Product logo
DocsBlogPricing

Policy types for @turbot/aws-vpc-connect

AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-vpc-connect

The CloudWatch Events event pattern used by the AWS VPC Connect module to specify which events to forward to the Turbot Event Handlers.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcConnectCustomEventPatterns
Category
Parent
Targets
Schema
{
  "type": "array",
  "items": {
    "type": "object"
  }
}

AWS > VPC > Customer Gateway > Active

Determine the action to take when an AWS VPC customer gateway, based on the AWS > VPC > Customer Gateway > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Customer Gateway > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayActive
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

AWS > VPC > Customer Gateway > Active > Age

The age after which the AWS VPC customer gateway is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Customer Gateway > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayActiveAge
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

AWS > VPC > Customer Gateway > Active > Budget

The impact of the budget state on the active control. This policy allows you to force customerGateways to inactive based on the current budget state, as reflected in AWS > Account > Budget > State

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Customer Gateway > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayActiveBudget
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Force inactive if Budget > State is Over or higher",
  "Force inactive if Budget > State is Critical or higher",
  "Force inactive if Budget > State is Shutdown"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if Budget > State is Over or higher",
    "Force inactive if Budget > State is Critical or higher",
    "Force inactive if Budget > State is Shutdown"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

AWS > VPC > Customer Gateway > Active > Last Modified

The number of days since the AWS VPC customer gateway was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Customer Gateway > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayActiveLastModified
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

AWS > VPC > Customer Gateway > Approved

Determine the action to take when an AWS VPC customer gateway is not approved based on AWS > VPC > Customer Gateway > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayApproved
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

AWS > VPC > Customer Gateway > Approved > Budget

The policy allows you to set customer gateways to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State

This policy will be evaluated by the Approved control. If an AWS VPC customer gateway is not matched by the approved list, it will be subject to the action specified in the AWS > VPC > Customer Gateway > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayApprovedBudget
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Unapproved if Budget > State is Over or higher",
  "Unapproved if Budget > State is Critical or higher",
  "Unapproved if Budget > State is Shutdown"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Unapproved if Budget > State is Over or higher",
    "Unapproved if Budget > State is Critical or higher",
    "Unapproved if Budget > State is Shutdown"
  ],
  "example": [
    "Unapproved if Budget > State is Shutdown"
  ],
  "default": "Skip"
}

AWS > VPC > Customer Gateway > Approved > Custom

Determine whether the AWS VPC customer gateway is allowed to exist. This policy will be evaluated by the Approved control. If an AWS VPC customer gateway is not approved, it will be subject to the action specified in the AWS > VPC > Customer Gateway > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayApprovedCustom
Category
Parent
Targets
Schema
{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

AWS > VPC > Customer Gateway > Approved > Regions

A list of AWS regions in which AWS VPC customer gateways are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS VPC customer gateway is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Customer Gateway > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayApprovedRegions
Category
Parent
Targets
Default Template Input
"{\n  regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;\n{% endfor %}"
Schema

AWS > VPC > Customer Gateway > Approved > Usage

Determine whether the AWS VPC customer gateway is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS VPC customer gateway is not approved, it will be subject to the action specified in the AWS > VPC > Customer Gateway > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayApprovedUsage
Category
Parent
Targets
Valid Value
[
  "Not approved",
  "Approved",
  "Approved if AWS > VPC > Enabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if AWS > VPC > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if AWS > VPC > Enabled"
}

AWS > VPC > Customer Gateway > CMDB

Configure whether to record and synchronize details for the AWS VPC customer gateway into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > Customer Gateway > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > VPC > Customer Gateway > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayConfigured
Category
Parent
Targets
Valid Value
[
  "Skip (unless claimed by a stack)",
  "Check: Per Configured > Source (unless claimed by a stack)",
  "Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
  "enum": [
    "Skip (unless claimed by a stack)",
    "Check: Per Configured > Source (unless claimed by a stack)",
    "Enforce: Per Configured > Source (unless claimed by a stack)"
  ],
  "default": "Skip (unless claimed by a stack)"
}

AWS > VPC > Customer Gateway > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayConfiguredPrecedence
Category
Parent
Targets
Default Template Input
"{\n  defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"
Schema
{
  "type": "array",
  "items": {
    "type": "string"
  }
}

AWS > VPC > Customer Gateway > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayConfiguredSource
Category
Parent
Targets
Schema
{
  "type": "string",
  "default": "",
  "x-schema-form": {
    "type": "code",
    "language": "hcl"
  }
}

AWS > VPC > Customer Gateway > Regions

A list of AWS regions in which AWS VPC customer gateways are supported for use.

