@turbot/azure-compute
The azure-compute mod contains resource, control and policy definitions for Azure Compute service.
- Setting Policies Tutorial
- Mods Overview
- Policies Overview
- Resources Overview
- Common Policies and Controls
Recommended Version
Version
5.16.0
Released On
Feb 05, 2024
Depends On
@turbot/azure ^5.0.0
@turbot/azure-iam ^5.0.0
@turbot/azure-provider ^5.0.0
@turbot/turbot ^5.22.0
@turbot/turbot-iam ^5.1.0
@turbot/azure-iam ^5.0.0
@turbot/azure-provider ^5.0.0
@turbot/turbot ^5.22.0
@turbot/turbot-iam ^5.1.0
Resource Types
- Azure > Compute
- Azure > Compute > Availability Set
- Azure > Compute > Disk
- Azure > Compute > Disk Encryption Set
- Azure > Compute > Image
- Azure > Compute > Snapshot
- Azure > Compute > Ssh Public Key
- Azure > Compute > Virtual Machine
- Azure > Compute > Virtual Machine Scale Set
Control Types
- Azure > Compute > Availability Set > Active
- Azure > Compute > Availability Set > Approved
- Azure > Compute > Availability Set > CMDB
- Azure > Compute > Availability Set > Discovery
- Azure > Compute > Availability Set > Tags
- Azure > Compute > Disk > Active
- Azure > Compute > Disk > Approved
- Azure > Compute > Disk > CMDB
- Azure > Compute > Disk > Discovery
- Azure > Compute > Disk > Tags
- Azure > Compute > Disk Encryption Set > Active
- Azure > Compute > Disk Encryption Set > Approved
- Azure > Compute > Disk Encryption Set > CMDB
- Azure > Compute > Disk Encryption Set > Discovery
- Azure > Compute > Disk Encryption Set > Tags
- Azure > Compute > Image > Active
- Azure > Compute > Image > Approved
- Azure > Compute > Image > CMDB
- Azure > Compute > Image > Discovery
- Azure > Compute > Image > Tags
- Azure > Compute > Snapshot > Active
- Azure > Compute > Snapshot > Approved
- Azure > Compute > Snapshot > CMDB
- Azure > Compute > Snapshot > Discovery
- Azure > Compute > Snapshot > Tags
- Azure > Compute > Ssh Public Key > Active
- Azure > Compute > Ssh Public Key > Approved
- Azure > Compute > Ssh Public Key > CMDB
- Azure > Compute > Ssh Public Key > Discovery
- Azure > Compute > Ssh Public Key > Tags
- Azure > Compute > Virtual Machine > Active
- Azure > Compute > Virtual Machine > Approved
- Azure > Compute > Virtual Machine > CMDB
- Azure > Compute > Virtual Machine > Discovery
- Azure > Compute > Virtual Machine > Schedule
- Azure > Compute > Virtual Machine > Tags
- Azure > Compute > Virtual Machine Scale Set > Active
- Azure > Compute > Virtual Machine Scale Set > Approved
- Azure > Compute > Virtual Machine Scale Set > CMDB
- Azure > Compute > Virtual Machine Scale Set > Discovery
- Azure > Compute > Virtual Machine Scale Set > Tags
Policy Types
- Azure > Compute > Approved Regions [Default]
- Azure > Compute > Availability Set > Active
- Azure > Compute > Availability Set > Active > Age
- Azure > Compute > Availability Set > Active > Last Modified
- Azure > Compute > Availability Set > Approved
- Azure > Compute > Availability Set > Approved > Custom
- Azure > Compute > Availability Set > Approved > Regions
- Azure > Compute > Availability Set > Approved > Usage
- Azure > Compute > Availability Set > CMDB
- Azure > Compute > Availability Set > Regions
- Azure > Compute > Availability Set > Tags
- Azure > Compute > Availability Set > Tags > Template
- Azure > Compute > Disk > Active
- Azure > Compute > Disk > Active > Age
- Azure > Compute > Disk > Active > Attached
- Azure > Compute > Disk > Active > Last Modified
- Azure > Compute > Disk > Approved
- Azure > Compute > Disk > Approved > Custom
- Azure > Compute > Disk > Approved > Regions
- Azure > Compute > Disk > Approved > Usage
- Azure > Compute > Disk > CMDB
- Azure > Compute > Disk > Regions
- Azure > Compute > Disk > Tags
