VMware Tanzu CloudHealth: Policies may execute without intended filters

VMware Engineering teams have fixed the issue and services are operating as expected. This incident stands resolved and there will be no further updates.

Start Time: November 18, 2023 01:00 UTC End Time: November 19, 2023 00:00 UTC

Current Impact: None

An edge case has been discovered that could lead to policy actions executing against unintended resources.

If a policy is configured with a filter against a specific set of resources, and the filtered targets are removed from the CloudHealth platform, the policy will continue to execute without this filter applied. This can potentially cause a policy to execute on resources that were beyond intended scope of the policy.

Example: If a policy is configured to filter against an AWS account, and that account is deleted from the CloudHealth platform, the policy filter will then evaluate against all AWS accounts from the point of account deletion.

To ensure this edge case does not lead to any policies executing with an unintended scope, a platform fix is currently in development and we will provide an update as soon as it is deployed to the platform.

NOTE: This has the potential to impact any policy that allows filtering on resources that can be deleted from the CloudHealth platform. E.g. Policies filtering on AWS Accounts, Azure Subscriptions, GCP Projects.

As a best practice, it's also recommended to apply an authorizer or approver to any policies that may execute actions that make changes to public cloud resources -

https://docs.vmware.com/en/VMware-Aria-Cost/SaaS/using-and-managing-vmware-aria-cost/GUID-aws-governance-using-policies.html#add-authorizers-and-approvers-4

Current Status and Action Plan: The engineering team is currently developing a code fix.

Start Time: November 18, 2023 01:00 UTC End Time: N/A

Current Impact: CloudHealth Policies across AWS/Azure/GCP