Any customer gateways in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayRegions
Category
Parent
Targets
Schema
{
  "allOf": [
    {
      "$ref": "aws#/definitions/regionNameMatcherList"
    },
    {
      "default": [
        "af-south-1",
        "ap-east-1",
        "ap-northeast-1",
        "ap-northeast-2",
        "ap-south-1",
        "ap-southeast-1",
        "ap-southeast-2",
        "ca-central-1",
        "eu-central-1",
        "eu-north-1",
        "eu-south-1",
        "eu-west-1",
        "eu-west-2",
        "eu-west-3",
        "me-south-1",
        "sa-east-1",
        "us-east-1",
        "us-east-2",
        "us-gov-east-1",
        "us-gov-west-1",
        "us-west-1",
        "us-west-2"
      ]
    }
  ]
}

AWS > VPC > Customer Gateway > Tags

Determine the action to take when an AWS VPC customer gateway tags are not updated based on the AWS > VPC > Customer Gateway > Tags > * policies.

The control ensure AWS VPC customer gateway tags include tags defined in AWS > VPC > Customer Gateway > Tags > Template.

Tags not defined in Customer Gateway Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayTags
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

AWS > VPC > Customer Gateway > Tags > Template

The template is used to generate the keys and values for AWS VPC customer gateway.

Tags not defined in Customer Gateway Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayTagsTemplate
Category
Parent
Targets
Default Template Input
[
  "{\n  account {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n    value\n  }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
Schema

AWS > VPC > Customer Gateway > Usage

Configure the number of AWS customer gateways that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > > Customer Gateway > Usage policy.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayUsage
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Usage <= 85% of Limit",
  "Check: Usage <= 100% of Limit"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Usage <= 85% of Limit",
    "Check: Usage <= 100% of Limit"
  ],
  "example": [
    "Check: Usage <= 85% of Limit"
  ],
  "default": "Skip"
}

AWS > VPC > Customer Gateway > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayUsageLimit
Category
Parent
Targets
Schema
{
  "type": "integer",
  "minimum": 0,
  "default": 50
}

AWS > VPC > Peering Connection > Active

Determine the action to take when an AWS VPC peering connection, based on the AWS > VPC > Peering Connection > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Peering Connection > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionActive
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

AWS > VPC > Peering Connection > Active > Age

The age after which the AWS VPC peering connection is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Peering Connection > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionActiveAge
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

AWS > VPC > Peering Connection > Active > Last Modified

The number of days since the AWS VPC peering connection was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Peering Connection > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionActiveLastModified
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

AWS > VPC > Peering Connection > Approved

Determine the action to take when an AWS VPC peering connection is not approved based on AWS > VPC > Peering Connection > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionApproved
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

AWS > VPC > Peering Connection > Approved > Custom

Determine whether the AWS VPC peering connection is allowed to exist. This policy will be evaluated by the Approved control. If an AWS VPC peering connection is not approved, it will be subject to the action specified in the AWS > VPC > Peering Connection > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionApprovedCustom
Category
Parent
Targets
Schema
{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

AWS > VPC > Peering Connection > Approved > Regions

A list of AWS regions in which AWS VPC peering connections are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS VPC peering connection is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Peering Connection > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionApprovedRegions
Category
Parent
Targets
Default Template Input
"{\n  regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;\n{% endfor %}"
Schema

AWS > VPC > Peering Connection > Approved > Usage

Determine whether the AWS VPC peering connection is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS VPC peering connection is not approved, it will be subject to the action specified in the AWS > VPC > Peering Connection > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionApprovedUsage
Category
Parent
Targets
Valid Value
[
  "Not approved",
  "Approved",
  "Approved if AWS > VPC > Enabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if AWS > VPC > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if AWS > VPC > Enabled"
}

AWS > VPC > Peering Connection > CMDB

Configure whether to record and synchronize details for the AWS VPC peering connection into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > Peering Connection > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > VPC > Peering Connection > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionConfigured
Category
Parent
Targets
Valid Value
[
  "Skip (unless claimed by a stack)",
  "Check: Per Configured > Source (unless claimed by a stack)",
  "Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
  "enum": [
    "Skip (unless claimed by a stack)",
    "Check: Per Configured > Source (unless claimed by a stack)",
    "Enforce: Per Configured > Source (unless claimed by a stack)"
  ],
  "default": "Skip (unless claimed by a stack)"
}

AWS > VPC > Peering Connection > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionConfiguredPrecedence
Category
Parent
Targets
Default Template Input
"{\n  defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"
Schema
{
  "type": "array",
  "items": {
    "type": "string"
  }
}

AWS > VPC > Peering Connection > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionConfiguredSource
Category
Parent
Targets
Schema
{
  "type": "string",
  "default": "",
  "x-schema-form": {
    "type": "code",
    "language": "hcl"
  }
}

AWS > VPC > Peering Connection > DNS Resolution

Check if the AWS VPC Peering Connection DNS Resolution configuration is set correctly.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionDnsResolution
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Disabled",
  "Check: Enabled",
  "Enforce: Disabled",
  "Enforce: Enabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Disabled",
    "Check: Enabled",
    "Enforce: Disabled",
    "Enforce: Enabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

AWS > VPC > Peering Connection > Regions

A list of AWS regions in which AWS VPC peering connections are supported for use.