- Azure > Compute > Disk > Tags > Template
- Azure > Compute > Disk Encryption Set > Active
- Azure > Compute > Disk Encryption Set > Active > Age
- Azure > Compute > Disk Encryption Set > Active > Last Modified
- Azure > Compute > Disk Encryption Set > Approved
- Azure > Compute > Disk Encryption Set > Approved > Custom
- Azure > Compute > Disk Encryption Set > Approved > Regions
- Azure > Compute > Disk Encryption Set > Approved > Usage
- Azure > Compute > Disk Encryption Set > CMDB
- Azure > Compute > Disk Encryption Set > Regions
- Azure > Compute > Disk Encryption Set > Tags
- Azure > Compute > Disk Encryption Set > Tags > Template
- Azure > Compute > Enabled
- Azure > Compute > Image > Active
- Azure > Compute > Image > Active > Age
- Azure > Compute > Image > Active > Last Modified
- Azure > Compute > Image > Approved
- Azure > Compute > Image > Approved > Custom
- Azure > Compute > Image > Approved > Regions
- Azure > Compute > Image > Approved > Usage
- Azure > Compute > Image > CMDB
- Azure > Compute > Image > Regions
- Azure > Compute > Image > Tags
- Azure > Compute > Image > Tags > Template
- Azure > Compute > Image > Trusted Publishers
- Azure > Compute > Image > Trusted Publishers > Custom - list of publishers
- Azure > Compute > Image > Trusted Publishers > Local
- Azure > Compute > Image > Trusted Publishers > RHEL
- Azure > Compute > Image > Trusted Publishers > Ubuntu
- Azure > Compute > Image > Trusted Publishers > Windows Server
- Azure > Compute > Permissions
- Azure > Compute > Permissions > Levels
- Azure > Compute > Permissions > Levels > Modifiers
- Azure > Compute > Regions
- Azure > Compute > Snapshot > Active
- Azure > Compute > Snapshot > Active > Age
- Azure > Compute > Snapshot > Active > Last Modified
- Azure > Compute > Snapshot > Approved
- Azure > Compute > Snapshot > Approved > Custom
- Azure > Compute > Snapshot > Approved > Regions
- Azure > Compute > Snapshot > Approved > Usage
- Azure > Compute > Snapshot > CMDB
- Azure > Compute > Snapshot > Regions
- Azure > Compute > Snapshot > Tags
- Azure > Compute > Snapshot > Tags > Template
- Azure > Compute > Ssh Public Key > Active
- Azure > Compute > Ssh Public Key > Active > Age
- Azure > Compute > Ssh Public Key > Active > Last Modified
- Azure > Compute > Ssh Public Key > Approved
- Azure > Compute > Ssh Public Key > Approved > Custom
- Azure > Compute > Ssh Public Key > Approved > Regions
- Azure > Compute > Ssh Public Key > Approved > Usage
- Azure > Compute > Ssh Public Key > CMDB
- Azure > Compute > Ssh Public Key > Regions
- Azure > Compute > Ssh Public Key > Tags
- Azure > Compute > Ssh Public Key > Tags > Template
- Azure > Compute > Tags Template [Default]
- Azure > Compute > Virtual Machine > Active
- Azure > Compute > Virtual Machine > Active > Age
- Azure > Compute > Virtual Machine > Active > Last Modified
- Azure > Compute > Virtual Machine > Approved
- Azure > Compute > Virtual Machine > Approved > Custom
- Azure > Compute > Virtual Machine > Approved > Image
- Azure > Compute > Virtual Machine > Approved > Image > Compiled Rules
- Azure > Compute > Virtual Machine > Approved > Image > Local
- Azure > Compute > Virtual Machine > Approved > Image > RHEL 6
- Azure > Compute > Virtual Machine > Approved > Image > RHEL 7
- Azure > Compute > Virtual Machine > Approved > Image > Rules
- Azure > Compute > Virtual Machine > Approved > Image > Status
- Azure > Compute > Virtual Machine > Approved > Image > Trusted Publishers
- Azure > Compute > Virtual Machine > Approved > Image > Ubuntu 16.04
- Azure > Compute > Virtual Machine > Approved > Image > Ubuntu 18.04
- Azure > Compute > Virtual Machine > Approved > Image > Windows 2012-R2 Datacenter
- Azure > Compute > Virtual Machine > Approved > Image > Windows 2016 Datacenter
- Azure > Compute > Virtual Machine > Approved > Image > Windows 2019 Datacenter
- Azure > Compute > Virtual Machine > Approved > Regions
- Azure > Compute > Virtual Machine > Approved > Usage
- Azure > Compute > Virtual Machine > CMDB
- Azure > Compute > Virtual Machine > Regions
- Azure > Compute > Virtual Machine > Schedule
- Azure > Compute > Virtual Machine > Schedule Tag
- Azure > Compute > Virtual Machine > Tags
- Azure > Compute > Virtual Machine > Tags > Template
- Azure > Compute > Virtual Machine Scale Set > Active
- Azure > Compute > Virtual Machine Scale Set > Active > Age
- Azure > Compute > Virtual Machine Scale Set > Active > Last Modified
- Azure > Compute > Virtual Machine Scale Set > Approved
- Azure > Compute > Virtual Machine Scale Set > Approved > Custom
- Azure > Compute > Virtual Machine Scale Set > Approved > Regions
- Azure > Compute > Virtual Machine Scale Set > Approved > Usage
- Azure > Compute > Virtual Machine Scale Set > CMDB
- Azure > Compute > Virtual Machine Scale Set > Regions
- Azure > Compute > Virtual Machine Scale Set > Tags
- Azure > Compute > Virtual Machine Scale Set > Tags > Template
- Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-compute
- Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-compute
Release Notes
5.16.0 (2024-02-05)
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
5.15.0 (2023-08-18)
What's new?
- Rebranded to a Guardrails Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.
Resource Types
- Azure > Compute > Ssh Public Key
- Azure > Compute > Virtual Machine Scale Set
Control Types
- Azure > Compute > Ssh Public Key > Active
- Azure > Compute > Ssh Public Key > Approved
- Azure > Compute > Ssh Public Key > CMDB
- Azure > Compute > Ssh Public Key > Discovery
- Azure > Compute > Ssh Public Key > Tags
- Azure > Compute > Virtual Machine Scale Set > Active
- Azure > Compute > Virtual Machine Scale Set > Approved
- Azure > Compute > Virtual Machine Scale Set > CMDB
- Azure > Compute > Virtual Machine Scale Set > Discovery
- Azure > Compute > Virtual Machine Scale Set > Tags
Policy Types
- Azure > Compute > Ssh Public Key > Active
- Azure > Compute > Ssh Public Key > Active > Age
- Azure > Compute > Ssh Public Key > Active > Last Modified
- Azure > Compute > Ssh Public Key > Approved
- Azure > Compute > Ssh Public Key > Approved > Custom
- Azure > Compute > Ssh Public Key > Approved > Regions
- Azure > Compute > Ssh Public Key > Approved > Usage
- Azure > Compute > Ssh Public Key > CMDB
- Azure > Compute > Ssh Public Key > Regions
- Azure > Compute > Ssh Public Key > Tags
- Azure > Compute > Ssh Public Key > Tags > Template
- Azure > Compute > Virtual Machine Scale Set > Active
- Azure > Compute > Virtual Machine Scale Set > Active > Age
- Azure > Compute > Virtual Machine Scale Set > Active > Last Modified
- Azure > Compute > Virtual Machine Scale Set > Approved
- Azure > Compute > Virtual Machine Scale Set > Approved > Custom
- Azure > Compute > Virtual Machine Scale Set > Approved > Regions
- Azure > Compute > Virtual Machine Scale Set > Approved > Usage
- Azure > Compute > Virtual Machine Scale Set > CMDB
- Azure > Compute > Virtual Machine Scale Set > Regions
- Azure > Compute > Virtual Machine Scale Set > Tags
- Azure > Compute > Virtual Machine Scale Set > Tags > Template
Action Types
- Azure > Compute > Ssh Public Key > Delete
- Azure > Compute > Ssh Public Key > Router
- Azure > Compute > Ssh Public Key > Set Tags
- Azure > Compute > Virtual Machine Scale Set > Delete
- Azure > Compute > Virtual Machine Scale Set > Router
- Azure > Compute > Virtual Machine Scale Set > Set Tags
5.14.0 (2023-06-19)
What's new?
