POLICIES.md

File metadata and controls

89 lines (78 loc) · 4.91 KB

This tool supports the following policies:

AWS Policies

  • instance_idle: Monitor idle instances based on the instance metrics for the last 7 days.
    • CPU Percent < 2%
    • Network < 5KiB
  • instance_run: List the running EC2 instances.
  • unattached_volume: Identify and remove the available (unattached) EBS volumes.
  • zombie_cluster_resource: Identify non-live cluster resources and delete them, resolving dependencies between them. More than 20 cluster resource types are deleted:
    • EBS, Snapshots, AMI, Load Balancer
    • VPC, Subnets, Route tables, DHCP, Internet Gateway, NAT Gateway, Network Interface, Elastic IP, Network ACL, Security Group, VPC Endpoint
    • S3
    • IAM User, IAM Role
  • ip_unattached: Identify the unattached public IPv4 addresses.
  • zombie_snapshots: Identify snapshots that are no longer referenced by any AMI.
  • unused_nat_gateway: Identify unused NAT Gateways by monitoring their active connection count.
  • s3_inactive: Identify empty S3 buckets, which cause resource quota issues.
  • empty_roles: Identify IAM roles that have no policies attached to them.
  • ebs_in_use: List the in-use EBS volumes.
  • tag_resources: Update cluster and non-cluster resource tags, taken from the user tags or from the mandatory tags.
  • tag_non_cluster: Tag EC2 resources (instance, volume, AMI, snapshot) by instance name.
  • tag_iam_user: Update IAM user tags from a CSV file.
  • cost_explorer: Fetch data from Cost Explorer and upload it to Elasticsearch.
  • gitleaks: Scan a GitHub repository for leaked secrets with gitleaks (security scan).
  • cost_over_usage: Send mail to the AWS user if their usage cost is over the limit.
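
The instance_idle policy above is defined by two thresholds over a 7-day window. The following is an added example, not the cloud-governance project's own code, showing how such a check is evaluated against CloudWatch-shaped datapoints; the datapoints are constructed here in the dict shape `get_metric_statistics()` returns, and since the page does not say how network in/out is combined, a single daily byte `Sum` per instance is assumed. It also covers two edge cases a cleanup policy must get right: instances with no metrics at all, and instances younger than the window.

```python
"""Idle-instance check in the shape of the instance_idle policy:
CPU Percent < 2% and Network < 5 KiB across the last 7 days.

Added example, not the cloud-governance project's own code. Datapoints are
constructed in the dict shape CloudWatch returns from get_metric_statistics();
a single daily byte 'Sum' for network traffic is an assumption.
"""
from datetime import datetime, timedelta, timezone

CPU_PERCENT_THRESHOLD = 2.0         # policy: CPU Percent < 2%
NETWORK_BYTES_THRESHOLD = 5 * 1024  # policy: Network < 5KiB
LOOKBACK_DAYS = 7                   # policy: last 7 days


def daily_datapoints(values, statistic):
    """Constructed CloudWatch-style datapoints, one per day, newest last."""
    end = datetime.now(timezone.utc)
    return [
        {"Timestamp": end - timedelta(days=len(values) - i), statistic: value}
        for i, value in enumerate(values)
    ]


def _peak(datapoints, statistic):
    """Largest value of `statistic` in the window, or None if nothing was reported."""
    values = [dp[statistic] for dp in datapoints if statistic in dp]
    return max(values) if values else None


def is_idle(cpu_datapoints, network_datapoints):
    """True only when every day of the window is below both thresholds.

    Missing or incomplete metrics are treated as 'not idle': an instance with
    no datapoints is more likely stopped or mis-queried than genuinely idle,
    and an instance launched this week has not yet earned a 7-day verdict.
    """
    cpu_peak = _peak(cpu_datapoints, "Average")
    net_peak = _peak(network_datapoints, "Sum")
    if cpu_peak is None or net_peak is None:
        return False
    if len(cpu_datapoints) < LOOKBACK_DAYS or len(network_datapoints) < LOOKBACK_DAYS:
        return False  # window incomplete
    return cpu_peak < CPU_PERCENT_THRESHOLD and net_peak < NETWORK_BYTES_THRESHOLD


# Constructed sample: an idle instance, one with a single busy day,
# one launched two days ago, and one with no metrics at all.
SAMPLE_INSTANCES = {
    "i-idle": (daily_datapoints([0.4, 0.5, 0.3, 0.6, 0.4, 0.5, 0.3], "Average"),
               daily_datapoints([900, 1200, 800, 1500, 1100, 700, 950], "Sum")),
    "i-busy-once": (daily_datapoints([0.4, 0.5, 35.0, 0.6, 0.4, 0.5, 0.3], "Average"),
                    daily_datapoints([900, 1200, 2_000_000, 1500, 1100, 700, 950], "Sum")),
    "i-new": (daily_datapoints([0.2, 0.3], "Average"),
              daily_datapoints([400, 500], "Sum")),
    "i-no-metrics": ([], []),
}


def find_idle_instances(instances):
    """Sorted ids of the instances the policy would report as idle."""
    return sorted(i for i, (cpu, net) in instances.items() if is_idle(cpu, net))


if __name__ == "__main__":
    print(find_idle_instances(SAMPLE_INSTANCES))  # ['i-idle']
```

The "single busy day" case is why the check uses the peak rather than the 7-day mean: a brief batch job on an otherwise quiet instance is enough evidence that it is still in use.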

Azure policies

  • instance_idle: Monitor idle instances based on the instance metrics.
    • CPU Percent < 2%
    • Network < 5KiB
  • unattached_volume: Identify and remove the available (unattached) disks.
  • ip_unattached: Identify the unattached public IPv4 addresses.
  • unused_nat_gateway: Identify unused NAT Gateways by monitoring their active connection count.

IBM policies

  • resource_instances
  • virtual_servers
  • schematics_workspaces
  • classic_baremetals
  • classic_virtual_machines

Environment variables required:

| KeyName | Value | Description |
| --- | --- | --- |
| IBM_CUSTOM_TAGS_LIST | string | Comma-separated list of tags, e.g. `"cost-center: test, env: test"` |
| RESOURCE_TO_TAG (optional) | string | Name of the resource type to tag, e.g. `virtual_servers` |
| IBM_CLOUD_API_KEY | string | IBM Cloud API key |
| IBM_API_KEY | string | IBM Classic infrastructure key (SoftLayer) |
| IBM_API_USERNAME | string | IBM API username (SoftLayer) |
| IBM_ACCOUNT_ID | string | IBM account id |
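
Before a tagging run touches any resource, it is worth checking that every required variable is set and that IBM_CUSTOM_TAGS_LIST parses cleanly. The following is an added example, not cloud-governance's own code: the variable names are the ones in the table, while the parsing rules (comma-separated `key: value` entries, surrounding whitespace ignored, trailing comma tolerated) are an assumption based on the documented example string.

```python
"""Check the environment an IBM tag_resources run needs and parse
IBM_CUSTOM_TAGS_LIST into key/value pairs before anything is tagged.

Added example, not cloud-governance's own code. Variable names come from
the documented table; the parsing rules are assumed from the example
"cost-center: test, env: test".
"""
import os

REQUIRED_IBM_VARS = (
    "IBM_CLOUD_API_KEY",
    "IBM_API_KEY",
    "IBM_API_USERNAME",
    "IBM_ACCOUNT_ID",
    "IBM_CUSTOM_TAGS_LIST",
)


def parse_tag_list(raw):
    """'cost-center: test, env: test' -> {'cost-center': 'test', 'env': 'test'}.

    An entry without a colon or with an empty key raises ValueError, so a
    malformed list fails here rather than after resources were half-tagged.
    """
    tags = {}
    for entry in raw.split(","):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing comma
        key, sep, value = entry.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            raise ValueError(f"malformed tag entry: {entry!r}")
        tags[key] = value
    return tags


def missing_vars(env):
    """Required variable names that are unset or empty in `env`."""
    return [name for name in REQUIRED_IBM_VARS if not env.get(name)]


def check_environment(env):
    """Return (missing_names, tags); tags stays empty until all names are present."""
    missing = missing_vars(env)
    if missing:
        return missing, {}
    return [], parse_tag_list(env["IBM_CUSTOM_TAGS_LIST"])


# Constructed environment with placeholder credentials, not real values.
SAMPLE_ENV = {
    "IBM_CLOUD_API_KEY": "placeholder-cloud-api-key",
    "IBM_API_KEY": "placeholder-classic-key",
    "IBM_API_USERNAME": "placeholder-user",
    "IBM_ACCOUNT_ID": "placeholder-account",
    "IBM_CUSTOM_TAGS_LIST": "cost-center:675, env:test",
}

if __name__ == "__main__":
    print(check_environment(SAMPLE_ENV))   # ([], {'cost-center': '675', 'env': 'test'})
    print(check_environment(os.environ))   # the real shell environment
```

Passing the environment in as a mapping (rather than reading `os.environ` inside the functions) keeps the check testable and lets the same code validate a `podman run -e ...` invocation before it is executed.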
```bash
# Run tag_resources policy in IBM Cloud
podman run --rm --name cloud-governance \
  -e PUBLIC_CLOUD_NAME="IBM" \
  -e policy="tag_resources" \
  -e account="${ACCOUNT_NAME}" \
  -e IBM_CLOUD_API_KEY="${IBM_CLOUD_API_KEY}" \
  -e IBM_CUSTOM_TAGS_LIST="cost-center:675, env:test" \
  -e IBM_ACCOUNT_ID="${IBM_ACCOUNT_ID}" \
  -e IBM_API_USERNAME="${IBM_API_USERNAME}" \
  -e IBM_API_KEY="${IBM_API_KEY}" \
  quay.io/cloud-governance/cloud-governance:latest
```