diff --git a/policies/ecc-azure-448-vm_stopped_instance.yml b/policies/ecc-azure-448-vm_stopped_instance.yml
new file mode 100644
index 0000000..16c82ea
--- /dev/null
+++ b/policies/ecc-azure-448-vm_stopped_instance.yml
@@ -0,0 +1,29 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-azure-448-vm_stopped_instance
+ comment: '020002032000'
+ description: |
+ Stopped Azure VM instances are not removed after a specified time period
+ resource: azure.vm
+ filters:
+ - or:
+ - type: instance-view
+ key: statuses[].code
+ op: in
+ value_type: swap
+ value: PowerState/deallocated
+ - type: instance-view
+ key: statuses[].code
+ op: in
+ value_type: swap
+ value: PowerState/stopped
+ - type: instance-view
+ key: statuses[0].time
+ value_type: age
+ op: greater-than
+ value: 0.00000006
\ No newline at end of file
diff --git a/terraform/ecc-azure-448-vm_stopped_instance/green/provider.tf b/terraform/ecc-azure-448-vm_stopped_instance/green/provider.tf
new file mode 100644
index 0000000..f211cfd
--- /dev/null
+++ b/terraform/ecc-azure-448-vm_stopped_instance/green/provider.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~>4"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {}
+}
\ No newline at end of file
diff --git a/terraform/ecc-azure-448-vm_stopped_instance/green/random.tf b/terraform/ecc-azure-448-vm_stopped_instance/green/random.tf
new file mode 100644
index 0000000..b36bd53
--- /dev/null
+++ b/terraform/ecc-azure-448-vm_stopped_instance/green/random.tf
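Review bot: The third filter's `value: 0.00000006` with `value_type: age` is a threshold in days, so it is a few milliseconds and matches every stopped or deallocated VM as soon as it is observed, which does not match the description's "after a specified time period". If the near-zero threshold is deliberate for this fixture, say so next to it, e.g. `# age is in days; near-zero so any stopped VM is reported`, otherwise raise it to the period the rule is meant to enforce. Also, `statuses[0].time` indexes the first status entry, which in the instance view is typically the ProvisioningState entry rather than the PowerState one, so the timestamp compared may be the provisioning time and not when the VM stopped — worth confirming against a real instance-view payload.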
@@ -0,0 +1,12 @@
+resource "random_password" "this" {
+ length = 13
+ special = true
+ numeric = true
+ override_special = "_%@"
+}
+
+resource "random_string" "this" {
+ length = 8
+ numeric = false
+ special = false
+}
\ No newline at end of file
diff --git a/terraform/ecc-azure-448-vm_stopped_instance/green/resource_group.tf b/terraform/ecc-azure-448-vm_stopped_instance/green/resource_group.tf
new file mode 100644
index 0000000..2e0e263
--- /dev/null
+++ b/terraform/ecc-azure-448-vm_stopped_instance/green/resource_group.tf
@@ -0,0 +1,6 @@
+resource "azurerm_resource_group" "this" {
+ name = "${var.prefix}-rg-green"
+ location = var.location
+
+ tags = var.tags
+}
\ No newline at end of file
diff --git a/terraform/ecc-azure-448-vm_stopped_instance/green/terraform.tfvars b/terraform/ecc-azure-448-vm_stopped_instance/green/terraform.tfvars
new file mode 100644
index 0000000..fb0d9c7
--- /dev/null
+++ b/terraform/ecc-azure-448-vm_stopped_instance/green/terraform.tfvars
@@ -0,0 +1,8 @@
+prefix = "448"
+
+location = "eastus"
+
+tags = {
+ CustodianRule = "ecc-azure-448-vm_stopped_instance"
+ ComplianceStatus = "Green"
+}
diff --git a/terraform/ecc-azure-448-vm_stopped_instance/green/variables.tf b/terraform/ecc-azure-448-vm_stopped_instance/green/variables.tf
new file mode 100644
index 0000000..96b09ef
--- /dev/null
+++ b/terraform/ecc-azure-448-vm_stopped_instance/green/variables.tf
@@ -0,0 +1,11 @@
+variable "prefix" {
+ type = string
+}
+
+variable "location" {
+ type = string
+}
+
+variable "tags" {
+ type = map(string)
+}
\ No newline at end of file
diff --git a/terraform/ecc-azure-448-vm_stopped_instance/green/vm.tf b/terraform/ecc-azure-448-vm_stopped_instance/green/vm.tf
new file mode 100644
index 0000000..ecb4160
--- /dev/null
+++ b/terraform/ecc-azure-448-vm_stopped_instance/green/vm.tf
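Review bot: `random_password.this` enables `special` and `numeric` but sets no minimum counts, so a 13-character result can come out with no digit, no symbol or no upper-case letter, and the `admin_password` built from it in vm.tf may then be rejected by Azure's VM password complexity rule on some applies and accepted on others. Adding `min_lower`, `min_upper`, `min_numeric` and `min_special`, each set to `1`, makes the generated value satisfy the rule deterministically. Note that the generated password and username are stored in plain text in Terraform state, so the state backend for this fixture needs to be treated as sensitive.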
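Review bot: None of the three variables in variables.tf carries a `description`, so a reader of the fixture has to infer from vm.tf and vnet.tf that `prefix` is spliced into every resource name and that `tags` is applied to the resource group and VM. One line each is enough, e.g. `description = "Name prefix applied to every resource in this fixture"` on `prefix`, and similar lines for `location` and `tags`.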
@@ -0,0 +1,27 @@
+resource "azurerm_linux_virtual_machine" "linuxvm" {
+ name = "${var.prefix}linuxvmgreen"
+ resource_group_name = azurerm_resource_group.this.name
+ location = azurerm_resource_group.this.location
+ size = "Standard_B1ms"
+ disable_password_authentication = false
+ admin_username = random_string.this.result
+ admin_password = random_password.this.result
+
+ network_interface_ids = [
+ azurerm_network_interface.nif1.id,
+ ]
+
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ }
+
+ source_image_reference {
+ publisher = "Canonical"
+ offer = "UbuntuServer"
+ sku = "16.04-LTS"
+ version = "latest"
+ }
+
+ tags = var.tags
+}
\ No newline at end of file
diff --git a/terraform/ecc-azure-448-vm_stopped_instance/green/vnet.tf b/terraform/ecc-azure-448-vm_stopped_instance/green/vnet.tf
new file mode 100644
index 0000000..bb8fa3b
--- /dev/null
+++ b/terraform/ecc-azure-448-vm_stopped_instance/green/vnet.tf
@@ -0,0 +1,25 @@
+resource "azurerm_virtual_network" "this" {
+ name = "${var.prefix}-network-green"
+ address_space = ["10.0.0.0/16"]
+ location = azurerm_resource_group.this.location
+ resource_group_name = azurerm_resource_group.this.name
+}
+
+resource "azurerm_subnet" "this" {
+ name = "${var.prefix}internal-green"
+ resource_group_name = azurerm_resource_group.this.name
+ virtual_network_name = azurerm_virtual_network.this.name
+ address_prefixes = ["10.0.2.0/24"]
+}
+
+resource "azurerm_network_interface" "nif1" {
+ name = "${var.prefix}first-green"
+ location = azurerm_resource_group.this.location
+ resource_group_name = azurerm_resource_group.this.name
+
+ ip_configuration {
+ name = "internal"
+ subnet_id = azurerm_subnet.this.id
+ private_ip_address_allocation = "Dynamic"
+ }
+}
\ No newline at end of file
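Review bot: `disable_password_authentication = false` together with `admin_password` keeps password login enabled on the Linux VM, the weaker of the two options the resource supports; unless this fixture specifically needs password auth, prefer `disable_password_authentication = true` with an `admin_ssh_key` block and drop `admin_password`. The NIC in vnet.tf has no public IP, so reachability is limited to the virtual network, which keeps the exposure low either way. Separately, `offer = "UbuntuServer"` with `sku = "16.04-LTS"` references an Ubuntu release that is end-of-life and, as far as I know, retired from the marketplace, so `terraform apply` may fail until a supported Ubuntu image is referenced.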
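Review bot: Resource naming in vnet.tf is inconsistent: the virtual network is `"${var.prefix}-network-green"` with a hyphen after the prefix, while the subnet and NIC use `"${var.prefix}internal-green"` and `"${var.prefix}first-green"` without one, so with `prefix = "448"` the names read `448-network-green` next to `448internal-green`. Pick one form for the whole fixture, e.g. `name = "${var.prefix}-internal-green"` and `name = "${var.prefix}-first-green"`. The subnet and NIC also have no network security group associated, which is presumably acceptable here because there is no public IP, but worth stating in a comment if intended.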
diff --git a/terraform/ecc-azure-448-vm_stopped_instance/iam/ecc-azure-448-vm_stopped_instance.json b/terraform/ecc-azure-448-vm_stopped_instance/iam/ecc-azure-448-vm_stopped_instance.json
new file mode 100644
index 0000000..5985da3
--- /dev/null
+++ b/terraform/ecc-azure-448-vm_stopped_instance/iam/ecc-azure-448-vm_stopped_instance.json
@@ -0,0 +1,19 @@
+{
+ "properties": {
+ "roleName": "Custodian-ecc-azure-448-vm_stopped_instance",
+ "description": "",
+ "assignableScopes": [
+ "/subscriptions/{subscription_id}"
+ ],
+ "permissions": [
+ {
+ "actions": [
+ "Microsoft.Compute/virtualMachines/read"
+ ],
+ "notActions": [],
+ "dataActions": [],
+ "notDataActions": []
+ }
+ ]
+ }
+}
\ No newline at end of file
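Review bot: The role's `actions` grants only `Microsoft.Compute/virtualMachines/read`, but the policy in policies/ecc-azure-448-vm_stopped_instance.yml relies on the `instance-view` filter, which reads the VM instance view, and in Azure RBAC that is the separate action `Microsoft.Compute/virtualMachines/instanceView/read`; without it the instance-view call is denied and the policy cannot evaluate any VM under this least-privilege role. Add `"Microsoft.Compute/virtualMachines/instanceView/read"` to the `actions` array. `"description": ""` is also empty — a one-line description naming the policy this role serves, e.g. `"Read-only access for the ecc-azure-448-vm_stopped_instance Custodian policy"`, would help whoever audits custom roles later.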