Policy types for @turbot/aws-vpc-connect
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-vpc-connect
- AWS > VPC > Customer Gateway > Active
- AWS > VPC > Customer Gateway > Active > Age
- AWS > VPC > Customer Gateway > Active > Budget
- AWS > VPC > Customer Gateway > Active > Last Modified
- AWS > VPC > Customer Gateway > Approved
- AWS > VPC > Customer Gateway > Approved > Budget
- AWS > VPC > Customer Gateway > Approved > Custom
- AWS > VPC > Customer Gateway > Approved > Regions
- AWS > VPC > Customer Gateway > Approved > Usage
- AWS > VPC > Customer Gateway > CMDB
- AWS > VPC > Customer Gateway > Configured
- AWS > VPC > Customer Gateway > Configured > Claim Precedence
- AWS > VPC > Customer Gateway > Configured > Source
- AWS > VPC > Customer Gateway > Regions
- AWS > VPC > Customer Gateway > Tags
- AWS > VPC > Customer Gateway > Tags > Template
- AWS > VPC > Customer Gateway > Usage
- AWS > VPC > Customer Gateway > Usage > Limit
- AWS > VPC > Peering Connection > Active
- AWS > VPC > Peering Connection > Active > Age
- AWS > VPC > Peering Connection > Active > Last Modified
- AWS > VPC > Peering Connection > Approved
- AWS > VPC > Peering Connection > Approved > Custom
- AWS > VPC > Peering Connection > Approved > Regions
- AWS > VPC > Peering Connection > Approved > Usage
- AWS > VPC > Peering Connection > CMDB
- AWS > VPC > Peering Connection > Configured
- AWS > VPC > Peering Connection > Configured > Claim Precedence
- AWS > VPC > Peering Connection > Configured > Source
- AWS > VPC > Peering Connection > DNS Resolution
- AWS > VPC > Peering Connection > Regions
- AWS > VPC > Peering Connection > Tags
- AWS > VPC > Peering Connection > Tags > Template
- AWS > VPC > Peering Connection > Usage
- AWS > VPC > Peering Connection > Usage > Limit
- AWS > VPC > Transit Gateway > Active
- AWS > VPC > Transit Gateway > Active > Age
- AWS > VPC > Transit Gateway > Active > Budget
- AWS > VPC > Transit Gateway > Active > Last Modified
- AWS > VPC > Transit Gateway > Approved
- AWS > VPC > Transit Gateway > Approved > Budget
- AWS > VPC > Transit Gateway > Approved > Custom
- AWS > VPC > Transit Gateway > Approved > Regions
- AWS > VPC > Transit Gateway > Approved > Usage
- AWS > VPC > Transit Gateway > CMDB
- AWS > VPC > Transit Gateway > Configured
- AWS > VPC > Transit Gateway > Configured > Claim Precedence
- AWS > VPC > Transit Gateway > Configured > Source
- AWS > VPC > Transit Gateway > Regions
- AWS > VPC > Transit Gateway > Tags
- AWS > VPC > Transit Gateway > Tags > Template
- AWS > VPC > Transit Gateway > Usage
- AWS > VPC > Transit Gateway > Usage > Limit
- AWS > VPC > Transit Gateway Attachment > CMDB
- AWS > VPC > Transit Gateway Attachment > Configured
- AWS > VPC > Transit Gateway Attachment > Configured > Claim Precedence
- AWS > VPC > Transit Gateway Attachment > Configured > Source
- AWS > VPC > Transit Gateway Attachment > Regions
- AWS > VPC > Transit Gateway Route Table > Active
- AWS > VPC > Transit Gateway Route Table > Active > Age
- AWS > VPC > Transit Gateway Route Table > Active > Budget
- AWS > VPC > Transit Gateway Route Table > Active > Last Modified
- AWS > VPC > Transit Gateway Route Table > Approved
- AWS > VPC > Transit Gateway Route Table > Approved > Budget
- AWS > VPC > Transit Gateway Route Table > Approved > Custom
- AWS > VPC > Transit Gateway Route Table > Approved > Regions
- AWS > VPC > Transit Gateway Route Table > Approved > Usage
- AWS > VPC > Transit Gateway Route Table > CMDB
- AWS > VPC > Transit Gateway Route Table > Configured
- AWS > VPC > Transit Gateway Route Table > Configured > Claim Precedence
- AWS > VPC > Transit Gateway Route Table > Configured > Source
- AWS > VPC > Transit Gateway Route Table > Regions
- AWS > VPC > Transit Gateway Route Table > Tags
- AWS > VPC > Transit Gateway Route Table > Tags > Template
- AWS > VPC > Transit Gateway Route Table > Usage
- AWS > VPC > Transit Gateway Route Table > Usage > Limit
- AWS > VPC > VPN Connection > Active
- AWS > VPC > VPN Connection > Active > Age
- AWS > VPC > VPN Connection > Active > Last Modified
- AWS > VPC > VPN Connection > Approved
- AWS > VPC > VPN Connection > Approved > Custom
- AWS > VPC > VPN Connection > Approved > Regions
- AWS > VPC > VPN Connection > Approved > Usage
- AWS > VPC > VPN Connection > CMDB
- AWS > VPC > VPN Connection > Configured
- AWS > VPC > VPN Connection > Configured > Claim Precedence
- AWS > VPC > VPN Connection > Configured > Source
- AWS > VPC > VPN Connection > Regions
- AWS > VPC > VPN Connection > Tags
- AWS > VPC > VPN Connection > Tags > Template
- AWS > VPC > VPN Connection > Usage
- AWS > VPC > VPN Connection > Usage > Limit
- AWS > VPC > VPN Gateway > Active
- AWS > VPC > VPN Gateway > Active > Age
- AWS > VPC > VPN Gateway > Active > Attached
- AWS > VPC > VPN Gateway > Active > Last Modified
- AWS > VPC > VPN Gateway > Approved
- AWS > VPC > VPN Gateway > Approved > Custom
- AWS > VPC > VPN Gateway > Approved > Regions
- AWS > VPC > VPN Gateway > Approved > Usage
- AWS > VPC > VPN Gateway > CMDB
- AWS > VPC > VPN Gateway > Configured
- AWS > VPC > VPN Gateway > Configured > Claim Precedence
- AWS > VPC > VPN Gateway > Configured > Source
- AWS > VPC > VPN Gateway > Regions