Any peering connections in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionRegions
Category
Parent
Targets
Default Template Input
"{\n  regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n    value\n  }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;\n{% endfor %}"
Schema

AWS > VPC > Peering Connection > Tags

Determine the action to take when an AWS VPC peering connection tags are not updated based on the AWS > VPC > Peering Connection > Tags > * policies.

The control ensure AWS VPC peering connection tags include tags defined in AWS > VPC > Peering Connection > Tags > Template.

Tags not defined in Peering Connection Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionTags
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

AWS > VPC > Peering Connection > Tags > Template

The template is used to generate the keys and values for AWS VPC peering connection.

Tags not defined in Peering Connection Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionTagsTemplate
Category
Parent
Targets
Default Template Input
[
  "{\n  account {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n    value\n  }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
Schema

AWS > VPC > Peering Connection > Usage

Configure the number of AWS peering connections that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > > Peering Connection > Usage policy.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionUsage
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Usage <= 85% of Limit",
  "Check: Usage <= 100% of Limit"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Usage <= 85% of Limit",
    "Check: Usage <= 100% of Limit"
  ],
  "example": [
    "Check: Usage <= 85% of Limit"
  ],
  "default": "Skip"
}

AWS > VPC > Peering Connection > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionUsageLimit
Category
Parent
Targets
Schema
{
  "type": "integer",
  "minimum": 0,
  "default": 250
}

AWS > VPC > Transit Gateway > Active

Determine the action to take when an AWS VPC transit gateway, based on the AWS > VPC > Transit Gateway > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Transit Gateway > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayActive
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

AWS > VPC > Transit Gateway > Active > Age

The age after which the AWS VPC transit gateway is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Transit Gateway > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayActiveAge
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

AWS > VPC > Transit Gateway > Active > Budget

The impact of the budget state on the active control. This policy allows you to force transitGateways to inactive based on the current budget state, as reflected in AWS > Account > Budget > State

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Transit Gateway > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayActiveBudget
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Force inactive if Budget > State is Over or higher",
  "Force inactive if Budget > State is Critical or higher",
  "Force inactive if Budget > State is Shutdown"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if Budget > State is Over or higher",
    "Force inactive if Budget > State is Critical or higher",
    "Force inactive if Budget > State is Shutdown"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

AWS > VPC > Transit Gateway > Active > Last Modified

The number of days since the AWS VPC transit gateway was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Transit Gateway > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayActiveLastModified
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

AWS > VPC > Transit Gateway > Approved

Determine the action to take when an AWS VPC transit gateway is not approved based on AWS > VPC > Transit Gateway > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayApproved
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

AWS > VPC > Transit Gateway > Approved > Budget

The policy allows you to set transit gateways to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State

This policy will be evaluated by the Approved control. If an AWS VPC transit gateway is not matched by the approved list, it will be subject to the action specified in the AWS > VPC > Transit Gateway > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayApprovedBudget
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Unapproved if Budget > State is Over or higher",
  "Unapproved if Budget > State is Critical or higher",
  "Unapproved if Budget > State is Shutdown"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Unapproved if Budget > State is Over or higher",
    "Unapproved if Budget > State is Critical or higher",
    "Unapproved if Budget > State is Shutdown"
  ],
  "example": [
    "Unapproved if Budget > State is Shutdown"
  ],
  "default": "Skip"
}

AWS > VPC > Transit Gateway > Approved > Custom

Determine whether the AWS VPC transit gateway is allowed to exist. This policy will be evaluated by the Approved control. If an AWS VPC transit gateway is not approved, it will be subject to the action specified in the AWS > VPC > Transit Gateway > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayApprovedCustom
Category
Parent
Targets
Schema
{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

AWS > VPC > Transit Gateway > Approved > Regions

A list of AWS regions in which AWS VPC transit gateways are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS VPC transit gateway is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Transit Gateway > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayApprovedRegions
Category
Parent
Targets
Default Template Input
"{\n  regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;\n{% endfor %}"
Schema

