Policy types for @turbot/aws-vpc-core

AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-vpc-core

The CloudWatch Events event pattern used by the AWS VPC Core module to specify
which events to forward to the Guardrails Event Handlers.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcCoreCustomEventPatterns
Schema
{
"type": "array",
"items": {
"type": "object"
}
}

AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-vpc

A calculated policy that Guardrails uses to create a compiled list of ALL permissions for
AWS VPC that is used as input to the stack that manages the Guardrails IAM permissions objects.

URI
tmod:@turbot/aws-vpc-core#/policy/types/awsLevelsCompiled

AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-vpc

A calculated policy that Guardrails uses to create a compiled list of ALL permissions
for AWS VPC that is used as input to the control that manages the IAM stack.

URI
tmod:@turbot/aws-vpc-core#/policy/types/awsCompiledServicePermissions

AWS > VPC > Approved Regions [Default]

A list of AWS regions in which AWS VPC resources are approved for use.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

This policy is the default value for all AWS VPC resources' Approved > Regions policies.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws#/policy/types/approvedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

AWS > VPC > DHCP Options > Active

Determine the action to take when an AWS VPC DHCP options set is not active, based on the AWS > VPC > DHCP Options > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > DHCP Options > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/dhcpOptionsActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > VPC > DHCP Options > Active > Age

The age after which the AWS VPC dhcp options
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > DHCP Options > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/dhcpOptionsActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > VPC > DHCP Options > Active > Last Modified

The number of days since the AWS VPC dhcp options
was last modified before it is considered inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > DHCP Options > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/dhcpOptionsActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > VPC > DHCP Options > Approved

Determine the action to take when an AWS VPC dhcp options is not approved based on AWS > VPC > DHCP Options > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.
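The Active sections above (AWS > VPC > DHCP Options > Active, > Age and > Last Modified) and this Approved section state two opposite aggregation rules: a resource is Active if any Active sub-policy sees it as active, but Not approved if any Approved sub-policy sees it as unapproved. The following is an added example, written for this page and not code from the Guardrails aws-vpc-core module, that parses the day thresholds out of the policy values listed above and applies both rules to constructed sample dates. Where the page is silent (what an under-threshold Age sub-policy reports, how a "Force" prefix changes aggregation, what happens when every sub-policy is skipped) the code marks its reading as an assumption; the `days_ago`, `NOW` and the function names are all inventions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed clock for the constructed sample, so the results are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
DAYS_RE = re.compile(r"(\d+) days?\b")


def days_ago(n: int) -> datetime:
    """Constructed timestamp helper: n days before NOW (negative n is in the future)."""
    return NOW - timedelta(days=n)


def threshold_days(policy_value: str) -> int:
    """Pull the day count out of a policy value such as
    'Force inactive if age > 90 days' or 'Enforce: Delete inactive with 1 day warning'."""
    match = DAYS_RE.search(policy_value)
    if match is None:
        raise ValueError(f"no day threshold in {policy_value!r}")
    return int(match.group(1))


def age_status(policy_value: str, created_at: datetime) -> str:
    """Active > Age sub-policy. Past the threshold the page says the resource is no
    longer considered active. Assumption: below it the sub-policy reports 'skipped'."""
    if policy_value == "Skip":
        return "skipped"
    if NOW - created_at > timedelta(days=threshold_days(policy_value)):
        return "inactive"
    return "skipped"


def last_modified_status(policy_value: str, modified_at: datetime) -> str:
    """Active > Last Modified sub-policy: active while the last change is within the
    threshold, inactive once it is older. The 'Force active' variants are parsed for
    their threshold only; the page does not define how 'Force' alters aggregation."""
    if policy_value == "Skip":
        return "skipped"
    within = NOW - modified_at <= timedelta(days=threshold_days(policy_value))
    return "active" if within else "inactive"


def aggregate_active(statuses) -> str:
    """Page rule: if any sub-policy sees the resource as active, it is Active."""
    if "active" in statuses:
        return "active"
    if "inactive" in statuses:
        return "inactive"
    return "skipped"  # assumption: no sub-policy reported either way


def aggregate_approved(results) -> str:
    """Page rule (the contrast): one 'Not approved' sub-policy makes the resource
    Not approved, whatever the others say."""
    if "Not approved" in results:
        return "Not approved"
    if "Approved" in results:
        return "Approved"
    return "Skip"


def deletion_deadline(active_policy_value: str):
    """Top-level Active policy: an 'Enforce: Delete inactive with N days warning' value
    gives the date the warning period ends; Skip and Check values never delete."""
    if not active_policy_value.startswith("Enforce:"):
        return None
    return NOW + timedelta(days=threshold_days(active_policy_value))


if __name__ == "__main__":
    # Constructed DHCP options set: created 400 days ago, last modified 5 days ago.
    statuses = [
        age_status("Skip", days_ago(400)),
        last_modified_status("Active if last modified <= 7 days", days_ago(5)),
    ]
    print(statuses, "->", aggregate_active(statuses))
    print("deadline:", deletion_deadline("Enforce: Delete inactive with 30 days warning"))
```

The two aggregation functions are the part worth keeping in mind when tuning these policies: adding an Active sub-policy can only make more resources count as active, while adding an Approved sub-policy can only make more resources count as unapproved.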

URI
tmod:@turbot/aws-vpc-core#/policy/types/dhcpOptionsApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > VPC > DHCP Options > Approved > Custom

Determine whether the AWS VPC dhcp options is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC dhcp options is not approved, it will be subject to the action specified in the AWS > VPC > DHCP Options > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-vpc-core#/policy/types/dhcpOptionsApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > VPC > DHCP Options > Approved > Regions

A list of AWS regions in which AWS VPC DHCP options sets are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS VPC dhcp options is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > DHCP Options > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/dhcpOptionsApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
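The region list policies on this page (AWS > VPC > Approved Regions [Default], this Approved > Regions policy and the later AWS > VPC > DHCP Options > Regions policy) all take an array of region names with '*' and '?' wildcards, and their Default Templates render that array as a YAML list of quoted names. As an added example that is not Guardrails code, the snippet below implements the same wildcard matching with Python's `fnmatchcase`, sorts constructed resources into the ones a pattern list keeps and the ones it would flag, and reproduces the template's output format. The pattern list, resource ids and function names are constructed for this example.

```python
from fnmatch import fnmatchcase

# Constructed sample value for a Regions / Approved > Regions policy.
SAMPLE_PATTERNS = ["us-*", "eu-west-?", "ca-central-1"]


def region_matches(region: str, patterns) -> bool:
    """True when the region name matches at least one pattern. fnmatchcase gives
    exactly the '*' (any run of characters) and '?' (one character) semantics the
    page describes and stays case-sensitive, so 'US-EAST-1' does not match 'us-*'."""
    return any(fnmatchcase(region, pattern) for pattern in patterns)


def partition_by_region(resources, patterns):
    """Split (resource_id, region) pairs into those the policy keeps and those it
    flags. For Approved > Regions the flagged group is subject to the Approved
    action; for the Regions policy the page says they are not recorded in the CMDB."""
    kept, flagged = [], []
    for resource_id, region in resources:
        (kept if region_matches(region, patterns) else flagged).append(resource_id)
    return kept, flagged


def render_region_list(regions) -> str:
    """Reproduce what the Default Template emits: one quoted region per line as a
    YAML list, or '[]' when the input list is empty."""
    if not regions:
        return "[]"
    return "".join(f"- '{region}'\n" for region in regions)


if __name__ == "__main__":
    # Constructed DHCP options sets in two regions.
    sample = [("dopt-example-1", "us-west-2"), ("dopt-example-2", "ap-south-1")]
    print(partition_by_region(sample, SAMPLE_PATTERNS))
    print(render_region_list(["us-east-1", "us-west-2"]), end="")
```

Note that `*` also matches hyphens, so `us-*` covers `us-gov-east-1` as well as the commercial us regions; list GovCloud regions explicitly if that is not intended.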

AWS > VPC > DHCP Options > Approved > Usage

Determine whether the AWS VPC dhcp options is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS VPC dhcp options is not approved, it will be subject to the action specified in the AWS > VPC > DHCP Options > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/dhcpOptionsApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > VPC > Enabled"
}

AWS > VPC > DHCP Options > CMDB

Configure whether to record and synchronize details for the AWS VPC dhcp options into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > VPC > DHCP Options > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-vpc-core#/policy/types/dhcpOptionsCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > VPC > DHCP Options > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

URI
tmod:@turbot/aws-vpc-core#/policy/types/dhcpOptionsConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > VPC > DHCP Options > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI
tmod:@turbot/aws-vpc-core#/policy/types/dhcpOptionsConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > VPC > DHCP Options > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/aws-vpc-core#/policy/types/dhcpOptionsConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > VPC > DHCP Options > Regions

A list of AWS regions in which AWS VPC DHCP options sets are supported for use.

Any DHCP options sets in a region not listed here will not be recorded in the CMDB.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/aws-vpc-core#/policy/types/dhcpOptionsRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

AWS > VPC > DHCP Options > Tags

Determine the action to take when the tags of an AWS VPC DHCP options set are not updated, based on the AWS > VPC > DHCP Options > Tags > * policies.

The control ensures that AWS VPC DHCP options tags include the tags defined in AWS > VPC > DHCP Options > Tags > Template.

Tags not defined in DHCP Options Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/dhcpOptionsTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > VPC > DHCP Options > Tags > Template

The template is used to generate the keys and values for AWS VPC dhcp options.

Tags not defined in DHCP Options Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/dhcpOptionsTagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

AWS > VPC > DHCP Options > Usage

Configure the number of AWS VPC DHCP options sets that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > VPC > DHCP Options > Usage policy.

URI
tmod:@turbot/aws-vpc-core#/policy/types/dhcpOptionsUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > VPC > DHCP Options > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-vpc-core#/policy/types/dhcpOptionsUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 5000
}

AWS > VPC > Default VPC

URI
tmod:@turbot/aws-vpc-core#/policy/types/defaultVPC

AWS > VPC > Default VPC > Approved

This policy defines whether the default VPC in the region is approved for use.

URI
tmod:@turbot/aws-vpc-core#/policy/types/defaultVpcApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Force delete unapproved"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Force delete unapproved"
],
"example": [
"Enforce: Force delete unapproved"
],
"default": "Skip"
}

AWS > VPC > Default VPC > Approved > Usage

Determine whether the AWS default VPC is allowed to exist in region.

This policy will be evaluated by the Approved control. If an AWS default VPC is not approved, it will be subject to the action specified in the AWS > VPC > Default VPC > Approved policy.

See https://turbot.com/guardrails/docs/concepts/guardrails/approved for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/defaultVpcApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > VPC > Enabled"
}

AWS > VPC > Enabled

Enabled VPC.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceEnabled
Valid Value
[
"Enabled",
"Enabled: Metadata Only",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Enabled: Metadata Only",
"Disabled"
],
"example": [
"Enabled"
],
"default": "Disabled"
}

AWS > VPC > Permissions

Configure whether permissions policies are in effect for AWS VPC. This setting does not affect account level permissions
(AWS/Admin, AWS/Owner, etc).

Note: The behavior of this policy depends on the value of AWS > Permissions.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServicePermissions
Valid Value
[
"Enabled",
"Disabled",
"Enabled if AWS > VPC > Enabled & AWS > EC2 > API Enabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled",
"Enabled if AWS > VPC > Enabled & AWS > EC2 > API Enabled"
],
"example": [
"Enabled"
],
"default": "Enabled if AWS > VPC > Enabled & AWS > EC2 > API Enabled"
}

AWS > VPC > Permissions > Levels

Define the permissions levels that can be used to grant access to an AWS account.
Permissions levels defined will appear in the UI to assign access to Guardrails users.
This policy provides a default for Permissions > Levels in each service; however,
you can explicitly override the setting for each service if desired.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServicePermissionsLevels
Default Template Input
[
"{\n item: account {\n turbot{\n id\n }\n }\n}\n",
"{\n availableLevels: policyValues(filter:\"policyTypeLevel:self resourceId:{{ $.item.turbot.id }} policyTypeId:'tmod:@turbot/aws-iam#/policy/types/permissionsLevelsDefault'\") {\n items {\n value\n }\n }\n}\n"
]
Default Template
"{% if $.availableLevels.items[0].value | length == 0 %} [] {% endif %}{% for item in $.availableLevels.items[0].value %}- {{ item }}\n{% endfor %}"
Schema
{
"type": "array",
"items": {
"type": "string",
"enum": [
"Metadata",
"ReadOnly",
"Operator",
"Admin",
"Owner"
]
}
}

AWS > VPC > Permissions > Levels > CGW Administration

Determines which Guardrails permissions level can manage CGW Administration.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServicePermissionsLevelsCgwAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

AWS > VPC > Permissions > Levels > DHCP Options Administration

Determines which Guardrails permissions level can manage DHCP Options Administration.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServicePermissionsLevelsDhcpOptionsAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

AWS > VPC > Permissions > Levels > EGW Administration

Determines which Guardrails permissions level can manage EGW Administration.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServicePermissionsLevelsEgwAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

AWS > VPC > Permissions > Levels > Endpoint Administration

Determines which Guardrails permissions level can manage Endpoint Administration.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServicePermissionsLevelsEndpointAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

AWS > VPC > Permissions > Levels > Flow Logs Administration

Determines which Guardrails permissions level can manage Flow Logs Administration.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServicePermissionsLevelsFlowLogsAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

AWS > VPC > Permissions > Levels > IGW Administration

Determines which Guardrails permissions level can manage IGW Administration.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServicePermissionsLevelsIgwAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

AWS > VPC > Permissions > Levels > Modifiers

A map of AWS API to Guardrails Permission Level used to customize Guardrails' standard permissions.
You can add, remove or redefine the mapping of AWS API operations to Guardrails permissions levels here.

Note: Modifiers are cumulative - if you add a permission to the Metadata level, it is also added
to ReadOnly, Operator and Admin. Modifier policies set here apply ONLY to the AWS level.

example:
- "glacier:createvault": admin
- "glacier:ListVaults": metadata
- "s3:DeleteBucket": none

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServicePermissionsLevelsModifiers

AWS > VPC > Permissions > Levels > NAT Gateway Administration

Determines which Guardrails permissions level can manage NAT Gateway Administration.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServicePermissionsLevelsNatGatewayAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

AWS > VPC > Permissions > Levels > Network ACL Administration

Determines which Guardrails permissions level can manage Network ACL Administration.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServicePermissionsLevelsNetworkAclAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

AWS > VPC > Permissions > Levels > Peering Connection Administration

Determines which Guardrails permissions level can manage Peering Connection Administration.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServicePermissionsLevelsPeeringConnectionAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

AWS > VPC > Permissions > Levels > Route Table Administration

Determines which Guardrails permissions level can manage Route Table Administration.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServicePermissionsLevelsRouteTableAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

AWS > VPC > Permissions > Levels > Security Group Administration

Determines which Guardrails permissions level can manage Security Group Administration.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServicePermissionsLevelsSecurityGroupAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

AWS > VPC > Permissions > Levels > Subnet Administration

Determines which Guardrails permissions level can manage Subnet Administration.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServicePermissionsLevelsSubnetAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

AWS > VPC > Permissions > Levels > VGW Administration

Determines which Guardrails permissions level can manage VGW Administration.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServicePermissionsLevelsVgwAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

AWS > VPC > Permissions > Levels > VPC Administration

Determines which Guardrails permissions level can manage VPC Administration.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServicePermissionsLevelsVpcAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

AWS > VPC > Permissions > Levels > VPN Connection Administration

Determines which Guardrails permissions level can manage VPN Connection Administration.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServicePermissionsLevelsVpnConnectionAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

AWS > VPC > Permissions > Lockdown

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServicePermissionsLockdown

AWS > VPC > Regions

A list of AWS regions in which AWS VPC resources are supported for use.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

This policy is the default value for all AWS VPC resources' Regions policies.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault
Schema
{
"allOf": [
{
"$ref": "aws#/definitions/regionNameMatcherList"
},
{
"default": [
"af-south-1",
"ap-east-1",
"ap-northeast-1",
"ap-northeast-2",
"ap-northeast-3",
"ap-south-1",
"ap-southeast-1",
"ap-southeast-2",
"ca-central-1",
"cn-north-1",
"cn-northwest-1",
"eu-central-1",
"eu-north-1",
"eu-west-1",
"eu-west-2",
"eu-west-3",
"me-south-1",
"sa-east-1",
"us-east-1",
"us-east-2",
"us-gov-east-1",
"us-gov-west-1",
"us-west-1",
"us-west-2"
]
}
]
}

AWS > VPC > Route > CMDB

Configure whether to record and synchronize details for the AWS VPC route into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-vpc-core#/policy/types/routeCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > VPC > Route > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

URI
tmod:@turbot/aws-vpc-core#/policy/types/routeConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > VPC > Route > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI
tmod:@turbot/aws-vpc-core#/policy/types/routeConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > VPC > Route > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/aws-vpc-core#/policy/types/routeConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > VPC > Route Table > Active

Determine the action to take when an AWS VPC route table is not active, based on the AWS > VPC > Route Table > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Route Table > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/routeTableActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > VPC > Route Table > Active > Age

The age after which the AWS VPC route table
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Route Table > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/routeTableActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > VPC > Route Table > Active > Last Modified

The number of days since the AWS VPC route table
was last modified before it is considered inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Route Table > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/routeTableActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > VPC > Route Table > Approved

Determine the action to take when an AWS VPC route table is not approved based on AWS > VPC > Route Table > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/routeTableApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > VPC > Route Table > Approved > Custom

Determine whether the AWS VPC route table is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC route table is not approved, it will be subject to the action specified in the AWS > VPC > Route Table > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-vpc-core#/policy/types/routeTableApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > VPC > Route Table > Approved > Regions

A list of AWS regions in which AWS VPC route tables are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS VPC route table is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Route Table > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/routeTableApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"

AWS > VPC > Route Table > Approved > Usage

Determine whether the AWS VPC route table is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS VPC route table is not approved, it will be subject to the action specified in the AWS > VPC > Route Table > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/routeTableApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > VPC > Enabled"
}

AWS > VPC > Route Table > CMDB

Configure whether to record and synchronize details for the AWS VPC route table into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the AWS > VPC > Route Table > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-vpc-core#/policy/types/routeTableCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > VPC > Route Table > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and are inherited from the stack that owns it.

URI
tmod:@turbot/aws-vpc-core#/policy/types/routeTableConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > VPC > Route Table > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI
tmod:@turbot/aws-vpc-core#/policy/types/routeTableConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > VPC > Route Table > Configured > Source

An HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/aws-vpc-core#/policy/types/routeTableConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > VPC > Route Table > Regions

A list of AWS regions in which AWS VPC route tables are supported for use.

Any route tables in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/aws-vpc-core#/policy/types/routeTableRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

AWS > VPC > Route Table > Tags

Determine the action to take when AWS VPC route table tags are not updated based on the AWS > VPC > Route Table > Tags > * policies.

The control ensures AWS VPC route table tags include the tags defined in AWS > VPC > Route Table > Tags > Template.

Tags not defined in Route Table Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/routeTableTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > VPC > Route Table > Tags > Template

The template is used to generate the tag keys and values for the AWS VPC route table.

Tags not defined in Route Table Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/routeTableTagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

AWS > VPC > Route Table > Usage

Configure the number of AWS VPC route tables that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > VPC > Route Table > Usage policy.

URI
tmod:@turbot/aws-vpc-core#/policy/types/routeTableUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > VPC > Route Table > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-vpc-core#/policy/types/routeTableUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 1000
}

AWS > VPC > Stack

Configure a custom stack on AWS, per the custom Stack > Source.

A Guardrails Stack is a set of resources configured by Guardrails, as specified
via Terraform source. Stacks are responsible for the creation and deletion
of multiple resources. Once created, stack resources are responsible for
configuring themselves from the stack source via their Configured control.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceStack
Valid Value
[
"Skip",
"Check: Configured",
"Enforce: Configured"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Configured",
"Enforce: Configured"
],
"default": "Skip"
}

AWS > VPC > Stack > Secret Variables

Terraform secret variables in Terraform HCL that will be used as
inputs to the stack as a .tfvars file.

A Guardrails Stack is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured control.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceStackSecretVariables
Schema
{
"type": "string",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > VPC > Stack > Source

The Terraform HCL source used to configure this stack.

A Guardrails Stack is a set of resources configured by Guardrails, as specified
via Terraform source. Stacks are responsible for the creation and deletion
of multiple resources. Once created, stack resources are responsible for
configuring themselves from the stack source via their Configured control.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceStackSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > VPC > Stack > Terraform Version

The version of Terraform to use for this stack.
Specify an npm-style semver string to
determine which version of the Terraform container
Guardrails will use to run this stack.

A Guardrails Stack is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured control.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceStackTerraformVersion
Default Template Input
"{\n terraformVersion: policy(uri:\"tmod:@turbot/turbot#/policy/types/stackTerraformVersion\")\n}\n"
Default Template
"{% if $.terraformVersion %}\"{{$.terraformVersion}}\"{% else %}\"\"{% endif %}"
Schema
{
"type": "string"
}

AWS > VPC > Stack > Variables

Terraform variables in Terraform HCL that will be used as
inputs to the stack as a .tfvars file.

A Guardrails Stack is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured control.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceStackVariables
Schema
{
"type": "string",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > VPC > Subnet > Active

Determine the action to take when an AWS VPC subnet is not active, based on the AWS > VPC > Subnet > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Subnet > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/subnetActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > VPC > Subnet > Active > Age

The age after which the AWS VPC subnet
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Subnet > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/subnetActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > VPC > Subnet > Active > Last Modified

The number of days since the AWS VPC subnet
was last modified before it is considered inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > Subnet > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/subnetActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > VPC > Subnet > Approved

Determine the action to take when an AWS VPC subnet is not approved based on AWS > VPC > Subnet > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/subnetApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > VPC > Subnet > Approved > Custom

Determine whether the AWS VPC subnet is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC subnet is not approved, it will be subject to the action specified in the AWS > VPC > Subnet > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-vpc-core#/policy/types/subnetApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

AWS > VPC > Subnet > Approved > Regions

A list of AWS regions in which AWS VPC subnets are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS VPC subnet is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > Subnet > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/subnetApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"

AWS > VPC > Subnet > Approved > Usage

Determine whether the AWS VPC subnet is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS VPC subnet is not approved, it will be subject to the action specified in the AWS > VPC > Subnet > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/subnetApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > VPC > Enabled"
}

AWS > VPC > Subnet > Auto Assign Public IP

Define the Auto-assign Public IP setting required for AWS > VPC > Subnet.

All subnets have an attribute that determines whether a network interface created in the subnet automatically receives a public IPv4 address (also referred to as a public IP address). Therefore, when you launch an instance into a subnet that has this attribute enabled, a public IP address is assigned to the primary network interface (eth0) that's created for the instance. A public IP address is mapped to the primary private IP address through network address translation (NAT).

The values Check: Auto Assign Public IP and Enforce: Auto Assign Public IP have been deprecated and replaced by Check: Enabled and Enforce: Enabled respectively. The deprecated values will be removed in the next major version, v6.0.0.

URI
tmod:@turbot/aws-vpc-core#/policy/types/subnetSetAutoAssignPublicIp
Valid Value
[
"Skip",
"Check: Auto Assign Public IP",
"Check: Enabled",
"Check: Disabled",
"Enforce: Auto Assign Public IP",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Auto Assign Public IP",
"Check: Enabled",
"Check: Disabled",
"Enforce: Auto Assign Public IP",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > VPC > Subnet > CMDB

Configure whether to record and synchronize details for the AWS VPC subnet into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If a subnet's region is not in the AWS > VPC > Subnet > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-vpc-core#/policy/types/subnetCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > VPC > Subnet > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

URI
tmod:@turbot/aws-vpc-core#/policy/types/subnetConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > VPC > Subnet > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI
tmod:@turbot/aws-vpc-core#/policy/types/subnetConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > VPC > Subnet > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/aws-vpc-core#/policy/types/subnetConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > VPC > Subnet > Regions

A list of AWS regions in which AWS VPC subnets are supported for use.

Any subnets in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/aws-vpc-core#/policy/types/subnetRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

AWS > VPC > Subnet > Tags

Determine the action to take when an AWS VPC subnet's tags are not updated, based on the AWS > VPC > Subnet > Tags > * policies.

The control ensures AWS VPC subnet tags include the tags defined in AWS > VPC > Subnet > Tags > Template.

Tags not defined in Subnet Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/subnetTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > VPC > Subnet > Tags > Template

The template is used to generate the keys and values for AWS VPC subnet.

Tags not defined in Subnet Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/subnetTagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
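The rules stated for Subnet > Tags and Tags > Template (tags outside the template are left alone, a value of undefined deletes the tag) are easy to get wrong when scripting a dry run. The following is an added example, not code from the Guardrails module: it plans the changes the control would make for one subnet from a rendered template and the subnet's current tags. The tag sets are constructed, and treating both None and the literal string "undefined" as the delete marker is an assumption, since the page does not say how the rendered YAML spells it.

```python
# Added example (not part of the Guardrails module): a planner for the tag changes
# the Subnet > Tags control would make, following the rules stated above.


def is_undefined(value) -> bool:
    """The template marks a tag for deletion with 'undefined'. This example treats
    both Python None and the literal string "undefined" as that marker (assumption:
    the page does not say how the rendered YAML spells it)."""
    return value is None or value == "undefined"


def plan_tag_changes(template: dict, current: dict):
    """Return (to_set, to_delete).

    - keys in the template with a real value are set when missing or different
    - keys in the template marked undefined are deleted if present
    - keys absent from the template are never touched
    """
    to_set = {k: v for k, v in template.items()
              if not is_undefined(v) and current.get(k) != v}
    to_delete = sorted(k for k, v in template.items()
                       if is_undefined(v) and k in current)
    return to_set, to_delete


def tags_are_correct(template: dict, current: dict) -> bool:
    """What 'Check: Tags are correct' reports: no change left to make."""
    to_set, to_delete = plan_tag_changes(template, current)
    return not to_set and not to_delete


def enforce_tags(template: dict, current: dict) -> dict:
    """The tag set after 'Enforce: Set tags' has run."""
    to_set, to_delete = plan_tag_changes(template, current)
    result = {k: v for k, v in current.items() if k not in to_delete}
    result.update(to_set)
    return result


# Constructed sample: a template rendered for one subnet and that subnet's current tags.
TEMPLATE = {"Owner": "netops", "Environment": "prod", "Legacy": "undefined"}
CURRENT_TAGS = {"Name": "subnet-a", "Owner": "alice", "Legacy": "true"}

if __name__ == "__main__":
    to_set, to_delete = plan_tag_changes(TEMPLATE, CURRENT_TAGS)
    print("set:", to_set)        # {'Owner': 'netops', 'Environment': 'prod'}
    print("delete:", to_delete)  # ['Legacy']
    print("after:", enforce_tags(TEMPLATE, CURRENT_TAGS))
```

Note that the Name tag survives untouched because it is not in the template, while Legacy is removed only because the template names it with the undefined marker.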

AWS > VPC > Subnet > Usage

Configure the number of AWS VPC subnets that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this AWS > VPC > Subnet > Usage policy.

URI
tmod:@turbot/aws-vpc-core#/policy/types/subnetUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > VPC > Subnet > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-vpc-core#/policy/types/subnetUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 1000
}

AWS > VPC > Tags Template [Default]

A template used to generate the keys and values for AWS VPC resources.

By default, all VPC resource Tags > Template policies will use this value.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate
Parent
Default Template Input
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws#/policy/types/defaultTagsTemplate\") {\n value\n }\n}\n"
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

AWS > VPC > Trusted Accounts [Default]

List of AWS Accounts that are trusted for access in the AWS VPC policy.

This policy is used by the Trusted Access
control to determine which members of type "account" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.

Example:
- "013122550996"
- "560741234067"

Note: Setting the policy to Empty array will remove all accounts.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTrustedAccounts
Parent
Default Template Input
"{\n trustedAccounts: policyValue(uri:\"tmod:@turbot/aws#/policy/types/trustedAccounts\") {\n value\n }\n}\n"
Default Template
"{% if $.trustedAccounts.value | length == 0 %}[]{% else %}{% for item in $.trustedAccounts.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string",
"pattern": "^[0-9]{12}|^\\*$"
}
}

AWS > VPC > Trusted Organizations [Default]

List of AWS Organizations that are trusted for access in the AWS VPC policy.

This policy is used by the Trusted Access
control to determine which members of type "organization" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.

Example:
- "o-333333333"
- "o-c3a5y4wd52"

Note: Trusted Access > Organization Restrictions are ONLY
applied to AWS principals. Services and Federated principals do
NOT contain the aws:PrincipalOrgId condition key, and thus
cannot be validated against the Organization.

Setting the policy to Empty array will remove all organizations.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTrustedOrganizations
Parent
Default Template Input
"{\n trustedOrganizations: policyValue(uri:\"tmod:@turbot/aws#/policy/types/trustedOrganizations\") {\n value\n }\n}\n"
Default Template
"{% if $.trustedOrganizations.value | length == 0 %}[]{% else %}{% for item in $.trustedOrganizations.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string",
"pattern": "(?:^o-[a-z0-9]{10,32}$|^\\*$)"
}
}

AWS > VPC > Trusted Services [Default]

List of AWS Services that are trusted for access in the AWS VPC policy.

This policy is used by the Trusted Access
control to determine which members of type "service" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.

Example:
- "sns.amazonaws.com"
- "ec2.amazonaws.com"

Note: Setting the policy to Empty array will remove all services.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTrustedServices
Parent
Default Template Input
"{\n trustedServices: policyValue(uri:\"tmod:@turbot/aws#/policy/types/trustedServices\") {\n value\n }\n}\n"
Default Template
"{% if $.trustedServices.value | length == 0 %}[]{% else %}{% for item in $.trustedServices.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string",
"pattern": "(?:^\\S*\\.amazonaws\\.com$|^\\*$)"
}
}
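The three Trusted * [Default] policies above each pair a prose rule (wildcards '*' and '?' allowed) with a JSON Schema pattern, and the two do not agree exactly: the schema patterns admit only a bare "*" as a wildcard, and the account pattern's first alternative has no trailing anchor. The following is an added example, not code from the Guardrails module, that validates list entries against the patterns copied from the schemas and matches members against a list with glob semantics. Using Python's fnmatch for the '*' and '?' wildcards is an assumption about how Guardrails matches; the account, organization and service values are the page's own examples plus constructed members.

```python
# Added example (not part of the Guardrails module): validate Trusted Accounts /
# Organizations / Services lists against the schema patterns shown above and match
# members against them with the '*' and '?' wildcards the policies allow.
import re
from fnmatch import fnmatchcase

# "pattern" values copied from the three [Default] policy schemas above.
SCHEMA_PATTERNS = {
    "account": r"^[0-9]{12}|^\*$",
    "organization": r"(?:^o-[a-z0-9]{10,32}$|^\*$)",
    "service": r"(?:^\S*\.amazonaws\.com$|^\*$)",
}


def schema_violations(kind: str, entries: list) -> list:
    """Entries the policy schema would reject.

    JSON Schema applies 'pattern' as an unanchored search, hence re.search.
    Only a bare '*' passes these patterns as a wildcard; a '?' inside an account
    or organization ID fails validation even though is_trusted() below would
    honour it.
    """
    pattern = re.compile(SCHEMA_PATTERNS[kind])
    return [entry for entry in entries if not pattern.search(entry)]


def strict_account_ok(entry: str) -> bool:
    """Stricter than the schema: '^[0-9]{12}' has no trailing '$', so the schema
    also accepts longer digit strings. Require exactly 12 digits or '*'."""
    return entry == "*" or re.fullmatch(r"[0-9]{12}", entry) is not None


def is_trusted(entries: list, member: str) -> bool:
    """Glob match with fnmatch semantics ('*' any run, '?' one character;
    fnmatch also honours [...] classes, which the page does not mention).
    An empty list trusts nobody, matching the 'Empty array' notes above."""
    return any(fnmatchcase(member, entry) for entry in entries)


def untrusted(entries: list, members: list) -> list:
    """Members the Trusted Access control would refuse to grant access to."""
    return [m for m in members if not is_trusted(entries, m)]


# Example values from the page; the members checked against them are constructed.
TRUSTED_ACCOUNTS = ["013122550996", "560741234067"]
TRUSTED_ORGS = ["o-c3a5y4wd52"]
TRUSTED_SERVICES = ["sns.amazonaws.com", "ec2.amazonaws.com"]

if __name__ == "__main__":
    print(schema_violations("account", TRUSTED_ACCOUNTS + ["5607412340??"]))
    # ['5607412340??']
    print(schema_violations("organization", ["o-333333333", "o-c3a5y4wd52"]))
    # ['o-333333333']  (9 characters after "o-"; the pattern needs 10 to 32)
    print(untrusted(TRUSTED_SERVICES, ["ec2.amazonaws.com", "lambda.amazonaws.com"]))
    # ['lambda.amazonaws.com']
```

Run schema_violations() over a list before setting the policy; a value the schema rejects never takes effect, and strict_account_ok() catches over-long digit strings the schema lets through.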

AWS > VPC > VPC > Active

Determine the action to take when an AWS VPC vpc is inactive, based on the AWS > VPC > VPC > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > VPC > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

AWS > VPC > VPC > Active > Age

The age after which the AWS VPC vpc
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > VPC > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

AWS > VPC > VPC > Active > Budget

The impact of the budget state on the active control. This policy allows you to force
vpcs to inactive based on the current budget state, as reflected in
AWS > Account > Budget > State

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > VPC > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcActiveBudget
Valid Value
[
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if Budget > State is Over or higher",
"Force inactive if Budget > State is Critical or higher",
"Force inactive if Budget > State is Shutdown"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > VPC > VPC > Active > Last Modified

The number of days since the AWS VPC vpc
was last modified before it is considered inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (AWS > VPC > VPC > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

AWS > VPC > VPC > Approved

Determine the action to take when an AWS VPC vpc is not approved based on AWS > VPC > VPC > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

AWS > VPC > VPC > Approved > Budget

The policy allows you to set vpcs to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State

This policy will be evaluated by the Approved control. If an AWS VPC vpc is not approved, it will be subject to the action specified in the AWS > VPC > VPC > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcApprovedBudget
Valid Value
[
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Unapproved if Budget > State is Over or higher",
"Unapproved if Budget > State is Critical or higher",
"Unapproved if Budget > State is Shutdown"
],
"example": [
"Unapproved if Budget > State is Shutdown"
],
"default": "Skip"
}

AWS > VPC > VPC > Approved > Custom

Determine whether the AWS VPC vpc is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS VPC vpc is not approved, it will be subject to the action specified in the AWS > VPC > VPC > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}
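The Approved control aggregates its sub-policies with the opposite rule to the Active control: unapproved for any reason means Unapproved, whereas active for any reason means Active. The following added example, not code from the Guardrails module, implements both rules and a validator for the Approved > Custom value shape the schema above allows (a string, an object, or a list of objects with result, title and message). It takes the Custom value already parsed from YAML (for example by yaml.safe_load), uses Python's fnmatch for the '*' and '?' wildcards of Approved > Regions, and returns Skip when every sub-policy skipped, which the page does not spell out; all three are assumptions. The region lists and Custom value are constructed.

```python
# Added example (not part of the Guardrails module): evaluate the Approved control
# for one VPC from its Approved > * sub-policies, using the aggregation rules stated
# above. The Approved > Custom value is taken already parsed from YAML (e.g. by
# yaml.safe_load), so it is a string, a dict or a list of dicts.
from fnmatch import fnmatchcase

RESULTS = ("Approved", "Not approved", "Skip")
ALLOWED_KEYS = {"title", "message", "result"}


def normalize_custom(value):
    """Return the Approved > Custom value as a list of {result, title?, message?}
    dicts, enforcing the schema above: result in RESULTS, title 1-32 chars,
    message 1-128 chars, no other keys."""
    if isinstance(value, str):
        if value not in RESULTS:
            raise ValueError(f"result must be one of {RESULTS}, got {value!r}")
        return [{"result": value}]
    items = value if isinstance(value, list) else [value]
    out = []
    for item in items:
        if not isinstance(item, dict) or "result" not in item:
            raise ValueError("each entry must be an object with a 'result' key")
        if set(item) - ALLOWED_KEYS:
            raise ValueError(f"unexpected keys {sorted(set(item) - ALLOWED_KEYS)}")
        if item["result"] not in RESULTS:
            raise ValueError(f"result must be one of {RESULTS}, got {item['result']!r}")
        for key, limit in (("title", 32), ("message", 128)):
            if key in item and not (isinstance(item[key], str) and 1 <= len(item[key]) <= limit):
                raise ValueError(f"{key} must be a string of 1-{limit} characters")
        out.append(dict(item))
    return out


def is_valid_custom(value) -> bool:
    """True if normalize_custom() accepts the value."""
    try:
        normalize_custom(value)
        return True
    except ValueError:
        return False


def regions_result(approved_regions, region) -> dict:
    """Approved > Regions: the VPC's region must glob-match ('*', '?') an entry."""
    ok = any(fnmatchcase(region, pattern) for pattern in approved_regions)
    return {"result": "Approved" if ok else "Not approved", "title": "Region",
            "message": f"{region} is {'an' if ok else 'not an'} approved region"}


def approved_verdict(sub_results) -> str:
    """Approved control: unapproved for any reason wins. Otherwise Approved if any
    sub-policy approved; Skip when all skipped (assumption, see lead-in)."""
    results = [r["result"] for r in sub_results]
    if "Not approved" in results:
        return "Not approved"
    return "Approved" if "Approved" in results else "Skip"


def active_verdict(statuses) -> str:
    """Active control, for contrast: active for any reason wins."""
    if "active" in statuses:
        return "active"
    return "inactive" if "inactive" in statuses else "skipped"


def reasons(sub_results) -> list:
    """One line per sub-policy that made the resource unapproved."""
    return [f"{r.get('title', 'Custom')}: {r.get('message', '')}".rstrip(": ")
            for r in sub_results if r["result"] == "Not approved"]


def evaluate_vpc(region, approved_regions, custom_value, usage_result="Approved"):
    """Combine Approved > Regions, Approved > Usage and Approved > Custom."""
    subs = [regions_result(approved_regions, region), {"result": usage_result, "title": "Usage"}]
    subs += normalize_custom(custom_value)
    return approved_verdict(subs), reasons(subs)


# Constructed Approved > Custom value in the object form the schema allows.
CUSTOM = [
    {"title": "CIDR size", "result": "Approved", "message": "/16 or smaller"},
    {"title": "Default VPC", "result": "Not approved", "message": "default VPCs are not allowed"},
]

if __name__ == "__main__":
    print(evaluate_vpc("us-east-1", ["us-*"], "Approved"))  # ('Approved', [])
    print(evaluate_vpc("eu-west-1", ["us-*"], "Skip"))      # ('Not approved', ['Region: eu-west-1 is not an approved region'])
    print(evaluate_vpc("us-east-1", ["us-*"], CUSTOM))      # ('Not approved', ['Default VPC: default VPCs are not allowed'])
```

The third call shows why the Custom policy's title and message fields matter: one Approved entry does not offset one Not approved entry, and the message is the only thing that tells the operator which rule tripped.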

AWS > VPC > VPC > Approved > Regions

A list of AWS regions in which AWS VPC vpcs are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an AWS VPC vpc is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > VPC > VPC > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcApprovedRegions
Default Template Input
"{\n regions: policy(uri: \"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceApprovedRegionsDefault\")\n}\n"
Default Template
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"

AWS > VPC > VPC > Approved > Usage

Determine whether the AWS VPC vpc is allowed to exist.

This policy will be evaluated by the Approved control. If an AWS VPC vpc is not approved, it will be subject to the action specified in the AWS > VPC > VPC > Approved policy.

See Approved for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if AWS > VPC > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if AWS > VPC > Enabled"
}

AWS > VPC > VPC > CMDB

Configure whether to record and synchronize details for the AWS VPC vpc into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If a vpc's region is not in the AWS > VPC > VPC > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

AWS > VPC > VPC > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcConfigured
Valid Value
[
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

AWS > VPC > VPC > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

AWS > VPC > VPC > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > VPC > VPC > DNS Hostnames

Check or enforce the VPC's DNS Hostnames setting (the enableDnsHostnames attribute), which controls whether instances with public IP addresses are given public DNS hostnames.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcDnsHostnames
Category
Valid Value
[
"Skip",
"Check: Disabled",
"Check: Enabled",
"Enforce: Disabled",
"Enforce: Enabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Disabled",
"Check: Enabled",
"Enforce: Disabled",
"Enforce: Enabled"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > VPC > VPC > DNS Resolution

Check or enforce the VPC's DNS Resolution setting (the enableDnsSupport attribute), which controls whether the Amazon-provided DNS server resolves names for the VPC.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcDnsResolution
Category
Valid Value
[
"Skip",
"Check: Disabled",
"Check: Enabled",
"Enforce: Disabled",
"Enforce: Enabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Disabled",
"Check: Enabled",
"Enforce: Disabled",
"Enforce: Enabled"
],
"example": [
"Skip"
],
"default": "Skip"
}

AWS > VPC > VPC > Flow Logging

Configure VPC Flow logging for the VPC.

VPC Flow Logs is a feature that enables you to capture information about
the IP traffic going to and from network interfaces in your VPC. Flow log
data can be published to Amazon CloudWatch Logs and Amazon S3.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcFlowLogging
Category
Valid Value
[
"Skip",
"Check: Configured per `Flow Logging > *`",
"Check: Not configured",
"Enforce: Configured per `Flow Logging > *`",
"Enforce: Not configured"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Configured per `Flow Logging > *`",
"Check: Not configured",
"Enforce: Configured per `Flow Logging > *`",
"Enforce: Not configured"
],
"default": "Skip"
}

AWS > VPC > VPC > Flow Logging > Cloud Watch

Configure VPC flow logs to be sent to a CloudWatch Log Group,
per the Flow Logging > CloudWatch > * policies

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcFlowLoggingCloudWatch
Category
Valid Value
[
"Enabled",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled"
],
"default": "Disabled"
}

AWS > VPC > VPC > Flow Logging > Cloud Watch > Log Group

The name of a CloudWatch Log Group to which the VPC flow logs will be delivered.
Note the following:
- If no log group with this name exists, one will be created
- If a log group with the same name already exists, it will be used
- The log group will NOT be deleted if flow logging is disabled

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcFlowLoggingCloudWatchLogGroup
Category
Default Template Input
"{\n vpc {\n VpcId\n }\n}\n"
Default Template
"/turbot/flowlogs/{{ $.vpc.VpcId }}"
Schema
{
"type": "string"
}

AWS > VPC > VPC > Flow Logging > Cloud Watch > Role

The name of an IAM role that Flow Logging will assume to write logs to CloudWatch Logs.
If CloudWatch Logs delivery is enabled, you must also specify a role that the VPC Flow Logs service can assume to write the logs. The role must have write access to the CloudWatch Log Group (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogGroups and logs:DescribeLogStreams), and its trust policy must allow the VPC Flow Logs service principal (vpc-flow-logs.amazonaws.com) to assume it. A role trusted only by another service, such as cloudtrail.amazonaws.com, will not work for flow logs.
The role must already exist; the stack won't create it.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcFlowLoggingCloudWatchRole
Category
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n roleName: policy(uri:\"aws#/policy/types/serviceRolesFlowLoggingName\", resourceId: \"{{ $.account.turbot.id }}\")\n}\n"
]
Default Template
"{{ $.roleName }}"
Schema
{
"type": "string"
}

AWS > VPC > VPC > Flow Logging > Cloud Watch > Traffic Type

The type of traffic to capture in the VPC flow logs.
You can log traffic that the resource accepts or rejects, or all traffic.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcFlowLoggingCloudWatchTrafficType
Category
Valid Value
[
"Accept",
"Reject",
"All"
]
Schema
{
"type": "string",
"enum": [
"Accept",
"Reject",
"All"
],
"default": "All"
}

AWS > VPC > VPC > Flow Logging > Log Record Format

Configure the log record format to specify the fields to include in the flow log record.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcFlowLoggingLogFormat
Category
Schema
{
"type": "array",
"items": {
"type": "string",
"enum": [
"account-id",
"action",
"az-id",
"bytes",
"dstaddr",
"dstport",
"end",
"flow-direction",
"instance-id",
"interface-id",
"log-status",
"packets",
"pkt-dst-aws-service",
"pkt-dstaddr",
"pkt-src-aws-service",
"pkt-srcaddr",
"protocol",
"region",
"srcaddr",
"srcport",
"start",
"sublocation-id",
"sublocation-type",
"subnet-id",
"tcp-flags",
"traffic-path",
"type",
"version",
"vpc-id"
]
},
"default": [
"version",
"account-id",
"interface-id",
"srcaddr",
"dstaddr",
"srcport",
"dstport",
"protocol",
"packets",
"bytes",
"start",
"end",
"action",
"log-status"
]
}
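Two things worth checking before switching Flow Logging to Enforce: that the role named in Flow Logging > Cloud Watch > Role is actually assumable by the VPC Flow Logs service, and that the Log Record Format value is something you can parse back out of the delivered records. The following is an added example, not code from the Guardrails module: role_trusts_flow_logs() inspects an IAM trust policy document, log_format_string() renders a Log Record Format value as the LogFormat string the EC2 CreateFlowLogs API accepts, and parse_record() reads records written in that format. The field list is copied from the schema above; the trust policies and the log lines (account ID and interface ID included) are constructed for the example.

```python
# Added example (not part of the Guardrails module): checks around the Flow Logging
# policies above. Trust policies and log lines are constructed for the example.
import json

# Field names the Log Record Format schema accepts, and its default value.
ALLOWED_FIELDS = {
    "account-id", "action", "az-id", "bytes", "dstaddr", "dstport", "end",
    "flow-direction", "instance-id", "interface-id", "log-status", "packets",
    "pkt-dst-aws-service", "pkt-dstaddr", "pkt-src-aws-service", "pkt-srcaddr",
    "protocol", "region", "srcaddr", "srcport", "start", "sublocation-id",
    "sublocation-type", "subnet-id", "tcp-flags", "traffic-path", "type",
    "version", "vpc-id",
}
DEFAULT_FIELDS = ["version", "account-id", "interface-id", "srcaddr", "dstaddr",
                  "srcport", "dstport", "protocol", "packets", "bytes", "start",
                  "end", "action", "log-status"]

FLOW_LOGS_PRINCIPAL = "vpc-flow-logs.amazonaws.com"


def role_trusts_flow_logs(trust_policy: dict) -> bool:
    """True if an Allow statement lets the VPC Flow Logs service call sts:AssumeRole."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not {"sts:AssumeRole", "sts:*"} & set(actions):
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        services = [services] if isinstance(services, str) else services
        if FLOW_LOGS_PRINCIPAL in services:
            return True
    return False


def log_format_string(fields) -> str:
    """Render the policy's field list as '${version} ${account-id} ...'."""
    bad = [f for f in fields if f not in ALLOWED_FIELDS]
    if bad:
        raise ValueError(f"not flow log fields: {bad}")
    return " ".join(f"${{{f}}}" for f in fields)


def parse_record(line: str, fields=DEFAULT_FIELDS) -> dict:
    """Split one space-separated record into a dict keyed by field name."""
    parts = line.split()
    if len(parts) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(parts)}")
    return dict(zip(fields, parts))


def rejected_flows(lines, fields=DEFAULT_FIELDS) -> list:
    """Records with action REJECT: traffic a security group or network ACL refused."""
    return [r for r in (parse_record(line, fields) for line in lines) if r["action"] == "REJECT"]


# Constructed trust policies: the first is what the Role policy needs; the second
# is a CloudTrail-trusted role, which the flow logs service cannot assume.
GOOD_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"Service": "vpc-flow-logs.amazonaws.com"},
                 "Action": "sts:AssumeRole"}]
}""")
CLOUDTRAIL_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "cloudtrail.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Constructed records in the default format (account ID and interface ID are made up).
SAMPLE_LINES = [
    "2 123456789012 eni-0123456789abcdef0 10.0.1.10 10.0.2.20 49152 443 6 12 9600 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0123456789abcdef0 198.51.100.7 10.0.1.10 51234 22 6 1 60 1700000000 1700000060 REJECT OK",
]

if __name__ == "__main__":
    print(role_trusts_flow_logs(GOOD_TRUST_POLICY), role_trusts_flow_logs(CLOUDTRAIL_TRUST_POLICY))  # True False
    print(log_format_string(DEFAULT_FIELDS))
    for rec in rejected_flows(SAMPLE_LINES):
        print(f"REJECT {rec['srcaddr']} -> {rec['dstaddr']}:{rec['dstport']}")
```

Keep the field list used by parse_record() in step with the Log Record Format policy; changing the policy changes the column order of every record delivered afterwards, and a parser built for the default format will silently mis-label fields otherwise.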

AWS > VPC > VPC > Flow Logging > S3

Configure VPC flow logs to be sent to an S3 bucket,
per the Flow Logging > S3 > * policies

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcFlowLoggingS3
Category
Valid Value
[
"Enabled",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled"
],
"default": "Enabled"
}

AWS > VPC > VPC > Flow Logging > S3 > Bucket

The name of an S3 Bucket to which the VPC flow logs will be delivered.
The S3 Bucket must already exist and the log delivery
service (delivery.logs.amazonaws.com) must be granted the appropriate access through the bucket policy (s3:PutObject on the log prefix and s3:GetBucketAcl on the bucket).
The bucket can reside in any account but must be in the same region as the VPC.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcFlowLoggingS3Bucket
Category
Default Template Input
[
"{\n region {\n turbot {\n id\n }\n }\n}\n",
"{\n bucketName: policy(uri: \"aws#/policy/types/loggingBucketDefault\", resourceId: \"{{ $.region.turbot.id }}\")\n}\n"
]
Default Template
"{{ $.bucketName }}"
Schema
{
"type": "string"
}

AWS > VPC > VPC > Flow Logging > S3 > Key Prefix

An S3 key prefix under which the VPC flow logs will be written.
Flow log files are delivered using the following key format:
bucket_ARN/prefix/AWSLogs/aws_account_id/vpcflowlogs/region/year/month/day/log_file_name.log.gz

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcFlowLoggingS3KeyPrefix
Category
Schema
{
"type": "string",
"maxLength": 200,
"default": "",
"example": "turbot_"
}

AWS > VPC > VPC > Flow Logging > S3 > Traffic Type

The type of traffic to capture in the VPC flow logs.
You can log traffic that the resource accepts or rejects, or all traffic.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcFlowLoggingS3TrafficType
Category
Valid Value
[
"Accept",
"Reject",
"All"
]
Schema
{
"type": "string",
"enum": [
"Accept",
"Reject",
"All"
],
"default": "All"
}

AWS > VPC > VPC > Flow Logging > Source

The Terraform source used to configure VPC Flow logging for the VPC.
This policy is read-only, and generated by Guardrails based on the
Flow Logging > S3 > * and Flow Logging > CloudWatch > * policies.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcFlowLoggingSource
Category
Schema
{
"type": "string",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > VPC > VPC > Regions

A list of AWS regions in which AWS VPC vpcs are supported for use.

Any vpcs in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

AWS > VPC > VPC > Stack

Configure a custom stack on AWS, per the custom Stack > Source.

A Guardrails Stack is a set of resources configured by Guardrails, as specified
via Terraform source. Stacks are responsible for the creation and deletion
of multiple resources. Once created, stack resources are responsible for
configuring themselves from the stack source via their Configured control.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcStack
Valid Value
[
"Skip",
"Check: Configured",
"Enforce: Configured"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Configured",
"Enforce: Configured"
],
"default": "Skip"
}

AWS > VPC > VPC > Stack > Secret Variables

Terraform secret variables in Terraform HCL that will be used as
inputs to the stack as a .tfvars file.

A Guardrails Stack is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured control.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcStackSecretVariables
Schema
{
"type": "string",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > VPC > VPC > Stack > Source

The Terraform HCL source used to configure this stack.

A Guardrails Stack is a set of resources configured by Guardrails, as specified
via Terraform source. Stacks are responsible for the creation and deletion
of multiple resources. Once created, stack resources are responsible for
configuring themselves from the stack source via their Configured control.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcStackSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > VPC > VPC > Stack > Terraform Version

The version of Terraform to use for this stack.
Specify an npm-style semver string to determine which version of the
Terraform container Guardrails will use to run this stack.

A Guardrails Stack is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured control.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcStackTerraformVersion
Default Template Input
"{\n terraformVersion: policy(uri:\"tmod:@turbot/turbot#/policy/types/stackTerraformVersion\")\n}\n"
Default Template
"{% if $.terraformVersion %}\"{{$.terraformVersion}}\"{% else %}\"\"{% endif %}"
Schema
{
"type": "string"
}

AWS > VPC > VPC > Stack > Variables

Terraform variables in Terraform HCL that will be used as
inputs to the stack as a .tfvars file.

A Guardrails Stack is a set of resources configured by Guardrails,
as specified via Terraform source. Stacks are responsible
for the creation and deletion of multiple resources. Once created,
stack resources are responsible for configuring themselves from
the stack source via their Configured control.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcStackVariables
Schema
{
"type": "string",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

AWS > VPC > VPC > Tags

Determine the action to take when the tags of an AWS VPC VPC are not updated, based on the AWS > VPC > VPC > Tags > * policies.

The control ensures that the AWS VPC VPC's tags include the tags defined in AWS > VPC > VPC > Tags > Template.

Tags not defined in VPC Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

AWS > VPC > VPC > Tags > Template

The template is used to generate the tag keys and values for an AWS VPC VPC.

Tags not defined in VPC Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcTagsTemplate
Default Template Input
[
"{\n account {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-vpc-core#/policy/types/vpcServiceTagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

AWS > VPC > VPC > Usage

Configure the number of AWS VPC VPCs that can be used in this region and check the current consumption against that limit.

You can configure the behavior of the control with this AWS > VPC > VPC > Usage policy.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

AWS > VPC > VPC > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/aws-vpc-core#/policy/types/vpcUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 5
}