Bug fixes
- Fixed the issue where the search path setting was not retained while navigating to a different dashboard. (#325)
Subscribe to all changelog posts via RSS or follow #changelog on our Slack community to stay updated on everything we ship.
Bug fixes
What's new?
Resource Types
Control Types
Policy Types
Action Types
What's new?
Added:
In Azure > Compute > Disk:
supportedCapabilities.diskControllerTypes
diskIopsReadWrite
lastOwnershipUpdateTime
In Azure > Compute > Virtual Machine:
resources
timeCreated
etag
In Azure > Compute > Virtual Machine Scale Set:
constrainedMaximumCapacity
etag
scaleInPolicy
timeCreated
upgradePolicy
storageProfile. diskControllerType
In Azure > Compute > Snapshot:
dataAccessAuthMode
incrementalSnapshotFamilyId
Removed:
In Azure > Compute > Virtual Machine:
statuses.time
Bug fixes
What's new?
Added:
Azure > App Service > App Service Plan
elasticScaleEnabled
numberOfWorkers
zoneRedundant
Azure > App Service > Function App
configuration.acrUseManagedIdentityCreds
configuration.acrUserManagedIdentityID
configuration.elasticWebAppScaleLimit
configuration.ipSecurityRestrictionsDefaultAction
configuration.metadata
configuration.minTlsCipherSuite
configuration.scmIpSecurityRestrictionsDefaultAction
dnsConfiguration
publicNetworkAccess
vnetBackupRestoreEnabled
vnetContentShareEnabled
vnetImagePullEnabled
vnetRouteAllEnabled
Azure > App Service > Web App
configuration.acrUseManagedIdentityCreds
configuration.acrUserManagedIdentityID
configuration.elasticWebAppScaleLimit
configuration.ipSecurityRestrictionsDefaultAction
configuration.metadata
configuration.minTlsCipherSuite
configuration.scmIpSecurityRestrictionsDefaultAction
dnsConfiguration
publicNetworkAccess
vnetBackupRestoreEnabled
vnetContentShareEnabled
vnetImagePullEnabled
vnetRouteAllEnabled
Bug fixes
What's new?
What's new?
Renamed:
JitNetworkAccessPolicies
to jitNetworkAccessPolicies
Pricing
to pricing
Locations
to locations
Bug fixes
What's new?
Bug fixes
What's new?
Added:
frontdoorId
rulesEngines
extendedProperties
backendPoolsSettings
backendPool.privateLinkAlias
backendPool.privateLinkLocation
backendPool.privateEndpointStatus
backendPool.privateLinkResourceId
backendPool.privateLinkApprovalMessage
routingRule.rulesEngine
routingRule.routeConfiguration.odataType
routingRule.routeConfiguration.cacheConfiguration.cacheDuration
routingRule.routeConfiguration.cacheConfiguration.queryParameters
routingRule.webApplicationFirewallPolicyLink
Modified:
routingRule.backendPool
to routingRule.routeConfiguration.backendPool
routingRule.forwardingProtocol
to routingRule.routeConfiguration.forwardingProtocol
routingRule.customForwardingPath
to routingRule.routeConfiguration.customForwardingPath
routingRule.cacheConfiguration.dynamicCompression
to routingRule.routeConfiguration.cacheConfiguration. dynamicCompression
routingRule.cacheConfiguration.queryParameterStripDirective
to routingRule.routeConfiguration.cacheConfiguration. queryParameterStripDirective
Bug fixes
What's new?
Bug fixes
What's new?
Added:
networkProfile.podCidrs
networkProfile.ipFamilies
networkProfile.outboundType
networkProfile.serviceCidrs
networkProfile.networkPolicy
networkProfile.loadBalancerProfile.backendPoolType
networkProfile.loadBalancerProfile.countIPv6
networkProfile.loadBalancerProfile.idleTimeoutInMinutes
networkProfile.loadBalancerProfile.allocatedOutboundPorts
agentPoolProfiles.mode
agentPoolProfiles.osSKU
agentPoolProfiles.enableFips
agentPoolProfiles.osDiskType
agentPoolProfiles.spotMaxPrice
agentPoolProfiles.scaleDownMode
agentPoolProfiles.enableUltraSSD
agentPoolProfiles.kubeletDiskType
agentPoolProfiles.upgradeSettings.maxSurge
agentPoolProfiles.nodeImageVersion
agentPoolProfiles.enableEncryptionAtHost
agentPoolProfiles.currentOrchestratorVersion
Bug fixes
What's new?
Added:
hostNamePrefix
serverless. connectionTimeoutInSeconds
Bug fixes
What's new?
Added:
Azure > Service Bus > Namespace
disableLocalAuth
status
zoneRedundant
Azure > Service Bus > Queue
maxMessageSizeInKilobytes
Azure > Service Bus > Topic
maxMessageSizeInKilobytes
Bug fixes
What's new?
Bug fixes
What's new?
Added: Azure > Recovery Service > Vault
properties.backupStorageVersion
properties.bcdrSecurityLevel
properties.publicNetworkAccess
properties.restoreSettings
properties.secureScore
properties.securitySettings
Bug fixes
Bug fixes
AWS > RoboMaker > Robot Application > CMDB
, AWS > RoboMaker > Fleet > CMDB
and AWS > RoboMaker > Robot > CMDB
policies will now be set to Skip
by default because the resource types have been deprecated and will be removed in the next major version. Please check end of support for more information.What's new?
AWS > ECS > Account Settings > Fargate FIPS Mode
policy.Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Resource Types
Control Types
Policy Types
Action Types
What's new?
Server
UI
+
sign to grant permissions in the context of both the identity and resource.Bug fixes
Server
UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Enhancements
blocks
to the post_message
pipeline. (#24) (Thanks @johnlayton for the contribution!)Bug fixes
resource/turbot_policy_pack_attachment
: terraform apply
failed to detect existing Policy Pack attachments. (#181)What's new?
Added:
flowType
requestSource
Bug fixes
What's new?
Bug fixes
Resource Types
Policy Types
What's new?
AWS/User
grant should include support:*
permissions. To get started, set the AWS > Account > Permissions > Support Level
policy.Policy Types
Bug fixes
AWS > Turbot > IAM
stack control did not correctly evaluate user memberships in custom IAM groups when the AWS > Turbot > Permissions > Custom Group Levels [Account]
policy was set, and users were granted permissions for those custom IAM groups. This issue has now been fixed.Bug fixes
AWS > EC2 > Volume > CMDB
control would sometimes run unnecessarily due to a bad internal GraphQL dependency. This is now fixed.Bug fixes
Kubernetes > Cluster > CMDB > Expiration
policy was inadvertently added to the Kubernetes > Cluster > CMDB
control. This precheck condition has now been removed.Resource Types
Control Types
Policy Types
Action Types
What's new?
What's new?
Bug fixes
rules
column in okta_signon_policy
, okta_password_policy
, okta_idp_discovery_policy
and okta_authentication_policy
tables to correctly return data instead of null
. (#145)Dependencies
1.22
. (#146)All Pipes workspaces are now running Steampipe v0.24.0.
For more information on this Steampipe release, see the release notes.
Bug fixes
Enforce: Enabled
for the service.What's new?
Added:
authOptions
disableLocalAuth
encryptionWithCmk
networkRuleSet
privateEndpointConnections
publicNetworkAccess
semanticSearch
sharedPrivateLinkResources
Bug fixes
Enhancements
netgo
package.version
flag to the plugin's Export tool. (#65)Bug fixes
Dependencies
1.22
. (#43)What's new?
What's new?
What's new?
Action Types
Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.What's new?
Added: Azure > Synapse Analytics > Workspace
azureADOnlyAuthentication
createManagedPrivateEndpoint
encryption
extraProperties
publicNetworkAccess
settings
trustedServiceBypassEnabled
workspaceUID
Azure > Synapse Analytics > SQL Pool
storageAccountType
Bug fixes
What's new?
Action Types
What's new?
Added:
authConfig
dataEncryption
standbyAvailabilityZone
network. delegatedSubnetResourceId
network. privateDnsZoneArmResourceId
replicaCapacity
replicationRole
systemData
configurations.documentationLink
configurations.isConfigPendingRestart
configurations.isDynamicConfig
configurations.isReadOnly
configurations.unit
Modified:
firewallRules
has been changed from array ([]
) to object ({}
).Bug fixes
What's new?
Bug fixes
Bug fixes
Dependencies
1.22
. (#450)What's new?
Enhancements
connection_info
column to the gcp_alloydb_instance
table. (#651)Bug fixes
name
column from the gcp_bigquery_table
table since the API response did not include this field. (#648)Dependencies
1.22
. (#635)Bug fixes
steampipe -v
command. (#4388)Bug fixes
Deprecations
Bug fixes
Dependencies
Bug fixes
trigger
introspection output correctly shows param
attribute. (#900)Bug fixes
serviceProperties.table.clientRequestId
and serviceProperties.table.requestId
properties for storage accounts have now been made dynamic
to avoid unnecessary notifications in the activity tab.Bug fixes
Whats new
columns
property containing the column information. This allows us to handle duplicate column names by appending a unique suffix to duplicate column name (#4317)Existing query JSON format:
$ steampipe query "select account_id, arn from aws_account" --output json{ "rows": [ { "account_id": "123456789012", "arn": "arn:aws:::123456789012" } ]}
New query JSON format(with new columns
property):
$ steampipe query "select account_id, arn from aws_account" --output json{ "columns": [ { "name": "account_id", "data_type": "text" }, { "name": "arn", "data_type": "text" } ], "rows": [ { "account_id": "123456789012", "arn": "arn:aws:::123456789012" } ]}
Bug fixes
What's new?
tags
argument in pipeline param
and mod variable
resources. (#898).Docker
dependency to v27.1.2.What's new?
