AWS Tag compliance Codebundle

codebundles/aws-c7n-acm-health/.test/terraform/main.tf

@@ -0,0 +1,23 @@
+# Create ACM Certificate
+resource "aws_acm_certificate" "cert" {
+  domain_name       = var.domain_name
+  validation_method = "DNS"
+
+  tags = {
+    Environment = "development"
+    Name        = "${var.domain_name}-certificate"
+  }
+
+  # Add www subdomain as subject alternative name
+  subject_alternative_names = ["www.${var.domain_name}"]
+}
+
+# Output the certificate ARN
+output "certificate_arn" {
+  value = aws_acm_certificate.cert.arn
+}
+
+# Output the DNS validation records
+output "validation_records" {
+  value = aws_acm_certificate.cert.domain_validation_options
+}

codebundles/aws-c7n-acm-health/.test/terraform/variables.tf

@@ -0,0 +1,5 @@
+variable "domain_name" {
+  description = "The domain name for the ACM certificate"
+  type        = string
+  default     = "exampl.com"
+}

codebundles/aws-c7n-tag-compliance/.runwhen/generation-rules/aws-c7n-tag-compliance.yaml

@@ -0,0 +1,22 @@
+apiVersion: runwhen.com/v1
+kind: GenerationRules
+spec:
+  platform: aws
+  generationRules:
+    - resourceTypes:
+        - aws_ec2_security_groups
+      matchRules:
+        - type: pattern
+          pattern: ".+"
+          properties: [name]
+          mode: substring
+      slxs:
+        - baseName: aws-c7n-tag-compliance
+          qualifiers: ["account_id"]
+          baseTemplateName: aws-c7n-tag-compliance
+          levelOfDetail: basic
+          outputItems:
+            - type: slx
+            - type: sli
+            - type: runbook
+              templateName: aws-c7n-tag-compliance-taskset.yaml

codebundles/aws-c7n-tag-compliance/.runwhen/templates/aws-c7n-tag-compliance-sli.yaml

@@ -0,0 +1,51 @@
+apiVersion: runwhen.com/v1
+kind: ServiceLevelIndicator
+metadata:
+  name: {{slx_name}}
+  labels:
+    {% include "common-labels.yaml" %}
+  annotations:
+    {% include "common-annotations.yaml" %}
+spec:
+  displayUnitsLong: OK
+  displayUnitsShort: ok
+  locations:
+      - {{default_location}}
+  description: Checks for missing tags on AWS resources to ensure compliance with tag compliance in AWS account {{match_resource.resource.account_id}}
+  codeBundle:
+    {% if repo_url %}
+    repoUrl: {{repo_url}}
+    {% else %}
+    repoUrl: https://github.com/runwhen-contrib/rw-c7n-codecollection.git
+    {% endif %}
+    {% if ref %}
+    ref: {{ref}}
+    {% else %}
+    ref: main
+    {% endif %}
+    pathToRobot: codebundles/aws-c7n-tag-compliance/sli.robot
+  intervalStrategy: intermezzo
+  intervalSeconds: 600
+  configProvided:
+    - name: AWS_REGION
+      value: "{{match_resource.resource.region}}"
+    - name: AWS_ACCOUNT_ID
+      value: "{{match_resource.resource.account_id}}"
+  secretsProvided:
+    - name: AWS_ACCESS_KEY_ID
+      workspaceKey: {{custom.aws_access_key_id}}
+    - name: AWS_SECRET_ACCESS_KEY
+      workspaceKey: {{custom.aws_secret_access_key}}
+  alerts:
+    warning:
+      operator: '>'
+      threshold: '1'
+      for: '20m'
+    ticket:
+      operator: '>'
+      threshold: '1'
+      for: '40m'
+    page:
+      operator: '=='
+      threshold: '0'
+      for: '' 

codebundles/aws-c7n-tag-compliance/.runwhen/templates/aws-c7n-tag-compliance-slx.yaml

