runwhen-contrib · saurabh3460 · Nov 20, 2024 · Nov 20, 2024 · Nov 20, 2024 · Nov 20, 2024
diff --git a/codebundles/aws-c7n-ec2-health/.runwhen/generation-rules/aws-c7n-ec2-health.yaml b/codebundles/aws-c7n-ec2-health/.runwhen/generation-rules/aws-c7n-ec2-health.yaml
@@ -0,0 +1,22 @@
+apiVersion: runwhen.com/v1
+kind: GenerationRules
+spec:
+  platform: aws
+  generationRules:
+    - resourceTypes:
+        - aws_ec2_instances
+      matchRules:
+        - type: pattern
+          pattern: ".+"
+          properties: [name]
+          mode: substring
+      slxs:
+        - baseName: aws-c7n-ec2-health
+          qualifiers: ["account_id", "region"]
+          baseTemplateName: aws-c7n-ec2-health
+          levelOfDetail: basic
+          outputItems:
+            - type: slx
+            - type: sli
+            - type: runbook
+              templateName: aws-c7n-ec2-health-taskset.yaml
diff --git a/codebundles/aws-c7n-ec2-health/.runwhen/templates/aws-c7n-ec2-health-sli.yaml b/codebundles/aws-c7n-ec2-health/.runwhen/templates/aws-c7n-ec2-health-sli.yaml
@@ -0,0 +1,51 @@
+apiVersion: runwhen.com/v1
+kind: ServiceLevelIndicator
+metadata:
+  name: {{slx_name}}
+  labels:
+    {% include "common-labels.yaml" %}
+  annotations:
+    {% include "common-annotations.yaml" %}
+spec:
+  displayUnitsLong: OK
+  displayUnitsShort: ok
+  locations:
+      - {{default_location}}
+  description: Measures securitiy and health of AWS EC2 Instnaces in this AWS region {{match_resource.resource.region}} and account {{match_resource.resource.account_id}}
+  codeBundle:
+    {% if repo_url %}
+    repoUrl: {{repo_url}}
+    {% else %}
+    repoUrl: https://github.com/runwhen-contrib/rw-c7n-codecollection.git
+    {% endif %}
+    {% if ref %}
+    ref: {{ref}}
+    {% else %}
+    ref: main
+    {% endif %}
+    pathToRobot: codebundles/aws-c7n-ec2-health/sli.robot
+  intervalStrategy: intermezzo
+  intervalSeconds: 600
+  configProvided:
+    - name: AWS_REGION
+      value: "{{match_resource.resource.region}}"
+    - name: AWS_ACCOUNT_ID
+      value: "{{match_resource.resource.account_id}}"
+  secretsProvided:
+    - name: AWS_ACCESS_KEY_ID
+      workspaceKey: {{custom.aws_access_key_id}}
+    - name: AWS_SECRET_ACCESS_KEY
+      workspaceKey: {{custom.aws_secret_access_key}}
+  alerts:
+    warning:
+      operator: <
+      threshold: '1'
+      for: '20m'
+    ticket:
+      operator: <
+      threshold: '1'
+      for: '40m'
+    page:
+      operator: '=='
+      threshold: '0'
+      for: ''
diff --git a/codebundles/aws-c7n-ec2-health/.runwhen/templates/aws-c7n-ec2-health-slx.yaml b/codebundles/aws-c7n-ec2-health/.runwhen/templates/aws-c7n-ec2-health-slx.yaml
@@ -0,0 +1,21 @@
+apiVersion: runwhen.com/v1
+kind: ServiceLevelX
+metadata:
+  name: {{slx_name}}
+  labels:
+    {% include "common-labels.yaml" %}
+  annotations:
+    {% include "common-annotations.yaml" %}
+spec:
+  imageURL: https://PLACEHOLDER
+  alias: AWS EC2 Health For Region {{match_resource.resource.region}} in Account {{match_resource.resource.account_id}}
+  asMeasuredBy: The number of unused and unpatched EC2 instances in region {{match_resource.resource.region}} and account {{match_resource.resource.account_id}}
+  configProvided:
+  - name: SLX_PLACEHOLDER
+    value: SLX_PLACEHOLDER
+  owners:
+  - {{workspace.owner_email}}
+  statement: Helps identify unused and unpatched EC2 instances in the region {{match_resource.resource.region}} for proactive resource cleanup and security.