Policy Types
Bug fixes
osquery
error events.Bug fixes
osquery
agent.What's new?
Enhancements
time_created
column to the azure_compute_virtual_machine
table. (#831)ip_configuration
, linked_public_ip_address
, nat_gateway
and service_public_ip_address
columns to the azure_public_ip
table. (#836)azure_postgresql_flexible_server
table. (#824)Bug fixes
ip_configurations
column of the azure_subnet
table to correctly return data instead of null
. (#822)web_application_firewall_configuration
column of azure_application_gateway
table to correctly return data instead of null
. (#835)Dependencies
1.22
. (#832)azure_mysql_flexible_server
and azure_postgresql_flexible_server
tables to use the new Azure ARM Go package. (#820)What's new?
Enhancements
aws_ec2_ami
table to correctly return disabled AMIs on passing the disabled
value to the state
optional qual (where state = 'disabled'
). (#2277)AWS Go SDK v2 1.27.0
. (#2139)Dependencies
1.22
. (#2283)Bug fixes
source
attribute in function step is now evaluated relative to the its mod directory rather than the root mod directory. (#895).What's new?
powerpipe benchmark run aws_compliance.benchmark.acsc_essential_eight
). (#823)What's new?
Policy Types
Control Types
Policy Types
What's new?
Policy Types
Control Types
Policy Types
What's new?
Policy Types
What's new?
Policy Types
Bug fixes
modifyVolume
event for EBS Volume Notifications. This issue is now fixed.What's new?
Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
Action Types
What's new?
Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
What's new?
Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
What's new?
Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
Bug fixes
What's new?
Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
What's new?
Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
What's new?
createdBy
details in Guardrails CMDB.Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
AWS > EC2 > Volume > Performance Configuration
control would sometimes fail to set the expected configuration per AWS > EC2 > Volume > Performance Configuration > *
policies and move to an Invalid state if the required data was not available for new volumes in the CMDB. The control will now move to TBD instead and retry after 5 minutes to fetch the required data correctly and set the performance configuration as expected.What's new?
Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
What's new?
Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
What's new?
Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.Enhancements
VPC Security Group
detail page now includes information on the following associated services: (#352) (Thanks @maxcorbin for the contribution!)Amazon MQ broker
ECS service
ECS task
GCP integrations now make use of temporary credentials via service account impersonation using the Service Account Token Creator role.
For more information, check out the docs.
What's new?
Azure > Storage> Storage Account > CMDB
control will now also fetch diagnostic settings details and store them in CMDB.Resource Types
Control Types
Policy Types
Bug fixes
What's new?
Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
What's new?
powerpipe benchmark run gcp_compliance.benchmark.soc_2_2017
). (#181)Bug fixes
Import Set
controls will not require permissions to read the sys_db_object
& sys_dictionary
tables in ServiceNow.Bug fixes
Import Set
controls will not require permissions to read the sys_db_object
& sys_dictionary
tables in ServiceNow.Bug fixes
Import Set
controls will not require permissions to read the sys_db_object
& sys_dictionary
tables in ServiceNow.Bug fixes
Import Set
controls will not require permissions to read the sys_db_object
& sys_dictionary
tables in ServiceNow.Control Types
Policy Types
Bug fixes
Import Set
controls will not require permissions to read the sys_db_object
& sys_dictionary
tables in ServiceNow.Bug fixes
Import Set
controls will not require permissions to read the sys_db_object
& sys_dictionary
tables in ServiceNow.Bug fixes
Import Set
controls will not require permissions to read the sys_db_object
& sys_dictionary
tables in ServiceNow.Bug fixes
Import Set
controls will not require permissions to read the sys_db_object
& sys_dictionary
tables in ServiceNow.Bug fixes
Import Set
controls will not require permissions to read the sys_db_object
& sys_dictionary
tables in ServiceNow.What's new?
AWS > RDS > DB Cluster > Parameter Group > *
policies.Control Types
Policy Types
Action Types
Bug fixes
Bug fixes
Enforce: Enabled
for the service.Enhancements
base_tag_rules
variable. (#18)Enhancements
base_tag_rules
variable. (#28)Bug fixes
Bug fixes
Server
UI
Import
button on the Connect page has been updated to Connect
.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
What's new?
You can now configure Master Authorized Networks for region and zone clusters via Guardrails. To get started, set the GCP > Kubernetes Engine > Region Cluster > Master Authorized Networks Config
and GCP > Kubernetes Engine > Zone Cluster > Master Authorized Networks Config
policies respectively.
Improved descriptions for various resource types to ensure they are clearer and more helpful.
Control Types
Policy Types
Action Types
What's new?
Bug fixes
Resource Types
Control Types
Policy Types
Action Types
What's new?
Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
Enforce: Enabled but ignore permission errors
. However, the CMDB control previously ignored permission errors only on the HeadBucket
operation and still entered an error state for permission errors on sub-API calls. The CMDB control will now ignore all sub-API calls if the HeadBucket
operation is denied access. If the HeadBucket operation is successful, the control will attempt to make all sub-API calls and ignore access denied errors if encountered.Bug fixes
pipeline param
no longer fails with a mismatched types
error. (#879).What's new?
Resource Types
Control Types
Policy Types
Action Types
Resource Types
Control Types
Policy Types
Action Types
What's new?
Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
AWS > VPC > VPC > Stack
control would sometimes go into an error state while upserting newly created flow logs in Guardrails due to incorrect mapping of its parent resource. This issue has now been fixed, and the control will upsert flow logs more consistently and reliably than before.Bug fixes
Enforce: Enabled
for the service.What's new?
rds-ca-rsa4096-g1
.Resource Types
Control Types
Policy Types
Action Types
What's new?
AWS > Turbot > Logging > Bucket > Default Encryption
policy is now deprecated because all buckets are now encrypted by default in AWS. As a result, all buckets created and managed via the AWS > Turbot > Logging > Bucket
stack control will now be encrypted by AWS SSE
by default. We've also removed ACL settings for buckets and now apply bucket ownership controls instead via the stack control to align with the latest AWS recommendations. Please upgrade the @turbot/aws-s3
mod to v5.26.0 for the stack control to work reliably as before.Policy Types
Renamed
What's new?
aws_s3_bucket_ownership_controls
Terraform resource for buckets.What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
What's new?
AWS > Config > Configuration Recording
stack control. To get started, set the AWS > Config > Configuration Recording > Terraform Version
policy. We recommend using versions 0.11, 0.12, or 0.15 for this control to create and manage resources effectively and reliably.Policy Types
What's new?
What's new?
Enhancements
euuid
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Linode accounts. (#56)netgo
package. (#60)version
flag to the plugin's Export tool. (#65)Dependencies
QueryData
passed to ConnectionKeyColumns
value callback is populated with ConnectionManager
. (#55)What's new?
GCP > Turbot > Event Handlers > Pub/Sub
control. To get started, set the GCP > Turbot > Event Handlers > Pub/Sub > Topic > Labels
policy.Policy Types
Bug fixes
ec2:RevokeSecurityGroupEgress
and ec2:RevokeSecurityGroupIngress
events. This issue is now fixed.Bug fixes
AWS > Turbot > Event Handlers
control did not correctly raise the real-time CreateTags
and DeleteTags
events for VPC security group rules. This issue is now fixed.Enhancements
Reader
and Data Access
role assignment information to the docs/index.md
file. (#811)Bug fixes
azure_compute_virtual_machine
table to correctly populate the guest_configuration_assignments
column across all Azure
environments. (#816)azure_role_assignment
table to correctly return the result while using any mode of plugin authentication. (#809)azure_monitor_activity_log_event
table. (#810)Enhancements
location_type
column as an optional qual to the aws_ec2_instance_availability
table and 6 new columns to the aws_ec2_instance_type
table. (#2078)aws_appautoscaling_policy
and aws_appautoscaling_target
tables to add information on required quals. (#2247)type
column as an optional qual to the aws_auditmanager_control
table. (#2254)Bug fixes
GetConfig
definition of the aws_auditmanager_control
table to correctly return data instead of an error. (#2254)aws_kms_key_rotation
table to correctly return nil
whenever an AccessDeniedException
error is returned by the API. (#2253)What's new?
GCP > Network > Subnetwork > Flow Log
policy.Control Types
Policy Types
Action Types
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Resource Types
Control Types
Policy Types
Action Types
Bug fixes
variable
command no longer fails if the .flowpipe
directory in the user's home directory is not created yet. (#872).What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
What's new?