- Resource's metadata will now also include
createdBy
details in Turbot CMDB. - README.md file is now available for users to check details about the resource types and service permissions that the mod covers.
5.13.1 (2023-03-10)
Bug fixes
- The
Azure > Compute > Virtual Machine > Tags
control would sometimes try and update the purchase plan as well while updating tags on a VM, which of course led to an error. This was all unintentional and we've now fixed the control to only update tags as it was originally meant to do. - The
Azure > Compute > Virtual Machine > Tags
control would incorrectly remain in an alarm state when tags were enforced on generalized VMs. The control will now move to a skipped state instead because tag updates for such VMs are not supported in Azure.
5.13.0 (2022-12-21)
What's new?
- All
Azure > Compute
resource types now support China Cloud regions.
5.12.1 (2022-11-17)
Bug fixes
- Guardrails real-time event handlers would sometimes fail to update VM's CMDB data for VM restart events. This is now fixed.
5.12.0 (2022-08-17)
Action Types
- Azure > Compute > Availability Set > Delete from Azure
- Azure > Compute > Availability Set > Set Tags
- Azure > Compute > Availability Set > Skip alarm for Active control
- Azure > Compute > Availability Set > Skip alarm for Active control [90 days]
- Azure > Compute > Availability Set > Skip alarm for Approved control
- Azure > Compute > Availability Set > Skip alarm for Approved control [90 days]
- Azure > Compute > Availability Set > Skip alarm for Tags control
- Azure > Compute > Availability Set > Skip alarm for Tags control [90 days]
- Azure > Compute > Disk > Set Tags
- Azure > Compute > Disk > Skip alarm for Active control
- Azure > Compute > Disk > Skip alarm for Active control [90 days]
- Azure > Compute > Disk > Skip alarm for Approved control
- Azure > Compute > Disk > Skip alarm for Approved control [90 days]
- Azure > Compute > Disk > Skip alarm for Tags control
- Azure > Compute > Disk > Skip alarm for Tags control [90 days]
- Azure > Compute > Disk > Snapshot and delete from Azure
- Azure > Compute > Disk Encryption Set > Delete from Azure
- Azure > Compute > Disk Encryption Set > Set Tags
- Azure > Compute > Disk Encryption Set > Skip alarm for Active control
- Azure > Compute > Disk Encryption Set > Skip alarm for Active control [90 days]
- Azure > Compute > Disk Encryption Set > Skip alarm for Approved control
- Azure > Compute > Disk Encryption Set > Skip alarm for Approved control [90 days]
- Azure > Compute > Disk Encryption Set > Skip alarm for Tags control
- Azure > Compute > Disk Encryption Set > Skip alarm for Tags control [90 days]
- Azure > Compute > Image > Delete from Azure
- Azure > Compute > Image > Set Tags
- Azure > Compute > Image > Skip alarm for Active control
- Azure > Compute > Image > Skip alarm for Active control [90 days]
- Azure > Compute > Image > Skip alarm for Approved control
- Azure > Compute > Image > Skip alarm for Approved control [90 days]
- Azure > Compute > Image > Skip alarm for Tags control
- Azure > Compute > Image > Skip alarm for Tags control [90 days]
- Azure > Compute > Snapshot > Delete from Azure
- Azure > Compute > Snapshot > Set Tags
- Azure > Compute > Snapshot > Skip alarm for Active control
- Azure > Compute > Snapshot > Skip alarm for Active control [90 days]
- Azure > Compute > Snapshot > Skip alarm for Approved control
- Azure > Compute > Snapshot > Skip alarm for Approved control [90 days]
- Azure > Compute > Snapshot > Skip alarm for Tags control
- Azure > Compute > Snapshot > Skip alarm for Tags control [90 days]
- Azure > Compute > Virtual Machine > Delete from Azure
- Azure > Compute > Virtual Machine > Set Tags
- Azure > Compute > Virtual Machine > Skip alarm for Active control
- Azure > Compute > Virtual Machine > Skip alarm for Active control [90 days]
- Azure > Compute > Virtual Machine > Skip alarm for Approved control
- Azure > Compute > Virtual Machine > Skip alarm for Approved control [90 days]
- Azure > Compute > Virtual Machine > Skip alarm for Tags control
- Azure > Compute > Virtual Machine > Skip alarm for Tags control [90 days]
- Azure > Compute > Virtual Machine > Start Virtual Machine
- Azure > Compute > Virtual Machine > Stop Virtual Machine
5.11.1 (2022-03-03)
Bug fixes
- The
Azure > Compute > Disk > Active
control would sometimes incorrectly determine if a disk was attached to a VM, which would then lead to incorrect control evaluation. This is fixed and the control now works as expected.
