Enhancements
- Added
allowedToCreateTenants
field underdefault_user_role_permissions
column ofazuread_authorization_policy
table. (#243) (Thanks @MarkusGnigler for the contribution!)
Subscribe to all changelog posts via RSS or follow #changelog on our Slack community to stay updated on everything we ship.
Enhancements
allowedToCreateTenants
field under default_user_role_permissions
column of azuread_authorization_policy
table. (#243) (Thanks @MarkusGnigler for the contribution!)Bug fixes
MinCorePluginVersion
to v0.2.5.Whats new?
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
AWS > IAM > MFA Virtual > Active
control for virtual MFA devices based on their age. To get started, set the AWS > IAM > MFA Virtual > Active > Age
policy. As part of this enhancement, a new value of 45 days
has been applied to all relevant Active policies.Policy Types
Action Types
What's new
memory_max_mb
controls CLI memory usage and conversion worker count and memory allocation.plugin_memory_max_mb
controls a per-plugin soft memory cap.temp_dir_max_mb
limits size of temp data written to disk during a conversion.show source
output to include source properties. (#388)Bug fixes
Bug fixes
sagemaker_notebook_instance_encryption_at_rest_enabled
query to correctly return SageMaker notebook instances with encryption at rest disabled. (#897)iam_user_one_active_key
query. (#895)lambda_function_dead_letter_queue_configured
query to properly check for Lambda functions with a DLQ (Dead Letter Queue) configured. (#893)kms_cmk_policy_prohibit_public_access
, sns_topic_policy_prohibit_public_access
, and sns_topic_policy_prohibit_cross_account_access
queries to correctly assess whether the associated IAM policies allow public access or cross-account access. (#858, #887)What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.Bug fixes
aws_cost_and_usage_report
table while collecting rows. (#174)Bug fixes
Reattachment process not found
error when starting steampipe service. (#4507)What's new?
Server
UI
Bug fixes
Note
This is a checkpoint version. Guardrails must be updated to v5.51.x first before continuing. It can be any version in v5.51.x series.
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
main.go
and the module path in go.mod
to use the full GitHub URL.What's new?
What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.Bug fixes
Azure > Subscription > Event Poller
control previously processed some real-time events multiple times, resulting in unnecessary Lambda churn. The event processing logic has been improved to ensure each event is handled only once, enhancing overall efficiency.Azure > Subscription > CMDB
control previously ran unnecessarily when Guardrails received real-time Microsoft.Resources/tags/write
events for resources other than subscriptions or resource groups. These events will no longer be processed, preventing unnecessary CMDB control runs.What's new?
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them. Resource Types
AWS > API Gateway > Account
Control Types
Policy Types
Action Types
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Enhancements
Bug fixes
Server
UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Enhancements
allow_cross_tenant_replication
, default_to_oauth_authentication
, sas_expiration_period
, sas_expiration_action
, is_local_user_enabled
, routing_preference_routing_choice
, routing_preference_publish_microsoft_endpoints
, routing_preference_publish_internet_endpoints
columns to the azure_storage_account
table. (#891)allow_shared_key_access
column to the azure_storage_account
table. (#889)Bug Fixes
Bug fixes
resource_turbot_file
were silently ignored. These updates are now processed correctly to ensure changes are properly applied.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.Resource Types
Renamed
Control Types
Renamed
Policy Types
Renamed
Action Types
Renamed
Bug fixes
AWS > Secrets Manager > Secret > Stack [Native]
control previously failed to import and manage resources outside the us-east-1
region. This issue has now been resolved.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.Resource Types
Renamed
Control Types
Renamed
Policy Types
Renamed
Action Types
Renamed
Dependencies
v1.12.0
or higher is now required. (#882)What's new?
iam_user_access_key_age_365
and secretsmanager_secret_rotation_enabled
controls to all_controls_iam
and all_controls_secretsmanager
benchmarks respectively. (#886)Bug fixes
eks_cluster_secrets_encrypted
query to automatically return ok
instead of an alarm
for EKS clusters with version greater than 1.27
since they are automatically encrypted by AWS owned KMS keys. (#883)What's new?
Stack [Native] > *
policies.Control Types
Policy Types
What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Region > Connection Region
policy did not evaluate correctly for AWS GovCloud accounts. This issue has been resolved.What's new?
Stack [Native] > *
policies.Control Types
Policy Types
What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
AWS > Account > Permissions > Default Region
policy.Policy Types
What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new
Bug fixes
What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
AWS > EKS > Cluster > Endpoint Access > *
policies.Control Types
Policy Types
Action Types
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.Bug fixes
DBInstanceIdentifier
and the AKA for the resource. Guardrails will now be smarter to avoid updating these details in CMDB data in such scenarios.Bug fixes
AWS > EC2 > AMI > Discovery
control previously failed to fetch all resources, due to the lack of pagination support. This issue has been fixed, and the control will now correctly fetch all available AMIs.Bug fixes
Kubernetes > Pod > osquery > Configuration > Columns
policy, which previously caused churn by unnecessarily triggering the Kubernetes > Pod > CMDB
control.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Turbot > Workspace > Background Tasks
to ensure a more reliable and consistent execution flow.Requirements
What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
powerpipe benchmark run aws_compliance.benchmark.cis_v500
). (#881)lambda_function_logging_config_enabled
control to all_controls_lambda
benchmark.Bug fixes
eks_cluster_secrets_encrypted
query to automatically return ok
instead of an alarm
for EKS clusters with version greater than 1.27
since they are automatically encrypted by AWS owned KMS keys. (#883)What's new
MinCorePluginVersion
to v0.2.2.Bug fixes
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.What's new?
Bug fixes
Configuration Item > Record
policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.Bug fixes
Skip
. This issue has been resolved; such controls will now correctly transition to a skipped state.Bug fixes
Azure > Storage > Storage Account > Tags
control previously failed to update tags for storage accounts of type StandardV2_LRS
. This issue has been resolved, and the control now correctly updates tags for this storage account type.Azure > Storage > Queue > Discovery
control previously entered an error state for storage accounts of kind FileStorage
. This issue has been resolved, and the control will now be skipped for such storage accounts.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
AWS > Secrets Manager > Secret > Rotation > *
policies.Control Types
Policy Types
Action Types
What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.Bug fixes
Server
UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.Bug fixes
AWS > RDS > DB Parameter Group > CMDB
control to enter an error state due to duplicate AKAs. We have improved the handling of create and copy real-time events for parameter groups to ensure they are now upserted correctly and more reliably.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.Dependencies
containerd
, golang.org/x/net
, and vite
packages to remediate moderate vulnerabilities.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
What's new?
What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.Bug fixes
AWS > VPC > Transit Gateway Attachment > CMDB
control would sometimes go into an error state when ResourceOwnerId
for the resource was not available in the CMDB data. This is fixed and the control will now work correctly, as expected.Bug fixes
force_detach_policies
in the Terraform mapping for the resource type. We have now removed the conflicting default to prevent such unnecessary executions. You now need to explicitly define force_detach_policies
to override the existing Terraform default value (if required by your use case).Bug fixes
What's new?
New benchmarks added:
powerpipe benchmark run aws_vpc_flow_log_detections.benchmark.mitre_attack_v161
).powerpipe benchmark run aws_vpc_flow_log_detections.benchmark.vpc_flow_log_detections
).New dashboards added:
What's new?
Top 10 Keys
table to Activity Dashboard.Enhancements
Bug fixes
Top 10 URIs
tables in Activity Dashboard.folder = "S3"
tag to detection queries.Whats new?
Whats new?
Whats new?
What's new?
AWS > Logs > Log Group > Retention > *
policies.Control Types
Policy Types
Action Types
Enhancements
file_layout
arguments in documentation to wrap values in backticks instead of double quotes to align with Tailpipe CLI v0.2.0 changes. (#140)Bug fixes
aws_vpc_flow_log
table no longer skips collecting records with log status SKIPPED
or NODATA
.aws_cost_and_usage_focus
, aws_cost_and_usage_report
and aws_cost_optimization_recommendation
tables to store missing column values as null
. (#139)file_layout
in aws_s3_bucket
source doc.Dependencies
What's new
location
to format list/show. (#283)plugin
to source list/show. (#337)Bug fixes
What's new?
powerpipe benchmark run nginx_access_log_detections.benchmark.access_log_detections
).powerpipe benchmark run nginx_access_log_detections.benchmark.mitre_attack_v161
).powerpipe benchmark run nginx_access_log_detections.benchmark.owasp_top_10_2021
).What's new?
New benchmarks added:
powerpipe benchmark run aws_s3_server_access_log_detections.benchmark.mitre_attack_v161
).powerpipe benchmark run aws_s3_server_access_log_detections.benchmark.s3_server_access_log_detections
).New dashboards added:
What's new?
New benchmarks added:
powerpipe benchmark run apache_access_log_detections.benchmark.access_log_detections
).powerpipe benchmark run apache_access_log_detections.benchmark.mitre_attack_v161
).powerpipe benchmark run apache_access_log_detections.benchmark.owasp_top_10_2021
).New dashboards added:
What's new?
Bug fixes
Server
UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
v0.13.0 of the Pipes SDK Go is now available.
Breaking changes
Get_1
method in UserWorkspaceSchemasService
used to list tables for a schema renamed to ListTables
to denote its exact purpose.Get_1
method in OrgWorkspaceSchemasService
used to list tables for a schema renamed to ListTables
to denote its exact purpose.What's new?
GetTable
method to UserWorkspaceSchemasService
to get a specific table for a schema.GetTable
method to OrgWorkspaceSchemasService
to get a specific table for a schema.Enhancements
Install
and Update
for both flowpipe and powerpipe mods now support archived mod upload via multipart/form-data
request.SourceType
to model WorkspaceMod
to denote the source of the mod i.e. repository
or archive
.AggregatedBy
to model WorkspaceSchema
to store the list of aggregators that are using the schema.Turbot Pipes' latest update enhances its built-in query editor with improved schema navigation, integrated documentation, pre-built query examples, and powerful search, making it faster and easier for teams to explore and query cloud data.
For more information on this release, see the blog post or refer to the documentation.
What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
What's new?
Stack [Native] > *
policies.Control Types
Policy Types
All Pipes workspaces are now running Steampipe v1.1.0.
For more information on this Steampipe release, see the release notes.
Bug fixes
GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-iam
rendered the real-time events filter for Project User resource type incorrectly, which caused the GCP > Logging > Sink > Configured
control for Logging sinks created via Event Handlers to go into an error state. This issue is now fixed.GCP > IAM > Project User > CMDB
control entered an error state due to incorrect internal references introduced in the previous version of the mod (v5.17.0). This issue has been fixed, and the control now works as expected.What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
Enhancements
folder
metadata to the documentation of all the AWS tables for improved organization on the Steampipe Hub. (#2465) inline_policy
and inline_policy_std
columns to aws_ssoadmin_permission_set
table. (#2458) (Thanks @2XXE-SRA for the contribution!)AWS
.Dependencies
What's new?
account
, azure
and gcp
as a permission type.class: ACCOUNT
to Turbot > Notifications > CC > Tag and Turbot > Notifications > CC > Tag > Name.Bug fixes
Turbot > Workspace > Usage
control will be skipped in GovCloud deployments.Requirements
What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.Bug fixes
GCP > Project > Labels
control failed to apply labels to projects according to the GCP > Project > Labels > Template
policy. This issue has been fixed.What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
Bug fixes
AWS > Organization
resource type have been updated. All functionality will continue to work smoothly as before.Bug fixes
AWS > S3 > Bucket > Public Access Block
control type. All functionality will continue to work smoothly as before.What's new?
AWS > EC2 > Target Group > Discovery
control sometimes failed to upsert target groups under gateway load balancers that were not present in the CMDB. This occurred because Guardrails was unable to discover those gateway load balancers due to an outdated list of supported regions. The list has been refreshed for the AWS > EC2 > Gateway Load Balancer
resource type, enabling Guardrails to discover and manage these resources across all supported AWS regions.Bug fixes
Server
UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.Bug fixes
Server
UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
Bug fixes
Enforce: Enabled
, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.What's new?
What's new?
Resource Types
Control Types
Policy Types
Action Types
What's new?
AWS > Region > Discovery > Connection Region
policy has been deprecated and will be removed in the next major version of the mod (v6.0.0). Two new policies, AWS > Account > Connection Region [Default]
and AWS > Region > Connection Region
, have been introduced. These policies streamline connection region management across all global resource types in various services. For the deprecated AWS > Region > Discovery > Connection Region
policy, we recommend migrating existing settings to the AWS > Region > Connection Region
policy if you intend to define a connection region for discovering Region resources. Alternatively, you may configure the AWS > Account > Connection Region [Default]
policy, which serves as the default region for discovering all global resources across services in your account.Policy Types
Renamed
What's new?
AWS > S3 > Connection Region
policy. This policy defaults to the value of the AWS > Account > Connection Region [Default]
policy, which can be used to define a default connection region for all global resources in an account.Policy Types
The schema list view in the Steampipe query editor now hides aggregated connections by default. This change helps highlight the key schemas whilst also improving readability of the list, especially in workspaces with a large number of aggregated connections.
You can still view the aggregated connections by clicking the Show Aggregated Connections
option via the schema list settings button. This will expand the list to show all connections, including the aggregated ones.
What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.Bug Fixes
Bug fixes
organizations:MoveAccount
real-time event incorrectly for individually imported management accounts, inadvertently deleting them from the CMDB. We have tightened the validation checks to prevent such deletions in these cases.Bug fixes
Breaking changes
projects_total_count
column from the github_organization
and github_my_organization
tables. This property was removed from the GitHub GraphQL API as of April 1, 2025, which caused queries using it to fail. We recommend using projects_v2_total_count
column instead. Please check GitHub GraphQL API changelog for additional details. (#488)Enhancements
run_attempt
column as an optional qual to the GetConfig
of github_actions_repository_workflow_run
table. (#464) (Thanks @tsibley for the contribution!!)run_attempt
and previous_attempt_url
columns to github_actions_repository_workflow_run
table. (#463) (Thanks @tsibley for the contribution!!)workflow_id
column as an optional qual to the ListConfig
of github_actions_repository_workflow_run
table. (#465) (Thanks @tsibley for the contribution!!)Dependencies
1.23.1
. (#486)What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.Bug fixes
Enforce: Enabled
, the EventBridge rule for Organizations will exclude events for that resource type.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.Bug fixes
nginx_access_log
default format from default
to combined
.Enhancements
apache_access_log
table docs with correct default log format information.Bug Fixes
powerpipe query run
command. (#539)Dependencies
containerd
and golang.org/x/net
packages to remediate moderate vulnerabilities.What's new?
Bug fixes
Server
Type Installed
control now spreads events over time to reduce the likelihood of API throttling during large-scale installations or updates.Type Installed
> Policies
> Scheduled Actions
> Controls
.UI
Account Permissions
Introduced a new category of permissions — Account/ — designed specifically for application teams who need limited visibility and control over resources within their own accounts. These are distinct from the Turbot/ permissions used by governance teams.
Account levels:
These levels are now explained alongside Turbot/* levels, with clear usage guidance:
Notification Routing to Guardrails Profiles
You can now route notifications to Guardrails user profiles dynamically based on resource permissions — a major upgrade from static email/webhook targeting. This allows for context-aware delivery to users like Account Owners or Admins.
Access Controls Refined for Process Logs
Access to process logs is now restricted to users with appropriate permissions, specifically those with Turbot/Metadata or higher.
Previously, any authenticated user could retrieve process logs via the API. This behavior has been corrected to align with expected permission boundaries and prevent overexposure of operational data.
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
AWS > VPC > Security Group Rule > CMDB
control.What's new?
What's new?
What's new
format
block can be defined in config and plugins can provide formats types
and presets
. Format are supported by the new Nginx and Apache plugins.
(#264).format list
and format show
commands. (#235)plugin show
command to add exported formats and correctly display partitions, etc. (#257)Bug fixes
GCP > IAM > Service Account > CMDB
control would sometimes enter a skipped state for newly imported projects if certain required attributes were missing from the IAM service's CMDB data. The control will now go into a TBD state instead and rerun after five minutes to allow the IAM service's CMDB data to populate correctly for newly imported projects.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.Bug fixes
GCP > BigQuery > Table > CMDB
policy set to Enforce: Disabled
and still upsert table resources via real-time events in CMDB. These resources were subsequently cleaned up by the CMDB control. This issue has been resolved, and the CMDB policy will now be correctly respected before upserting resources.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.Bug fixes
aws_cost_and_usage_focus
, aws_cost_and_usage_report
, and aws_cost_optimization_recommendation
tables.Persistent workspaces now support high-performance SSD storage. This allows you to run your workloads on faster storage, which can be especially useful for queries that require high IOPS or low latency.
Any new persistent workspaces created will automatically use SSD storage. We'll gradually migrate existing persistent workspaces to SSD storage over the next few weeks. This change is included in the current pricing model and will not incur any additional cost.
What's new?
Account/*
as the default recipient profile.Turbot > Workspace > Retention > Activity Retention
The default retention period for activity has been updated to 90 days (previously unlimited)
Storing too much historical activity data can slow down the system and increase storage costs. By setting a 90-day default, we ensure:
Need more or less retention? You can adjust based on your needs:
Retention Period | Ideal For |
---|---|
30 days | High-performance environments |
60 days | Balanced usage, recommended for most users |
90 days | New default — standard compliance needs |
180 / 365 days | Long-term auditing or retention policies |
For self-hosted environments, the 90-day default will apply when upgrading to @turbot/turbot version 5.51.0 or higher, unless a custom retention policy is set.
Requirements
What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.af-south-1
, ap-east-1
, ap-southeast-3
, ap-southeast-5
, ap-southeast-7
, ca-west-1
, eu-central-2
, eu-south-1
, eu-south-2
, il-central-1
, me-central-1
and me-south-1
regions in the AWS > Lambda > Regions
policy.AWS > Lambda > Function Alias > Regions
policy by updating us-west-3 to the correct region, us-west-2.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
New benchmarks added:
powerpipe benchmark run github_audit_log_detections.benchmark.audit_log_detections
).powerpipe benchmark run github_audit_log_detections.benchmark.mitre_attack_v161
).New dashboards added:
What's new?
Added:
policy.enforcementMode
policy.nonComplianceMessages
policy.systemData
Removed:
policy.sku
Renamed:
settings[*].properties.enabled
to settings[*].enabled
What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
Bug fixes
AWS > Account > Partition
policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.What's new?
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40
). (#871)Bug fixes
iam_user_one_active_key
query to correctly evaluate IAM access keys across multiple AWS accounts. (#867) (Thanks @adrianstanislaus for the contribution!!)Bug fixes
Bug fixes
AWS > MySQL > Server > CMDB
policy will now be set to Skip
by default because the resource type has been deprecated and will be removed in the next major version. Please check Single Server retirement for more information.Resource Types
Renamed
Control Types
Renamed
Policy Types
Renamed
Action Types
Removed
What's new?
Dependencies
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
AWS > SQS > Queue > CMDB
policy. If the CMDB policy is not set to Enforce: Enabled
, the EventBridge rule for SQS will not be configured, preventing events for that resource type. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.Policy Types
Removed
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
Bug fixes
aws_health_*
tables to correctly reference the AWS Health Global endpoint instead of regional endpoints. (#2450)Dependencies
golang.org/x/net
with v0.36.0
. (#2447)What's new?
What's new?
What's new?
What's new?
What's new?
Bug fixes
AWS > Turbot > IAM
stack control occasionally encountered an error while attaching tags with special characters to Guardrails-managed users and roles. This issue is now fixed.What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
Bug fixes
Azure > Compute > Disk > Discovery
control occasionally encountered an error while upserting attached disks under VMs that were not available in Guardrails CMDB. Now, all disks will be upserted under their respective resource groups, ensuring the Discovery control functions more smoothly and reliably than before.What's new?
What's new?
gateway
.Enhancements
changelog
column to jira_issue
table. (#149) (Thanks @mariusgrigaitis for the contribution!)updated
column as an optional qual to the jira_issue_worklog
table. (#151) (Thanks @mariusgrigaitis for the contribution!) jira_issue_comment
table to avoid unnecessary API calls when issue_id
is passed in as an optional qual when querying the table. (#143)Bug fixes
jira_issue
table to correctly return data instead of an error when resolution_date
and status
columns are passed in as the query parameters. (#152) (Thanks @mariusgrigaitis for the contribution!)Dependencies
1.23.1
. (#154)What's new?
max_error_retry_attempts
and min_error_retry_delay
to allow customization of the error retry timings. For more information please see Azure plugin configuration. (#873)Bug fixes
scope
column of the azure_role_assignment
table to correctly return data instead of nil
. (#868)Dependencies
1.23.1
.What's new?
Enhancements
aws_acm_*
, aws_sns_*
, aws_sqs_*
, aws_cloudtrail_*
, and aws_guardduty_*
tables to use AWS Go SDK V2, enabling dynamic region listing for all AWS partitions. (#2440) Enhancements
profile
based authentication support for the alicloud_oss_bucket
table. (#498)me-central-1
, cn-wuhan-lr
, cn-nanjing
, ap-northeast-2
, cn-fuzhou
, ap-southeast-6
, ap-southeast-7
regions. (#491)Bug fixes
create_timestamp
column of alicloud_alidns_domain
table to correctly return data instead of an error. (#482)alicloud_slb_load_balancer
table to correctly return data instead of a panic interface conversion
error. (#481)Dependencies
1.23.1
. (#495)What's new?
Dependencies
Bug fixes
Azure > Turbot > Event Poller
control.Microsoft.Resources
tagging events will now be processed only for subscriptions and resource groups, and will be ignored for other resource types. This will avoid unnecessary triggers for subscription & resource group router actions.Enhancements
title
, description
, and folder
tag to Activity Dashboard
queries for improved organization and clarity.folder = "<service>"
tag to service common tag locals
for better query categorization.service common tags
, ensuring consistency across detection queries.Bug fixes
Chaos
instead of Chaos (Tailpipe)
. (#6)Enhancements
Title Case
for consistency. (#109)folder
front matter to all queries for improved organization and discoverability in the Hub. (#109)Bug fixes
display_name
in docs/index.md
from Amazon Web Services
to AWS
for consistency with standard naming conventions. (#109)Dependencies
1.23.1
.Enhancements
sse_customer_algorithm
, sse_customer_key
and sse_customer_key_md5
optional key quals in the aws_s3_object
table to list objects encrypted with SSE-C. (#2409)aws_ecr_image_scan_finding
table to manage the complex join queries. (#2376)pending_modified_values
column to the aws_rds_db_instance
table. (#2411)aws_glue_*
tables. (#2402) (Thanks @pdecat for the contribution!)aws_ses_domain_identity
table documentation. (#2432)logging_config
column to the aws_lambda_function
table. (#2423)Bug fixes
nil pointer dereference
error when querying AWS RDS custom instances. (#2436)region
column of aws_wafregional_rule
table to correctly return the resource region instead of global
. (#2429)arn
column in aws_vpc_eip
table to use the correct format. (#2415) (Thanks @thomasklemm for the contribution!)aws_kinesis_consumer
and aws_lightsail_instance
tables. (#2408)InvalidParameterException
error in aws_ecs_service
tables when listing tags for older ECS services. (#2410)Bug fixes
cloudfront_distribution_no_non_existent_s3_origin
query to correctly check if the distributions are associated with S3 buckets. (#864)eks_cluster_control_plane_audit_logging_enabled
query to correctly check if audit logging is enabled or not. (#856)vpc_peering_connection_route_table_least_privilege
and vpc_peering_connection_no_cross_account_access
queries to use arn
instead of id
. (#860)iam_user_hardware_mfa_enabled
query. (#851) (Thanks to @ramses999 for the contribution!)What's new?