GCP > IAM > Service Account > Active
or GCP > IAM > Service Account > Approved
policy to Enforce: Disable inactive with <x> days warning
or Enforce: Disable unapproved
respectively.Action Types
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Bug fixes
AWS > ECR > Repository > CMDB
control went into an error state for shared repositories upserted incorrectly in Guardrails CMDB. Shared repositories will now not be upserted under shared accounts or regions, but will only be upserted under their owner accounts and regions.Bug fixes
ec2:CreateReplaceRootVolumeTask
for instances. This is now fixed.Enhancements
All Controls
benchmark: (#176)alloydb_instance_log_error_verbosity_database_flag_default_or_stricter
alloydb_instance_log_min_error_statement_database_flag_configured
alloydb_instance_log_min_messages_database_flag_error
Enhancements
All Controls
benchmark: (#274)application_gateway_waf_uses_specified_mode
application_insights_block_log_ingestion_and_querying_from_public
log_analytics_workspace_block_log_ingestion_and_querying_from_public
log_analytics_workspace_block_non_azure_ingestion
Bug fixes
storage_account_block_public_access
query to correctly check if the public_network_access
column of the azure_storage_account
table is correctly set to disabled
or not as per the CIS documentation. (#277)v0.14.0 of the Terraform Provider for Pipes is now available.
Breaking Changes
resources/pipes_workspace_connection
moved to manage connections at the workspace level. Previously, the resource used to manage attachment
of connections to the workspace defined at the respective identity level. Please follow the migration guide for migrating your existing configuration into the new model.resources/pipes_connection
does not support management of user level connections in line with changes in Pipes.What's new?
pipes_organization_connection
pipes_organization_connection_folder
pipes_organization_connection_folder_permission
pipes_organization_connection_permission
pipes_organization_integration
pipes_tenant_connection
pipes_tenant_connection_folder
pipes_tenant_connection_folder_permission
pipes_tenant_connection_permission
pipes_tenant_integration
pipes_user_integration
pipes_workspace_connection_folder
pipes_workspace_schema
Enhancements
resources/pipes_workspace_mod
add support for storing attribute state_reason
v0.10.0 of the Pipes SDK Go is now available.
What's new?
Tenants
, Users
, Organizations
, UserWorkspaces
and OrgWorkspaces
.Connections
and ConnectionFolders
.Enhancements
What's new?
Server
UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Azure > Resource Group > ServiceNow > Configuration Item
control would fail to fetch instance credentials internally and did not process the data correctly in ServiceNow. This issue has now been fixed.Bug fixes
Bug fixes
Bug fixes
Control Types
Policy Types
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
What's new?
What's new?
What's new?
AWS/DynamoDB/Admin
, AWS/DynamoDB/Metadata
and AWS/DynamoDB/Operator
now include permissions for Resource Policy, Imports, Time to Live and Global Table Version.Breaking changes
gcp_cloudfunctions_function
table to align with the new API response structure: (#612)environment_variables
source_upload_url
version_id
What's new?
impersonate_access_token
config argument to support plugin authentication by using a pre-generated temporary access token. (#621)Enhancements
gcp_cloudfunctions_function
table. (#612)Bug fixes
SecretManager
service client creation. (#624)What's new?
Control Types
Policy Types
What's new?
Control Types
Policy Types
What's new?
Table logging
for Storage Accounts
via Azure > Storage > Storage Account > Table > Logging
control. To get started, set the Azure > Storage > Storage Account > Table > Logging
policy.Control Types
Policy Types
Action Types
Azure > Storage > Storage Account > Update Encryption at Rest
Azure > Storage > Storage Account > Update Storage Account Table Logging
The Storage Account CMDB data will now also include information about the account's table service properties.
We've removed the dependency on listKeys
permission for Azure > Storage Account > Container > Discovery
to run its course to completion. This release includes breaking changes in the CMDB data for containers. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.
Renamed:
isImmutableStorageWithVersioningEnabled
to isImmutableStorageWithVersioning.enabled
Removed:
preventEncryptionScopeOverride
Bug fixes
Azure > Storage > Storage Account > CMDB
control would go into an error state while trying to fetch default Queue and Blob properties if Guardrails did not have permission to list the storage account keys. The control will now not attempt to fetch default Queue and Blob properties if Guardrails does not have the required access for listKeys
, and will run its course to completion without going into an error state.Bug fixes
AWS > S3 > Bucket > CMDB
control if it would go into an error state due to insufficient permissions for the headBucket
operation.What's new?
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Import a tree of folders and projects as Pipes connections, control permissions for workspaces, and auto-create aggregators.
For more information, see the launch post or check out the docs.
You can now create connections at the custom tenant, organization or workspace level in Pipes, along with grouping of these within folders to allow easier sharing of related connections.
This is coupled with a fine-grained permissions model, allowing you to share connections & folders broadly across a custom tenant, or restrict access to specific organizations and/or their workspaces.
For more information, check out the docs:
Import a tree of management groups and subscriptions as Pipes connections, control permissions for workspaces, and auto-create aggregators.
For more information, see the launch post or check out the docs.
Import a tree of OUs and accounts as Pipes connections, control permissions for workspaces, and auto-create aggregators.
For more information, see the launch post or check out the docs.
What's new?
Control Types
Policy Types
What's new?
Resource Types
Control Types
Policy Types
Action Types
Bug fixes
What's new?
AWS > S3 > Bucket > CMDB
control would go into an error state if Guardrails did not have permissions to call the headBucket
operation on a bucket. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set the AWS > S3 > Bucket > CMDB
policy to Enforce: Enabled but ignore permission errors
.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Azure > App Service > Web App > Client Certificate Mode
control, ensuring that the Client Certificate Mode is set to Require
correctly. However, we missed an edge case where the control wouldn’t enforce any mode other than the default setting of Ignore
. We have now addressed all cases, and the control will work more reliably and consistently than before.What's new?
flowpipe pipeline run
command when running in Client mode and not using the --verbose
arg.--data-dir
parameter to specify the location of the event store database. (#852).--execution-id
parameter to specify custom execution id for pipeline run. (#856).Go
version to v1.22.4.Bug fixes
What's new?
detect and correct
pipelines to identify unused and underutilized GCP resources, as well as deprecated resource configurations. These pipelines also suggest potential remediation actions to optimize costs. For usage information and a full list of pipelines, please see GCP Thrifty Mod.What's new?
env
, owner
).secret
, key
).cc
to cost_center
).Prod
to prod
).For detailed usage information and a full list of pipelines, please see GCP Labels Mod.
What's new?
detect and correct
pipelines to identify unused and underutilized Azure resources, as well as deprecated resource configurations. These pipelines also suggest potential remediation actions to optimize costs. For usage information and a full list of pipelines, please see Azure Thrifty Mod.What's new?
env
, owner
).secret
, key
).cc
to cost_center
).Prod
to prod
).For detailed usage information and a full list of pipelines, please see Azure Tags Mod.
What's new?
What's new?
env
, owner
).secret
, key
).cc
to cost_center
).Prod
to prod
).For detailed usage information and a full list of pipelines, please see AWS Tags Mod.
What's new?
What's new?
Server
UI
Smart Folders
are now called Policy Packs
.Policy Packs
from UI.Bug fixes
Server
UI
Policy Packs
from the UI.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Enforce: Sync
policy value for integrating Import Sets in ServiceNow.Control Types
Policy Types
Control Types
Policy Types
Control Types
Policy Types
Control Types
Policy Types
Control Types
Policy Types
What's new?
What's new?
Bug fixes
power_state
column of the azure_compute_virtual_machine
table to correctly return data instead of a nil pointer dereference
error. (#804)Bug fixes
Azure > App Service > Web App > Client Certificate Mode
control did not apply Enforce: Require
settings correctly. This is now fixed.What's new?
google_monitoring_alert_policy
and google_monitoring_notification_channel
Terraform resources.Control Types
Policy Types
What's new?
google_logging_metric
Terraform resource.Control Types
Policy Types
Bug fixes
Azure > Storage > Storage Account > Queue > Logging
control failed to set queue logging properties correctly. This issue has been fixed, and the control will now function correctly as intended.Bug fixes
Bug fixes
Bug fixes
What's new?
insecure_skip_verify
connection config argument to support bypassing the SSL/TLS
certificate verification while querying the tables. (#48)Enhancements
netgo
package.Dependencies
Bug fixes
What's new?
GCP > Compute > Instance > Shielded Instance Configuration > *
policies.Control Types
Policy Types
Action Types
What's new?
Azure > CIS v2.0 > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
control will also evaluate SQL databases for SKU Basic/Consumption.Control Types
Policy Types
Bug fixes
Azure > CIS v2.0 > 4 - Database Services > 01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
control did not evaluate the result correctly, as expected. This is now fixed.The CrowdStrike plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
What's new?
DOCUMENTATION:
resource/turbot_policy_pack
: Added documentation for akas
attribute for the resource. (#179)What's new?
GCP > SQL > Instance > Encryption In Transit
policy.Control Types
Policy Types
Action Types
What's new?
Control Types
Policy Types
What's new?
Basic
to Standard
for Public IP Addresss via Azure > Network > Public IP Address > Standard SKU
control. To get started, set the Azure > Network > Public IP Address > Standard SKU
policy.Control Types
Policy Types
Action Types
What's new?
To get started configuring these rules through Guardrails, the following policies should set according to your desired firewall rules configuration:
Azure > Cosmos DB > Database Account > Firewall
- Configure default access rules for the public endpoint
Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved
- Remove unapproved IP ranges
Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required
- Grant access to specific IP ranges
Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved
- Remove unapproved virtual network subnets
Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required
- Grant access to specific virtual network subnets
Please note that if the Azure > Cosmos DB > Database Account > Firewall
policy is set to Enforce: Allow only approved virtual networks and IP ranges
, only applications in the configured IP ranges, virtual network subnets, and trusted Microsoft services will be allowed to access the database accounts. If these boundaries are not properly configured beforehand or an application is outside of these boundaries, it will lose access to the database accounts.