- AWS > VPC > VPN Gateway > Tags
- AWS > VPC > VPN Gateway > Tags > Template
- AWS > VPC > VPN Gateway > Usage
- AWS > VPC > VPN Gateway > Usage > Limit
AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-vpc-connect
The CloudWatch Events event pattern used by the AWS VPC Connect module to specify
which events to forward to the Guardrails Event Handlers.
tmod:@turbot/aws-vpc-connect#/policy/types/vpcConnectCustomEventPatterns{ "type": "array", "items": { "type": "object" }}AWS > VPC > Customer Gateway > Active
Determine the action to take when an AWS VPC customer gateway, based on the AWS > VPC > Customer Gateway > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Customer Gateway > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayActive[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}AWS > VPC > Customer Gateway > Active > Age
The age after which the AWS VPC customer gateway
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Customer Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayActiveAge[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}AWS > VPC > Customer Gateway > Active > Budget
The impact of the budget state on the active control. This policy allows you to force
customerGateways to inactive based on the current budget state, as reflected inAWS > Account > Budget > State
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Customer Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayActiveBudget[ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown"]{ "type": "string", "enum": [ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown" ], "example": [ "Skip" ], "default": "Skip"}AWS > VPC > Customer Gateway > Active > Last Modified
The number of days since the AWS VPC customer gateway
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Customer Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayActiveLastModified[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}AWS > VPC > Customer Gateway > Approved
Determine the action to take when an AWS VPC customer gateway is not approved based on AWS > VPC > Customer Gateway > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayApproved[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}AWS > VPC > Customer Gateway > Approved > Budget
The policy allows you to set customer gateways to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State
This policy will be evaluated by the Approved control. If an AWS VPC customer gateway is not matched by the approved list, it will be subject to the action specified in the AWS > VPC > Customer Gateway > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayApprovedBudget[ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown"]{ "type": "string", "enum": [ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown" ], "example": [ "Unapproved if Budget > State is Shutdown" ], "default": "Skip"}AWS > VPC > Customer Gateway > Approved > Custom
Determine whether the AWS VPC customer gateway is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC customer gateway is not approved, it will be subject to the action specified in the AWS > VPC > Customer Gateway > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayApprovedCustom{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}AWS > VPC > Customer Gateway > Approved > Regions
A list of AWS regions in which AWS VPC customer gateways are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS VPC customer gateway is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Customer Gateway > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayApprovedRegions"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n""{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"AWS > VPC > Customer Gateway > Approved > Usage
Determine whether the AWS VPC customer gateway is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC customer gateway is not approved, it will be subject to the action specified in the AWS > VPC > Customer Gateway > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayApprovedUsage[ "Not approved", "Approved", "Approved if AWS > VPC > Enabled"]{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > VPC > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > VPC > Enabled"}AWS > VPC > Customer Gateway > CMDB
Configure whether to record and synchronize details for the AWS VPC customer gateway into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > Customer Gateway > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayCmdb[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}AWS > VPC > Customer Gateway > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayConfigured[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}AWS > VPC > Customer Gateway > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayConfiguredPrecedence"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n""{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"{ "type": "array", "items": { "type": "string" }}AWS > VPC > Customer Gateway > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayConfiguredSource{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}AWS > VPC > Customer Gateway > Regions
A list of AWS regions in which AWS VPC customer gateways are supported for use.