@@ -0,0 +1,21 @@
+apiVersion: runwhen.com/v1
+kind: ServiceLevelX
+metadata:
+  name: {{slx_name}}
+  labels:
+    {% include "common-labels.yaml" %}
+  annotations:
+    {% include "common-annotations.yaml" %}
+spec:
+  imageURL: https://storage.googleapis.com/runwhen-nonprod-shared-images/icons/tag.svg
+  alias: Tagging Compliance Check for AWS account {{match_resource.resource.account_id}}
+  asMeasuredBy: The number of AWS resources missing required tags in AWS account {{match_resource.resource.account_id}}
+  configProvided:
+  - name: SLX_PLACEHOLDER
+    value: SLX_PLACEHOLDER
+  owners:
+  - {{workspace.owner_email}}
+  statement: The total count of AWS resources missing required tags in AWS account {{match_resource.resource.account_id}}
+  additionalContext:
+    region: "{{match_resource.resource.region}}"
+    account_id: "{{match_resource.resource.account_id}}"

codebundles/aws-c7n-tag-compliance/.runwhen/templates/aws-c7n-tag-compliance-taskset.yaml

@@ -0,0 +1,33 @@
+apiVersion: runwhen.com/v1
+kind: Runbook
+metadata:
+  name: {{slx_name}}
+  labels:
+    {% include "common-labels.yaml" %}
+  annotations:
+    {% include "common-annotations.yaml" %}
+spec:
+  location: {{default_location}}
+  description: List Missing AWS Resource Tags in AWS account {{match_resource.resource.account_id}}
+  codeBundle:
+    {% if repo_url %}
+    repoUrl: {{repo_url}}
+    {% else %}
+    repoUrl: https://github.com/runwhen-contrib/rw-c7n-codecollection.git
+    {% endif %}
+    {% if ref %}
+    ref: {{ref}}
+    {% else %}
+    ref: main
+    {% endif %}
+    pathToRobot: codebundles/aws-c7n-tag-compliance/runbook.robot
+  configProvided:
+    - name: AWS_REGION
+      value: "{{match_resource.resource.region}}"
+    - name: AWS_ACCOUNT_ID
+      value: "{{match_resource.resource.account_id}}"
+  secretsProvided:
+    - name: AWS_ACCESS_KEY_ID
+      workspaceKey: {{custom.aws_access_key_id}}
+    - name: AWS_SECRET_ACCESS_KEY
+      workspaceKey: {{custom.aws_secret_access_key}}

codebundles/aws-c7n-tag-compliance/.test/README.md

@@ -0,0 +1,92 @@
+### How to test this codebundle? 
+
+#### IAM User Configuration
+
+We create two distinct AWS IAM users with carefully scoped access:
+
+**CloudCustodian IAM User**
+
+Purpose: Service Level Indicator (SLI) monitoring and runbook automation and configured with least privilege access principles
+
+with the following policy:
+
+```json
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"tag:GetResources",
+				"ec2:Describe*",
+				"s3:List*",
+				"s3:Get*",
+				"rds:Describe*",
+				"iam:List*",
+				"iam:Get*",
+				"vpc:Describe*"
+			],
+			"Resource": "*"
+		}
+	]
+}
+```
+Note: As we add more resources to `${AWS_RESOURCE_PROVIDERS}` in `sli.robot` and `runbook.robot`, we need to update this policy accordingly.
+
+**Infrastructure Deployment User**
+
+Purpose: Cloud infrastructure provisioning and management using Terraform
+
+#### Credential Setup
+
+Navigate to the `.test/terraform` directory and configure two secret files for authentication:
+
+`cb.secret` - CloudCustodian and RunWhen Credentials
+
+Create this file with the following environment variables:
+
+	```sh
+	export RW_PAT=""
+	export RW_WORKSPACE=""
+	export RW_API_URL="papi.beta.runwhen.com"
+
+	export AWS_DEFAULT_REGION="us-west-2"
+	export AWS_ACCESS_KEY_ID=""
+	export AWS_SECRET_ACCESS_KEY=""
+	export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
+	```
+
+
+`tf.secret` - Terraform Deployment Credentials
+
+Create this file with the following environment variables:
+
+	```sh
+	export AWS_DEFAULT_REGION=""
+	export AWS_ACCESS_KEY_ID=""
+	export AWS_SECRET_ACCESS_KEY=""
+	export AWS_SESSION_TOKEN="" # Optional: Include if using temporary credentials
+	```
+
+####  Testing Workflow
+
+1. Build Test Infrastructure:
+   - **Note**: By default, the test environment leverages existing AWS resources such as **VPCs** and **Security Groups** that are untagged. These resources are sufficient to test the codebundle's tagging compliance functionality.
+
+2. Generate RunWhen Configurations
+	```sh
+		tasks
+	```
+
+3. Upload generated SLx to RunWhen Platform
+
+	```sh
+		task upload-slxs
+	```
+
+4. At last, after testing, clean up the test infrastructure.
+
+```sh
+	task clean
+```
+