Multi Region KMS Key
Starting from TEF v1.65.0 and TE v5.49.0, a new multi-region KMS key is created at the TEF level.
When workspaces are upgraded to TE v5.49.0, Guardrails use this new key to re-encrypt the existing Tenant Master Key within the workspaces. The Tenant Master Key itself remains unchanged-only its encryption is updated. The previous version, encrypted with a regional KMS key, remains available.
If a workspace is downgraded to TE v5.48.0, the multi-region encryption persists. Upon re-upgrading to TE v5.49.0, re-encryption does not occur again.
This process works seamlessly unless TEF is downgraded to a version earlier than v1.65.0.
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Requirements
What's new?
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
CMDB > Query
policy for various resource types. For more details, refer to the ServiceNow documentation on encoded query strings.Policy Types
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
Enhancements:
206 (Partial Content)
status, with 408 (Request Timeout)
still being the status for any requests that have timed out with no data.Bug fixes
Skip
or Enforce: Disabled
.Bug fixes
GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-storage
policy now respects CMDB policy settings for resource types and filters out real-time events when the policies are set to Skip
or Enforce: Disabled
. We recommend upgrading the gcp
mod to v5.30.2 or higher in order to process real-time events correctly.What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
turbot_control_mute
allows muting a control to help streamline operations without compromising security policies.Bug fixes
Documentation
turbot_policy_pack
resource.turbot_turbot_directory
documentation.What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Stack [Native]
controls now run faster when in skipped
state. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
AWS > VPC > Transit Gateway Attachment > Discovery [Cross-Account]
control would sometimes upsert transit gateway attachments in a deleted
or deleting
state. This issue is now fixed.Bug fixes
AWS > VPC > Transit Gateway Attachment > CMDB
control previously, in some cases, inadvertently deleted cross-account transit gateway attachments from Guardrails CMDB. This issue has now been fixed.What's new?
AWS > RDS > DB Cluster > Schedule
control. To get started, set the AWS > RDS > DB Cluster > Schedule Tag > Name
policy.Policy Types
What's new?
Action Types
Bug fixes
Azure > Subscription > Tags > Template
policy referred to an incorrect policy for its value. This is now fixed.Enhancements
operation_src
and resource_src
columns to retain original log data with consistent column naming.Breaking changes
aws_s3_server_access_log
table index is now based on the source bucket's name instead of the destination bucket's AWS account ID. We recommend deleting existing aws_s3_server_access_log
partition data (e.g., tailpipe partition delete aws_s3_server_access_log.my_partition
) and recollecting your data. (#89)Bug fixes
Requirements
Bug fixes
Bug fixes
Dependencies
Bug fixes
Policy Types
Renamed
Bug fixes
Policy Types
Removed
What's new?
Enhancements
Type
column in aws_s3_bucket
source arguments table.Dependencies
What's new?
All Pipes workspaces are now running Powerpipe v1.2.0.
For more information on this Powerpipe release, see the release notes.
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Version bump to align with deployment requirements.
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
UI
Server
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
GCP > Storage > Bucket > Policy > Trusted Access
control previously failed to evaluate results correctly and caused internal process timeouts when Guardrails was denied access to fetch IAM policy bindings for buckets. This issue has been resolved, ensuring that the control now evaluates results and terminates correctly as expected.Bug fixes
Azure > Compute > Virtual Machine > Tags
control would sometimes failed to update tags on spot instances. This is now fixed.Bug fixes
AWS > S3 > Bucket > Discovery
control incorrectly went into a skipped state when the AWS > S3 > Bucket > CMDB
policy was set to Enforce: Enabled but ignore permission errors
. This is fixed and control will now work as expected.What's new?
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Requirements
Bug Fixes
v0.15.0 of the Terraform Provider for Pipes is now available.
Breaking Changes
github_installation_id
for resource pipes_tenant_integration
is now of type int
instead of string
.github_installation_id
for resource pipes_organization_integration
is now of type int
instead of string
.github_installation_id
for resource pipes_user_integration
is now of type int
instead of string
.What's new?
pipes_organization_integration
.pipes_tenant_integration
.pipes_user_integration
.pipes_workspace
.pipes_workspace_flowpipe_pipeline
.pipes_tenant_notifier
.pipes_organization_notifier
.pipes_user_notifier
.pipes_workspace_notifier
.pipes_workspace_flowpipe_mod
.pipes_workspace_flowpipe_mod_variable
.pipes_workspace_flowpipe_trigger
.Enhancements
last_activity_at
attribute to the pipes_tenant_member
resource to track the last time a user performed an activity in the tenant.last_activity_at
attribute to the pipes_organization_member
resource to track the last time a user performed an activity in the organization.last_activity_at
attribute to the pipes_organization_workspace_member
resource to track the last time a user performed an activity in the workspace.Integrate your developer account, team or custom tenant with GitLab, enabling you to install custom Powerpipe or Flowpipe mods from public or private projects. Push changes for instant deploys and live updates.
For more information, check out the docs.
Bug fixes
Azure > SQL > Server > CMDB
control sometimes failed to fetch data for the associated firewall rules. This issue has now been fixed.Bug fixes
Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
control sometimes failed to evaluate the control state correctly. This issue is now fixed.Dependencies
v1.12.2
to remediate critical and high vulnerabilities. (#533)What's new?
AWS > RDS > DB Instance > Schedule
control. To get started, set the AWS > RDS > DB Instance > Schedule Tag > Name
policy.Policy Types
Bug fixes
AWS > CloudSearch > Domain > CMDB
policy will now be set to Skip
by default because the resource type has been deprecated and will be removed in the next major version. Please check end of support for more information.Bug fixes
Stack [Native]
controls now run faster when in skipped
state. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.Bug fixes
Stack [Native]
controls now run faster when in skipped
state. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.Bug fixes
Stack [Native]
controls now run faster when in skipped
state. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.Bug fixes
Stack [Native]
controls now run faster when in skipped
state. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.Bug fixes
Stack [Native]
controls now run faster when in skipped
state. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.Bug fixes
Stack [Native]
controls now run faster when in skipped
state. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.Enhancements
last_activity_at
to pipes_organization_member
, pipes_organization_workspace_member
and pipes_tenant_member
tables. (#47)Dependencies
We are excited to announce the release of five new Tailpipe plugins that make it easy to collect logs from various sources, e.g., AWS CloudTrail logs from S3 buckets, and then query the data with familiar SQL syntax.
For more information on how you can get started with the plugins, please see Learn Tailpipe
Introducing Tailpipe, a high-performance data collection and querying tool that makes it easy to collect, store, and analyze log data.
With Tailpipe you can:
Learn more at:
Whats new
tailpipe
detections and detection benchmarks.tailpipe
connection type.detection
command. 500 MB
limit for opening snapshots. (#671)What's new?
powerpipe benchmark run gcp_audit_log_detections.benchmark.audit_log_detections
).powerpipe benchmark run gcp_audit_log_detections.benchmark.mitre_attack_v161
).What's new?
powerpipe benchmark run azure_activity_log_detections.benchmark.activity_log_detections
).powerpipe benchmark run azure_activity_log_detections.benchmark.mitre_attack_v161
).What's new?
powerpipe benchmark run aws_cloudtrail_log_detections.benchmark.cloudtrail_log_detections
).powerpipe benchmark run aws_cloudtrail_log_detections.benchmark.mitre_attack_v161
).What's new?
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
AWS > Account > CMDB
control occasionally encountered an error state while fetching tagging details for accounts. This issue has now been fixed.Bug fixes
AWS > Turbot > Event Handlers [Global] > Events > Target > IAM Role ARN
policy.Bug fixes
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
All Pipes workspaces are now running Powerpipe v1.1.0.
For more information on this Powerpipe release, see the release notes.
What's new?
What's new?
What's new?
What's new?
Server
createSmartFolder
→ Use createPolicyPack
instead.deleteSmartFolders
→ Use deletePolicyPacks
instead.attachSmartFolders
→ Use attachPolicyPacks
instead.putSmartFolderAttachments
→ Use putPolicyPackAttachments
instead.updateSmartFolders
→ Use updatePolicyPacks
instead.detachSmartFolders
→ Use detachPolicyPacks
instead.UI
Bug fixes
Server
UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Policy Types:
Control Types:
Requirements
What's new?
Resource Types
Control Types
Policy Types
Action Types
What's new?
Users can now exclude subscriptions that they do not wish to import while importing a tenant in Guardrails. To get started, set the Azure > Tenant > CMDB > Exclude
policy.
Users can now create and manage tags for subscriptions. To get started, set the Azure > Subscription > Tags > *
policies.
Control Types
Policy Types
Action Types
What's new?
Resource Types
Control Types
Policy Types
Action Types
Bug fixes
GitHub > Organization > Event Handlers
control will now use Turbot > Workspace > GitHub > Secrets
policy to set the webhook secret.What's new?
Resource Types
Control Types
Policy Types
Action Types
Whats new
Dependencies
crypto
, net
, and go-git
packages to remediate critical and high vulnerabilities.Dependencies
crypto
, net
, and go-git
packages to remediate critical and high vulnerabilities. (#4462)Bug fixes
Azure > SQL > Server > CMDB
control occasionally deleted servers from Guardrails CMDB when they used the SQL authentication method. This issue has been fixed, and such resources will no longer be removed from the CMDB.What's new?
Stack [Native]
controls.Policy Types
What's new?
Stack [Native]
controls.Policy Types
What's new?
Stack [Native]
controls.Policy Types
What's new?
Stack [Native]
controls.Policy Types
What's new?
Stack [Native]
controls.Policy Types
What's new?
Stack [Native]
controls.Policy Types
What's new?
Stack [Native]
controls.Policy Types
Bug fixes
Postgres 15 FDW Linux - ARM64
plugin build incorrectly used Postgres 14
instead of Postgres 15
. (#53)Custom tenant, organization and workspace people pages now show the last activity date for each member, allowing owners to track usage of their environments.
For more information, check out the tenant, organization and workspace people docs.
Custom tenant settings now allow owners to control workspace snapshot visibility settings, restricting the use of publicly-shared snapshot links.
For more information, check out the docs.
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Stack [Native] > *
policies.Control Types
Policy Types
What's new?
Stack [Native] > *
policies.Control Types
Policy Types
What's new?
Stack [Native] > *
policies.Control Types
Policy Types
What's new?
Stack [Native] > *
policies.Control Types
Policy Types
What's new?
Stack [Native] > *
policies.Control Types
Policy Types
What's new?
Stack [Native] > *
policies.Control Types
Policy Types
What's new?
Stack [Native] > *
policies.Control Types
Policy Types
What's new?
Enhancements
instance_type_pattern
column as an optional qual to the aws_ec2_instance_type
table. (#2301)image_digest
column as an optional qual to the aws_ecr_image_scan_finding
table. (#2357)created_at
and updated_at
columns as optional quals to the aws_securityhub_finding
table. (#2298)account_password_present
column to aws_iam_account_summary
table. (#2346)tags
column to aws_backup_plan table
. (#2336) (Thanks @pdecat for the contribution!)Bug fixes
aws_rds_db_instance
table to correctly return data instead of an error by ignoring the CertificateNotFound
error code. (#2363)What's new?
Bug fixes
Bug fixes
What's new?
What's new?
Bug fixes
AWS > VPC > VPC > Flow Logging
control previously attempted to destroy and recreate flow logs with CloudWatch log groups as the destination on successive runs due to an incorrect ARN reference to the log destination. This issue is now fixed, and the control will no longer unnecessarily destroy and recreate flow logs in such cases.What's new?
encrypt_storage_account
set_mysql_flexible_server_parameter
set_postgres_flexible_server_configuration
set_postgres_flexible_server_require_secure_transport
set_sql_server_tde_key
update_compute_disk_encryption_with_cmk
update_compute_disk
update_key_vault_rbac_authorization
update_sql_server_public_network_access
update_storage_account_blob_public_access
What's new?
generate_iam_credential_report
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Azure > Compute > Virtual Machine Scale Set > Tags
control to ensure tags were updated correctly for Scale Sets launched via the Azure Marketplace. However, the control occasionally failed to update tags for Scale Sets on certain purchase plans. This issue has now been addressed, and the control will update tags correctly and reliably for all types of Scale Sets.Bug fixes
Bug fixes
Bug fixes
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Azure > Turbot > Event Poller
. To get started, set the Azure > Turbot > Event Poller > Excluded Events
policy.Policy Types
What's new?
AWS > SQS > Queue > Encryption at Rest
policy to one of the following values: Check: SQS SSE
, Check: SQS SSE or higher
, Enforce: SQS SSE
or Enforce: SQS SSE or higher
.What's new?
Kubernetes > Cluster > Approved > *
policies.Control Types
Policy Types
Bug fixes
Azure > App Service > Function App > HTTPS Only
control would sometime fail to enable the setting in Azure. This is now fixed.Bug fixes
GCP > Compute Engine > Instance > Serial Port Access
and GCP > Compute Engine > Instance > Block Project Wide SSH Keys
controls would sometimes go into an error state due to incorrect references to CMDB attributes. This is fixed and the controls will now work as expected.What's new?
Bug fixes
Azure > Network > Network Security Group > Ingress Rules > Approved
policy was set to Enforce: Delete unapproved
. This is now fixed.What's new?
What's new?
Bug fixes
createTimestamp
for Web Apps and Function Apps incorrectly when processing update events for these resources. We have updated the internal logic to ensure the createTimestamp
is now updated correctly and more reliably than before.What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
Bug fixes
createdBy
details in their metadata. The internal logic has been updated to ensure createdBy
details are added more reliably for these disks.What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
Bug fixes
GCP > IAM > Service Account Key > Active
control has been updated to use validAfterTime
instead of metadata.createTimestamp
to accurately evaluate the age of the resource.What's new?
What's new?
AWS > RDS > DB Cluster > Approved > Encryption at Rest > *
policies.Policy Types
What's new?
On Target
per Budget. To get started, set the AWS > Account > Budget > Enabled
policy to Check: Budget > State is On Target
.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
AWS > VPC > Route > CMDB
control would go into an error state due to an incorrect use of a function from an internal node package. This is now fixed.Bug fixes
createdBy
details for storage accounts due to mishandled real-time update events. This issue has been fixed, and createdBy
details will now be stored more reliably and consistently than before.createTimestamp
details from being stored in the metadata of new storage accounts upserted in Guardrails CMDB. This issue has now been resolved, and createTimestamp
details are now stored correctly and reliably.What's new?
Enhancements
error
, is_public
, resource_owner_account
and resource_type
optional quals for aws_accessanalyzer_finding
table. (#2331) (Thanks @dbermuehler for the contribution!)aws_s3_object
table to use the HeadObject
API to retrieve object metadata. (#2312) (Thanks @JonMerlevede for the contribution!)Bug fixes
aws_s3_bucket
table to correctly return data by ignoring the not found error in getBucketTagging
and getBucketWebsite
hydrate functions. (#2335)Bug fixes
.cache clear
was not clearing the cache. (#4443)What's new?
powerpipe benchmark run aws_compliance.benchmark.nydfs_23
). (#844)What's new?
createdBy
details in Guardrails CMDB.Bug fixes
AWS > VPC > VPC > Flow Logging
control would sometimes fail to update flow logs if the Max Aggregation Interval in the stack's source policy was updated. This is fixed and the stack control will now update such resources correctly, as expected.What's new?
AWS > VPC > VPC > Flow Logging
control. To get started, set the AWS > VPC > VPC > Flow Logging > Cloud Watch > Maximum Aggregation Interval
policy and/or AWS > VPC > VPC > Flow Logging > S3 > Maximum Aggregation Interval
policy.Policy Types
Enhancements
multi_region
and multi_region_configuration
columns to aws_kms_key
table. (#2338) (Thanks @pdecat for the contribution!)Bug fixes
(<= or >=)
for number and date filter in aws_inspector2_finding
table. (#2332) (Thanks @dbermuehler for the contribution!)Bug fixes
trigger_parameters
column of the circleci_pipeline
table to correctly return data instead of JSON unmarshalling
error. (#53)The Okta plugin in Pipes now supports max_backoff
, max_retries
and request_timeout
settings.
To get started, create an Okta connection and add it to your workspace.
What's new?
Enhancements
labels
and tags
columns to the gcp_compute_global_forwarding_rule
table. (#678) (Thanks @pdecat for the contribution!)database_installed_version
and maintenance_version
columns to the gcp_sql_database_instance
table. (#677) (Thanks @pdecat for the contribution!)Bug fixes
gcp_compute_instance_group
table to correctly return data for regional instance groups' instances
column. (#670) (Thanks @pdecat for the contribution!)kubernetes_node_pool
table to correctly return data instead of an error for node pools with auto-pilot disabled. (#668) (Thanks @multani for the contribution!)What's new?
Enhancements
firewall_rules
column to the azure_postgresql_flexible_server
table. (#852)Resource Types
Control Types
Policy Types
Action Types
Bug fixes
AWS > IAM > Credential Report
resource type have now been updated to target either the AWS > IAM > Root
or AWS > IAM > User
resource types, depending on the specific control requirements. This adjustment more accurately aligns each control with the relevant resources, enabling more precise and targeted checks.What's new?
powerpipe benchmark run azure_compliance.benchmark.cis_v300
). (#282)Bug fixes
elb_application_lb_waf_enabled
query to correctly flag ELB application load balancers as alarm when the associated WAF is disabled. (#840)cloudfront_distribution_custom_origins_encryption_in_transit_enabled
query to remove duplicate AWS CloudFront distributions from the result. (#829) (Thanks to @sbldevnet for the contribution!)where
clause of the cloudfront_distribution_use_secure_cipher
query to correctly check if the CloudFront distributions have insecure cipher protocols. (#827) (Thanks to @sbldevnet for the contribution!)Bug fixes
Azure > Security Center > Security Center > Auto Provisioning
control is now deprecated and will now move to an Invalid state if enforcements are applied. This follows the deprecation plan announcement from Azure. The control will be removed in a future mod version.Control Types
Renamed
Policy Types
Renamed
Action Types
Removed
All Pipes workspaces are now running Steampipe v1.0.0.
For more information on this Steampipe release, see the launch post or check out the release notes.
All Pipes workspaces are now running Powerpipe v1.0.0.
For more information on this Powerpipe release, see the launch post or check out the release notes.
With a web UI, point-and-click mod installation, and easy integration with Slack and GitHub, Pipes takes workflows-as-code to the next level.
For more information, see the launch post or check out the docs.
All the components of Turbot's open source suite are now fully integrated into Pipes.
For more information, see the launch post or check out the docs.
Bug Fixes
*.ppvars.example
files across the following 24 mods to ensure alignment with the Powerpipe v1.0.0 release:steampipe-mod-alicloud-compliance
steampipe-mod-aws-perimeter
steampipe-mod-aws-tags
steampipe-mod-aws-thrifty
steampipe-mod-aws-top-10
steampipe-mod-azure-compliance
steampipe-mod-azure-tags
steampipe-mod-azure-thrifty
steampipe-mod-digitalocean-thrifty
steampipe-mod-docker-compliance
steampipe-mod-gcp-compliance
steampipe-mod-gcp-labels
steampipe-mod-gcp-thrifty
steampipe-mod-github-compliance
steampipe-mod-kubernetes-compliance
steampipe-mod-microsoft365-compliance
steampipe-mod-net-insights
steampipe-mod-oci-compliance
steampipe-mod-oci-thrifty
steampipe-mod-snowflake-compliance
steampipe-mod-terraform-aws-compliance
steampipe-mod-terraform-azure-compliance
steampipe-mod-terraform-gcp-compliance
steampipe-mod-terraform-oci-compliance
Bug fixes
Bug fixes
--output json
. (#594).max_concurrency
setting is now automatically paused and will successfully resume. (#957).form_url
is now sanitized.What's new?
steampipe check benchmark.cis_v400
). (#836)ebs_encryption_by_default_enabled
and vpc_security_group_restrict_ingress_cifs_port_all
controls to the All Controls
benchmark. (#835)Enhancements
ebs_encryption_by_default_enabled
control to the rbi_cyber_security_annex_i_1_3
benchmark. (#835)python3.8
as deprecated Lambda runtime in lambda_function_use_latest_runtime
control. (#833) (Thanks to @sbldevnet for the contribution!)iam_access_analyzer_enabled_without_findings
and ssm_document_prohibit_public_access
controls to use latest columns and tables from the AWS plugin. (#835)Bug fixes
fedramp_moderate_rev_4_sc_28
benchmark to check if EBS encryption by default is enabled instead of individual volume encryption settings. (#835)Deprecated
ec2_ebs_default_encryption_enabled
control and query. Please use the ebs_encryption_by_default
control and query instead.What's new?
Control Types
Policy Types
Bug fixes
Bug fixes
Bug fixes
verification_token
column toaws_ses_domain_identity
table which was accidentally removed in v1.0.0.Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
What's new?
Policy Types
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Azure > Security Center > Security Center > CMDB
control would go into an error state if it was not able to fetch policy assignment details correctly. This issue has now been fixed.Bug fixes
Bug fixes
Bug fixes
Bug fixes
What's new?
What's new?
What's new?
Bug fixes
We're excited to announce the v1.0.0 release of 43 Powerpipe mods!
These mods now require Powerpipe. Steampipe users should check the migration guide.
Whats new
connection
resource to manage credentials. Documentation.database
property has been added to mod. A database can be a connection reference, connection string, or Pipes workspace to query.Deprecations
database
CLI arg. See Setting the Database for the new syntax to set the database.POWERPIPE_DATABASE
env var. See Setting the Database for the new syntax to set the database.database
workspace profile arg. See Setting the Database for the new syntax to set the database.Breaking changes
The mod functionality, which was previously deprecated and moved to Powerpipe, has been removed in this version.
check
, dashboard
, mod
, and variable
commands. (#4413)watch
and mod-location
CLI args from the query
command. (#4417)dashboard
, dashboard-listen
, and dashboard-port
CLI args from the service
command. (#4418)STEAMPIPE_MOD_LOCATION
and STEAMPIPE_INTROSPECTION
env vars. (#4419)STEAMPIPE_CLOUD_HOST
and STEAMPIPE_CLOUD_TOKEN
env vars. (#4420)watch
, introspection
, and mod-location
workspace profile args. (#4421)check
and dashboard
options from workspace profiles. (#4422)dashboard
option from global options (default.spc
). (#4423)We're excited to announce the v1.0.0 release of all 76 Flowpipe mods, including 29 Library mods, 6 Standard mods, and 41 Sample mods!
Breaking changes
.fpc
), credential
and credential_import
resources have been renamed to connection
and connection_import
respectively.approvers
: list(string)
to list(notifier)
.database
: string
to connection.steampipe
.notifier
: string
to notifier
.approvers
: list(string)
to list(notifier)
.database
: string
to connection.steampipe
.notifier
: string
to notifier
.cred
param to conn
and updated its type from string
to conn
.What's new?
connection
resource to manage credentials. Documentation.connection
and notifier
types for variables and params. (#871)enum
validation for variables and params.Bug fixes
Deprecation
credential
and credential_import
are deprecated to be replaced with connection
and connection_import
.Bug fixes
We’re excited to announce the v1.0.0 release of 116 Steampipe plugins!
While there are no significant changes in the new plugin versions, this release aligns with Steampipe's v1.0.0 launch. The plugins now adhere to semantic versioning, ensuring backward compatibility within each major version.
Bug fixes
What's new?
KeyVault > Vault
Added :
enableSoftDelete
publicNetworkAccess
enableRbacAuthorization
KeyVault > Key
Added :
hsmPlatform
Removed:
key.e
key.n
KeyVault > Secret
Modified :
ID
property does not contain the secret version.Removed:
expires
updated
created
Bug fixes
Azure > Key Vault > Key > CMDB
control would go into an error state while fetching key rotation policy details for managed keys. The control will no longer attempt to fetch the key rotation policy details for such keys and will work as expected.What's new?
What's new?
Server
Activity Retention
feature for Smart Retention control to enhance version and data management.UI
Bug fixes
Server
Notify
or Ignore
keywords were missing in the notification rules.UI
+
button for adding permissions now correctly applies the appropriate attributes.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Policy Types:
Control Types:
Turbot > Smart Retention
control to enhance version and data management.Requirements
What's new?
Azure > MySQL > Flexible Server > Set Minimum TLS Version
policy to Check: TLS 1.2 or higher
.What's new?
Azure > Management Group
Modified :
type
property is updated as type: Microsoft.Management/managementGroups
, earlier it was /providers/Microsoft.Management/managementGroups
What's new?
Bug fixes
What's new?
Renamed:
transparentDataEncryption.status
to transparentDataEncryption.state
databaseThreatDetectionPolicy
to databaseSecurityAlertPolicy
Added:
Azure SQL > Server
administrators
blockisManagedIdentityInUse
autoRotationEnabled
externalGovernanceStatus
minimalTlsVersion
privateEndpointConnections
publicNetworkAccess
restrictOutboundNetworkAccess
serverAzureADAdministrator.azureADOnlyAuthentication
Azure SQL > Database
availabilityZone
currentBackupStorageRedundancy
databaseSecurityAlertPolicy. creationTime
transparentDataEncryption.location
isInfraEncryptionEnabled
isLedgerOn
maintenanceConfigurationId
requestedBackupStorageRedundancy
maintenanceConfigurationId
Azure SQL > ElasticPool
maintenanceConfigurationId
Modified:
serverAzureADAdministrator.name
has been changed from string (activeDirectory
) to string (ActiveDirectory
).databaseThreatDetectionPolicy.disabledAlerts
has been changed from string (""
) to object ([]
).databaseThreatDetectionPolicy.emailAddresses
has been changed from string (""
) to object ([]
).databaseThreatDetectionPolicy.emailAccountAdmins
has been changed from string (Disabled/Enabled
) to boolean (false/true
).disabledAlerts
has been changed from string (""
) to object ([]
).Removed:
databaseThreatDetectionPolicy.useServerDefault
Bug fixes
What's new?
What's new?
Network > NetworkInterface
Added :
auxiliaryMode
auxiliarySku
kind
disableTcpStateTracking
Network > PrivateDNSZone
Added :
internalId
Network > VirtualNetworkGateway
Added :
allowVirtualWanTraffic
allowRemoteVnetTraffic
Modified :
activeActive
property updated as active
What's new?
Added:
tags
kind
Resource Types
Control Types
Policy Types
Action Types
Bug fixes
What's new?
Removed:
clientSecretUrl
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Added:
createMode
Bug fixes
Bug fixes
AWS > Account > Budget > Budget
control would enter an error state for US Gov cloud accounts because the budget APIs are not supported for these accounts. We have updated the control to avoid making these API calls and instead rely on the AWS > Account > Budget > State
policy being updated periodically, allowing the control to evaluate the outcome correctly.What's new?
Control Types
Policy Types
What's new?
What's new?
GCP > Project > ServiceNow > Relationships > *
policies.Control Types
Policy Types
What's new?
Azure > Subscription > ServiceNow > Relationships > *
policies.Control Types
Policy Types
What's new?
AWS > Account > ServiceNow > Relationships > *
policies.Control Types
Policy Types
What's new?
Removed:
tTL
Bug fixes
What's new?
Added:
createdBy
updatedBy
systemData
createdDateTime
Bug fixes
What's new?
Added:
softDeletePolicy
azureADAuthenticationAsArmPolicy
What's new?
Control Types
Policy Types
What's new?
Control Types
Policy Types
What's new?
Control Types
Policy Types
What's new?
Control Types
Policy Types
What's new?
GCP > Global Region > ServiceNow > Relationships > *
, GCP > Multi-Region > ServiceNow > Relationships > *
, GCP > Region > ServiceNow > Relationships > *
and GCP > Zone > ServiceNow > Relationships > *
policies respectively.Control Types
Policy Types
What's new?
GCP > Storage > Bucket > ServiceNow > Relationships > *
and GCP > Storage > Object > ServiceNow > Relationships > *
policies respectively.Control Types
Policy Types
What's new?
Azure > Resource Group > ServiceNow > Relationships > *
policies.Control Types
Policy Types
What's new?
Azure > Storage > Container > ServiceNow > Relationships > *
, Azure > Storage > File Share > ServiceNow > Relationships > *
, Azure > Storage > Queue > ServiceNow > Relationships > *
and Azure > Storage > Storage Account > ServiceNow > Relationships > *
policies respectively.Control Types
Policy Types
What's new?
AWS > VPC > Elastic IP > ServiceNow > Relationships > *
, AWS > VPC > Internet Gateway > ServiceNow > Relationships > *
and AWS > VPC > NAT Gateway > ServiceNow > Relationships > *
policies respectively.Control Types
Policy Types
Control Types
Policy Types
What's new?
AWS > EC2 > AMI > ServiceNow > Relationships > *
, AWS > EC2 > Instance > ServiceNow > Relationships > *
, AWS > EC2 > Key Pair > ServiceNow > Relationships > *
, AWS > EC2 > Network Interface > ServiceNow > Relationships > *
, AWS > EC2 > Snapshot > ServiceNow > Relationships > *
and AWS > EC2 > Volume > ServiceNow > Relationships > *
policies respectively.Control Types
Policy Types
What's new?
Control Types
Policy Types
What's new?
Control Types
Policy Types
What's new?
AWS > VPC > Flow Log > ServiceNow > Relationships > *
, AWS > VPC > Network ACL > ServiceNow > Relationships > *
, AWS > VPC > Security Group > ServiceNow > Relationships > *
and AWS > VPC > Security Group Rule > ServiceNow > Relationships > *
policies respectively.Control Types
Policy Types
What's new?
AWS > VPC > Route Table > ServiceNow > Relationships > *
, AWS > VPC > Subnet > ServiceNow > Relationships > *
and AWS > VPC > VPC > ServiceNow > Relationships > *
policies respectively.Control Types
Policy Types
What's new?
Control Types
Policy Types
What's new?
AWS > S3 > Bucket > ServiceNow > Relationships > *
policies.Control Types
Policy Types
What's new?
AWS/Billing/Admin
, AWS/Billing/Metadata
and AWS/Billing/Operator
now also include purchase orders permissions.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
What's new?
What's new?
Resource Types
Control Types
Policy Types
Action Types
What's new?
Added:
In Azure > Compute > Disk:
supportedCapabilities.diskControllerTypes
diskIopsReadWrite
lastOwnershipUpdateTime
In Azure > Compute > Virtual Machine:
resources
timeCreated
etag
In Azure > Compute > Virtual Machine Scale Set:
constrainedMaximumCapacity
etag
scaleInPolicy
timeCreated
upgradePolicy
storageProfile. diskControllerType
In Azure > Compute > Snapshot:
dataAccessAuthMode
incrementalSnapshotFamilyId
Removed:
In Azure > Compute > Virtual Machine:
statuses.time
Bug fixes
What's new?
Added:
Azure > App Service > App Service Plan
elasticScaleEnabled
numberOfWorkers
zoneRedundant
Azure > App Service > Function App
configuration.acrUseManagedIdentityCreds
configuration.acrUserManagedIdentityID
configuration.elasticWebAppScaleLimit
configuration.ipSecurityRestrictionsDefaultAction
configuration.metadata
configuration.minTlsCipherSuite
configuration.scmIpSecurityRestrictionsDefaultAction
dnsConfiguration
publicNetworkAccess
vnetBackupRestoreEnabled
vnetContentShareEnabled
vnetImagePullEnabled
vnetRouteAllEnabled
Azure > App Service > Web App
configuration.acrUseManagedIdentityCreds
configuration.acrUserManagedIdentityID
configuration.elasticWebAppScaleLimit
configuration.ipSecurityRestrictionsDefaultAction
configuration.metadata
configuration.minTlsCipherSuite
configuration.scmIpSecurityRestrictionsDefaultAction
dnsConfiguration
publicNetworkAccess
vnetBackupRestoreEnabled
vnetContentShareEnabled
vnetImagePullEnabled
vnetRouteAllEnabled
Bug fixes
What's new?
What's new?
Renamed:
JitNetworkAccessPolicies
to jitNetworkAccessPolicies
Pricing
to pricing
Locations
to locations
Bug fixes
What's new?
Bug fixes
What's new?
Added:
frontdoorId
rulesEngines
extendedProperties
backendPoolsSettings
backendPool.privateLinkAlias
backendPool.privateLinkLocation
backendPool.privateEndpointStatus
backendPool.privateLinkResourceId
backendPool.privateLinkApprovalMessage
routingRule.rulesEngine
routingRule.routeConfiguration.odataType
routingRule.routeConfiguration.cacheConfiguration.cacheDuration
routingRule.routeConfiguration.cacheConfiguration.queryParameters
routingRule.webApplicationFirewallPolicyLink
Modified:
routingRule.backendPool
to routingRule.routeConfiguration.backendPool
routingRule.forwardingProtocol
to routingRule.routeConfiguration.forwardingProtocol
routingRule.customForwardingPath
to routingRule.routeConfiguration.customForwardingPath
routingRule.cacheConfiguration.dynamicCompression
to routingRule.routeConfiguration.cacheConfiguration. dynamicCompression
routingRule.cacheConfiguration.queryParameterStripDirective
to routingRule.routeConfiguration.cacheConfiguration. queryParameterStripDirective
Bug fixes
What's new?
Bug fixes
What's new?
Added:
networkProfile.podCidrs
networkProfile.ipFamilies
networkProfile.outboundType
networkProfile.serviceCidrs
networkProfile.networkPolicy
networkProfile.loadBalancerProfile.backendPoolType
networkProfile.loadBalancerProfile.countIPv6
networkProfile.loadBalancerProfile.idleTimeoutInMinutes
networkProfile.loadBalancerProfile.allocatedOutboundPorts
agentPoolProfiles.mode
agentPoolProfiles.osSKU
agentPoolProfiles.enableFips
agentPoolProfiles.osDiskType
agentPoolProfiles.spotMaxPrice
agentPoolProfiles.scaleDownMode
agentPoolProfiles.enableUltraSSD
agentPoolProfiles.kubeletDiskType
agentPoolProfiles.upgradeSettings.maxSurge
agentPoolProfiles.nodeImageVersion
agentPoolProfiles.enableEncryptionAtHost
agentPoolProfiles.currentOrchestratorVersion
Bug fixes
What's new?
Added:
hostNamePrefix
serverless. connectionTimeoutInSeconds
Bug fixes
What's new?
Added:
Azure > Service Bus > Namespace
disableLocalAuth
status
zoneRedundant
Azure > Service Bus > Queue
maxMessageSizeInKilobytes
Azure > Service Bus > Topic
maxMessageSizeInKilobytes
Bug fixes
What's new?
Bug fixes
What's new?
Added: Azure > Recovery Service > Vault
properties.backupStorageVersion
properties.bcdrSecurityLevel
properties.publicNetworkAccess
properties.restoreSettings
properties.secureScore
properties.securitySettings
Bug fixes
Bug fixes
AWS > RoboMaker > Robot Application > CMDB
, AWS > RoboMaker > Fleet > CMDB
and AWS > RoboMaker > Robot > CMDB
policies will now be set to Skip
by default because the resource types have been deprecated and will be removed in the next major version. Please check end of support for more information.What's new?
AWS > ECS > Account Settings > Fargate FIPS Mode
policy.Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Resource Types
Control Types
Policy Types
Action Types
What's new?
Server
UI
+
sign to grant permissions in the context of both the identity and resource.Bug fixes
Server
UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
The Prisma Cloud plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
Enhancements
blocks
to the post_message
pipeline. (#24) (Thanks @johnlayton for the contribution!)Bug fixes
resource/turbot_policy_pack_attachment
: terraform apply
failed to detect existing Policy Pack attachments. (#181)What's new?
Added:
flowType
requestSource
Bug fixes
What's new?
Bug fixes
Resource Types
Policy Types
What's new?
AWS/User
grant should include support:*
permissions. To get started, set the AWS > Account > Permissions > Support Level
policy.Policy Types
Bug fixes
AWS > Turbot > IAM
stack control did not correctly evaluate user memberships in custom IAM groups when the AWS > Turbot > Permissions > Custom Group Levels [Account]
policy was set, and users were granted permissions for those custom IAM groups. This issue has now been fixed.Bug fixes
AWS > EC2 > Volume > CMDB
control would sometimes run unnecessarily due to a bad internal GraphQL dependency. This is now fixed.Bug fixes
Kubernetes > Cluster > CMDB > Expiration
policy was inadvertently added to the Kubernetes > Cluster > CMDB
control. This precheck condition has now been removed.Resource Types
Control Types
Policy Types
Action Types
What's new?
What's new?
Bug fixes
rules
column in okta_signon_policy
, okta_password_policy
, okta_idp_discovery_policy
and okta_authentication_policy
tables to correctly return data instead of null
. (#145)Dependencies
1.22
. (#146)All Pipes workspaces are now running Steampipe v0.24.0.
For more information on this Steampipe release, see the release notes.
Bug fixes
Enforce: Enabled
for the service.What's new?
Added:
authOptions
disableLocalAuth
encryptionWithCmk
networkRuleSet
privateEndpointConnections
publicNetworkAccess
semanticSearch
sharedPrivateLinkResources
Bug fixes
Enhancements
netgo
package.version
flag to the plugin's Export tool. (#65)Bug fixes
Dependencies
1.22
. (#43)What's new?
What's new?
What's new?
Action Types
Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.What's new?
Added: Azure > Synapse Analytics > Workspace
azureADOnlyAuthentication
createManagedPrivateEndpoint
encryption
extraProperties
publicNetworkAccess
settings
trustedServiceBypassEnabled
workspaceUID
Azure > Synapse Analytics > SQL Pool
storageAccountType
Bug fixes
What's new?
Action Types
What's new?
Added:
authConfig
dataEncryption
standbyAvailabilityZone
network. delegatedSubnetResourceId
network. privateDnsZoneArmResourceId
replicaCapacity
replicationRole
systemData
configurations.documentationLink
configurations.isConfigPendingRestart
configurations.isDynamicConfig
configurations.isReadOnly
configurations.unit
Modified:
firewallRules
has been changed from array ([]
) to object ({}
).Bug fixes
What's new?
Bug fixes
Bug fixes
Dependencies
1.22
. (#450)What's new?
Enhancements
connection_info
column to the gcp_alloydb_instance
table. (#651)Bug fixes
name
column from the gcp_bigquery_table
table since the API response did not include this field. (#648)Dependencies
1.22
. (#635)Bug fixes
steampipe -v
command. (#4388)Bug fixes
Deprecations
Bug fixes
Dependencies
Bug fixes
trigger
introspection output correctly shows param
attribute. (#900)Bug fixes
serviceProperties.table.clientRequestId
and serviceProperties.table.requestId
properties for storage accounts have now been made dynamic
to avoid unnecessary notifications in the activity tab.Bug fixes
Whats new
columns
property containing the column information. This allows us to handle duplicate column names by appending a unique suffix to duplicate column name (#4317)Existing query JSON format:
$ steampipe query "select account_id, arn from aws_account" --output json{ "rows": [ { "account_id": "123456789012", "arn": "arn:aws:::123456789012" } ]}
New query JSON format(with new columns
property):
$ steampipe query "select account_id, arn from aws_account" --output json{ "columns": [ { "name": "account_id", "data_type": "text" }, { "name": "arn", "data_type": "text" } ], "rows": [ { "account_id": "123456789012", "arn": "arn:aws:::123456789012" } ]}
Bug fixes
What's new?
tags
argument in pipeline param
and mod variable
resources. (#898).Docker
dependency to v27.1.2.What's new?
Policy Types
Bug fixes
osquery
error events.Bug fixes
osquery
agent.What's new?
Enhancements
time_created
column to the azure_compute_virtual_machine
table. (#831)ip_configuration
, linked_public_ip_address
, nat_gateway
and service_public_ip_address
columns to the azure_public_ip
table. (#836)azure_postgresql_flexible_server
table. (#824)Bug fixes
ip_configurations
column of the azure_subnet
table to correctly return data instead of null
. (#822)web_application_firewall_configuration
column of azure_application_gateway
table to correctly return data instead of null
. (#835)Dependencies
1.22
. (#832)azure_mysql_flexible_server
and azure_postgresql_flexible_server
tables to use the new Azure ARM Go package. (#820)What's new?
Enhancements
aws_ec2_ami
table to correctly return disabled AMIs on passing the disabled
value to the state
optional qual (where state = 'disabled'
). (#2277)AWS Go SDK v2 1.27.0
. (#2139)Dependencies
1.22
. (#2283)Bug fixes
source
attribute in function step is now evaluated relative to the its mod directory rather than the root mod directory. (#895).What's new?
powerpipe benchmark run aws_compliance.benchmark.acsc_essential_eight
). (#823)What's new?
Policy Types
Control Types
Policy Types
What's new?
Policy Types
Control Types
Policy Types
What's new?
Policy Types
What's new?
Policy Types
Bug fixes
modifyVolume
event for EBS Volume Notifications. This issue is now fixed.What's new?
Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
Action Types
What's new?
Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
What's new?
Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
What's new?
Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
Bug fixes
What's new?
Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
What's new?
Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
What's new?
createdBy
details in Guardrails CMDB.Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
AWS > EC2 > Volume > Performance Configuration
control would sometimes fail to set the expected configuration per AWS > EC2 > Volume > Performance Configuration > *
policies and move to an Invalid state if the required data was not available for new volumes in the CMDB. The control will now move to TBD instead and retry after 5 minutes to fetch the required data correctly and set the performance configuration as expected.What's new?
Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
What's new?
Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
What's new?
Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.Bug fixes
Enforce: Enabled
for the service.Enhancements
VPC Security Group
detail page now includes information on the following associated services: (#352) (Thanks @maxcorbin for the contribution!)Amazon MQ broker
ECS service
ECS task
GCP integrations now make use of temporary credentials via service account impersonation using the Service Account Token Creator role.
For more information, check out the docs.
What's new?
Azure > Storage> Storage Account > CMDB
control will now also fetch diagnostic settings details and store them in CMDB.Resource Types
Control Types
Policy Types
Bug fixes
What's new?
Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
What's new?
powerpipe benchmark run gcp_compliance.benchmark.soc_2_2017
). (#181)Bug fixes
Import Set
controls will not require permissions to read the sys_db_object
& sys_dictionary
tables in ServiceNow.Bug fixes
Import Set
controls will not require permissions to read the sys_db_object
& sys_dictionary
tables in ServiceNow.Bug fixes
Import Set
controls will not require permissions to read the sys_db_object
& sys_dictionary
tables in ServiceNow.Bug fixes
Import Set
controls will not require permissions to read the sys_db_object
& sys_dictionary
tables in ServiceNow.Control Types
Policy Types
Bug fixes
Import Set
controls will not require permissions to read the sys_db_object
& sys_dictionary
tables in ServiceNow.Bug fixes
Import Set
controls will not require permissions to read the sys_db_object
& sys_dictionary
tables in ServiceNow.Bug fixes
Import Set
controls will not require permissions to read the sys_db_object
& sys_dictionary
tables in ServiceNow.Bug fixes
Import Set
controls will not require permissions to read the sys_db_object
& sys_dictionary
tables in ServiceNow.Bug fixes
Import Set
controls will not require permissions to read the sys_db_object
& sys_dictionary
tables in ServiceNow.What's new?
AWS > RDS > DB Cluster > Parameter Group > *
policies.Control Types
Policy Types
Action Types
Bug fixes
Bug fixes
Enforce: Enabled
for the service.Enhancements
base_tag_rules
variable. (#18)Enhancements
base_tag_rules
variable. (#28)Bug fixes
Bug fixes
Server
UI
Import
button on the Connect page has been updated to Connect
.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
What's new?
You can now configure Master Authorized Networks for region and zone clusters via Guardrails. To get started, set the GCP > Kubernetes Engine > Region Cluster > Master Authorized Networks Config
and GCP > Kubernetes Engine > Zone Cluster > Master Authorized Networks Config
policies respectively.
Improved descriptions for various resource types to ensure they are clearer and more helpful.
Control Types
Policy Types
Action Types
What's new?
Bug fixes
Resource Types
Control Types
Policy Types
Action Types
What's new?
Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
Enforce: Enabled but ignore permission errors
. However, the CMDB control previously ignored permission errors only on the HeadBucket
operation and still entered an error state for permission errors on sub-API calls. The CMDB control will now ignore all sub-API calls if the HeadBucket
operation is denied access. If the HeadBucket operation is successful, the control will attempt to make all sub-API calls and ignore access denied errors if encountered.Bug fixes
pipeline param
no longer fails with a mismatched types
error. (#879).What's new?
Resource Types
Control Types
Policy Types
Action Types
Resource Types
Control Types
Policy Types
Action Types
What's new?
Approved > Usage
policy for resource types will now default to Approved
instead of Approved if AWS > {service} > Enabled
.Bug fixes
AWS > VPC > VPC > Stack
control would sometimes go into an error state while upserting newly created flow logs in Guardrails due to incorrect mapping of its parent resource. This issue has now been fixed, and the control will upsert flow logs more consistently and reliably than before.Bug fixes
Enforce: Enabled
for the service.What's new?
rds-ca-rsa4096-g1
.Resource Types
Control Types
Policy Types
Action Types
What's new?
AWS > Turbot > Logging > Bucket > Default Encryption
policy is now deprecated because all buckets are now encrypted by default in AWS. As a result, all buckets created and managed via the AWS > Turbot > Logging > Bucket
stack control will now be encrypted by AWS SSE
by default. We've also removed ACL settings for buckets and now apply bucket ownership controls instead via the stack control to align with the latest AWS recommendations. Please upgrade the @turbot/aws-s3
mod to v5.26.0 for the stack control to work reliably as before.Policy Types
Renamed
What's new?
aws_s3_bucket_ownership_controls
Terraform resource for buckets.What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
What's new?
AWS > Config > Configuration Recording
stack control. To get started, set the AWS > Config > Configuration Recording > Terraform Version
policy. We recommend using versions 0.11, 0.12, or 0.15 for this control to create and manage resources effectively and reliably.Policy Types
What's new?
What's new?
Enhancements
euuid
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Linode accounts. (#56)netgo
package. (#60)version
flag to the plugin's Export tool. (#65)Dependencies
QueryData
passed to ConnectionKeyColumns
value callback is populated with ConnectionManager
. (#55)What's new?
GCP > Turbot > Event Handlers > Pub/Sub
control. To get started, set the GCP > Turbot > Event Handlers > Pub/Sub > Topic > Labels
policy.Policy Types
Bug fixes
ec2:RevokeSecurityGroupEgress
and ec2:RevokeSecurityGroupIngress
events. This issue is now fixed.Bug fixes
AWS > Turbot > Event Handlers
control did not correctly raise the real-time CreateTags
and DeleteTags
events for VPC security group rules. This issue is now fixed.Enhancements
Reader
and Data Access
role assignment information to the docs/index.md
file. (#811)Bug fixes
azure_compute_virtual_machine
table to correctly populate the guest_configuration_assignments
column across all Azure
environments. (#816)azure_role_assignment
table to correctly return the result while using any mode of plugin authentication. (#809)azure_monitor_activity_log_event
table. (#810)Enhancements
location_type
column as an optional qual to the aws_ec2_instance_availability
table and 6 new columns to the aws_ec2_instance_type
table. (#2078)aws_appautoscaling_policy
and aws_appautoscaling_target
tables to add information on required quals. (#2247)type
column as an optional qual to the aws_auditmanager_control
table. (#2254)Bug fixes
GetConfig
definition of the aws_auditmanager_control
table to correctly return data instead of an error. (#2254)aws_kms_key_rotation
table to correctly return nil
whenever an AccessDeniedException
error is returned by the API. (#2253)What's new?
GCP > Network > Subnetwork > Flow Log
policy.Control Types
Policy Types
Action Types
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Resource Types
Control Types
Policy Types
Action Types
Bug fixes
variable
command no longer fails if the .flowpipe
directory in the user's home directory is not created yet. (#872).What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
What's new?
GCP > IAM > Service Account > Active
or GCP > IAM > Service Account > Approved
policy to Enforce: Disable inactive with <x> days warning
or Enforce: Disable unapproved
respectively.Action Types
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Bug fixes
AWS > ECR > Repository > CMDB
control went into an error state for shared repositories upserted incorrectly in Guardrails CMDB. Shared repositories will now not be upserted under shared accounts or regions, but will only be upserted under their owner accounts and regions.Bug fixes
ec2:CreateReplaceRootVolumeTask
for instances. This is now fixed.Enhancements
All Controls
benchmark: (#176)alloydb_instance_log_error_verbosity_database_flag_default_or_stricter
alloydb_instance_log_min_error_statement_database_flag_configured
alloydb_instance_log_min_messages_database_flag_error
Enhancements
All Controls
benchmark: (#274)application_gateway_waf_uses_specified_mode
application_insights_block_log_ingestion_and_querying_from_public
log_analytics_workspace_block_log_ingestion_and_querying_from_public
log_analytics_workspace_block_non_azure_ingestion
Bug fixes
storage_account_block_public_access
query to correctly check if the public_network_access
column of the azure_storage_account
table is correctly set to disabled
or not as per the CIS documentation. (#277)v0.14.0 of the Terraform Provider for Pipes is now available.
Breaking Changes
resources/pipes_workspace_connection
moved to manage connections at the workspace level. Previously, the resource used to manage attachment
of connections to the workspace defined at the respective identity level. Please follow the migration guide for migrating your existing configuration into the new model.resources/pipes_connection
does not support management of user level connections in line with changes in Pipes.What's new?
pipes_organization_connection
pipes_organization_connection_folder
pipes_organization_connection_folder_permission
pipes_organization_connection_permission
pipes_organization_integration
pipes_tenant_connection
pipes_tenant_connection_folder
pipes_tenant_connection_folder_permission
pipes_tenant_connection_permission
pipes_tenant_integration
pipes_user_integration
pipes_workspace_connection_folder
pipes_workspace_schema
Enhancements
resources/pipes_workspace_mod
add support for storing attribute state_reason
v0.10.0 of the Pipes SDK Go is now available.
What's new?
Tenants
, Users
, Organizations
, UserWorkspaces
and OrgWorkspaces
.Connections
and ConnectionFolders
.Enhancements
What's new?
Server
UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Azure > Resource Group > ServiceNow > Configuration Item
control would fail to fetch instance credentials internally and did not process the data correctly in ServiceNow. This issue has now been fixed.Bug fixes
Bug fixes
Bug fixes
Control Types
Policy Types
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
What's new?
What's new?
What's new?
AWS/DynamoDB/Admin
, AWS/DynamoDB/Metadata
and AWS/DynamoDB/Operator
now include permissions for Resource Policy, Imports, Time to Live and Global Table Version.Breaking changes
gcp_cloudfunctions_function
table to align with the new API response structure: (#612)environment_variables
source_upload_url
version_id
What's new?
impersonate_access_token
config argument to support plugin authentication by using a pre-generated temporary access token. (#621)Enhancements
gcp_cloudfunctions_function
table. (#612)Bug fixes
SecretManager
service client creation. (#624)What's new?
Control Types
Policy Types
What's new?
Control Types
Policy Types
What's new?
Table logging
for Storage Accounts
via Azure > Storage > Storage Account > Table > Logging
control. To get started, set the Azure > Storage > Storage Account > Table > Logging
policy.Control Types
Policy Types
Action Types
Azure > Storage > Storage Account > Update Encryption at Rest
Azure > Storage > Storage Account > Update Storage Account Table Logging
The Storage Account CMDB data will now also include information about the account's table service properties.
We've removed the dependency on listKeys
permission for Azure > Storage Account > Container > Discovery
to run its course to completion. This release includes breaking changes in the CMDB data for containers. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.
Renamed:
isImmutableStorageWithVersioningEnabled
to isImmutableStorageWithVersioning.enabled
Removed:
preventEncryptionScopeOverride
Bug fixes
Azure > Storage > Storage Account > CMDB
control would go into an error state while trying to fetch default Queue and Blob properties if Guardrails did not have permission to list the storage account keys. The control will now not attempt to fetch default Queue and Blob properties if Guardrails does not have the required access for listKeys
, and will run its course to completion without going into an error state.Bug fixes
AWS > S3 > Bucket > CMDB
control if it would go into an error state due to insufficient permissions for the headBucket
operation.What's new?
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Import a tree of folders and projects as Pipes connections, control permissions for workspaces, and auto-create aggregators.
For more information, see the launch post or check out the docs.
You can now create connections at the custom tenant, organization or workspace level in Pipes, along with grouping of these within folders to allow easier sharing of related connections.
This is coupled with a fine-grained permissions model, allowing you to share connections & folders broadly across a custom tenant, or restrict access to specific organizations and/or their workspaces.
For more information, check out the docs:
Import a tree of management groups and subscriptions as Pipes connections, control permissions for workspaces, and auto-create aggregators.
For more information, see the launch post or check out the docs.
Import a tree of OUs and accounts as Pipes connections, control permissions for workspaces, and auto-create aggregators.
For more information, see the launch post or check out the docs.
What's new?
Control Types
Policy Types
What's new?
Resource Types
Control Types
Policy Types
Action Types
Bug fixes
What's new?
AWS > S3 > Bucket > CMDB
control would go into an error state if Guardrails did not have permissions to call the headBucket
operation on a bucket. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set the AWS > S3 > Bucket > CMDB
policy to Enforce: Enabled but ignore permission errors
.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Azure > App Service > Web App > Client Certificate Mode
control, ensuring that the Client Certificate Mode is set to Require
correctly. However, we missed an edge case where the control wouldn’t enforce any mode other than the default setting of Ignore
. We have now addressed all cases, and the control will work more reliably and consistently than before.What's new?
flowpipe pipeline run
command when running in Client mode and not using the --verbose
arg.--data-dir
parameter to specify the location of the event store database. (#852).--execution-id
parameter to specify custom execution id for pipeline run. (#856).Go
version to v1.22.4.Bug fixes
What's new?
detect and correct
pipelines to identify unused and underutilized GCP resources, as well as deprecated resource configurations. These pipelines also suggest potential remediation actions to optimize costs. For usage information and a full list of pipelines, please see GCP Thrifty Mod.What's new?
env
, owner
).secret
, key
).cc
to cost_center
).Prod
to prod
).For detailed usage information and a full list of pipelines, please see GCP Labels Mod.
What's new?
detect and correct
pipelines to identify unused and underutilized Azure resources, as well as deprecated resource configurations. These pipelines also suggest potential remediation actions to optimize costs. For usage information and a full list of pipelines, please see Azure Thrifty Mod.What's new?
env
, owner
).secret
, key
).cc
to cost_center
).Prod
to prod
).For detailed usage information and a full list of pipelines, please see Azure Tags Mod.
What's new?
What's new?
env
, owner
).secret
, key
).cc
to cost_center
).Prod
to prod
).For detailed usage information and a full list of pipelines, please see AWS Tags Mod.
What's new?
What's new?
Server
UI
Smart Folders
are now called Policy Packs
.Policy Packs
from UI.Bug fixes
Server
UI
Policy Packs
from the UI.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Enforce: Sync
policy value for integrating Import Sets in ServiceNow.Control Types
Policy Types
Control Types
Policy Types
Control Types
Policy Types
Control Types
Policy Types
Control Types
Policy Types
What's new?
What's new?
Bug fixes
power_state
column of the azure_compute_virtual_machine
table to correctly return data instead of a nil pointer dereference
error. (#804)Bug fixes
Azure > App Service > Web App > Client Certificate Mode
control did not apply Enforce: Require
settings correctly. This is now fixed.What's new?
google_monitoring_alert_policy
and google_monitoring_notification_channel
Terraform resources.Control Types
Policy Types
What's new?
google_logging_metric
Terraform resource.Control Types
Policy Types
Bug fixes
Azure > Storage > Storage Account > Queue > Logging
control failed to set queue logging properties correctly. This issue has been fixed, and the control will now function correctly as intended.Bug fixes
Bug fixes
Bug fixes
What's new?
insecure_skip_verify
connection config argument to support bypassing the SSL/TLS
certificate verification while querying the tables. (#48)Enhancements
netgo
package.Dependencies
Bug fixes
What's new?
GCP > Compute > Instance > Shielded Instance Configuration > *
policies.Control Types
Policy Types
Action Types
What's new?
Azure > CIS v2.0 > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
control will also evaluate SQL databases for SKU Basic/Consumption.Control Types
Policy Types
Bug fixes
Azure > CIS v2.0 > 4 - Database Services > 01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
control did not evaluate the result correctly, as expected. This is now fixed.The CrowdStrike plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
What's new?
DOCUMENTATION:
resource/turbot_policy_pack
: Added documentation for akas
attribute for the resource. (#179)What's new?
GCP > SQL > Instance > Encryption In Transit
policy.Control Types
Policy Types
Action Types
What's new?
Control Types
Policy Types
What's new?
Basic
to Standard
for Public IP Addresss via Azure > Network > Public IP Address > Standard SKU
control. To get started, set the Azure > Network > Public IP Address > Standard SKU
policy.Control Types
Policy Types
Action Types
What's new?
To get started configuring these rules through Guardrails, the following policies should set according to your desired firewall rules configuration:
Azure > Cosmos DB > Database Account > Firewall
- Configure default access rules for the public endpoint
Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved
- Remove unapproved IP ranges
Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required
- Grant access to specific IP ranges
Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved
- Remove unapproved virtual network subnets
Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required
- Grant access to specific virtual network subnets
Please note that if the Azure > Cosmos DB > Database Account > Firewall
policy is set to Enforce: Allow only approved virtual networks and IP ranges
, only applications in the configured IP ranges, virtual network subnets, and trusted Microsoft services will be allowed to access the database accounts. If these boundaries are not properly configured beforehand or an application is outside of these boundaries, it will lose access to the database accounts.
Control Types
Policy Types
Action Types
Bug fixes
Bug fixes
What's new?
Bug fixes
GCP > Project > CMDB
control went into an error state while fetching Access Approval settings for the project if Access Transparency was disabled at the organization level. We have now handled such cases gracefully, and the control will fetch all available details without going into an error state.What's new?
GCP > SQL > Instance > Authorized Network > *
policies.GCP > SQL > Instance > Database Flags
policy.GCP > SQL > CMDB
policy to Enforce: Disabled
.Control Types
Policy Types
Action Types
What's new?
We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Storage resources in Guardrails. This release includes breaking changes in the CMDB data for storage accounts. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.
Renamed:
serviceProperties.blob.DeleteRetentionPolicy
to serviceProperties.blob.deleteRetentionPolicy
serviceProperties.blob.DeleteRetentionPolicy.Days
to serviceProperties.blob.deleteRetentionPolicy.days
serviceProperties.blob.DeleteRetentionPolicy.Enabled
to serviceProperties.blob.deleteRetentionPolicy.enabled
serviceProperties.blob.StaticWebsite
to serviceProperties.blob.staticWebsite
serviceProperties.blob.StaticWebsite.Enabled
to serviceProperties.blob.staticWebsite.enabled
serviceProperties.blob.logging
to serviceProperties.blob.blobAnalyticsLogging
serviceProperties.queue.logging
to serviceProperties.queue.queueAnalyticsLogging
Added:
serviceProperties.blob.deleteRetentionPolicy.AllowPermanentDelete
Modified:
serviceProperties.blob.cors
has been changed from string (""
) to array ([]
).serviceProperties.queue.cors
has been changed from string (""
) to array ([]
).Users can now enable/disable Blob logging
for storage accounts. To get started, set the Azure > Storage > Storage Account > Blob > Logging > *
policies.
Users can now check if storage accounts are approved for use based on Infrastructure Encryption settings. To get started, set the Azure > Storage > Storage Account > Approved > Infrastructure Encryption
policy.
Control Types
Renamed
Policy Types
Renamed
Action Types
Renamed
What's new?
Azure > App Service > Web App > Client Certificate Mode
policy.Control Types
Policy Types
Action Types
What's new?
Enhancements
domain
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Okta organizations. (#120).spc
file for max retries
, request timeout
, and max backoff time
as required. (#112)profile
column to the okta_factor
table. (#130)Dependencies
QueryData
passed to ConnectionKeyColumns
value callback is populated with ConnectionManager
. (#120)Enhancements
organization_id
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Linear accounts. (#34)Bug fixes
Dependencies
QueryData
passed to ConnectionKeyColumns
value callback is populated with ConnectionManager
. (#34)Enhancements
power_state
to the azure_compute_virtual_machine_scale_set_vm
table. (#800) (Thanks @pdepdecatcat for the contribution!)Bug fixes
azure_log_alert
table to correctly return values for actions
, condition
, description
, enabled
, and scopes
columns instead of null
. (#796)What's new?
Resource Types
Control Types
Policy Types
Action Types
What's new?
GCP > BigQuery > Dataset > Encryption at Rest > *
policies.Control Types
Policy Types
Action Types
What's new?
Control Types
Policy Types
Bug fixes
AWS > EC2 > Snapshot > CMDB
policy was set to Enforce: Enabled for Snapshots not created with AWS Backup
. This issue has now been fixed.What's new?
GCP > DNS > Managed Zone > DNSSEC Configuration
policy.GCP > DNS > Policy > Logging
policy.Control Types
Policy Types
Action Types
Bug fixes
What's new?
Azure > Compute > Virtual Machine > Trusted launch
policy.Azure > Compute > Disk > Encryption at Rest > *
policies.Control Types
Policy Types
Action Types
What's new?
Azure > App Service > Web App > System Assigned Identity
policy.Control Types
Policy Types
Action Types
Bug fixes
Azure > App Service > Web App > FTPS State
control failed to set the FTPS State correctly for web apps. This issue is now fixed.What's new?
Policy Types
What's new?
Azure > Network Watcher > Flow Log > Retention Policy > *
policies.Control Types
Policy Types
Action Types
What's new?
Azure > Active Directory > Directory > CMDB
control will now also fetch named locations and authorization policy details and store them in CMDB.Bug fixes
AWS > IAM > Account Password Policy > Settings
control not applying custom settings correctly. This issue is fixed, and the CMDB details will now refresh correctly, allowing the corresponding Settings control to work as expected.What's new?
Bug fixes
What's new?
Azure > Security Center > Security Center > CMDB
control will now also fetch security settings details and store them in CMDB.Bug fixes
Bug fixes
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
The default value for GCP > Storage > Bucket > ServiceNow > Import Set
now shows the resource_type_uri
correctly.
Control Types
Added
Policy Types
Added
What's new?
ServiceNow > Turbot > Watches > GCP Archive and Delete Record
action now supports archiving Import Set
records.Control Types
Added
Policy Types
Added
What's new?
ServiceNow > Turbot > Watches > Azure Archive and Delete Record
action now supports archiving Import Set
records.Bug fixes
ServiceNow > Application > CMDB
, ServiceNow > Cost Center > CMDB
& ServiceNow > User > CMDB
have been updated from Enforce: Enabled
to Skip
.Policy Types
Added
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
OUTBOUND_SECURITY_GROUP_ID
environment variable in Lambda functions now defaults to using the TEF outbound security group when there is no override specified in TEF and TE.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Azure > Network > Network Security Group > Ingress Rules > Approved
and Azure > Network > Network Security Group > Egress Rules > Approved
controls previously deleted an entire rule if at least one of the corresponding port prefixes was rejected, even if the others were approved. These controls will now revoke only the rejected port prefixes instead of deleting the entire rule in such cases.Bug fixes
<nil>
for null
values instead of ""
. (#77)Bug fixes
<nil>
for null
values instead of ""
. (#77)Bug fixes
<nil>
for null
values instead of ""
. (#77)Bug fixes
AWS > RDS > DB Instance > Approved
control will now be skipped for instances that belong to a cluster. To check if a cluster is approved for use, please set the AWS > RDS > DB Cluster > Approved > *
policies.AWS > RDS > DB Instance > Approved
control did not stop an unapproved instance if the corresponding policy was set to Enforce: Stop unapproved
or Enforce: Stop unapproved if new
, and deletion protection for the instance was enabled. The control will now stop instances correctly in such cases.What's new
Enhancements
aws_elasticache_cluster
table. (#2224)Bug fixes
What's new?
EncryptionInTransit
TopicPolicy has shifted from a custom resource to AWS CloudFormation’s AWS::SNS::TopicPolicy
.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Enhancements
log_group_metric_*
queries to minimize API usage, achieving faster performance. (#802)What's new?
Server
UI
Depends-on
tab on the controls page has been renamed to Related
. It now includes the information from the Depends-on tab along with additional related controls information.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Azure > Network > Network Security Group > Ingress Rules > Approved
control would sometimes fail to revoke rejected rules when the corresponding policy was set to Enforce: Delete unapproved
. This has been fixed, and the control will now work more reliably and consistently than before.What's new?
Enhancements
netgo
package. (#101)version
flag to the plugin's Export tool. (#65)Bug fixes
arguments
column of terraform_resource
table to correctly return the type
field. (#99) (#92)Dependencies
What's new?
Enhancements
Bug fixes
Turbot > osquery > Event Handler
action was not able to handle events for large payloads. This issue is now fixed.Bug fixes
GCP > Project > CMDB
control would incorrectly delete a project from Guardrails CMDB if it was unable to fetch Access Approval settings for the project. This issue has been fixed and the control will now attempt to fetch all available details and will not delete the project from CMDB.All Pipes workspaces are now running Steampipe v0.23.2.
For more information on this Steampipe release, see the release notes.
All Pipes workspaces are now running Powerpipe v0.4.0.
For more information on this Powerpipe release, see the release notes.
Bug fixes
Azure > Security Center > Security Center > Auto Provisioning
policy.Control Types
Policy Types
Action Types
Bug fixes
What's new?
Enhancements
aws_s3_bucket
, aws_s3_bucket_intelligent_tiering_configuration
, aws_s3_object
and aws_s3_object_version
tables to use HeadBucket
API instead of GetBucketLocation
to fetch the region that the bucket resides in. (#2082) (Thanks @pdecat for the contribution!)create_time
to aws_ec2_key_pair
table. (#2196) (Thanks @kasadaamos for the contribution!)instance_type
column as an optional qual to the aws_ec2_instance_type
table. (#2200)Bug fixes
akas
column in aws_health_affected_entity
table to correctly return data instead of an error by handling events that do not have any ARN
. (#2189)cname
and endpoint_url
columns of aws_elastic_beanstalk_environment
table to correctly return data instead of null
. (#2201)aws_api_gatewayv2_*
tables to correctly return data instead of an error by excluding support for the new unsupported il-central-1
region. (#2190)What's new?
Enhancements
login_id
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Jira connections. (#119)netgo
package. (#128)version
flag to the plugin's Export tool. (#65)Bug fixes
jira_board
table to correctly return all the data instead of partial results. (#127)Dependencies
What's new?
Bug fixes
public_network_access_for_ingestion
and the public_network_access_for_query
columns of the azure_application_insight
table to be of String
data type instead of JSON
. (#769)azure_role_assignment
table to correctly return values for principal_id
and principal_type
columns instead of null
. (#763)web_application_firewall_configuration
column of the azure_application_gateway
table to correctly return data instead of null
. (#770)What's new?
powerpipe benchmark run azure_compliance.benchmark.fedramp_high
). (#270)What's new?
What's new?
Azure > Security Center > Security Center > Defender Plan
control now also supports services like Cloud Posture, Containers and Cosmos DB.What's new?
Bug fixes
What's new?
Server
@azure/msal-node
package.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
AWS > EC2 > Snapshot > CMDB
policy to Enforce: Enabled for Snapshots not created with AWS Backup
.Bug fixes
AWS > Turbot > Service Roles > Source
policy went to an invalid state if all but the AWS > Turbot > Service Roles > Event Handlers [Global]
policy was enabled. This issue impacted the AWS > Turbot > Service Roles
stack control, preventing the role from being created correctly. This has been fixed, and the AWS > Turbot > Service Roles > Source
policy will now work as expected.Bug fixes
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
control did not evaluate the result correctly, as expected. This is now fixed.Whats new
Bug fixes
POWERPIPE_PORT
env var was not being honoured. (#362)duration
field to duration_ms
for consistency with steampipe. (#368)The rows
property in the JSON
and snapshot
output will now have unique column names for duplicate column names.
The columns property will have the original column name as original_name
.
For example, for the query:
powerpipe query run " select arn as title, account_id as title, title as title from aws_account" --output pps
Here is the updated JSON output:
powerpipe query run " select arn as title, account_id as title, title as title from aws_account" --output json{ "columns": [ { "name": "title", "data_type": "text" }, { "name": "title_t5zj1", "data_type": "text", "original_name": "title" }, { "name": "title_t5zj2", "data_type": "text", "original_name": "title" } ], "rows": [ { "title": "arn:aws:::882789663776", "title_t5zj1": "882789663776", "title_t5zj2": "882789663776" }, ], "metadata": { "rows_returned": 3, "duration_ms": "202ms" }}
Here is the updated snapshot output:
{ "schema_version": "20240130", "panels": { "custom.dashboard.sql_e5br7b82": { "dashboard": "custom.dashboard.sql_e5br7b82", "name": "custom.dashboard.sql_e5br7b82", "panel_type": "dashboard", "source_definition": "", "status": "complete", "title": "Custom query [e5br7b82]" }, "custom.table.results": { "dashboard": "custom.dashboard.sql_e5br7b82", "name": "custom.table.results", "panel_type": "table", "source_definition": "", "status": "complete", "sql": " select arn as title, account_id as title, title as title from aws_account", "properties": { "name": "results" }, "data": { "columns": [ { "name": "title", "data_type": "TEXT" }, { "name": "title_t5zj1", "data_type": "TEXT", "original_name": "title" }, { "name": "title_t5zj2", "data_type": "TEXT", "original_name": "title" } ], "rows": [ { "title": "arn:aws:::876515858155", "title_t5zj1": "876515858155", "title_t5zj2": "morales-aaa" }, { "title": "arn:aws:::882789663776", "title_t5zj1": "882789663776", "title_t5zj2": "882789663776" }, { "title": "arn:aws:::097350876455", "title_t5zj1": "097350876455", "title_t5zj2": "turbot-silverwater" } ] } } }, "inputs": {}, "variables": {}, "search_path": null, "start_time": "2024-06-06T14:50:16.906739+01:00", "end_time": "2024-06-06T14:50:16.991955+01:00", "layout": { "name": "custom.dashboard.sql_e5br7b82", "children": [ { "name": "custom.table.results", "panel_type": "table" } ], "panel_type": "dashboard" }}
What's new?
Updated the existing Flags attribute to include new specific flags that control the operation of Mod Lambda functions within a Virtual Private Cloud (VPC). This update allows Lambdas to use static IP addresses, improving network stability and predictability across different cloud environments. New flags Added to Flags Attribute:
Introduced a new SSM parameter outbound_cidr_ranges to retrieve the Elastic IPs associated with the NAT gateways.
What's new?
Server
osquery/logger
API to support payloads up to 10MB.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Bug fixes
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
control did not evaluate the result correctly, as expected. This is now fixed.What's new?
Bug fixes
Azure > Network > Network Security Group > Ingress Rules > Approved
and Azure > Network > Network Security Group > Egress Rules > Approved
controls previously deleted an entire rule if at least one of the corresponding address prefixes was rejected, even if the others were approved. These controls will now revoke only the rejected address prefix instead of deleting the entire rule in such cases.What's new?
Add support for installing mods from a branch or from the local file system. (#849).
To install from a branch:
flowpipe mod install github.com/turbot/flowpipe-mod-aws-thrifty#main
To reference a mod in the local file system:
flowpipe mod install ../mods/local_mod_folder
Add --pull
flag to mod
command to control the mod update strategy. (#849). Possible update strategies are:
full
- check branch and tags for both latest and accuracylatest
- update everything to latest, but only branches - not tags - are commit checked (which is the same as latest)development
- update branches and broken constraints to latest, leave satisfied constraints unchangedminimal
- only update broken constraints, do not check branches for new commitsBug fixes
What's new?
powerpipe benchmark run azure_compliance.benchmark.rbi_itf_nbfc_v2017
). (#267)Bug fixes
GCP > Turbot > Event Handlers > Logging
would go into an Invalid state because of incorrect filter patterns defined in the GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-bigquerydatatransfer
policy. This is fixed and the control will now work as expected.Bug fixes
compute.networks.delete
for default networks incorrectly, resulting in the inadvertent deletion of those networks from CMDB. This is now fixed.What's new?
Resource Types
Policy Types
What's new?
Control Types
Policy Types
Bug fixes
s3:PutBucketReplication
for buckets. This is now fixed.AWS > S3 > Bucket > Access Logging
control would sometimes go into an error state if the target bucket name started with a number. This is fixed and the control will now work more smoothly and consistently than before.Enhancements
user_id
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Pipes connections. (#27)netgo
package. (#32)version
flag to the plugin's Export tool. (#65)Bug fixes
Pipes
instead of returning a 401
error. (#30)Dependencies
The Semgrep plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
What's new?
Detect and Correct
pipeline for DynamoDB tables with stale data. (#34)What's new?
delete_dynamodb_table
What's new?
Enhancements
login_id
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Github connections. (#422)netgo
package. (#219)version
flag to the plugin's Export tool. (#65)Bug fixes
Dependencies
Bug fixes
v1.11.2
to remove unnecessary NOTICE
level log messages. (#469)What's new?
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2
). (#264)Integrate your developer account, team or custom tenant with GitHub, enabling you to install custom Powerpipe mods from public or private repositories. Push changes for instant deploys and live updates.
For more information, see the launch post or check out the docs.
Bug fixes
$logs
) for storage accounts. This is now fixed.Bug fixes
What's new?
Resource Types
Control Types
Policy Types
Action Types
Bug fixes
locals
in order of dependency. (#399).What's new?
Enhancements
Whats new
Added support for installing mods from a branch or from the local file system. (#285)
To install from a branch:
powerpipe mod install github.com/turbot/steampipe-mod-aws-well-architected#main
To reference a mod in the local file system:
powerpipe mod install ../mods/local_mod_folder
Added --pull
flag to mod
, dashboard
and benchmark
commands to control the mod update strategy. (#352). Possible update strategies are:
full
- check branch and tags for both latest and accuracylatest
- update everything to latest, but only branches - not tags - are commit checked (which is the same as latest)development
- update branches and broken constraints to latest, leave satisfied constraints unchangedminimal
- only update broken constraints, do not check branches for new commitsBug fixes
osquery
instead of Osquery
.Bug fixes
Kubernetes > Node
resources will no longer include the conditions.lastHeartbeatTime
or resource_version
properties to avoid unnecessary notifications in the activity tab.What's new?
Resource Types
Policy Types
What's new?
Resource Types
Policy Types
Enhancements
tenant_id
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Microsoft 365 subscriptions. (#50)netgo
package. (#55)version
flag to the plugin's Export tool. (#65)Dependencies
QueryData
passed to ConnectionKeyColumns
value callback is populated with ConnectionManager
. (#50)Enhancements
tenant_id
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Azure subscriptions. (#175)netgo
package. (#180)China cloud
endpoint and scope based on the environment. (#174)version
flag to the plugin's Export tool. (#65)Dependencies
QueryData
passed to ConnectionKeyColumns
value callback is populated with ConnectionManager
. (#175)What's new?
Enhancements
Enhancements
Enhancements
What's new?
Server
api/latest/osquery/enroll
api/latest/osquery/config
api/latest/osquery/logger
serviceNowCredential
resolver specifically for Kubernetes clusters.@turbot/sdk
) to version 5.15.0 and our fn toolkit (@turbot/fn
) to version 5.22.0, to support FIFO queues.UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Control Types
Policy Types
Action Types
What's new?
Resource Types
Control Types
Policy Types
Action Types
What's new?
Resource Types
Control Types
Policy Types
Action Types
Bug fixes
GCP > IAM > Service Account Key > Active
control will no longer attempt to delete a system-managed service account key deemed inactive by the control.What's new?
AWS > IAM > Access Key > Active > Latest
policy.AWS > IAM > Server Certificate > Active > Expired
policy.Policy Types
Enhancements
tenant_id
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple OCI tenants. (#606)netgo
package. (#614)version
flag to the plugin's Export tool. (#65)Dependencies
Enhancements
project
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple GCP projects. (#564)netgo
package. (#580)version
flag to the plugin's Export tool. (#65)****Bug fixes
gcp_cloudfunctions_function
to list gen2
cloud functions. (#568) (Thanks @ashutoshmore658 for the contribution!)Dependencies
Enhancements
netgo
package. (#756)Bug fixes
server_properties
column in the azure_postgresql_flexible_server
table to correctly return data instead of nil
. (#754)Dependencies
QueryData
passed to ConnectionKeyColumns
value callback is populated with ConnectionManager
. (#755)Enhancements
account_id
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Alibaba Cloud accounts. (#406)netgo
package. (#419)version
flag to the plugin's Export tool. (#65)Dependencies
Bug fixes
GCP > Project > CMDB
control would go into an error state if Access Approval API was disabled in GCP. This is now fixed.Enhancements
context_name
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Kubernetes connections. (#217)netgo
package. (#219)version
flag to the plugin's Export tool. (#65)Dependencies
Enhancements
netgo
package for both the Linux and Darwin systems. (#219) (#2180)Bug fixes
aws_ebs_snapshot
table to correctly return data instead of an empty row. (#2185)Dependencies
Whats new
Added support for connection key columns: (#768)
A connection key column
defines a column whose value maps 1-1 to a Steampipe connection
and so can be used to filter connections when executing an aggregator query. These columns are treated as (optional) KeyColumns. This means they are taken into account in the query planning.
Added support for verbose timing information. (#4244)
Added support for pushing down sort order. (#447)
Updated limit pushdown logic to push down the limit if all sort clauses are pushed down. (#458)
Added support for WHERE column=val1 OR column=val2 OR column=val3...
Migrated from plugin registry from GCP to GHCR. (#4232)
Bug fixes
Bug fixes
QueryData
passed to connection key column value callback is populated with ConnectionManager
. (#797) What's new?
/processes
prefix from 1 day to 2 days./osquery
prefix.What's new?
Bug fixes
Azure > Compute > Virtual Machine Scale Set > Tags
control would sometimes fail to update tags correctly for Scale Sets launched via Azure marketplace. This is fixed and the control will now update tags correctly, as expected.What's new?
AWS > VPC > Network ACL > Ingress Rules > Approved > *
policies.Bug fixes
What's new?
AWS > EFS > Mount Target > Approved
policy to Enforce: Delete unapproved
.What's new?
aws_cloudwatch_metric_alarm
resources via Guardrails stacks.Control Types
Policy Types
Bug fixes
aws_securityhub_account
Terraform resource.What's new?
createdBy
details in Turbot CMDB.What's new?
Control Types
Policy Types
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Resource Types:
Control Types:
Policy Types:
Action Types:
What's new?
Control Types
Policy Types
Bug fixes
What's new?
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Enhancements
subscription_id
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Azure subscriptions. (#740)version
flag to the plugin's Export tool. (#65)Bug fixes
Dependencies
Bug fixes
Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved
control did not render correctly on mod inspect. This is now fixed.What's new?
Enhancements
version
flag to the plugin's Export tool. (#65)Bug fixes
Whats new
dashboard_timeout
and benchmark_timeout
--dashboard-timeout
flag for the dashboard run
and server
commands--benchmark-timeout
flag for the benchmark run
commands.POWERPIPE_DASHBOARD_TIMEOUT
and POWERPIPE_BENCHMARK_TIMEOUT
respectively.
(#336)dashboard input list
and dashboard input show
commands.Bug fixes
All new Pipes workspaces will be running Powerpipe v0.2.0 and existing workspaces will be upgraded by Monday 29th April 2024.
For more information on this Powerpipe release, see the release notes.
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Azure > Storage > Storage Account > Data Protection
control would go into an error state when container delete retention policy data was not available in CMDB. This issue is fixed and the control will now work as expected.What's new?
Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > *
and Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > *
policies respectively.Azure > PostgreSQL > Flexible Server > Approved
policy to Enforce: Stop unapproved
or Enforce: Stop unapproved if new
.Control Types
Policy Types
Action Types
Bug fixes
What's new?
Control Types
User consent for applications
is set to Do not allow user consent
Enable Infrastructure Encryption
for Each Storage Account in Azure Storage is Set to enabled
Policy Types
User consent for applications
is set to Do not allow user consent
User consent for applications
is set to Do not allow user consent
> AttestationEnable Infrastructure Encryption
for Each Storage Account in Azure Storage is Set to enabled
What's new?
worker_factory
in the CloudWatch Dashboard widgets "Events Queue Activity" and "Events Queue Backlog"._worker_factory
queue._worker
queue.Bug fixes
Server
UI
template_input
property of the policy setting in the Terraform plan to YAML format, improving clarity and manageability.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Turbot > Process Monitor
control to operate within the priority queue, ensuring more timely and efficient processing of critical tasks.Turbot > Workspace > Background Tasks
control to modify the next_tick_timestamp for any policy values that previously had incorrect defaults.Bug fixes
What's new?
Azure > Storage > Storage Account > Access Keys > Rotation Reminder > *
and Azure > Storage > Storage Account > Data Protection > Soft Delete > *
policies respectively.Control Types
Policy Types
Action Types
What's new?
Azure > SQL > Server > Firewall > IP Ranges > Approved > *
policies.Control Types
Policy Types
Action Types
Enhancements
workspace_dashboard
dashboard to include information on the accounts, resources, and active controls across different workspaces. (#31)workspace_account_report
dashboard to display resources, policy settings, alerts, and active controls across workspaces instead of the TE version. (#31)Enhancements
Bug fixes
rotationPeriod
and nextRotationTime
attributes for Crypto Keys did not update correctly in CMDB when the rotation policy for such keys was removed. This is now fixed.What's new?
Azure > MySQL > Flexible Server > Encryption in Transit > *
policies.createdBy
details in Turbot CMDB.Control Types
Policy Types
Action Types
What's new?
createdBy
details in Turbot CMDB.Policy Types
Bug fixes
AWS > VPC > Flow Log > Configured
control would sometimes go into an error state for flow logs created via the AWS console, even though they were correctly claimed by a Guardrails stack. This is now fixed.What's new?
Enhancements
account_id
column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple AWS accounts. (#2133)Bug fixes
getDirectoryServiceSnapshotLimit
and getDirectoryServiceEventTopics
hydrate calls in the aws_directory_service_directory
table to correctly return nil
for the unsupported ADConnector
services instead of an error. (#2170)What's new?
What's new?
Azure > PostgreSQL > Flexible Server > Audit Logging > *
policies.Control Types
Policy Types
Action Types
What's new?
Azure > Key Vault > Key > Expiration > *
and Azure > Key Vault > Secret > Expiration > *
policies respectively.Control Types
Policy Types
Action Types
What's new?
What's new?
powerpipe benchmark run gcp_compliance.benchmark.cis_v300
). (#158)What's new?
Bug fixes
Azure > Storage > Storage Account > Queue > Logging
control would go into a skipped state for storage accounts, irrespective of any policy setting for Logging. This issue is fixed and the control will now work as expected.What's new?
Github App
. Please refer Github plugin configuration for more information. (#414)Bug fixes
What's new?
Enhancements
snapshot_block_public_access_state
column to aws_ec2_regional_settings
table. (#2077)Bug fixes
getDirectoryServiceSnapshotLimit
and getDirectoryServiceEventTopics
hydrate calls in the aws_directory_service_directory
table to correctly return nil
for unsupported SharedMicrosoftAD
services instead of an error. (#2156)What's new?
What's new?
Azure > Network > Public IP Address > Approved
policy to Enforce: Delete unapproved
.Bug fixes
Turbot > IAM > Permissions > Compiled > Levels > Account
policy now correctly checks the workspace version if it's installed on a workspace version < 5.50.0.What's new?
Azure > PostgresSql > Flexible Server > Encryption in Transit > *
policies.Control Types
Policy Types
Action Types
Bug fixes
foundational_security_lambda_2
control to check for the latest Lambda runtimes as per the AWS FSBP document. (#778) (Thanks @sbldevnet for the contribution!)secretsmanager_secret_unused_90_day
control. (#783)What's new?
Azure > Active Directory > User > Approved
policy to Enforce: Delete unapproved
.Policy Types
What's new?
Azure > MySQL > Flexible Server > Minimum TLS Version > *
policies.Enhancements
All Controls
benchmark: (#253)cosmosdb_account_uses_aad_and_rbac
iam_user_not_allowed_to_create_tenants
securitycenter_image_scan_enabled
Bug fixes
postgres_db_server_allow_access_to_azure_services_disabled
query to check if the endIpAddress
column is set to 0.0.0.0
instead of 255.255.255.255
as per the CIS documentation. (#253)Bug fixes
Account/User
and Account/Metadata
levels from the default Account > Permission policyWhat's new?
What's new?
What's new?
Control Types
Policy Types
What's new?
Enhancements
Bug fixes
versions.json
). (#4223)<nil>
when there was no message to show. (#4206)Bug fixes
What's new?
AWS > EC2 > Account Attributes > Instance Metadata Service Defaults > *
policies.Bug fixes
AWS > EC2 > Instance > Approved
control would sometimes fail to stop instances that were discovered in Guardrails via real-time events if the AWS > EC2 > Instance > Approved
policy was set to Enforce: Stop unapproved if new
. This is now fixed.What's new?
What's new?
connection_throttling
parameter for PostgreSQL servers. To get started, set the Azure > PostgreSQL > Server > Audit Logging > Connection Throttling
policy.What's new?
What's new?
AWS > KMS > Key > Approved
policy to Enforce: Disable unapproved
.What's new?
Enhancements
quota_project
config arg to provide users the ability to set the Project ID
used for billing and quota. (#556)Bug fixes
retry_policy_maximum_backoff
and retry_policy_minimum_backoff
columns of gcp_pubsub_subscription
table to correctly return data. (#552) (Thanks to @mvanholsteijn for the contribution!)What's new?
Bug fixes
aws_vpc_eip
table to return an Access Denied
error instead of an Invalid Memory Address or Nil Pointer Dereference
error when a Service Control Policy
is applied to an account for a specific region. (#2136)aws_s3_bucket
terraform script to prevent the AccessControlListNotSupported: The bucket does not allow ACLs
error during the PutBucketAcl
terraform call. (#2080) (Thanks @pdecat for the contribution!)cross-account
role credentials results in the correct error being reported instead of zero rows. (#2137)aws_ebs_snapshot
table to make fewer API calls when the limit
parameter is passed to the query. (#2088)What's new?
rds_mysql_postresql_db_no_unsupported_version
(#174)Bug fixes
Enforce: Enabled but ignore permission errors
for the AWS > SNS > Subscription > CMDB
policy, allowing the corresponding CMDB control to ignore permission errors, if any, and proceed to completion. However, configuring the CMDB policy to Enforce: Enabled but ignore permission errors
inadvertently introduced a bug, resulting in the removal of real-time events for Subscription from the SNS EventBridge rule created by the Event Handlers. This issue has now been fixed.Bug fixes
Enforce: Enabled but ignore permission errors
for the AWS > KMS > Key > CMDB
policy, allowing the corresponding CMDB control to ignore permission errors, if any, and proceed to completion. However, configuring the CMDB policy to Enforce: Enabled but ignore permission errors
inadvertently introduced a bug, resulting in the removal of the EventBridge Rule for KMS by the Event Handlers. This issue has now been fixed.Bug fixes
loop
block now works in container
, function
, message
and input
steps.max_concurrency
step argument. (#800).throw
, retry
and error
block now works for input
step.Breaking changes
Foundational Security Best Practices v1.0.0
benchmark has been updated to better align with the matching AWS Security Hub. The following updates have been made: (#772)foundational_security_elbv2
sub-benchmark have been removed.foundational_security_cloudfront_2
foundational_security_ec2_22
foundational_security_s3_4
Enhancements
Foundational Security Best Practices v1.0.0
benchmark has been updated to better align with the matching AWS Security Hub. The following updates have been made: (#772)foundational_security
benchmark:foundational_security_appsync
foundational_security_backup
foundational_security_eventbridge
foundational_security_fsx
foundational_security_msk
foundational_security_pca
foundational_security_route53
foundational_security_sfn
foundational_security_acm_2
foundational_security_appsync_2
foundational_security_backup_1
foundational_security_cloudfront_13
foundational_security_dms_6
foundational_security_dms_7
foundational_security_dms_8
foundational_security_dms_9
foundational_security_docdb_3
foundational_security_docdb_4
foundational_security_docdb_5
foundational_security_dms_9
foundational_security_dynamodb_6
foundational_security_ec2_51
foundational_security_ecs_9
foundational_security_eks_8
foundational_security_elasticbeanstalk_3
foundational_security_emr_2
foundational_security_eventbridge_3
foundational_security_fsx_1
foundational_security_msk_1
foundational_security_networkfirewall_2
foundational_security_networkfirewall_9
foundational_security_opensearch_10
foundational_security_pca_1
foundational_security_rds_34
foundational_security_rds_35
foundational_security_route53_2
foundational_security_s3_19
foundational_security_sfn_1
foundational_security_waf_12
What's new?
Enhancements
v0.13.2 of the Terraform Provider for Pipes is now available.
Bug fixes
pipes_workspace_datatank_table
: Set PartPer
setting for datatank table to be nil
if nothing is passed in configuration while updating a datatank table. (#23)Enhancements:
resources/pipes_workspace
: Add support for passing desired_state
, db_volume_size_bytes
attribute when creating or updating a workspace. Add missing attribute state_reason
.resources/pipes_workspace_pipeline
: Add support for passing desired_state
attribute when creating or updating a pipeline. Add attributes state
and state_reason
.resources/pipes_workspace_datatank
: Add support for passing desired_state
attribute when creating a datatank.resources/pipes_workspace_datatank_table
: Add support for passing desired_state
attribute when creating a datatank_table.Bug fixes
project_license_table
, project_other_license_count
and project_weak_copyleft_license_count
queries to use the latest version of EUP (European Union Public License 1.2). (#13)Bug fixes
repository_license_table
, repository_other_license_count
and repository_weak_copyleft_license_count
queries to use the latest version of EUP (European Union Public License 1.2). (#25)Bug fixes
cis_v200_2_4
to cis_v200_2_11
to correctly evaluate results when using the aggregator connection of the GCP plugin. (#154)Bug fixes
max_concurrency
argument. (#798).try()
function should be evaluated at runtime rather than parse time.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Control Types:
Policy Types:
Action Types:
Bug fixes
benchmark run
result as a snapshot, ensure the top level panel has a valid summary. (#274)mod list
output to include resource_name
and mod
fields. Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Enforce: Disabled
. This is now fixed.What's new?
powerpipe benchmark run azure_compliance.benchmark.cis_v210
). (#250)Whats new
All new Pipes workspaces will be running Powerpipe v0.4.1 and existing workspaces will be upgraded by Monday 29th July 2024.
For more information on this Powerpipe release, see the release notes.
All new Pipes workspaces will be running Steampipe v0.22.1 and existing workspaces will be upgraded by Monday 18th March 2024.
For more information on this Steampipe release, see the release notes.
All new Pipes workspaces will be running Powerpipe v0.1.2 and existing workspaces will be upgraded by Monday 18th March 2024.
For more information on this Powerpipe release, see the release notes.
Bug fixes
AWS > VPC > VPC > Stack
control failed to claim security group rules correctly if the protocol
for such rules was set to All
or TCP
in the stack's source policy. This issue has been fixed, and the control will now claim such rules correctly.Bug fixes
What's new?
Enhancements
auto_minor_version_upgrade
column to aws_rds_db_cluster
table. (#2109)open_zfs_configuration
column to aws_fsx_file_system
table. (#2113)logging_configuration
column to aws_networkfirewall_firewall
table. (#2115)lf_tags
column to aws_glue_catalog_table
table. (#2128)Bug fixes
aws_s3_bucket
table doc to correctly filter out buckets without the application
tag. (#2093)aws_cloudtrail_lookup_event
input param to pass correctly end_time
as an optional qual. (#2102)arn
column of the aws_elastic_beanstalk_environment
table to correctly return data instead of null
. (#2105)template_body_json
column of the aws_cloudformation_stack
table to correctly return data by adding a new transform function formatJsonBody
, replacing the UnmarshalYAML
transform function. (#1959)next_execution_time
column of aws_ssm_maintenance_window
table to be of String
datatype instead of TIMESTAMP
. (#2116)client_log_options
column to connection_log_options
in aws_ec2_client_vpn_endpoint
table to correctly return data instead of null
. (#2122)Whats new
Bug fixes
Notice
install.sh
has been moved from the top level folder to the scripts
folder.Notice
Steampipe will no longer officially publish or support a Dockerfile or container images.
Steampipe can be run in a containerized setup. We run it ourselves that way as part of Turbot Pipes. But, we've decided to cease publishing an supporting a container definition because:
We welcome users to create and share your own open-source container definitions for Steampipe!
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
AWS > SageMaker > Code Repository > Regions
policy, which led to the AWS > SageMaker > Code Repository > Discovery
control being in an error state for those regions. We've now removed the unsupported US Gov cloud regions from the Regions policy.What's new?
Bug fixes
Enforce: Disabled
. This is now fixed.Bug fixes
throw
and output
block in pipeline steps works correctly with ternary operators and will not trigger mod reload for white space changes.Bug fixes
Enforce: Disabled
. This is now fixed.AWS > VPC > VPC > Stack
control that prevented it from recognizing security group rules with the port range set to 0 correctly. However, the control still failed to claim existing security group rules available in Guardrails CMDB, due to an inadvertent bug introduced in v5.9.2. This issue has now been fixed, and the control will correctly claim existing security group rules.Bug fixes
Enforce: Disabled
. This is now fixed.Bug fixes
lists
events for various storage resources. We've now improved our events filter to ignore these lists
events, thereby reducing unnecessary processing.Bug fixes
Enforce: Disabled
. This is now fixed.Bug fixes
Enforce: Disabled
. This is now fixed.Bug fixes
Enforce: Disabled
. This is now fixed.AWS > EC2 > Snapshot > Active
and AWS > EC2 > Snapshot > Approved
controls will now not attempt to delete a snapshot if it has one or more AMIs attached to it.ec2-reports:*
permissions are now removed from the mod.v0.13.1 of the Terraform Provider for Pipes is now available.
Bug fixes
pipes_workspace_pipeline
and are only updated when a valid value is present in the Terraform configuration.All new Pipes workspaces will be running Steampipe v0.22.0 and existing workspaces will be upgraded by Monday 11th March 2024.
For more information on this Steampipe release, see the release post or release notes.
Dashboards in Turbot Pipes are now powered by Powerpipe, allowing you to filter, group and share custom views of your cloud benchmarks.
All new Pipes workspaces will be running Powerpipe v0.1.0 and existing workspaces will be upgraded by Monday 11th March 2024.
For more information on the launch of Powerpipe, see the launch post or release notes.
Bug fixes
CreateDefaultVpc
events. However, we overlooked an edge case in the fix. We have now addressed this issue, ensuring that Internet Gateways will be reliably discovered and upserted into the Guardrails CMDB. We recommend updating the aws-vpc-core
mod to version 5.17.1 or higher to enable Guardrails to correctly process real-time CreateDefaultVpc events for Internet Gateways.Enforce: Disabled
. This is now fixed.We're thrilled to announce the release of 52 new Powerpipe mods, featuring pre-built dashboards and benchmarks for cloud inventory & insights, security & compliance, cost management and shift-left scanning. These include the 43 Steampipe mods to visualize AWS, Azure, GCP, GitHub, Terraform and more using Steampipe as the database. And 9 new, ready-to-use Powerpipe mods providing easy to learn examples to visualize data in Postgres, SQLite, DuckDB, and MySQL!
A full list of mods can be found in the Powerpipe Hub.
For more information on how you can get started incorporating these mods into your own custom dashboards and benchmarks, please see Introducing Powerpipe - Composable Mods.
Introducing Powerpipe - Dashboards for DevOps.
Benchmarks - 5,000+ open-source controls from CIS, NIST, PCI, HIPAA, FedRamp and more. Run instantly on your machine or as part of your deployment pipeline.
Relationship Diagrams - The only dashboarding tool designed from the ground up to visualize DevOps data. Explore your cloud,understand relationships and drill down to the details.
Dashboards & Reports - High level dashboards provide a quick management view. Reports highlight misconfigurations and attention areas. Filter, pivot and snapshot results.
Code, not clicks - Our dashboards are code. Version controlled, composable, shareable, easy to edit - designed for the way you work. Join our open-source community!
Learn more at:
Bug fixes
AWS > VPC > VPC > Stack
control would sometimes go into an error state after creating security group rules with port range set to 0. This occurred because the control failed to recognize the existing rule in Guardrails CMDB and attempted to create a new rule instead. This issue has been fixed, and the stack control will now work correctly as expected.AWS > VPC > Security Group > CMDB
control would sometimes go into an error state for security groups shared from other AWS accounts. We will now exclude shared security groups and only upsert security groups that belong to the owner account.What's new?
You can now also manage the IAM Permissions model for Guardrails Users via the AWS > Turbot > IAM > Managed
control. The AWS > Turbot > IAM > Managed
control is faster and more efficient than the existing AWS > Turbot > IAM
control because it utilizes Native AWS APIs rather than Terraform to manage IAM resources. Please note that this feature will work as intended only on TE v5.42.19 or higher and turbot-iam
mod v5.11.0 or higher.
Control Types
Policy Types
Policy Types Renamed
Action Types
Bug fixes
The AWS > IAM > Group > CMDB
, AWS > IAM > Role > CMDB
, and AWS > IAM > User > CMDB
controls previously failed to fetch all attachments for groups, roles, and users, respectively, due to the lack of pagination support. This issue has been fixed, and the controls will now correctly fetch all respective attachments.
Steampipe unbundled, introducing Powerpipe
Powerpipe is now the recommended way to run dashboards and benchmarks!
Mods still work as normal in Steampipe for now, but they are deprecated and will be removed in a future release:
Whats new
version
column to steampipe_plugin
table. (#4141)Bug fixes
search_path_prefix
set in database options
does not alter the search path. (#4160)asff
output was always missing the first row. (#4157)Deprecations and migrations
cloud-host
and cloud-token
CLI args, and replaced them with pipes-host
and pipes-token
respectively. (#4137)STEAMPIPE_CLOUD_HOST
and STEAMPIPE_CLOUD_TOKEN
env vars, replaced with PIPES_HOST
and PIPES_TOKEN
respectively. (#4137)cloud_host
and cloud_token
workspace args, replaced with pipes_host
and pipes_token
respectively. (#4137)terminal options
. (#3751)max_parallel
property in general options
. (#4132)connection options
. (#4131)version
property from the mod require
block. (#3750)What's new?
alicloud
and mastodon
.started_at
and finished_at
added under a flowpipe
attribute.flowpipe.db
into the mod-level .flowpipe
directory.connection_string
in query step and trigger renamed to database
.Deprecation
Bug fixes
log_level
workspace setting is now respected (#618).listen
flag should be network, not localhost (#694)Bug fixes
metadata
param type in create_ticket
pipeline to be consistent with similar param types.Bug fixes
secret
param type in create_secret
pipeline.Bug fixes
What's new?
add_s3_bucket_cost_center_tags
aws_iam_access_key_events_notifier_with_multiple_pipelines
aws_iam_access_key_events_notifier_with_single_pipeline
deactivate_expired_aws_iam_access_keys_using_queries
deactivate_expired_aws_iam_access_keys_with_approval
notify_new_aws_iam_access_keys
Enhancements
Bug fixes
Server
/tenant/${workspaceFullId}
to Advanced
.resolvedSchema
if not available in the schema.UI
AWS > Turbot > IAM > Managed
control.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Turbot > IAM > Permissions > Compiled > Levels > Turbot
policy will now be evaluated correctly and consistently.Bug fixes
What's new?
The AWS > S3 > Bucket
CMDB data will now also include information about Bucket Intelligent Tiering Configuration.
A few policy values in the AWS > S3 > Bucket > Encyprion at Rest
policy have now been deprecated and will be removed in the next major mod version (v6.0.0) because they are no longer supported by AWS.
| Deprecated Values
|-
| Check: None
| Check: None or higher
| Enforce: None
| Enforce: None or higher
Bug fixes
ticket_id
param from update_ticket_comment
pipeline.Bug fixes
license
param in create_user
pipeline. (#6)Bug fixes
generate_ssh_keys
param in various Compute VM test pipelines.Bug fixes
CreateDefaultVpc
events. This issue has been fixed, and Internet Gateways will now be more reliably upserted into the Guardrails CMDB.
We recommend updating the aws-vpc-core
mod to v5.17.1 or higher to allow Guardrails to process the CreateDefaultVpc
event for Internet Gateways correctly.Bug fixes
CreateDefaultVpc
events. This issue has been fixed, and DHCP Options will now be more reliably upserted into the Guardrails CMDB.Bug fixes
lists
events for various Dataproc resources. We've now improved our events filter to ignore these lists
events, thereby reducing unnecessary processing.Bug fixes
GCP > Turbot > Event Handlers > Pub/Sub
stack control previously attempted to create a topic and its IAM member incorrectly when the GCP > Turbot > Event Handlers > Logging > Unique Writer Identity
policy was set to Enforce: Unique Identity
, but the project number for the project was not available. This is fixed and the control will transition to an Invalid state until Guardrails can correctly fetch the project number.Bug fixes
get_channel_history
pipeline. (#20)What's new?
Control Types:
Policy Types:
Action Types
Bug fixes
AWS > S3 > Bucket > Encryption in Transit
and AWS > S3 > Bucket > Encryption at Rest
control to wait for a few minutes before applying the respective policies to new buckets created via Cloudformation Stacks. We've now extended this feature to all buckets regardless of how they were created, to ensure that IaC changes can be correctly applied to buckets without interference from immediate policy enforcements.What's new?
What's new?
What's new?
Note
To use the latest RDS certificate in commercial cloud, please upgrade TE to 5.42.3 or higher and update the RDS CA Certificate for Commercial Cloud
parameter.
Bug fixes
Server
UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
What's new?
Control Types:
Policy Types:
What's new?
AWS > Secrets Manager > Secret > CMDB
control would go into an error state if Guardrails did not have permissions to describe a secret. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set the AWS > Secrets Manager > Secret > CMDB
policy to Enforce: Enabled but ignore permission errors
.What's new?
You can now attach custom IAM Groups to Guardrails users if the AWS > Turbot > Permissions
policy is set to Enforce: User Mode
. To get started, set the AWS > Turbot > Permissions > Custom Group Levels [Account]
policy and then attach the custom group to a user via the Grant Permission button on the Permissions page. Please note that this feature will work as intended only on TE v5.42.18 or higher and turbot-iam
mod v5.11.0 or higher.
Policy Types:
Policy Types renamed:
What's new?
Bug fixes
InvalidParameterCombination
error when querying the aws_rds_db_instance
table. (#2085)aws_rds_db_instance_metric_write_iops_daily
table to correctly display WriteIOPS
instead of ReadIOPS
. (#2079)Dependencies
Bug fixes
Cloud Functions
benchmark into all_controls
benchmark. (#146)What's new?
Bug fixes
What's new?
Control Types:
Policy Types:
Bug fixes
Bug fixes
AWS > VPC > VPC > Stack
control would sometimes fail to claim existing Flow Logs in Guardrails CMDB. This is now fixed.What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
Bug fixes
AWS > SNS > Subscription > CMDB
control would go into an error state if Guardrails did not have permissions to describe a subscription. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set the AWS > SNS > Subscription > CMDB
policy to Enforce: Enabled but ignore permission errors
.Dependencies
v0.131.0
or higher is now required. (#747)Enhancements
All Controls
benchmark across the following services: (#747)API Gateway
DMS
EMR
MQ
VPC
Bug fixes
foundational_security_ssm_2
control to correctly evaluate results when patches are not applicable for SSM managed EC2 instances. (#761)What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
The timeout for scheduled snapshot pipelines has been extended from 10 minutes to 1 hour, giving complex benchmarks and dashboards longer to successfully complete.
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
Bug fixes
GCP > Compute Engine > Instance Template > CMDB
control would sometimes go into an error state due to a bad internal build. This is fixed and the control will now work as expected.Bug fixes
Azure > Subscription
, importing subscriptions encountered schema validation problems. This issue has been resolved, and you can now successfully import subscriptions as before.Bug fixes
Bug fixes
scaleway_billing_consumption
table docs to use consumption
instead of consumtion
. (#80)What's new?
Enhancements
wiz.spc
file. (#23)Bug fixes
service_tickets
column in wiz_issue
table by removing the action
subfield from the ServiceTickets
field in the GraphQL response since it was no longer available. (#24 #25) (Thanks @sycophantic for the contribution!)Bug fixes
rds_db_cluster_encrypted_with_kms_cmk
. (#105)Bug fixes
service_account
. (#56)What's new?
Bug fixes
What's new?
ap-northeast-3
in the AWS > Account > Regions
policy.What's new?
af-south-1
, ap-northeast-3
, ap-south-2
, ap-southeast-3
, ap-southeast-4
, ca-west-1
, eu-central-2
, eu-south-1
, eu-south-2
, il-central-1
and me-central-1
regions in the AWS > Logs > Regions
policy.What's new?
You can now configure Block Public Access for Snapshots. To get started, set the AWS > EC2 > Account Attributes > Block Public Access for Snapshots
policy.
You can now also disable Block Public Access for AMIs. To get started, set the AWS > EC2 > Account Attributes > Block Public Access for AMIs
policy.
AWS/EC2/Admin
, AWS/EC2/Metadata
and AWS/EC2/Operator
now includes permissions for Verified Access Endpoints, Verified Access Groups and Verified Access Trust Providers.
Control Types:
Policy Types:
Action Types:
Bug fixes
What's new?
Bug fixes
What's new?
create_branch
, delete_branch
and get_branch
pipelines. (#10)What's new?
steampipe check benchmark.cis_v300
). (#755)What's new?
Deny: *
for HTTP in SNS Policy.What's new?
Bug fixes
Deny:*
policy for HTTP traffic back to the turbot-policy-parameter custom lambda code.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
createdBy
details in Turbot CMDB.What's new?
createdBy
details in Turbot CMDB.What's new?
createdBy
details in Turbot CMDB.Bug fixes
HomeDirectoryModfileCheck
returning false positive, causing errors when executing steampipe out of the home directory. (#4118)v1.10.1 of the Terraform Provider for Guardrails is now available.
Bug fixes
resource/turbot_file
: terraform apply failed to update content
of an existing File in Guardrails. This is now fixed.What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
What's new?
What's new?
createdBy
details in Turbot CMDB.What's new?
What's new?
What's new?
createdBy
details in Turbot CMDB.Bug fixes
The AWS > EC2 > Key Pair > Discovery
control would sometimes go into an error state if a Key Pair alias included escape characters. This is now fixed.
Control Types renamed:
AWS > EC2 > Volume > Configuration
to AWS > EC2 > Volume > Performance Configuration
Policy Types renamed:
AWS > EC2 > Volume > Configuration
to AWS > EC2 > Volume > Performance Configuration
AWS > EC2 > Volume > Configuration > IOPS Capacity
to AWS > EC2 > Volume > Performance Configuration > IOPS Capacity
AWS > EC2 > Volume > Configuration > Throughput
to AWS > EC2 > Volume > Performance Configuration > Throughput
AWS > EC2 > Volume > Configuration > Type
to AWS > EC2 > Volume > Performance Configuration > Type
Action Types renamed:
AWS > EC2 > Volume > Update Configuration
to AWS > EC2 > Volume > Update Performance Configuration
Enhancements
Bug fixes
Turbot > Policy Setting Expiration
control will now run every 12 hours to manage policy setting expirations more consistently than before.Bug fixes
add_labels_to_compute_disk
and add_labels_to_compute_instance
pipelines. (#7)What's new?
What's new?
What's new?
createdBy
details in Turbot CMDB.What's new?
createdBy
details in Turbot CMDB.What's new?
What's new?
What's new?
createdBy
details in Turbot CMDB.What's new?
createdBy
details in Turbot CMDB.What's new?
What's new?
createdBy
details in Turbot CMDB.What's new?
What's new?
OAuth
config support to provide users the ability to set OAuth secret client ID
and OAuth secret value
of a service principal. For more information, please see Databricks plugin configuration. (#6) (Thanks @rinzool for the contribution!)Config
object to directly pass credentials to the client. (#10)What's new?
Enhancements
authorization_rules
column to azure_servicebus_namespace
table. (#719)Enhancements
aws_cloudwatch_log_stream
table's query performance by adding descending
, log_group_name
, log_stream_name_prefix
and order_by
new optional key qual columns. (#1951)aws_ssm_inventory
table's query performance by adding new optional key qual columns such as filter_key
, filter_value
, network_attribute_key
, network_attribute_value
, etc. (#1980)Bug fixes
aws_cloudwatch_log_group
table key column to be globally unique by filtering the results by region. (#1976)aws_s3_multi_region_access_point
and aws_ec2_launch_template
tables.(#2065)type_name
in table aws_ssm_inventory_entry
. (#1980)aws_s3_bucket
table's GetBucketLocation
hydrate function to optimize query performance. (#2066)Bug fixes
What's new?
What's new?
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Types:
What's new?
createdBy
details in Turbot CMDB.What's new?
createdBy
details in Turbot CMDB.What's new?
What's new?
What's new?
What's new?
Dependencies
v0.53.0
or higher is now required. (#242)Enhancements
All Controls
benchmark across the following services: (#234 #233)Active Directory
App Service
Batch
Compute
Container Instance
Key Vault
Kubernetes Service
Network
Recovery Service
Service Bus
Storage
Bug fixes
CIS_v150_2_1_9
control. (#238) (Thanks @sfunkernw for the contribution!)v0.13.0 of the Terraform Provider for Pipes is now available.
What's new?
pipes_tenant
.pipes_tenant_member
.Enhancements
pipes_organization_member
now supports adding users directly to an organization in a custom tenant, rather than by invitation.What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
Action Types:
Breaking changes
iam_root_user_virtual_mfa
control since it is not recommended as good practice. (#743)iam_account_password_policy_strong
with iam_account_password_policy_strong_min_reuse_24
in the GDPR
, FFIEC
and CISA Cyber Essentials
benchmarks to align more accurately with the requirements specified in the AWS Config rules. (#739)Bug fixes
What's new?
What's new?
source
argument for inline image definitions.timeout
to pipeline steps.enabled
attribute.flowpipe server
.list
and show
commands.5m
, 10m
, etc).Bug fixes
execution_mode
argument to HTTP Trigger (#533).args
arguments unable to be updated in the Pipeline Step loop block (#559).Bug fixes
versions.json
to the CWD if the plugin folder is not found. (#4073)What's new?
What's new?
kubernetes_cluster_no_cluster_level_node_pool
control to the Kubernetes
benchmark. (#53)What's new?
Enhancements
What's new?
Enhancements
iam_policy
to gcp_cloud_run_service
table. (#531)gcp_logging_log_entry
table result or result timing by applying a timestamp filter. (#508)json_payload
, proto_payload
, metadata
, resource
, operation
, and tags
columns to gcp_logging_log_entry
table. (#508)Bug fixes
addons_config
, network_config
and network_policy
column of gcp_kubernetes_cluster
table to correctly return data instead of null. (#530)end_time
column of the gcp_sql_backup
table to return null
instead of an error when end time is unavailable for a SQL backup. (#534)enqueued_time
, start_time
and window_start_time
columns of the gcp_sql_backup
table to return null
instead of an error when timestamp is unavailable for a SQL backup. (#536)Enhancements
audit_policy
column to azure_sql_database
and azure_sql_server
tables. (#711)webhooks
column to azure_container_registry
table. (#710)disable_local_auth
and status
columns to azure_servicebus_namespace
table. (#715)Bug fixes
azure_key_vault_secret
table to correctly return data when keyvault name is in camel-case. (#638)Bug fixes
low_iops_ebs_volumes
control to now suggest converting io1
and io2
volumes to GP3
volumes, when the base IOPS
is less than 16000
instead of 3000
. (#167)What's new?
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
What's new?
Resource Types:
Control Types:
Policy Types:
Action Types:
What's new?
Enhancements
deletion_protection_enabled
column to aws_dynamodb_table
table. (#2049)Bug fixes
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Requirements
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
Bug fixes
GCP > Turbot > Event Poller
control now includes a precheck condition to avoid running GraphQL input queries when the GCP > Turbot > Event Poller
policy is set to Disabled
. You won’t notice any difference and the control should run lighter and quicker than before.Bug fixes
Azure > Turbot > Event Poller
and Azure > Turbot > Management Group Event Poller
controls now include a precheck condition to avoid running GraphQL input queries when the Azure > Turbot > Event Poller
and Azure > Turbot > Management Group Event Poller
policies are set to Disabled
respectively. You won’t notice any difference and the controls should run lighter and quicker than before.Bug fixes
Azure > Turbot > Directory Event Poller
control now includes a precheck condition to avoid running GraphQL input queries when the Azure > Turbot > Directory Event Poller
policy is set to Disabled
. You won’t notice any difference and the control should run lighter and quicker than before.Bug fixes
AWS > Turbot > Event Poller
control now includes a precheck condition to avoid running GraphQL input queries when the AWS > Turbot > Event Poller
policy is set to Disabled
. You won’t notice any difference and the control should run lighter and quicker than before.What's new?
Resource Types:
Policy Types:
What's new?
Droplet
Database
Block Storage
Kubernetes
To get started, please see [Digitalocean Thrifty Configuration] (https://hub.steampipe.io/mods/turbot/digitalocean_thrifty#configuration). For a list of variables and their default values, please see steampipe.spvars. (#36)
What's new?
Note : Table aws_sns_topic_subscription
will be changing behaviours in a future release to return results from ListSubscriptionsByTopic
instead of ListSubscriptions
.
What's new?
Control Types:
Policy Types:
Bug fixes
risk
instead of severity
to eliminate duplicate column names in output files. (#41)What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
aws_network_interface_sg_attachment
Terraform resource for AWS > EC2 > Network Interface
.Bug fixes
AWS > EC2 > Instance > CMDB
control would sometimes trigger multiple times if EnclaveOptions
was not set as part of the AWS > EC2 > Instance > CMDB > Attributes
policy. This would result in unnecessary Lambda runs for the control. The EnclaveOptions
attribute is now available in the CMDB data by default and the EnclaveOptions
policy value in AWS > EC2 > Instance > CMDB > Attributes
policy has now been deprecated, and will be removed in the next major version.Bug fixes
api_key
instead of token
. (#7)What's new?
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
container_instance_container_group_secure_environment_variable
container_registry_zone_redundant_enabled
What's new?
Enhancements
storage_throughput
column to aws_rds_db_instance
table. (#2010) (Thanks @toddwh50 for the contribution!)layers
column to aws_lambda_function
table. (#2008) (Thanks @icaliskanoglu for the contribution!)tags
column to aws_backup_recovery_point
and aws_backup_vault
tables. (#2033)Bug fixes
Bug fixes
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Enhancements
query =
rather than sql =
. (#25)Bug fixes
network_subnet_to_network_virtual_network
edge of the relationship graph in the sql_server_detail
dashboard page to correctly reference the network_subnets_for_sql_server
query. (#118)Bug fixes
kubernetes_cluster_upgraded_with_non_vulnerable_version
query to correctly check if a Kubernetes cluster is using an outdated software version. (#235)Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Control Types:
Policy Types:
Bug fixes
objects
config argument is not set or the plugin credentials are not set correctly. (#26)What's new?
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
Whats new
Bug fixes
v0.12.1 of the Terraform Provider for Pipes is now available.
Bug fixes
PartPer
setting for a pipes_workspace_datatank_table
resource would have previously resulted in an error, meaning you had to pass connection
as the value. This field is now optional, allowing single part tables to be defined.What's new?
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Enhancements
All Controls
benchmark across the following services: (#140)Enhancements
All Controls
benchmark across the following services: (#736)What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
What's new?
Server
Require Signed Assertion Response
.UI:
Require Signed Assertion Response
for enhanced security in SAML authentication.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Enhanced Security and Compatibility Guide for SAML Authentication
Description:
The recent update to @node-saml/passport-saml
mandates the signing of the assertion response. To ensure backward compatibility, we have introduced a new configuration option in the UI:
By default, this option is set to Disabled
to maintain compatibility with existing setups.
Recommendations: We recommend enabling this option as it adds an additional layer of security. However, please be aware that enabling this setting might impact the SAML login functionality.
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
Enhancements
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
Enhancements
.goreleaser
file to build the netgo package only for Darwin systems. (#2029)What's new?
Control Types:
Policy Types:
What's new?
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
Bug fixes
AWS > RDS > DB Instance > Discovery
control would sometimes upsert DocumentDB Instances as RDS Instances in Guardrails CMDB. This is fixed and the control will now filter out DocumentDB Instances while upserting resources in CMDB.Turbot Pipes Enterprise plan is now available.
The Enterprise tier expands on the Team tier’s features with enhanced collaboration, enterprise-grade security, and improved scalability, making it ideal for larger organizations:
Get started in a 14-day free trial then switch to flexible, usage based pricing.
For more information, see the launch post.
Turbot Pipes now officially supports billing for your organization Enterprise plan via the AWS Marketplace.
For more information, see the Pipes billing docs.
Our trademark policy & terms now clarify that while others are allowed to make their own distribution of Turbot open-source software, they cannot use any of the Turbot trademarks, cloud services, etc.
We now require a signed Contributor License Agreement for all contributions to our AGPL 3.0 and CC BY-NC-ND licensed repositories.
Learn more in our open source FAQ.
114 plugins have been updated to include the following changes:
What's new?
Dependencies
_ctx
column, and fixing connection and potential divide-by-zero bugs.35 new, ready-to-use Flowpipe sample mods are now available! These mods serve as practical examples, showcasing the patterns and applications of various library mods. Every mod comes with specific instructions for installation and use, enabling fast and easy setup.
A full list of sample mods can be found in the Flowpipe Hub and the source code is available at turbot/flowpipe-samples.
Introducing Flowpipe, a cloud scripting engine. Automation and workflow to connect your clouds to the people, systems and data that matter. Pipelines for DevOps written in HCL.
Initial support for:
Learn more at:
We're thrilled to announce the release of 28 new Flowpipe library mods, featuring versatile pipelines for common tasks. These include starting AWS EC2 instances, creating GitHub issues, sending Slack messages, generating Zendesk tickets, and much more!
A full list of library mods can be found in the Flowpipe Hub.
For more information on how you can get started incorporating these library mods into your own mods and pipelines, please see Introducing Flowpipe - Composable Mods.
What's new?
What's new?
Control Types:
Policy Types:
Action Types:
Bug fixes
AWS > IAM > Account Password Policy > CMDB
control would incorrectly go into an Alarm state when Guardrails was denied access to fetch the Account Password Policy data. This is fixed and the control will now move to an Error state instead for such cases.Bug fixes
What's new?
AWS/CloudFront/Admin
and AWS/CloudFront/Metadata
will now also include permissions for CloudFront KeyValueStore.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Policy Types:
Control Types:
Action Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
Action Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
Bug fixes
ServiceNow > Turbot > Watches > AWS
control would fail to delete/archive records in ServiceNow. This is now fixed.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
cmdb_ci*
Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.Bug fixes
cmdb_ci*
Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.Bug fixes
cmdb_ci*
Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.Bug fixes
cmdb_ci*
Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.Bug fixes
cmdb_ci*
Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.Bug fixes
cmdb_ci*
Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.Bug fixes
cmdb_ci*
Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
AWS > Turbot > Event Poller
policy will now be automatically set to Disabled
if any of the AWS > Turbot > Event Handlers
or AWS > Turbot > Event Handlers [Global]
policies is set to Enforce: Configured
.Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
What's new?
Enhancements
github_my_star
(#369)github_stargazer
(#370)github_tag
(#371)github_rate_limit
(#368)github_community_profile
(#367)github_license
(#366)github_organization_member
(#364)github_team_member
(#364)github_user
(#364)github_my_team
(#363)github_team
(#363)github_commit
(#362)github_my_organization
(#361)github_organization
(#361)github_organization_external_identity
(#361)github_branch
(#360)github_branch_protection
(#360)github_repository_collaborator
(#365)github_repository_deployment
(#365)github_repository_environment
(#365)github_repository_vulnerability_alert
(#365)github_issue
(#359)github_issue_comment
(#359)github_pull_request
(#359)github_pull_request_comment
(#359)github_pull_request_review
(#359)Bug fixes
Bug fixes
Bug fixes
What's new?
Resource Types:
Policy Types:
Control Types:
Action Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
Action Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
What's new?
Turbot Pipes now officially supports billing for your organization team plan via AWS Marketplace.
For more information, see the Pipes billing docs.
What's new?
Server
UI:
What's new?
What's new?
bigquery_table_deletion_protection_enabled
bigtable_instance_deletion_protection_enabled
spanner_database_deletion_protection_enabled
spanner_database_drop_protection_enabled
What's new?
appservice_environment_zone_redundant_enabled
appservice_function_app_public_access_disabled
appservice_plan_zone_redundant
appservice_web_app_public_access_disabled
eventhub_namespace_uses_latest_tls_version
eventhub_namespace_zone_redundant
kubernetes_cluster_critical_pods_on_system_nodes
kubernetes_cluster_os_disk_ephemeral
redis_cache_standard_replication_enabled
sql_database_ledger_enabled
sql_database_zone_redundant_enabled
What's new?
docdb_cluster_backup_retention_period_7
lambda_permission_restricted_service_permission
neptune_cluster_backup_retention_period_7
neptune_cluster_copy_tags_to_snapshot_enabled
neptune_cluster_iam_authentication_enabled
Bug fixes
Enhancements
All Controls
benchmark: (#733)api_gateway_rest_api_public_endpoint_with_authorizer
dlm_ebs_snapshot_lifecycle_policy_enabled
docdb_cluster_instance_encryption_at_rest_enabled
ebs_volume_snapshot_exists
elasticache_cluster_no_public_subnet
iam_role_no_administrator_access_policy_attached
iam_user_access_key_unused_45
iam_user_console_access_unused_45
neptune_db_cluster_no_public_subnet
Bug fixes
What's new?
Resource Types:
Policy Types:
Bug fixes
ad_guest_user_reviewed_monthly
, iam_deprecated_account_with_owner_roles
, iam_external_user_with_read_permission
, iam_external_user_with_write_permission
, iam_user_not_allowed_to_create_security_group
and iam_user_not_allowed_to_register_application
queries to remove duplicate benchmark results. (#228)What's new?
What's new?
What's new?
You can now Enable/Disable Firebase Management API via Guardrails. To get started, set the GCP > Firebase > API Enabled
policy.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Control Types:
Policy Types:
Action Types:
What's new?
Added support for newer US, Europe, India and US Government regions in the Azure > Synapse Analytics > Regions
policy.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
What's new?
What's new?
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
What's new?
createdBy
details in Turbot CMDB.What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
What's new?
createdBy
details in Turbot CMDB.What's new?
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Bug fixes
What's new?
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Bug fixes
retention_policy
column of gcp_storage_bucket
table to correctly return data instead of null. (#502)What's new?
Enhancements
What's new?
Enhancements
properties
column to jira_project
table. (#105)Bug fixes
What's new?
steampipe check benchmark.cis_v300
). (#57)Breaking Changes
linkedin_company_employee
linkedin_company_past_employee
linkedin_connection
linkedin_search_company
linkedin_search_profile
Bug fixes
compute_firewall_allow_tcp_connections_proxied_by_iap
query to correctly include all the ports and source IP ranges. (#128) (Thanks @saisirishreddy for the contribution!)What's new?
steampipe
field to _ctx
column, containing sdk version. (#712)Bug fixes
plugin has no connections
error when deleting and then re-adding a connection. (#725)What's new?
Enhancements
features
column to aws_guardduty_detector
table. (#1958)What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
What's new?_
All Controls
benchmark (steampipe check benchmark.all_controls). This new benchmark includes 109 service-specific controls. (#127)What's new?
Server
passport-saml
to @node-saml/passport-saml
: 4.0.4Require Signed Authentication Response
and Strict Audience Validation
.UI:
Require Signed Authentication Response
and Strict Audience Validation
for enhanced security in SAML authentication.Enhanced Security and Compatibility Guide for SAML Authentication
Description
The recent package change for @node-saml/passport-saml
has made it mandatory to sign the audience response and perform audience validation. To maintain backward compatibility, we have introduced two new options in the UI:
To make it backward compatible, both of these options are initially set to Disabled
by default.
Important Note: This change ensures that the audience response is signed and audience validation is enforced. These checks were not available in earlier versions of the package.
Recommendations
We recommend customers enable both of these properties as they add an additional layer of security. However, it's important to be aware that enabling these properties might potentially break SAML login functionality. Therefore, certain steps need to be taken before enabling them.
Here are specific recommendations for popular Identity Providers (IDPs):
Okta
OneLogin
Azure Entra ID (Previously Known as Azure AD)
Signing option
to be "SIGN SAML response and assertion". The Signing option
is available on the Signing Certificate page of Entra IDPlease follow these recommendations carefully to make sure you're able to transition smoothly to the updated SAML package.
What's new?
createdBy
details in Turbot CMDB.What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Types:
Action Types:
What's new?
Resource Types:
Policy Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
min_version
instead of version
:Breaking changes
Bug fixes
Breaking changes
min_version
instead of version
. (#161)lambda_function_with_graviton2
to lambda_function_with_graviton
in order to maintain consistency. (#158) (Thanks @bluedoors for the contribution!)What's new?
createdBy
details in Turbot CMDB.Bug fixes
AWS > ElastiCache > Snapshot > CMDB
control would go into an error state due to a bad internal build. This is fixed and the control will now work correctly as expected.What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
Bug fixes
name
column in aws_organizations_account
table. (#1947) (Thanks @badideasforsale for the contribution!)Dependencies
Bug fixes
v0.12.0 of the Terraform Provider for Pipes is now available.
What's new?
pipes_workspace_datatank
.pipes_workspace_datatank_table
.Enhancements
pipes_workspace
now supports instance_type
.The Google Workspace plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The Google Sheets plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The Google Directory plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The crt.sh plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The query API timeout has been increased from 1 minute to 2 minutes, allowing for greater flexibility in how you query your data.
What's new?
GCP > Turbot > Event Handlers
stack. To get started, set the GCP > Turbot > Event Handlers > Logging > Unique Writer Identity
policy.Bug fixes
Bug fixes
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
createdBy
details in Turbot CMDB.What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
createdBy
details in Turbot CMDB.What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Action Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Action Types:
What's new?
What's new?
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
Bug fixes
AWS > EC2 > Account Attributes > CMDB
control would go into an error state due to a bad internal build. This is fixed and the control will now work correctly as expected.What's new?
What's new?
What's new?
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
Bug fixes
Enhancements
contact_info
column to linkedin_profile
table. (#5)What's new?
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Added support for ap-northeast-3
and us-gov-east-1
regions in the AWS > SageMaker > Regions
policy.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
What's new?
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Action Types:
Bug fixes
github_issue
and github_pull_request
tables to correctly return data instead of an error. (#355)What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
Added support for ap-south-1
, af-south-1
, cn-north-1
and us-gov-east-1
regions in the AWS > WorkSpaces > Regions
policy.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
Added support for cn-north-1
, cn-northwest-1
, us-gov-east-1
and us-gov-west-1
regions in the AWS > MQ > Regions
policy.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
Added support for cn-north-1
, cn-northwest-1
, us-gov-east-1
and us-gov-west-1
regions in the AWS > FSx > Regions
policy.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
Added support for ca-central-1
, eu-west-2
, sa-east-1
, us-east-2
and us-gov-east-1
regions in the AWS > AppStream > Regions
policy.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
What's new
github_issue
, github_my_issue
, github_pull_request
, github_search_issue
, and github_search_pull_request
tables to only include nested and user permission columns in GraphQL request when requested. This should result in faster queries and large scale queries completing more consistently. (#342)Enhancements
All Controls
benchmark: (#722)athena_workgroup_enforce_configuration_enabled
iam_inline_policy_no_administrative_privileges
Bug fixes
Bug fixes
AWS > EC2 > Volume > Discovery
control would go into an error state because of an unintended GraphQL query bug. This is fixed and the control will now work correctly as expected.Enhancements
What's new?
What's new?
What's new?
Server:
UI:
Bug fixes
All Pipes workspaces have now been upgraded to Steampipe v0.21.1.
For more information on this Steampipe release, see the release notes.
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Action Types:
What's new?
You can now configure Block Public Access for AMIs. To get started, set the AWS > EC2 > Account Attributes > Block Public Access for AMIs
policy to Enforce: Enable Block Public Access for AMIs
.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Control Types:
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Action Types:
What's new?
The Turbot Pipes app for Zapier, announced today, opens the world of DevOps data to Zap developers.
For more information, see the launch post.
Turbot Pipes plans & pricing are now available.
Free for Developers! Free trial & usage-based for Teams. Start immediately & cancel anytime.
For more information, see the launch post.
Datatank is now available in Turbot Pipes workspaces. Blow past API speed limits with scheduled data sync.
For more information, see the launch post.
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
The remaining 94 Turbot Steampipe plugins have been updated to use steampipe-plugin-sdk v5.6.2, which prevents nil pointer reference errors for implicit hydrate configs.
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Action Types:
What's new?
AWS/Amplify/Admin
and AWS/Amplify/Metadata
now also include permissions for Deployment, WebHook and Artifacts.
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions
button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Policy Types:
Action Types:
Bug fixes
connection_name
and tags
dimensions instead of an error. (#73)Enhancements
url
as the resource column: (#35)default_branch_all_build_steps_as_code
default_branch_pipeline_locks_external_dependencies_for_build_process
default_branch_pipeline_must_have_jobs_with_sbom_generation
default_branch_pipelines_scan_for_vulnerabilities
default_branch_pipelines_scanners_set_to_prevent_sensitive_data
org_member_mfa_enabled
repo_inactive_members_review
repo_deletion_limited_to_trusted_users
repo_issue_deletion_limited_to_trusted_users
repo_webhook_package_registery_security_settings_enabled
What's new?
The following 21 Turbot Steampipe plugins have been updated to use steampipe-plugin-sdk v5.6.2, which prevents nil pointer reference errors for implicit hydrate configs:
All new Pipes workspaces will be running Steampipe v0.21.1 and existing workspaces will be upgraded by Monday 9th October 2023.
For more information on this Steampipe release, see the launch post or release notes.
Bug fixes
source_types
config argument contains manifest
but manifest_file_paths
is not defined. (#177)What's new?
ClusterRoleBinding
, CronJob
, DaemonSet
, Ingress
, Job
, Pod
resource types to the all_controls
benchmark. (#68)Bug fixes
source_account_id
column of aws_securityhub_finding
table to correctly return data instead of null
. (#1927) (Thanks @gabrielsoltz for the contribution!)members
column of aws_rds_db_cluster
table to correctly return data instead of null
. (#1926)Bug fixes
mod-location
flag to the steampipe variable list
command. (#3942)Bug fixes
initialise
function is now being called for implicit hydrate configs (i.e. hydrate functions without explicit config), thereby preventing nil pointer reference errors when the hydrate function returns an error. (#683)Whats new?
plugin
connection config block. (#3807)plugin
instance definitions or the new plugin
options block. (#3807)steampipe_plugin
and steampipe_plugin_limiter
containing all configured plugin instances and limiters. (#3746)steampipe_server_settings
populated with server settings data during service startup. (#3462)plugin install
with no arguments installs all referenced plugins. (#3451)--output
flag for plugin list
cmd allows selection between json
and table
output. (#3368)version.json
which can be used to recompose the global plugin versions.json
if it is missing or corrupt. (#3492).cache
in interactive prompt shows the current value of cache. (#2439)skip-config
flag disables writing of default plugin config during plugin installation. (#3531, #2206)default.spc.sample
), but only overwrite the default.spc
file with the sample content if the existing file has not been modified. (#3431)cache
settings. (#3646)Bug fixes
service start
was not listening on network
by default. (#3593).inspect
panicking for long column descriptions. (#3709)BuildFullResourceName
not validating non empty arguments. (#3601)stdin
was consumed by query
command even if there are arguments. (#1985)install-dir
and workspace
flags should be global flags. All other flags should only apply to specific command. (#3542)version
field in require
block of mod definition.plugin list
returned nothing if no plugins were installed. (#3927)Deprecations and migrations
steampipe_connection_state
renamed to steampipe_connection
workspace-chdir
flag. (#3925)cloud.steampipe.io
to pipes.turbot.com
. (#3724)terminal options
.All 115 Turbot Steampipe plugins have been updated to use steampipe-plugin-sdk v5.6.1, which adds support for rate and concurrency limiters.
Limiters provide a simple, flexible interface to implement client-site rate limiting and concurrency thresholds at compile time or run time. You can use limiters to:
For more information on getting started, please see Concurrency and Rate Limiting.
What's new?
What's new?
Deprecated
source_type
config argument has been deprecated and will be removed in the next major version. Please use the source_types
config argument instead. If both config arguments are set, source_types
will take precedence. For backward compatibility, please see below for old and new value equivalents: (#167)source_type = 'all'
: source_types = ["deployed", "helm", "manifest"]
source_type = 'deployed'
: source_types = ["deployed"]
source_type = 'helm'
: source_types = ["helm"]
source_type = 'manifest'
: source_types = ["manifest"]
What's new?
source_types
config argument, which allows specifying a combination of source types to load per connection. (#167)What's new?
all_controls
benchmark. (#64)Enhancements
path
to default set of common_dimensions
, so now any file paths will appear by default in the additional dimensions in control results. (#63)iac
category to mod definition.Dependencies
v0.23.0
or higher is now required.Breaking changes
output
column in the exec_command
table. This column has been replaced by the stdout_output
and stderr_output
columns. (#13)What's new?
stdout_output
and stderr_output
columns to the exec_command
table. (#13)stream
column to the exec_command_line
table. (#13)exec_global
with MaxConcurrency
set to 15 in an effort to reduce abuse reports due to large number of concurrent remote connections. (#13)Bug fixes
exec_command
table should now be consistent when using local and remote connections. (#13)Dependencies
What's new?
steampipe check docker_compliance.benchmark.cis_v160
). (#4)What's new?
SetConnectionCacheOptions
, a new GRPC endpoint to clear connection cache. (#678)What's new?
Resource Types:
Control Types:
Policy Types:
Action Types:
Enhancements
last_successful_login_time
column to oci_identity_user
table. (#547)What's new?
_ctx
column, containing information on hydrate calls and rate limiting (enabled by setting env var STEAMPIPE_DIAGNOSTIC_LEVEL=all
)List
hydrate functions. (#594)Type
property added to ConnectionConfig
protobuf definition to determine if a connection is an aggregator. (#590)Equals
function for QualValue
. (#646)What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Control Types:
Policy Types:
Action Types:
What's new?
AWS/MSK/Admin
, AWS/MSK/Metadata
and AWS/MSK/Operator
now also include permissions for Cluster V2, Scram Secrets and Kafka VPC Connections.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy
details in Turbot CMDB.
Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.
Policy Types:
Action Types:
Bug fixes
What's new?
Control Types:
Policy Types:
Action Types:
What's new?
All Pipes workspaces have now been upgraded to Steampipe v0.20.12.
For more information on this Steampipe release, see the release notes.
Enhancements
All Controls
benchmark for the following services: (#59)CronJob
DaemonSet
Deployment
Job
Pod
ReplicaSet
ReplicationController
StatefulSet
All new Pipes workspaces will be running Steampipe v0.20.12 and existing workspaces will be upgraded by Monday 25th September 2023.
For more information on this Steampipe release, see the release notes.
The ServiceNow plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
What's new?
Added support for Global Event Handlers. This release contains new Guardrails policies and controls to support deployment of Global Event Handlers for AWS.
Control Types:
Policy Types:
What's new?
AWS/RDS/Admin
, AWS/RDS/Metadata
and AWS/RDS/Operator
now include permissions for Performance Insights.What's new?
Added support for new multi-regions NAM8
, NAM9
, NAM10
, NAM11
, NAM12
, NAM13
, NAM14
, NAM15
, NAM-EUR-ASIA1
, NAM-EUR-ASIA3
, IN
, EUR5
, EUR6
, EUROPE
and EMEA
in the GCP > Project > Regions
policy.
Policy Types Removed:
Bug fixes
github_search_repository
table queries failing when selecting the has_downloads
, has_pages
, hooks
, network_count
, subscribers_count
, or topics
columns. (#337)All Pipes workspaces have now been upgraded to Steampipe v0.20.11.
For more information on this Steampipe release, see the release notes.
Bug fixes
AWS > VPC > Security Group > CMDB
control would sometimes go into an error state if the TE version installed on the workspace was 5.42.1 or lower. This is fixed and the control will now work as expected.What's new?