AWS > VPC > Transit Gateway > Approved > Usage

Determine whether the AWS VPC transit gateway is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS VPC transit gateway is not approved, it will be subject to the action specified in the AWS > VPC > Transit Gateway > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayApprovedUsage
Category
Parent
Targets
Valid Value
[
  "Not approved",
  "Approved",
  "Approved if AWS > VPC > Enabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if AWS > VPC > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if AWS > VPC > Enabled"
}

AWS > VPC > Transit Gateway > CMDB

Configure whether to record and synchronize details for the AWS VPC transit gateway into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > Transit Gateway > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > VPC > Transit Gateway > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayConfigured
Category
Parent
Targets
Valid Value
[
  "Skip (unless claimed by a stack)",
  "Check: Per Configured > Source (unless claimed by a stack)",
  "Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
  "enum": [
    "Skip (unless claimed by a stack)",
    "Check: Per Configured > Source (unless claimed by a stack)",
    "Enforce: Per Configured > Source (unless claimed by a stack)"
  ],
  "default": "Skip (unless claimed by a stack)"
}

AWS > VPC > Transit Gateway > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayConfiguredPrecedence
Category
Parent
Targets
Default Template Input
"{\n  defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"
Schema
{
  "type": "array",
  "items": {
    "type": "string"
  }
}

AWS > VPC > Transit Gateway > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayConfiguredSource
Category
Parent
Targets
Schema
{
  "type": "string",
  "default": "",
  "x-schema-form": {
    "type": "code",
    "language": "hcl"
  }
}

AWS > VPC > Transit Gateway > Regions

A list of AWS regions in which AWS VPC transit gateways are supported for use.

Any transit gateways in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRegions
Category
Parent
Targets
Schema
{
  "allOf": [
    {
      "$ref": "aws#/definitions/regionNameMatcherList"
    },
    {
      "default": [
        "af-south-1",
        "ap-east-1",
        "ap-northeast-1",
        "ap-northeast-2",
        "ap-south-1",
        "ap-southeast-1",
        "ap-southeast-2",
        "ca-central-1",
        "cn-north-1",
        "cn-northwest-1",
        "eu-central-1",
        "eu-north-1",
        "eu-south-1",
        "eu-west-1",
        "eu-west-2",
        "eu-west-3",
        "me-south-1",
        "sa-east-1",
        "us-east-1",
        "us-east-2",
        "us-gov-east-1",
        "us-gov-west-1",
        "us-west-1",
        "us-west-2"
      ]
    }
  ]
}

AWS > VPC > Transit Gateway > Tags

Determine the action to take when an AWS VPC transit gateway tags are not updated based on the AWS > VPC > Transit Gateway > Tags > * policies.

The control ensure AWS VPC transit gateway tags include tags defined in AWS > VPC > Transit Gateway > Tags > Template.

Tags not defined in Transit Gateway Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayTags
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

AWS > VPC > Transit Gateway > Tags > Template

The template is used to generate the keys and values for AWS VPC transit gateway.

Tags not defined in Transit Gateway Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayTagsTemplate
Category
Parent
Targets
Default Template Input
[
  "{\n  account {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n    value\n  }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
Schema

AWS > VPC > Transit Gateway > Usage

Configure the number of AWS transit gateways that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > > Transit Gateway > Usage policy.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayUsage
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Usage <= 85% of Limit",
  "Check: Usage <= 100% of Limit"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Usage <= 85% of Limit",
    "Check: Usage <= 100% of Limit"
  ],
  "example": [
    "Check: Usage <= 85% of Limit"
  ],
  "default": "Skip"
}

AWS > VPC > Transit Gateway > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayUsageLimit
Category
Parent
Targets
Schema
{
  "type": "integer",
  "minimum": 0,
  "default": 5
}

AWS > VPC > Transit Gateway Attachment > CMDB

Configure whether to record and synchronize details for the AWS VPC transit gateway attachment into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > Transit Gateway Attachment > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayAttachmentCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > VPC > Transit Gateway Attachment > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayAttachmentConfigured
Category
Parent
Targets
Valid Value
[
  "Skip (unless claimed by a stack)",
  "Check: Per Configured > Source (unless claimed by a stack)",
  "Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
  "enum": [
    "Skip (unless claimed by a stack)",
    "Check: Per Configured > Source (unless claimed by a stack)",
    "Enforce: Per Configured > Source (unless claimed by a stack)"
  ],
  "default": "Skip (unless claimed by a stack)"
}

AWS > VPC > Transit Gateway Attachment > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayAttachmentConfiguredPrecedence
Category
Parent
Targets
Default Template Input
"{\n  defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"
Schema
{
  "type": "array",
  "items": {
    "type": "string"
  }
}

AWS > VPC > Transit Gateway Attachment > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayAttachmentConfiguredSource
Category
Parent
Targets
Schema
{
  "type": "string",
  "default": "",
  "x-schema-form": {
    "type": "code",
    "language": "hcl"
  }
}

AWS > VPC > Transit Gateway Attachment > Regions

A list of AWS regions in which AWS VPC transit gateway attachments are supported for use.

Any transit gateway attachments in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayAttachmentRegions
Category
Parent
Targets
Schema
{
  "allOf": [
    {
      "$ref": "aws#/definitions/regionNameMatcherList"
    },
    {
      "default": [
        "af-south-1",
        "ap-east-1",
        "ap-northeast-1",
        "ap-northeast-2",
        "ap-south-1",
        "ap-southeast-1",
        "ap-southeast-2",
        "ca-central-1",
        "cn-north-1",
        "cn-northwest-1",
        "eu-central-1",
        "eu-north-1",
        "eu-west-1",
        "eu-west-2",
        "eu-west-3",
        "me-south-1",
        "sa-east-1",
        "us-east-1",
        "us-east-2",
        "us-gov-east-1",
        "us-gov-west-1",
        "us-west-1",
        "us-west-2"
      ]
    }
  ]
}

AWS > VPC > Transit Gateway Route Table > Active

Determine the action to take when an AWS VPC transit gateway route table, based on the AWS > VPC > Transit Gateway Route Table > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Transit Gateway Route Table > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableActive
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Active",
  "Enforce: Detach and delete inactive with 1 day warning",
  "Enforce: Detach and delete inactive with 3 days warning",
  "Enforce: Detach and delete inactive with 7 days warning",
  "Enforce: Detach and delete inactive with 14 days warning",
  "Enforce: Detach and delete inactive with 30 days warning",
  "Enforce: Detach and delete inactive with 60 days warning",
  "Enforce: Detach and delete inactive with 90 days warning",
  "Enforce: Detach and delete inactive with 180 days warning",
  "Enforce: Detach and delete inactive with 365 days warning"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Detach and delete inactive with 1 day warning",
    "Enforce: Detach and delete inactive with 3 days warning",
    "Enforce: Detach and delete inactive with 7 days warning",
    "Enforce: Detach and delete inactive with 14 days warning",
    "Enforce: Detach and delete inactive with 30 days warning",
    "Enforce: Detach and delete inactive with 60 days warning",
    "Enforce: Detach and delete inactive with 90 days warning",
    "Enforce: Detach and delete inactive with 180 days warning",
    "Enforce: Detach and delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

AWS > VPC > Transit Gateway Route Table > Active > Age

The age after which the AWS VPC transit gateway route table is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Transit Gateway Route Table > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableActiveAge
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

AWS > VPC > Transit Gateway Route Table > Active > Budget

The impact of the budget state on the active control. This policy allows you to force transitGatewayRouteTables to inactive based on the current budget state, as reflected in AWS > Account > Budget > State

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Transit Gateway Route Table > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableActiveBudget
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Force inactive if Budget > State is Over or higher",
  "Force inactive if Budget > State is Critical or higher",
  "Force inactive if Budget > State is Shutdown"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if Budget > State is Over or higher",
    "Force inactive if Budget > State is Critical or higher",
    "Force inactive if Budget > State is Shutdown"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

AWS > VPC > Transit Gateway Route Table > Active > Last Modified

The number of days since the AWS VPC transit gateway route table was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > Transit Gateway Route Table > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableActiveLastModified
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

AWS > VPC > Transit Gateway Route Table > Approved

Determine the action to take when an AWS VPC transit gateway route table is not approved based on AWS > VPC > Transit Gateway Route Table > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableApproved
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Approved",
  "Enforce: Detach unapproved",
  "Enforce: Detach unapproved if new",
  "Enforce: Detach and delete unapproved if new",
  "Enforce: Delete unapproved if new"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Detach unapproved",
    "Enforce: Detach unapproved if new",
    "Enforce: Detach and delete unapproved if new",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

AWS > VPC > Transit Gateway Route Table > Approved > Budget

The policy allows you to set transit gateway route tables to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State

This policy will be evaluated by the Approved control. If an AWS VPC transit gateway route table is not matched by the approved list, it will be subject to the action specified in the AWS > VPC > Transit Gateway Route Table > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableApprovedBudget
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Unapproved if Budget > State is Over or higher",
  "Unapproved if Budget > State is Critical or higher",
  "Unapproved if Budget > State is Shutdown"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Unapproved if Budget > State is Over or higher",
    "Unapproved if Budget > State is Critical or higher",
    "Unapproved if Budget > State is Shutdown"
  ],
  "example": [
    "Unapproved if Budget > State is Shutdown"
  ],
  "default": "Skip"
}

AWS > VPC > Transit Gateway Route Table > Approved > Custom

Determine whether the AWS VPC transit gateway route table is allowed to exist. This policy will be evaluated by the Approved control. If an AWS VPC transit gateway route table is not approved, it will be subject to the action specified in the AWS > VPC > Transit Gateway Route Table > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableApprovedCustom
Category
Parent
Targets
Schema
{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

AWS > VPC > Transit Gateway Route Table > Approved > Regions

A list of AWS regions in which AWS VPC transit gateway route tables are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS VPC transit gateway route table is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Transit Gateway Route Table > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableApprovedRegions
Category
Parent
Targets
Default Template Input
"{\n  regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;\n{% endfor %}"
Schema

AWS > VPC > Transit Gateway Route Table > Approved > Usage

Determine whether the AWS VPC transit gateway route table is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS VPC transit gateway route table is not approved, it will be subject to the action specified in the AWS > VPC > Transit Gateway Route Table > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableApprovedUsage
Category
Parent
Targets
Valid Value
[
  "Not approved",
  "Approved",
  "Approved if AWS > VPC > Enabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if AWS > VPC > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if AWS > VPC > Enabled"
}

AWS > VPC > Transit Gateway Route Table > CMDB

Configure whether to record and synchronize details for the AWS VPC transit gateway route table into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > Transit Gateway Route Table > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > VPC > Transit Gateway Route Table > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableConfigured
Category
Parent
Targets
Valid Value
[
  "Skip (unless claimed by a stack)",
  "Check: Per Configured > Source (unless claimed by a stack)",
  "Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
  "enum": [
    "Skip (unless claimed by a stack)",
    "Check: Per Configured > Source (unless claimed by a stack)",
    "Enforce: Per Configured > Source (unless claimed by a stack)"
  ],
  "default": "Skip (unless claimed by a stack)"
}

AWS > VPC > Transit Gateway Route Table > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableConfiguredPrecedence
Category
Parent
Targets
Default Template Input
"{\n  defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"
Schema
{
  "type": "array",
  "items": {
    "type": "string"
  }
}

AWS > VPC > Transit Gateway Route Table > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableConfiguredSource
Category
Parent
Targets
Schema
{
  "type": "string",
  "default": "",
  "x-schema-form": {
    "type": "code",
    "language": "hcl"
  }
}

AWS > VPC > Transit Gateway Route Table > Regions

A list of AWS regions in which AWS VPC transit gateway route tables are supported for use.

Any transit gateway route tables in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableRegions
Category
Parent
Targets
Schema
{
  "allOf": [
    {
      "$ref": "aws#/definitions/regionNameMatcherList"
    },
    {
      "default": [
        "af-south-1",
        "ap-east-1",
        "ap-northeast-1",
        "ap-northeast-2",
        "ap-south-1",
        "ap-southeast-1",
        "ap-southeast-2",
        "ca-central-1",
        "cn-north-1",
        "cn-northwest-1",
        "eu-central-1",
        "eu-north-1",
        "eu-south-1",
        "eu-west-1",
        "eu-west-2",
        "eu-west-3",
        "me-south-1",
        "sa-east-1",
        "us-east-1",
        "us-east-2",
        "us-gov-east-1",
        "us-gov-west-1",
        "us-west-1",
        "us-west-2"
      ]
    }
  ]
}

AWS > VPC > Transit Gateway Route Table > Tags

Determine the action to take when an AWS VPC transit gateway route table tags are not updated based on the AWS > VPC > Transit Gateway Route Table > Tags > * policies.

The control ensure AWS VPC transit gateway route table tags include tags defined in AWS > VPC > Transit Gateway Route Table > Tags > Template.

Tags not defined in Transit Gateway Route Table Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableTags
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

AWS > VPC > Transit Gateway Route Table > Tags > Template

The template is used to generate the keys and values for AWS VPC transit gateway route table.

Tags not defined in Transit Gateway Route Table Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableTagsTemplate
Category
Parent
Targets
Default Template Input
[
  "{\n  account {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n    value\n  }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
Schema

AWS > VPC > Transit Gateway Route Table > Usage

Configure the number of AWS transit gateway route tables that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > > Transit Gateway Route Table > Usage policy.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableUsage
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Usage <= 85% of Limit",
  "Check: Usage <= 100% of Limit"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Usage <= 85% of Limit",
    "Check: Usage <= 100% of Limit"
  ],
  "example": [
    "Check: Usage <= 85% of Limit"
  ],
  "default": "Skip"
}

AWS > VPC > Transit Gateway Route Table > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableUsageLimit
Category
Parent
Targets
Schema
{
  "type": "integer",
  "minimum": 0,
  "default": 20
}

AWS > VPC > VPN Connection > Active

Determine the action to take when an AWS VPC vpn connection, based on the AWS > VPC > VPN Connection > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > VPN Connection > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionActive
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

AWS > VPC > VPN Connection > Active > Age

The age after which the AWS VPC vpn connection is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > VPN Connection > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionActiveAge
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

AWS > VPC > VPN Connection > Active > Last Modified

The number of days since the AWS VPC vpn connection was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > VPN Connection > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionActiveLastModified
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

AWS > VPC > VPN Connection > Approved

Determine the action to take when an AWS VPC vpn connection is not approved based on AWS > VPC > VPN Connection > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionApproved
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

AWS > VPC > VPN Connection > Approved > Custom

Determine whether the AWS VPC vpn connection is allowed to exist. This policy will be evaluated by the Approved control. If an AWS VPC vpn connection is not approved, it will be subject to the action specified in the AWS > VPC > VPN Connection > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionApprovedCustom
Category
Parent
Targets
Schema
{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

AWS > VPC > VPN Connection > Approved > Regions

A list of AWS regions in which AWS VPC vpn connections are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS VPC vpn connection is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > VPN Connection > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionApprovedRegions
Category
Parent
Targets
Default Template Input
"{\n  regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;\n{% endfor %}"
Schema

AWS > VPC > VPN Connection > Approved > Usage

Determine whether the AWS VPC vpn connection is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS VPC vpn connection is not approved, it will be subject to the action specified in the AWS > VPC > VPN Connection > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionApprovedUsage
Category
Parent
Targets
Valid Value
[
  "Not approved",
  "Approved",
  "Approved if AWS > VPC > Enabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if AWS > VPC > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if AWS > VPC > Enabled"
}

AWS > VPC > VPN Connection > CMDB

Configure whether to record and synchronize details for the AWS VPC vpn connection into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > VPN Connection > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > VPC > VPN Connection > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionConfigured
Category
Parent
Targets
Valid Value
[
  "Skip (unless claimed by a stack)",
  "Check: Per Configured > Source (unless claimed by a stack)",
  "Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
  "enum": [
    "Skip (unless claimed by a stack)",
    "Check: Per Configured > Source (unless claimed by a stack)",
    "Enforce: Per Configured > Source (unless claimed by a stack)"
  ],
  "default": "Skip (unless claimed by a stack)"
}

AWS > VPC > VPN Connection > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionConfiguredPrecedence
Category
Parent
Targets
Default Template Input
"{\n  defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"
Schema
{
  "type": "array",
  "items": {
    "type": "string"
  }
}

AWS > VPC > VPN Connection > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionConfiguredSource
Category
Parent
Targets
Schema
{
  "type": "string",
  "default": "",
  "x-schema-form": {
    "type": "code",
    "language": "hcl"
  }
}

AWS > VPC > VPN Connection > Regions

A list of AWS regions in which AWS VPC vpn connections are supported for use.

Any vpn connections in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionRegions
Category
Parent
Targets
Schema
{
  "allOf": [
    {
      "$ref": "aws#/definitions/regionNameMatcherList"
    },
    {
      "default": [
        "af-south-1",
        "ap-east-1",
        "ap-northeast-1",
        "ap-northeast-2",
        "ap-south-1",
        "ap-southeast-1",
        "ap-southeast-2",
        "ca-central-1",
        "eu-central-1",
        "eu-north-1",
        "eu-south-1",
        "eu-west-1",
        "eu-west-2",
        "eu-west-3",
        "me-south-1",
        "sa-east-1",
        "us-east-1",
        "us-east-2",
        "us-gov-east-1",
        "us-gov-west-1",
        "us-west-1",
        "us-west-2"
      ]
    }
  ]
}

AWS > VPC > VPN Connection > Tags

Determine the action to take when an AWS VPC vpn connection tags are not updated based on the AWS > VPC > VPN Connection > Tags > * policies.

The control ensure AWS VPC vpn connection tags include tags defined in AWS > VPC > VPN Connection > Tags > Template.

Tags not defined in VPN Connection Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionTags
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

AWS > VPC > VPN Connection > Tags > Template

The template is used to generate the keys and values for AWS VPC vpn connection.