Any customer gateways in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayRegions{ "allOf": [ { "$ref": "aws#/definitions/regionNameMatcherList" }, { "default": [ "af-south-1", "ap-east-1", "ap-northeast-1", "ap-northeast-2", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "eu-central-1", "eu-north-1", "eu-south-1", "eu-west-1", "eu-west-2", "eu-west-3", "me-south-1", "sa-east-1", "us-east-1", "us-east-2", "us-gov-east-1", "us-gov-west-1", "us-west-1", "us-west-2" ] } ]}AWS > VPC > Customer Gateway > Tags
Determine the action to take when an AWS VPC customer gateway tags are not updated based on the AWS > VPC > Customer Gateway > Tags > * policies.
The control ensure AWS VPC customer gateway tags include tags defined in AWS > VPC > Customer Gateway > Tags > Template.
Tags not defined in Customer Gateway Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayTags[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}AWS > VPC > Customer Gateway > Tags > Template
The template is used to generate the keys and values for AWS VPC customer gateway.
Tags not defined in Customer Gateway Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayTagsTemplate[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"AWS > VPC > Customer Gateway > Usage
Configure the number of AWS customer gateways that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > > Customer Gateway > Usage policy.
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayUsage[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}AWS > VPC > Customer Gateway > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayUsageLimit{ "type": "integer", "minimum": 0, "default": 50}AWS > VPC > Peering Connection > Active
Determine the action to take when an AWS VPC peering connection, based on the AWS > VPC > Peering Connection > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Peering Connection > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionActive[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}AWS > VPC > Peering Connection > Active > Age
The age after which the AWS VPC peering connection
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Peering Connection > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionActiveAge[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}AWS > VPC > Peering Connection > Active > Last Modified
The number of days since the AWS VPC peering connection
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Peering Connection > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionActiveLastModified[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}AWS > VPC > Peering Connection > Approved
Determine the action to take when an AWS VPC peering connection is not approved based on AWS > VPC > Peering Connection > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionApproved[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}AWS > VPC > Peering Connection > Approved > Custom
Determine whether the AWS VPC peering connection is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC peering connection is not approved, it will be subject to the action specified in the AWS > VPC > Peering Connection > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionApprovedCustom{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}AWS > VPC > Peering Connection > Approved > Regions
A list of AWS regions in which AWS VPC peering connections are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS VPC peering connection is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Peering Connection > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionApprovedRegions"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n""{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"AWS > VPC > Peering Connection > Approved > Usage
Determine whether the AWS VPC peering connection is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC peering connection is not approved, it will be subject to the action specified in the AWS > VPC > Peering Connection > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionApprovedUsage[ "Not approved", "Approved", "Approved if AWS > VPC > Enabled"]{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > VPC > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > VPC > Enabled"}AWS > VPC > Peering Connection > CMDB
Configure whether to record and synchronize details for the AWS VPC peering connection into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > Peering Connection > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionCmdb[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}AWS > VPC > Peering Connection > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionConfigured[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}AWS > VPC > Peering Connection > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionConfiguredPrecedence"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n""{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"{ "type": "array", "items": { "type": "string" }}AWS > VPC > Peering Connection > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionConfiguredSource{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}AWS > VPC > Peering Connection > DNS Resolution
Check if the AWS VPC Peering Connection DNS Resolution configuration is set correctly.
