliance/aws/missing_scps/README.md | 2 +- .../aws/missing_scps/aws_missing_scps.pt | 3 +- compliance/aws/rds_backup/CHANGELOG.md | 4 + compliance/aws/rds_backup/README.md | 2 +- compliance/aws/rds_backup/aws_rds_backup.pt | 5 +- .../rds_backup/aws_rds_backup_meta_parent.pt | 2 +- .../aws/untagged_resources/CHANGELOG.md | 4 + compliance/aws/untagged_resources/README.md | 2 +- .../aws_untagged_resources.pt | 5 +- .../aws_untagged_resources_meta_parent.pt | 2 +- compliance/azure/ahub_manual/CHANGELOG.md | 4 + compliance/azure/ahub_manual/README.md | 28 +-- ...zure_ahub_utilization_with_manual_entry.pt | 28 ++- 
...ilization_with_manual_entry_meta_parent.pt | 2 +- .../azure_disallowed_regions/CHANGELOG.md | 4 + .../azure/azure_disallowed_regions/README.md | 4 +- .../azure_disallowed_regions.pt | 32 ++- .../azure_disallowed_regions_meta_parent.pt | 2 +- .../azure_long_stopped_instances/CHANGELOG.md | 4 + .../azure_long_stopped_instances/README.md | 11 +- .../long_stopped_instances_azure.pt | 32 ++- ...ong_stopped_instances_azure_meta_parent.pt | 4 +- compliance/azure/azure_rg_tags/README.md | 8 +- .../azure/azure_untagged_vms/CHANGELOG.md | 4 + compliance/azure/azure_untagged_vms/README.md | 4 +- .../azure/azure_untagged_vms/untagged_vms.pt | 35 ++- .../untagged_vms_meta_parent.pt | 3 +- compliance/azure/compliance_score/README.md | 2 +- .../instances_without_fnm_agent/README.md | 8 +- .../azure/subscription_access/README.md | 2 +- .../policy_update_notification/README.md | 4 +- .../billing_center_access_report/CHANGELOG.md | 4 + .../billing_center_access_report/README.md | 2 +- .../bc_access_report.pt | 6 +- .../flexera/cmp/disallowed_images/README.md | 8 +- compliance/flexera/cmp/tag_checker/README.md | 4 +- .../cmp/unapproved_instance_types/README.md | 6 +- .../fnms/fnms_licenses_at_risk/README.md | 2 +- .../fnms_low_licenses_available/README.md | 2 +- .../ignored_recent_inventory_dates/README.md | 24 +- .../fnms/overused_licenses/CHANGELOG.md | 4 + .../overused_licenses/overused_licenses.pt | 115 +++++---- .../flexera/fnms/vms_missing_hostid/README.md | 22 +- .../iam/iam_explicit_user_roles/README.md | 2 +- .../CHANGELOG.md | 5 + .../orgs_and_cloud_accounts_report.pt | 228 +++++++++--------- compliance/github/available_seats/README.md | 2 +- .../github/outside_collaborators/README.md | 2 +- .../github/repository_admin_team/README.md | 4 +- .../repository_branch_protection/README.md | 2 +- compliance/github/repository_naming/README.md | 2 +- compliance/github/repository_size/README.md | 2 +- compliance/github/toplevel_teams/README.md | 2 +- 
.../long_stopped_instances/CHANGELOG.md | 4 + .../google/long_stopped_instances/README.md | 31 ++- .../google_long_stopped_instances.pt | 32 ++- ...ogle_long_stopped_instances_meta_parent.pt | 4 +- .../google/unlabeled_resources/README.md | 2 +- .../master_policy_permissions_list.json | 52 ++-- .../master_policy_permissions_list.yaml | 42 ++-- 82 files changed, 535 insertions(+), 464 deletions(-)
diff --git a/.dangerfile/readme_tests.rb b/.dangerfile/readme_tests.rb
index a56d4eb293..e7754910d7 100644
--- a/.dangerfile/readme_tests.rb
+++ b/.dangerfile/readme_tests.rb
@@ -225,7 +225,7 @@ def readme_invalid_credentials?(file, file_lines)
 flexera_permission_scanning = false if line.start_with?("- [") && (!line.include?("Flexera") && !line.include?("flexera"))
 flexera_permission_scanning = false if aws_permission_scanning || azure_permission_scanning || google_permission_scanning
- flexera_permission_scanning = true if !line.start_with?("This Policy Template uses [Credentials]") && !flexera_permission_stop_scanning && !flexera_permission_scanning && prereq_line_number > 0 && (line.include?("[**Flexera") || line.include?("[**flexera")) && (!line.include?("AWS") && !line.include?("aws")) && (!line.include?("Azure") && !line.include?("azure")) && (!line.include?("Google") && !line.include?("google")) && !file.start_with?("saas/fsm/")
+ flexera_permission_scanning = true if !line.start_with?("This Policy Template uses [Credentials]") && !flexera_permission_stop_scanning && !flexera_permission_scanning && prereq_line_number > 0 && (line.include?("[**Flexera") || line.include?("[**flexera")) && !line.include?("ITAM") && (!line.include?("AWS") && !line.include?("aws")) && (!line.include?("Azure") && !line.include?("azure")) && (!line.include?("Google") && !line.include?("google")) && !file.start_with?("saas/fsm/")
 flexera_permission_line = line_number if !flexera_permission_line && flexera_permission_scanning
 flexera_permission_text << line if flexera_permission_scanning
 end
 
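Review bot: The added `!line.include?("ITAM")` is case-sensitive, while every neighbouring provider exclusion in the same condition tests both capitalisations (`"AWS"`/`"aws"`, `"Azure"`/`"azure"`, `"Google"`/`"google"`), so a README line such as `[**Flexera Itam Credential**]` would still be scanned as a generic Flexera credential. The condition is now a single line with ten conjuncts, which is exactly where an omission like this hides; lowercasing `line` once and testing the excluded provider words from one list keeps the ITAM check consistent with the others and makes the rule reviewable. A substring test on the lowercased line is slightly broader than the uppercase-only `"ITAM"` test, which is presumably the intent given the README change elsewhere in this commit to `[**Flexera ITAM Credential**]`. The enclosing `readme_invalid_credentials?` starts and ends outside the hunk, so `flexera_permission_stop_scanning` and `prereq_line_number` are assumed to be set earlier in it.
```ruby
# … unchanged: the two preceding `flexera_permission_scanning = false` resets …
lower = line.downcase
mentions_other_provider = %w[itam aws azure google].any? { |word| lower.include?(word) }
flexera_permission_scanning = true if !flexera_permission_scanning &&
  !flexera_permission_stop_scanning &&
  prereq_line_number > 0 &&
  !line.start_with?("This Policy Template uses [Credentials]") &&
  lower.include?("[**flexera") &&
  !mentions_other_provider &&
  !file.start_with?("saas/fsm/")
# … unchanged: flexera_permission_line / flexera_permission_text updates …
```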
diff --git a/compliance/aws/disallowed_regions/CHANGELOG.md b/compliance/aws/disallowed_regions/CHANGELOG.md
index 92aee702d2..db109c7ee3 100644
--- a/compliance/aws/disallowed_regions/CHANGELOG.md
+++ b/compliance/aws/disallowed_regions/CHANGELOG.md
@@ -1,5 +1,9 @@ # Changelog +## v5.0.1 + +- Minor code improvements to conform with current standards. Functionality unchanged. + ## v5.0 - Several parameters altered to be more descriptive and human-readable
diff --git a/compliance/aws/disallowed_regions/README.md b/compliance/aws/disallowed_regions/README.md
index 98038addd5..af1d7d4746 100644
--- a/compliance/aws/disallowed_regions/README.md
+++ b/compliance/aws/disallowed_regions/README.md
@@ -67,4 +67,4 @@ The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automati ## Cost -This Policy Template does not incur any cloud costs. +This policy template does not incur any cloud costs.
diff --git a/compliance/aws/disallowed_regions/aws_disallowed_regions.pt b/compliance/aws/disallowed_regions/aws_disallowed_regions.pt
index 1ddd8e4987..b0b436ce53 100644
--- a/compliance/aws/disallowed_regions/aws_disallowed_regions.pt
+++ b/compliance/aws/disallowed_regions/aws_disallowed_regions.pt
@@ -7,7 +7,7 @@ category "Compliance"
 severity "low"
 default_frequency "weekly"
 info(
- version: "5.0",
+ version: "5.0.1",
 provider: "AWS",
 service: "Compute",
 policy_set: "Disallowed Regions"
@@ -92,15 +92,6 @@ end # Pagination ############################################################################### -pagination "pagination_aws" do - get_page_marker do - body_path jmes_path(response, "NextToken") - end - set_page_marker do - body_field "NextToken" - end -end - ############################################################################### # Datasources & Scripts ###############################################################################
@@ -164,12 +155,11 @@ end
 datasource "ds_get_caller_identity" do
 request do
 auth $auth_aws
- verb "GET"
 host "sts.amazonaws.com"
 path "/"
- header "User-Agent", "RS Policies"
 query "Action", "GetCallerIdentity"
 query "Version", "2011-06-15"
+ header "User-Agent", "RS Policies"
 end
 result do
 encoding "xml"
@@ -205,7 +195,6 @@ end
 datasource "ds_describe_regions" do
 request do
 auth $auth_aws
- verb "GET"
 host "ec2.amazonaws.com"
 path "/"
 query "Action", "DescribeRegions"
@@ -252,19 +241,19 @@ datasource "ds_instance_sets" do
 auth $auth_aws
 host join(['ec2.', val(iter_item, 'region'), '.amazonaws.com'])
 path '/'
- header 'User-Agent', 'RS Policies'
- header 'Content-Type', 'text/xml'
 query 'Action', 'DescribeInstances'
 query 'Version', '2016-11-15'
 query 'Filter.1.Name', 'instance-state-name'
 query 'Filter.1.Value.1', 'running'
+ header 'User-Agent', 'RS Policies'
+ header 'Content-Type', 'text/xml'
 end
 result do
 encoding "xml"
 collect xpath(response, "//DescribeInstancesResponse/reservationSet/item", "array") do
 field "instances_set" do
 collect xpath(col_item,"instancesSet/item","array") do
- field "region",val(iter_item, "region")
+ field "region", val(iter_item, "region")
 field "instanceId", xpath(col_item, "instanceId")
 field "imageId", xpath(col_item, "imageId")
 field "resourceType", xpath(col_item, "instanceType")
@@ -272,7 +261,7 @@ datasource "ds_instance_sets" do
 field "privateDnsName", xpath(col_item, "privateDnsName")
 field "launchTime", xpath(col_item, "launchTime")
 field "tags" do
- collect xpath(col_item,"tagSet/item", "array") do
+ collect xpath(col_item, "tagSet/item", "array") do
 field "key", xpath(col_item, "key")
 field "value", xpath(col_item, "value")
 end
@@ -498,7 +487,7 @@ define stop_instances($data) do # If we encountered any errors, use `raise` to mark the CWF process as errored if inspect($$errors) != "null" - raise join($$errors,"\n") + raise join($$errors, "\n") end end
@@ -516,7 +505,7 @@ define terminate_instances($data) do # If we encountered any errors, use `raise` to mark the CWF process as errored if inspect($$errors) != "null" - raise join($$errors,"\n") + raise join($$errors, "\n") end end
@@ -636,7 +625,7 @@ datasource "ds_get_policy" do
 auth $auth_flexera
 host rs_governance_host
 ignore_status [404]
- path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", switch(ne(meta_parent_policy_id,""), meta_parent_policy_id, policy_id) ])
+ path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", switch(ne(meta_parent_policy_id, ""), meta_parent_policy_id, policy_id)])
 header "Api-Version", "1.0"
 end
 result do
diff --git a/compliance/aws/disallowed_regions/aws_disallowed_regions_meta_parent.pt b/compliance/aws/disallowed_regions/aws_disallowed_regions_meta_parent.pt
index 8d7a74dc4a..bf73dd69c2 100644
--- a/compliance/aws/disallowed_regions/aws_disallowed_regions_meta_parent.pt
+++ b/compliance/aws/disallowed_regions/aws_disallowed_regions_meta_parent.pt
@@ -7,7 +7,7 @@ category "Meta"
 default_frequency "15 minutes"
 info(
 provider: "AWS",
- version: "5.0", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
+ version: "5.0.1", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
 publish: "true",
 deprecated: "false"
 )
diff --git a/compliance/aws/ecs_unused/CHANGELOG.md b/compliance/aws/ecs_unused/CHANGELOG.md
index 9a8fe94e82..fd9ee8ba99 100644
--- a/compliance/aws/ecs_unused/CHANGELOG.md
+++ b/compliance/aws/ecs_unused/CHANGELOG.md
@@ -1,5 +1,9 @@ # Changelog +## v4.0.1 + +- Minor code improvements to conform with current standards. Functionality unchanged. + ## v4.0.0 - Several parameters altered to be more descriptive and human-readable
diff --git a/compliance/aws/ecs_unused/README.md b/compliance/aws/ecs_unused/README.md
index b75be8e06f..7af4269b33 100644
--- a/compliance/aws/ecs_unused/README.md
+++ b/compliance/aws/ecs_unused/README.md
@@ -78,4 +78,4 @@ The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automati ## Cost -This Policy Template does not incur any cloud costs. +This policy template does not incur any cloud costs.
diff --git a/compliance/aws/ecs_unused/aws_unused_ecs_clusters.pt b/compliance/aws/ecs_unused/aws_unused_ecs_clusters.pt
index 313bde04a6..c46320afca 100644
--- a/compliance/aws/ecs_unused/aws_unused_ecs_clusters.pt
+++ b/compliance/aws/ecs_unused/aws_unused_ecs_clusters.pt
@@ -7,7 +7,7 @@ severity "low"
 category "Compliance"
 default_frequency "weekly"
 info(
- version: "4.0.0",
+ version: "4.0.1",
 provider: "AWS",
 service: "Compute",
 policy_set: "Unused Containers"
@@ -159,7 +159,6 @@ end
 datasource "ds_get_caller_identity" do
 request do
 auth $auth_aws
- verb "GET"
 host "sts.amazonaws.com"
 path "/"
 query "Action", "GetCallerIdentity"
@@ -200,7 +199,6 @@ end
 datasource "ds_describe_regions" do
 request do
 auth $auth_aws
- verb "GET"
 host "ec2.amazonaws.com"
 path "/"
 query "Action", "DescribeRegions"
diff --git a/compliance/aws/ecs_unused/aws_unused_ecs_clusters_meta_parent.pt b/compliance/aws/ecs_unused/aws_unused_ecs_clusters_meta_parent.pt
index 019e86fae3..004d2c74ad 100644
--- a/compliance/aws/ecs_unused/aws_unused_ecs_clusters_meta_parent.pt
+++ b/compliance/aws/ecs_unused/aws_unused_ecs_clusters_meta_parent.pt
@@ -7,7 +7,7 @@ category "Meta"
 default_frequency "15 minutes"
 info(
 provider: "AWS",
- version: "4.0.0", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
+ version: "4.0.1", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
 publish: "true",
 deprecated: "false"
 )
diff --git a/compliance/aws/iam_role_audit/CHANGELOG.md b/compliance/aws/iam_role_audit/CHANGELOG.md
index 687b33daf3..72a303d5a2 100644
--- a/compliance/aws/iam_role_audit/CHANGELOG.md
+++ b/compliance/aws/iam_role_audit/CHANGELOG.md
@@ -1,5 +1,9 @@ # Changelog +## v3.0.2 + +- Minor code improvements to conform with current standards. Functionality unchanged. + ## v3.0.1 - Add default value for `IAM Role Names/IDs/ARNs` param
diff --git a/compliance/aws/iam_role_audit/README.md b/compliance/aws/iam_role_audit/README.md
index 4a116aa205..da656da550 100644
--- a/compliance/aws/iam_role_audit/README.md
+++ b/compliance/aws/iam_role_audit/README.md
@@ -62,4 +62,4 @@ The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automati ## Cost -This Policy Template does not incur any cloud costs. +This policy template does not incur any cloud costs.
diff --git a/compliance/aws/iam_role_audit/aws_iam_role_audit.pt b/compliance/aws/iam_role_audit/aws_iam_role_audit.pt
index bed45dcd12..7d8ae8a94e 100644
--- a/compliance/aws/iam_role_audit/aws_iam_role_audit.pt
+++ b/compliance/aws/iam_role_audit/aws_iam_role_audit.pt
@@ -7,7 +7,7 @@ severity "medium"
 category "Compliance"
 default_frequency "daily"
 info(
- version: "3.0.1",
+ version: "3.0.2",
 provider:"AWS",
 service: "IAM",
 policy_set: "Identity & Access Management"
@@ -145,7 +145,6 @@ end
 datasource "ds_get_caller_identity" do
 request do
 auth $auth_aws
- verb "GET"
 host "sts.amazonaws.com"
 path "/"
 query "Action", "GetCallerIdentity"
@@ -187,7 +186,6 @@ datasource "ds_iam_roles_without_tags" do
 request do
 auth $auth_aws
 pagination $pagination_aws_iam_role_json
- verb "GET"
 host "iam.amazonaws.com"
 path "/"
 query "Action", "ListRoles"
@@ -231,7 +229,6 @@ datasource "ds_iam_roles" do
 request do
 auth $auth_aws
 pagination $pagination_aws_iam_role_tag_json
- verb "GET"
 host "iam.amazonaws.com"
 path "/"
 query "Action", "ListRoleTags"
diff --git a/compliance/aws/iam_role_audit/aws_iam_role_audit_meta_parent.pt b/compliance/aws/iam_role_audit/aws_iam_role_audit_meta_parent.pt
index 1527a8ffd8..ce6f525e13 100644
--- a/compliance/aws/iam_role_audit/aws_iam_role_audit_meta_parent.pt
+++ b/compliance/aws/iam_role_audit/aws_iam_role_audit_meta_parent.pt
@@ -7,7 +7,7 @@ category "Meta"
 default_frequency "15 minutes"
 info(
 provider: "AWS",
- version: "3.0.1", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
+ version: "3.0.2", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
 publish: "true",
 deprecated: "false"
 )
diff --git a/compliance/aws/instances_without_fnm_agent/CHANGELOG.md b/compliance/aws/instances_without_fnm_agent/CHANGELOG.md
index 47957bb558..3842aa8350 100644
--- a/compliance/aws/instances_without_fnm_agent/CHANGELOG.md
+++ b/compliance/aws/instances_without_fnm_agent/CHANGELOG.md
@@ -1,5 +1,9 @@ # Changelog +## v4.3.2 + +- Minor code improvements to conform with current standards. Functionality unchanged. + ## v4.3.1 - Added default value for parameters that do not require user input
diff --git a/compliance/aws/instances_without_fnm_agent/README.md b/compliance/aws/instances_without_fnm_agent/README.md
index 302c276a4a..98233749f7 100644
--- a/compliance/aws/instances_without_fnm_agent/README.md
+++ b/compliance/aws/instances_without_fnm_agent/README.md
@@ -1,12 +1,12 @@ # AWS EC2 Instances not running FlexNet Inventory Agent -## What it does +## What It Does This policy uses the SOAP version of the FlexNet Manager Cloud APIs, checks all EC2 instances running in AWS to determine if the FlexNet Inventory Agent is running on the instance, and reports on any that are missing the agent. The policy is a recommendation only policy, no action is taken during the Policy Escalation. -## Functional Description +## How It Works The policy leverages the cloud API to get all current EC2 instances and the FlexNet Manager report (Custom view) API to get all AWS cloud instances with agent. It cross-checks the two lists to determine if any instances are running on the cloud that aren't known to FlexNet Manager. The policy matches the InstanceCloudID from FlexNet Manager System and the instanceId from AWS.
@@ -56,7 +56,7 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto } ``` -- [**Flexera Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) (*provider=flexera*) which has the following roles: +- [**Flexera ITAM Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) (*provider=flexera*) which has the following roles: - `Web Service` or equivalent role in IT Asset Accounts (for calling ITAM SOAP APIs) The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) page in the docs has detailed instructions for setting up Credentials for the most common providers.
@@ -76,7 +76,7 @@ Once saved, note the report number in the URL field : ![Alt text][ReportNumber] ## Cost -This Policy Template does not incur any cloud costs. +This policy template does not incur any cloud costs. [APIToken]: images/APIToken.png "APIToken"
diff --git a/compliance/aws/instances_without_fnm_agent/aws_instances_not_running_flexnet_inventory_agent.pt b/compliance/aws/instances_without_fnm_agent/aws_instances_not_running_flexnet_inventory_agent.pt
index d586cb2509..dabc3450ec 100644
--- a/compliance/aws/instances_without_fnm_agent/aws_instances_not_running_flexnet_inventory_agent.pt
+++ b/compliance/aws/instances_without_fnm_agent/aws_instances_not_running_flexnet_inventory_agent.pt
@@ -7,7 +7,7 @@ severity "medium"
 category "Compliance"
 default_frequency "weekly"
 info(
- version: "4.3.1",
+ version: "4.3.2",
 provider: "AWS",
 service: "Compute",
 policy_set: "Instances not running FlexNet Inventory Agent"
@@ -105,7 +105,6 @@ datasource "ds_regions_list" do
 # https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeRegions.html
 request do
 auth $auth_aws
- verb "GET"
 host "ec2.amazonaws.com"
 path "/"
 query "Action", "DescribeRegions"
@@ -173,7 +172,6 @@ datasource "ds_aws_ec2_instances_list" do
 iterate $ds_regions
 request do
 auth $auth_aws
- verb "GET"
 host join(["ec2.", val(iter_item, "region"), ".amazonaws.com"])
 path "/"
 query "Action", "DescribeInstances"
@@ -412,4 +410,3 @@ script "js_check_deleted", type: "javascript" do
 result = {"path":"/"}
 EOS
 end
-
diff --git a/compliance/aws/instances_without_fnm_agent/aws_instances_not_running_flexnet_inventory_agent_meta_parent.pt b/compliance/aws/instances_without_fnm_agent/aws_instances_not_running_flexnet_inventory_agent_meta_parent.pt
index c8084da358..78f91f30ed 100644
--- a/compliance/aws/instances_without_fnm_agent/aws_instances_not_running_flexnet_inventory_agent_meta_parent.pt
+++ b/compliance/aws/instances_without_fnm_agent/aws_instances_not_running_flexnet_inventory_agent_meta_parent.pt
@@ -7,7 +7,7 @@ category "Meta"
 default_frequency "15 minutes"
 info(
 provider: "AWS",
- version: "4.3.1", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
+ version: "4.3.2", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
 publish: "true",
 deprecated: "false"
 )
diff --git a/compliance/aws/long_stopped_instances/CHANGELOG.md b/compliance/aws/long_stopped_instances/CHANGELOG.md
index 1b2a18a4fb..50ffe23467 100644
--- a/compliance/aws/long_stopped_instances/CHANGELOG.md
+++ b/compliance/aws/long_stopped_instances/CHANGELOG.md
@@ -1,5 +1,9 @@ # Changelog +## v6.0.1 + +- Minor code improvements to conform with current standards. Functionality unchanged. + ## v6.0 - Added support for regex when filtering resources by tag
diff --git a/compliance/aws/long_stopped_instances/README.md b/compliance/aws/long_stopped_instances/README.md
index 76dfa7e18e..aebe0edd6e 100644
--- a/compliance/aws/long_stopped_instances/README.md
+++ b/compliance/aws/long_stopped_instances/README.md
@@ -83,4 +83,4 @@ The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automati ## Cost -This Policy Template does not incur any cloud costs. +This policy template does not incur any cloud costs.
diff --git a/compliance/aws/long_stopped_instances/aws_long_stopped_instances.pt b/compliance/aws/long_stopped_instances/aws_long_stopped_instances.pt
index f412454c2e..bef3be9dc3 100644
--- a/compliance/aws/long_stopped_instances/aws_long_stopped_instances.pt
+++ b/compliance/aws/long_stopped_instances/aws_long_stopped_instances.pt
@@ -7,7 +7,7 @@ severity "low"
 category "Compliance"
 default_frequency "weekly"
 info(
- version: "6.0",
+ version: "6.0.1",
 provider: "AWS",
 service: "Compute",
 policy_set: "Long Stopped Instances"
@@ -46,8 +46,8 @@ parameter "param_regions_list" do type "list" category "Filters" label "Allow/Deny Regions List" - allowed_pattern /^([a-zA-Z-_]+-[a-zA-Z0-9-_]+-[0-9-_]+,*|)+$/ description "A list of allowed or denied regions. See the README for more details" + allowed_pattern /^([a-zA-Z-_]+-[a-zA-Z0-9-_]+-[0-9-_]+,*|)+$/ default [] end
@@ -73,9 +73,9 @@ parameter "param_stopped_days" do category "Policy Settings" label "Stopped Days" description "The number of days an instance needs to be stopped to include it in the incident report." - default 7 min_value 1 max_value 90 + default 7 end parameter "param_automatic_action" do
@@ -169,12 +169,11 @@ end
 datasource "ds_get_caller_identity" do
 request do
 auth $auth_aws
- verb "GET"
 host "sts.amazonaws.com"
 path "/"
- header "User-Agent", "RS Policies"
 query "Action", "GetCallerIdentity"
 query "Version", "2011-06-15"
+ header "User-Agent", "RS Policies"
 end
 result do
 encoding "xml"
@@ -210,7 +209,6 @@ end
 datasource "ds_describe_regions" do
 request do
 auth $auth_aws
- verb "GET"
 host "ec2.amazonaws.com"
 path "/"
 query "Action", "DescribeRegions"
@@ -256,19 +254,19 @@ datasource "ds_instance_sets" do
 auth $auth_aws
 host join(['ec2.', val(iter_item, 'region'), '.amazonaws.com'])
 path '/'
- header 'User-Agent', 'RS Policies'
- header 'Content-Type', 'text/xml'
 query 'Action', 'DescribeInstances'
 query 'Version', '2016-11-15'
 query 'Filter.1.Name', 'instance-state-name'
 query 'Filter.1.Value.1', 'stopped'
+ header 'User-Agent', 'RS Policies'
+ header 'Content-Type', 'text/xml'
 end
 result do
 encoding "xml"
 collect xpath(response, "//DescribeInstancesResponse/reservationSet/item", "array") do
 field "instances_set" do
 collect xpath(col_item,"instancesSet/item","array") do
- field "region",val(iter_item, "region")
+ field "region", val(iter_item, "region")
 field "instanceId", xpath(col_item, "instanceId")
 field "imageId", xpath(col_item, "imageId")
 field "resourceType", xpath(col_item, "instanceType")
@@ -276,7 +274,7 @@ datasource "ds_instance_sets" do
 field "privateDnsName", xpath(col_item, "privateDnsName")
 field "launchTime", xpath(col_item, "launchTime")
 field "tags" do
- collect xpath(col_item,"tagSet/item", "array") do
+ collect xpath(col_item, "tagSet/item", "array") do
 field "key", xpath(col_item, "key")
 field "value", xpath(col_item, "value")
 end
@@ -653,11 +651,11 @@ policy "pol_long_stopped_instances" do
 validate_each $ds_long_stopped_instances do
 summary_template "{{ with index data 0 }}{{ .policy_name }}{{ end }}: {{ len data }} AWS Long Stopped EC2 Instances Found"
 detail_template "{{ with index data 0 }}{{ .message }}{{ end }}"
+ # Policy check fails and incident is created only if data is not empty and the Parent Policy has not been terminated
+ check logic_or($ds_parent_policy_terminated, eq(val(item, "resourceID"), ""))
 escalate $esc_email
 escalate $esc_terminate_instances
 hash_exclude "message", "tags"
- # Policy check fails and incident is created only if data is not empty and the Parent Policy has not been terminated
- check logic_or($ds_parent_policy_terminated, eq(val(item, "resourceID"), ""))
 export do
 resource_level true
 field "accountID" do
@@ -743,7 +741,7 @@ define terminate_instances($data) do # If we encountered any errors, use `raise` to mark the CWF process as errored if inspect($$errors) != "null" - raise join($$errors,"\n") + raise join($$errors, "\n") end end
@@ -831,7 +829,7 @@ datasource "ds_get_policy" do
 auth $auth_flexera
 host rs_governance_host
 ignore_status [404]
- path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", switch(ne(meta_parent_policy_id,""), meta_parent_policy_id, policy_id) ])
+ path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", switch(ne(meta_parent_policy_id, ""), meta_parent_policy_id, policy_id)])
 header "Api-Version", "1.0"
 end
 result do
@@ -840,7 +838,6 @@ datasource "ds_get_policy" do end end - datasource "ds_parent_policy_terminated" do run_script $js_decide_if_self_terminate, $ds_get_policy, policy_id, meta_parent_policy_id end
diff --git a/compliance/aws/long_stopped_instances/aws_long_stopped_instances_meta_parent.pt b/compliance/aws/long_stopped_instances/aws_long_stopped_instances_meta_parent.pt
index 3555be6165..d878481ce1 100644
--- a/compliance/aws/long_stopped_instances/aws_long_stopped_instances_meta_parent.pt
+++ b/compliance/aws/long_stopped_instances/aws_long_stopped_instances_meta_parent.pt
@@ -7,7 +7,7 @@ category "Meta"
 default_frequency "15 minutes"
 info(
 provider: "AWS",
- version: "6.0", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
+ version: "6.0.1", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
 publish: "true",
 deprecated: "false"
 )
@@ -81,8 +81,8 @@ parameter "param_regions_list" do type "list" category "Filters" label "Allow/Deny Regions List" - allowed_pattern /^([a-zA-Z-_]+-[a-zA-Z0-9-_]+-[0-9-_]+,*|)+$/ description "A list of allowed or denied regions. See the README for more details" + allowed_pattern /^([a-zA-Z-_]+-[a-zA-Z0-9-_]+-[0-9-_]+,*|)+$/ default [] end
@@ -108,9 +108,9 @@ parameter "param_stopped_days" do category "Policy Settings" label "Stopped Days" description "The number of days an instance needs to be stopped to include it in the incident report." - default 7 min_value 1 max_value 90 + default 7 end parameter "param_automatic_action" do
diff --git a/compliance/aws/missing_scps/CHANGELOG.md b/compliance/aws/missing_scps/CHANGELOG.md
index 6e37861422..328627d120 100644
--- a/compliance/aws/missing_scps/CHANGELOG.md
+++ b/compliance/aws/missing_scps/CHANGELOG.md
@@ -1,5 +1,9 @@ # Changelog +## v3.0.1 + +- Minor code improvements to conform with current standards. Functionality unchanged. + ## v3.0.0 - Changed policy template name to `AWS Accounts Missing Service Control Policies` to better reflect its functionality
diff --git a/compliance/aws/missing_scps/README.md b/compliance/aws/missing_scps/README.md
index d73dcdae14..fe9db34a00 100644
--- a/compliance/aws/missing_scps/README.md
+++ b/compliance/aws/missing_scps/README.md
@@ -55,4 +55,4 @@ The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automati ## Cost -This Policy Template does not incur any cloud costs. +This policy template does not incur any cloud costs.
diff --git a/compliance/aws/missing_scps/aws_missing_scps.pt b/compliance/aws/missing_scps/aws_missing_scps.pt
index eab0432256..cbc6d41ed5 100644
--- a/compliance/aws/missing_scps/aws_missing_scps.pt
+++ b/compliance/aws/missing_scps/aws_missing_scps.pt
@@ -5,8 +5,9 @@ short_description "Checks to see if the specified service control policies are a
 long_description ""
 category "Compliance"
 severity "medium"
+default_frequency "daily"
 info(
- version: "3.0.0",
+ version: "3.0.1",
 provider: "AWS",
 service: "Organization",
 policy_set: ""
diff --git a/compliance/aws/rds_backup/CHANGELOG.md b/compliance/aws/rds_backup/CHANGELOG.md
index 6d60dc1c79..d8a3c38e31 100644
--- a/compliance/aws/rds_backup/CHANGELOG.md
+++ b/compliance/aws/rds_backup/CHANGELOG.md
@@ -1,5 +1,9 @@ # Changelog +## v3.0.1 + +- Minor code improvements to conform with current standards. Functionality unchanged. + ## v3.0.0 - Policy template category changed to `Compliance`
diff --git a/compliance/aws/rds_backup/README.md b/compliance/aws/rds_backup/README.md
index 2f7472be58..1914858e00 100644
--- a/compliance/aws/rds_backup/README.md
+++ b/compliance/aws/rds_backup/README.md
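Review bot: `+default_frequency "daily"` in aws_missing_scps.pt is a behavioural addition — the template previously declared no default schedule — yet the v3.0.1 CHANGELOG entry added in this same commit records only "Minor code improvements to conform with current standards. Functionality unchanged." If the platform applied a different default cadence when none was declared, policies applied from the new version will run on a different schedule, and an operator should be able to trace that from the changelog rather than from a diff. The other templates touched here already carry an explicit value (`default_frequency "weekly"` in aws_rds_backup.pt, `"daily"` in aws_iam_role_audit.pt), so the addition itself is consistent; only the record is missing. Suggest a second bullet under v3.0.1 such as `- Added default_frequency "daily" to align with the other compliance policy templates`.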
@@ -72,4 +72,4 @@ The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automati
 ## Cost
-This Policy Template does not incur any cloud costs.
+This policy template does not incur any cloud costs.
diff --git a/compliance/aws/rds_backup/aws_rds_backup.pt b/compliance/aws/rds_backup/aws_rds_backup.pt
index 08b509f688..f19f932f50 100644
--- a/compliance/aws/rds_backup/aws_rds_backup.pt
+++ b/compliance/aws/rds_backup/aws_rds_backup.pt
@@ -7,7 +7,7 @@ category "Compliance"
 severity "medium"
 default_frequency "weekly"
 info(
-  version: "3.0.0",
+  version: "3.0.1",
   provider: "AWS",
   service: "RDS",
   policy_set: ""
@@ -172,7 +172,6 @@ end
 # Get AWS RDS instance sizes
 datasource "ds_aws_instance_size_map" do
   request do
-    verb "GET"
     host "raw.githubusercontent.com"
     path "/flexera-public/policy_templates/master/data/aws/instance_types.json"
     header "User-Agent", "RS Policies"
@@ -200,7 +199,6 @@ end
 datasource "ds_get_caller_identity" do
   request do
     auth $auth_aws
-    verb "GET"
     host "sts.amazonaws.com"
     path "/"
     query "Action", "GetCallerIdentity"
@@ -241,7 +239,6 @@ end
 datasource "ds_describe_regions" do
   request do
     auth $auth_aws
-    verb "GET"
     host "ec2.amazonaws.com"
     path "/"
     query "Action", "DescribeRegions"
diff --git a/compliance/aws/rds_backup/aws_rds_backup_meta_parent.pt b/compliance/aws/rds_backup/aws_rds_backup_meta_parent.pt
index bf928494c3..4c1595f3c5 100644
--- a/compliance/aws/rds_backup/aws_rds_backup_meta_parent.pt
+++ b/compliance/aws/rds_backup/aws_rds_backup_meta_parent.pt
@@ -7,7 +7,7 @@ category "Meta"
 default_frequency "15 minutes"
 info(
   provider: "AWS",
-  version: "3.0.0", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
+  version: "3.0.1", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
   publish: "true",
   deprecated: "false"
 )
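Review bot: `ds_aws_instance_size_map` fetches `instance_types.json` from the `master` branch of the public policy_templates repository at run time (`host "raw.githubusercontent.com"`, `path "/flexera-public/policy_templates/master/data/aws/instance_types.json"`), with no pinning and no integrity check visible in the hunk, so every applied copy of this template changes behaviour the moment that file changes upstream and a mistaken or malicious commit to that path propagates silently; the commit edits this request block but leaves that in place. If each published template version corresponds to a tag or commit, pinning the path to it, e.g. `path "/flexera-public/policy_templates/<release-tag>/data/aws/instance_types.json"`, scopes the dependency to what was reviewed; if tracking master is deliberate, a comment above the datasource saying so would spare the next maintainer the question. Dropping `verb "GET"` here and in the STS and EC2 datasources is fine provided the request DSL defaults to GET, which this diff does not show. The datasource bodies continue past the hunk.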
diff --git a/compliance/aws/untagged_resources/CHANGELOG.md b/compliance/aws/untagged_resources/CHANGELOG.md
index 8b2ac51c46..ec9d6f52b1 100644
--- a/compliance/aws/untagged_resources/CHANGELOG.md
+++ b/compliance/aws/untagged_resources/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
+## v5.3.1
+
+- Minor code improvements to conform with current standards. Functionality unchanged.
+
 ## v5.3.0
 - Added option to include the AWS account in the results alongside AWS resources
diff --git a/compliance/aws/untagged_resources/README.md b/compliance/aws/untagged_resources/README.md
index 3eed0159c3..c0dac9aee2 100644
--- a/compliance/aws/untagged_resources/README.md
+++ b/compliance/aws/untagged_resources/README.md
@@ -88,4 +88,4 @@ The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automati
 ## Cost
-This Policy Template does not launch any instances, and so does not incur any cloud costs.
+This policy template does not incur any cloud costs.
diff --git a/compliance/aws/untagged_resources/aws_untagged_resources.pt b/compliance/aws/untagged_resources/aws_untagged_resources.pt
index 9a69a53d15..0b0688ccd3 100644
--- a/compliance/aws/untagged_resources/aws_untagged_resources.pt
+++ b/compliance/aws/untagged_resources/aws_untagged_resources.pt
@@ -7,7 +7,7 @@ category "Compliance"
 severity "low"
 default_frequency "weekly"
 info(
-  version: "5.3.0",
+  version: "5.3.1",
   provider: "AWS",
   service: "Compute",
   policy_set: "Untagged Resources"
@@ -282,7 +282,6 @@ datasource "ds_recommendations_all" do
   iterate $ds_include_savings
   request do
     auth $auth_flexera
-    verb "GET"
     host rs_optima_host
     path join(["/recommendations/orgs/", rs_org_id, "/recommendations"])
     query "view", "extended"
@@ -367,7 +366,6 @@ end
 datasource "ds_get_caller_identity" do
   request do
     auth $auth_aws
-    verb "GET"
     host "sts.amazonaws.com"
     path "/"
     query "Action", "GetCallerIdentity"
@@ -413,7 +411,6 @@ end
 datasource "ds_describe_regions" do
   request do
     auth $auth_aws
-    verb "GET"
     host "ec2.amazonaws.com"
     path "/"
     query "Action", "DescribeRegions"
diff --git a/compliance/aws/untagged_resources/aws_untagged_resources_meta_parent.pt b/compliance/aws/untagged_resources/aws_untagged_resources_meta_parent.pt
index 6459f5ddd2..88c4529f71 100644
--- a/compliance/aws/untagged_resources/aws_untagged_resources_meta_parent.pt
+++ b/compliance/aws/untagged_resources/aws_untagged_resources_meta_parent.pt
@@ -7,7 +7,7 @@ category "Meta"
 default_frequency "15 minutes"
 info(
   provider: "AWS",
-  version: "5.3.0", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
+  version: "5.3.1", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
   publish: "true",
   deprecated: "false"
 )
diff --git a/compliance/azure/ahub_manual/CHANGELOG.md b/compliance/azure/ahub_manual/CHANGELOG.md
index d46c127e3d..46ba1d734d 100644
--- a/compliance/azure/ahub_manual/CHANGELOG.md
+++ b/compliance/azure/ahub_manual/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
+## v4.0.1
+
+- Minor code improvements to conform with current standards. Functionality unchanged.
+
 ## v4.0
 - Added support for regex when filtering resources by tag
diff --git a/compliance/azure/ahub_manual/README.md b/compliance/azure/ahub_manual/README.md
index fa3b39bdb1..94afcbc374 100644
--- a/compliance/azure/ahub_manual/README.md
+++ b/compliance/azure/ahub_manual/README.md
@@ -4,7 +4,7 @@ This policy checks all virtual machines in Azure to determine how many are using
 AHUB and raises an incident when that number does not match a user-specified number of licenses.
-## Functional Details
+## How It Works
 The policy leverages the Azure Resource Manager API to get data for all virtual machines and compares that to the user-specified number of licenses. Each license is good for one virtual machine with up to 16 cores or two virtual machines with up to 8 cores.
@@ -12,19 +12,6 @@ The policy leverages the Azure Resource Manager API to get data for all virtual
 - If more licenses have been consumed than allocated, the policy will report on virtual machines with an AHUB license that may benefit from disabling AHUB.
 - If license allocation and consumption match exactly, the policy will not report on any virtual machines and no incident will be raised by this policy.
-## Prerequisites
-
-This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Automation/ManagingCredentialsExternal.htm) for authenticating to datasources -- in order to apply this policy you must have a Credential registered in the system that is compatible with this policy. If there are no Credentials listed when you apply the policy, please contact your Flexera Org Admin and ask them to register a Credential that is compatible with this policy. The information below should be consulted when creating the credential(s).
-
-- [**Azure Resource Manager Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_109256743_1124668) (*provider=azure_rm*) which has the following permissions:
-  - `Microsoft.Compute/virtualMachines/read`
-  - `Microsoft.Compute/virtualMachines/vmSizes/read`
-
-- [**Flexera Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) (*provider=flexera*) which has the following roles:
-  - `billing_center_viewer`
-
-The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) page in the docs has detailed instructions for setting up Credentials for the most common providers.
-
 ## Input Parameters
 This policy has the following input parameters required when launching the policy.
@@ -50,6 +37,19 @@ The following policy actions are taken on any resources found to be out of compl
 - Send an email report
+## Prerequisites
+
+This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Automation/ManagingCredentialsExternal.htm) for authenticating to datasources -- in order to apply this policy you must have a Credential registered in the system that is compatible with this policy. If there are no Credentials listed when you apply the policy, please contact your Flexera Org Admin and ask them to register a Credential that is compatible with this policy. The information below should be consulted when creating the credential(s).
+
+- [**Azure Resource Manager Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_109256743_1124668) (*provider=azure_rm*) which has the following permissions:
+  - `Microsoft.Compute/virtualMachines/read`
+  - `Microsoft.Compute/virtualMachines/vmSizes/read`
+
+- [**Flexera Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) (*provider=flexera*) which has the following roles:
+  - `billing_center_viewer`
+
+The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) page in the docs has detailed instructions for setting up Credentials for the most common providers.
+
 ## Supported Clouds
 - Azure
diff --git a/compliance/azure/ahub_manual/azure_ahub_utilization_with_manual_entry.pt b/compliance/azure/ahub_manual/azure_ahub_utilization_with_manual_entry.pt
index a6256ab61e..94750cab2a 100644
--- a/compliance/azure/ahub_manual/azure_ahub_utilization_with_manual_entry.pt
+++ b/compliance/azure/ahub_manual/azure_ahub_utilization_with_manual_entry.pt
@@ -7,7 +7,7 @@ severity "medium"
 category "Compliance"
 default_frequency "weekly"
 info(
-  version: "4.0",
+  version: "4.0.1",
   provider: "Azure",
   service: "Compute",
   policy_set: "Hybrid Use Benefit"
@@ -511,12 +511,24 @@ script "js_ahub_incident", type: "javascript" do
   // Dummy item to ensure that the check statement in the policy executes at least once
   result.push({
-    resourceID: "", resourceName: "", resourceKind: "",
-    resourceType: "", region: "", osType: "",
-    licenseType: "", imagePublisher: "", imageOffer: "",
-    imageSku: "", imageVersion: "", resourceGroup: "",
-    accountID: "", accountName: "", tags: "",
-    cores: "", policy_name: "", summary: "",
+    resourceID: "",
+    resourceName: "",
+    resourceKind: "",
+    resourceType: "",
+    region: "",
+    osType: "",
+    licenseType: "",
+    imagePublisher: "",
+    imageOffer: "",
+    imageSku: "",
+    imageVersion: "",
+    resourceGroup: "",
+    accountID: "",
+    accountName: "",
+    tags: "",
+    cores: "",
+    policy_name: "",
+    summary: "",
     message: ""
   })
@@ -614,7 +626,7 @@ datasource "ds_get_policy" do
     auth $auth_flexera
     host rs_governance_host
     ignore_status [404]
-    path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", switch(ne(meta_parent_policy_id,""), meta_parent_policy_id, policy_id) ])
+    path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", switch(ne(meta_parent_policy_id, ""), meta_parent_policy_id, policy_id)])
     header "Api-Version", "1.0"
   end
   result do
diff --git a/compliance/azure/ahub_manual/azure_ahub_utilization_with_manual_entry_meta_parent.pt b/compliance/azure/ahub_manual/azure_ahub_utilization_with_manual_entry_meta_parent.pt
index b91b9b238d..b01ee1c0e1 100644
--- a/compliance/azure/ahub_manual/azure_ahub_utilization_with_manual_entry_meta_parent.pt
+++ b/compliance/azure/ahub_manual/azure_ahub_utilization_with_manual_entry_meta_parent.pt
@@ -7,7 +7,7 @@ category "Meta"
 default_frequency "15 minutes"
 info(
   provider: "Azure",
-  version: "4.0", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
+  version: "4.0.1", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
   publish: "true",
   deprecated: "false"
 )
diff --git a/compliance/azure/azure_disallowed_regions/CHANGELOG.md b/compliance/azure/azure_disallowed_regions/CHANGELOG.md
index 50cfed079b..5dfeb7b6b2 100644
--- a/compliance/azure/azure_disallowed_regions/CHANGELOG.md
+++ b/compliance/azure/azure_disallowed_regions/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
+## v4.1.1
+
+- Minor code improvements to conform with current standards. Functionality unchanged.
+
 ## v4.1
 - Fixed error where policy would fail completely when trying to access resources credential does not have access to. Policy will now simply skip these resources.
diff --git a/compliance/azure/azure_disallowed_regions/README.md b/compliance/azure/azure_disallowed_regions/README.md
index f5d26b5f60..94707cf6e7 100644
--- a/compliance/azure/azure_disallowed_regions/README.md
+++ b/compliance/azure/azure_disallowed_regions/README.md
@@ -33,7 +33,7 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto
   - `Microsoft.Compute/virtualMachines/read`
   - `Microsoft.Compute/virtualMachines/write`*
-\* Only required for taking action; the policy will still function in a read-only capacity without these permissions.
+  \* Only required for taking action; the policy will still function in a read-only capacity without these permissions.
 - [**Flexera Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) (*provider=flexera*) which has the following roles:
   - `billing_center_viewer`
@@ -46,4 +46,4 @@ The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automati
 ## Cost
-This Policy Template does not incur any cloud costs.
+This policy template does not incur any cloud costs.
diff --git a/compliance/azure/azure_disallowed_regions/azure_disallowed_regions.pt b/compliance/azure/azure_disallowed_regions/azure_disallowed_regions.pt
index 0dd17a45b2..be18a6d84b 100644
--- a/compliance/azure/azure_disallowed_regions/azure_disallowed_regions.pt
+++ b/compliance/azure/azure_disallowed_regions/azure_disallowed_regions.pt
@@ -7,7 +7,7 @@ category "Compliance"
 severity "low"
 default_frequency "weekly"
 info(
-  version: "4.1",
+  version: "4.1.1",
   provider: "Azure",
   service: "Compute",
   policy_set: "Disallowed Regions"
@@ -211,8 +211,8 @@ datasource "ds_azure_instances" do
       field "osType", jmes_path(col_item, "properties.storageProfile.osDisk.osType")
       field "resourceType", jmes_path(col_item, "properties.hardwareProfile.vmSize")
       field "tags", jmes_path(col_item, "tags")
-      field "subscriptionId",val(iter_item, "id")
-      field "subscriptionName",val(iter_item, "name")
+      field "subscriptionId", val(iter_item, "id")
+      field "subscriptionName", val(iter_item, "name")
     end
   end
 end
@@ -341,11 +341,21 @@ script "js_instances_in_bad_regions", type: "javascript" do
   // Add a dummy entry to ensure that the policy's check statement executes at least once
   result.push({
-    accountID: "", accountName: "", resourceGroup: "",
-    resourceName: "", resourceID: "", resourceType: "",
-    resourceKind: "", region: "", osType: "",
-    policy_name: "", tags: "", time_stopped: "",
-    lookbackPeriod: "", recommendationDetails: "", service: "",
+    accountID: "",
+    accountName: "",
+    resourceGroup: "",
+    resourceName: "",
+    resourceID: "",
+    resourceType: "",
+    resourceKind: "",
+    region: "",
+    osType: "",
+    policy_name: "",
+    tags: "",
+    time_stopped: "",
+    lookbackPeriod: "",
+    recommendationDetails: "",
+    service: "",
     message: ""
   })
@@ -452,7 +462,7 @@ define poweroff_instances($data, $param_azure_endpoint, $param_skipshutdown) ret
   end
   if inspect($$errors) != "null"
-    raise join($$errors,"\n")
+    raise join($$errors, "\n")
   end
 end
@@ -499,7 +509,7 @@ define delete_instances($data, $param_azure_endpoint) return $all_responses do
   end
   if inspect($$errors) != "null"
-    raise join($$errors,"\n")
+    raise join($$errors, "\n")
   end
 end
@@ -551,7 +561,7 @@ datasource "ds_get_policy" do
     auth $auth_flexera
     host rs_governance_host
     ignore_status [404]
-    path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", switch(ne(meta_parent_policy_id,""), meta_parent_policy_id, policy_id) ])
+    path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", switch(ne(meta_parent_policy_id, ""), meta_parent_policy_id, policy_id)])
     header "Api-Version", "1.0"
   end
   result do
diff --git a/compliance/azure/azure_disallowed_regions/azure_disallowed_regions_meta_parent.pt b/compliance/azure/azure_disallowed_regions/azure_disallowed_regions_meta_parent.pt
index 9ad92248f4..434e245023 100644
--- a/compliance/azure/azure_disallowed_regions/azure_disallowed_regions_meta_parent.pt
+++ b/compliance/azure/azure_disallowed_regions/azure_disallowed_regions_meta_parent.pt
@@ -7,7 +7,7 @@ category "Meta"
 default_frequency "15 minutes"
 info(
   provider: "Azure",
-  version: "4.1", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
+  version: "4.1.1", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
   publish: "true",
   deprecated: "false"
 )
diff --git a/compliance/azure/azure_long_stopped_instances/CHANGELOG.md b/compliance/azure/azure_long_stopped_instances/CHANGELOG.md
index f5c1704e7d..eb23910725 100644
--- a/compliance/azure/azure_long_stopped_instances/CHANGELOG.md
+++ b/compliance/azure/azure_long_stopped_instances/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
+## v5.0.1
+
+- Minor code improvements to conform with current standards. Functionality unchanged.
+
 ## v5.0
 - Added support for regex when filtering resources by tag
diff --git a/compliance/azure/azure_long_stopped_instances/README.md b/compliance/azure/azure_long_stopped_instances/README.md
index 8163e17bc6..4a1afcc3b0 100644
--- a/compliance/azure/azure_long_stopped_instances/README.md
+++ b/compliance/azure/azure_long_stopped_instances/README.md
@@ -25,6 +25,13 @@ This policy finds Azure virtual machines which have been stopped for more than a
 Please note that the "Automatic Actions" parameter contains a list of action(s) that can be performed on the resources. When it is selected, the policy will automatically execute the corresponding action on the data that failed the checks, post incident generation. Please leave it blank for *manual* action. For example if a user selects the "Delete Instances" action while applying the policy, all the resources that didn't satisfy the policy condition will be deleted.
+## Policy Actions
+
+The following policy actions are taken on any resources found to be out of compliance.
+
+- Sends an email notification
+- Delete Azure virtual machines after approval
+
 ## Prerequisites
 This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Automation/ManagingCredentialsExternal.htm) for authenticating to datasources -- in order to apply this policy you must have a Credential registered in the system that is compatible with this policy. If there are no Credentials listed when you apply the policy, please contact your Flexera Org Admin and ask them to register a Credential that is compatible with this policy. The information below should be consulted when creating the credential(s).
@@ -33,7 +40,7 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto
   - `Microsoft.Compute/virtualMachines/read`
   - `Microsoft.Compute/virtualMachines/delete`*
-\* Only required for taking action; the policy will still function in a read-only capacity without these permissions.
+  \* Only required for taking action; the policy will still function in a read-only capacity without these permissions.
 - [**Flexera Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) (*provider=flexera*) which has the following roles:
   - `billing_center_viewer`
@@ -46,4 +53,4 @@ The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automati
 ## Cost
-This Policy Template does not incur any cloud costs.
+This policy template does not incur any cloud costs.
diff --git a/compliance/azure/azure_long_stopped_instances/long_stopped_instances_azure.pt b/compliance/azure/azure_long_stopped_instances/long_stopped_instances_azure.pt
index 339a6b1c13..221b0bebb0 100644
--- a/compliance/azure/azure_long_stopped_instances/long_stopped_instances_azure.pt
+++ b/compliance/azure/azure_long_stopped_instances/long_stopped_instances_azure.pt
@@ -7,7 +7,7 @@ category "Compliance"
 severity "low"
 default_frequency "weekly"
 info(
-  version: "5.0",
+  version: "5.0.1",
   provider: "Azure",
   service: "Compute",
   policy_set: "Long Stopped Instances"
@@ -90,9 +90,9 @@ parameter "param_stopped_days" do
   category "Policy Settings"
   label "Stopped Days"
   description "The number of days an instance needs to be stopped to include it in the incident report."
-  default 7
   min_value 1
   max_value 90
+  default 7
 end
 parameter "param_automatic_action" do
@@ -220,8 +220,8 @@ datasource "ds_azure_instances" do
       field "osType", jmes_path(col_item, "properties.storageProfile.osDisk.osType")
       field "resourceType", jmes_path(col_item, "properties.hardwareProfile.vmSize")
       field "tags", jmes_path(col_item, "tags")
-      field "subscriptionId",val(iter_item, "id")
-      field "subscriptionName",val(iter_item, "name")
+      field "subscriptionId", val(iter_item, "id")
+      field "subscriptionName", val(iter_item, "name")
     end
   end
 end
@@ -437,11 +437,21 @@ script "js_long_stopped_instances", type: "javascript" do
   // Add a dummy entry to ensure that the policy's check statement executes at least once
   result.push({
-    accountID: "", accountName: "", resourceGroup: "",
-    resourceName: "", resourceID: "", resourceType: "",
-    resourceKind: "", region: "", osType: "",
-    policy_name: "", tags: "", time_stopped: "",
-    lookbackPeriod: "", recommendationDetails: "", service: "",
+    accountID: "",
+    accountName: "",
+    resourceGroup: "",
+    resourceName: "",
+    resourceID: "",
+    resourceType: "",
+    resourceKind: "",
+    region: "",
+    osType: "",
+    policy_name: "",
+    tags: "",
+    time_stopped: "",
+    lookbackPeriod: "",
+    recommendationDetails: "",
+    service: "",
     message: ""
   })
@@ -545,7 +555,7 @@ define delete_instances($data, $param_azure_endpoint) return $all_responses do
   end
   if inspect($$errors) != "null"
-    raise join($$errors,"\n")
+    raise join($$errors, "\n")
   end
 end
@@ -597,7 +607,7 @@ datasource "ds_get_policy" do
     auth $auth_flexera
     host rs_governance_host
     ignore_status [404]
-    path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", switch(ne(meta_parent_policy_id,""), meta_parent_policy_id, policy_id) ])
+    path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", switch(ne(meta_parent_policy_id, ""), meta_parent_policy_id, policy_id)])
     header "Api-Version", "1.0"
   end
   result do
diff --git a/compliance/azure/azure_long_stopped_instances/long_stopped_instances_azure_meta_parent.pt b/compliance/azure/azure_long_stopped_instances/long_stopped_instances_azure_meta_parent.pt
index e996709f8b..32c7cf2d73 100644
--- a/compliance/azure/azure_long_stopped_instances/long_stopped_instances_azure_meta_parent.pt
+++ b/compliance/azure/azure_long_stopped_instances/long_stopped_instances_azure_meta_parent.pt
@@ -7,7 +7,7 @@ category "Meta"
 default_frequency "15 minutes"
 info(
   provider: "Azure",
-  version: "5.0", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
+  version: "5.0.1", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
   publish: "true",
   deprecated: "false"
 )
@@ -116,9 +116,9 @@ parameter "param_stopped_days" do
   category "Policy Settings"
   label "Stopped Days"
   description "The number of days an instance needs to be stopped to include it in the incident report."
-  default 7
   min_value 1
   max_value 90
+  default 7
 end
 parameter "param_automatic_action" do
diff --git a/compliance/azure/azure_rg_tags/README.md b/compliance/azure/azure_rg_tags/README.md
index 2002ace26e..bbe8a80027 100644
--- a/compliance/azure/azure_rg_tags/README.md
+++ b/compliance/azure/azure_rg_tags/README.md
@@ -1,6 +1,6 @@
 # Azure Tag Resources with Resource Group Name
-## What it does
+## What It Does
 This Policy Template will scan all resources in an Azure Resource Manager Subscription, and will raise an incident if any resources are not properly tagged with their corresponding Resource Group name. When an incident is raised, the Policy escalation will execute Cloud Workflow to tag the resources with the correct Resource Group name.
@@ -26,7 +26,7 @@ The following policy actions are taken on any resources found to be out of compl
 ## Prerequisites
-This policy uses [credentials](https://docs.flexera.com/flexera/EN/Automation/ManagingCredentialsExternal.htm) for connecting to the cloud -- in order to apply this policy you must have a credential registered in the system that is compatible with this policy. If there are no credentials listed when you apply the policy, please contact your cloud admin and ask them to register a credential that is compatible with this policy. The information below should be consulted when creating the credential.
+This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Automation/ManagingCredentialsExternal.htm) for authenticating to datasources -- in order to apply this policy you must have a Credential registered in the system that is compatible with this policy. If there are no Credentials listed when you apply the policy, please contact your Flexera Org Admin and ask them to register a Credential that is compatible with this policy. The information below should be consulted when creating the credential(s).
 ### Credential configuration
@@ -39,6 +39,8 @@ Required permissions in the provider:
 - Microsoft.Resources/subscriptions/resources/read
 - Microsoft.Resources/subscriptions/providers/read
+The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) page in the docs has detailed instructions for setting up Credentials for the most common providers.
+
 ## Supported Clouds
 - Azure Resource Manager
@@ -49,4 +51,4 @@ Required permissions in the provider:
 ## Cost
-This Policy Template does not launch any instances, and so does not incur any cloud costs.
+This policy template does not incur any cloud costs.
diff --git a/compliance/azure/azure_untagged_vms/CHANGELOG.md b/compliance/azure/azure_untagged_vms/CHANGELOG.md
index 1c7a9927f5..19e04cbaf1 100644
--- a/compliance/azure/azure_untagged_vms/CHANGELOG.md
+++ b/compliance/azure/azure_untagged_vms/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
+## v1.1.1
+
+- Minor code improvements to conform with current standards. Functionality unchanged.
+
 ## v1.1
 - Fixed error where policy would fail completely when trying to access resources credential does not have access to. Policy will now simply skip these resources.
diff --git a/compliance/azure/azure_untagged_vms/README.md b/compliance/azure/azure_untagged_vms/README.md
index dd9b3d1959..846ce78ca7 100644
--- a/compliance/azure/azure_untagged_vms/README.md
+++ b/compliance/azure/azure_untagged_vms/README.md
@@ -6,7 +6,7 @@ This policy template checks for Azure virtual machines missing the user-specifie
 NOTE: This policy is specific to virtual machines (Microsoft.Compute/virtualMachines). The [Azure Untagged Resources](https://github.com/flexera-public/policy_templates/tree/master/compliance/azure/azure_untagged_resources/) policy is recommended for finding untagged resources that are not virtual machines.
-## Functional Details
+## How It Works
 - The policy leverages the Azure API to retrieve a list of all virtual machines in the Azure estate.
 - The policy then filters that list based on user-specified parameters.
@@ -57,7 +57,7 @@ For administrators [creating and managing credentials](https://docs.flexera.com/
   - `Microsoft.Compute/virtualMachines/read`
   - `Microsoft.Compute/virtualMachines/write`*
-\* Only required for taking action; the policy will still function in a read-only capacity without these permissions.
+  \* Only required for taking action; the policy will still function in a read-only capacity without these permissions.
 - [**Flexera Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) (*provider=flexera*) which has the following roles:
   - `billing_center_viewer`
diff --git a/compliance/azure/azure_untagged_vms/untagged_vms.pt b/compliance/azure/azure_untagged_vms/untagged_vms.pt
index f519b24d62..90fc9d6db6 100644
--- a/compliance/azure/azure_untagged_vms/untagged_vms.pt
+++ b/compliance/azure/azure_untagged_vms/untagged_vms.pt
@@ -7,7 +7,7 @@ category "Compliance"
 severity "low"
 default_frequency "weekly"
 info(
-  version: "1.1",
+  version: "1.1.1",
   provider: "Azure",
   service: "Compute",
   policy_set: "Untagged Resources"
@@ -219,8 +219,8 @@ datasource "ds_azure_instances" do
       field "osType", jmes_path(col_item, "properties.storageProfile.osDisk.osType")
       field "resourceType", jmes_path(col_item, "properties.hardwareProfile.vmSize")
       field "tags", jmes_path(col_item, "tags")
-      field "subscriptionId",val(iter_item, "id")
-      field "subscriptionName",val(iter_item, "name")
+      field "subscriptionId", val(iter_item, "id")
+      field "subscriptionName", val(iter_item, "name")
     end
   end
 end
@@ -366,10 +366,21 @@ script "js_missing_tags_incident", type: "javascript" do
   // Dummy item to ensure that the check statement in the policy executes at least once
   result.push({
-    accountID: "", accountName: "", resourceGroup: "", resourceName: "",
-    resourceID: "", resourceType: "", resourceKind: "", region: "",
-    osType: "", tags_object: "", service: "", tags: "",
-    policy_name: "", message: "", missing_tags: ""
+    accountID: "",
+    accountName: "",
+    resourceGroup: "",
+    resourceName: "",
+    resourceID: "",
+    resourceType: "",
+    resourceKind: "",
+    region: "",
+    osType: "",
+    tags_object: "",
+    service: "",
+    tags: "",
+    policy_name: "",
+    message: "",
+    missing_tags: ""
   })
   phrase = "one or more"
@@ -383,7 +394,6 @@ script "js_missing_tags_incident", type: "javascript" do
 EOS
 end
-
 ###############################################################################
 # Policy
 ###############################################################################
@@ -469,6 +479,7 @@ escalation "esc_tag_instances" do
     label "Add Tags (Key:Value)"
     description "Cloud native tags to add to instances with missing tags. Use Key=Value format. Example: env=production"
     allowed_pattern /^[^=]+=[^=]+$/
+    # No default value, user input required
   end
   run "tag_instances", data, $param_azure_endpoint, $param_tags_to_add
 end
@@ -501,7 +512,7 @@ define tag_instances($data, $param_azure_endpoint, $param_tags_to_add) return $a
   end
   if inspect($$errors) != "null"
-    raise join($$errors,"\n")
+    raise join($$errors, "\n")
   end
 end
@@ -554,7 +565,7 @@ define poweroff_instances($data, $param_azure_endpoint, $param_skipshutdown) ret
   end
   if inspect($$errors) != "null"
-    raise join($$errors,"\n")
+    raise join($$errors, "\n")
   end
 end
@@ -601,7 +612,7 @@ define delete_instances($data, $param_azure_endpoint) return $all_responses do
   end
   if inspect($$errors) != "null"
-    raise join($$errors,"\n")
+    raise join($$errors, "\n")
   end
 end
@@ -653,7 +664,7 @@ datasource "ds_get_policy" do
     auth $auth_flexera
     host rs_governance_host
     ignore_status [404]
-    path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", switch(ne(meta_parent_policy_id,""), meta_parent_policy_id, policy_id) ])
+    path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", switch(ne(meta_parent_policy_id, ""), meta_parent_policy_id, policy_id)])
     header "Api-Version", "1.0"
   end
   result do
diff --git a/compliance/azure/azure_untagged_vms/untagged_vms_meta_parent.pt b/compliance/azure/azure_untagged_vms/untagged_vms_meta_parent.pt
index f796b89276..4780aa6eea 100644
--- a/compliance/azure/azure_untagged_vms/untagged_vms_meta_parent.pt
+++ b/compliance/azure/azure_untagged_vms/untagged_vms_meta_parent.pt
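Review bot: The `param_tags_to_add` parameter inside esc_tag_instances is labelled `Add Tags (Key:Value)` while its description and `allowed_pattern /^[^=]+=[^=]+$/` require `Key=Value`, so the label advertises a separator the validator rejects; the added comment `# No default value, user input required` sits right under it, so this is the moment to fix it with `label "Add Tags (Key=Value)"` (the same label appears in untagged_vms_meta_parent.pt at the hunk starting at line 900). Separately, the pattern only rejects a second `=`: if the platform evaluates `allowed_pattern` with Ruby semantics, `^`/`$` are line anchors and a multi-line value would pass, and nothing stops characters Azure documents as forbidden in tag names (`<>%&\?/`) from reaching the tag_instances workflow, where they surface only as a raised `$$errors` after the API call. If the engine supports them, `allowed_pattern /\A[^=<>%&\\?\/]+=[^=]+\z/` fails fast at apply time; worth confirming what evaluates these patterns before changing it. The escalation block starts before this hunk.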
@@ -7,7 +7,7 @@ category "Meta"
 default_frequency "15 minutes"
 info(
   provider: "Azure",
-  version: "1.1", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
+  version: "1.1.1", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
   publish: "true",
   deprecated: "false"
 )
@@ -900,6 +900,7 @@ escalation "esc_tag_instances" do
     label "Add Tags (Key:Value)"
     description "Cloud native tags to add to instances with missing tags. Use Key=Value format. Example: env=production"
     allowed_pattern /^[^=]+=[^=]+$/
+    # No default value, user input required
   end
   # Run declaration should go at end, after any parameters that may exist
   run "esc_tag_instances", data, rs_governance_host, rs_project_id, $param_tags_to_add
diff --git a/compliance/azure/compliance_score/README.md b/compliance/azure/compliance_score/README.md
index 4656a0869b..45970da97f 100644
--- a/compliance/azure/compliance_score/README.md
+++ b/compliance/azure/compliance_score/README.md
@@ -38,4 +38,4 @@ The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automati
 ## Cost
-This Policy Template does not incur any cloud costs.
+This policy template does not incur any cloud costs.
diff --git a/compliance/azure/instances_without_fnm_agent/README.md b/compliance/azure/instances_without_fnm_agent/README.md
index d6bfeda2ac..9253aa997d 100644
--- a/compliance/azure/instances_without_fnm_agent/README.md
+++ b/compliance/azure/instances_without_fnm_agent/README.md
@@ -1,12 +1,12 @@ # Azure Instances not running FlexNet Inventory Agent -## What it does +## What It Does This policy uses the SOAP version of the FlexNet Manager Cloud APIs, checks all instances running in Azure to determine if the FlexNet Inventory Agent is running on the instance, and reports on any that are missing the agent. The policy is a recommendation only policy, no action is taken during the Policy Escalation. -## Functional Details +## How It Works The policy leverages the cloud API to get all current instances and the FlexNet Manager report (Custom view) API to get all azure cloud instances with agent. It cross-checks the two lists to determine if any instances are running on the cloud that aren't known to FlexNet Manager. The policy matches the ComputerName from FlexNet Manager System and the VirtualMachine.name from Azure. @@ -36,7 +36,7 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto - [**Azure Resource Manager Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_109256743_1124668) (*provider=azure_rm*) which has the following permissions: - `Microsoft.Compute/virtualMachines/read` -- [**Flexera Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) (*provider=flexera*) which has the following roles: +- [**Flexera ITAM Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) (*provider=flexera*) which has the following roles: - `Web Service` or equivalent role in IT Asset Accounts (for calling ITAM SOAP APIs) The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) page in the docs has detailed instructions for setting up Credentials for the most common providers. 
@@ -56,7 +56,7 @@ Once saved, note the report number in the URL field : ![Alt text][ReportNumber] ## Cost -This Policy Template does not incur any cloud costs. +This policy template does not incur any cloud costs. [APIToken]: images/APIToken.png "APIToken" diff --git a/compliance/azure/subscription_access/README.md b/compliance/azure/subscription_access/README.md index e7b387bd8a..0a35402e5e 100644 --- a/compliance/azure/subscription_access/README.md +++ b/compliance/azure/subscription_access/README.md @@ -53,4 +53,4 @@ The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automati ## Cost -This Policy Template does not incur any cloud costs. +This policy template does not incur any cloud costs. diff --git a/compliance/flexera/automation/policy_update_notification/README.md b/compliance/flexera/automation/policy_update_notification/README.md index e126db9ef8..f1e40160af 100644 --- a/compliance/flexera/automation/policy_update_notification/README.md +++ b/compliance/flexera/automation/policy_update_notification/README.md @@ -8,7 +8,7 @@ This policy is no longer being updated. The [Flexera Automation Outdated Applied This Policy Template scans all applied policies in a Flexera account and finds ones that are using an outdated version of a policy template from the Flexera catalog. An incident is raised, and optionally an email is sent, containing a list of these outdated applied policies. -## Functional Details +## How It Works The policy utilizes the Flexera API to get a list of all applied policies in the Flexera account. The same API is then used to get a list of all policy templates in the catalog. An incident is raised with any applied policies whose version number does not match the version number for that same template in the catalog. Applied policies created from templates not in the policy catalog are not included in the results. 
@@ -35,4 +35,4 @@ The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automati ## Cost -This Policy Template does not incur any cloud costs. +This policy template does not incur any cloud costs. diff --git a/compliance/flexera/cco/billing_center_access_report/CHANGELOG.md b/compliance/flexera/cco/billing_center_access_report/CHANGELOG.md index 22e1e06dde..8fe25f7ad2 100644 --- a/compliance/flexera/cco/billing_center_access_report/CHANGELOG.md +++ b/compliance/flexera/cco/billing_center_access_report/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +## v3.1.1 + +- Minor code improvements to conform with current standards. Functionality unchanged. + ## v3.1 - Updated policy metadata to make it more clear what Flexera service the policy is for diff --git a/compliance/flexera/cco/billing_center_access_report/README.md b/compliance/flexera/cco/billing_center_access_report/README.md index e89854d7e4..ab3e239224 100644 --- a/compliance/flexera/cco/billing_center_access_report/README.md +++ b/compliance/flexera/cco/billing_center_access_report/README.md @@ -31,4 +31,4 @@ The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automati ## Cost -This Policy Template does not incur any cloud costs. +This policy template does not incur any cloud costs. diff --git a/compliance/flexera/cco/billing_center_access_report/bc_access_report.pt b/compliance/flexera/cco/billing_center_access_report/bc_access_report.pt index 321e41d57d..c044895fe2 100644 --- a/compliance/flexera/cco/billing_center_access_report/bc_access_report.pt +++ b/compliance/flexera/cco/billing_center_access_report/bc_access_report.pt @@ -7,7 +7,7 @@ category "Compliance" severity "low" default_frequency "daily" info( - version: "3.1", + version: "3.1.1", provider: "Flexera", service: "Cloud Cost Optimization", policy_set: "Cloud Cost Optimization" 
@@ -109,7 +109,7 @@ datasource "ds_billing_center_users" do end result do encoding "json" - collect jmes_path(response,"[*]") do + collect jmes_path(response, "[*]") do field "bc_id", val(iter_item, "id") field "bc_href", val(iter_item, "href") field "bc_name", val(iter_item, "name") @@ -156,7 +156,7 @@ datasource "ds_users_in_groups" do end result do encoding "json" - collect jmes_path(response,"users[*]") do + collect jmes_path(response, "users[*]") do field "user_href", jmes_path(col_item, "href") field "user_email", jmes_path(col_item, "email") field "first_name", jmes_path(col_item, "first_name") diff --git a/compliance/flexera/cmp/disallowed_images/README.md b/compliance/flexera/cmp/disallowed_images/README.md index 2e4c6e8c7c..6052bef39f 100644 --- a/compliance/flexera/cmp/disallowed_images/README.md +++ b/compliance/flexera/cmp/disallowed_images/README.md @@ -4,15 +4,15 @@ This policy is no longer being updated. -## What it does +## What It Does This policy checks all running instances for disallowed cloud images. The user is given the option to Terminate the instance after approval. -## Functional Details +## How It Works The policy leverages the CMP API to check all instances not using the provided list of cloud image resource_uids. Running instance states include any instance with state: running, operational and provisioned. Found instances are terminated after user approval. -### Input Parameters +## Input Parameters - *Email addresses to notify* - Email addresses of the recipients you wish to notify when new incidents are created. - *Exclude Tags* - List of tags that will exclude instances from being evaluated by this policy. Multiple tags are evaluated as an 'OR' condition. Tag must be of the format 'namespace:predicate=value'. Example: 'rs_agent:type=right_link_lite,rs_monitoring:state=auth'. 
@@ -44,4 +44,4 @@ For example if a user selects the "Terminate Instances" action while applying th ### Cost -This Policy Template does not incur any cloud costs. +This policy template does not incur any cloud costs. diff --git a/compliance/flexera/cmp/tag_checker/README.md b/compliance/flexera/cmp/tag_checker/README.md index 81ea86f409..317e8dc143 100644 --- a/compliance/flexera/cmp/tag_checker/README.md +++ b/compliance/flexera/cmp/tag_checker/README.md @@ -4,7 +4,7 @@ This policy is no longer being updated. -## What it does +## What It Does This policy will check all instances in state operational, running and provisioned, and all volumes and check for the tags listed in the *Tags' Namespace:Keys List* field. For each resource that doesn't include the tags in the field they will be included in the policy incident report. As new resources are added or tags and included on the resource the incident report will be updated to exclude the resource. For more information on working with tags in RightScale please refer to the [Tagging](https://docs.rightscale.com/cm/rs101/tagging.html#what-is-a-tag-) page. @@ -77,4 +77,4 @@ This policy requires permissions to access RightScale resources (instances, volu ## Cost -This Policy Template does not launch any instances, and so does not incur any cloud costs. +This policy template does not incur any cloud costs. diff --git a/compliance/flexera/cmp/unapproved_instance_types/README.md b/compliance/flexera/cmp/unapproved_instance_types/README.md index 9cf01ba72d..c76c675985 100644 --- a/compliance/flexera/cmp/unapproved_instance_types/README.md +++ b/compliance/flexera/cmp/unapproved_instance_types/README.md 
@@ -4,11 +4,11 @@ This policy is no longer being updated. -## What it does +## What It Does This policy checks for instances that are using instance types that are not in the specified list and stops them after approval. -## Functional Details +## How It Works The policy leverages the RightScale APIs to check instances across all supported clouds. When a non-approved instance type is detected, a report is emailed and the user can choose to Stop the instance after manual approval. @@ -43,4 +43,4 @@ This policy requires permissions to access RightScale resources (instances and t ### Cost -This Policy Template does not incur any cloud costs. +This policy template does not incur any cloud costs. diff --git a/compliance/flexera/fnms/fnms_licenses_at_risk/README.md b/compliance/flexera/fnms/fnms_licenses_at_risk/README.md index 88df616753..413af9a27e 100644 --- a/compliance/flexera/fnms/fnms_licenses_at_risk/README.md +++ b/compliance/flexera/fnms/fnms_licenses_at_risk/README.md @@ -4,7 +4,7 @@ This policy is no longer being updated. -## What it does +## What It Does This policy uses a Flexnet Manger Cloud/On-premise instance and looks up all FlexNet Manager Licenses that are at risk and lists them. A License at Risk is a License that is unable to cover the current license consumption. diff --git a/compliance/flexera/fnms/fnms_low_licenses_available/README.md b/compliance/flexera/fnms/fnms_low_licenses_available/README.md index 4d3b2f0ed7..a3b79ceb90 100644 --- a/compliance/flexera/fnms/fnms_low_licenses_available/README.md +++ b/compliance/flexera/fnms/fnms_low_licenses_available/README.md @@ -4,7 +4,7 @@ This policy is no longer being updated. -## What it does +## What It Does This policy uses a FlexNet Manger Cloud and looks up all FlexNet Manager Licenses that has lower than user provided percentage. 
diff --git a/compliance/flexera/fnms/ignored_recent_inventory_dates/README.md b/compliance/flexera/fnms/ignored_recent_inventory_dates/README.md index 74e85a9665..ce388e0efe 100644 --- a/compliance/flexera/fnms/ignored_recent_inventory_dates/README.md +++ b/compliance/flexera/fnms/ignored_recent_inventory_dates/README.md @@ -1,8 +1,21 @@ # ITAM Ignore Recent Inventory Dates +## What It Does + This policy uses the ITAM Inventories API to look up machines, when it finds a machine that is ignored we compare it's `lastInventoryDate` to the current time and if it has reported in during that time period an incident is triggered. +## Input Parameters + +This policy has the following input parameters required when launching the policy. + +- *Days since last inventory* - Number of days since Last Inventory +- *Email addresses of the recipients you wish to notify* - A list of email addresse(s) to notify + +## Policy Actions + +- Send an email report + ## Prerequisites This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Automation/ManagingCredentialsExternal.htm) for authenticating to datasources -- in order to apply this policy you must have a Credential registered in the system that is compatible with this policy. If there are no Credentials listed when you apply the policy, please contact your Flexera Org Admin and ask them to register a Credential that is compatible with this policy. The information below should be consulted when creating the credential(s). 
@@ -12,16 +25,9 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) page in the docs has detailed instructions for setting up Credentials for the most common providers. -## Input Parameters +## Supported Clouds -This policy has the following input parameters required when launching the policy. - -- *Days since last inventory* - Number of days since Last Invenotry -- *Email addresses of the recipients you wish to notify* - A list of email addresse(s) to notify - -## Policy Actions - -- Send an email report +- Flexera ## Cost diff --git a/compliance/flexera/fnms/overused_licenses/CHANGELOG.md b/compliance/flexera/fnms/overused_licenses/CHANGELOG.md index 431cfef649..6f36cfb496 100644 --- a/compliance/flexera/fnms/overused_licenses/CHANGELOG.md +++ b/compliance/flexera/fnms/overused_licenses/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +## v2.4.1 + +- Minor code improvements to conform with current standards. Functionality unchanged. + ## v2.4 - Updated policy metadata to make it more clear what Flexera service the policy is for diff --git a/compliance/flexera/fnms/overused_licenses/overused_licenses.pt b/compliance/flexera/fnms/overused_licenses/overused_licenses.pt index dec6a46d48..517b684fd8 100644 --- a/compliance/flexera/fnms/overused_licenses/overused_licenses.pt +++ b/compliance/flexera/fnms/overused_licenses/overused_licenses.pt @@ -7,7 +7,7 @@ severity "medium" category "Compliance" default_frequency "daily" info( - version: "2.4", + version: "2.4.1", provider: "Flexera", service: "IT Asset Management", policy_set: "IT Asset Management" 
@@ -19,22 +19,25 @@ info( parameter "param_email" do type "list" + category "Policy Settings" label "Email addresses of the recipients you wish to notify" description "A list of email address(es) to notify" + default [] end parameter "param_percentage" do type "number" + category "Policy Settings" label "Percentage of License Usage" description "The percentage of available licenses in use to consider a license overused" default 90 end ############################################################################### -# Credentials +# Authentication ############################################################################### -credentials "auth_flexeraone" do +credentials "auth_flexera" do schemes "oauth2" label "flexera" description "Select FlexeraOne OAuth2 credentials" @@ -42,13 +45,12 @@ credentials "auth_flexeraone" do end ############################################################################### -# Datasources +# Datasources & Scripts ############################################################################### datasource "ds_license_attributes" do request do - auth $auth_flexeraone - verb "GET" + auth $auth_flexera host join(["api.", get(1, split(f1_app_host, "app."))]) path join(["/fnms/v1/orgs/", rs_org_id, "/license-attributes"]) query "offset", "" @@ -58,8 +60,7 @@ end datasource "ds_license_entitlements" do request do - auth $auth_flexeraone - verb "GET" + auth $auth_flexera host join(["api.", get(1, split(f1_app_host, "app."))]) path join(["/fnms/v1/orgs/", rs_org_id, "/license-entitlements"]) query "offset", "" 
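Review bot: `default []` on `param_email` turns a parameter that previously had to be supplied into an optional one, which is a behaviour change for anyone applying the template even though the v2.4.1 CHANGELOG entry in this commit says functionality is unchanged; either record it there or leave the parameter without a default. The rename from `auth_flexeraone` to `auth_flexera` is applied to the two datasources visible in the following hunks, but any `$auth_flexeraone` reference in parts of the file outside these hunks would no longer resolve, so it is worth a grep before merging. Dropping `verb "GET"` presumably relies on GET being the request default in this DSL; if that is not guaranteed, keep the explicit verb.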
@@ -71,71 +72,67 @@ datasource "ds_licenses" do run_script $js_licenses, $ds_license_attributes, $ds_license_entitlements end -datasource "ds_overused_licenses" do - run_script $js_overused_licenses, $ds_licenses, $param_percentage -end - -############################################################################### -# Scripts -############################################################################### - script "js_licenses", type: "javascript" do parameters "ds_license_attributes", "ds_license_entitlements" result "result" code <<-EOS - license_attributes = [] - license_entitlements = [] - - _.each(ds_license_attributes['values'], function(la) { - license_attributes.push(la) - }) - - _.each(ds_license_entitlements['values'], function(le) { - license_entitlements.push(le) - }) - - result = [] - - _.each(license_attributes, function(la) { - _.each(license_entitlements, function(le) { - if (la['licenseId'] == le['licenseId']) { - available = le['available'] - extra = le['extra'] - consumed = le['consumed'] - - if (available + extra != 0) { - consumption = (consumed / (available + extra)) * 100 + license_attributes = [] + license_entitlements = [] + + _.each(ds_license_attributes['values'], function(la) { + license_attributes.push(la) + }) + + _.each(ds_license_entitlements['values'], function(le) { + license_entitlements.push(le) + }) + + result = [] + + _.each(license_attributes, function(la) { + _.each(license_entitlements, function(le) { + if (la['licenseId'] == le['licenseId']) { + available = le['available'] + extra = le['extra'] + consumed = le['consumed'] + + if (available + extra != 0) { + consumption = (consumed / (available + extra)) * 100 + } else { + if (consumed == 0) { + consumption = 0 } else { - if (consumed == 0) { - consumption = 0 - } else { - consumption = "N/A" - } + consumption = "N/A" } + } - la['consumed'] = le['consumed'] - la['available_extra'] = parseInt(le['available']) + parseInt(le['extra']) - la['consumption'] = consumption - 
la['id'] = la['licenseId'] + la['consumed'] = le['consumed'] + la['available_extra'] = parseInt(le['available']) + parseInt(le['extra']) + la['consumption'] = consumption + la['id'] = la['licenseId'] - result.push(la) - } - }) + result.push(la) + } }) + }) EOS end +datasource "ds_overused_licenses" do + run_script $js_overused_licenses, $ds_licenses, $param_percentage +end + script "js_overused_licenses", type: "javascript" do parameters "ds_licenses", "param_percentage" result "result" code <<-EOS - result = [] + result = [] - _.each(ds_licenses, function(license) { - if (license['consumption'] > param_percentage || license['consumption'] == "N/A") { - result.push(license) - } - }) + _.each(ds_licenses, function(license) { + if (license['consumption'] > param_percentage || license['consumption'] == "N/A") { + result.push(license) + } + }) EOS end @@ -146,8 +143,8 @@ end policy "pol_overused_licenses" do validate $ds_overused_licenses do summary_template "{{ rs_project_name }} (Account ID: {{ rs_project_id }}): {{ len data }} Overused License(s) Found" - escalate $send_report - check eq(size(data),0) + check eq(size(data), 0) + escalate $esc_email export do resource_level true field "id" do @@ -188,7 +185,7 @@ end # Escalations ############################################################################### -escalation "send_report" do +escalation "esc_email" do automatic true label "Send Email" description "Sends incident email" diff --git a/compliance/flexera/fnms/vms_missing_hostid/README.md b/compliance/flexera/fnms/vms_missing_hostid/README.md index f785b21388..6de7646ef2 100644 --- a/compliance/flexera/fnms/vms_missing_hostid/README.md +++ b/compliance/flexera/fnms/vms_missing_hostid/README.md 
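Review bot: In `js_licenses` the `la` object is mutated in place and pushed once per matching entitlement, so if two entitlements share a `licenseId` the result holds the same object twice, both carrying the second entitlement's values (the commit only re-indents this code, and I cannot tell from the diff whether the API can return duplicate ids). The zero guard `available + extra != 0` also uses the raw values while `available_extra` is built with `parseInt`, so if the API returns these as strings the guard concatenates instead of adding and the two fields disagree. A rewrite that parses once, groups entitlements by id with `_.groupBy` (which also replaces the n×m scan) and pushes a `_.clone(la)` per match keeps the output shape and removes both issues; sketch of the heredoc body below.
```javascript
  // … unchanged: building license_attributes / license_entitlements …
  var entitlements_by_id = _.groupBy(license_entitlements, 'licenseId')

  result = []

  _.each(license_attributes, function(la) {
    _.each(entitlements_by_id[la['licenseId']] || [], function(le) {
      var available_extra = parseInt(le['available']) + parseInt(le['extra'])
      var consumed = parseInt(le['consumed'])
      var consumption = "N/A"

      if (available_extra != 0) {
        consumption = (consumed / available_extra) * 100
      } else if (consumed == 0) {
        consumption = 0
      }

      // copy so repeated matches do not alias the same object
      var entry = _.clone(la)
      entry['consumed'] = le['consumed']
      entry['available_extra'] = available_extra
      entry['consumption'] = consumption
      entry['id'] = la['licenseId']

      result.push(entry)
    })
  })
```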
@@ -1,7 +1,19 @@ # ITAM VMs Missing Host ID +## What It Does + This policy uses the ITAM Inventories API to look up virtual machines and raises an incident if any are found without a Host ID assigned to them. The incident provides a detailed list of the affected machines. +## Input Parameters + +This policy has the following input parameters required when launching the policy. + +- *Email addresses of the recipients you wish to notify* - A list of email address(es) to notify + +## Policy Actions + +- Send an email report + ## Prerequisites This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Automation/ManagingCredentialsExternal.htm) for authenticating to datasources -- in order to apply this policy you must have a Credential registered in the system that is compatible with this policy. If there are no Credentials listed when you apply the policy, please contact your Flexera Org Admin and ask them to register a Credential that is compatible with this policy. The information below should be consulted when creating the credential(s). @@ -11,15 +23,9 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) page in the docs has detailed instructions for setting up Credentials for the most common providers. -## Input Parameters +## Supported Clouds -This policy has the following input parameters required when launching the policy. - -- *Email addresses of the recipients you wish to notify* - A list of email address(es) to notify - -## Policy Actions - -- Send an email report +- Flexera ## Cost diff --git a/compliance/flexera/iam/iam_explicit_user_roles/README.md b/compliance/flexera/iam/iam_explicit_user_roles/README.md index ecf2bfccd9..cbcfc6a317 100644 --- a/compliance/flexera/iam/iam_explicit_user_roles/README.md +++ b/compliance/flexera/iam/iam_explicit_user_roles/README.md 
@@ -30,4 +30,4 @@ The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automati ## Cost -This Policy Template does not incur any cloud costs. +This policy template does not incur any cloud costs. diff --git a/compliance/flexera/msp/orgs_and_cloud_accounts_report/CHANGELOG.md b/compliance/flexera/msp/orgs_and_cloud_accounts_report/CHANGELOG.md index 7da2289ebd..b2ae53cd24 100644 --- a/compliance/flexera/msp/orgs_and_cloud_accounts_report/CHANGELOG.md +++ b/compliance/flexera/msp/orgs_and_cloud_accounts_report/CHANGELOG.md @@ -1,5 +1,10 @@ # Changelog +## v2.0.0 + +- Minor code improvements to conform with current standards. Functionality unchanged. +- Policy template now requires a valid Flexera credential + ## v1.6 - Updated policy metadata to make it more clear what Flexera service the policy is for diff --git a/compliance/flexera/msp/orgs_and_cloud_accounts_report/orgs_and_cloud_accounts_report.pt b/compliance/flexera/msp/orgs_and_cloud_accounts_report/orgs_and_cloud_accounts_report.pt index 685d6499f2..426f8894fb 100644 --- a/compliance/flexera/msp/orgs_and_cloud_accounts_report/orgs_and_cloud_accounts_report.pt +++ b/compliance/flexera/msp/orgs_and_cloud_accounts_report/orgs_and_cloud_accounts_report.pt 
@@ -1,73 +1,74 @@ name "Orgs and Clouds Vendor Accounts" rs_pt_ver 20180301 type "policy" -short_description "This policy generates a list of cross organization Cloud Vendor Accounts connected to Flexera Optima based on +short_description "This policy generates a list of cross organization Cloud Vendor Accounts connected to Flexera CCO based on the bill connection settings for Azure and Google, as well as full list of AWS accounts under the payer account connected for each Flexera Organization.\n See [README](https://github.com/flexera-public/policy_templates/tree/master/compliance/flexera/msp/orgs_and_cloud_accounts_report) for more details" long_description "" -severity "low" category "Compliance" +severity "low" +default_frequency "weekly" info( - version: "1.6", + version: "2.0.0", provider: "Flexera", service: "Cloud Cost Optimization", policy_set: "Managed Service Provider", publish: "false" ) -############################################################################### -# Permissions -############################################################################### - ############################################################################### # Parameters ############################################################################### + parameter "param_email" do type "list" + category "Policy Settings" label "Email List" description "Email addresses of the recipients you wish to notify" + default [] end parameter "param_exclude_organizations" do type "list" + category "Policy Settings" label "Excluded Organizations" - description "Names of organizations to exclude. \n - NOTE: use only either 'Excluded Organizations' or 'Exclucded organizations IDs', not both" + description "Names of organizations to exclude. 
NOTE: use only either 'Excluded Organizations' or 'Exclucded organizations IDs', not both" + default [] end parameter "param_exclude_organizations_ids" do type "list" + category "Policy Settings" label "Excluded Organizations IDs" - description "IDs of organizations to exclude. \n - NOTE: use only either 'Excluded Organizations' or 'Exclucded organizations IDs', not both" + description "IDs of organizations to exclude. NOTE: use only either 'Excluded Organizations' or 'Exclucded organizations IDs', not both" + default [] end - ############################################################################### # Authentication ############################################################################### -auth "auth_rs", type: "rightscale" - -############################################################################### -# Resources -############################################################################### +credentials "auth_flexera" do + schemes "oauth2" + label "flexera" + description "Select FlexeraOne OAuth2 credentials" + tags "provider=flexera" +end ############################################################################### -# Datasources +# Datasources & Scripts ############################################################################### datasource "ds_session" do request do - auth $auth_rs - verb "GET" + auth $auth_flexera host rs_cm_host path "/api/sessions" - header "X-Api-Version", "1.5" query "view", "whoami" + header "X-Api-Version", "1.5" end result do - field "userid", join(["/grs/users/",last(split(first(jmes_path(response, "links[?rel == 'user'].href")),'/'))]) + field "userid", join(["/grs/users/", last(split(first(jmes_path(response, "links[?rel == 'user'].href")), '/'))]) end end 
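Review bot: Both rewritten `description` strings for `param_exclude_organizations` and `param_exclude_organizations_ids` still carry the typo `'Exclucded organizations IDs'`, which is user-facing text; `'Excluded Organizations IDs'` would match the actual `label`. The `ds_session` datasource keeps calling `rs_cm_host` `/api/sessions` with `X-Api-Version 1.5` but now authenticates with the new oauth2 `auth_flexera` credential instead of the `rightscale` auth it was written against; I cannot confirm from the diff that this endpoint accepts the new credential, so that swap deserves an end-to-end run before the v2.0.0 release announced in the CHANGELOG.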
@@ -78,32 +79,63 @@ datasource "ds_current_user_organizations" do result do collect jmes_path(response, "orgs") do field "href", jmes_path(col_item, "href") - field "org_id", last(split(jmes_path(col_item, "href"),"/")) + field "org_id", last(split(jmes_path(col_item, "href"), "/")) field "name", jmes_path(col_item, "name") field "cluster", jmes_path(col_item, "starts_with(legacy.account_url, 'https://us-3') && '3' || starts_with(legacy.account_url, 'https://us-4') && '4'") end end end +script "js_current_user_organizations", type: "javascript" do + parameters "ds_session" + result "request" + code <<-EOS + var request = { + "auth": "auth_flexera", + "verb": "GET", + "host": "governance.rightscale.com", + "path": ds_session["userid"], + "headers": {"X-Api-Version": "2.0" }, + "query_params":{"view":"extended"} + } +EOS +end + datasource "ds_filtered_user_organizations" do - run_script $js_filter_organizations, $ds_current_user_organizations, $param_exclude_organizations, $param_exclude_organizations_ids + run_script $js_filtered_user_organizations, $ds_current_user_organizations, $param_exclude_organizations, $param_exclude_organizations_ids +end + +script "js_filtered_user_organizations", type: "javascript" do + parameters "ds_current_user_organizations", "param_exclude_organizations", "param_exclude_organizations_ids" + result "results" + code <<-EOS + var results = _.reject(ds_current_user_organizations, function(org){ + return _.contains(param_exclude_organizations, org["name"]) + }) + + if ( param_exclude_organizations_ids.length > 0) { + var results = _.reject(ds_current_user_organizations, function(org){ + return _.contains(param_exclude_organizations_ids, org["org_id"]) + }) + } +EOS end datasource "ds_bill_connects" do iterate $ds_filtered_user_organizations request do - auth $auth_rs + auth $auth_flexera host "onboarding.rightscale.com" - path join(["/api/onboarding/orgs/",val(iter_item,"org_id"),"/bill_connects"]) + path join(["/api/onboarding/orgs/", 
val(iter_item, "org_id"), "/bill_connects"]) header "Api-Version", "1.0" header "User-Agent", "RS Policies" end result do encoding "json" - collect jmes_path(response,"[*]") do - field "id", jmes_path(col_item,"id") + collect jmes_path(response, "[*]") do + field "id", jmes_path(col_item, "id") field "cloud_vendor_id", jmes_path(col_item, "cloud_vendor_id") - field "org_id", val(iter_item,"org_id") + field "org_id", val(iter_item, "org_id") field "aws_cloud_vendor_account_name", "" end end @@ -112,18 +144,18 @@ end datasource "ds_bill_connects_csp" do iterate $ds_filtered_user_organizations request do - auth $auth_rs + auth $auth_flexera host rs_optima_host - path join(["/analytics/orgs/",val(iter_item,"org_id"),"/azure_csp_partners"]) + path join(["/analytics/orgs/", val(iter_item, "org_id"), "/azure_csp_partners"]) header "Api-Version", "1.0" header "User-Agent", "RS Policies" end result do encoding "json" - collect jmes_path(response,"[*]") do - field "id", jmes_path(col_item,"id") + collect jmes_path(response, "[*]") do + field "id", jmes_path(col_item, "id") field "cloud_vendor_id", "azure_csp_partners" - field "org_id", val(iter_item,"org_id") + field "org_id", val(iter_item, "org_id") field "aws_cloud_vendor_account_name", "" end end 
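Review bot: `js_filtered_user_organizations` silently discards the name-based exclusion whenever `param_exclude_organizations_ids` is non-empty, because the second `_.reject` starts again from `ds_current_user_organizations` rather than from `results`; the parameter descriptions tell users not to set both, but nothing enforces it. A single pass handles both lists and removes the duplicate `var results` declaration: `var results = _.reject(ds_current_user_organizations, function(org){ return _.contains(param_exclude_organizations, org["name"]) || _.contains(param_exclude_organizations_ids, org["org_id"]) })`. Separately, `js_current_user_organizations` hard-codes `"host": "governance.rightscale.com"` while the rest of the file resolves hosts through built-ins such as `rs_cm_host` and `rs_optima_host`; if `rs_governance_host`, which other templates in this commit use, can be passed into the script, that would keep the template portable.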
@@ -132,20 +164,20 @@ end
 datasource "ds_aws_cloud_vendor_accounts" do
 iterate $ds_filtered_user_organizations
 request do
- auth $auth_rs
+ auth $auth_flexera
 host rs_optima_host
- path join(["/bill-analysis/orgs/",val(iter_item,"org_id"),"/cloud_vendor_accounts"])
+ path join(["/bill-analysis/orgs/", val(iter_item, "org_id"), "/cloud_vendor_accounts"])
+ query "cloud_vendor", "aws"
 header "Api-Version", "0.1"
 header "User-Agent", "RS Policies"
- query "cloud_vendor", "aws"
 end
 result do
 encoding "json"
- collect jmes_path(response,"[*]") do
- field "id", join(["aws-",jmes_path(col_item,"id")])
+ collect jmes_path(response, "[*]") do
+ field "id", join(["aws-", jmes_path(col_item, "id")])
 field "cloud_vendor_id", "aws"
- field "org_id", val(iter_item,"org_id")
- field "aws_cloud_vendor_account_name", jmes_path(col_item,"name")
+ field "org_id", val(iter_item, "org_id")
+ field "aws_cloud_vendor_account_name", jmes_path(col_item, "name")
 end
 end
 end
@@ -154,86 +186,44 @@ datasource "ds_bill_connects_without_aws_payer" do
 run_script $js_bill_connects_without_aws_payer, $ds_bill_connects
 end
-datasource "ds_combined_cloud_accounts" do
- run_script $js_combine_cloud_accounts, $ds_bill_connects_without_aws_payer, $ds_bill_connects_csp, $ds_aws_cloud_vendor_accounts
-end
-
-datasource "ds_normalized_cloud_vendor_ids" do
- run_script $js_normalize_cloud_vendor_ids, $ds_combined_cloud_accounts
-end
-
-
-###############################################################################
-# Scripts
-###############################################################################
-script "js_current_user_organizations", type: "javascript" do
- parameters "ds_session"
- result "request"
- code <<-EOF
- var request = {
- "auth": "auth_rs",
- "verb": "GET",
- "host": "governance.rightscale.com",
- "path": ds_session["userid"],
- "headers": {"X-Api-Version": "2.0" },
- "query_params":{"view":"extended"}
- }
- EOF
-end
-
-script "js_filter_organizations", type: "javascript" do
- parameters "ds_current_user_organizations", "param_exclude_organizations", "param_exclude_organizations_ids"
- result "results"
- code <<-EOF
- var results = _.reject(ds_current_user_organizations, function(org){
- return _.contains(param_exclude_organizations, org["name"])
- })
- if ( param_exclude_organizations_ids.length > 0) {
- var results = _.reject(ds_current_user_organizations, function(org){
- return _.contains(param_exclude_organizations_ids, org["org_id"])
- })
- }
- EOF
-end
-
-script "js_generate_report", type: "javascript" do
- parameters "ds_previous_six_month_costs","param_cost_metric","ds_report","param_graph_dimension","ds_currency_code","ds_currency_reference"
- result "report"
- code <<-EOS
- EOS
-end
-
-# We exclude AWS account from the bill connection as it will later already be listed already in ds_aws_cloud_vendor_accounts
 script "js_bill_connects_without_aws_payer", type: "javascript" do
 parameters "ds_bill_connects"
 result 
"result"
- code <<-EOF
- var cloud_vendor_to_exclude = ["aws"]
- var result = _.reject(ds_bill_connects, function(account){
- return _.contains(cloud_vendor_to_exclude, account["cloud_vendor_id"])
- })
- EOF
+ code <<-EOS
+ var cloud_vendor_to_exclude = ["aws"]
+ var result = _.reject(ds_bill_connects, function(account){
+ return _.contains(cloud_vendor_to_exclude, account["cloud_vendor_id"])
+ })
+EOS
+end
+
+datasource "ds_combined_cloud_accounts" do
+ run_script $js_combined_cloud_accounts, $ds_bill_connects_without_aws_payer, $ds_bill_connects_csp, $ds_aws_cloud_vendor_accounts
 end
-script "js_combine_cloud_accounts", type: "javascript" do
+script "js_combined_cloud_accounts", type: "javascript" do
 parameters "ds_bill_connects_csp", "ds_bill_connects_without_aws_payer", "ds_aws_cloud_vendor_accounts"
 result "result"
- code <<-EOF
- var result = ""
- if ( ds_bill_connects_csp.length > 0 ) {
- result = ds_bill_connects_csp.concat(ds_bill_connects_without_aws_payer)
- }
- else {
- result = ds_bill_connects_without_aws_payer
- }
- result = result.concat(ds_aws_cloud_vendor_accounts)
- EOF
+ code <<-EOS
+ var result = ""
+ if ( ds_bill_connects_csp.length > 0 ) {
+ result = ds_bill_connects_csp.concat(ds_bill_connects_without_aws_payer)
+ }
+ else {
+ result = ds_bill_connects_without_aws_payer
+ }
+ result = result.concat(ds_aws_cloud_vendor_accounts)
+EOS
 end
-script "js_normalize_cloud_vendor_ids", type: "javascript" do
+datasource "ds_normalized_cloud_vendor_ids" do
+ run_script $js_normalized_cloud_vendor_ids, $ds_combined_cloud_accounts
+end
+
+script "js_normalized_cloud_vendor_ids", type: "javascript" do
 parameters "ds_combined_cloud_accounts"
 result "result"
- code <<-EOF
+ code <<-EOS
 function dedup(arr) {
 var hashTable = {};
 return arr.filter(function (el) {
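Review bot: The positional arguments passed by `ds_combined_cloud_accounts` do not match the parameter list of `js_combined_cloud_accounts`: the datasource runs `run_script $js_combined_cloud_accounts, $ds_bill_connects_without_aws_payer, $ds_bill_connects_csp, $ds_aws_cloud_vendor_accounts`, while the script declares `parameters "ds_bill_connects_csp", "ds_bill_connects_without_aws_payer", "ds_aws_cloud_vendor_accounts"`, so inside the script each of the first two variables holds the other's data. The merged output still contains the same records because the body only concatenates the three lists, but the `length > 0` guard is evaluated against the wrong list and any future per-source logic would be silently wrong. Reorder the call to `run_script $js_combined_cloud_accounts, $ds_bill_connects_csp, $ds_bill_connects_without_aws_payer, $ds_aws_cloud_vendor_accounts` (or the `parameters` line) and drop the guard, since `concat` on an empty array is safe: `var result = ds_bill_connects_csp.concat(ds_bill_connects_without_aws_payer, ds_aws_cloud_vendor_accounts)`. Separately, `var result = ""` initialises the result as a string before it is reassigned to an array; initialise it as `[]` or remove the line.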
@@ -247,17 +237,21 @@ script "js_normalize_cloud_vendor_ids", type: "javascript" do
 }
 var result = dedup(ds_combined_cloud_accounts);
 result = _.sortBy(result, 'org_id');
- EOF
+EOS
 end
-policy "policy_scheduled_report" do
+###############################################################################
+# Policy
+###############################################################################
+
+policy "pol_scheduled_report" do
 validate_each $ds_normalized_cloud_vendor_ids do
 summary_template "{{ rs_project_name }} (Account ID: {{ rs_project_id }}): {{ len data }} Cloud Accounts Found"
 detail_template <<-EOS
 {{ len data }} Cloud Accounts have been generated from: {{ rs_project_name }} (ID: {{ rs_project_id }}) \n
 EOS
- escalate $escalation_send_email
- check eq(0,1)
+ check eq(0, 1)
+ escalate $esc_email
 export do
 field "org_id" do
 label "Flexera Org ID"
@@ -279,13 +273,9 @@ end
 # Escalations
 ###############################################################################
-escalation "escalation_send_email" do
+escalation "esc_email" do
 automatic true
 label "Send Email"
 description "Send incident email"
 email $param_email
 end
-
-###############################################################################
-# Cloud Workflow
-###############################################################################
diff --git a/compliance/github/available_seats/README.md b/compliance/github/available_seats/README.md
index 011724d88d..d4ad65048e 100644
--- a/compliance/github/available_seats/README.md
+++ b/compliance/github/available_seats/README.md
@@ -33,4 +33,4 @@ The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automati
 ## Cost
-This Policy Template does not incur any cloud costs.
+This policy template does not incur any cloud costs.
diff --git a/compliance/github/outside_collaborators/README.md b/compliance/github/outside_collaborators/README.md
index d6d5fd1454..91d8f73af9 100644
--- a/compliance/github/outside_collaborators/README.md
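Review bot: `check eq(0, 1)` in `pol_scheduled_report` can never pass, so every run raises an incident regardless of what the datasource returns; that is presumably intentional for a report-style policy, but nothing in the hunk says so and a reader is likely to take it for a bug. Add a comment above the check, e.g. `# The check always fails on purpose: this policy is a report and must emit the account list as an incident on every run`. The `validate_each` block continues past the end of the hunk.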
+++ b/compliance/github/outside_collaborators/README.md
@@ -34,4 +34,4 @@ The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automati
 ## Cost
-This Policy Template does not incur any cloud costs.
+This policy template does not incur any cloud costs.
diff --git a/compliance/github/repository_admin_team/README.md b/compliance/github/repository_admin_team/README.md
index 7d96b9b258..f9010390d1 100644
--- a/compliance/github/repository_admin_team/README.md
+++ b/compliance/github/repository_admin_team/README.md
@@ -1,4 +1,4 @@
-# GitHub Repositories without Admin Team
+# GitHub Repositories Without Admin Team
 ## What It Does
@@ -33,4 +33,4 @@ The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automati
 ## Cost
-This Policy Template does not incur any cloud costs.
+This policy template does not incur any cloud costs.
diff --git a/compliance/github/repository_branch_protection/README.md b/compliance/github/repository_branch_protection/README.md
index 4743f99bb5..9a4c38f1fc 100644
--- a/compliance/github/repository_branch_protection/README.md
+++ b/compliance/github/repository_branch_protection/README.md
@@ -44,4 +44,4 @@ The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automati
 ## Cost
-This Policy Template does not incur any cloud costs.
+This policy template does not incur any cloud costs.
diff --git a/compliance/github/repository_naming/README.md b/compliance/github/repository_naming/README.md
index 16bfa58d41..b93e99b961 100644
--- a/compliance/github/repository_naming/README.md
+++ b/compliance/github/repository_naming/README.md
@@ -34,4 +34,4 @@ The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automati
 ## Cost
-This Policy Template does not incur any cloud costs.
+This policy template does not incur any cloud costs.
diff --git a/compliance/github/repository_size/README.md b/compliance/github/repository_size/README.md
index dc92c8dd97..b17fe4a7e3 100644
--- a/compliance/github/repository_size/README.md
+++ b/compliance/github/repository_size/README.md
@@ -35,4 +35,4 @@ The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automati
 ## Cost
-This Policy Template does not incur any cloud costs.
+This policy template does not incur any cloud costs.
diff --git a/compliance/github/toplevel_teams/README.md b/compliance/github/toplevel_teams/README.md
index a9e52b05f5..473f2e752d 100644
--- a/compliance/github/toplevel_teams/README.md
+++ b/compliance/github/toplevel_teams/README.md
@@ -32,4 +32,4 @@ The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automati
 ## Cost
-This Policy Template does not incur any cloud costs.
+This policy template does not incur any cloud costs.
diff --git a/compliance/google/long_stopped_instances/CHANGELOG.md b/compliance/google/long_stopped_instances/CHANGELOG.md
index af8e168f25..ff6edd9f2a 100644
--- a/compliance/google/long_stopped_instances/CHANGELOG.md
+++ b/compliance/google/long_stopped_instances/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
+## v4.0.1
+
+- Minor code improvements to conform with current standards. Functionality unchanged.
+
 ## v4.0
 - Added support for regex when filtering resources by label
diff --git a/compliance/google/long_stopped_instances/README.md b/compliance/google/long_stopped_instances/README.md
index fdd0317fa5..22ea9171a7 100644
--- a/compliance/google/long_stopped_instances/README.md
+++ b/compliance/google/long_stopped_instances/README.md
@@ -24,7 +24,7 @@ This policy finds Google virtual machines which have been stopped for more than
 Please note that the "*Automatic Actions*" parameter contains a list of action(s) that can be performed on the resources. When it is selected, the policy will automatically execute the corresponding action on the data that failed the checks, post incident generation. Please leave it blank for *manual* action. For example if a user selects the "Delete VM Instances" action while applying the policy, all the identified stopped instances will be terminated.
-## Actions
+## Policy Actions
 The following policy actions are taken on any resources found to be out of compliance.
@@ -33,34 +33,33 @@ The following policy actions are taken on any resources found to be out of compl
 ## Prerequisites
-This Policy Template requires that several APIs be enabled in your Google Cloud environment:
-
-- [Cloud Resource Manager API](https://console.cloud.google.com/flows/enableapi?apiid=cloudresourcemanager.googleapis.com)
-- [Compute Engine API](https://console.cloud.google.com/flows/enableapi?apiid=compute.googleapis.com)
-
 This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Automation/ManagingCredentialsExternal.htm) for authenticating to datasources -- in order to apply this policy you must have a Credential registered in the system that is compatible with this policy. If there are no Credentials listed when you apply the policy, please contact your Flexera Org Admin and ask them to register a Credential that is compatible with this policy. The information below should be consulted when creating the credential(s).
 - [**Google Cloud Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_4083446696_1121577) (*provider=gce*) which has the following:
- - Permissions
- - `resourcemanager.projects.get`
- - `monitoring.metricDescriptors.list`
- - `monitoring.timeSeries.list`
- - `compute.instances.list`
- - `compute.instances.get`
- - `compute.instances.stop`*
- - `compute.instances.delete`*
+ - `resourcemanager.projects.get`
+ - `monitoring.metricDescriptors.list`
+ - `monitoring.timeSeries.list`
+ - `compute.instances.list`
+ - `compute.instances.get`
+ - `compute.instances.stop`*
+ - `compute.instances.delete`*
-\* Only required for taking action; the policy will still function in a read-only capacity without these permissions.
+ \* Only required for taking action; the policy will still function in a read-only capacity without these permissions.
- [**Flexera Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) (*provider=flexera*) which has the following roles:
 - `billing_center_viewer`
 The [Provider-Specific Credentials](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm) page in the docs has detailed instructions for setting up Credentials for the most common providers.
+Additionally, this policy template requires that several APIs be enabled in your Google Cloud environment:
+
+- [Cloud Resource Manager API](https://console.cloud.google.com/flows/enableapi?apiid=cloudresourcemanager.googleapis.com)
+- [Compute Engine API](https://console.cloud.google.com/flows/enableapi?apiid=compute.googleapis.com)
+
 ## Supported Clouds
 - Google
 ## Cost
-This Policy Template does not incur any cloud costs.
+This policy template does not incur any cloud costs.
diff --git a/compliance/google/long_stopped_instances/google_long_stopped_instances.pt b/compliance/google/long_stopped_instances/google_long_stopped_instances.pt
index 0e538e77fc..c0d2a372c0 100644
--- a/compliance/google/long_stopped_instances/google_long_stopped_instances.pt
+++ b/compliance/google/long_stopped_instances/google_long_stopped_instances.pt
@@ -7,7 +7,7 @@ category "Compliance"
 severity "low"
 default_frequency "weekly"
 info(
- version: "4.0",
+ version: "4.0.1",
 provider: "Google",
 service: "Compute",
 policy_set: "Long Stopped Instances"
@@ -81,9 +81,9 @@ parameter "param_stopped_days" do
 category "Policy Settings"
 label "Stopped Days"
 description "The number of days a Google VM needs to be stopped to include it in the incident report."
- default 7
 min_value 1
 max_value 90
+ default 7
 end
 parameter "param_automatic_action" do
@@ -583,12 +583,24 @@ script "js_long_stopped_instances", type: "javascript" do
 // Add a dummy entry to ensure that the policy's check statement executes at least once
 result.push({
- resourceID: "", resourceName: "", description: "",
- status: "", selfLink: "", platform: "",
- machineType: "", kind: "", lookbackPeriod: "",
- accountID: "", accountName: "", projectNumber: "",
- zone: "", region: "", policy_name: "",
- tags: "", service: "", recommendationDetails: "",
+ resourceID: "",
+ resourceName: "",
+ description: "",
+ status: "",
+ selfLink: "",
+ platform: "",
+ machineType: "",
+ kind: "",
+ lookbackPeriod: "",
+ accountID: "",
+ accountName: "",
+ projectNumber: "",
+ zone: "",
+ region: "",
+ policy_name: "",
+ tags: "",
+ service: "",
+ recommendationDetails: "",
 message: ""
 })
@@ -689,7 +701,7 @@ define delete_instances($data) return $all_responses do
 end
 if inspect($$errors) != "null"
- raise join($$errors,"\n")
+ raise join($$errors, "\n")
 end
 end
@@ -737,7 +749,7 @@ datasource "ds_get_policy" do
 auth $auth_flexera
 host rs_governance_host
 ignore_status [404]
- path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", switch(ne(meta_parent_policy_id,""), meta_parent_policy_id, policy_id) ])
+ path join(["/api/governance/projects/", rs_project_id, "/applied_policies/", switch(ne(meta_parent_policy_id, ""), meta_parent_policy_id, policy_id)])
 header "Api-Version", "1.0"
 end
 result do
diff --git a/compliance/google/long_stopped_instances/google_long_stopped_instances_meta_parent.pt b/compliance/google/long_stopped_instances/google_long_stopped_instances_meta_parent.pt
index d19dd25e01..8bc485492f 100644
--- a/compliance/google/long_stopped_instances/google_long_stopped_instances_meta_parent.pt
+++ b/compliance/google/long_stopped_instances/google_long_stopped_instances_meta_parent.pt
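Review bot: The placeholder record pushed in `js_long_stopped_instances` has `resourceID: ""` and every other field empty, and the comment above it explains only why the entry exists, not how it is kept out of the incident and out of the stop/delete actions; presumably the policy's check statement (outside this hunk) treats an empty `resourceID` as compliant, but that coupling is invisible here and a later change to the check could let the placeholder be reported or acted on. Extend the comment so the contract is explicit, e.g. `// Add a dummy entry to ensure that the policy's check statement executes at least once; the check must treat an empty resourceID as compliant so this placeholder never reaches the incident or the automatic actions`. `js_long_stopped_instances` starts before the hunk and its check statement lies outside it.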
@@ -7,7 +7,7 @@ category "Meta"
 default_frequency "15 minutes"
 info(
 provider: "Google",
- version: "4.0", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
+ version: "4.0.1", # This version of the Meta Parent Policy Template should match the version of the Child Policy Template as it appears in the Catalog for best reliability
 publish: "true",
 deprecated: "false"
 )
@@ -107,9 +107,9 @@ parameter "param_stopped_days" do
 category "Policy Settings"
 label "Stopped Days"
 description "The number of days a Google VM needs to be stopped to include it in the incident report."
- default 7
 min_value 1
 max_value 90
+ default 7
 end
 parameter "param_automatic_action" do
diff --git a/compliance/google/unlabeled_resources/README.md b/compliance/google/unlabeled_resources/README.md
index 4b0d370800..9e59945c13 100644
--- a/compliance/google/unlabeled_resources/README.md
+++ b/compliance/google/unlabeled_resources/README.md
@@ -75,4 +75,4 @@ Additionally, this Policy Template requires that several APIs be enabled in your
 ## Cost
-This Policy Template does not launch any instances, and so does not incur any cloud costs.
+This policy template does not incur any cloud costs.
diff --git a/data/policy_permissions_list/master_policy_permissions_list.json b/data/policy_permissions_list/master_policy_permissions_list.json
index babc127efd..95f07fd7db 100644
--- a/data/policy_permissions_list/master_policy_permissions_list.json
+++ b/data/policy_permissions_list/master_policy_permissions_list.json
@@ -324,7 +324,7 @@
 {
 "id": "./compliance/aws/disallowed_regions/aws_disallowed_regions.pt",
 "name": "AWS Disallowed Regions",
- "version": "5.0",
+ "version": "5.0.1",
 "providers": [
 {
 "name": "aws",
@@ -373,7 +373,7 @@
 {
 "id": "./compliance/aws/ecs_unused/aws_unused_ecs_clusters.pt",
 "name": "AWS Unused ECS Clusters",
- "version": "4.0.0",
+ "version": "4.0.1",
 "providers": [
 {
 "name": "aws",
@@ -421,7 +421,7 @@
 {
 "id": "./compliance/aws/iam_role_audit/aws_iam_role_audit.pt",
 "name": "AWS IAM Role Audit",
- "version": "3.0.1",
+ "version": "3.0.2",
 "providers": [
 {
 "name": "aws",
@@ -458,7 +458,7 @@
 {
 "id": "./compliance/aws/instances_without_fnm_agent/aws_instances_not_running_flexnet_inventory_agent.pt",
 "name": "AWS EC2 Instances not running FlexNet Inventory Agent",
- "version": "4.3.1",
+ "version": "4.3.2",
 "providers": [
 {
 "name": "aws",
@@ -474,23 +474,13 @@
 "required": true
 }
 ]
- },
- {
- "name": "flexera",
- "permissions": [
- {
- "name": "Web Service",
- "read_only": true,
- "required": true
- }
- ]
 }
 ]
 },
 {
 "id": "./compliance/aws/long_stopped_instances/aws_long_stopped_instances.pt",
 "name": "AWS Long Stopped EC2 Instances",
- "version": "6.0",
+ "version": "6.0.1",
 "providers": [
 {
 "name": "aws",
@@ -554,7 +544,7 @@
 {
 "id": "./compliance/aws/missing_scps/aws_missing_scps.pt",
 "name": "AWS Accounts Missing Service Control Policies",
- "version": "3.0.0",
+ "version": "3.0.1",
 "providers": [
 {
 "name": "aws",
@@ -591,7 +581,7 @@
 {
 "id": "./compliance/aws/rds_backup/aws_rds_backup.pt",
 "name": "AWS RDS Instances With Unapproved Backup Settings",
- "version": "3.0.0",
+ "version": "3.0.1",
 "providers": [
 {
 "name": "aws",
@@ -633,7 +623,7 @@
 {
 "id": "./compliance/aws/untagged_resources/aws_untagged_resources.pt",
 "name": "AWS Untagged Resources",
- "version": "5.3.0",
+ "version": "5.3.1",
 "providers": [
 {
 "name": "aws",
@@ -709,7 +699,7 @@
 {
 "id": "./compliance/azure/ahub_manual/azure_ahub_utilization_with_manual_entry.pt",
 "name": "Azure AHUB Utilization with Manual Entry",
- "version": "4.0",
+ "version": "4.0.1",
 "providers": [
 {
 "name": "azure_rm",
@@ -741,7 +731,7 @@
 {
 "id": "./compliance/azure/azure_disallowed_regions/azure_disallowed_regions.pt",
 "name": "Azure Disallowed Regions",
- "version": "4.1",
+ "version": "4.1.1",
 "providers": [
 {
 "name": "azure_rm",
@@ -774,7 +764,7 @@
 {
 "id": "./compliance/azure/azure_long_stopped_instances/long_stopped_instances_azure.pt",
 "name": "Azure Long Stopped Compute Instances",
- "version": "5.0",
+ "version": "5.0.1",
 "providers": [
 {
 "name": "azure_rm",
@@ -877,7 +867,7 @@
 {
 "id": "./compliance/azure/azure_untagged_vms/untagged_vms.pt",
 "name": "Azure Untagged Virtual Machines",
- "version": "1.1",
+ "version": "1.1.1",
 "providers": [
 {
 "name": "azure_rm",
@@ -948,23 +938,13 @@
 "required": true
 }
 ]
- },
- {
- "name": "flexera",
- "permissions": [
- {
- "name": "Web Service",
- "read_only": true,
- "required": true
- }
- ]
 }
 ]
 },
 {
 "id": "./compliance/flexera/cco/billing_center_access_report/bc_access_report.pt",
 "name": "Billing Center Access Report",
- "version": "3.1",
+ "version": "3.1.1",
 "providers": [
 {
 "name": "flexera",
@@ -1037,7 +1017,7 @@
 {
 "id": "./compliance/flexera/fnms/overused_licenses/overused_licenses.pt",
 "name": "ITAM Overused Licenses",
- "version": "2.4",
+ "version": "2.4.1",
 "providers": [
 {
 "name": "flexera",
@@ -1088,7 +1068,7 @@
 {
 "id": "./compliance/flexera/msp/orgs_and_cloud_accounts_report/orgs_and_cloud_accounts_report.pt",
 "name": "Orgs and Clouds Vendor Accounts",
- "version": "1.6",
+ "version": "2.0.0",
 "providers": [
 {
 "name": "flexera",
@@ -1294,7 +1274,7 @@
 {
 "id": "./compliance/google/long_stopped_instances/google_long_stopped_instances.pt",
 "name": "Google Long Stopped VM Instances",
- "version": "4.0",
+ "version": "4.0.1",
 "providers": [
 {
 "name": "gce",
diff --git a/data/policy_permissions_list/master_policy_permissions_list.yaml b/data/policy_permissions_list/master_policy_permissions_list.yaml
index 315b9c4fe4..273ee124ab 100644
--- a/data/policy_permissions_list/master_policy_permissions_list.yaml
+++ b/data/policy_permissions_list/master_policy_permissions_list.yaml
@@ -178,7 +178,7 @@
 required: true
 - id: "./compliance/aws/disallowed_regions/aws_disallowed_regions.pt"
 name: AWS Disallowed Regions
- version: '5.0'
+ version: 5.0.1
 :providers:
 - :name: aws
 :permissions:
@@ -208,7 +208,7 @@
 required: true
 - id: "./compliance/aws/ecs_unused/aws_unused_ecs_clusters.pt"
 name: AWS Unused ECS Clusters
- version: 4.0.0
+ version: 4.0.1
 :providers:
 - :name: aws
 :permissions:
@@ -236,7 +236,7 @@
 required: true
 - id: "./compliance/aws/iam_role_audit/aws_iam_role_audit.pt"
 name: AWS IAM Role Audit
- version: 3.0.1
+ version: 3.0.2
 :providers:
 - :name: aws
 :permissions:
@@ -256,7 +256,7 @@
 required: true
 - id: "./compliance/aws/instances_without_fnm_agent/aws_instances_not_running_flexnet_inventory_agent.pt"
 name: AWS EC2 Instances not running FlexNet Inventory Agent
- version: 4.3.1
+ version: 4.3.2
 :providers:
 - :name: aws
 :permissions:
@@ -266,14 +266,9 @@
 - name: ec2:DescribeInstances
 read_only: true
 required: true
- - :name: flexera
- :permissions:
- - name: Web Service
- read_only: true
- required: true
 - id: "./compliance/aws/long_stopped_instances/aws_long_stopped_instances.pt"
 name: AWS Long Stopped EC2 Instances
- version: '6.0'
+ version: 6.0.1
 :providers:
 - :name: aws
 :permissions:
@@ -312,7 +307,7 @@
 required: true
 - id: "./compliance/aws/missing_scps/aws_missing_scps.pt"
 name: AWS Accounts Missing Service Control Policies
- version: 3.0.0
+ version: 3.0.1
 :providers:
 - :name: aws
 :permissions:
@@ -332,7 +327,7 @@
 required: true
 - id: "./compliance/aws/rds_backup/aws_rds_backup.pt"
 name: AWS RDS Instances With Unapproved Backup Settings
- version: 3.0.0
+ version: 3.0.1
 :providers:
 - :name: aws
 :permissions:
@@ -355,7 +350,7 @@
 required: true
 - id: "./compliance/aws/untagged_resources/aws_untagged_resources.pt"
 name: AWS Untagged Resources
- version: 5.3.0
+ version: 5.3.1
 :providers:
 - :name: aws
 :permissions:
@@ -399,7 +394,7 @@
 required: true
 - id: "./compliance/azure/ahub_manual/azure_ahub_utilization_with_manual_entry.pt"
 name: Azure AHUB Utilization with Manual Entry
- version: '4.0'
+ version: 4.0.1
 :providers:
 - :name: azure_rm
 :permissions:
@@ -416,7 +411,7 @@
 required: true
 - id: "./compliance/azure/azure_disallowed_regions/azure_disallowed_regions.pt"
 name: Azure Disallowed Regions
- version: '4.1'
+ version: 4.1.1
 :providers:
 - :name: azure_rm
 :permissions:
@@ -435,7 +430,7 @@
 required: true
 - id: "./compliance/azure/azure_long_stopped_instances/long_stopped_instances_azure.pt"
 name: Azure Long Stopped Compute Instances
- version: '5.0'
+ version: 5.0.1
 :providers:
 - :name: azure_rm
 :permissions:
@@ -493,7 +488,7 @@
 required: true
 - id: "./compliance/azure/azure_untagged_vms/untagged_vms.pt"
 name: Azure Untagged Virtual Machines
- version: '1.1'
+ version: 1.1.1
 :providers:
 - :name: azure_rm
 :permissions:
@@ -533,14 +528,9 @@
 - name: Microsoft.Compute/virtualMachines/read
 read_only: true
 required: true
- - :name: flexera
- :permissions:
- - name: Web Service
- read_only: true
- required: true
 - id: "./compliance/flexera/cco/billing_center_access_report/bc_access_report.pt"
 name: Billing Center Access Report
- version: '3.1'
+ version: 3.1.1
 :providers:
 - :name: flexera
 :permissions:
@@ -579,7 +569,7 @@
 required: true
 - id: "./compliance/flexera/fnms/overused_licenses/overused_licenses.pt"
 name: ITAM Overused Licenses
- version: '2.4'
+ version: 2.4.1
 :providers:
 - :name: flexera
 :permissions:
@@ -606,7 +596,7 @@
 required: true
 - id: "./compliance/flexera/msp/orgs_and_cloud_accounts_report/orgs_and_cloud_accounts_report.pt"
 name: Orgs and Clouds Vendor Accounts
- version: '1.6'
+ version: 2.0.0
 :providers:
 - :name: flexera
 :permissions:
@@ -713,7 +703,7 @@
 required: true
 - id: "./compliance/google/long_stopped_instances/google_long_stopped_instances.pt"
 name: Google Long Stopped VM Instances
- version: '4.0'
+ version: 4.0.1
 :providers:
 - :name: gce
 :permissions: