Policy types for @turbot/aws-vpc-connect

AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-vpc-connect

The CloudWatch Events event pattern used by the AWS VPC Connect module to specify
which events to forward to the Guardrails Event Handlers.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcConnectCustomEventPatterns
Schema
{
"type": "array",
"items": {
"type": "object"
}
}

AWS > VPC > Customer Gateway > Active

Determine the action to take when an AWS VPC customer gateway, based on the AWS > VPC > Customer Gateway > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Customer Gateway > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > VPC > Customer Gateway > Active > Age

The age after which the AWS VPC customer gateway
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Customer Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > VPC > Customer Gateway > Active > Budget

The impact of the budget state on the active control. This policy allows you to force
customerGateways to inactive based on the current budget state, as reflected in
AWS > Account > Budget > State

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Customer Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayActiveBudget
Valid Value
[
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > VPC > Customer Gateway > Active > Last Modified

The number of days since the AWS VPC customer gateway
was last modified before it is considered inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Customer Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > VPC > Customer Gateway > Approved

Determine the action to take when an AWS VPC customer gateway is not approved based on AWS > VPC > Customer Gateway > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > VPC > Customer Gateway > Approved > Budget

The policy allows you to set customer gateways to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State

This policy will be evaluated by the Approved control. If an AWS VPC customer gateway is not matched by the approved list, it will be subject to the action specified in the AWS > VPC > Customer Gateway > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayApprovedBudget
Valid Value
[
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
],
"example": [
"Unapproved if Budget > State is Shutdown"
],
"default": "Skip"
}

AWS > VPC > Customer Gateway > Approved > Custom

Determine whether the AWS VPC customer gateway is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC customer gateway is not approved, it will be subject to the action specified in the AWS > VPC > Customer Gateway > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > VPC > Customer Gateway > Approved > Regions

A list of AWS regions in which AWS VPC customer gateways are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS VPC customer gateway is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Customer Gateway > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

AWS > VPC > Customer Gateway > Approved > Usage

Determine whether the AWS VPC customer gateway is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS VPC customer gateway is not approved, it will be subject to the action specified in the AWS > VPC > Customer Gateway > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > VPC > Enabled"
}

AWS > VPC > Customer Gateway > CMDB

Configure whether to record and synchronize details for the AWS VPC customer gateway into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > Customer Gateway > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > VPC > Customer Gateway > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > VPC > Customer Gateway > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > VPC > Customer Gateway > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > VPC > Customer Gateway > Regions

A list of AWS regions in which AWS VPC customer gateways are supported for use.

Any customer gateways in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayRegions
Schema
{
"allOf": [
{
"$ref": "aws#/definitions/regionNameMatcherList"
},
{
"default": [
"af-south-1",
"ap-east-1",
"ap-northeast-1",
"ap-northeast-2",
"ap-south-1",
"ap-southeast-1",
"ap-southeast-2",
"ca-central-1",
"eu-central-1",
"eu-north-1",
"eu-south-1",
"eu-west-1",
"eu-west-2",
"eu-west-3",
"me-south-1",
"sa-east-1",
"us-east-1",
"us-east-2",
"us-gov-east-1",
"us-gov-west-1",
"us-west-1",
"us-west-2"
]
}
]
}

AWS > VPC > Customer Gateway > Tags

Determine the action to take when an AWS VPC customer gateway tags are not updated based on the AWS > VPC > Customer Gateway > Tags > * policies.

The control ensure AWS VPC customer gateway tags include tags defined in AWS > VPC > Customer Gateway > Tags > Template.

Tags not defined in Customer Gateway Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > VPC > Customer Gateway > Tags > Template

The template is used to generate the keys and values for AWS VPC customer gateway.

Tags not defined in Customer Gateway Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayTagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

AWS > VPC > Customer Gateway > Usage

Configure the number of AWS customer gateways that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > > Customer Gateway > Usage policy.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > VPC > Customer Gateway > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 50
}

AWS > VPC > Peering Connection > Active

Determine the action to take when an AWS VPC peering connection, based on the AWS > VPC > Peering Connection > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Peering Connection > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > VPC > Peering Connection > Active > Age

The age after which the AWS VPC peering connection
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Peering Connection > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > VPC > Peering Connection > Active > Last Modified

The number of days since the AWS VPC peering connection
was last modified before it is considered inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Peering Connection > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > VPC > Peering Connection > Approved

Determine the action to take when an AWS VPC peering connection is not approved based on AWS > VPC > Peering Connection > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > VPC > Peering Connection > Approved > Custom

Determine whether the AWS VPC peering connection is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC peering connection is not approved, it will be subject to the action specified in the AWS > VPC > Peering Connection > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > VPC > Peering Connection > Approved > Regions

A list of AWS regions in which AWS VPC peering connections are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS VPC peering connection is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Peering Connection > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

AWS > VPC > Peering Connection > Approved > Usage

Determine whether the AWS VPC peering connection is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS VPC peering connection is not approved, it will be subject to the action specified in the AWS > VPC > Peering Connection > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > VPC > Enabled"
}

AWS > VPC > Peering Connection > CMDB

Configure whether to record and synchronize details for the AWS VPC peering connection into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > Peering Connection > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > VPC > Peering Connection > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > VPC > Peering Connection > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > VPC > Peering Connection > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > VPC > Peering Connection > DNS Resolution

Check if the AWS VPC Peering Connection DNS Resolution configuration is set correctly.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionDnsResolution
Category
Valid Value
[
"Skip",
"Check: Disabled",
"Check: Enabled",
"Enforce: Disabled",
"Enforce: Enabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Disabled",
"Check: Enabled",
"Enforce: Disabled",
"Enforce: Enabled"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > VPC > Peering Connection > Regions

A list of AWS regions in which AWS VPC peering connections are supported for use.

Any peering connections in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

AWS > VPC > Peering Connection > Tags

Determine the action to take when an AWS VPC peering connection tags are not updated based on the AWS > VPC > Peering Connection > Tags > * policies.

The control ensure AWS VPC peering connection tags include tags defined in AWS > VPC > Peering Connection > Tags > Template.

Tags not defined in Peering Connection Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > VPC > Peering Connection > Tags > Template

The template is used to generate the keys and values for AWS VPC peering connection.

Tags not defined in Peering Connection Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionTagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

AWS > VPC > Peering Connection > Usage

Configure the number of AWS peering connections that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > > Peering Connection > Usage policy.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > VPC > Peering Connection > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 250
}

AWS > VPC > Transit Gateway > Active

Determine the action to take when an AWS VPC transit gateway, based on the AWS > VPC > Transit Gateway > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Transit Gateway > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > VPC > Transit Gateway > Active > Age

The age after which the AWS VPC transit gateway
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Transit Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > VPC > Transit Gateway > Active > Budget

The impact of the budget state on the active control. This policy allows you to force
transitGateways to inactive based on the current budget state, as reflected in
AWS > Account > Budget > State

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Transit Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayActiveBudget
Valid Value
[
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > VPC > Transit Gateway > Active > Last Modified

The number of days since the AWS VPC transit gateway
was last modified before it is considered inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Transit Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > VPC > Transit Gateway > Approved

Determine the action to take when an AWS VPC transit gateway is not approved based on AWS > VPC > Transit Gateway > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > VPC > Transit Gateway > Approved > Budget

The policy allows you to set transit gateways to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State

This policy will be evaluated by the Approved control. If an AWS VPC transit gateway is not matched by the approved list, it will be subject to the action specified in the AWS > VPC > Transit Gateway > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayApprovedBudget
Valid Value
[
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
],
"example": [
"Unapproved if Budget > State is Shutdown"
],
"default": "Skip"
}

AWS > VPC > Transit Gateway > Approved > Custom

Determine whether the AWS VPC transit gateway is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC transit gateway is not approved, it will be subject to the action specified in the AWS > VPC > Transit Gateway > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > VPC > Transit Gateway > Approved > Regions

A list of AWS regions in which AWS VPC transit gateways are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS VPC transit gateway is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Transit Gateway > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

AWS > VPC > Transit Gateway > Approved > Usage

Determine whether the AWS VPC transit gateway is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS VPC transit gateway is not approved, it will be subject to the action specified in the AWS > VPC > Transit Gateway > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > VPC > Enabled"
}

AWS > VPC > Transit Gateway > CMDB

Configure whether to record and synchronize details for the AWS VPC transit gateway into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > Transit Gateway > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > VPC > Transit Gateway > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > VPC > Transit Gateway > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > VPC > Transit Gateway > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > VPC > Transit Gateway > Regions

A list of AWS regions in which AWS VPC transit gateways are supported for use.

Any transit gateways in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRegions
Schema
{
"allOf": [
{
"$ref": "aws#/definitions/regionNameMatcherList"
},
{
"default": [
"af-south-1",
"ap-east-1",
"ap-northeast-1",
"ap-northeast-2",
"ap-south-1",
"ap-southeast-1",
"ap-southeast-2",
"ca-central-1",
"cn-north-1",
"cn-northwest-1",
"eu-central-1",
"eu-north-1",
"eu-south-1",
"eu-west-1",
"eu-west-2",
"eu-west-3",
"me-south-1",
"sa-east-1",
"us-east-1",
"us-east-2",
"us-gov-east-1",
"us-gov-west-1",
"us-west-1",
"us-west-2"
]
}
]
}

AWS > VPC > Transit Gateway > Tags

Determine the action to take when an AWS VPC transit gateway tags are not updated based on the AWS > VPC > Transit Gateway > Tags > * policies.

The control ensure AWS VPC transit gateway tags include tags defined in AWS > VPC > Transit Gateway > Tags > Template.

Tags not defined in Transit Gateway Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > VPC > Transit Gateway > Tags > Template

The template is used to generate the keys and values for AWS VPC transit gateway.

Tags not defined in Transit Gateway Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayTagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

AWS > VPC > Transit Gateway > Usage

Configure the number of AWS transit gateways that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > > Transit Gateway > Usage policy.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > VPC > Transit Gateway > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 5
}

AWS > VPC > Transit Gateway Attachment > CMDB

Configure whether to record and synchronize details for the AWS VPC transit gateway attachment into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > Transit Gateway Attachment > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayAttachmentCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > VPC > Transit Gateway Attachment > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayAttachmentConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > VPC > Transit Gateway Attachment > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayAttachmentConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > VPC > Transit Gateway Attachment > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayAttachmentConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > VPC > Transit Gateway Attachment > Regions

A list of AWS regions in which AWS VPC transit gateway attachments are supported for use.

Any transit gateway attachments in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayAttachmentRegions
Schema
{
"allOf": [
{
"$ref": "aws#/definitions/regionNameMatcherList"
},
{
"default": [
"af-south-1",
"ap-east-1",
"ap-northeast-1",
"ap-northeast-2",
"ap-south-1",
"ap-southeast-1",
"ap-southeast-2",
"ca-central-1",
"cn-north-1",
"cn-northwest-1",
"eu-central-1",
"eu-north-1",
"eu-west-1",
"eu-west-2",
"eu-west-3",
"me-south-1",
"sa-east-1",
"us-east-1",
"us-east-2",
"us-gov-east-1",
"us-gov-west-1",
"us-west-1",
"us-west-2"
]
}
]
}

AWS > VPC > Transit Gateway Route Table > Active

Determine the action to take when an AWS VPC transit gateway route table, based on the AWS > VPC > Transit Gateway Route Table > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Transit Gateway Route Table > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Detach and delete inactive with 1 day warning",
"Enforce: Detach and delete inactive with 3 days warning",
"Enforce: Detach and delete inactive with 7 days warning",
"Enforce: Detach and delete inactive with 14 days warning",
"Enforce: Detach and delete inactive with 30 days warning",
"Enforce: Detach and delete inactive with 60 days warning",
"Enforce: Detach and delete inactive with 90 days warning",
"Enforce: Detach and delete inactive with 180 days warning",
"Enforce: Detach and delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Detach and delete inactive with 1 day warning",
"Enforce: Detach and delete inactive with 3 days warning",
"Enforce: Detach and delete inactive with 7 days warning",
"Enforce: Detach and delete inactive with 14 days warning",
"Enforce: Detach and delete inactive with 30 days warning",
"Enforce: Detach and delete inactive with 60 days warning",
"Enforce: Detach and delete inactive with 90 days warning",
"Enforce: Detach and delete inactive with 180 days warning",
"Enforce: Detach and delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > VPC > Transit Gateway Route Table > Active > Age

The age after which the AWS VPC transit gateway route table
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Transit Gateway Route Table > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > VPC > Transit Gateway Route Table > Active > Budget

The impact of the budget state on the active control. This policy allows you to force
transitGatewayRouteTables to inactive based on the current budget state, as reflected in
AWS > Account > Budget > State

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Transit Gateway Route Table > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableActiveBudget
Valid Value
[
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > VPC > Transit Gateway Route Table > Active > Last Modified

The number of days since the AWS VPC transit gateway route table
was last modified before it is considered inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Transit Gateway Route Table > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > VPC > Transit Gateway Route Table > Approved

Determine the action to take when an AWS VPC transit gateway route table is not approved based on AWS > VPC > Transit Gateway Route Table > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Detach unapproved",
"Enforce: Detach unapproved if new",
"Enforce: Detach and delete unapproved if new",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Detach unapproved",
"Enforce: Detach unapproved if new",
"Enforce: Detach and delete unapproved if new",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > VPC > Transit Gateway Route Table > Approved > Budget

The policy allows you to set transit gateway route tables to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State

This policy will be evaluated by the Approved control. If an AWS VPC transit gateway route table is not matched by the approved list, it will be subject to the action specified in the AWS > VPC > Transit Gateway Route Table > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableApprovedBudget
Valid Value
[
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
],
"example": [
"Unapproved if Budget > State is Shutdown"
],
"default": "Skip"
}

AWS > VPC > Transit Gateway Route Table > Approved > Custom

Determine whether the AWS VPC transit gateway route table is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC transit gateway route table is not approved, it will be subject to the action specified in the AWS > VPC > Transit Gateway Route Table > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > VPC > Transit Gateway Route Table > Approved > Regions

A list of AWS regions in which AWS VPC transit gateway route tables are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS VPC transit gateway route table is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Transit Gateway Route Table > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

AWS > VPC > Transit Gateway Route Table > Approved > Usage

Determine whether the AWS VPC transit gateway route table is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS VPC transit gateway route table is not approved, it will be subject to the action specified in the AWS > VPC > Transit Gateway Route Table > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > VPC > Enabled"
}

AWS > VPC > Transit Gateway Route Table > CMDB

Configure whether to record and synchronize details for the AWS VPC transit gateway route table into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > Transit Gateway Route Table > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > VPC > Transit Gateway Route Table > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > VPC > Transit Gateway Route Table > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > VPC > Transit Gateway Route Table > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > VPC > Transit Gateway Route Table > Regions

A list of AWS regions in which AWS VPC transit gateway route tables are supported for use.

Any transit gateway route tables in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableRegions
Schema
{
"allOf": [
{
"$ref": "aws#/definitions/regionNameMatcherList"
},
{
"default": [
"af-south-1",
"ap-east-1",
"ap-northeast-1",
"ap-northeast-2",
"ap-south-1",
"ap-southeast-1",
"ap-southeast-2",
"ca-central-1",
"cn-north-1",
"cn-northwest-1",
"eu-central-1",
"eu-north-1",
"eu-south-1",
"eu-west-1",
"eu-west-2",
"eu-west-3",
"me-south-1",
"sa-east-1",
"us-east-1",
"us-east-2",
"us-gov-east-1",
"us-gov-west-1",
"us-west-1",
"us-west-2"
]
}
]
}

AWS > VPC > Transit Gateway Route Table > Tags

Determine the action to take when an AWS VPC transit gateway route table tags are not updated based on the AWS > VPC > Transit Gateway Route Table > Tags > * policies.

The control ensure AWS VPC transit gateway route table tags include tags defined in AWS > VPC > Transit Gateway Route Table > Tags > Template.

Tags not defined in Transit Gateway Route Table Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > VPC > Transit Gateway Route Table > Tags > Template

The template is used to generate the keys and values for AWS VPC transit gateway route table.

Tags not defined in Transit Gateway Route Table Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableTagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

AWS > VPC > Transit Gateway Route Table > Usage

Configure the number of AWS transit gateway route tables that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > > Transit Gateway Route Table > Usage policy.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > VPC > Transit Gateway Route Table > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 20
}

AWS > VPC > VPN Connection > Active

Determine the action to take when an AWS VPC vpn connection, based on the AWS > VPC > VPN Connection > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > VPN Connection > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > VPC > VPN Connection > Active > Age

The age after which the AWS VPC vpn connection
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > VPN Connection > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > VPC > VPN Connection > Active > Last Modified

The number of days since the AWS VPC vpn connection
was last modified before it is considered inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > VPN Connection > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > VPC > VPN Connection > Approved

Determine the action to take when an AWS VPC vpn connection is not approved based on AWS > VPC > VPN Connection > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > VPC > VPN Connection > Approved > Custom

Determine whether the AWS VPC vpn connection is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC vpn connection is not approved, it will be subject to the action specified in the AWS > VPC > VPN Connection > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > VPC > VPN Connection > Approved > Regions

A list of AWS regions in which AWS VPC vpn connections are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS VPC vpn connection is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > VPN Connection > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

AWS > VPC > VPN Connection > Approved > Usage

Determine whether the AWS VPC vpn connection is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS VPC vpn connection is not approved, it will be subject to the action specified in the AWS > VPC > VPN Connection > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > VPC > Enabled"
}

AWS > VPC > VPN Connection > CMDB

Configure whether to record and synchronize details for the AWS VPC vpn connection into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > VPN Connection > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > VPC > VPN Connection > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > VPC > VPN Connection > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > VPC > VPN Connection > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > VPC > VPN Connection > Regions

A list of AWS regions in which AWS VPC vpn connections are supported for use.