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionDnsResolution[ "Skip", "Check: Disabled", "Check: Enabled", "Enforce: Disabled", "Enforce: Enabled"]{ "type": "string", "enum": [ "Skip", "Check: Disabled", "Check: Enabled", "Enforce: Disabled", "Enforce: Enabled" ], "example": [ "Skip" ], "default": "Skip"}AWS > VPC > Peering Connection > Regions
A list of AWS regions in which AWS VPC peering connections are supported for use.
Any peering connections in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionRegions"{\n regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n value\n }\n}\n""{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"AWS > VPC > Peering Connection > Tags
Determine the action to take when an AWS VPC peering connection tags are not updated based on the AWS > VPC > Peering Connection > Tags > * policies.
The control ensure AWS VPC peering connection tags include tags defined in AWS > VPC > Peering Connection > Tags > Template.
Tags not defined in Peering Connection Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionTags[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}AWS > VPC > Peering Connection > Tags > Template
The template is used to generate the keys and values for AWS VPC peering connection.
Tags not defined in Peering Connection Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionTagsTemplate[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"AWS > VPC > Peering Connection > Usage
Configure the number of AWS peering connections that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > > Peering Connection > Usage policy.
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionUsage[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}AWS > VPC > Peering Connection > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionUsageLimit{ "type": "integer", "minimum": 0, "default": 250}AWS > VPC > Transit Gateway > Active
Determine the action to take when an AWS VPC transit gateway, based on the AWS > VPC > Transit Gateway > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Transit Gateway > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayActive[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}AWS > VPC > Transit Gateway > Active > Age
The age after which the AWS VPC transit gateway
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Transit Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayActiveAge[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}AWS > VPC > Transit Gateway > Active > Budget
The impact of the budget state on the active control. This policy allows you to force
transitGateways to inactive based on the current budget state, as reflected inAWS > Account > Budget > State
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Transit Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayActiveBudget[ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown"]{ "type": "string", "enum": [ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown" ], "example": [ "Skip" ], "default": "Skip"}AWS > VPC > Transit Gateway > Active > Last Modified
The number of days since the AWS VPC transit gateway
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Transit Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayActiveLastModified[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}AWS > VPC > Transit Gateway > Approved
Determine the action to take when an AWS VPC transit gateway is not approved based on AWS > VPC > Transit Gateway > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayApproved[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}AWS > VPC > Transit Gateway > Approved > Budget
The policy allows you to set transit gateways to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State
This policy will be evaluated by the Approved control. If an AWS VPC transit gateway is not matched by the approved list, it will be subject to the action specified in the AWS > VPC > Transit Gateway > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayApprovedBudget[ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown"]{ "type": "string", "enum": [ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown" ], "example": [ "Unapproved if Budget > State is Shutdown" ], "default": "Skip"}AWS > VPC > Transit Gateway > Approved > Custom
Determine whether the AWS VPC transit gateway is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC transit gateway is not approved, it will be subject to the action specified in the AWS > VPC > Transit Gateway > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayApprovedCustom{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}AWS > VPC > Transit Gateway > Approved > Regions
A list of AWS regions in which AWS VPC transit gateways are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS VPC transit gateway is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Transit Gateway > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayApprovedRegions"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n""{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"AWS > VPC > Transit Gateway > Approved > Usage
Determine whether the AWS VPC transit gateway is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC transit gateway is not approved, it will be subject to the action specified in the AWS > VPC > Transit Gateway > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayApprovedUsage[ "Not approved", "Approved", "Approved if AWS > VPC > Enabled"]{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > VPC > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > VPC > Enabled"}AWS > VPC > Transit Gateway > CMDB
Configure whether to record and synchronize details for the AWS VPC transit gateway into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > Transit Gateway > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayCmdb[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}AWS > VPC > Transit Gateway > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayConfigured[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}AWS > VPC > Transit Gateway > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayConfiguredPrecedence"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n""{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"{ "type": "array", "items": { "type": "string" }}AWS > VPC > Transit Gateway > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayConfiguredSource{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}AWS > VPC > Transit Gateway > Regions
A list of AWS regions in which AWS VPC transit gateways are supported for use.
