@turbot/azure

The azure mod contains resource, control and policy definitions for the core Azure service (subscriptions, resource groups, deployments and tags).

Resource Types

Resource types covered by this mod:

Permissions

The Azure permissions this mod uses, with the Guardrails grant level (Metadata, Operator or Admin) each one is assigned to, and the reasoning where a permission was placed at a higher level than its name suggests:

Permission | Grant Level | Help
microsoft.resources/deployments/cancel/action | Operator | Operator level is safe, as users still need the service-specific write/delete permissions to deploy resources.
microsoft.resources/deployments/delete | Operator | Operator level is safe, as users still need the service-specific write/delete permissions to deploy resources.
microsoft.resources/deployments/operations/read | Metadata |
microsoft.resources/deployments/read | Metadata |
microsoft.resources/deployments/validate/action | Operator |
microsoft.resources/deployments/write | Operator | Operator level is safe, as users still need the service-specific write permissions to deploy resources.
microsoft.resources/links/delete | Admin | Admin can delete a resource link between the specified resources.
microsoft.resources/links/read | Metadata | Gets or lists resource links.
microsoft.resources/links/write | Admin | Admin can create a resource link between the specified resources.
microsoft.resources/marketplace/purchase/action | Admin |
microsoft.resources/providers/read | Metadata |
microsoft.resources/resources/read | Metadata |
microsoft.resources/subscriptions/locations/read | Metadata |
microsoft.resources/subscriptions/operationresults/read | Metadata |
microsoft.resources/subscriptions/providers/read | Metadata |
microsoft.resources/subscriptions/read | Metadata |
microsoft.resources/subscriptions/resourcegroups/delete | Admin |
microsoft.resources/subscriptions/resourcegroups/moveResources/action | Admin | Moves resources from one resource group to another resource group.
microsoft.resources/subscriptions/resourcegroups/read | Metadata |
microsoft.resources/subscriptions/resourcegroups/validateMoveResources/action | Operator | Validates whether resources can be moved from one resource group to another resource group.
microsoft.resources/subscriptions/resourcegroups/write | Admin | This permission is also used for applying tags to a resource group, so the resource group tagging operation is assigned to Admin.
microsoft.resources/subscriptions/resourcegroups/deployments/operations/read | Metadata |
microsoft.resources/subscriptions/resourcegroups/deployments/operationstatuses/read | Metadata |
microsoft.resources/subscriptions/resourcegroups/deployments/read | Metadata |
microsoft.resources/subscriptions/resourcegroups/deployments/write | Admin |
microsoft.resources/subscriptions/resourcegroups/resources/read | Metadata |
microsoft.resources/subscriptions/resources/read | Metadata |
microsoft.resources/subscriptions/tagNames/delete | Admin | Assigned to Admin rather than Operator, as this operation requires the resourceGroups/write permission, which is assigned to Admin.
microsoft.resources/subscriptions/tagNames/read | Metadata |
microsoft.resources/subscriptions/tagNames/tagValues/delete | Admin | Assigned to Admin rather than Operator, as this operation requires the resourceGroups/write permission, which is assigned to Admin.
microsoft.resources/subscriptions/tagNames/tagValues/read | Metadata |
microsoft.resources/subscriptions/tagNames/tagValues/write | Admin | Assigned to Admin rather than Operator, as this operation requires the resourceGroups/write permission, which is assigned to Admin.
microsoft.resources/subscriptions/tagNames/write | Admin | Assigned to Admin rather than Operator, as this operation requires the resourceGroups/write permission, which is assigned to Admin.
microsoft.resources/tenants/read | Metadata |
microsoft.resources/tags/write | Operator | Write tags.
microsoft.resources/tags/delete | Operator | Delete tags.
microsoft.resources/tags/read | Metadata | Read tags.
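The table above is effectively a least-privilege specification: a service principal used at a given grant level should hold the permissions at that level and below, and nothing from the levels above. The following is an added example, not code from the mod or from Turbot, that transcribes the table and audits an Azure custom role definition's Actions/NotActions against it. It assumes (the page does not say) that the levels are cumulative, so an Operator grant also needs every Metadata permission; the role definitions in the usage section are constructed for illustration and are not real Azure roles.

```python
import re
from typing import Dict, Iterable, List, Set

# Grant level for each permission, transcribed from the @turbot/azure table above.
# Assumption (not stated on the page): levels are cumulative, i.e. Operator also
# needs every Metadata permission, and Admin needs all three tiers.
_LEVELS: Dict[str, List[str]] = {
    "Metadata": [
        "deployments/operations/read", "deployments/read", "links/read",
        "providers/read", "resources/read", "subscriptions/locations/read",
        "subscriptions/operationresults/read", "subscriptions/providers/read",
        "subscriptions/read", "subscriptions/resourcegroups/read",
        "subscriptions/resourcegroups/deployments/operations/read",
        "subscriptions/resourcegroups/deployments/operationstatuses/read",
        "subscriptions/resourcegroups/deployments/read",
        "subscriptions/resourcegroups/resources/read", "subscriptions/resources/read",
        "subscriptions/tagNames/read", "subscriptions/tagNames/tagValues/read",
        "tenants/read", "tags/read",
    ],
    "Operator": [
        "deployments/cancel/action", "deployments/delete", "deployments/validate/action",
        "deployments/write", "subscriptions/resourcegroups/validateMoveResources/action",
        "tags/write", "tags/delete",
    ],
    "Admin": [
        "links/delete", "links/write", "marketplace/purchase/action",
        "subscriptions/resourcegroups/delete", "subscriptions/resourcegroups/moveResources/action",
        "subscriptions/resourcegroups/write", "subscriptions/resourcegroups/deployments/write",
        "subscriptions/tagNames/delete", "subscriptions/tagNames/tagValues/delete",
        "subscriptions/tagNames/tagValues/write", "subscriptions/tagNames/write",
    ],
}
LEVEL_RANK = {"Metadata": 0, "Operator": 1, "Admin": 2}
MOD_PERMISSIONS: Dict[str, str] = {
    f"microsoft.resources/{p}": level for level, perms in _LEVELS.items() for p in perms
}


def _action_pattern(action: str) -> "re.Pattern[str]":
    # Azure RBAC action strings compare case-insensitively, and '*' matches any run
    # of characters including '/' (so 'Microsoft.Resources/*/read' covers every read).
    return re.compile("^" + re.escape(action).replace(r"\*", ".*") + "$", re.IGNORECASE)


def is_granted(permission: str, actions: Iterable[str], not_actions: Iterable[str] = ()) -> bool:
    """True if a role definition's Actions allow `permission` and NotActions do not exclude it."""
    allowed = any(_action_pattern(a).match(permission) for a in actions)
    denied = any(_action_pattern(n).match(permission) for n in not_actions)
    return allowed and not denied


def required_for_level(level: str) -> Set[str]:
    """Every mod permission a principal operating at `level` needs (cumulative tiers)."""
    rank = LEVEL_RANK[level]
    return {p for p, lvl in MOD_PERMISSIONS.items() if LEVEL_RANK[lvl] <= rank}


def audit_role(actions: List[str], level: str, not_actions: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Compare a custom role's Actions/NotActions against the mod table at `level`.

    'missing' lists required permissions the role does not grant; 'excess' lists
    permissions the role grants that the table places above `level`.
    """
    rank = LEVEL_RANK[level]
    missing = sorted(p for p in required_for_level(level)
                     if not is_granted(p, actions, not_actions))
    excess = sorted(p for p, lvl in MOD_PERMISSIONS.items()
                    if LEVEL_RANK[lvl] > rank and is_granted(p, actions, not_actions))
    return {"missing": missing, "excess": excess}


if __name__ == "__main__":
    # Constructed role definitions (not real Azure roles) for illustration.
    print("Metadata:", audit_role(["Microsoft.Resources/*/read"], "Metadata"))
    operator_like = ["Microsoft.Resources/*/read", "Microsoft.Resources/deployments/*",
                     "Microsoft.Resources/tags/*"]
    print("Operator:", audit_role(operator_like, "Operator"))
    print("Wildcard:", audit_role(["*"], "Operator"))
```

Feeding in the `actions` and `notActions` arrays from `az role definition list` output is the intended use; the wildcard case shows why a `*` role assigned to an Operator-level principal is over-privileged by exactly the eleven Admin rows in the table, and the Operator case shows that the validateMoveResources action is easy to forget because it does not fall under `deployments/*` or `tags/*`.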

Version
5.18.0
Released On
Aug 11, 2023

Release Notes

5.18.0 (2023-08-11)

What's new?

  • A README.md file is now available for users to check details about the resource types and service permissions that the mod covers.
  • Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed; your existing configurations and settings will continue to work as before.

Bug fixes

  • The Azure > Subscription > CMDB control would fail to trigger automatically if either the Azure > Client ID or Azure > Client Secret policy values were updated. This is now fixed.

5.17.3 (2023-06-27)

Bug fixes

  • We've made the switch to use the newer Microsoft Graph APIs instead of the deprecated Azure AD Graph APIs. You wouldn't notice any difference and things will continue to work smoothly as before.

  • We've updated the runtime of the lambda functions to node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

5.17.2 (2023-04-04)

Bug fixes

  • We'd sometimes fail to clean up Subscriptions automatically in Turbot via the Azure > Turbot > Management Group Event Poller control. This is now fixed.

5.17.1 (2023-03-29)

Bug fixes

  • The real-time event handler action would sometimes throw action errors while raising events in Turbot if claims details were not available in the event. This is now fixed.

5.17.0 (2023-03-23)

What's new?

  • Users can now ignore changes made to tags on the Action Group, Activity Log Alert and Resource Group created via the Azure > Turbot > Event Handlers and Azure > Turbot > Resource Group stack controls respectively. To get started, set the Azure > Turbot > Event Handlers > Monitor > Action Group > Tags > Ignore Changes, Azure > Turbot > Event Handlers > Monitor > Activity Log Alert > Tags > Ignore Changes and Azure > Turbot > Resource Group > Tags > Ignore Changes policies to Enabled.

Policy Types

Added

  • Azure > Turbot > Event Handlers > Monitor > Action Group > Tags > Ignore Changes
  • Azure > Turbot > Event Handlers > Monitor > Activity Log Alert > Tags > Ignore Changes
  • Azure > Turbot > Resource Group > Tags > Ignore Changes

5.16.1 (2023-03-22)

Bug fixes

  • We've updated the runtime of the lambda functions to node 16. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

5.16.0 (2023-02-10)

What's new?

  • The Azure > Turbot > Management Group Event Poller policy is now set to Enabled by default.

5.15.0 (2023-02-03)

Control Types

Removed

  • Azure > Subscription > Resource AKA Migration

Policy Types

Removed

  • Azure > Subscription > Resource AKA Migration

5.14.0 (2022-12-20)

What's new?

  • Azure > Turbot > Resource Group > Regions policy now supports China Cloud regions.

5.13.0 (2022-12-15)

What's new?

  • Users can now import China Cloud Subscriptions, Management Groups and Tenants in Turbot.

5.12.4 (2022-08-25)

Bug fixes

  • We’ve made a few improvements in the GraphQL queries for various controls and actions to be lighter and more reliable. You won’t notice any difference but things will now run quicker than before.

5.12.3 (2022-05-13)

Bug fixes

  • Turbot would upsert incorrect resource groups via real-time event handling when an Application Insights' smart detector alert rule was tagged/untagged in Azure. This is now fixed.

5.12.2 (2022-03-29)

Bug fixes

  • The real-time event handler action would sometimes throw unnecessary action errors while raising events in Turbot. This is now fixed.
  • We've improved the process of deleting resources from Turbot if their CMDB policy was set to Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Turbot's IAM role while deleting resources from Turbot. This will allow the CMDB controls to process resource deletions from Turbot more reliably than before.

5.12.1 (2021-12-24)

Bug fixes

  • We've made a few improvements in the GraphQL queries for Azure > Subscription > Event Handler. You won't notice any difference, but things should run lighter and quicker than before.

5.12.0 (2021-10-25)

What's new?

  • We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

Bug fixes

  • We've made a few improvements in the GraphQL queries for various router actions. You won't notice any difference, but things should run lighter and quicker than before.

5.11.3 (2021-04-21)

Bug fixes

  • Controls run faster now when in the tbd and skipped states thanks to the new Turbot Precheck feature (not to be confused with TSA PreCheck). With Turbot Precheck, controls avoid running GraphQL input queries when in tbd and skipped, resulting in faster and lighter control runs.

5.11.2 (2021-01-08)

Bug fixes

  • We've made some improvements in the GraphQL queries for a few controls under Azure > Subscription and Azure > Management Group. There's no noticeable difference, but they will run much lighter now.
  • The policy title for Azure > Client Key has been updated to Azure > Client Secret to better match Azure's console and documentation. The policy's URI is still tmod:@turbot/azure#/policy/types/clientKey, so no migration action is required.
  • We've updated the Discovery controls for resources to now move to skipped instead of invalid if the provider is disabled in the subscription and the Azure > Provider > {service} > Registered policy is checking if the provider is disabled. This will reduce the amount of noisy controls that cannot be easily resolved without making changes to the provider.

Policy Types

Renamed

  • Azure > Client Key to Azure > Client Secret

5.11.1 (2020-10-14)

Bug fixes

  • Sometimes the Azure > Subscription > Event Poller control would run less frequently than the interval set in the Azure > Subscription > Event Poller > Interval policy. We've updated this control to now ensure that it will run at least every 10 minutes (which is the maximum interval allowed in the policy) to prevent it from missing events.

5.11.0 (2020-09-21)

Warning

  • The Azure > Resource Group > Configured policy now includes the following new policy values:
    - Skip (unless claimed by a stack)
    - Check: Per Configured > Source (unless claimed by a stack)
    - Enforce: Per Configured > Source (unless claimed by a stack)
    These new values will replace the following current values, which have been deprecated and will be removed in the next major version:
    - Skip if using Configured > Source
    - Check: Configured if using Configured > Source
    - Enforce: Configured if using Configured > Source
    We recommend that you update your policy settings to use the new values, as these have replaced the deprecated values and are backward compatible.

Bug fixes

  • Management groups, subscriptions, and tenants can now be imported at the Turbot level (previously they could only be imported in a Turbot folder).

Policy Types

Renamed

  • Azure > Resource Group > Configured > Precedence to Azure > Resource Group > Configured > Claim Precedence

5.10.0 (2020-08-28)

What's new?

  • Discovery controls now have their own control category, CMDB > Discovery, to allow for easier filtering separately from other CMDB controls.
  • We've renamed the service's default regions policy from Regions [Default] to Regions to be consistent with our other regions policies.

5.9.0 (2020-08-26)

Policy Types

Added

  • Azure > Resource Group > Stack > Terraform Version
  • Azure > Subscription > Stack > Terraform Version
  • Azure > Turbot > Event Handlers > Terraform Version
  • Azure > Turbot > Resource Group > Terraform Version

5.8.1 (2020-07-23)

Bug fixes

  • We've cleaned up our use of some deprecated GraphQL resolvers in the event handlers policies. There's no noticeable difference, but this will help us clean up some of our resolvers.

5.8.0 (2020-07-03)

Policy Types

Added

  • Azure > Resource Group > Stack > Secret Variables
  • Azure > Resource Group > Stack > Variables

5.7.0 (2020-06-30)

Bug fixes

  • In version 5.6.0, AKA of tenant was modified to azure:///tenant/cdffd708-xxxx-xxxx-abeb-0a4c334d7xxx. This has now been reverted back to azure:///tenants/cdffd708-xxxx-xxxx-abeb-0a4c334d7xxx to maintain consistency across the AKA's of all other Azure resources like management groups and subscriptions.

Policy Types

Added

  • Azure > Subscription > Stack > Secret Variables
  • Azure > Subscription > Stack > Variables

5.6.0 (2020-06-30)

What's new?

  • The Tenant's CMDB now carries more information on the currently authenticated organisation. Information on all the service plans and verified domains has been added, which provides more depth to the tenant data.

  • Now you can automatically discover any new management group or subscription by setting Azure > Turbot > Management Group Event Poller policy to Enabled and by selecting the requisite time interval in Azure > Turbot > Management Group Event Poller > Interval policy.

  • Management Group's AKA now contains the Tenant ID to maintain its uniqueness.

Bug fixes

  • The Azure > Management Group > CMDB control, when triggered manually, would remain in an error state for management groups that had already been deleted from the Azure console. This has now been fixed.

Control Types

Added

  • Azure > Turbot > Management Group Event Poller

Policy Types

Added

  • Azure > Turbot > Management Group Event Poller
  • Azure > Turbot > Management Group Event Poller > Interval

5.5.0 (2020-06-22)

Bug fixes

  • In azure (5.0.13) a bug was fixed that caused some resource groups to be created with missing metadata. Any resources created under those resource groups were created with a malformed AKA that was missing the resource group name, e.g., azure:///subscriptions/123-456-789-012/resourceGroups//providers/Microsoft.Storage/storageAccounts/myStorageAccount. The Azure > Subscription > Resource AKA Migration control has been added to automatically migrate these resources. The Azure > Subscription > Resource AKA Migration policy is set to Enforce: Migrated by default, and it is recommended to leave this policy at that value to ensure all invalid resources are migrated.
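The bug signature above is mechanical: a resource-group-scoped AKA whose resourceGroups segment is empty. The following is an added example, not the mod's migration control, that parses AKAs of that shape, flags the malformed ones and fills in the missing group name once it has been recovered from elsewhere (for instance from the resource's ARM ID). The AKA format is inferred from the example on this page; the sample AKAs are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional

# Turbot AKA shape for a resource that lives in a resource group, inferred from the
# example above: azure:///subscriptions/<subscription>/resourceGroups/<group>/providers/<path>
_RG_AKA = re.compile(
    r"^azure:///subscriptions/(?P<subscription>[^/]+)/resourceGroups/"
    r"(?P<group>[^/]*)/providers/(?P<path>.+)$",
    re.IGNORECASE,
)


def parse_resource_aka(aka: str) -> Optional[Dict[str, str]]:
    """Split a resource-group-scoped AKA into its parts; None for any other AKA shape
    (tenants, subscriptions and management groups have their own AKA forms)."""
    m = _RG_AKA.match(aka)
    if m is None:
        return None
    return {"subscription": m["subscription"], "group": m["group"], "path": m["path"]}


def is_malformed_aka(aka: str) -> bool:
    """True for the 5.0.13 bug signature: the resourceGroups segment is empty."""
    parsed = parse_resource_aka(aka)
    return parsed is not None and parsed["group"] == ""


def repair_aka(aka: str, group: str) -> str:
    """Fill an empty resourceGroups segment with `group`; any other AKA is returned unchanged."""
    parsed = parse_resource_aka(aka)
    if parsed is None or parsed["group"] != "":
        return aka
    return (f"azure:///subscriptions/{parsed['subscription']}/resourceGroups/{group}"
            f"/providers/{parsed['path']}")


def find_malformed(akas: Iterable[str]) -> List[str]:
    """Return the AKAs from a CMDB export that still carry the empty-group defect."""
    return [a for a in akas if is_malformed_aka(a)]


if __name__ == "__main__":
    # Constructed sample AKAs, not real resources.
    sample = [
        "azure:///subscriptions/123-456-789-012/resourceGroups//providers/"
        "Microsoft.Storage/storageAccounts/myStorageAccount",
        "azure:///subscriptions/123-456-789-012/resourceGroups/my-rg/providers/"
        "Microsoft.Storage/storageAccounts/otherAccount",
        "azure:///tenants/cdffd708-xxxx-xxxx-abeb-0a4c334d7xxx",
    ]
    for bad in find_malformed(sample):
        print("malformed:", bad)
        print("repaired: ", repair_aka(bad, "my-rg"))
```

Because the group name is absent from the malformed AKA, it cannot be recovered from the string alone; the repair step takes it as an argument, which is why the mod needed a migration control with Azure API access rather than a string rewrite.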

Control Types

Added

  • Azure > Subscription > Resource AKA Migration

Policy Types

Added

  • Azure > Subscription > Resource AKA Migration

5.4.1 (2020-06-15)

Bug fixes

  • The Azure > Turbot > Event Handlers stack would sometimes go into error state when the Azure subscription was imported using a service principal that had limited permissions. These errors were a result of Terraform attempting to register all providers by default during resource creation, which would then fail due to limited permissions. We've disabled this capability in this stack as it's unnecessary and the stacks now work properly with limited permissions.

5.4.0 (2020-06-12)

What's new?

  • Several policy configurations have been updated to provide support for the Azure > Active Directory mod.

5.3.1 (2020-06-11)

Bug fixes

  • The Azure > Turbot > Resource Group stack would sometimes go into error state when the Azure subscription was imported using a service principal that had limited permissions. These errors were a result of Terraform attempting to register all providers by default during resource creation, which would then fail due to limited permissions. We've disabled this capability in the stack as it's unnecessary and the stack now works properly with limited permissions.

5.3.0 (2020-06-03)

Warning

  • The Azure > Event Poller is now enabled by default if the Azure > Event Handler is not set to Enforce: Configured.

What's new?

  • Azure > Subscription > Event Handler action type is now set to run even if Turbot is outside of its allowed change window. This allows Turbot to maintain an up-to-date CMDB by handling resource updates at all times. Note that this only affects Turbot's ability to process resources changes that were made in the cloud provider - enforcement actions are still disabled outside of the change window.

5.2.0 (2020-05-28)

What's new?

  • Updated various resource configurations in preparation for upcoming maintenance window features.

5.1.0 (2020-05-12)

Control Types

Added

  • Azure > Resource Group > Tags

Policy Types

Added

  • Azure > Resource Group > Tags
  • Azure > Resource Group > Tags > Template
  • Azure > Tags Template [Default]

Action Types

Added

  • Azure > Resource Group > Set Tags

5.0.13 (2020-04-28)

Bug fixes

  • The default value of Azure > Turbot > Event Poller > Window policy was increased from 5 minutes to 10 minutes to avoid missing certain real-time events which take slightly longer to arrive from Azure.

  • When a new resource group was created in CMDB, sometimes it was created without the resource group name in its metadata. Without this metadata, controls for resources belonging to the resource group could not make any Azure API calls. This has been fixed.

  • When the Azure > Turbot > Event Handlers policy was set to Enforce: Not Configured, the Azure > Event Handlers control remained in an Error state instead of deleting the resources created by the stack. Now the stack can properly clean up after itself.