5.11.0 (2022-02-17)
What's new?
- Users can now create their own custom checks against resource attributes in the Approved control using the
Approved > Custom
policy. These custom checks would be a part of the evaluation of the Approved control. Custom messages can also be added which are then displayed in the control details table. See Custom Checks for more information.
Bug fixes
- We've improved the process of deleting resources from Guardrails if their CMDB policy was set to
Enforce: Disabled
. The CMDB controls will now not look to resolve credentials via Guardrails'IAM role while deleting resources from Turbot. This will allow the CMDB controls to process resource deletions from Guardrails more reliably than before.
Policy Types
- Azure > Compute > Availability Set > Approved > Custom
- Azure > Compute > Disk > Approved > Custom
- Azure > Compute > Disk Encryption Set > Approved > Custom
- Azure > Compute > Image > Approved > Custom
- Azure > Compute > Snapshot > Approved > Custom
- Azure > Compute > Virtual Machine > Approved > Custom
5.10.0 (2021-08-25)
What's new?
- We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.
Bug fixes
- We've made a few improvements in the GraphQL queries for various router actions. You won't notice any difference, but things should run lighter and quicker than before.
5.9.0 (2021-06-02)
What's new?
- We've improved the state reasons and details tables in various Approved and Active controls to be more helpful, especially when a resource is unapproved or inactive. Previously, to understand why one of these controls is in Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.
Bug fixes
- Controls run faster now when in the
tbd
andskipped
states thanks to the new Turbot Precheck feature (not to be confused with TSA PreCheck). With Turbot Precheck, controls avoid running GraphQL input queries when intbd
andskipped
, resulting in faster and lighter control runs.
5.8.2 (2021-01-14)
Bug fixes
- We'd fail to upsert disks attached to a Virtual Machine scale set. This is now fixed and such disks will now be upserted correctly into Turbot's CMDB.
5.8.1 (2020-11-03)
Bug fixes
- We've updated the Discovery controls for resources to now move to skipped instead of invalid if the provider is disabled in the subscription and the
Azure > Provider > {service} > Registered
policy is checking if the provider is disabled. This will reduce the amount of noisy controls that cannot be easily resolved without making changes to the provider.
5.8.0 (2020-10-23)
What's new?
- We've made improvements to how Approved controls interact with CMDB policies and controls for more reliable approved checks. Now, if a resource's CMDB policy is set to
Skip
, its Approved control will move toinvalid
to prevent the Approved control from making a decision based on outdated information. Also, Approved controls will now wait until the resource's CMDB control has run at least once to ensure the required data is available.
5.7.0 (2020-09-25)
What's new?
- We've made improvements to how Active controls interact with CMDB policies and controls for more reliable active checks. Now, if a resource's CMDB policy is set to
Skip
, its Active control will move toinvalid
to prevent the Active control from making a decision based on outdated information. Also, Active controls will now wait until the resource's CMDB control has run at least once to ensure the required data is available.
5.6.1 (2020-09-04)
Bug fixes
- Links to documentation in the descriptions for several controls and policies were broken. These links have now been fixed.
5.6.0 (2020-09-04)
Control Types
- Azure > Compute > Virtual Machine > Schedule
Policy Types
- Azure > Compute > Virtual Machine > Schedule
- Azure > Compute > Virtual Machine > Schedule Tag
Action Types
- Azure > Compute > Virtual Machine > Start
5.5.0 (2020-08-26)
What's new?