Bug fixes
Requirements
What's new?
europe-west10
region in the GCP > Project > Regions
policy.What's new?
asia-northeast3
, asia-south2
, asia-southeast2
, australia-southeast2
, europe-central2
, europe-southwest1
, europe-west10
, europe-west12
, europe-west8
, europe-west9
, me-central1
, me-west1
, northamerica-northeast2
, southamerica-west1
, us-east5
, us-south1
, us-west3
and us-west4
regions in the GCP > Compute Engine > Regions
policy.Bug fixes
Bug fixes
What's new?
Bug fixes
AWS > EC2 > Instance > Schedule
control would try and perform the same start/stop action again if the state of the instance was changed outside of the control within 1 hour of the successful start/stop run. This is fixed and the control will now not trigger a start/stop action again for a minimum of 1 hour of the previous successful run.Bug fixes
invalid memory address or nil pointer dereference
errors when querying Terraform configuration or plan or state files that included null
valued arguments. (#56)Bug fixes
nil
instead of an error
when the file/path specified in dockerfile_paths
or docker_compose_file_paths
config arguments does not exist. (#38)Bug fixes
resource
column in the queries of glue_data_catalog_encryption_settings_metadata_encryption_enabled
and glue_data_catalog_encryption_settings_password_encryption_enabled
controls. (#715)What's new?
What's new?
Bug fixes
What's new?
Resource Types:
Control Types:
Policy Types:
Action Types:
Enhancements
resource_object
and object
columns to guardrails_notification
and guardrails_resource
tables respectively. (#7)Bug fixes
docs/index.md
file.Bug fixes
capacity_reservation_specification
column of aws_ec2_instance
table to be of JSON
type instead of STRING
. (#1903)Enhancements
iam_workload_identity_restricted
control to the IAM
benchmark. (#38)All new Pipes workspaces will be running Steampipe v0.20.11 and existing workspaces will be upgraded by Monday 18th September 2023.
For more information on this Steampipe release, see the release notes.
Deprecations
domain
column in net_certificate
table, which has been replaced by the address
column. Please note that the address
column requires a port, e.g., github.com:443
. This column will be removed in a future version. (#50)What's new?
address
column to the net_certificate
table to allow specifying a port with the domain name. (#50)What's new?
Users can now delete Login Profiles for IAM Users.
Control Types:
Policy Types:
Action Types:
Bug fixes
bitbucket.spc
and index.md
files to include details of BITBUCKET_USERNAME
, BITBUCKET_PASSWORD
, and BITBUCKET_API_BASE_URL
environment variables. (#77)What's new?
Resource Types:
Control Types:
Policy Types:
Action Types:
Bug fixes
Bug fixes
AWS > Turbot > Event Handlers
now support real-time events for AWS S3 Multi-Region Access Point.What's new?
Resource Types:
Control Types:
Policy Types:
Action Types:
What's new?
AWS/S3/Admin
and AWS/S3/Metadata
now include permissions for Multi-Region Access Point Routes.The Shopify plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The Sentry plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The LaunchDarkly plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
What's new?
What's new?
We've updated the runtime for lambda functions in the aws-config mod to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Types:
Action Types
What's new?
The WorkOS plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The UptimeRobot plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The New Relic plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The Turbot Guardrails plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The CohereAI plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
What's new?
Resource Types:
Policy Types:
What's new?
What's new?
GCP/OAuth/Admin
and GCP/OAuth/Metadata
now also include oauthconfig:*
permissions. Click here for more details.The Turbot Pipes plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The GoDaddy plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The Docker Hub plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
All Pipes workspaces have now been upgraded to Steampipe v0.20.10.
For more information on this Steampipe release, see the release notes.
All new Pipes workspaces will be running Steampipe v0.20.10 and existing workspaces will be upgraded by Monday 21st August 2023.
For more information on this Steampipe release, see the release notes.
What's new?
What's new?
Bug fixes
Requirements
What's new?
What's new?
Bug fixes
What's new?
What's new?
What's new?
Server:
UI
Note
IAM change in this release:
What's new?
guardrails.turbot.com
, guardrails.turbot-stg.com
or guardrails.turbot-dev.com
to publish a guardrails mod. To maintain compatibility, none of the existing commands have changed, your existing configuration and commands will continue to work as before.What's new?
Policy Types:
Resource Types:
Smart Folders
are now called Policy Packs
.Requirements
v1.10.0 of the Terraform Provider for Guardrails is now available.
Documentation
Rebrand to Turbot Guardrails provider. Resource and data source names in this provider have not changed to maintain compatibility. Existing templates will continue to work as-is without need to change anything.
What's new?
Resources Deleted by Turbot
report.Requires
Container Info
22.04
, jammy-20230425
3.17.3
Bug fixes
slackWebhookUrl
in Turbot > Notifications > Rule-Based Routing
policy.Requirements
What's new?
Requires
Container Info
22.04
, jammy-20230425
3.17.3
What's new?
Requires
Container Info
22.04
, jammy-20230425
3.17.3
What's new?
What's new?
Requirements
What's new?
Enterprise
Requires
Container Info
22.04
, jammy-20230425
3.17.3
Enterprise
Requires
Container Info
22.04
, jammy-20230425
3.17.3
What's new?
Enterprise
Requires
Container Info
22.04
, jammy-20230425
3.18.0
What's new?
Requires
What's new?
v5.10.0
of the Turbot IAM mod.Requires
What's new?
What's new?
What's new?
SameSite
configuration to strict
.Enterprise
Requires
What's new?
What's new?
3.75.0
when
Turbot > Stack Terraform Version [Default]
is set to 0.15.*
Bug fixes
Action
fails due to cloud provider throttling, Turbot will
now reschedule the control that triggered the action, those actions should now
be more consistently applied under heavy loads.Note AWS IAM permissions change in this release:
Turbot > Cache > Health Check
control.What's new?
What's new?
Turbot > Type Installed > Background Tasks
is now removedRequirements
What's new?
v5.40.0
. db_pair
security group now includes Elasticache rules, when Elasticache is enabled.Deprecation
db_pair
security group, the Elasticache cache_pair
security group is no longer required. It will be removed in a future release.Bug fixes
Enterprise
Requires
What's new?
Enterprise
Requires TEF: v1.46.0 TED: v1.9.1
What's new?
Bug fixes
2.10.7
.Enterprise
Requires TEF: v1.45.0 TED: v1.9.1
What's new?
launch templates
to launch configurations
.gp3
.What's new?
alternatePersona
in the actor field if
available.Bug fixes
Enterprise
vm2
package to 3.9.11 in the ECS containers.What's new?
Bug fixes
Enterprise
Requires TEF: v1.42.1 TED: v1.9.1
What's new?
Bug fixes
Bug fixes
Activity
sub-tab on the resource page.Enterprise
Requires TEF: v1.42.1 TED: v1.9.1
What's new?
Bug fixes
Requires TEF: v1.42.1 TED: v1.9.1
Bug fixes
Enterprise
inline
.Requires TEF: v1.42.1 TED: v1.9.1
What's new?
Bug fixes
Enterprise
Requires TEF: v1.42.1 TED: v1.9.1
What's new?
Bug fixes
Enterprise
Requires TEF: v1.42.1 TED: v1.9.1
Bug fixes
unidentified
if
persona and identity are not available.Unidentified
, now they will carry the identity of the launcher,
most of the time this will be the Turbot identity unless the action is
launched by a user from Turbot UI.Enterprise
Enterprise
UI
Enterprise
What's new?
Quick Actions Quick Actions is a new feature that allows Turbot users to initaite specific (one time) control enforcements on their cloud environment via the Turbot UI. Cloud operations teams can use Quick Actions to remediate cloud configuration issues (e.g. enable encryption on a resource) or snooze Turbot alarms for issues that we want to come back to later. More details in the documentation. Quick actions will be rolling out across all supported cloud services in the coming months (based on your feedback); this initial release covers resources in the following AWS mods:
Disabling the Quick Actions feature
Quick Actions use the permissions granted to the Turbot service user or cross-account role used to import your cloud service account into Turbot. Execution of quick actions will fail if the underlying role prevents those actions from occuring.
The Quick Actions feature is disabled by default, but can easily be enabled
via the Turbot > Quick Actions > Enabled
policy. If you would like to
prevent lower level Turbot administrators from enabling Quick Actions for
their cloud service accounts, then make sure you set
Turbot > Quick Actions > Enabled
to Disabled
at the Turbot level using the
Required
option.
The policy Turbot > Quick Actions > Permission Levels
offers fine-grained
control over which Turbot permission levels are required to execute specific
quick actions. These permission limits can be set globally and specific
exceptions can be managed down to the individual cloud service account level.
Enterprise
Bug fixes
turbot completion
command was displayed twice on running turbot help
.Bug fixes
What's new?
Bug fixes
What's new?
What's new?
TEF KMS Key
parameter name changed to TEF KMS Key Arn
.What's new?
What's new?
What's new?
What's new?
db_pair
security group from TEF 1.47.0.Deprecation
db_pair
security group, the Elasticache
cache_pair
security group is no longer required. It will be removed in a
future release.Requirements
What's new?
What's new?
Warning
What's new?
What's new?
What's new?
gp3
.
More info on using gp3What's new?
What's new?
What's new?
What's new?
What's new?
Warning
turbot_policy_parameter
.Bug fixes
What's new?
Requirements
Warning
turbot_policy_parameter
.What's new?
turbot_parameters
and turbot_policy_parameter
lambda functions now include VPC config.turbot_policy_parameter
IAM Role now includes EC2 network interfaces policy. What's new?
Requirements
What's new?
Requirements
What's new?
Requirements
Bug fixes
turbot template build
to
fail.Bug fixes
template build
was loading the lock-file from the base branch to determine
the current template version. When using a work-in-progress (wip) branch, this
could lead to identifying an incorrect current version, leading to rebasing
errors. Fix by loading the lock file from the wip branch.What's new?
What's new?
Bug fixes
Requirements
Bug fixes
Requirements
What's new?
What's new?
Bug fixes
Requirements
Bug fixes
Bug fixes
turbot template build
now cleans up branches after a rebase failure.Warning
Bug fixes
Bug fixes
Requirements
Warning
Bug fixes
Warning
Bug fixes
Bug fixes
Requirements
Warning
What's new?
What's new?
Bug fixes
Requirements
What's new?
turbot template build --rebase
command now cleans up the work in progress
branch if the template render fails.Bug fixes
turbot template build --rebase
command was failing to re-apply manual
changes.turbot template build --fleet-mode
would stop building all branches if a
single one failed.Bug fixes
What's new?
Bug fixes
What's new?
Requirements
Warning
What's new?
turbot_transient
KMS key specifically used for encryption of transient data (e.g. SNS, SQS).Bug fixes
What's new?
turbot compose
(used by all CLI commands that compose mods) now omits the
releaseNotes
field from turbot.head.json
. It is still included in
turbot.dist.json
.turbot template
has a new --unchanged-issue <issue_id>
argument. When a
template build operation commits changes to git, if no files have actually
changed then the commit message will use this issue instead of the normal
--issue <issue_id>
field. The commit message will also specify "no changes".What's new?
turbot publish
has a new --timeout <secs>
argument to customize the
publish timeout. The default has been increased to 2 minutes.turbot template build --issue 1234 --close-issue
will set the commit
message to close the issue.Bug fixes
turbot test
should not fail with the the error
TypeError: tmod.parse is not a function
.Warning
What's new?
Bug fixes
Development
Mode
. It was harmless, but not necessary unless ElastiCache is enabled in
TED.Bug fixes
Requirements
Bug fixes
turbot template build --patch --push-instance-root
command failed to push
changes to the wip branch.What's new?
Bug fixes
Requirements
What's new?
ECSDesiredInstanceCount
parameter, which now defaults to
using ECSMinInstanceCount
instead. This frees up a precious parameter slot
for other options.DevelopmentMode
parameter for internal use, which groups options
like using the latest container image (instead of cached).What's new?
ExperimentalFeatures
flag, allowing gradual introduction of new
capabilities. The first one is installation of ElastiCache preparing for
future use in TE.Requirements
Bug fixes
turbot pack
and turbot publish
were failing to run pre-pack script when
--dir
arg is used.Bug fixes
turbot inspect
should give a clear error message for invalid templates.Bug fixes
turbot inspect --format changelog
should properly escape CSV fields with
commas.Bug fixes
Bug fixes
Bug fixes
Bug fixes
What's new?
Requirements
What's new?
Requirements
What's new?
turbot install
- checks if a compatible version of each dependency is
already installed. If so, it is does not install from the registry unless
there is a newer version available.turbot template build --rebase
rebuilds templates while using rebase to
better merge and preserve custom changes to the rendered files since the last
build.What's new?
Warning
Bug fixes
What's new?
Bug fixes
turbot configure
fails when no command line credentials arguments are given
but they set in environmentturbot workspace list
should ignore TURBOT_PROFILE
env var and only filter
profiles if one is given in command line.turbot download
should fall back to use the production registry if the user
is not logged in.Bug fixes
turbot pack
were not caught and
reported correctly.What's new?
turbot pack
, turbot up
and turbot publish
for faster troubleshooting.Bug fixes
turbot graphql
queries for control
, policy-value
, etc were not properly
handling the --resource-id
and --resource-aka
arguments.Bug fixes
turbot configure
was failing for some Windows users when used in interactive
mode.What's new?
Bug fixes
turbot configure
was always failing validation when using interactive mode
to enter credentials.Bug fixes
turbot install [mod]
was not working. You can now install specific mods as
expected.What's new?
turbot install [mod[@version]]
to
install a specific mod as a local dependency.turbot workspace configure
are now validated before
saving, so you can be confident they are good to go.What's new?
turbot workspace list
to see a list of your currently configured
workspaces.turbot workspace configure
added, with the same behavior as
turbot configure
.Bug fixes
turbot test
was failing for some GCP controls due to an update in the GCP
auth library package. This has been fixed.See v1.18.1
Bug fixes
What's new?
Requirements
What's new?
t3.medium
.What's new?
ALB Log Prefix
and ALB Idle Timeout
.What's new?
Requirements
What's new?
169.254.170.2
to the default NO_PROXY
parameter. This is required for stack containers to execute in some proxy environments.Bug fixes
turbot install
was attempting to install the latest version, which would
fail if that version was not available or recommended. It will now install the
latest recommended version, or if none are recommended, the latest available
version.Bug fixes
Bug fixes
preinstall
and preinstallation
which felt messy. This patch release brought to you by our clean up crew.Requirements
What's new?
What's new?
Requirements
What's new?
Flags
parameter now has validation rules and defaults to NONE
(CloudFormation does not like empty string defaults for SSM parameters).What's new?
Flags
parameter will allow features to be enabled or disabled at the
installation level giving us more flexibility to innovate and gradually
deploy features.Warning
TrackFunctions
in v1.7.0 was pl
. Consider changing this to
none
(the new, more common, default in v1.8.0) if you don't require that
tracking.What's new?
m5.8xlarge
.Bug fixes
What's new?
http://
proxy for
all traffic - no need for endpoints or similar in any case. (We do not yet
support custom certificates and https://
proxies.)Bug fixes
Bug fixes
force-recommended
as this causes
issues when using the yargs conflicts
parameter.What's new?
RECOMMENDED
in the
registry, telling users it's the best choice. Use
turbot publish --force-recommended
and turbot modify --force-recommended
to mark this version as RECOMMENDED
and set all currently recommended
versions to AVAILABLE
.Bug fixes
turbot test
was showing incorrect test data validation errors, due to a
graphql schema change that had not been handled by the CLI.What's new?
Allow Self-Signed Certificate
parameter, instructing Turbot to ignore
certificate errors when connecting to external services - for example -
enterprise environments with an outbound internet proxy.What's new?
${ResourceNamePrefix}_connectivity_checker
manually to test.What's new?
turbot inspect
now enforces valid semantic versions in mod version numbers.
We admire your creativity, but encourage you to express it elsewhere.Bug fixes
turbot up --zip
, which broke during a dependency update.What's new?
Bug fixes
turbot login
was failing if the ~/.config
folder did not exist.turbot template build
was always expecting a wip-*
instance branch to
exist. It's now correctly limited to runs where --use-instance-root-branch
is passed.What's new?
HTTPS_PROXY
environment variable. Login, install mods
and publish to our registry all via your favorite proxy. (Provided it's a
http://
proxy, we don't support https://
yet.)What's new?
What's new?
rds.force_admin_logging_level
and track_functions
,What's new?
turbot registry modify --mod "@turbot/aws" --mod-version "5.0.0" --status RECOMMENDED --description "updated description"
.turbot publish
using the
--status RECOMMENDED
flag.turbot template build
now supports instance root branch names with a random
suffix, following the naming convention: wip/<instance root name>/*
. We've
found scheme much more effective at scale.RELEASE_NOTES.md
as well as CHANGELOG.md
when
building a mod. Release notes are intended for users while a changelog is
intended for developers or others obsessed over details.turbot test
validates input query, but only works for a single query (not
for the more advanced array of queries syntax). Previously the test would
always fail for an array of queries, so we're now skipping the test in these
cases until it can be fully supported.Bug fixes
turbot publish --dir <mod folder>
did not work if run outside the mod
folder - the function zips were not correctly created.What's new?_
turbot login
(and similar) now requires both
--username
and --password
or neither. They just can't live without each
other.Bug fixes
turbot template build --patch
command was failing without running the git
command.Bug fixes
What's new?
_
consistently in names (instead of mixing _
and
-
together).What's new?
Self
Signed Certificate In ALB
parameter to ignore these certificate errors.Bug fixes
Warning
What's new?
What's new?
Bug fixes
What's new?
What's new?
What's new?
turbot compose
the +schema
directive can now map from openApi format
schema to valid JSON schema.Bug fixes
turbot template build
fleet operations were failing due to an error
displaying the summary. This has been fixed.What's new?
Warning
What's new?
Bug fixes
What's new?
turbot test
to check GraphQL mutations (e.g. updatePolicySetting
) are
called as expected from controls.turbot compose
no longer errors when a glob matches no source files.Warning
Security access from the load balancer to ECS has changed from requiring port 8443 to requiring the full high port range of 32768-65535. This allows us to run ECS in bridge mode and efficiently reuse IP addresses across Turbot core containers.
The outbound security group now allows port 80 outbound by default. This makes cloud-init in the ECS optimized image run much faster than only providing port 443 outbound.
If you are upgrading from a previous TEF version, you will need to make the modifications listed below:
Add ports 32768-65535 to the Load Balancer Security Group
OUTBOUND to the API Security Group
Add ports 32768-65535 to the API Security Group
INBOUND from the Load Balancer Security Group
Add port 80 to the Outbound Internet Security Group
OUTBOUND to 0.0.0.0/0
What's new?
What's new?
What's new?
turbot test
to check GraphQL mutations (e.g. updatePolicySetting
) are
called as expected from controls.turbot compose
no longer errors when a glob matches no source files.What's new?
+schema
has been added for turbot compose
. This allows
you to include a specific item from a schema file, including all definitions
which are referenced.turbot template build
will now run even if there are changes on the local
branch, if neither the --use-fleet-branch
or --use-instance-root-branch
arguments are set. This is useful when running building templates for the
first time with local config updated but not committed.What's new?
turbot inspect --format changelog
now includes the uri of each control,
policy, resource and action item.Bug fixes
turbot up
was broken in 1.7.0. This has been fixed.turbot pack
and turbot publish
had to be run out of the target mod
directory. They can now be run out of any directory by passing the --dir
flag.What's new?
turbot aws credentials
now supports --aws-profile <aws_profile>
,
--profile <turbot_profile>
and
--access-key <turbot_access_key> --secret-key <turbot_secret_key>
combinations.Bug fixes
turbot test
was doing type coercion of input data before validation. It now
expects correct types to be passed, matching the behavior of the Turbot
server.Bug fixes
What's new?
--no-color
to simplify the output of any command. Sometimes less is
more.turbot template build --git --branch <branch-name>
allows you to specify the
branch the build operations will be committed onto.turbot template build
no longer supports the --config
flag. Use
template.yml
files instead.Bug fixes
turbot install
was not downloading files. Now it does.turbot template build
was creating template.yml
files for every template
instance. This is noisy and defeats the value of template inheritence, so has
been stopped.Bug fixes
turbot template build --git
should checkout the original git branch at the
end of the build. Broken in v1.5.0What's new?
turbot template build --git
now skips instances without a template-lock
file, which cannot be resolved anyway.Bug fixes
turbot up
and turbot publish
were stalling for large mods.Bug fixes
turbot template build --git
should checkout the original git branch at the
end of the build. Broken in v1.4.0.What’s new?
turbot template build
.turbot template build --fleet-mode
now defaults to update
, which is almost
always the right choice.turbot template build --git
it is no longer necessary to
specify a base git branch, it sensibly assumes you want to use the current
branch.turbot pack --zip-file awesome.zip
to output mods with any name you
prefer.Bug fixes
turbot template outdated
fixed to work with specific template definition
directories.turbot template build --git
. Previously we were polluting that goodness with
failures as well.template-lock.yml
to data that is absolutely necessary, removing noise
from change logs.turbot template update
. Please use turbot template build
instead,
as you probably already were.What's new?
turbot inspect --output-format
will now accept either a file path to the template or the template string directly.turbot template build
.turbot template build
will now merge successful changes onto a single branch and write failed patches to the filesystem for easier review.What's new?
max_connections
, deadlock_timeout
,
idle_in_transaction_session_timeout
and statement_timeout
.What's new?
What's new?
Bug fixes
turbot template build
has a special case "provider" field in the render
context. Long term it will be removed. Short term, it should not break for
vendor level mods like @turbot/aws or @turbot/linux.What's new?
Instance Type for Replica DB
will now default to Same as Primary DB
, which
is a lot easier than having to set and maintain it manually when most of the
time they are the same anyway.What's new?
turbot template build
actions before they happen. (Add
--yes
to keep the previous behavior.)turbot template build
across
many instances.Bug fixes
turbot download
will now give up gracefully on failed downloads, relieving it of an eternity of failed retries.What's new?
Requirements
What's new?
Warning
Instance Type for Replica DB
is new and must be set during
upgrade. (Note: Fixed in v1.3.0 to use Same as Primary DB
by default.)What's new?
Bug fixes
turbot template build
crash added by v1.1.0.What’s new?
turbot aws credentials --account 123456789012 --profile my-account
to
generate and save temporary AWS credentials into your local AWS profile.
Easily work across many AWS accounts using your single Turbot profile.turbot template build
to target all instances of a specific template,
which is great when you are in the process of converting code to use the
template (some code in template management, some still custom).Bug fixes
turbot test
was broken in v1.0.4 due to a missing dependency. Life is better with friends.Bug fixes
Bug fixes
What's new?
Bug fixes
arn:aws-us-gov:
.Warning
What's new?
Bug fixes
turbot template
should allow rendering of the filename as well as folder
names, e.g. src/{{instance}}/resource/types/{{instance}}.yml
.Bug fixes
test.options
are useful, but not required, so turbot test
should not crash if they are not set for a test.Bug fixes
turbot test
has a test.awsProfile
field to set the AWS profile to use when
running tests locally. This has been moved into the generic, customizable
test.options.awsProile
location since it's relevant to AWS mods specifically
rather than a core feature of Turbot.What's new?
Bug fixes
What's new?
What's new?