This repository has been archived by the owner on Jun 8, 2023. It is now read-only.

Policy to stop a VM #66

Open
diegosucaria opened this issue Feb 11, 2021 · 2 comments

Comments

@diegosucaria

Hello, we want to create a policy that stops VMs (we are using real-time-enforcer).

We are facing issues finding the proper way of doing it...

On the remediate steps section of the rego policy, we specify the params needed by the GcpComputeInstance class, and an empty body as it is stated on the stop API: https://cloud.google.com/compute/docs/reference/rest/v1/instances/stop

But, looking at the code, I think that the call is going to the parent endpoint, not with "stop".

How can we easily do this? Is there a way we can "hardcode" the API endpoint in the rego policy, so RPE can use it?

@jceresini
Contributor

Remediation spec v2 allows you to call methods generated by the python discovery-based client. You're limited to methods on that same "resource" (resource here being the python client's understanding, not rpelibs), but your use case should be possible. The best way to figure out the syntax for the remediation step is the google-api-python-client documentation located here: https://github.com/googleapis/google-api-python-client/blob/master/docs/dyn/index.md

For methods available on compute instances, the document you want is here: https://googleapis.github.io/google-api-python-client/docs/dyn/compute_v1.instances.html

The stop method takes these arguments according to the documentation:

  • project: string, Project ID for this request. (required)
  • zone: string, The name of the zone for this request. (required)
  • instance: string, Name of the instance resource to stop. (required)
  • requestId: string, An optional request ID to identify requests.

You would need to set the remediation method to stop, and build the rest of those fields from the input we have. We can pull this information from the selfLink returned by the API. There's a utility function to help with that as well.

Without testing it, I think this is what you want:

# Somewhere in the policy, import this utility package
import data.rpe.gcp.util as gcputil


# Note: the input.resource.selfLink should look something like this:
# `projects/some-project-id/zones/some-zone-name/instances/my-instance-name`

# The function `resource_from_collection_path` takes a forward-slash delimited
# string, and a collection name. It returns the piece after that collection name.

# Each entry in "steps" is an object; the selfLink is read from `input.resource`,
# since a bare `resource` variable is undefined in the policy.
remediate = {
    "_remediation_spec": "v2",
    "steps": [
        {
            "method": "stop",
            "params": {
                "project": gcputil.resource_from_collection_path(input.resource.selfLink, "projects"),
                "zone": gcputil.resource_from_collection_path(input.resource.selfLink, "zones"),
                "instance": input.resource.name
            }
        }
    ]
}
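The parsing and dispatch that the comment above describes, as an added Python example that is not part of this thread and not code from the real-time-enforcer project. The `resource_from_collection_path` function here is a stand-in written to match the behaviour the comment attributes to the rpe helper of the same name (the project's actual implementation is not shown on this page), the sample selfLink and the `input.resource`-shaped dict are constructed, and `_RecordingInstances` is a constructed stand-in for `compute.instances()` so the block runs offline.

```python
from urllib.parse import urlparse

# Constructed sample: the full-URL form of an instance selfLink as returned by the
# Compute API. The relative form "projects/.../zones/.../instances/..." is also accepted.
SAMPLE_SELF_LINK = (
    "https://www.googleapis.com/compute/v1/projects/example-project"
    "/zones/us-central1-a/instances/web-01"
)


def resource_from_collection_path(path: str, collection: str) -> str:
    """Return the path segment that follows `collection` in a slash-delimited path.

    Stand-in for the rpe gcputil helper mentioned in the thread (assumed behaviour,
    not the project's code). Accepts a full https selfLink or a relative resource path.
    """
    if "://" in path:
        path = urlparse(path).path  # drop scheme/host, keep "/compute/v1/projects/..."
    segments = [s for s in path.split("/") if s]
    for i, segment in enumerate(segments[:-1]):
        if segment == collection:
            return segments[i + 1]
    raise ValueError(f"collection {collection!r} not found in {path!r}")


def build_stop_remediation(resource: dict) -> dict:
    """Build the v2 remediation spec from an object shaped like `input.resource`.

    `resource` must carry at least `selfLink` and `name`, the two fields the
    Rego snippet in the thread reads.
    """
    self_link = resource["selfLink"]
    params = {
        "project": resource_from_collection_path(self_link, "projects"),
        "zone": resource_from_collection_path(self_link, "zones"),
        "instance": resource["name"],
    }
    # Defensive check: the instance named in the selfLink must be the instance we
    # are about to stop, so a mismatched input cannot stop a different VM.
    if resource_from_collection_path(self_link, "instances") != params["instance"]:
        raise ValueError("resource name does not match the selfLink")
    return {"_remediation_spec": "v2", "steps": [{"method": "stop", "params": params}]}


def dispatch_steps(instances_resource, spec: dict) -> list:
    """Invoke each step's method on the client resource, the way the comment
    describes spec v2: the method name is looked up on the same resource object.

    `instances_resource` is whatever `compute.instances()` returns; its methods
    build (but do not execute) API requests.
    """
    if spec.get("_remediation_spec") != "v2":
        raise ValueError("only v2 remediation specs are handled here")
    results = []
    for step in spec["steps"]:
        method = getattr(instances_resource, step["method"])
        results.append(method(**step["params"]))
    return results


class _RecordingInstances:
    """Constructed stand-in for compute.instances(): records the stop() call
    instead of building a real HTTP request."""

    def __init__(self):
        self.calls = []

    def stop(self, **kwargs):
        self.calls.append(("stop", kwargs))
        return kwargs


if __name__ == "__main__":
    spec = build_stop_remediation({"selfLink": SAMPLE_SELF_LINK, "name": "web-01"})
    recorder = _RecordingInstances()
    dispatch_steps(recorder, spec)
    print(recorder.calls)
```

Against a real client the recorder is replaced by `compute.instances()` and each returned request object is executed by the enforcer; keeping the parameter extraction and the method dispatch in separate functions lets the selfLink parsing be unit-tested without any Google credentials.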

@diegosucaria
Author

Yes! You're right! That did work, in fact!
I figured that out after doing some tests earlier today. Thanks for giving us the whole "why" background.
Thanks!!