Control Types
Policy Types
Action Types
Bug fixes
Bug fixes
What's new?
Bug fixes
GCP > Project > CMDB
control went into an error state while fetching Access Approval settings for the project if Access Transparency was disabled at the organization level. We have now handled such cases gracefully, and the control will fetch all available details without going into an error state.What's new?
GCP > SQL > Instance > Authorized Network > *
policies.GCP > SQL > Instance > Database Flags
policy.GCP > SQL > CMDB
policy to Enforce: Disabled
.Control Types
Policy Types
Action Types
What's new?
We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Storage resources in Guardrails. This release includes breaking changes in the CMDB data for storage accounts. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.
Renamed:
serviceProperties.blob.DeleteRetentionPolicy
to serviceProperties.blob.deleteRetentionPolicy
serviceProperties.blob.DeleteRetentionPolicy.Days
to serviceProperties.blob.deleteRetentionPolicy.days
serviceProperties.blob.DeleteRetentionPolicy.Enabled
to serviceProperties.blob.deleteRetentionPolicy.enabled
serviceProperties.blob.StaticWebsite
to serviceProperties.blob.staticWebsite
serviceProperties.blob.StaticWebsite.Enabled
to serviceProperties.blob.staticWebsite.enabled
serviceProperties.blob.logging
to serviceProperties.blob.blobAnalyticsLogging
serviceProperties.queue.logging
to serviceProperties.queue.queueAnalyticsLogging
Added:
serviceProperties.blob.deleteRetentionPolicy.AllowPermanentDelete
Modified:
serviceProperties.blob.cors
has been changed from string (""
) to array ([]
).serviceProperties.queue.cors
has been changed from string (""
) to array ([]
).Users can now enable/disable Blob logging
for storage accounts. To get started, set the Azure > Storage > Storage Account > Blob > Logging > *
policies.
Users can now check if storage accounts are approved for use based on Infrastructure Encryption settings. To get started, set the Azure > Storage > Storage Account > Approved > Infrastructure Encryption
policy.
Control Types
Renamed
Policy Types
Renamed
Action Types
Renamed
What's new?
Azure > App Service > Web App > Client Certificate Mode
policy.Control Types
Policy Types
Action Types
What's new?
Enhancements
domain
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Okta organizations. (#120).spc
file for max retries
, request timeout
, and max backoff time
as required. (#112)profile
column to the okta_factor
table. (#130)Dependencies
QueryData
passed to ConnectionKeyColumns
value callback is populated with ConnectionManager
. (#120)Enhancements
organization_id
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Linear accounts. (#34)Bug fixes
Dependencies
QueryData
passed to ConnectionKeyColumns
value callback is populated with ConnectionManager
. (#34)Enhancements
power_state
to the azure_compute_virtual_machine_scale_set_vm
table. (#800) (Thanks @pdepdecatcat for the contribution!)Bug fixes
azure_log_alert
table to correctly return values for actions
, condition
, description
, enabled
, and scopes
columns instead of null
. (#796)What's new?
Resource Types
Control Types
Policy Types
Action Types
What's new?
GCP > BigQuery > Dataset > Encryption at Rest > *
policies.Control Types
Policy Types
Action Types
What's new?
Control Types
Policy Types
Bug fixes
AWS > EC2 > Snapshot > CMDB
policy was set to Enforce: Enabled for Snapshots not created with AWS Backup
. This issue has now been fixed.What's new?
GCP > DNS > Managed Zone > DNSSEC Configuration
policy.GCP > DNS > Policy > Logging
policy.Control Types
Policy Types
Action Types
Bug fixes
What's new?
Azure > Compute > Virtual Machine > Trusted launch
policy.Azure > Compute > Disk > Encryption at Rest > *
policies.Control Types
Policy Types
Action Types
What's new?
Azure > App Service > Web App > System Assigned Identity
policy.Control Types
Policy Types
Action Types
Bug fixes
Azure > App Service > Web App > FTPS State
control failed to set the FTPS State correctly for web apps. This issue is now fixed.What's new?
Policy Types
What's new?
Azure > Network Watcher > Flow Log > Retention Policy > *
policies.Control Types
Policy Types
Action Types
What's new?
Azure > Active Directory > Directory > CMDB
control will now also fetch named locations and authorization policy details and store them in CMDB.Bug fixes
AWS > IAM > Account Password Policy > Settings
control not applying custom settings correctly. This issue is fixed, and the CMDB details will now refresh correctly, allowing the corresponding Settings control to work as expected.What's new?
Bug fixes
What's new?
Azure > Security Center > Security Center > CMDB
control will now also fetch security settings details and store them in CMDB.Bug fixes
Bug fixes
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
The default value for GCP > Storage > Bucket > ServiceNow > Import Set
now shows the resource_type_uri
correctly.
Control Types
Added
Policy Types
Added
What's new?
ServiceNow > Turbot > Watches > GCP Archive and Delete Record
action now supports archiving Import Set
records.Control Types
Added
Policy Types
Added
What's new?
ServiceNow > Turbot > Watches > Azure Archive and Delete Record
action now supports archiving Import Set
records.Bug fixes
ServiceNow > Application > CMDB
, ServiceNow > Cost Center > CMDB
& ServiceNow > User > CMDB
have been updated from Enforce: Enabled
to Skip
.Policy Types
Added
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
OUTBOUND_SECURITY_GROUP_ID
environment variable in Lambda functions now defaults to using the TEF outbound security group when there is no override specified in TEF and TE.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Azure > Network > Network Security Group > Ingress Rules > Approved
and Azure > Network > Network Security Group > Egress Rules > Approved
controls previously deleted an entire rule if at least one of the corresponding port prefixes was rejected, even if the others were approved. These controls will now revoke only the rejected port prefixes instead of deleting the entire rule in such cases.Bug fixes
<nil>
for null
values instead of ""
. (#77)Bug fixes
<nil>
for null
values instead of ""
. (#77)Bug fixes
<nil>
for null
values instead of ""
. (#77)Bug fixes
AWS > RDS > DB Instance > Approved
control will now be skipped for instances that belong to a cluster. To check if a cluster is approved for use, please set the AWS > RDS > DB Cluster > Approved > *
policies.AWS > RDS > DB Instance > Approved
control did not stop an unapproved instance if the corresponding policy was set to Enforce: Stop unapproved
or Enforce: Stop unapproved if new
, and deletion protection for the instance was enabled. The control will now stop instances correctly in such cases.What's new
Enhancements
aws_elasticache_cluster
table. (#2224)Bug fixes
What's new?
EncryptionInTransit
TopicPolicy has shifted from a custom resource to AWS CloudFormation’s AWS::SNS::TopicPolicy
.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Enhancements
log_group_metric_*
queries to minimize API usage, achieving faster performance. (#802)What's new?
Server
UI
Depends-on
tab on the controls page has been renamed to Related
. It now includes the information from the Depends-on tab along with additional related controls information.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Azure > Network > Network Security Group > Ingress Rules > Approved
control would sometimes fail to revoke rejected rules when the corresponding policy was set to Enforce: Delete unapproved
. This has been fixed, and the control will now work more reliably and consistently than before.What's new?
Enhancements
netgo
package. (#101)version
flag to the plugin's Export tool. (#65)Bug fixes
arguments
column of terraform_resource
table to correctly return the type
field. (#99) (#92)Dependencies
What's new?
Enhancements
Bug fixes
Turbot > osquery > Event Handler
action was not able to handle events for large payloads. This issue is now fixed.Bug fixes
GCP > Project > CMDB
control would incorrectly delete a project from Guardrails CMDB if it was unable to fetch Access Approval settings for the project. This issue has been fixed and the control will now attempt to fetch all available details and will not delete the project from CMDB.All Pipes workspaces are now running Steampipe v0.23.2.
For more information on this Steampipe release, see the release notes.
All Pipes workspaces are now running Powerpipe v0.4.0.
For more information on this Powerpipe release, see the release notes.
Bug fixes
Azure > Security Center > Security Center > Auto Provisioning
policy.Control Types
Policy Types
Action Types
Bug fixes
What's new?
Enhancements
aws_s3_bucket
, aws_s3_bucket_intelligent_tiering_configuration
, aws_s3_object
and aws_s3_object_version
tables to use HeadBucket
API instead of GetBucketLocation
to fetch the region that the bucket resides in. (#2082) (Thanks @pdecat for the contribution!)create_time
to aws_ec2_key_pair
table. (#2196) (Thanks @kasadaamos for the contribution!)instance_type
column as an optional qual to the aws_ec2_instance_type
table. (#2200)Bug fixes
akas
column in aws_health_affected_entity
table to correctly return data instead of an error by handling events that do not have any ARN
. (#2189)cname
and endpoint_url
columns of aws_elastic_beanstalk_environment
table to correctly return data instead of null
. (#2201)aws_api_gatewayv2_*
tables to correctly return data instead of an error by excluding support for the new unsupported il-central-1
region. (#2190)What's new?
Enhancements
login_id
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Jira connections. (#119)netgo
package. (#128)version
flag to the plugin's Export tool. (#65)Bug fixes
jira_board
table to correctly return all the data instead of partial results. (#127)Dependencies
What's new?
