@turbot/azure
The azure mod contains resource, control and policy definitions for the Azure service.
Resource Types
Control Types
- Azure > Management Group > CMDB
- Azure > Management Group > Discovery
- Azure > Resource Group > CMDB
- Azure > Resource Group > Configured
- Azure > Resource Group > Discovery
- Azure > Resource Group > Stack
- Azure > Resource Group > Tags
- Azure > Subscription > CMDB
- Azure > Subscription > Discovery
- Azure > Subscription > Stack
- Azure > Tenant > CMDB
- Azure > Turbot
- Azure > Turbot > Event Handlers
- Azure > Turbot > Event Poller
- Azure > Turbot > Management Group Event Poller
- Azure > Turbot > Resource Group
Policy Types
- Azure > Client ID
- Azure > Client Secret
- Azure > Environment
- Azure > Management Group > CMDB
- Azure > Resource Group > CMDB
- Azure > Resource Group > Configured
- Azure > Resource Group > Configured > Claim Precedence
- Azure > Resource Group > Configured > Source
- Azure > Resource Group > Stack
- Azure > Resource Group > Stack > Secret Variables
- Azure > Resource Group > Stack > Source
- Azure > Resource Group > Stack > Terraform Version
- Azure > Resource Group > Stack > Variables
- Azure > Resource Group > Tags
- Azure > Resource Group > Tags > Template
- Azure > Subscription > Approved Regions [Default]
- Azure > Subscription > CMDB
- Azure > Subscription > Regions [Default]
- Azure > Subscription > Stack
- Azure > Subscription > Stack > Secret Variables
- Azure > Subscription > Stack > Source
- Azure > Subscription > Stack > Terraform Version
- Azure > Subscription > Stack > Variables
- Azure > Subscription > Tags Template [Default]
- Azure > Tags Template [Default]
- Azure > Tenant > CMDB
- Azure > Tenant ID
- Azure > Turbot
- Azure > Turbot > Event Handlers
- Azure > Turbot > Event Handlers > Monitor
- Azure > Turbot > Event Handlers > Monitor > Action Group
- Azure > Turbot > Event Handlers > Monitor > Action Group > Name Prefix
- Azure > Turbot > Event Handlers > Monitor > Action Group > Tags
- Azure > Turbot > Event Handlers > Monitor > Action Group > Tags > Ignore Changes
- Azure > Turbot > Event Handlers > Monitor > Activity Log Alert
- Azure > Turbot > Event Handlers > Monitor > Activity Log Alert > Name Prefix
- Azure > Turbot > Event Handlers > Monitor > Activity Log Alert > Tags
- Azure > Turbot > Event Handlers > Monitor > Activity Log Alert > Tags > Ignore Changes
- Azure > Turbot > Event Handlers > Monitor > Resource Group Name
- Azure > Turbot > Event Handlers > Source
- Azure > Turbot > Event Handlers > Terraform Version
- Azure > Turbot > Event Poller
- Azure > Turbot > Event Poller > Interval
- Azure > Turbot > Event Poller > Window
- Azure > Turbot > Management Group Event Poller
- Azure > Turbot > Management Group Event Poller > Interval
- Azure > Turbot > Resource Group
- Azure > Turbot > Resource Group > Name Prefix
- Azure > Turbot > Resource Group > Regions
- Azure > Turbot > Resource Group > Source
- Azure > Turbot > Resource Group > Tags
- Azure > Turbot > Resource Group > Tags > Ignore Changes
- Azure > Turbot > Resource Group > Terraform Version
Release Notes
5.18.2 (2024-02-16)
Bug fixes
- Due to an inadvertently introduced issue with an internal build for Azure > Subscription, importing subscriptions encountered schema validation problems. This issue has been resolved, and you can successfully import subscriptions as before.
5.18.1 (2024-01-16)
Bug fixes
- The Azure > Turbot > Event Poller and Azure > Turbot > Management Group Event Poller controls now include a precheck condition to avoid running GraphQL input queries when the Azure > Turbot > Event Poller and Azure > Turbot > Management Group Event Poller policies, respectively, are set to Disabled. You won't notice any difference, and the controls should run lighter and quicker than before.
5.18.0 (2023-08-11)
What's new?
- README.md file is now available for users to check details about the resource types and service permissions that the mod covers.
- Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed; your existing configurations and settings will continue to work as before.
Bug fixes
- The Azure > Subscription > CMDB control would fail to trigger automatically if either the Azure > Client ID or Azure > Client Secret policy value was updated. This is now fixed.
5.17.3 (2023-06-27)
Bug fixes
- We've made the switch to the newer Microsoft Graph APIs instead of the deprecated Azure Graph APIs. You won't notice any difference, and things will continue to work smoothly as before.
- We've updated the runtime of the Lambda functions to Node 18. You won't notice any difference, and things will continue to work smoothly and consistently as before.
5.17.2 (2023-04-04)
Bug fixes
- We'd sometimes fail to clean up subscriptions automatically in Turbot via the Azure > Turbot > Management Group Event Poller control. This is now fixed.
5.17.1 (2023-03-29)
Bug fixes
- The real-time event handler action would sometimes throw action errors while raising events in Turbot if claims details were not available in the event. This is now fixed.
5.17.0 (2023-03-23)
What's new?
- Users can now ignore changes made to tags on the Action Group, Activity Log Alert and Resource Group created via the Azure > Turbot > Event Handlers and Azure > Turbot > Resource Group stack controls respectively. To get started, set the Azure > Turbot > Event Handlers > Monitor > Action Group > Tags > Ignore Changes, Azure > Turbot > Event Handlers > Monitor > Activity Log Alert > Tags > Ignore Changes and Azure > Turbot > Resource Group > Tags > Ignore Changes policies to Enabled.
Policy Types
- Azure > Turbot > Event Handlers > Monitor > Action Group > Tags > Ignore Changes
- Azure > Turbot > Event Handlers > Monitor > Activity Log Alert > Tags > Ignore Changes
- Azure > Turbot > Resource Group > Tags > Ignore Changes
5.16.1 (2023-03-22)
Bug fixes
- We've updated the runtime of the Lambda functions to Node 16. You won't notice any difference, and things will continue to work smoothly and consistently as before.
5.16.0 (2023-02-10)
What's new?
- The Azure > Turbot > Management Group Event Poller policy is now set to Enabled by default.
5.15.0 (2023-02-03)
Control Types
Removed
- Azure > Subscription > Resource AKA Migration
Policy Types
Removed
- Azure > Subscription > Resource AKA Migration
5.14.0 (2022-12-20)
What's new?
- The Azure > Turbot > Resource Group > Regions policy now supports China Cloud regions.
5.13.0 (2022-12-15)
What's new?
- Users can now import China Cloud Subscriptions, Management Groups and Tenants in Turbot.
5.12.4 (2022-08-25)
Bug fixes
- We’ve made a few improvements in the GraphQL queries for various controls and actions to be lighter and more reliable. You won’t notice any difference but things will now run quicker than before.
5.12.3 (2022-05-13)
Bug fixes
- Turbot would upsert incorrect resource groups via real-time event handling when an Application Insights' smart detector alert rule was tagged/untagged in Azure. This is now fixed.
5.12.2 (2022-03-29)
Bug fixes
- The real-time event handler action would sometimes throw unnecessary action errors while raising events in Turbot. This is now fixed.
- We've improved the process of deleting resources from Turbot if their CMDB policy was set to Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Turbot's IAM role while deleting resources from Turbot. This will allow the CMDB controls to process resource deletions from Turbot more reliably than before.
5.12.1 (2021-12-24)
Bug fixes
- We've made a few improvements in the GraphQL queries for Azure > Subscription > Event Handler. You won't notice any difference, but things should run lighter and quicker than before.
5.12.0 (2021-10-25)
What's new?
- We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.
Bug fixes
- We've made a few improvements in the GraphQL queries for various router actions. You won't notice any difference, but things should run lighter and quicker than before.
5.11.3 (2021-04-21)
Bug fixes
- Controls run faster now when in the tbd and skipped states thanks to the new Turbot Precheck feature (not to be confused with TSA PreCheck). With Turbot Precheck, controls avoid running GraphQL input queries when in tbd and skipped, resulting in faster and lighter control runs.
5.11.2 (2021-01-08)
Bug fixes
- We've made some improvements in the GraphQL queries for a few controls under Azure > Subscription and Azure > Management Group. There's no noticeable difference, but they will run much lighter now.
- The policy title for Azure > Client Key has been updated to Azure > Client Secret to better match Azure's console and documentation. The policy's URI is still tmod:@turbot/azure#/policy/types/clientKey, so no migration action is required.
- We've updated the Discovery controls for resources to now move to skipped instead of invalid if the provider is disabled in the subscription and the Azure > Provider > {service} > Registered policy is checking whether the provider is disabled. This will reduce the number of noisy controls that cannot be easily resolved without making changes to the provider.
Policy Types
Renamed
- Azure > Client Key to Azure > Client Secret
5.11.1 (2020-10-14)
Bug fixes
- Sometimes the Azure > Subscription > Event Poller control would run less frequently than the interval set in the Azure > Subscription > Event Poller > Interval policy. We've updated this control to ensure that it now runs at least every 10 minutes (the maximum interval allowed in the policy) to prevent it from missing events.
5.11.0 (2020-09-21)
Warning
- The Azure > Resource Group > Configured policy now includes the following new policy values:
  - Skip if using Configured > Source
  - Check: Configured if using Configured > Source
  - Enforce: Configured if using Configured > Source
  These new values replace the following current values, which have been deprecated and will be removed in the next major version:
  - Skip (unless claimed by a stack)
  - Check: Per Configured > Source (unless claimed by a stack)
  - Enforce: Per Configured > Source (unless claimed by a stack)
  We recommend that you update your policy settings to use the new values, as these have replaced the deprecated values and are backward compatible.
Bug fixes
- Management groups, subscriptions, and tenants can now be imported at the Turbot level (previously they could only be imported in a Turbot folder).
Policy Types
Renamed
- Azure > Resource Group > Configured > Precedence to Azure > Resource Group > Configured > Claim Precedence
5.10.0 (2020-08-28)
What's new?
- Discovery controls now have their own control category, CMDB > Discovery, to allow for easier filtering separately from other CMDB controls.
- We've renamed the service's default regions policy from Regions [Default] to Regions to be consistent with our other regions policies.
5.9.0 (2020-08-26)
Policy Types
- Azure > Resource Group > Stack > Terraform Version
- Azure > Subscription > Stack > Terraform Version
- Azure > Turbot > Event Handlers > Terraform Version
- Azure > Turbot > Resource Group > Terraform Version
5.8.1 (2020-07-23)
Bug fixes
- We've cleaned up our use of some deprecated GraphQL resolvers in the event handlers policies. There's no noticeable difference, but this will help us clean up some of our resolvers.
5.8.0 (2020-07-03)
Policy Types
- Azure > Resource Group > Stack > Secret Variables
- Azure > Resource Group > Stack > Variables
5.7.0 (2020-06-30)
Bug fixes
- In version 5.6.0, the AKA of a tenant was modified to azure:///tenant/cdffd708-xxxx-xxxx-abeb-0a4c334d7xxx. This has now been reverted to azure:///tenants/cdffd708-xxxx-xxxx-abeb-0a4c334d7xxx to maintain consistency across the AKAs of all other Azure resources, such as management groups and subscriptions.
Policy Types
- Azure > Subscription > Stack > Secret Variables
- Azure > Subscription > Stack > Variables
5.6.0 (2020-06-30)
What's new?
- The tenant's CMDB is now equipped with more information on the currently authenticated organisation. Information on all service plans and verified domains has been added, which provides more depth to the tenant data.
- You can now automatically discover any new management group or subscription by setting the Azure > Turbot > Management Group Event Poller policy to Enabled and selecting the requisite time interval in the Azure > Turbot > Management Group Event Poller > Interval policy.
- The Management Group's AKA now contains the Tenant ID to maintain its uniqueness.
Bug fixes
- The Azure > Management Group > CMDB control, when triggered manually, would remain in an error state for all management groups that had already been deleted from the Azure console. This has now been fixed.
Control Types
- Azure > Turbot > Management Group Event Poller
Policy Types
- Azure > Turbot > Management Group Event Poller
- Azure > Turbot > Management Group Event Poller > Interval
5.5.0 (2020-06-22)
Bug fixes
- In azure (5.0.13), a bug was fixed that caused some resource groups to be created with missing metadata. Any resources created under those resource groups were created with a malformed AKA that was missing the resource group name, e.g., azure:///subscriptions/123-456-789-012/resourceGroups//providers/Microsoft.Storage/storageAccounts/myStorageAccount. The Azure > Subscription > Resource AKA Migration control has been added to automatically migrate these resources. The Azure > Subscription > Resource AKA Migration policy is set to Enforce: Migrated by default, and it is recommended to leave this policy as Enforce: Delete to ensure all invalid resources are migrated.
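As an added example (not code from the mod itself), a small checker for the AKA forms quoted in the 5.7.0 and 5.5.0 notes above: it classifies an AKA and flags the malformed form with an empty resourceGroups segment. The tenant and subscription AKA shapes are taken from these notes; the finer grammar beyond them is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample AKAs modelled on the forms quoted in the release notes:
# a tenant AKA (5.7.0), the malformed resource-group AKA (5.5.0), and a well-formed one.
SAMPLE_AKAS = [
    "azure:///tenants/cdffd708-xxxx-xxxx-abeb-0a4c334d7xxx",
    "azure:///subscriptions/123-456-789-012/resourceGroups//providers/Microsoft.Storage/storageAccounts/myStorageAccount",
    "azure:///subscriptions/123-456-789-012/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/myStorageAccount",
]


@dataclass
class AkaCheck:
    aka: str
    kind: str  # "tenant", "subscription", "resourceGroup", "resource" or "invalid"
    problem: Optional[str] = None


# Assumed grammar: the plural "tenants" form is the valid one (5.7.0 reverted the singular).
_TENANT = re.compile(r"^azure:///tenants/([^/]+)$")
_SUBSCRIPTION = re.compile(r"^azure:///subscriptions/([^/]+)(/.*)?$")


def check_aka(aka: str) -> AkaCheck:
    """Classify an AKA and report the 5.5.0 defect (missing resource group name)."""
    if _TENANT.match(aka):
        return AkaCheck(aka, "tenant")
    m = _SUBSCRIPTION.match(aka)
    if not m:
        return AkaCheck(aka, "invalid", "unrecognised AKA prefix")
    rest = (m.group(2) or "").strip("/")
    if not rest:
        return AkaCheck(aka, "subscription")
    parts = rest.split("/")
    if parts[0] != "resourceGroups" or len(parts) < 2:
        return AkaCheck(aka, "invalid", "expected resourceGroups segment after subscription")
    if parts[1] == "":
        # "resourceGroups//providers/..." is exactly the malformed AKA from 5.5.0
        return AkaCheck(aka, "invalid", "empty resource group name")
    if len(parts) == 2:
        return AkaCheck(aka, "resourceGroup")
    return AkaCheck(aka, "resource")


def find_malformed(akas: List[str]) -> List[AkaCheck]:
    """Return only the AKAs that would need migration or correction."""
    return [c for c in map(check_aka, akas) if c.kind == "invalid"]
```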
Control Types
- Azure > Subscription > Resource AKA Migration
Policy Types
- Azure > Subscription > Resource AKA Migration
5.4.1 (2020-06-15)
Bug fixes
- The Azure > Turbot > Event Handlers stack would sometimes go into an error state when the Azure subscription was imported using a service principal that had limited permissions. These errors were a result of Terraform attempting to register all providers by default during resource creation, which would then fail due to limited permissions. We've disabled this capability in this stack as it's unnecessary, and the stack now works properly with limited permissions.
5.4.0 (2020-06-12)
What's new?
- Several policy configurations have been updated to provide support for the Azure > Active Directory mod.
5.3.1 (2020-06-11)
Bug fixes
- The Azure > Turbot > Resource Group stack would sometimes go into an error state when the Azure subscription was imported using a service principal that had limited permissions. These errors were a result of Terraform attempting to register all providers by default during resource creation, which would then fail due to limited permissions. We've disabled this capability in the stack as it's unnecessary, and the stack now works properly with limited permissions.
5.3.0 (2020-06-03)
Warning
- The Azure > Event Poller is now enabled by default if the Azure > Event Handler is not Enforced: Configured.
What's new?
- The Azure > Subscription > Event Handler action type is now set to run even if Turbot is outside of its allowed change window. This allows Turbot to maintain an up-to-date CMDB by handling resource updates at all times. Note that this only affects Turbot's ability to process resource changes that were made in the cloud provider; enforcement actions are still disabled outside of the change window.
5.2.0 (2020-05-28)
What's new?
- Updated various resource configurations in preparation for upcoming maintenance window features.
5.1.0 (2020-05-12)
Control Types
- Azure > Resource Group > Tags
Policy Types
- Azure > Resource Group > Tags
- Azure > Resource Group > Tags > Template
- Azure > Tags Template [Default]
Action Types
- Azure > Resource Group > Set Tags
5.0.13 (2020-04-28)
Bug fixes
- The default value of the Azure > Turbot > Event Poller > Window policy was increased from 5 minutes to 10 minutes to avoid missing certain real-time events which take slightly longer to arrive from Azure.
- When a new resource group was created in CMDB, it was sometimes created without the resource group name in its metadata. Without this metadata, controls for resources belonging to the resource group could not make any Azure API calls. This has been fixed.
- When the Azure > Turbot > Event Handlers policy was set to Enforced: Not Configured, the Azure > Event Handlers control remained in an Error state instead of deleting the resources created by the stack. Now the stack can properly clean up after itself.