Any transit gateways in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRegions{ "allOf": [ { "$ref": "aws#/definitions/regionNameMatcherList" }, { "default": [ "af-south-1", "ap-east-1", "ap-northeast-1", "ap-northeast-2", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "cn-north-1", "cn-northwest-1", "eu-central-1", "eu-north-1", "eu-south-1", "eu-west-1", "eu-west-2", "eu-west-3", "me-south-1", "sa-east-1", "us-east-1", "us-east-2", "us-gov-east-1", "us-gov-west-1", "us-west-1", "us-west-2" ] } ]}AWS > VPC > Transit Gateway > Tags
Determine the action to take when an AWS VPC transit gateway tags are not updated based on the AWS > VPC > Transit Gateway > Tags > * policies.
The control ensure AWS VPC transit gateway tags include tags defined in AWS > VPC > Transit Gateway > Tags > Template.
Tags not defined in Transit Gateway Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayTags[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}AWS > VPC > Transit Gateway > Tags > Template
The template is used to generate the keys and values for AWS VPC transit gateway.
Tags not defined in Transit Gateway Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayTagsTemplate[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"AWS > VPC > Transit Gateway > Usage
Configure the number of AWS transit gateways that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > > Transit Gateway > Usage policy.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayUsage[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}AWS > VPC > Transit Gateway > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayUsageLimit{ "type": "integer", "minimum": 0, "default": 5}AWS > VPC > Transit Gateway Attachment > CMDB
Configure whether to record and synchronize details for the AWS VPC transit gateway attachment into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > Transit Gateway Attachment > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayAttachmentCmdb[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}AWS > VPC > Transit Gateway Attachment > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayAttachmentConfigured[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}AWS > VPC > Transit Gateway Attachment > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayAttachmentConfiguredPrecedence"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n""{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"{ "type": "array", "items": { "type": "string" }}AWS > VPC > Transit Gateway Attachment > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayAttachmentConfiguredSource{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}AWS > VPC > Transit Gateway Attachment > Regions
A list of AWS regions in which AWS VPC transit gateway attachments are supported for use.
Any transit gateway attachments in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayAttachmentRegions{ "allOf": [ { "$ref": "aws#/definitions/regionNameMatcherList" }, { "default": [ "af-south-1", "ap-east-1", "ap-northeast-1", "ap-northeast-2", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "cn-north-1", "cn-northwest-1", "eu-central-1", "eu-north-1", "eu-west-1", "eu-west-2", "eu-west-3", "me-south-1", "sa-east-1", "us-east-1", "us-east-2", "us-gov-east-1", "us-gov-west-1", "us-west-1", "us-west-2" ] } ]}AWS > VPC > Transit Gateway Route Table > Active
Determine the action to take when an AWS VPC transit gateway route table, based on the AWS > VPC > Transit Gateway Route Table > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Transit Gateway Route Table > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableActive[ "Skip", "Check: Active", "Enforce: Detach and delete inactive with 1 day warning", "Enforce: Detach and delete inactive with 3 days warning", "Enforce: Detach and delete inactive with 7 days warning", "Enforce: Detach and delete inactive with 14 days warning", "Enforce: Detach and delete inactive with 30 days warning", "Enforce: Detach and delete inactive with 60 days warning", "Enforce: Detach and delete inactive with 90 days warning", "Enforce: Detach and delete inactive with 180 days warning", "Enforce: Detach and delete inactive with 365 days warning"]{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Detach and delete inactive with 1 day warning", "Enforce: Detach and delete inactive with 3 days warning", "Enforce: Detach and delete inactive with 7 days warning", "Enforce: Detach and delete inactive with 14 days warning", "Enforce: Detach and delete inactive with 30 days warning", "Enforce: Detach and delete inactive with 60 days warning", "Enforce: Detach and delete inactive with 90 days warning", "Enforce: Detach and delete inactive with 180 days warning", "Enforce: Detach and delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}AWS > VPC > Transit Gateway Route Table > Active > Age
The age after which the AWS VPC transit gateway route table
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Transit Gateway Route Table > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableActiveAge[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}AWS > VPC > Transit Gateway Route Table > Active > Budget
The impact of the budget state on the active control. This policy allows you to force
transitGatewayRouteTables to inactive based on the current budget state, as reflected inAWS > Account > Budget > State
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Transit Gateway Route Table > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableActiveBudget[ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown"]{ "type": "string", "enum": [ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown" ], "example": [ "Skip" ], "default": "Skip"}AWS > VPC > Transit Gateway Route Table > Active > Last Modified