Bug fixes
public_network_access_for_ingestion
and the public_network_access_for_query
columns of the azure_application_insight
table to be of String
data type instead of JSON
. (#769)azure_role_assignment
table to correctly return values for principal_id
and principal_type
columns instead of null
. (#763)web_application_firewall_configuration
column of the azure_application_gateway
table to correctly return data instead of null
. (#770)What's new?
powerpipe benchmark run azure_compliance.benchmark.fedramp_high
). (#270)What's new?
What's new?
Azure > Security Center > Security Center > Defender Plan
control now also supports services like Cloud Posture, Containers and Cosmos DB.What's new?
Bug fixes
What's new?
Server
@azure/msal-node
package.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
AWS > EC2 > Snapshot > CMDB
policy to Enforce: Enabled for Snapshots not created with AWS Backup
.Bug fixes
AWS > Turbot > Service Roles > Source
policy went to an invalid state if all but the AWS > Turbot > Service Roles > Event Handlers [Global]
policy was enabled. This issue impacted the AWS > Turbot > Service Roles
stack control, preventing the role from being created correctly. This has been fixed, and the AWS > Turbot > Service Roles > Source
policy will now work as expected.Bug fixes
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
control did not evaluate the result correctly, as expected. This is now fixed.Whats new
Bug fixes
POWERPIPE_PORT
env var was not being honoured. (#362)duration
field to duration_ms
for consistency with steampipe. (#368)The rows
property in the JSON
and snapshot
output will now have unique column names for duplicate column names.
The columns property will have the original column name as original_name
.
For example, for the query:
powerpipe query run " select arn as title, account_id as title, title as title from aws_account" --output pps
Here is the updated JSON output:
powerpipe query run " select arn as title, account_id as title, title as title from aws_account" --output json{ "columns": [ { "name": "title", "data_type": "text" }, { "name": "title_t5zj1", "data_type": "text", "original_name": "title" }, { "name": "title_t5zj2", "data_type": "text", "original_name": "title" } ], "rows": [ { "title": "arn:aws:::882789663776", "title_t5zj1": "882789663776", "title_t5zj2": "882789663776" }, ], "metadata": { "rows_returned": 3, "duration_ms": "202ms" }}
Here is the updated snapshot output:
{ "schema_version": "20240130", "panels": { "custom.dashboard.sql_e5br7b82": { "dashboard": "custom.dashboard.sql_e5br7b82", "name": "custom.dashboard.sql_e5br7b82", "panel_type": "dashboard", "source_definition": "", "status": "complete", "title": "Custom query [e5br7b82]" }, "custom.table.results": { "dashboard": "custom.dashboard.sql_e5br7b82", "name": "custom.table.results", "panel_type": "table", "source_definition": "", "status": "complete", "sql": " select arn as title, account_id as title, title as title from aws_account", "properties": { "name": "results" }, "data": { "columns": [ { "name": "title", "data_type": "TEXT" }, { "name": "title_t5zj1", "data_type": "TEXT", "original_name": "title" }, { "name": "title_t5zj2", "data_type": "TEXT", "original_name": "title" } ], "rows": [ { "title": "arn:aws:::876515858155", "title_t5zj1": "876515858155", "title_t5zj2": "morales-aaa" }, { "title": "arn:aws:::882789663776", "title_t5zj1": "882789663776", "title_t5zj2": "882789663776" }, { "title": "arn:aws:::097350876455", "title_t5zj1": "097350876455", "title_t5zj2": "turbot-silverwater" } ] } } }, "inputs": {}, "variables": {}, "search_path": null, "start_time": "2024-06-06T14:50:16.906739+01:00", "end_time": "2024-06-06T14:50:16.991955+01:00", "layout": { "name": "custom.dashboard.sql_e5br7b82", "children": [ { "name": "custom.table.results", "panel_type": "table" } ], "panel_type": "dashboard" }}
What's new?
Updated the existing Flags attribute to include new specific flags that control the operation of Mod Lambda functions within a Virtual Private Cloud (VPC). This update allows Lambdas to use static IP addresses, improving network stability and predictability across different cloud environments. New flags Added to Flags Attribute:
Introduced a new SSM parameter outbound_cidr_ranges to retrieve the Elastic IPs associated with the NAT gateways.
What's new?
Server
osquery/logger
API to support payloads up to 10MB.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Bug fixes
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
control did not evaluate the result correctly, as expected. This is now fixed.What's new?
Bug fixes
Azure > Network > Network Security Group > Ingress Rules > Approved
and Azure > Network > Network Security Group > Egress Rules > Approved
controls previously deleted an entire rule if at least one of the corresponding address prefixes was rejected, even if the others were approved. These controls will now revoke only the rejected address prefix instead of deleting the entire rule in such cases.What's new?
Add support for installing mods from a branch or from the local file system. (#849).
To install from a branch:
flowpipe mod install github.com/turbot/flowpipe-mod-aws-thrifty#main
To reference a mod in the local file system:
flowpipe mod install ../mods/local_mod_folder
Add --pull
flag to mod
command to control the mod update strategy. (#849). Possible update strategies are:
full
- check branch and tags for both latest and accuracylatest
- update everything to latest, but only branches - not tags - are commit checked (which is the same as latest)development
- update branches and broken constraints to latest, leave satisfied constraints unchangedminimal
- only update broken constraints, do not check branches for new commitsBug fixes
What's new?
powerpipe benchmark run azure_compliance.benchmark.rbi_itf_nbfc_v2017
). (#267)Bug fixes
GCP > Turbot > Event Handlers > Logging
would go into an Invalid state because of incorrect filter patterns defined in the GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-bigquerydatatransfer
policy. This is fixed and the control will now work as expected.Bug fixes
compute.networks.delete
for default networks incorrectly, resulting in the inadvertent deletion of those networks from CMDB. This is now fixed.What's new?
Resource Types
Policy Types
What's new?
Control Types
Policy Types
Bug fixes
s3:PutBucketReplication
for buckets. This is now fixed.AWS > S3 > Bucket > Access Logging
control would sometimes go into an error state if the target bucket name started with a number. This is fixed and the control will now work more smoothly and consistently than before.Enhancements
user_id
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Pipes connections. (#27)netgo
package. (#32)version
flag to the plugin's Export tool. (#65)Bug fixes
Pipes
instead of returning a 401
error. (#30)Dependencies
The Semgrep plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
What's new?
Detect and Correct
pipeline for DynamoDB tables with stale data. (#34)What's new?
delete_dynamodb_table
What's new?
Enhancements
login_id
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Github connections. (#422)netgo
package. (#219)version
flag to the plugin's Export tool. (#65)Bug fixes
Dependencies
Bug fixes
v1.11.2
to remove unnecessary NOTICE
level log messages. (#469)What's new?
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2
). (#264)Integrate your developer, team or custom tenant with GitHub, enabling you to install custom Powerpipe mods from public or private repositories. Push changes for instant deploys and live updates.
For more information, see the launch post or check out the docs.
Bug fixes
$logs
) for storage accounts. This is now fixed.Bug fixes
What's new?
Resource Types
Control Types
Policy Types
Action Types
Bug fixes
locals
in order of dependency. (#399).What's new?
Enhancements
Whats new
Added support for installing mods from a branch or from the local file system. (#285)
To install from a branch:
powerpipe mod install github.com/turbot/steampipe-mod-aws-well-architected#main
To reference a mod in the local file system:
powerpipe mod install ../mods/local_mod_folder
Added --pull
flag to mod
, dashboard
and benchmark
commands to control the mod update strategy. (#352). Possible update strategies are:
full
- check branch and tags for both latest and accuracylatest
- update everything to latest, but only branches - not tags - are commit checked (which is the same as latest)development
- update branches and broken constraints to latest, leave satisfied constraints unchangedminimal
- only update broken constraints, do not check branches for new commitsBug fixes
osquery
instead of Osquery
.Bug fixes
Kubernetes > Node
resources will no longer include the conditions.lastHeartbeatTime
or resource_version
properties to avoid unnecessary notifications in the activity tab.What's new?
Resource Types
Policy Types
What's new?
Resource Types
Policy Types
Enhancements
tenant_id
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Microsoft 365 subscriptions. (#50)netgo
package. (#55)version
flag to the plugin's Export tool. (#65)Dependencies
QueryData
passed to ConnectionKeyColumns
value callback is populated with ConnectionManager
. (#50)Enhancements
tenant_id
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Azure subscriptions. (#175)netgo
package. (#180)China cloud
endpoint and scope based on the environment. (#174)version
flag to the plugin's Export tool. (#65)Dependencies
QueryData
passed to ConnectionKeyColumns
value callback is populated with ConnectionManager
. (#175)What's new?
Enhancements
Enhancements
Enhancements
What's new?
Server
api/latest/osquery/enroll
api/latest/osquery/config
api/latest/osquery/logger
serviceNowCredential
resolver specifically for Kubernetes clusters.@turbot/sdk
) to version 5.15.0 and our fn toolkit (@turbot/fn
) to version 5.22.0, to support FIFO queues.UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Control Types
Policy Types
Action Types
What's new?
Resource Types
Control Types
Policy Types
Action Types
What's new?
Resource Types
Control Types
Policy Types
Action Types
Bug fixes
GCP > IAM > Service Account Key > Active
control will no longer attempt to delete a system-managed service account key deemed inactive by the control.What's new?