Tags not defined in VPN Connection Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionTagsTemplate
Category
Parent
Targets
Default Template Input
[
  "{\n  account {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n    value\n  }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
Schema

AWS > VPC > VPN Connection > Usage

Configure the number of AWS vpn connections that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > > VPN Connection > Usage policy.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionUsage
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Usage <= 85% of Limit",
  "Check: Usage <= 100% of Limit"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Usage <= 85% of Limit",
    "Check: Usage <= 100% of Limit"
  ],
  "example": [
    "Check: Usage <= 85% of Limit"
  ],
  "default": "Skip"
}

AWS > VPC > VPN Connection > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionUsageLimit
Category
Parent
Targets
Schema
{
  "type": "integer",
  "minimum": 0,
  "default": 50
}

AWS > VPC > VPN Gateway > Active

Determine the action to take when an AWS VPC vpn gateway, based on the AWS > VPC > VPN Gateway > Active > * policies.

The control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > VPN Gateway > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayActive
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Active",
  "Enforce: Detach and delete inactive with 1 day warning",
  "Enforce: Detach and delete inactive with 3 days warning",
  "Enforce: Detach and delete inactive with 7 days warning",
  "Enforce: Detach and delete inactive with 14 days warning",
  "Enforce: Detach and delete inactive with 30 days warning",
  "Enforce: Detach and delete inactive with 60 days warning",
  "Enforce: Detach and delete inactive with 90 days warning",
  "Enforce: Detach and delete inactive with 180 days warning",
  "Enforce: Detach and delete inactive with 365 days warning"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Detach and delete inactive with 1 day warning",
    "Enforce: Detach and delete inactive with 3 days warning",
    "Enforce: Detach and delete inactive with 7 days warning",
    "Enforce: Detach and delete inactive with 14 days warning",
    "Enforce: Detach and delete inactive with 30 days warning",
    "Enforce: Detach and delete inactive with 60 days warning",
    "Enforce: Detach and delete inactive with 90 days warning",
    "Enforce: Detach and delete inactive with 180 days warning",
    "Enforce: Detach and delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

AWS > VPC > VPN Gateway > Active > Age

The age after which the AWS VPC vpn gateway is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > VPN Gateway > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayActiveAge
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

AWS > VPC > VPN Gateway > Active > Attached

Determine whether the VPN Gateway is active, based on whether it is attached to any other resource types.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > VPN Gateway > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayActiveAttached
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Active if attached",
  "Force active if attached",
  "Force inactive if unattached"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Active if attached",
    "Force active if attached",
    "Force inactive if unattached"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

AWS > VPC > VPN Gateway > Active > Last Modified

The number of days since the AWS VPC vpn gateway was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (AWS > VPC > VPN Gateway > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayActiveLastModified
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

AWS > VPC > VPN Gateway > Approved

Determine the action to take when an AWS VPC vpn gateway is not approved based on AWS > VPC > VPN Gateway > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayApproved
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Approved",
  "Enforce: Detach unapproved",
  "Enforce: Detach unapproved if new",
  "Enforce: Detach and delete unapproved if new"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Detach unapproved",
    "Enforce: Detach unapproved if new",
    "Enforce: Detach and delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

AWS > VPC > VPN Gateway > Approved > Custom

Determine whether the AWS VPC vpn gateway is allowed to exist. This policy will be evaluated by the Approved control. If an AWS VPC vpn gateway is not approved, it will be subject to the action specified in the AWS > VPC > VPN Gateway > Approved policy. See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayApprovedCustom
Category
Parent
Targets
Schema
{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

AWS > VPC > VPN Gateway > Approved > Regions

A list of AWS regions in which AWS VPC vpn gateways are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS VPC vpn gateway is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > VPN Gateway > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayApprovedRegions
Category
Parent
Targets
Default Template Input
"{\n  regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- &#39;{{ item }}&#39;\n{% endfor %}"
Schema

AWS > VPC > VPN Gateway > Approved > Usage

Determine whether the AWS VPC vpn gateway is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS VPC vpn gateway is not approved, it will be subject to the action specified in the AWS > VPC > VPN Gateway > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayApprovedUsage
Category
Parent
Targets
Valid Value
[
  "Not approved",
  "Approved",
  "Approved if AWS > VPC > Enabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if AWS > VPC > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if AWS > VPC > Enabled"
}

AWS > VPC > VPN Gateway > CMDB

Configure whether to record and synchronize details for the AWS VPC vpn gateway into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

AWS > VPC > VPN Gateway > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherit from the stack that owns it

URI
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayConfigured
Category
Parent
Targets
Valid Value
[
  "Skip (unless claimed by a stack)",
  "Check: Per Configured > Source (unless claimed by a stack)",
  "Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
  "enum"