The number of days since the AWS VPC transit gateway route table
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Transit Gateway Route Table > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableActiveLastModified[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}AWS > VPC > Transit Gateway Route Table > Approved
Determine the action to take when an AWS VPC transit gateway route table is not approved based on AWS > VPC > Transit Gateway Route Table > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableApproved[ "Skip", "Check: Approved", "Enforce: Detach unapproved", "Enforce: Detach unapproved if new", "Enforce: Detach and delete unapproved if new", "Enforce: Delete unapproved if new"]{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Detach unapproved", "Enforce: Detach unapproved if new", "Enforce: Detach and delete unapproved if new", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}AWS > VPC > Transit Gateway Route Table > Approved > Budget
The policy allows you to set transit gateway route tables to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State
This policy will be evaluated by the Approved control. If an AWS VPC transit gateway route table is not matched by the approved list, it will be subject to the action specified in the AWS > VPC > Transit Gateway Route Table > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableApprovedBudget[ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown"]{ "type": "string", "enum": [ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown" ], "example": [ "Unapproved if Budget > State is Shutdown" ], "default": "Skip"}AWS > VPC > Transit Gateway Route Table > Approved > Custom
Determine whether the AWS VPC transit gateway route table is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC transit gateway route table is not approved, it will be subject to the action specified in the AWS > VPC > Transit Gateway Route Table > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableApprovedCustom{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}AWS > VPC > Transit Gateway Route Table > Approved > Regions
A list of AWS regions in which AWS VPC transit gateway route tables are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS VPC transit gateway route table is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Transit Gateway Route Table > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableApprovedRegions"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n""{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"AWS > VPC > Transit Gateway Route Table > Approved > Usage
Determine whether the AWS VPC transit gateway route table is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC transit gateway route table is not approved, it will be subject to the action specified in the AWS > VPC > Transit Gateway Route Table > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableApprovedUsage[ "Not approved", "Approved", "Approved if AWS > VPC > Enabled"]{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > VPC > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > VPC > Enabled"}AWS > VPC > Transit Gateway Route Table > CMDB
Configure whether to record and synchronize details for the AWS VPC transit gateway route table into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > Transit Gateway Route Table > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableCmdb[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}AWS > VPC > Transit Gateway Route Table > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableConfigured[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}AWS > VPC > Transit Gateway Route Table > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableConfiguredPrecedence"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n""{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"{ "type": "array", "items": { "type": "string" }}AWS > VPC > Transit Gateway Route Table > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableConfiguredSource{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}AWS > VPC > Transit Gateway Route Table > Regions
A list of AWS regions in which AWS VPC transit gateway route tables are supported for use.
Any transit gateway route tables in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableRegions{ "allOf": [ { "$ref": "aws#/definitions/regionNameMatcherList" }, { "default": [ "af-south-1", "ap-east-1", "ap-northeast-1", "ap-northeast-2", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "cn-north-1", "cn-northwest-1", "eu-central-1", "eu-north-1", "eu-south-1", "eu-west-1", "eu-west-2", "eu-west-3", "me-south-1", "sa-east-1", "us-east-1", "us-east-2", "us-gov-east-1", "us-gov-west-1", "us-west-1", "us-west-2" ] } ]}AWS > VPC > Transit Gateway Route Table > Tags
Determine the action to take when an AWS VPC transit gateway route table tags are not updated based on the AWS > VPC > Transit Gateway Route Table > Tags > * policies.
The control ensure AWS VPC transit gateway route table tags include tags defined in AWS > VPC > Transit Gateway Route Table > Tags > Template.
Tags not defined in Transit Gateway Route Table Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableTags[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}AWS > VPC > Transit Gateway Route Table > Tags > Template
The template is used to generate the keys and values for AWS VPC transit gateway route table.