AWS > IAM > Access Key > Active > Latest
policy.AWS > IAM > Server Certificate > Active > Expired
policy.Policy Types
Enhancements
tenant_id
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple OCI tenants. (#606)netgo
package. (#614)version
flag to the plugin's Export tool. (#65)Dependencies
Enhancements
project
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple GCP projects. (#564)netgo
package. (#580)version
flag to the plugin's Export tool. (#65)****Bug fixes
gcp_cloudfunctions_function
to list gen2
cloud functions. (#568) (Thanks @ashutoshmore658 for the contribution!)Dependencies
Enhancements
netgo
package. (#756)Bug fixes
server_properties
column in the azure_postgresql_flexible_server
table to correctly return data instead of nil
. (#754)Dependencies
QueryData
passed to ConnectionKeyColumns
value callback is populated with ConnectionManager
. (#755)Enhancements
account_id
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Alibaba Cloud accounts. (#406)netgo
package. (#419)version
flag to the plugin's Export tool. (#65)Dependencies
Bug fixes
GCP > Project > CMDB
control would go into an error state if Access Approval API was disabled in GCP. This is now fixed.Enhancements
context_name
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Kubernetes connections. (#217)netgo
package. (#219)version
flag to the plugin's Export tool. (#65)Dependencies
Enhancements
netgo
package for both the Linux and Darwin systems. (#219) (#2180)Bug fixes
aws_ebs_snapshot
table to correctly return data instead of an empty row. (#2185)Dependencies
Whats new
Added support for connection key columns: (#768)
A connection key column
defines a column whose value maps 1-1 to a Steampipe connection
and so can be used to filter connections when executing an aggregator query. These columns are treated as (optional) KeyColumns. This means they are taken into account in the query planning.
Added support for verbose timing information. (#4244)
Added support for pushing down sort order. (#447)
Updated limit pushdown logic to push down the limit if all sort clauses are pushed down. (#458)
Added support for WHERE column=val1 OR column=val2 OR column=val3...
Migrated from plugin registry from GCP to GHCR. (#4232)
Bug fixes
Bug fixes
QueryData
passed to connection key column value callback is populated with ConnectionManager
. (#797) What's new?
/processes
prefix from 1 day to 2 days./osquery
prefix.What's new?
Bug fixes
Azure > Compute > Virtual Machine Scale Set > Tags
control would sometimes fail to update tags correctly for Scale Sets launched via Azure marketplace. This is fixed and the control will now update tags correctly, as expected.What's new?
AWS > VPC > Network ACL > Ingress Rules > Approved > *
policies.Bug fixes
What's new?
AWS > EFS > Mount Target > Approved
policy to Enforce: Delete unapproved
.What's new?
aws_cloudwatch_metric_alarm
resources via Guardrails stacks.Control Types
Policy Types
Bug fixes
aws_securityhub_account
Terraform resource.What's new?
createdBy
details in Turbot CMDB.What's new?
Control Types
Policy Types
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Resource Types:
Control Types:
Policy Types:
Action Types:
What's new?
Control Types
Policy Types
Bug fixes
What's new?
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Enhancements
subscription_id
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Azure subscriptions. (#740)version
flag to the plugin's Export tool. (#65)Bug fixes
Dependencies
Bug fixes
Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved
control did not render correctly on mod inspect. This is now fixed.What's new?
Enhancements
version
flag to the plugin's Export tool. (#65)Bug fixes
Whats new
dashboard_timeout
and benchmark_timeout
--dashboard-timeout
flag for the dashboard run
and server
commands--benchmark-timeout
flag for the benchmark run
commands.POWERPIPE_DASHBOARD_TIMEOUT
and POWERPIPE_BENCHMARK_TIMEOUT
respectively.
(#336)dashboard input list
and dashboard input show
commands.Bug fixes
All new Pipes workspaces will be running Powerpipe v0.2.0 and existing workspaces will be upgraded by Monday 29th April 2024.
For more information on this Powerpipe release, see the release notes.
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Azure > Storage > Storage Account > Data Protection
control would go into an error state when container delete retention policy data was not available in CMDB. This issue is fixed and the control will now work as expected.What's new?
Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > *
and Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > *
policies respectively.Azure > PostgreSQL > Flexible Server > Approved
policy to Enforce: Stop unapproved
or Enforce: Stop unapproved if new
.Control Types
Policy Types
Action Types
Bug fixes
What's new?
Control Types
User consent for applications
is set to Do not allow user consent
Enable Infrastructure Encryption
for Each Storage Account in Azure Storage is Set to enabled
Policy Types
User consent for applications
is set to Do not allow user consent
User consent for applications
is set to Do not allow user consent
> AttestationEnable Infrastructure Encryption
for Each Storage Account in Azure Storage is Set to enabled
What's new?
worker_factory
in the CloudWatch Dashboard widgets "Events Queue Activity" and "Events Queue Backlog"._worker_factory
queue._worker
queue.Bug fixes
Server
UI
template_input
property of the policy setting in the Terraform plan to YAML format, improving clarity and manageability.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Turbot > Process Monitor
control to operate within the priority queue, ensuring more timely and efficient processing of critical tasks.Turbot > Workspace > Background Tasks
control to modify the next_tick_timestamp for any policy values that previously had incorrect defaults.Bug fixes
What's new?
Azure > Storage > Storage Account > Access Keys > Rotation Reminder > *
and Azure > Storage > Storage Account > Data Protection > Soft Delete > *
policies respectively.Control Types
Policy Types
Action Types
What's new?
Azure > SQL > Server > Firewall > IP Ranges > Approved > *
policies.Control Types
Policy Types
Action Types
Enhancements
workspace_dashboard
dashboard to include information on the accounts, resources, and active controls across different workspaces. (#31)workspace_account_report
dashboard to display resources, policy settings, alerts, and active controls across workspaces instead of the TE version. (#31)Enhancements
Bug fixes
rotationPeriod
and nextRotationTime
attributes for Crypto Keys did not update correctly in CMDB when the rotation policy for such keys was removed. This is now fixed.What's new?
Azure > MySQL > Flexible Server > Encryption in Transit > *
policies.createdBy
details in Turbot CMDB.Control Types
Policy Types
Action Types
What's new?
createdBy
details in Turbot CMDB.Policy Types
Bug fixes
AWS > VPC > Flow Log > Configured
control would sometimes go into an error state for flow logs created via the AWS console, even though they were correctly claimed by a Guardrails stack. This is now fixed.What's new?
Enhancements
account_id
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple AWS accounts. (#2133)Bug fixes
getDirectoryServiceSnapshotLimit
and getDirectoryServiceEventTopics
hydrate calls in the aws_directory_service_directory
table to correctly return nil
for the unsupported ADConnector
services instead of an error. (#2170)What's new?
What's new?
Azure > PostgreSQL > Flexible Server > Audit Logging > *
policies.Control Types
Policy Types
Action Types
What's new?
Azure > Key Vault > Key > Expiration > *
and Azure > Key Vault > Secret > Expiration > *
policies respectively.Control Types
Policy Types
Action Types
What's new?
What's new?
powerpipe benchmark run gcp_compliance.benchmark.cis_v300
). (#158)What's new?
Bug fixes
Azure > Storage > Storage Account > Queue > Logging
control would go into a skipped state for storage accounts, irrespective of any policy setting for Logging. This issue is fixed and the control will now work as expected.What's new?
Github App
. Please refer Github plugin configuration for more information. (#414)Bug fixes
What's new?
Enhancements
snapshot_block_public_access_state
column to aws_ec2_regional_settings
table. (#2077)Bug fixes
getDirectoryServiceSnapshotLimit
and getDirectoryServiceEventTopics
hydrate calls in the aws_directory_service_directory
table to correctly return nil
for unsupported SharedMicrosoftAD
services instead of an error. (#2156)What's new?
What's new?
Azure > Network > Public IP Address > Approved
policy to Enforce: Delete unapproved
.What's new?
Azure > PostgresSql > Flexible Server > Encryption in Transit > *
policies.Control Types
Policy Types
Action Types
Bug fixes
foundational_security_lambda_2
control to check for the latest Lambda runtimes as per the AWS FSBP document. (#778) (Thanks @sbldevnet for the contribution!)secretsmanager_secret_unused_90_day
control. (#783)What's new?
Azure > Active Directory > User > Approved
policy to Enforce: Delete unapproved
.Policy Types
What's new?
Azure > MySQL > Flexible Server > Minimum TLS Version > *
policies.Enhancements
All Controls
benchmark: (#253)cosmosdb_account_uses_aad_and_rbac
iam_user_not_allowed_to_create_tenants
securitycenter_image_scan_enabled
Bug fixes
postgres_db_server_allow_access_to_azure_services_disabled
query to check if the endIpAddress
column is set to 0.0.0.0
instead of 255.255.255.255
as per the CIS documentation. (#253)What's new?
What's new?
What's new?
Control Types
Policy Types
What's new?
Enhancements
Bug fixes
versions.json
). (#4223)<nil>
when there was no message to show. (#4206)Bug fixes
What's new?
AWS > EC2 > Account Attributes > Instance Metadata Service Defaults > *
policies.Bug fixes
AWS > EC2 > Instance > Approved
control would sometimes fail to stop instances that were discovered in Guardrails via real-time events if the AWS > EC2 > Instance > Approved
policy was set to Enforce: Stop unapproved if new
. This is now fixed.What's new?