+  additionalContext:
+    region: "{{match_resource.resource.region}}"
+    account_id: "{{match_resource.resource.account_id}}"
diff --git a/codebundles/aws-c7n-ec2-health/.runwhen/templates/aws-c7n-ec2-health-taskset.yaml b/codebundles/aws-c7n-ec2-health/.runwhen/templates/aws-c7n-ec2-health-taskset.yaml
@@ -0,0 +1,33 @@
+apiVersion: runwhen.com/v1
+kind: Runbook
+metadata:
+  name: {{slx_name}}
+  labels:
+    {% include "common-labels.yaml" %}
+  annotations:
+    {% include "common-annotations.yaml" %}
+spec:
+  location: {{default_location}}
+  description: Runs tasks to identify and triage unused and unpatched AWS EC2 Instances.
+  codeBundle:
+    {% if repo_url %}
+    repoUrl: {{repo_url}}
+    {% else %}
+    repoUrl: https://github.com/runwhen-contrib/rw-c7n-codecollection.git
+    {% endif %}
+    {% if ref %}
+    ref: {{ref}}
+    {% else %}
+    ref: main
+    {% endif %}
+    pathToRobot: codebundles/aws-c7n-ec2-health/runbook.robot
+  configProvided:
+    - name: AWS_REGION
+      value: "{{match_resource.resource.region}}"
+    - name: AWS_ACCOUNT_ID
+      value: "{{match_resource.resource.account_id}}"
+  secretsProvided:
+    - name: AWS_ACCESS_KEY_ID
+      workspaceKey: {{custom.aws_access_key_id}}
+    - name: AWS_SECRET_ACCESS_KEY
+      workspaceKey: {{custom.aws_secret_access_key}}
diff --git a/codebundles/aws-c7n-ec2-health/.test/README.md b/codebundles/aws-c7n-ec2-health/.test/README.md
@@ -0,0 +1,100 @@
+### How to test this codebundle? 
+
+#### IAM User Configuration
+
+We create two distinct AWS IAM users with carefully scoped access:
+
+**CloudCustodian IAM User**
+
+Purpose: Service Level Indicator (SLI) monitoring and runbook automation and configured with least privilege access principles
+
+With the following policy:
+
+```json
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Sid": "VisualEditor0",
+			"Effect": "Allow",
+			"Action": [
+				"tag:GetResources",
+				"ec2:DescribeInstances",
+				"ec2:DescribeTags",
+				"autoscaling:DescribeTags",
+				"autoscaling:DescribeLaunchConfigurations",
+				"ec2:DescribeRegions",
+				"ec2:DescribeSnapshots",
+				"ec2:DescribeVolumeAttribute",
+				"ec2:DescribeSecurityGroups",
+				"ec2:DescribeImages",
+				"ec2:DescribeVolumeStatus",
+				"autoscaling:DescribeAutoScalingGroups",
+				"ec2:DescribeVpcs",
+				"ec2:DescribeVolumes"
+			],
+			"Resource": "*"
+		}
+	]
+}
+```
+
+**Infrastructure Deployment User**
+
+Purpose: Cloud infrastructure provisioning and management using Terraform
+
+#### Credential Setup
+
+Navigate to the `.test/terraform` directory and configure two secret files for authentication:
+
+`cb.secret` - CloudCustodian and RunWhen Credentials
+
+Create this file with the following environment variables:
+
+	```sh
+	export RW_PAT=""
+	export RW_WORKSPACE=""
+	export RW_API_URL="papi.beta.runwhen.com"
+
+	export AWS_DEFAULT_REGION="us-west-2"
+	export AWS_ACCESS_KEY_ID=""
+	export AWS_SECRET_ACCESS_KEY=""
+	export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
+	```
+
+
+`tf.secret` - Terraform Deployment Credentials
+
+Create this file with the following environment variables:
+
+	```sh
+	export AWS_DEFAULT_REGION=""
+	export AWS_ACCESS_KEY_ID=""
+	export AWS_SECRET_ACCESS_KEY=""
+	export AWS_SESSION_TOKEN="" # Optional: Include if using temporary credentials
+	```
+
+####  Testing Workflow
+
+1. Build test infra:
+	```sh
+		task build-infra
+	```	
+
+2. Generate RunWhen Configurations
+	```sh
+		tasks
+	```
+
+3. Upload generated SLx to RunWhen Platform
+
+	```sh
+		task upload-slxs
+	```
+
+4. At last, after testing, clean up the test infrastructure.
+
+    ```sh
+        task clean
+    ```
+