Tags not defined in Transit Gateway Route Table Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableTagsTemplate[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"AWS > VPC > Transit Gateway Route Table > Usage
Configure the number of AWS transit gateway route tables that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > > Transit Gateway Route Table > Usage policy.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableUsage[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}AWS > VPC > Transit Gateway Route Table > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableUsageLimit{ "type": "integer", "minimum": 0, "default": 20}AWS > VPC > VPN Connection > Active
Determine the action to take when an AWS VPC vpn connection, based on the AWS > VPC > VPN Connection > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > VPN Connection > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionActive[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}AWS > VPC > VPN Connection > Active > Age
The age after which the AWS VPC vpn connection
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > VPN Connection > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionActiveAge[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}AWS > VPC > VPN Connection > Active > Last Modified
The number of days since the AWS VPC vpn connection
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > VPN Connection > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionActiveLastModified[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}AWS > VPC > VPN Connection > Approved
Determine the action to take when an AWS VPC vpn connection is not approved based on AWS > VPC > VPN Connection > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionApproved[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}AWS > VPC > VPN Connection > Approved > Custom
Determine whether the AWS VPC vpn connection is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC vpn connection is not approved, it will be subject to the action specified in the AWS > VPC > VPN Connection > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionApprovedCustom{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}AWS > VPC > VPN Connection > Approved > Regions
A list of AWS regions in which AWS VPC vpn connections are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS VPC vpn connection is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > VPN Connection > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionApprovedRegions"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n""{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"AWS > VPC > VPN Connection > Approved > Usage
Determine whether the AWS VPC vpn connection is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC vpn connection is not approved, it will be subject to the action specified in the AWS > VPC > VPN Connection > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionApprovedUsage[ "Not approved", "Approved", "Approved if AWS > VPC > Enabled"]{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > VPC > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > VPC > Enabled"}AWS > VPC > VPN Connection > CMDB
Configure whether to record and synchronize details for the AWS VPC vpn connection into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > VPN Connection > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionCmdb[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}AWS > VPC > VPN Connection > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionConfigured[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}AWS > VPC > VPN Connection > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionConfiguredPrecedence"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n""{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"{ "type": "array", "items": { "type": "string" }}AWS > VPC > VPN Connection > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionConfiguredSource{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}AWS > VPC > VPN Connection > Regions
A list of AWS regions in which AWS VPC vpn connections are supported for use.
Any vpn connections in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionRegions{ "allOf": [ { "$ref": "aws#/definitions/regionNameMatcherList" }, { "default": [ "af-south-1", "ap-east-1", "ap-northeast-1", "ap-northeast-2", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "eu-central-1", "eu-north-1", "eu-south-1", "eu-west-1", "eu-west-2", "eu-west-3", "me-south-1", "sa-east-1", "us-east-1", "us-east-2", "us-gov-east-1", "us-gov-west-1", "us-west-1", "us-west-2" ] } ]}AWS > VPC > VPN Connection > Tags
Determine the action to take when an AWS VPC vpn connection tags are not updated based on the AWS > VPC > VPN Connection > Tags > * policies.
The control ensure AWS VPC vpn connection tags include tags defined in AWS > VPC > VPN Connection > Tags > Template.
Tags not defined in VPN Connection Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionTags[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}AWS > VPC > VPN Connection > Tags > Template
The template is used to generate the keys and values for AWS VPC vpn connection.