What's new?
connection_throttling
parameter for PostgreSQL servers. To get started, set the Azure > PostgreSQL > Server > Audit Logging > Connection Throttling
policy.What's new?
What's new?
AWS > KMS > Key > Approved
policy to Enforce: Disable unapproved
.What's new?
Enhancements
quota_project
config arg to provide users the ability to set the Project ID
used for billing and quota. (#556)Bug fixes
retry_policy_maximum_backoff
and retry_policy_minimum_backoff
columns of gcp_pubsub_subscription
table to correctly return data. (#552) (Thanks to @mvanholsteijn for the contribution!)What's new?
Bug fixes
aws_vpc_eip
table to return an Access Denied
error instead of an Invalid Memory Address or Nil Pointer Dereference
error when a Service Control Policy
is applied to an account for a specific region. (#2136)aws_s3_bucket
terraform script to prevent the AccessControlListNotSupported: The bucket does not allow ACLs
error during the PutBucketAcl
terraform call. (#2080) (Thanks @pdecat for the contribution!)cross-account
role credentials results in the correct error being reported instead of zero rows. (#2137)aws_ebs_snapshot
table to make fewer API calls when the limit
parameter is passed to the query. (#2088)What's new?
rds_mysql_postresql_db_no_unsupported_version
(#174)Bug fixes
Enforce: Enabled but ignore permission errors
for the AWS > SNS > Subscription > CMDB
policy, allowing the corresponding CMDB control to ignore permission errors, if any, and proceed to completion. However, configuring the CMDB policy to Enforce: Enabled but ignore permission errors
inadvertently introduced a bug, resulting in the removal of real-time events for Subscription from the SNS EventBridge rule created by the Event Handlers. This issue has now been fixed.Bug fixes
Enforce: Enabled but ignore permission errors
for the AWS > KMS > Key > CMDB
policy, allowing the corresponding CMDB control to ignore permission errors, if any, and proceed to completion. However, configuring the CMDB policy to Enforce: Enabled but ignore permission errors
inadvertently introduced a bug, resulting in the removal of the EventBridge Rule for KMS by the Event Handlers. This issue has now been fixed.Bug fixes
loop
block now works in container
, function
, message
and input
steps.max_concurrency
step argument. (#800).throw
, retry
and error
block now works for input
step.Breaking changes
Foundational Security Best Practices v1.0.0
benchmark has been updated to better align with the matching AWS Security Hub. The following updates have been made: (#772)foundational_security_elbv2
sub-benchmark have been removed.foundational_security_cloudfront_2
foundational_security_ec2_22
foundational_security_s3_4
Enhancements
Foundational Security Best Practices v1.0.0
benchmark has been updated to better align with the matching AWS Security Hub. The following updates have been made: (#772)foundational_security
benchmark:foundational_security_appsync
foundational_security_backup
foundational_security_eventbridge
foundational_security_fsx
foundational_security_msk
foundational_security_pca
foundational_security_route53
foundational_security_sfn
foundational_security_acm_2
foundational_security_appsync_2
foundational_security_backup_1
foundational_security_cloudfront_13
foundational_security_dms_6
foundational_security_dms_7
foundational_security_dms_8
foundational_security_dms_9
foundational_security_docdb_3
foundational_security_docdb_4
foundational_security_docdb_5
foundational_security_dms_9
foundational_security_dynamodb_6
foundational_security_ec2_51
foundational_security_ecs_9
foundational_security_eks_8
foundational_security_elasticbeanstalk_3
foundational_security_emr_2
foundational_security_eventbridge_3
foundational_security_fsx_1
foundational_security_msk_1
foundational_security_networkfirewall_2
foundational_security_networkfirewall_9
foundational_security_opensearch_10
foundational_security_pca_1
foundational_security_rds_34
foundational_security_rds_35
foundational_security_route53_2
foundational_security_s3_19
foundational_security_sfn_1
foundational_security_waf_12
What's new?
Enhancements
v0.13.2 of the Terraform Provider for Pipes is now available.
Bug fixes
pipes_workspace_datatank_table
: Set PartPer
setting for datatank table to be nil
if nothing is passed in configuration while updating a datatank table. (#23)Enhancements:
resources/pipes_workspace
: Add support for passing desired_state
, db_volume_size_bytes
attribute when creating or updating a workspace. Add missing attribute state_reason
.resources/pipes_workspace_pipeline
: Add support for passing desired_state
attribute when creating or updating a pipeline. Add attributes state
and state_reason
.resources/pipes_workspace_datatank
: Add support for passing desired_state
attribute when creating a datatank.resources/pipes_workspace_datatank_table
: Add support for passing desired_state
attribute when creating a datatank_table.Bug fixes
project_license_table
, project_other_license_count
and project_weak_copyleft_license_count
queries to use the latest version of EUP (European Union Public License 1.2). (#13)Bug fixes
repository_license_table
, repository_other_license_count
and repository_weak_copyleft_license_count
queries to use the latest version of EUP (European Union Public License 1.2). (#25)Bug fixes
cis_v200_2_4
to cis_v200_2_11
to correctly evaluate results when using the aggregator connection of the GCP plugin. (#154)Bug fixes
max_concurrency
argument. (#798).try()
function should be evaluated at runtime rather than parse time.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Control Types:
Policy Types:
Action Types:
Bug fixes
benchmark run
result as a snapshot, ensure the top level panel has a valid summary. (#274)mod list
output to include resource_name
and mod
fields. Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Enforce: Disabled
. This is now fixed.What's new?
powerpipe benchmark run azure_compliance.benchmark.cis_v210
). (#250)Whats new
All new Pipes workspaces will be running Powerpipe v0.4.1 and existing workspaces will be upgraded by Monday 29th July 2024.
For more information on this Powerpipe release, see the release notes.
All new Pipes workspaces will be running Steampipe v0.22.1 and existing workspaces will be upgraded by Monday 18th March 2024.
For more information on this Steampipe release, see the release notes.
All new Pipes workspaces will be running Powerpipe v0.1.2 and existing workspaces will be upgraded by Monday 18th March 2024.
For more information on this Powerpipe release, see the release notes.
Bug fixes
AWS > VPC > VPC > Stack
control failed to claim security group rules correctly if the protocol
for such rules was set to All
or TCP
in the stack's source policy. This issue has been fixed, and the control will now claim such rules correctly.Bug fixes
What's new?
Enhancements
auto_minor_version_upgrade
column to aws_rds_db_cluster
table. (#2109)open_zfs_configuration
column to aws_fsx_file_system
table. (#2113)logging_configuration
column to aws_networkfirewall_firewall
table. (#2115)lf_tags
column to aws_glue_catalog_table
table. (#2128)Bug fixes
aws_s3_bucket
table doc to correctly filter out buckets without the application
tag. (#2093)aws_cloudtrail_lookup_event
input param to pass correctly end_time
as an optional qual. (#2102)arn
column of the aws_elastic_beanstalk_environment
table to correctly return data instead of null
. (#2105)template_body_json
column of the aws_cloudformation_stack
table to correctly return data by adding a new transform function formatJsonBody
, replacing the UnmarshalYAML
transform function. (#1959)next_execution_time
column of aws_ssm_maintenance_window
table to be of String
datatype instead of TIMESTAMP
. (#2116)client_log_options
column to connection_log_options
in aws_ec2_client_vpn_endpoint
table to correctly return data instead of null
. (#2122)Whats new
Bug fixes
Notice
install.sh
has been moved from the top level folder to the scripts
folder.Notice
Steampipe will no longer officially publish or support a Dockerfile or container images.
Steampipe can be run in a containerized setup. We run it ourselves that way as part of Turbot Pipes. But, we've decided to cease publishing an supporting a container definition because:
We welcome users to create and share your own open-source container definitions for Steampipe!
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
AWS > SageMaker > Code Repository > Regions
policy, which led to the AWS > SageMaker > Code Repository > Discovery
control being in an error state for those regions. We've now removed the unsupported US Gov cloud regions from the Regions policy.What's new?
Bug fixes
Enforce: Disabled
. This is now fixed.Bug fixes
throw
and output
block in pipeline steps works correctly with ternary operators and will not trigger mod reload for white space changes.Bug fixes
Enforce: Disabled
. This is now fixed.AWS > VPC > VPC > Stack
control that prevented it from recognizing security group rules with the port range set to 0 correctly. However, the control still failed to claim existing security group rules available in Guardrails CMDB, due to an inadvertent bug introduced in v5.9.2. This issue has now been fixed, and the control will correctly claim existing security group rules.Bug fixes
Enforce: Disabled
. This is now fixed.Bug fixes
lists
events for various storage resources. We've now improved our events filter to ignore these lists
events, thereby reducing unnecessary processing.Bug fixes
Enforce: Disabled
. This is now fixed.Bug fixes
Enforce: Disabled
. This is now fixed.Bug fixes
Enforce: Disabled
. This is now fixed.AWS > EC2 > Snapshot > Active
and AWS > EC2 > Snapshot > Approved
controls will now not attempt to delete a snapshot if it has one or more AMIs attached to it.ec2-reports:*
permissions are now removed from the mod.v0.13.1 of the Terraform Provider for Pipes is now available.