- Discovery controls now have their own control category,
CMDB > Discovery
, to allow for easier filtering separately from other CMDB controls.
5.4.2 (2020-07-24)
Bug fixes
- When deleting inactive resources through an Active control, different warning periods in days can be set to delay deletion. We recently identified a bug that would cause these warning periods to be ignored, and any inactive resources would be deleted immediately. This bug has been fixed and now all Active controls will abide by the warning period set in the policy value.
5.4.1 (2020-06-29)
Bug fixes
Azure > Compute > Virtual Machine > Approved
control remained inok
state inspite ofAzure > Compute > Virtual Machine > Approved > Image > Status
policy evaluating toNot Approved
. This issue has been fixed and now the approved control correctly goes took
oralarm
state as per the dependent policy settings.
5.4.0 (2020-06-24)
What's new?
- Unapproved virtual machines can now be stopped (previously only deletion was available) by setting the
Azure > Compute > Virtual Machine > Approved
policy toEnforce: Stop unapproved
andEnforce: Stop unapproved if new
.
Action Types
- Azure > Compute > Virtual Machine > Stop
5.3.0 (2020-06-17)
Resource Types
- Azure > Compute > Disk Encryption Set
Control Types
- Azure > Compute > Disk Encryption Set > Active
- Azure > Compute > Disk Encryption Set > Approved
- Azure > Compute > Disk Encryption Set > CMDB
- Azure > Compute > Disk Encryption Set > Discovery
- Azure > Compute > Disk Encryption Set > Tags
Policy Types
- Azure > Compute > Disk Encryption Set > Active
- Azure > Compute > Disk Encryption Set > Active > Age
- Azure > Compute > Disk Encryption Set > Active > Last Modified
- Azure > Compute > Disk Encryption Set > Approved
- Azure > Compute > Disk Encryption Set > Approved > Regions
- Azure > Compute > Disk Encryption Set > Approved > Usage
- Azure > Compute > Disk Encryption Set > CMDB
- Azure > Compute > Disk Encryption Set > Regions
- Azure > Compute > Disk Encryption Set > Tags
- Azure > Compute > Disk Encryption Set > Tags > Template
Action Types
- Azure > Compute > Disk Encryption Set > Delete
- Azure > Compute > Disk Encryption Set > Router
- Azure > Compute > Disk Encryption Set > Set Tags
5.2.3 (2020-06-12)
Bug fixes
- Disk encryption information was previously not stored in virtual machine or disk CMDB data, but is now included for both resource types.
5.2.2 (2020-06-09)
What's new?
- All resource Router actions now run even if Guardrails is outside of its allowed change window. This allows Guardrails to maintain an up-to-date CMDB by handling resource updates at all times. Note that this only affects Guardrails'ability to process resources changes that were made in the cloud provider - enforcement actions are still disabled outside of the change window.
5.2.1 (2020-05-26)
Bug fixes
- Minor optimisations were made to the GraphQL of the Virtual Machine resource type to improve its performance.
5.2.0 (2020-05-08)
What's new?
- Updated
Azure > Compute > Disk > Regions
policy default value to now includegermanywestcentral
,norwayeast
,switzerlandnorth
.
Bug fixes
- After a disk was detached from a virtual machine, the
managedBy
property was not getting updated properly to reflect it was no longer attached. This has been fixed. - The
Azure > Compute > Disk > CMDB
control was not deleting any disks that no longer existed in the subscription due to a missingNotFound
error code check. This has been fixed.
Policy Types
Removed
- Azure > Compute > Availability Set > Regions
5.1.4 (2020-04-27)
Bug fixes
- Fixed the default value of
Virtual Machine > Approved > Image > Rules
policy, updating it fromENABLED $.publisher:Canonical
toENABLED *
. Now all images, not just those from Canonical, will have their status set to ENABLED by default in theVirtual Machine > Approved > Image > Status
policy, which is more consistent with other Guardrails policies that use OCL rules. - When calculating the
Virtual Machine > Approved > Image > Status
policy, the correct status was not being set as images that had non-default SKUs were not being properly matched against OCL rules. This has been fixed.