Diffstat (limited to 'python-cloud-governance.spec')
-rw-r--r-- python-cloud-governance.spec 767
1 files changed, 767 insertions, 0 deletions
diff --git a/python-cloud-governance.spec b/python-cloud-governance.spec
new file mode 100644
index 0000000..fc37f81
--- /dev/null
+++ b/python-cloud-governance.spec
@@ -0,0 +1,767 @@
+%global _empty_manifest_terminate_build 0
+Name: python-cloud-governance
+Version: 1.1.86
+Release: 1
+Summary: Cloud Governance Tool
+License: Apache License 2.0
+URL: https://github.com/redhat-performance/cloud-governance
+Source0: https://mirrors.nju.edu.cn/pypi/web/packages/1b/ed/e5a0dafff0d99b404738b3f0bc2bb3aa938fb6d104d50532627a3c0aaf86/cloud-governance-1.1.86.tar.gz
+BuildArch: noarch
+
+Requires: python3-attrs
+Requires: python3-azure-identity
+Requires: python3-azure-mgmt-costmanagement
+Requires: python3-azure-mgmt-subscription
+Requires: python3-azure-mgmt-billing
+Requires: python3-botocore
+Requires: python3-boto3
+Requires: python3-elasticsearch
+Requires: python3-elasticsearch-dsl
+Requires: python3-google-api-python-client
+Requires: python3-google-auth-httplib2
+Requires: python3-google-auth-oauthlib
+Requires: python3-google-cloud-billing
+Requires: python3-google-cloud-bigquery
+Requires: python3-ibm-platform-services
+Requires: python3-myst-parser
+Requires: python3-pandas
+Requires: python3-PyGitHub
+Requires: python3-ldap
+Requires: python3-requests
+Requires: python3-retry
+Requires: python3-SoftLayer
+Requires: python3-sphinx
+Requires: python3-sphinx-rtd-theme
+Requires: python3-typing
+Requires: python3-typeguard
+Requires: python3-aiohttp
+Requires: python3-urllib3
+Requires: python3-oauthlib
+
+%description
+
+[![PyPI Latest Release](https://img.shields.io/pypi/v/cloud-governance.svg)](https://pypi.org/project/cloud-governance/)
+[![Container Repository on Quay](https://quay.io/repository/projectquay/quay/status "Container Repository on Quay")](https://quay.io/repository/ebattat/cloud-governance?tab=tags)
+[![Actions Status](https://github.com/redhat-performance/cloud-governance/workflows/Build/badge.svg)](https://github.com/redhat-performance/cloud-governance/actions)
+[![Coverage Status](https://coveralls.io/repos/github/redhat-performance/cloud-governance/badge.svg?branch=main)](https://coveralls.io/github/redhat-performance/cloud-governance?branch=main)
+[![Documentation Status](https://readthedocs.org/projects/cloud-governance/badge/?version=latest)](https://cloud-governance.readthedocs.io/en/latest/?badge=latest)
+[![python](https://img.shields.io/pypi/pyversions/cloud-governance.svg?color=%2334D058)](https://pypi.org/project/cloud-governance)
+[![License](https://img.shields.io/pypi/l/cloud-governance.svg)](https://github.com/redhat-performance/cloud-governance/blob/main/LICENSE)
+
+
+# Cloud Governance
+
+![](images/cloud_governance.png)
+
+## What is it?
+
+**Cloud Governance** tool provides a lightweight and flexible framework for deploying cloud management policies focusing on cost optimize and security.
+
+This tool support the following policies:
+[policy](cloud_governance/policy)
+
+[AWS Polices](cloud_governance/policy/aws)
+
+* Real time Openshift Cluster cost, User cost
+* [ec2_idle](cloud_governance/policy/aws/ec2_idle.py): idle ec2 in last 4 days, cpu < 2% & network < 5mb.
+* [ec2_run](cloud_governance/policy/aws/ec2_run.py): running ec2.
+* [ebs_unattached](cloud_governance/policy/aws/ebs_unattached.py): volumes that did not connect to instance, volume in available status.
+* [ebs_in_use](cloud_governance/policy/aws/ebs_in_use.py): in use volumes.
+* [tag_resources](cloud_governance/policy/policy_operations/aws/tag_cluster): Update cluster and non cluster resource tags fetching from the user tags or from the mandatory tags
+* [zombie_cluster_resource](cloud_governance/policy/aws/zombie_cluster_resource.py): Delete cluster's zombie resources
+* [tag_non_cluster](cloud_governance/policy/policy_operations/aws/tag_non_cluster): tag ec2 resources (instance, volume, ami, snapshot) by instance name
+* [tag_iam_user](cloud_governance/policy/policy_operations/aws/tag_user): update the user tags from the csv file
+* [cost_explorer](cloud_governance/policy/aws/cost_explorer.py): Get data from cost explorer and upload to ElasticSearch
+* [ip_unattached](cloud_governance/policy/aws/ip_unattached.py): Get the unattached IP and delete it after 7 days.
+* [s3_inactive](cloud_governance/policy/aws/s3_inactive.py): Get the inactive/empty buckets and delete them after 7 days.
+* [empty_roles](cloud_governance/policy/aws/empty_roles.py): Get empty roles and delete it after 7 days.
+* [zombie_snapshots](cloud_governance/policy/aws/zombie_snapshots.py): Get the zombie snapshots and delete it after 7 days.
+* [nat_gateway_unused](cloud_governance/policy/aws/nat_gateway_unused.py): Get the unused nat gateways and deletes it after 7 days.
+* gitleaks: scan Github repository git leak (security scan)
+* [cost_over_usage](cloud_governance/policy/aws/cost_over_usage.py): send mail to aws user if over usage cost
+
+[IBM policies](cloud_governance/policy/ibm)
+
+* [tag_baremetal](cloud_governance/policy/ibm/tag_baremetal.py): Tag IBM baremetal machines
+* [tag_vm](cloud_governance/policy/ibm/tag_vm.py): Tga IBM Virtual Machines machines
+
+** You can write your own policy using [Cloud-Custodian](https://cloudcustodian.io/docs/quickstart/index.html)
+ and run it (see 'custom cloud custodian policy' in [Policy workflows](#policy-workloads)).
+
+
+![](images/cloud_governance1.png)
+![](images/demo.gif)
+
+![](images/cloud_governance2.png)
+
+Reference:
+* The cloud-governance package is placed in [PyPi](https://pypi.org/project/cloud-governance/)
+* The cloud-governance container image is placed in [Quay.io](https://quay.io/repository/ebattat/cloud-governance)
+* The cloud-governance readthedocs link is [ReadTheDocs](https://cloud-governance.readthedocs.io/en/latest/)
+![](images/cloud_governance3.png)
+
+_**Table of Contents**_
+
+<!-- TOC -->
+- [Installation](#installation)
+- [Configuration](#configuration)
+- [Run AWS Policy Using Podman](#run-aws-policy-using-podman)
+- [Run IBM Policy Using Podman](#run-ibm-policy-using-podman)
+- [Run Policy Using Pod](#run-policy-using-pod)
+- [Pytest](#pytest)
+- [Post Installation](#post-installation)
+
+<!-- /TOC -->
+
+## Installation
+
+#### Download cloud-governance image from quay.io
+```sh
+# Need to run it with root privileges
+sudo podman pull quay.io/ebattat/cloud-governance
+```
+
+#### Environment variables description:
+
+(mandatory)AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
+
+(mandatory)AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
+
+##### Policy name:
+(mandatory)policy=ec2_idle / ec2_run / ebs_unattached / ebs_in_use / tag_cluster_resource / zombie_cluster_resource / tag_ec2_resource
+
+##### Policy logs output
+(mandatory)policy_output=s3://redhat-cloud-governance/logs
+
+##### Cluster or instance name:
+(mandatory policy:tag_cluster_resource)resource_name=ocs-test
+
+##### Cluster or instance tags:
+(mandatory policy:tag_cluster_resource)mandatory_tags="{'Owner': 'Name','Email': 'name@redhat.com','Purpose': 'test'}"
+
+##### gitleaks
+(mandatory policy: gitleaks)git_access_token=$git_access_token
+(mandatory policy: gitleaks)git_repo=https://github.com/redhat-performance/cloud-governance
+(optional policy: gitleaks)several_repos=yes/no (default = no)
+
+##### Choose a specific region or all for all the regions, default : us-east-2
+(optional)AWS_DEFAULT_REGION=us-east-2/all (default = us-east-2)
+
+##### Choose dry run or not, default yes
+(optional)dry_run=yes/no (default = yes)
+
+##### Choose log level, default INFO
+(optional)log_level=INFO (default = INFO)
+
+#### LDAP hostname to fetch mail records
+LDAP_HOST_NAME=ldap.example.com
+
+#### Enable Google Drive API in console and create Service account
+GOOGLE_APPLICATION_CREDENTIALS=$pwd/service_account.json
+
+# Configuration
+
+### AWS Configuration
+
+#### Create a user and a bucket
+* Create user with IAM [iam](iam/clouds)
+* Create a logs bucket [create_bucket.sh](iam/cloud/aws/create_bucket.sh)
+
+### IBM Configuration
+* Create classic infrastructure API key
+
+## Run AWS Policy Using Podman
+```sh
+# policy=ec2_idle
+sudo podman run --rm --name cloud-governance -e policy="ec2_idle" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e dry_run="yes" -e policy_output="s3://bucket/logs" -e log_level="INFO" "quay.io/ebattat/cloud-governance"
+
+# policy=ec2_run
+sudo podman run --rm --name cloud-governance -e policy="ec2_run" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e dry_run="yes" -e policy_output="s3://bucket/logs" -e log_level="INFO" "quay.io/ebattat/cloud-governance"
+
+# select policy ['ec2_stop', 's3_inactive', 'empty_roles', 'ip_unattached', 'nat_gateway_unused', 'zombie_snapshots']
+sudo podman run --rm --name cloud-governance -e policy="policy" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e dry_run="yes" -e log_level="INFO" "quay.io/ebattat/cloud-governance"
+
+# policy=ebs_unattached
+sudo podman run --rm --name cloud-governance -e policy="ebs_unattached" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e dry_run="yes" -e policy_output="s3://bucket/logs" -e log_level="INFO" "quay.io/ebattat/cloud-governance"
+
+# policy=ebs_in_use
+sudo podman run --rm --name cloud-governance -e policy="ebs_in_use" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e dry_run="yes" -e policy_output="s3://bucket/logs" -e log_level="INFO" "quay.io/ebattat/cloud-governance"
+
+# policy=zombie_cluster_resource
+sudo podman run --rm --name cloud-governance -e policy="zombie_cluster_resource" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e dry_run="yes" -e resource="zombie_cluster_elastic_ip" -e cluster_tag="kubernetes.io/cluster/test-pd9qq" -e log_level="INFO" "quay.io/ebattat/cloud-governance"
+
+# policy=tag_resources
+sudo podman run --rm --name cloud-governance -e policy="tag_resources" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e tag_operation="read/update/delete" -e mandatory_tags="{'Owner': 'Name','Email': 'name@redhat.com','Purpose': 'test'}" -e log_level="INFO" -v "/etc/localtime":"/etc/localtime" "quay.io/ebattat/cloud-governance"
+
+# policy=tag_non_cluster
+sudo podman run --rm --name cloud-governance -e policy="tag_non_cluster" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e tag_operation="read/update/delete" -e mandatory_tags="{'Owner': 'Name','Email': 'name@redhat.com','Purpose': 'test'}" -e log_level="INFO" -v "/etc/localtime":"/etc/localtime" "quay.io/ebattat/cloud-governance"
+
+# policy=tag_iam_user
+sudo podman run --rm --name cloud-governance -e policy="tag_iam_user" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e user_tag_operation="read/update/delete" -e remove_tags="['Environment', 'Test']" -e username="test_username" -e file_name="tag_user.csv" -e log_level="INFO" -v "/home/user/tag_user.csv":"/tmp/tag_user.csv" --privileged "quay.io/ebattat/cloud-governance"
+
+# policy=cost_explorer
+sudo podman run --rm --name cloud-governance -e policy="cost_explorer" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e es_host="$elasticsearch_host" -e es_port="$elasticsearch_port" -e es_index="$elasticsearch_index" -e cost_metric=UnblendedCost -e start_date="$start_date" -e end_date="$end_date" -e granularity="DAILY" -e cost_explorer_tags="['User', 'Budget', 'Project', 'Manager', 'Owner', 'LaunchTime', 'Name', 'Email']" -e log_level="INFO" "quay.io/ebattat/cloud-governance:latest"
+sudo podman run --rm --name cloud-governance -e policy="cost_explorer" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e es_index="elasticsearch_index" -e cost_metric="UnblendedCost" -e start_date="$start_date" -e end_date="$end_date" -e granularity="DAILY" -e cost_explorer_tags="['User', 'Budget', 'Project', 'Manager', 'Owner', 'LaunchTime', 'Name', 'Email']" -e file_name="cost_explorer.txt" -v "/home/cost_explorer.txt":"/tmp/cost_explorer.txt" -e log_level="INFO" "quay.io/ebattat/cloud-governance:latest"
+
+# policy=validate_iam_user_tags
+sudo podman run --rm --name cloud-governance -e policy="validate_iam_user_tags" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e validate_type="spaces/tags" -e user_tags="['Budget', 'User', 'Owner', 'Manager', 'Environment', 'Project']" -e log_level="INFO" "quay.io/ebattat/cloud-governance:latest"
+
+# policy=gitleaks
+sudo podman run --rm --name cloud-governance -e policy="gitleaks" -e git_access_token="$git_access_token" -e git_repo="https://github.com/redhat-performance/cloud-governance" -e several_repos="no" -e log_level="INFO" "quay.io/ebattat/cloud-governance"
+
+# custom cloud custodian policy (path for custom policy: -v /home/user/custodian_policy:/custodian_policy)
+sudo podman run --rm --name cloud-governance -e policy="/custodian_policy/policy.yml" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e dry_run="yes" -e policy_output="s3://bucket/logs" -e log_level="INFO" -v "/home/user/custodian_policy":"/custodian_policy" --privileged "quay.io/ebattat/cloud-governance"
+
+```
+
+## Run IBM Policy Using Podman
+
+```sh
+# policy=tag_baremetal
+podman run --rm --name cloud-governance -e policy="tag_baremetal" -e account="$account" -e IBM_API_USERNAME="$IBM_API_USERNAME" -e IBM_API_KEY="$IBM_API_KEY" -e SPREADSHEET_ID="$SPREADSHEET_ID" -e GOOGLE_APPLICATION_CREDENTIALS="$GOOGLE_APPLICATION_CREDENTIALS" -v $GOOGLE_APPLICATION_CREDENTIALS:$GOOGLE_APPLICATION_CREDENTIALS -e LDAP_USER_HOST="$LDAP_USER_HOST" -e tag_operation="update" -e log_level="INFO" -v "/etc/localtime":"/etc/localtime" "quay.io/ebattat/cloud-governance:latest"
+
+# tag=tab_vm
+podman run --rm --name cloud-governance -e policy="tag_vm" -e account="$account" -e IBM_API_USERNAME="$IBM_API_USERNAME" -e IBM_API_KEY="$IBM_API_KEY" -e SPREADSHEET_ID="$SPREADSHEET_ID" -e GOOGLE_APPLICATION_CREDENTIALS="$GOOGLE_APPLICATION_CREDENTIALS" -v $GOOGLE_APPLICATION_CREDENTIALS:$GOOGLE_APPLICATION_CREDENTIALS -e LDAP_USER_HOST="$LDAP_USER_HOST" -e tag_operation="update" -e log_level="INFO" -v "/etc/localtime":"/etc/localtime" "quay.io/ebattat/cloud-governance:latest"
+
+```
+
+## Run Policy Using Pod
+
+#### Run as a pod job via OpenShift
+
+Job Pod: [cloud-governance.yaml](pod_yaml/cloud-governance.yaml)
+
+Configmaps: [cloud_governance_configmap.yaml](pod_yaml/cloud_governance_configmap.yaml)
+
+Quay.io Secret: [quayio_secret.sh](pod_yaml/quayio_secret.sh)
+
+AWS Secret: [cloud_governance_secret.yaml](pod_yaml/cloud_governance_secret.yaml)
+
+ * Need to convert secret key to base64 [run_base64.py](pod_yaml/run_base64.py)
+
+## Pytest
+
+##### Cloud-governance integration tests using pytest
+```sh
+python3 -m venv governance
+source governance/bin/activate
+(governance) $ python -m pip install --upgrade pip
+(governance) $ pip install coverage
+(governance) $ pip install pytest
+(governance) $ git clone https://github.com/redhat-performance/cloud-governance
+(governance) $ cd cloud-governance
+(governance) $ coverage run -m pytest
+(governance) $ deactivate
+rm -rf *governance*
+```
+
+## Post Installation
+
+#### Delete cloud-governance image
+```sh
+sudo podman rmi quay.io/ebattat/cloud-governance
+```
+
+
+%package -n python3-cloud-governance
+Summary: Cloud Governance Tool
+Provides: python-cloud-governance
+BuildRequires: python3-devel
+BuildRequires: python3-setuptools
+BuildRequires: python3-pip
+%description -n python3-cloud-governance
+
+[![PyPI Latest Release](https://img.shields.io/pypi/v/cloud-governance.svg)](https://pypi.org/project/cloud-governance/)
+[![Container Repository on Quay](https://quay.io/repository/projectquay/quay/status "Container Repository on Quay")](https://quay.io/repository/ebattat/cloud-governance?tab=tags)
+[![Actions Status](https://github.com/redhat-performance/cloud-governance/workflows/Build/badge.svg)](https://github.com/redhat-performance/cloud-governance/actions)
+[![Coverage Status](https://coveralls.io/repos/github/redhat-performance/cloud-governance/badge.svg?branch=main)](https://coveralls.io/github/redhat-performance/cloud-governance?branch=main)
+[![Documentation Status](https://readthedocs.org/projects/cloud-governance/badge/?version=latest)](https://cloud-governance.readthedocs.io/en/latest/?badge=latest)
+[![python](https://img.shields.io/pypi/pyversions/cloud-governance.svg?color=%2334D058)](https://pypi.org/project/cloud-governance)
+[![License](https://img.shields.io/pypi/l/cloud-governance.svg)](https://github.com/redhat-performance/cloud-governance/blob/main/LICENSE)
+
+
+# Cloud Governance
+
+![](images/cloud_governance.png)
+
+## What is it?
+
+**Cloud Governance** tool provides a lightweight and flexible framework for deploying cloud management policies focusing on cost optimize and security.
+
+This tool support the following policies:
+[policy](cloud_governance/policy)
+
+[AWS Polices](cloud_governance/policy/aws)
+
+* Real time Openshift Cluster cost, User cost
+* [ec2_idle](cloud_governance/policy/aws/ec2_idle.py): idle ec2 in last 4 days, cpu < 2% & network < 5mb.
+* [ec2_run](cloud_governance/policy/aws/ec2_run.py): running ec2.
+* [ebs_unattached](cloud_governance/policy/aws/ebs_unattached.py): volumes that did not connect to instance, volume in available status.
+* [ebs_in_use](cloud_governance/policy/aws/ebs_in_use.py): in use volumes.
+* [tag_resources](cloud_governance/policy/policy_operations/aws/tag_cluster): Update cluster and non cluster resource tags fetching from the user tags or from the mandatory tags
+* [zombie_cluster_resource](cloud_governance/policy/aws/zombie_cluster_resource.py): Delete cluster's zombie resources
+* [tag_non_cluster](cloud_governance/policy/policy_operations/aws/tag_non_cluster): tag ec2 resources (instance, volume, ami, snapshot) by instance name
+* [tag_iam_user](cloud_governance/policy/policy_operations/aws/tag_user): update the user tags from the csv file
+* [cost_explorer](cloud_governance/policy/aws/cost_explorer.py): Get data from cost explorer and upload to ElasticSearch
+* [ip_unattached](cloud_governance/policy/aws/ip_unattached.py): Get the unattached IP and delete it after 7 days.
+* [s3_inactive](cloud_governance/policy/aws/s3_inactive.py): Get the inactive/empty buckets and delete them after 7 days.
+* [empty_roles](cloud_governance/policy/aws/empty_roles.py): Get empty roles and delete it after 7 days.
+* [zombie_snapshots](cloud_governance/policy/aws/zombie_snapshots.py): Get the zombie snapshots and delete it after 7 days.
+* [nat_gateway_unused](cloud_governance/policy/aws/nat_gateway_unused.py): Get the unused nat gateways and deletes it after 7 days.
+* gitleaks: scan Github repository git leak (security scan)
+* [cost_over_usage](cloud_governance/policy/aws/cost_over_usage.py): send mail to aws user if over usage cost
+
+[IBM policies](cloud_governance/policy/ibm)
+
+* [tag_baremetal](cloud_governance/policy/ibm/tag_baremetal.py): Tag IBM baremetal machines
+* [tag_vm](cloud_governance/policy/ibm/tag_vm.py): Tga IBM Virtual Machines machines
+
+** You can write your own policy using [Cloud-Custodian](https://cloudcustodian.io/docs/quickstart/index.html)
+ and run it (see 'custom cloud custodian policy' in [Policy workflows](#policy-workloads)).
+
+
+![](images/cloud_governance1.png)
+![](images/demo.gif)
+
+![](images/cloud_governance2.png)
+
+Reference:
+* The cloud-governance package is placed in [PyPi](https://pypi.org/project/cloud-governance/)
+* The cloud-governance container image is placed in [Quay.io](https://quay.io/repository/ebattat/cloud-governance)
+* The cloud-governance readthedocs link is [ReadTheDocs](https://cloud-governance.readthedocs.io/en/latest/)
+![](images/cloud_governance3.png)
+
+_**Table of Contents**_
+
+<!-- TOC -->
+- [Installation](#installation)
+- [Configuration](#configuration)
+- [Run AWS Policy Using Podman](#run-aws-policy-using-podman)
+- [Run IBM Policy Using Podman](#run-ibm-policy-using-podman)
+- [Run Policy Using Pod](#run-policy-using-pod)
+- [Pytest](#pytest)
+- [Post Installation](#post-installation)
+
+<!-- /TOC -->
+
+## Installation
+
+#### Download cloud-governance image from quay.io
+```sh
+# Need to run it with root privileges
+sudo podman pull quay.io/ebattat/cloud-governance
+```
+
+#### Environment variables description:
+
+(mandatory)AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
+
+(mandatory)AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
+
+##### Policy name:
+(mandatory)policy=ec2_idle / ec2_run / ebs_unattached / ebs_in_use / tag_cluster_resource / zombie_cluster_resource / tag_ec2_resource
+
+##### Policy logs output
+(mandatory)policy_output=s3://redhat-cloud-governance/logs
+
+##### Cluster or instance name:
+(mandatory policy:tag_cluster_resource)resource_name=ocs-test
+
+##### Cluster or instance tags:
+(mandatory policy:tag_cluster_resource)mandatory_tags="{'Owner': 'Name','Email': 'name@redhat.com','Purpose': 'test'}"
+
+##### gitleaks
+(mandatory policy: gitleaks)git_access_token=$git_access_token
+(mandatory policy: gitleaks)git_repo=https://github.com/redhat-performance/cloud-governance
+(optional policy: gitleaks)several_repos=yes/no (default = no)
+
+##### Choose a specific region or all for all the regions, default : us-east-2
+(optional)AWS_DEFAULT_REGION=us-east-2/all (default = us-east-2)
+
+##### Choose dry run or not, default yes
+(optional)dry_run=yes/no (default = yes)
+
+##### Choose log level, default INFO
+(optional)log_level=INFO (default = INFO)
+
+#### LDAP hostname to fetch mail records
+LDAP_HOST_NAME=ldap.example.com
+
+#### Enable Google Drive API in console and create Service account
+GOOGLE_APPLICATION_CREDENTIALS=$pwd/service_account.json
+
+# Configuration
+
+### AWS Configuration
+
+#### Create a user and a bucket
+* Create user with IAM [iam](iam/clouds)
+* Create a logs bucket [create_bucket.sh](iam/cloud/aws/create_bucket.sh)
+
+### IBM Configuration
+* Create classic infrastructure API key
+
+## Run AWS Policy Using Podman
+```sh
+# policy=ec2_idle
+sudo podman run --rm --name cloud-governance -e policy="ec2_idle" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e dry_run="yes" -e policy_output="s3://bucket/logs" -e log_level="INFO" "quay.io/ebattat/cloud-governance"
+
+# policy=ec2_run
+sudo podman run --rm --name cloud-governance -e policy="ec2_run" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e dry_run="yes" -e policy_output="s3://bucket/logs" -e log_level="INFO" "quay.io/ebattat/cloud-governance"
+
+# select policy ['ec2_stop', 's3_inactive', 'empty_roles', 'ip_unattached', 'nat_gateway_unused', 'zombie_snapshots']
+sudo podman run --rm --name cloud-governance -e policy="policy" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e dry_run="yes" -e log_level="INFO" "quay.io/ebattat/cloud-governance"
+
+# policy=ebs_unattached
+sudo podman run --rm --name cloud-governance -e policy="ebs_unattached" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e dry_run="yes" -e policy_output="s3://bucket/logs" -e log_level="INFO" "quay.io/ebattat/cloud-governance"
+
+# policy=ebs_in_use
+sudo podman run --rm --name cloud-governance -e policy="ebs_in_use" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e dry_run="yes" -e policy_output="s3://bucket/logs" -e log_level="INFO" "quay.io/ebattat/cloud-governance"
+
+# policy=zombie_cluster_resource
+sudo podman run --rm --name cloud-governance -e policy="zombie_cluster_resource" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e dry_run="yes" -e resource="zombie_cluster_elastic_ip" -e cluster_tag="kubernetes.io/cluster/test-pd9qq" -e log_level="INFO" "quay.io/ebattat/cloud-governance"
+
+# policy=tag_resources
+sudo podman run --rm --name cloud-governance -e policy="tag_resources" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e tag_operation="read/update/delete" -e mandatory_tags="{'Owner': 'Name','Email': 'name@redhat.com','Purpose': 'test'}" -e log_level="INFO" -v "/etc/localtime":"/etc/localtime" "quay.io/ebattat/cloud-governance"
+
+# policy=tag_non_cluster
+sudo podman run --rm --name cloud-governance -e policy="tag_non_cluster" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e tag_operation="read/update/delete" -e mandatory_tags="{'Owner': 'Name','Email': 'name@redhat.com','Purpose': 'test'}" -e log_level="INFO" -v "/etc/localtime":"/etc/localtime" "quay.io/ebattat/cloud-governance"
+
+# policy=tag_iam_user
+sudo podman run --rm --name cloud-governance -e policy="tag_iam_user" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e user_tag_operation="read/update/delete" -e remove_tags="['Environment', 'Test']" -e username="test_username" -e file_name="tag_user.csv" -e log_level="INFO" -v "/home/user/tag_user.csv":"/tmp/tag_user.csv" --privileged "quay.io/ebattat/cloud-governance"
+
+# policy=cost_explorer
+sudo podman run --rm --name cloud-governance -e policy="cost_explorer" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e es_host="$elasticsearch_host" -e es_port="$elasticsearch_port" -e es_index="$elasticsearch_index" -e cost_metric=UnblendedCost -e start_date="$start_date" -e end_date="$end_date" -e granularity="DAILY" -e cost_explorer_tags="['User', 'Budget', 'Project', 'Manager', 'Owner', 'LaunchTime', 'Name', 'Email']" -e log_level="INFO" "quay.io/ebattat/cloud-governance:latest"
+sudo podman run --rm --name cloud-governance -e policy="cost_explorer" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e es_index="elasticsearch_index" -e cost_metric="UnblendedCost" -e start_date="$start_date" -e end_date="$end_date" -e granularity="DAILY" -e cost_explorer_tags="['User', 'Budget', 'Project', 'Manager', 'Owner', 'LaunchTime', 'Name', 'Email']" -e file_name="cost_explorer.txt" -v "/home/cost_explorer.txt":"/tmp/cost_explorer.txt" -e log_level="INFO" "quay.io/ebattat/cloud-governance:latest"
+
+# policy=validate_iam_user_tags
+sudo podman run --rm --name cloud-governance -e policy="validate_iam_user_tags" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e validate_type="spaces/tags" -e user_tags="['Budget', 'User', 'Owner', 'Manager', 'Environment', 'Project']" -e log_level="INFO" "quay.io/ebattat/cloud-governance:latest"
+
+# policy=gitleaks
+sudo podman run --rm --name cloud-governance -e policy="gitleaks" -e git_access_token="$git_access_token" -e git_repo="https://github.com/redhat-performance/cloud-governance" -e several_repos="no" -e log_level="INFO" "quay.io/ebattat/cloud-governance"
+
+# custom cloud custodian policy (path for custom policy: -v /home/user/custodian_policy:/custodian_policy)
+sudo podman run --rm --name cloud-governance -e policy="/custodian_policy/policy.yml" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e dry_run="yes" -e policy_output="s3://bucket/logs" -e log_level="INFO" -v "/home/user/custodian_policy":"/custodian_policy" --privileged "quay.io/ebattat/cloud-governance"
+
+```
+
+## Run IBM Policy Using Podman
+
+```sh
+# policy=tag_baremetal
+podman run --rm --name cloud-governance -e policy="tag_baremetal" -e account="$account" -e IBM_API_USERNAME="$IBM_API_USERNAME" -e IBM_API_KEY="$IBM_API_KEY" -e SPREADSHEET_ID="$SPREADSHEET_ID" -e GOOGLE_APPLICATION_CREDENTIALS="$GOOGLE_APPLICATION_CREDENTIALS" -v $GOOGLE_APPLICATION_CREDENTIALS:$GOOGLE_APPLICATION_CREDENTIALS -e LDAP_USER_HOST="$LDAP_USER_HOST" -e tag_operation="update" -e log_level="INFO" -v "/etc/localtime":"/etc/localtime" "quay.io/ebattat/cloud-governance:latest"
+
+# tag=tab_vm
+podman run --rm --name cloud-governance -e policy="tag_vm" -e account="$account" -e IBM_API_USERNAME="$IBM_API_USERNAME" -e IBM_API_KEY="$IBM_API_KEY" -e SPREADSHEET_ID="$SPREADSHEET_ID" -e GOOGLE_APPLICATION_CREDENTIALS="$GOOGLE_APPLICATION_CREDENTIALS" -v $GOOGLE_APPLICATION_CREDENTIALS:$GOOGLE_APPLICATION_CREDENTIALS -e LDAP_USER_HOST="$LDAP_USER_HOST" -e tag_operation="update" -e log_level="INFO" -v "/etc/localtime":"/etc/localtime" "quay.io/ebattat/cloud-governance:latest"
+
+```
+
+## Run Policy Using Pod
+
+#### Run as a pod job via OpenShift
+
+Job Pod: [cloud-governance.yaml](pod_yaml/cloud-governance.yaml)
+
+Configmaps: [cloud_governance_configmap.yaml](pod_yaml/cloud_governance_configmap.yaml)
+
+Quay.io Secret: [quayio_secret.sh](pod_yaml/quayio_secret.sh)
+
+AWS Secret: [cloud_governance_secret.yaml](pod_yaml/cloud_governance_secret.yaml)
+
+ * Need to convert secret key to base64 [run_base64.py](pod_yaml/run_base64.py)
+
+## Pytest
+
+##### Cloud-governance integration tests using pytest
+```sh
+python3 -m venv governance
+source governance/bin/activate
+(governance) $ python -m pip install --upgrade pip
+(governance) $ pip install coverage
+(governance) $ pip install pytest
+(governance) $ git clone https://github.com/redhat-performance/cloud-governance
+(governance) $ cd cloud-governance
+(governance) $ coverage run -m pytest
+(governance) $ deactivate
+rm -rf *governance*
+```
+
+## Post Installation
+
+#### Delete cloud-governance image
+```sh
+sudo podman rmi quay.io/ebattat/cloud-governance
+```
+
+
+%package help
+Summary: Development documents and examples for cloud-governance
+Provides: python3-cloud-governance-doc
+%description help
+
+[![PyPI Latest Release](https://img.shields.io/pypi/v/cloud-governance.svg)](https://pypi.org/project/cloud-governance/)
+[![Container Repository on Quay](https://quay.io/repository/projectquay/quay/status "Container Repository on Quay")](https://quay.io/repository/ebattat/cloud-governance?tab=tags)
+[![Actions Status](https://github.com/redhat-performance/cloud-governance/workflows/Build/badge.svg)](https://github.com/redhat-performance/cloud-governance/actions)
+[![Coverage Status](https://coveralls.io/repos/github/redhat-performance/cloud-governance/badge.svg?branch=main)](https://coveralls.io/github/redhat-performance/cloud-governance?branch=main)
+[![Documentation Status](https://readthedocs.org/projects/cloud-governance/badge/?version=latest)](https://cloud-governance.readthedocs.io/en/latest/?badge=latest)
+[![python](https://img.shields.io/pypi/pyversions/cloud-governance.svg?color=%2334D058)](https://pypi.org/project/cloud-governance)
+[![License](https://img.shields.io/pypi/l/cloud-governance.svg)](https://github.com/redhat-performance/cloud-governance/blob/main/LICENSE)
+
+
+# Cloud Governance
+
+![](images/cloud_governance.png)
+
+## What is it?
+
+**Cloud Governance** tool provides a lightweight and flexible framework for deploying cloud management policies focusing on cost optimize and security.
+
+This tool support the following policies:
+[policy](cloud_governance/policy)
+
+[AWS Polices](cloud_governance/policy/aws)
+
+* Real time Openshift Cluster cost, User cost
+* [ec2_idle](cloud_governance/policy/aws/ec2_idle.py): idle ec2 in last 4 days, cpu < 2% & network < 5mb.
+* [ec2_run](cloud_governance/policy/aws/ec2_run.py): running ec2.
+* [ebs_unattached](cloud_governance/policy/aws/ebs_unattached.py): volumes that did not connect to instance, volume in available status.
+* [ebs_in_use](cloud_governance/policy/aws/ebs_in_use.py): in use volumes.
+* [tag_resources](cloud_governance/policy/policy_operations/aws/tag_cluster): Update cluster and non cluster resource tags fetching from the user tags or from the mandatory tags
+* [zombie_cluster_resource](cloud_governance/policy/aws/zombie_cluster_resource.py): Delete cluster's zombie resources
+* [tag_non_cluster](cloud_governance/policy/policy_operations/aws/tag_non_cluster): tag ec2 resources (instance, volume, ami, snapshot) by instance name
+* [tag_iam_user](cloud_governance/policy/policy_operations/aws/tag_user): update the user tags from the csv file
+* [cost_explorer](cloud_governance/policy/aws/cost_explorer.py): Get data from cost explorer and upload to ElasticSearch
+* [ip_unattached](cloud_governance/policy/aws/ip_unattached.py): Get the unattached IP and delete it after 7 days.
+* [s3_inactive](cloud_governance/policy/aws/s3_inactive.py): Get the inactive/empty buckets and delete them after 7 days.
+* [empty_roles](cloud_governance/policy/aws/empty_roles.py): Get empty roles and delete it after 7 days.
+* [zombie_snapshots](cloud_governance/policy/aws/zombie_snapshots.py): Get the zombie snapshots and delete it after 7 days.
+* [nat_gateway_unused](cloud_governance/policy/aws/nat_gateway_unused.py): Get the unused nat gateways and deletes it after 7 days.
+* gitleaks: scan Github repository git leak (security scan)
+* [cost_over_usage](cloud_governance/policy/aws/cost_over_usage.py): send mail to aws user if over usage cost
+
+[IBM policies](cloud_governance/policy/ibm)
+
+* [tag_baremetal](cloud_governance/policy/ibm/tag_baremetal.py): Tag IBM baremetal machines
+* [tag_vm](cloud_governance/policy/ibm/tag_vm.py): Tga IBM Virtual Machines machines
+
+** You can write your own policy using [Cloud-Custodian](https://cloudcustodian.io/docs/quickstart/index.html)
+ and run it (see 'custom cloud custodian policy' in [Policy workflows](#policy-workloads)).
+
+
+![](images/cloud_governance1.png)
+![](images/demo.gif)
+
+![](images/cloud_governance2.png)
+
+Reference:
+* The cloud-governance package is placed in [PyPi](https://pypi.org/project/cloud-governance/)
+* The cloud-governance container image is placed in [Quay.io](https://quay.io/repository/ebattat/cloud-governance)
+* The cloud-governance readthedocs link is [ReadTheDocs](https://cloud-governance.readthedocs.io/en/latest/)
+![](images/cloud_governance3.png)
+
+_**Table of Contents**_
+
+<!-- TOC -->
+- [Installation](#installation)
+- [Configuration](#configuration)
+- [Run AWS Policy Using Podman](#run-aws-policy-using-podman)
+- [Run IBM Policy Using Podman](#run-ibm-policy-using-podman)
+- [Run Policy Using Pod](#run-policy-using-pod)
+- [Pytest](#pytest)
+- [Post Installation](#post-installation)
+
+<!-- /TOC -->
+
+## Installation
+
+#### Download cloud-governance image from quay.io
+```sh
+# Need to run it with root privileges
+sudo podman pull quay.io/ebattat/cloud-governance
+```
+
+#### Environment variables description:
+
+(mandatory)AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
+
+(mandatory)AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
+
+##### Policy name:
+(mandatory)policy=ec2_idle / ec2_run / ebs_unattached / ebs_in_use / tag_cluster_resource / zombie_cluster_resource / tag_ec2_resource
+
+##### Policy logs output
+(mandatory)policy_output=s3://redhat-cloud-governance/logs
+
+##### Cluster or instance name:
+(mandatory policy:tag_cluster_resource)resource_name=ocs-test
+
+##### Cluster or instance tags:
+(mandatory policy:tag_cluster_resource)mandatory_tags="{'Owner': 'Name','Email': 'name@redhat.com','Purpose': 'test'}"
+
+##### gitleaks
+(mandatory policy: gitleaks)git_access_token=$git_access_token
+(mandatory policy: gitleaks)git_repo=https://github.com/redhat-performance/cloud-governance
+(optional policy: gitleaks)several_repos=yes/no (default = no)
+
+##### Choose a specific region or all for all the regions, default : us-east-2
+(optional)AWS_DEFAULT_REGION=us-east-2/all (default = us-east-2)
+
+##### Choose dry run or not, default yes
+(optional)dry_run=yes/no (default = yes)
+
+##### Choose log level, default INFO
+(optional)log_level=INFO (default = INFO)
+
+#### LDAP hostname to fetch mail records
+LDAP_HOST_NAME=ldap.example.com
+
+#### Enable Google Drive API in console and create Service account
+GOOGLE_APPLICATION_CREDENTIALS=$pwd/service_account.json
+
+# Configuration
+
+### AWS Configuration
+
+#### Create a user and a bucket
+* Create user with IAM [iam](iam/clouds)
+* Create a logs bucket [create_bucket.sh](iam/cloud/aws/create_bucket.sh)
+
+### IBM Configuration
+* Create classic infrastructure API key
+
+## Run AWS Policy Using Podman
+```sh
+# policy=ec2_idle
+sudo podman run --rm --name cloud-governance -e policy="ec2_idle" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e dry_run="yes" -e policy_output="s3://bucket/logs" -e log_level="INFO" "quay.io/ebattat/cloud-governance"
+
+# policy=ec2_run
+sudo podman run --rm --name cloud-governance -e policy="ec2_run" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e dry_run="yes" -e policy_output="s3://bucket/logs" -e log_level="INFO" "quay.io/ebattat/cloud-governance"
+
+# select policy ['ec2_stop', 's3_inactive', 'empty_roles', 'ip_unattached', 'nat_gateway_unused', 'zombie_snapshots']
+sudo podman run --rm --name cloud-governance -e policy="policy" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e dry_run="yes" -e log_level="INFO" "quay.io/ebattat/cloud-governance"
+
+# policy=ebs_unattached
+sudo podman run --rm --name cloud-governance -e policy="ebs_unattached" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e dry_run="yes" -e policy_output="s3://bucket/logs" -e log_level="INFO" "quay.io/ebattat/cloud-governance"
+
+# policy=ebs_in_use
+sudo podman run --rm --name cloud-governance -e policy="ebs_in_use" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e dry_run="yes" -e policy_output="s3://bucket/logs" -e log_level="INFO" "quay.io/ebattat/cloud-governance"
+
+# policy=zombie_cluster_resource
+sudo podman run --rm --name cloud-governance -e policy="zombie_cluster_resource" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e dry_run="yes" -e resource="zombie_cluster_elastic_ip" -e cluster_tag="kubernetes.io/cluster/test-pd9qq" -e log_level="INFO" "quay.io/ebattat/cloud-governance"
+
+# policy=tag_resources
+sudo podman run --rm --name cloud-governance -e policy="tag_resources" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e tag_operation="read/update/delete" -e mandatory_tags="{'Owner': 'Name','Email': 'name@redhat.com','Purpose': 'test'}" -e log_level="INFO" -v "/etc/localtime":"/etc/localtime" "quay.io/ebattat/cloud-governance"
+
+# policy=tag_non_cluster
+sudo podman run --rm --name cloud-governance -e policy="tag_non_cluster" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e tag_operation="read/update/delete" -e mandatory_tags="{'Owner': 'Name','Email': 'name@redhat.com','Purpose': 'test'}" -e log_level="INFO" -v "/etc/localtime":"/etc/localtime" "quay.io/ebattat/cloud-governance"
+
+# policy=tag_iam_user
+sudo podman run --rm --name cloud-governance -e policy="tag_iam_user" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e user_tag_operation="read/update/delete" -e remove_tags="['Environment', 'Test']" -e username="test_username" -e file_name="tag_user.csv" -e log_level="INFO" -v "/home/user/tag_user.csv":"/tmp/tag_user.csv" --privileged "quay.io/ebattat/cloud-governance"
+
+# policy=cost_explorer
+sudo podman run --rm --name cloud-governance -e policy="cost_explorer" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e es_host="$elasticsearch_host" -e es_port="$elasticsearch_port" -e es_index="$elasticsearch_index" -e cost_metric=UnblendedCost -e start_date="$start_date" -e end_date="$end_date" -e granularity="DAILY" -e cost_explorer_tags="['User', 'Budget', 'Project', 'Manager', 'Owner', 'LaunchTime', 'Name', 'Email']" -e log_level="INFO" "quay.io/ebattat/cloud-governance:latest"
+sudo podman run --rm --name cloud-governance -e policy="cost_explorer" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e es_index="elasticsearch_index" -e cost_metric="UnblendedCost" -e start_date="$start_date" -e end_date="$end_date" -e granularity="DAILY" -e cost_explorer_tags="['User', 'Budget', 'Project', 'Manager', 'Owner', 'LaunchTime', 'Name', 'Email']" -e file_name="cost_explorer.txt" -v "/home/cost_explorer.txt":"/tmp/cost_explorer.txt" -e log_level="INFO" "quay.io/ebattat/cloud-governance:latest"
+
+# policy=validate_iam_user_tags
+sudo podman run --rm --name cloud-governance -e policy="validate_iam_user_tags" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e validate_type="spaces/tags" -e user_tags="['Budget', 'User', 'Owner', 'Manager', 'Environment', 'Project']" -e log_level="INFO" "quay.io/ebattat/cloud-governance:latest"
+
+# policy=gitleaks
+sudo podman run --rm --name cloud-governance -e policy="gitleaks" -e git_access_token="$git_access_token" -e git_repo="https://github.com/redhat-performance/cloud-governance" -e several_repos="no" -e log_level="INFO" "quay.io/ebattat/cloud-governance"
+
+# custom cloud custodian policy (path for custom policy: -v /home/user/custodian_policy:/custodian_policy)
+sudo podman run --rm --name cloud-governance -e policy="/custodian_policy/policy.yml" -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" -e AWS_DEFAULT_REGION="us-east-2" -e dry_run="yes" -e policy_output="s3://bucket/logs" -e log_level="INFO" -v "/home/user/custodian_policy":"/custodian_policy" --privileged "quay.io/ebattat/cloud-governance"
+
+```
+
+## Run IBM Policy Using Podman
+
+```sh
+# policy=tag_baremetal
+podman run --rm --name cloud-governance -e policy="tag_baremetal" -e account="$account" -e IBM_API_USERNAME="$IBM_API_USERNAME" -e IBM_API_KEY="$IBM_API_KEY" -e SPREADSHEET_ID="$SPREADSHEET_ID" -e GOOGLE_APPLICATION_CREDENTIALS="$GOOGLE_APPLICATION_CREDENTIALS" -v $GOOGLE_APPLICATION_CREDENTIALS:$GOOGLE_APPLICATION_CREDENTIALS -e LDAP_USER_HOST="$LDAP_USER_HOST" -e tag_operation="update" -e log_level="INFO" -v "/etc/localtime":"/etc/localtime" "quay.io/ebattat/cloud-governance:latest"
+
+# tag=tab_vm
+podman run --rm --name cloud-governance -e policy="tag_vm" -e account="$account" -e IBM_API_USERNAME="$IBM_API_USERNAME" -e IBM_API_KEY="$IBM_API_KEY" -e SPREADSHEET_ID="$SPREADSHEET_ID" -e GOOGLE_APPLICATION_CREDENTIALS="$GOOGLE_APPLICATION_CREDENTIALS" -v $GOOGLE_APPLICATION_CREDENTIALS:$GOOGLE_APPLICATION_CREDENTIALS -e LDAP_USER_HOST="$LDAP_USER_HOST" -e tag_operation="update" -e log_level="INFO" -v "/etc/localtime":"/etc/localtime" "quay.io/ebattat/cloud-governance:latest"
+
+```
+
+## Run Policy Using Pod
+
+#### Run as a pod job via OpenShift
+
+Job Pod: [cloud-governance.yaml](pod_yaml/cloud-governance.yaml)
+
+Configmaps: [cloud_governance_configmap.yaml](pod_yaml/cloud_governance_configmap.yaml)
+
+Quay.io Secret: [quayio_secret.sh](pod_yaml/quayio_secret.sh)
+
+AWS Secret: [cloud_governance_secret.yaml](pod_yaml/cloud_governance_secret.yaml)
+
+ * Need to convert secret key to base64 [run_base64.py](pod_yaml/run_base64.py)
+
+## Pytest
+
+##### Cloud-governance integration tests using pytest
+```sh
+python3 -m venv governance
+source governance/bin/activate
+(governance) $ python -m pip install --upgrade pip
+(governance) $ pip install coverage
+(governance) $ pip install pytest
+(governance) $ git clone https://github.com/redhat-performance/cloud-governance
+(governance) $ cd cloud-governance
+(governance) $ coverage run -m pytest
+(governance) $ deactivate
+rm -rf *governance*
+```
+
+## Post Installation
+
+#### Delete cloud-governance image
+```sh
+sudo podman rmi quay.io/ebattat/cloud-governance
+```
+
+
+%prep
+%autosetup -n cloud-governance-1.1.86
+
+%build
+%py3_build
+
+%install
+%py3_install
+install -d -m755 %{buildroot}/%{_pkgdocdir}
+if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi
+if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi
+if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi
+if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi
+pushd %{buildroot}
+if [ -d usr/lib ]; then
+ find usr/lib -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/lib64 ]; then
+ find usr/lib64 -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/bin ]; then
+ find usr/bin -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/sbin ]; then
+ find usr/sbin -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+touch doclist.lst
+if [ -d usr/share/man ]; then
+ find usr/share/man -type f -printf "/%h/%f.gz\n" >> doclist.lst
+fi
+popd
+mv %{buildroot}/filelist.lst .
+mv %{buildroot}/doclist.lst .
+
+%files -n python3-cloud-governance -f filelist.lst
+%dir %{python3_sitelib}/*
+
+%files help -f doclist.lst
+%{_docdir}/*
+
+%changelog
+* Tue Apr 11 2023 Python_Bot <Python_Bot@openeuler.org> - 1.1.86-1
+- Package Spec generated
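Review bot: The `%description help` body, from the badge links down to the "Delete cloud-governance image" block just before `%prep`, is the upstream README pasted verbatim, and it repeats the README text whose tail is visible just above `%package help`. RPM descriptions are displayed as plain text, so the Markdown badges, the `![](images/...)` images and relative links such as `pod_yaml/run_base64.py` resolve to nothing. Replace it with a two or three line plain-text description and leave the README to the docs copied under `%{_pkgdocdir}`. If the text stays, two things in it deserve a second look before it ships as package metadata: the `tag_iam_user` and custom custodian commands add `--privileged` where the only extra requirement shown is a `-v` bind mount, and the pytest steps end with `rm -rf *governance*` run after `cd cloud-governance`, so it acts inside the clone and leaves the `governance` venv created one level up in place. Separately, the spec goes from `%install` straight to `%files` with no `%check` section, so nothing exercises the built package; an import smoke test would be a reasonable minimum, since the documented pytest run is an integration suite.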