Any vpn connections in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionRegions
Schema
{
"allOf": [
{
"$ref": "aws#/definitions/regionNameMatcherList"
},
{
"default": [
"af-south-1",
"ap-east-1",
"ap-northeast-1",
"ap-northeast-2",
"ap-south-1",
"ap-southeast-1",
"ap-southeast-2",
"ca-central-1",
"eu-central-1",
"eu-north-1",
"eu-south-1",
"eu-west-1",
"eu-west-2",
"eu-west-3",
"me-south-1",
"sa-east-1",
"us-east-1",
"us-east-2",
"us-gov-east-1",
"us-gov-west-1",
"us-west-1",
"us-west-2"
]
}
]
}

AWS > VPC > VPN Connection > Tags

Determine the action to take when an AWS VPC vpn connection tags are not updated based on the AWS > VPC > VPN Connection > Tags > * policies.

The control ensure AWS VPC vpn connection tags include tags defined in AWS > VPC > VPN Connection > Tags > Template.

Tags not defined in VPN Connection Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > VPC > VPN Connection > Tags > Template

The template is used to generate the keys and values for AWS VPC vpn connection.

Tags not defined in VPN Connection Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionTagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

AWS > VPC > VPN Connection > Usage

Configure the number of AWS vpn connections that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > > VPN Connection > Usage policy.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > VPC > VPN Connection > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 50
}

AWS > VPC > VPN Gateway > Active

Determine the action to take when an AWS VPC vpn gateway, based on the AWS > VPC > VPN Gateway > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > VPN Gateway > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Detach and delete inactive with 1 day warning",
"Enforce: Detach and delete inactive with 3 days warning",
"Enforce: Detach and delete inactive with 7 days warning",
"Enforce: Detach and delete inactive with 14 days warning",
"Enforce: Detach and delete inactive with 30 days warning",
"Enforce: Detach and delete inactive with 60 days warning",
"Enforce: Detach and delete inactive with 90 days warning",
"Enforce: Detach and delete inactive with 180 days warning",
"Enforce: Detach and delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Detach and delete inactive with 1 day warning",
"Enforce: Detach and delete inactive with 3 days warning",
"Enforce: Detach and delete inactive with 7 days warning",
"Enforce: Detach and delete inactive with 14 days warning",
"Enforce: Detach and delete inactive with 30 days warning",
"Enforce: Detach and delete inactive with 60 days warning",
"Enforce: Detach and delete inactive with 90 days warning",
"Enforce: Detach and delete inactive with 180 days warning",
"Enforce: Detach and delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > VPC > VPN Gateway > Active > Age

The age after which the AWS VPC vpn gateway
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > VPN Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > VPC > VPN Gateway > Active > Attached

Determine whether the VPN Gateway is active, based on whether it is attached to any other resource types.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > VPN Gateway > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayActiveAttached
Valid Value
[
"Skip",
"Active if attached",
"Force active if attached",
"Force inactive if unattached"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if attached",
"Force active if attached",
"Force inactive if unattached"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > VPC > VPN Gateway > Active > Last Modified

The number of days since the AWS VPC vpn gateway
was last modified before it is considered inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > VPN Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > VPC > VPN Gateway > Approved

Determine the action to take when an AWS VPC vpn gateway is not approved based on AWS > VPC > VPN Gateway > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Detach unapproved",
"Enforce: Detach unapproved if new",
"Enforce: Detach and delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Detach unapproved",
"Enforce: Detach unapproved if new",
"Enforce: Detach and delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > VPC > VPN Gateway > Approved > Custom

Determine whether the AWS VPC vpn gateway is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC vpn gateway is not approved, it will be subject to the action specified in the AWS > VPC > VPN Gateway > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > VPC > VPN Gateway > Approved > Regions

A list of AWS regions in which AWS VPC vpn gateways are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS VPC vpn gateway is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > VPN Gateway > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

AWS > VPC > VPN Gateway > Approved > Usage

Determine whether the AWS VPC vpn gateway is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS VPC vpn gateway is not approved, it will be subject to the action specified in the AWS > VPC > VPN Gateway > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayApprovedUsage
Targets