Bug fixes
pipes_workspace_pipeline
and are only updated when a valid value is present in the Terraform configuration.All new Pipes workspaces will be running Steampipe v0.22.0 and existing workspaces will be upgraded by Monday 11th March 2024.
For more information on this Steampipe release, see the release post or release notes.
Dashboards in Turbot Pipes are now powered by Powerpipe, allowing you to filter, group and share custom views of your cloud benchmarks.
All new Pipes workspaces will be running Powerpipe v0.1.0 and existing workspaces will be upgraded by Monday 11th March 2024.
For more information on the launch of Powerpipe, see the launch post or release notes.
Bug fixes
CreateDefaultVpc
events. However, we overlooked an edge case in the fix. We have now addressed this issue, ensuring that Internet Gateways will be reliably discovered and upserted into the Guardrails CMDB. We recommend updating the aws-vpc-core
mod to version 5.17.1 or higher to enable Guardrails to correctly process real-time CreateDefaultVpc events for Internet Gateways.Enforce: Disabled
. This is now fixed.We're thrilled to announce the release of 52 new Powerpipe mods, featuring pre-built dashboards and benchmarks for cloud inventory & insights, security & compliance, cost management and shift-left scanning. These include the 43 Steampipe mods to visualize AWS, Azure, GCP, GitHub, Terraform and more using Steampipe as the database. And 9 new, ready-to-use Powerpipe mods providing easy to learn examples to visualize data in Postgres, SQLite, DuckDB, and MySQL!
A full list of mods can be found in the Powerpipe Hub.
For more information on how you can get started incorporating these mods into your own custom dashboards and benchmarks, please see Introducing Powerpipe - Composable Mods.
Introducing Powerpipe - Dashboards for DevOps.
Benchmarks - 5,000+ open-source controls from CIS, NIST, PCI, HIPAA, FedRamp and more. Run instantly on your machine or as part of your deployment pipeline.
Relationship Diagrams - The only dashboarding tool designed from the ground up to visualize DevOps data. Explore your cloud,understand relationships and drill down to the details.
Dashboards & Reports - High level dashboards provide a quick management view. Reports highlight misconfigurations and attention areas. Filter, pivot and snapshot results.
Code, not clicks - Our dashboards are code. Version controlled, composable, shareable, easy to edit - designed for the way you work. Join our open-source community!
Learn more at:
Bug fixes
AWS > VPC > VPC > Stack
control would sometimes go into an error state after creating security group rules with port range set to 0. This occurred because the control failed to recognize the existing rule in Guardrails CMDB and attempted to create a new rule instead. This issue has been fixed, and the stack control will now work correctly as expected.AWS > VPC > Security Group > CMDB
control would sometimes go into an error state for security groups shared from other AWS accounts. We will now exclude shared security groups and only upsert security groups that belong to the owner account.What's new?
You can now also manage the IAM Permissions model for Guardrails Users via the AWS > Turbot > IAM > Managed
control. The AWS > Turbot > IAM > Managed
control is faster and more efficient than the existing AWS > Turbot > IAM
control because it utilizes Native AWS APIs rather than Terraform to manage IAM resources. Please note that this feature will work as intended only on TE v5.42.19 or higher and turbot-iam
mod v5.11.0 or higher.
Control Types
Policy Types
Policy Types Renamed
Action Types
Bug fixes
The AWS > IAM > Group > CMDB
, AWS > IAM > Role > CMDB
, and AWS > IAM > User > CMDB
controls previously failed to fetch all attachments for groups, roles, and users, respectively, due to the lack of pagination support. This issue has been fixed, and the controls will now correctly fetch all respective attachments.
Steampipe unbundled, introducing Powerpipe
Powerpipe is now the recommended way to run dashboards and benchmarks!
Mods still work as normal in Steampipe for now, but they are deprecated and will be removed in a future release:
Whats new
version
column to steampipe_plugin
table. (#4141)Bug fixes
search_path_prefix
set in database options
does not alter the search path. (#4160)asff
output was always missing the first row. (#4157)Deprecations and migrations
cloud-host
and cloud-token
CLI args, and replaced them with pipes-host
and pipes-token
respectively. (#4137)STEAMPIPE_CLOUD_HOST
and STEAMPIPE_CLOUD_TOKEN
env vars, replaced with PIPES_HOST
and PIPES_TOKEN
respectively. (#4137)cloud_host
and cloud_token
workspace args, replaced with pipes_host
and pipes_token
respectively. (#4137)terminal options
. (#3751)max_parallel
property in general options
. (#4132)connection options
. (#4131)version
property from the mod require
block. (#3750)What's new?
alicloud
and mastodon
.started_at
and finished_at
added under a flowpipe
attribute.flowpipe.db
into the mod-level .flowpipe
directory.connection_string
in query step and trigger renamed to database
.Deprecation
Bug fixes
log_level
workspace setting is now respected (#618).listen
flag should be network, not localhost (#694)Bug fixes
metadata
param type in create_ticket
pipeline to be consistent with similar param types.Bug fixes
secret
param type in create_secret
pipeline.Bug fixes
What's new?
add_s3_bucket_cost_center_tags
aws_iam_access_key_events_notifier_with_multiple_pipelines
aws_iam_access_key_events_notifier_with_single_pipeline
deactivate_expired_aws_iam_access_keys_using_queries
deactivate_expired_aws_iam_access_keys_with_approval
notify_new_aws_iam_access_keys
Enhancements
Bug fixes
Server
/tenant/${workspaceFullId}
to Advanced
.resolvedSchema
if not available in the schema.UI
AWS > Turbot > IAM > Managed
control.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Turbot > IAM > Permissions > Compiled > Levels > Turbot
policy will now be evaluated correctly and consistently.Bug fixes
What's new?
The AWS > S3 > Bucket
CMDB data will now also include information about Bucket Intelligent Tiering Configuration.
A few policy values in the AWS > S3 > Bucket > Encyprion at Rest
policy have now been deprecated and will be removed in the next major mod version (v6.0.0) because they are no longer supported by AWS.
| Deprecated Values
|-
| Check: None
| Check: None or higher
| Enforce: None
| Enforce: None or higher
Bug fixes
ticket_id
param from update_ticket_comment
pipeline.Bug fixes
license
param in create_user
pipeline. (#6)Bug fixes
generate_ssh_keys
param in various Compute VM test pipelines.Bug fixes
CreateDefaultVpc
events. This issue has been fixed, and Internet Gateways will now be more reliably upserted into the Guardrails CMDB.
We recommend updating the aws-vpc-core
mod to v5.17.1 or higher to allow Guardrails to process the CreateDefaultVpc
event for Internet Gateways correctly.Bug fixes
CreateDefaultVpc
events. This issue has been fixed, and DHCP Options will now be more reliably upserted into the Guardrails CMDB.Bug fixes
lists
events for various Dataproc resources. We've now improved our events filter to ignore these lists
events, thereby reducing unnecessary processing.Bug fixes
GCP > Turbot > Event Handlers > Pub/Sub
stack control previously attempted to create a topic and its IAM member incorrectly when the GCP > Turbot > Event Handlers > Logging > Unique Writer Identity
policy was set to Enforce: Unique Identity
, but the project number for the project was not available. This is fixed and the control will transition to an Invalid state until Guardrails can correctly fetch the project number.Bug fixes
get_channel_history
pipeline. (#20)What's new?
Control Types:
Policy Types:
Action Types
Bug fixes
AWS > S3 > Bucket > Encryption in Transit
and AWS > S3 > Bucket > Encryption at Rest
control to wait for a few minutes before applying the respective policies to new buckets created via Cloudformation Stacks. We've now extended this feature to all buckets regardless of how they were created, to ensure that IaC changes can be correctly applied to buckets without interference from immediate policy enforcements.What's new?
What's new?
What's new?
Note
To use the latest RDS certificate in commercial cloud, please upgrade TE to 5.42.3 or higher and update the RDS CA Certificate for Commercial Cloud
parameter.
Bug fixes
Server
UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
What's new?
Control Types:
Policy Types:
What's new?
AWS > Secrets Manager > Secret > CMDB
control would go into an error state if Guardrails did not have permissions to describe a secret. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set the AWS > Secrets Manager > Secret > CMDB
policy to Enforce: Enabled but ignore permission errors
.What's new?
You can now attach custom IAM Groups to Guardrails users if the AWS > Turbot > Permissions
policy is set to Enforce: User Mode
. To get started, set the AWS > Turbot > Permissions > Custom Group Levels [Account]
policy and then attach the custom group to a user via the Grant Permission button on the Permissions page. Please note that this feature will work as intended only on TE v5.42.18 or higher and turbot-iam
mod v5.11.0 or higher.
Policy Types:
Policy Types renamed:
What's new?
Bug fixes
InvalidParameterCombination
error when querying the aws_rds_db_instance
table. (#2085)aws_rds_db_instance_metric_write_iops_daily
table to correctly display WriteIOPS
instead of ReadIOPS
. (#2079)Dependencies
Bug fixes
Cloud Functions
benchmark into all_controls
benchmark. (#146)What's new?
Bug fixes
What's new?
Control Types:
Policy Types:
Bug fixes
Bug fixes
AWS > VPC > VPC > Stack
control would sometimes fail to claim existing Flow Logs in Guardrails CMDB. This is now fixed.What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
Bug fixes
AWS > SNS > Subscription > CMDB
control would go into an error state if Guardrails did not have permissions to describe a s