Tags not defined in VPN Connection Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionTagsTemplate[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"AWS > VPC > VPN Connection > Usage
Configure the number of AWS vpn connections that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > > VPN Connection > Usage policy.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionUsage[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}AWS > VPC > VPN Connection > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionUsageLimit{ "type": "integer", "minimum": 0, "default": 50}AWS > VPC > VPN Gateway > Active
Determine the action to take when an AWS VPC vpn gateway, based on the AWS > VPC > VPN Gateway > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > VPN Gateway > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayActive[ "Skip", "Check: Active", "Enforce: Detach and delete inactive with 1 day warning", "Enforce: Detach and delete inactive with 3 days warning", "Enforce: Detach and delete inactive with 7 days warning", "Enforce: Detach and delete inactive with 14 days warning", "Enforce: Detach and delete inactive with 30 days warning", "Enforce: Detach and delete inactive with 60 days warning", "Enforce: Detach and delete inactive with 90 days warning", "Enforce: Detach and delete inactive with 180 days warning", "Enforce: Detach and delete inactive with 365 days warning"]{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Detach and delete inactive with 1 day warning", "Enforce: Detach and delete inactive with 3 days warning", "Enforce: Detach and delete inactive with 7 days warning", "Enforce: Detach and delete inactive with 14 days warning", "Enforce: Detach and delete inactive with 30 days warning", "Enforce: Detach and delete inactive with 60 days warning", "Enforce: Detach and delete inactive with 90 days warning", "Enforce: Detach and delete inactive with 180 days warning", "Enforce: Detach and delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}AWS > VPC > VPN Gateway > Active > Age
The age after which the AWS VPC vpn gateway
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > VPN Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayActiveAge[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}AWS > VPC > VPN Gateway > Active > Attached
Determine whether the VPN Gateway is active, based on whether it is attached to any other resource types.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (AWS > VPC > VPN Gateway > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayActiveAttached[ "Skip", "Active if attached", "Force active if attached", "Force inactive if unattached"]{ "type": "string", "enum": [ "Skip", "Active if attached", "Force active if attached", "Force inactive if unattached" ], "example": [ "Skip" ], "default": "Skip"}AWS > VPC > VPN Gateway > Active > Last Modified
The number of days since the AWS VPC vpn gateway
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > VPN Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayActiveLastModified[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}AWS > VPC > VPN Gateway > Approved
Determine the action to take when an AWS VPC vpn gateway is not approved based on AWS > VPC > VPN Gateway > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayApproved[ "Skip", "Check: Approved", "Enforce: Detach unapproved", "Enforce: Detach unapproved if new", "Enforce: Detach and delete unapproved if new"]{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Detach unapproved", "Enforce: Detach unapproved if new", "Enforce: Detach and delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}AWS > VPC > VPN Gateway > Approved > Custom
Determine whether the AWS VPC vpn gateway is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC vpn gateway is not approved, it will be subject to the action specified in the AWS > VPC > VPN Gateway > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayApprovedCustom{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}AWS > VPC > VPN Gateway > Approved > Regions
A list of AWS regions in which AWS VPC vpn gateways are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS VPC vpn gateway is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > VPN Gateway > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayApprovedRegions"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n""{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"AWS > VPC > VPN Gateway > Approved > Usage
Determine whether the AWS VPC vpn gateway is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC vpn gateway is not approved, it will be subject to the action specified in the AWS > VPC > VPN Gateway > Approved policy.
See Approved for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayApprovedUsage[ "Not approved", "Approved", "Approved if AWS > VPC > Enabled"]{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > VPC > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > VPC > Enabled"}AWS > VPC > VPN Gateway > CMDB
Configure whether to record and synchronize details for the AWS VPC vpn gateway into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB. All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayCmdb[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}AWS > VPC > VPN Gateway > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayConfigured[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}AWS > VPC > VPN Gateway > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayConfiguredPrecedence"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n""{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"{ "type": "array", "items": { "type": "string" }}AWS > VPC > VPN Gateway > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayConfiguredSource{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}AWS > VPC > VPN Gateway > Regions
A list of AWS regions in which AWS VPC vpn gateways are supported for use.
Any vpn gateways in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayRegions"{\n regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n value\n }\n}\n""{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"AWS > VPC > VPN Gateway > Tags
Determine the action to take when an AWS VPC vpn gateway tags are not updated based on the AWS > VPC > VPN Gateway > Tags > * policies.
The control ensure AWS VPC vpn gateway tags include tags defined in AWS > VPC > VPN Gateway > Tags > Template.
Tags not defined in VPN Gateway Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayTags[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}AWS > VPC > VPN Gateway > Tags > Template
The template is used to generate the keys and values for AWS VPC vpn gateway.
Tags not defined in VPN Gateway Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayTagsTemplate[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"AWS > VPC > VPN Gateway > Usage
Configure the number of AWS vpn gateways that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this AWS > > VPN Gateway > Usage policy.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayUsage[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}AWS > VPC > VPN Gateway > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayUsageLimit{ "type": "integer", "minimum": 0, "default": 5}