Enabling Azure Services in Turbot

This section details the steps required to enable services for an Azure subscription. Alternatively, you can use the azure_services baseline and the Azure Provider Registration Baseline, which automate this process.

Enabling Services

All supported services have an Enabled policy.

  • Azure > Storage > Enabled
  • Azure > Compute Engine > Enabled
  • Azure > SQL > Enabled

You should enable any services that users are allowed to use. By default, the value of these policies is set to Disabled. When a service is disabled, users granted permissions to cloud accounts via Turbot will not be able to manage the service. Additionally, other policies may reference this policy to determine their behavior. For example, the default behavior of the Approved control is that any resources are unapproved unless the service is enabled.

For example, to enable the Azure Storage service:

# Azure > Storage > Enabled
resource "turbot_policy_setting" "azure_storage_enabled" {
  resource = "id of sub or parent folder/policy pack"
  type     = "tmod:@turbot/azure-storage#/policy/types/storageEnabled"
  value    = "Enabled"
}

Registering Service Providers

To use a service API in Azure, you must register the resource provider in your subscription.

Note that a single provider may support many services - they do not map 1:1.

To enable a provider, set the relevant Azure > Provider > {provider} > Registered policy to "Enforce: Registered".

  • Azure > Provider > Storage > Registered
  • Azure > Provider > Compute > Registered
  • Azure > Provider > SQL > Registered

For example, to enable the storage provider:

# Azure > Provider > Storage > Registered
resource "turbot_policy_setting" "provider_registration_enable" {
  resource = "id of sub or parent folder/policy pack"
  type     = "tmod:@turbot/azure-provider#/policy/types/storageRegistered"
  value    = "Enforce: Registered"
}

Failing to register a provider causes CMDB and Discovery errors from controls for the dependent services. You can clear the Discovery errors by setting the relevant CMDB policies to Skip.

For example, if the Storage provider is not enabled in Azure, the Azure > Storage > Storage Account > Discovery controls will be in error, as they do not have the required access to discover the resources. Changing the CMDB policy to Skip will cause the Discovery control to skip as well.