Policy types for @turbot/azure-compute

Azure > Compute > Approved Regions [Default]

A list of Azure regions in which Azure Compute resources are approved for use.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

This policy is the default value for all Azure Compute resources' Approved > Regions policies.

URI
tmod:@turbot/azure-compute#/policy/types/computeApprovedRegionsDefault
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/azure#/policy/types/approvedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

Azure > Compute > Availability Set > Active

Determine the action to take when an Azure Compute availability set is not active, based on the Azure > Compute > Availability Set > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Availability Set > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: This is in contrast with Approved, where a resource that appears to be
Unapproved for any reason is considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-compute#/policy/types/availabilitySetActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

Azure > Compute > Availability Set > Active > Age

The age after which the Azure Compute availability set
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Availability Set > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note: This is in contrast with Approved, where a resource that appears to be
Unapproved for any reason is considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-compute#/policy/types/availabilitySetActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

Azure > Compute > Availability Set > Active > Last Modified

The number of days since the Azure Compute availability set was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Availability Set > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: This is in contrast with Approved, where a resource that appears to be
Unapproved for any reason is considered Unapproved.

URI
tmod:@turbot/azure-compute#/policy/types/availabilitySetActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}
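The Active, Active > Age and Active > Last Modified policies above describe how each sub-policy produces active, inactive or skipped and how the Active control folds those into one status (active for any reason wins, unlike Approved). The following is an added example, not Guardrails' own code: it models that evaluation for an availability set using the setting strings from the page. Two points the page leaves open are assumptions, marked in the code: a "Force inactive if age > N days" setting contributes "skipped" while the resource is still inside its window, and a forced result takes precedence over non-forced ones when results are combined.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Added model of the Active sub-policies on this page; not Guardrails' own code.
# Assumptions are marked inline.

_DAY_COUNT = re.compile(r"(\d+) days?$")


def _window(setting: str) -> timedelta:
    """Pull the N out of a '... N day(s)' setting and return it as a timedelta."""
    match = _DAY_COUNT.search(setting)
    if match is None:
        raise ValueError(f"no day count in policy setting: {setting!r}")
    return timedelta(days=int(match.group(1)))


def age_status(setting: str, now: datetime, create_time: Optional[datetime],
               discovered_time: datetime) -> Tuple[str, bool]:
    """Active > Age: returns (status, forced). When no create time is known the
    discovery time is used, as the page states."""
    if setting == "Skip":
        return ("skipped", False)
    if not setting.startswith("Force inactive if age > "):
        raise ValueError(f"unknown Age setting: {setting!r}")
    start = create_time if create_time is not None else discovered_time
    if now - start > _window(setting):
        return ("inactive", True)
    return ("skipped", False)  # assumption: no opinion while inside the window


def last_modified_status(setting: str, now: datetime,
                         last_modified: datetime) -> Tuple[str, bool]:
    """Active > Last Modified: '[Force ]active if last modified <= N days'."""
    if setting == "Skip":
        return ("skipped", False)
    forced = setting.startswith("Force ")
    body = setting[len("Force "):] if forced else setting
    if not body.lower().startswith("active if last modified <= "):
        raise ValueError(f"unknown Last Modified setting: {setting!r}")
    if now - last_modified <= _window(setting):
        return ("active", forced)
    return ("inactive", False)


def combine_active(results: List[Tuple[str, bool]]) -> str:
    """Active control: active if any sub-policy says active (as the page states).
    Assumption: forced results override non-forced ones, forced inactive first."""
    forced = {status for status, is_forced in results if is_forced}
    if "inactive" in forced:
        return "inactive"
    if "active" in forced:
        return "active"
    statuses = {status for status, _ in results}
    if "active" in statuses:
        return "active"
    if "inactive" in statuses:
        return "inactive"
    return "skipped"


def combine_approved(results: List[str]) -> str:
    """Approved control, for contrast: unapproved for any reason means unapproved."""
    if "Not approved" in results:
        return "Not approved"
    if "Approved" in results:
        return "Approved"
    return "Skip"


if __name__ == "__main__":
    # Constructed sample: created 152 days ago, discovered 7 days ago, modified 12 days ago.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    created = datetime(2024, 1, 1, tzinfo=timezone.utc)
    discovered = datetime(2024, 5, 25, tzinfo=timezone.utc)
    modified = datetime(2024, 5, 20, tzinfo=timezone.utc)
    age = age_status("Force inactive if age > 90 days", now, created, discovered)
    recent = last_modified_status("Active if last modified <= 30 days", now, modified)
    print(age, recent, combine_active([age, recent]))
    print(combine_approved(["Approved", "Not approved"]))
```

Running the sample shows the asymmetry the page describes: the recent modification alone would keep the set active, but the forced age result makes it inactive, whereas for Approved a single "Not approved" is enough to fail the resource.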

Azure > Compute > Availability Set > Approved

Determine the action to take when an Azure Compute availability set is not approved based on Azure > Compute > Availability Set > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/availabilitySetApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

Azure > Compute > Availability Set > Approved > Custom

Determine whether the Azure Compute availability set is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Compute availability set is not approved, it will be subject to the action specified in the Azure > Compute > Availability Set > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/azure-compute#/policy/types/availabilitySetApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}
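The Approved > Custom note and schema above define three accepted shapes: a bare string, one object, or a list of objects, each object carrying a result and optional title (1 to 32 characters) and message (1 to 128 characters), with no other keys. The following is an added validator that enforces exactly those constraints on an already-parsed value; it is not Guardrails' own code. It works on the parsed structure, so the constructed sample is supplied as JSON rather than YAML to avoid a third-party parser. Assumption, marked in the code: when several objects are given, a single "Not approved" makes the resource unapproved, mirroring the Approved control's rule that any unapproved reason counts.

```python
import json
import re
from typing import Any, Dict, List

# Added validator for the Approved > Custom value shape on this page; not
# Guardrails' own code. Folding rule for multiple objects is an assumption.

_RESULT = re.compile(r"^(Approved|Not approved|Skip)$")
_LENGTH_LIMITS = {"title": 32, "message": 128}  # the {1,32} / {1,128} patterns
_ALLOWED_KEYS = {"result", "title", "message"}  # additionalProperties: false


def _check_object(obj: Any) -> Dict[str, str]:
    """Validate one object against the schema's object branch."""
    if not isinstance(obj, dict):
        raise ValueError(f"expected an object, got {type(obj).__name__}")
    extra = set(obj) - _ALLOWED_KEYS
    if extra:
        raise ValueError(f"unexpected keys: {sorted(extra)}")
    result = obj.get("result")
    if not isinstance(result, str) or not _RESULT.match(result):
        raise ValueError(f"result must be Approved, Not approved or Skip, got {result!r}")
    for key, limit in _LENGTH_LIMITS.items():
        if key in obj:
            text = obj[key]
            if not isinstance(text, str) or not 1 <= len(text) <= limit:
                raise ValueError(f"{key} must be a string of 1..{limit} characters")
    return dict(obj)


def validate_custom_value(value: Any) -> List[Dict[str, str]]:
    """Accept the three shapes the schema allows and normalise to a list of objects."""
    if isinstance(value, str):
        if not _RESULT.match(value):
            raise ValueError(f"bare string must be Approved, Not approved or Skip, got {value!r}")
        return [{"result": value}]
    if isinstance(value, dict):
        return [_check_object(value)]
    if isinstance(value, list):
        return [_check_object(item) for item in value]
    raise ValueError(f"unsupported value type {type(value).__name__}")


def is_valid(value: Any) -> bool:
    try:
        validate_custom_value(value)
        return True
    except ValueError:
        return False


def custom_result(value: Any) -> str:
    """Fold the validated entries into one result. Assumption: any 'Not approved'
    wins, then 'Approved', otherwise 'Skip' (an empty list also yields 'Skip')."""
    results = [entry["result"] for entry in validate_custom_value(value)]
    if "Not approved" in results:
        return "Not approved"
    if "Approved" in results:
        return "Approved"
    return "Skip"


if __name__ == "__main__":
    # Constructed sample policy value, in JSON as a stand-in for the YAML objects.
    sample = json.loads("""
    [
      {"title": "Owner tag present", "result": "Approved"},
      {"title": "Cost centre", "result": "Not approved",
       "message": "Missing cost-centre tag"}
    ]
    """)
    print(custom_result(sample))
    print(is_valid({"result": "Maybe"}), is_valid({"result": "Approved", "owner": "x"}))
```

The explicit rejection of unknown keys matters in practice: a misspelled key such as "mesage" would otherwise be silently ignored and the intended explanation lost.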

Azure > Compute > Availability Set > Approved > Regions

A list of Azure regions in which Azure Compute availability sets are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an Azure Compute availability set is created in a region that is not in the approved list, it will be subject to the action specified in the Azure > Compute > Availability Set > Approved policy.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/availabilitySetApprovedRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/azure-compute#/policy/types/computeApprovedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

Azure > Compute > Availability Set > Approved > Usage

Determine whether the Azure Compute availability set is allowed to exist.

This policy will be evaluated by the Approved control. If an Azure Compute availability set is not approved, it will be subject to the action specified in the Azure > Compute > Availability Set > Approved policy.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/availabilitySetApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if Azure > Compute > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if Azure > Compute > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if Azure > Compute > Enabled"
}

Azure > Compute > Availability Set > CMDB

Configure whether to record and synchronize details for the Azure Compute availability set into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the Azure > Compute > Availability Set > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/azure-compute#/policy/types/availabilitySetCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute provider is Registered",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute provider is Registered",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute provider is Registered"
}

Azure > Compute > Availability Set > Regions

A list of Azure regions in which Azure Compute availability sets are supported for use.

Any availability sets in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/azure-compute#/policy/types/availabilitySetRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/azure-compute#/policy/types/computeRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

Azure > Compute > Availability Set > Tags

Determine the action to take when Azure Compute availability set tags are not updated based on the Azure > Compute > Availability Set > Tags > * policies.

The control ensures Azure Compute availability set tags include the tags defined in Azure > Compute > Availability Set > Tags > Template.

Tags not defined in Availability Set Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/azure-compute#/policy/types/availabilitySetTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

Azure > Compute > Availability Set > Tags > Template

The template is used to generate the keys and values for the Azure Compute availability set.

Tags not defined in Availability Set Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/azure-compute#/policy/types/availabilitySetTagsTemplate
Default Template Input
[
"{\n subscription {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/azure-compute#/policy/types/computeTagsTemplate\" resourceId: \"{{ $.subscription.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
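The Tags and Tags > Template policies above give three reconciliation rules: keys in the template are enforced, keys not in the template are left untouched, and a template value of undefined deletes the tag. The following is an added example of that reconciliation for the three settings on the page ("Skip", "Check: Tags are correct", "Enforce: Set tags"); it is not Guardrails' own code, and it starts from an already-rendered template rather than running the Nunjucks above. Assumption, marked in the code: the YAML undefined value is represented by Python None.

```python
from typing import Dict, List, Optional, Tuple

# Added model of the Tags control rules on this page; not Guardrails' own code.
# Assumption: a template value of None stands for YAML "undefined".

TagMap = Dict[str, str]
Template = Dict[str, Optional[str]]


def plan_tag_changes(template: Template, current: TagMap) -> Dict[str, object]:
    """Compute the tags to set and to delete. Keys absent from the template are
    never touched; a None value in the template means delete the tag."""
    to_set: TagMap = {}
    to_delete: List[str] = []
    for key, desired in template.items():
        if desired is None:
            if key in current:
                to_delete.append(key)
        elif current.get(key) != desired:
            to_set[key] = desired
    return {"set": to_set, "delete": sorted(to_delete)}


def apply_tag_plan(current: TagMap, plan: Dict[str, object]) -> TagMap:
    """Return the tag map as it would look after the plan is applied."""
    result = dict(current)
    result.update(plan["set"])  # type: ignore[arg-type]
    for key in plan["delete"]:  # type: ignore[union-attr]
        result.pop(key, None)
    return result


def evaluate_tags(mode: str, template: Template, current: TagMap) -> Tuple[str, TagMap]:
    """Mirror the policy's three settings. Returns (status, resulting tags)."""
    if mode == "Skip":
        return ("skipped", dict(current))
    plan = plan_tag_changes(template, current)
    compliant = not plan["set"] and not plan["delete"]
    if mode == "Check: Tags are correct":
        return ("ok" if compliant else "alarm", dict(current))
    if mode == "Enforce: Set tags":
        return ("ok", apply_tag_plan(current, plan))
    raise ValueError(f"unknown Tags setting: {mode!r}")


if __name__ == "__main__":
    # Constructed sample: rendered template and the tags currently on a resource.
    template: Template = {"environment": "prod", "owner": "platform-team", "legacy": None}
    current: TagMap = {"environment": "dev", "owner": "platform-team",
                       "legacy": "yes", "cost-centre": "1234"}
    print(plan_tag_changes(template, current))
    print(evaluate_tags("Check: Tags are correct", template, current)[0])
    print(evaluate_tags("Enforce: Set tags", template, current)[1])
```

Note that "cost-centre" survives enforcement untouched because it is not in the template, while "legacy" is removed only because the template names it with an undefined value.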

Azure > Compute > Disk > Active

Determine the action to take when an Azure Compute disk is not active, based on the Azure > Compute > Disk > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Disk > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: This is in contrast with Approved, where a resource that appears to be
Unapproved for any reason is considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-compute#/policy/types/diskActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

Azure > Compute > Disk > Active > Age

The age after which the Azure Compute disk
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Disk > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note: This is in contrast with Approved, where a resource that appears to be
Unapproved for any reason is considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-compute#/policy/types/diskActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

Azure > Compute > Disk > Active > Attached

Determine whether the Disk is active, based on whether it is attached to any other resource types.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (Azure > Compute > Disk > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.

Note: This is in contrast with Approved, where a resource that appears to be Unapproved for any reason is considered Unapproved.

URI
tmod:@turbot/azure-compute#/policy/types/diskActiveAttached
Valid Value
[
"Skip",
"Active if attached",
"Force active if attached",
"Force inactive if unattached"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if attached",
"Force active if attached",
"Force inactive if unattached"
],
"example": [
"Skip"
],
"default": "Skip"
}

Azure > Compute > Disk > Active > Last Modified

The number of days since the Azure Compute disk was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Disk > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: This is in contrast with Approved, where a resource that appears to be
Unapproved for any reason is considered Unapproved.

URI
tmod:@turbot/azure-compute#/policy/types/diskActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

Azure > Compute > Disk > Approved

Determine the action to take when an Azure Compute disk is not approved based on Azure > Compute > Disk > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/diskApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

Azure > Compute > Disk > Approved > Custom

Determine whether the Azure Compute disk is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Compute disk is not approved, it will be subject to the action specified in the Azure > Compute > Disk > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/azure-compute#/policy/types/diskApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

Azure > Compute > Disk > Approved > Regions

A list of Azure regions in which Azure Compute disks are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an Azure Compute disk is created in a region that is not in the approved list, it will be subject to the action specified in the Azure > Compute > Disk > Approved policy.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/diskApprovedRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/azure-compute#/policy/types/computeApprovedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

Azure > Compute > Disk > Approved > Usage

Determine whether the Azure Compute disk is allowed to exist.

This policy will be evaluated by the Approved control. If an Azure Compute disk is not approved, it will be subject to the action specified in the Azure > Compute > Disk > Approved policy.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/diskApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if Azure > Compute > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if Azure > Compute > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if Azure > Compute > Enabled"
}

Azure > Compute > Disk > CMDB

Configure whether to record and synchronize details for the Azure Compute disk into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the Azure > Compute > Disk > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/azure-compute#/policy/types/diskCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute provider is Registered",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute provider is Registered",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute provider is Registered"
}

Azure > Compute > Disk > Regions

A list of Azure regions in which Azure Compute disks are supported for use.

Any disks in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/azure-compute#/policy/types/diskRegions
Schema
{
"allOf": [
{
"$ref": "azure#/definitions/regionNameMatcherList"
},
{
"default": [
"australiacentral",
"australiaeast",
"australiasoutheast",
"brazilsouth",
"canadacentral",
"canadaeast",
"centralindia",
"centralus",
"chinaeast",
"chinaeast2",
"chinaeast3",
"chinanorth",
"chinanorth2",
"chinanorth3",
"eastasia",
"eastus",
"eastus2",
"francecentral",
"germanywestcentral",
"japaneast",
"japanwest",
"koreacentral",
"koreasouth",
"northcentralus",
"northeurope",
"norwayeast",
"southafricanorth",
"southcentralus",
"southeastasia",
"southindia",
"switzerlandnorth",
"uaenorth",
"uksouth",
"ukwest",
"usgovarizona",
"usgovtexas",
"usgovvirginia",
"westcentralus",
"westeurope",
"westindia",
"westus",
"westus2"
]
}
]
}
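Both the Approved > Regions policies and the Regions (CMDB) policies on this page take an array of region names with '*' and '?' wildcards, but they act differently on a miss: an unapproved region is handed to the Approved control, while a region outside the Regions list is deleted from the CMDB. The following is an added matcher that demonstrates both decisions; it is not Guardrails' own matcher. Assumptions, marked in the code: '*' matches any run of characters, '?' exactly one, the whole name must match (no substring matches), and names compare case-insensitively. The sample supported list is a constructed subset of the Disk > Regions default above.

```python
import re
from typing import Iterable, List

# Added wildcard matcher for the region lists on this page; not Guardrails' own
# code. Assumptions: '*' = any run, '?' = one character, whole-name match,
# case-insensitive comparison.

# Constructed sample: a subset of the Disk > Regions default list on this page.
SAMPLE_SUPPORTED = ["eastus", "eastus2", "westeurope", "northeurope",
                    "uksouth", "ukwest", "usgovvirginia"]


def _to_regex(pattern: str):
    """Turn a '*'/'?' pattern into an anchored regex; every other character,
    including '[' and ']', is matched literally."""
    escaped = re.escape(pattern.lower())
    return re.compile("^" + escaped.replace(r"\*", ".*").replace(r"\?", ".") + "$")


def region_matches(region: str, patterns: Iterable[str]) -> bool:
    """True if the region name matches at least one pattern in the list."""
    name = region.lower()
    return any(_to_regex(p).match(name) for p in patterns)


def unmatched(regions: Iterable[str], patterns: Iterable[str]) -> List[str]:
    """Regions from the input that no pattern covers, in input order."""
    patterns = list(patterns)
    return [r for r in regions if not region_matches(r, patterns)]


def cmdb_action(region: str, supported: Iterable[str]) -> str:
    """Regions policy: a resource outside the list is removed from the CMDB."""
    return "record" if region_matches(region, supported) else "delete from CMDB"


def approval_status(region: str, approved: Iterable[str]) -> str:
    """Approved > Regions: a resource outside the list is Not approved and is
    then subject to the resource's Approved policy."""
    return "Approved" if region_matches(region, approved) else "Not approved"


if __name__ == "__main__":
    approved_patterns = ["eastus*", "*europe"]
    for region in ["eastus2", "usgovvirginia", "westeurope", "brazilsouth"]:
        print(region, cmdb_action(region, SAMPLE_SUPPORTED),
              approval_status(region, approved_patterns))
    print(unmatched(SAMPLE_SUPPORTED, approved_patterns))
```

Escaping the pattern before substituting the two wildcards is the point of `_to_regex`: a list entry such as "[a-z]*" must not turn into a character class, otherwise a typo in the policy value could match far more regions than intended.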

Azure > Compute > Disk > Tags

Determine the action to take when Azure Compute disk tags are not updated based on the Azure > Compute > Disk > Tags > * policies.

The control ensures Azure Compute disk tags include the tags defined in Azure > Compute > Disk > Tags > Template.

Tags not defined in Disk Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/azure-compute#/policy/types/diskTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

Azure > Compute > Disk > Tags > Template

The template is used to generate the keys and values for the Azure Compute disk.

Tags not defined in Disk Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/azure-compute#/policy/types/diskTagsTemplate
Default Template Input
[
"{\n subscription {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/azure-compute#/policy/types/computeTagsTemplate\" resourceId: \"{{ $.subscription.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Azure > Compute > Disk Encryption Set > Active

Determine the action to take when an Azure Compute disk encryption set is not active, based on the Azure > Compute > Disk Encryption Set > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Disk Encryption Set > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: This is in contrast with Approved, where a resource that appears to be
Unapproved for any reason is considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-compute#/policy/types/diskEncryptionSetActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

Azure > Compute > Disk Encryption Set > Active > Age

The age after which the Azure Compute disk encryption set is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Disk Encryption Set > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note: This is in contrast with Approved, where a resource that appears to be Unapproved
for any reason is considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-compute#/policy/types/diskEncryptionSetActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

Azure > Compute > Disk Encryption Set > Active > Last Modified

The number of days since the Azure Compute disk encryption set was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Disk Encryption Set > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: This is in contrast with Approved, where a resource that appears to be
Unapproved for any reason is considered Unapproved.

URI
tmod:@turbot/azure-compute#/policy/types/diskEncryptionSetActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}
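The Active entries above (Azure > Compute > Disk Encryption Set > Active, > Active > Age and > Active > Last Modified) describe three pieces of logic: each sub-policy yields active, inactive or skipped; the day threshold is embedded in the policy value string; and the Active control treats "active for any reason" as active, the mirror image of the Approved control's "unapproved for any reason". The Python below is an added illustration of that combination, not Guardrails' own implementation. Where the page does not spell out a detail, the code states its assumption in a comment: an Age sub-policy whose threshold is not exceeded is taken to express no opinion (skipped), and the "Active if" and "Force active if" forms of the Last Modified policy are treated alike. Resource ages are passed as day counts, with the discovery time standing in when the create time is unknown, as the Age entry says.

```python
import re

ACTIVE, INACTIVE, SKIPPED = "active", "inactive", "skipped"

# The day count sits at the end of every non-Skip value in the Valid Value
# lists, e.g. "Force inactive if age > 90 days" or "Active if last modified <= 1 day".
_DAYS_RE = re.compile(r"(\d+) days?$")


def threshold_days(policy_value):
    """Return the day threshold embedded in a policy value, or None for 'Skip'."""
    if policy_value == "Skip":
        return None
    match = _DAYS_RE.search(policy_value)
    if match is None:
        raise ValueError(f"unrecognised policy value: {policy_value!r}")
    return int(match.group(1))


def age_status(policy_value, created_days_ago, discovered_days_ago):
    """Active > Age: inactive once the resource is older than the threshold.

    created_days_ago may be None, in which case the discovery time is used,
    as the policy description states. Assumption (not stated on the page):
    a resource younger than the threshold gets no opinion from this sub-policy.
    """
    days = threshold_days(policy_value)
    if days is None:
        return SKIPPED
    age = created_days_ago if created_days_ago is not None else discovered_days_ago
    return INACTIVE if age > days else SKIPPED


def last_modified_status(policy_value, modified_days_ago):
    """Active > Last Modified: active if modified within the threshold, inactive after it.

    Assumption: the 'Active if' and 'Force active if' values are handled the same way here.
    """
    days = threshold_days(policy_value)
    if days is None:
        return SKIPPED
    return ACTIVE if modified_days_ago <= days else INACTIVE


def active_control(statuses):
    """Combine Active sub-policy statuses: active for any reason wins,
    inactive only when nothing says active, skipped when every sub-policy skipped."""
    if ACTIVE in statuses:
        return ACTIVE
    if INACTIVE in statuses:
        return INACTIVE
    return SKIPPED


def approved_control(results):
    """Combine Approved sub-policy results: 'Not approved' for any reason wins."""
    if "Not approved" in results:
        return "Not approved"
    if "Approved" in results:
        return "Approved"
    return "Skip"


def evaluate_active(age_policy, last_modified_policy, resource):
    """Run both sub-policies over one resource (a dict of day counts) and combine them."""
    statuses = [
        age_status(age_policy, resource.get("created_days_ago"), resource["discovered_days_ago"]),
        last_modified_status(last_modified_policy, resource["modified_days_ago"]),
    ]
    return active_control(statuses)


if __name__ == "__main__":
    # Constructed sample: an old disk encryption set that was touched recently.
    sample = {"created_days_ago": 400, "discovered_days_ago": 380, "modified_days_ago": 10}
    print(evaluate_active("Force inactive if age > 365 days",
                          "Active if last modified <= 30 days", sample))
```

Run stand-alone, the sample prints `active`: the Age sub-policy votes inactive, the Last Modified sub-policy votes active, and under the Active control's rule one active vote is enough. Feed the same two votes into the Approved aggregation and the unfavourable vote wins instead, which is exactly the asymmetry the Note describes.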

Azure > Compute > Disk Encryption Set > Approved

Determine the action to take when an Azure Compute disk encryption set is not approved based on Azure > Compute > Disk Encryption Set > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/diskEncryptionSetApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

Azure > Compute > Disk Encryption Set > Approved > Custom

Determine whether the Azure Compute disk encryption set is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Compute disk encryption set is not approved, it will be subject to the action specified in the Azure > Compute > Disk Encryption Set > Approved policy.
See Approved for more information.

Note: The policy value must be either a string with a value of Approved, Not approved or Skip, or one or more YAML objects. Each object must contain the key result with a value of Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/azure-compute#/policy/types/diskEncryptionSetApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

Azure > Compute > Disk Encryption Set > Approved > Regions

A list of Azure regions in which Azure Compute disk encryption sets are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an Azure Compute disk encryption set is created in a region that is not in the approved list, it will be subject to the action specified in the Azure > Compute > Disk Encryption Set > Approved policy.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/diskEncryptionSetApprovedRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/azure-compute#/policy/types/computeApprovedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

Azure > Compute > Disk Encryption Set > Approved > Usage

Determine whether the Azure Compute disk encryption set is allowed to exist.

This policy will be evaluated by the Approved control. If an Azure Compute disk encryption set is not approved, it will be subject to the action specified in the Azure > Compute > Disk Encryption Set > Approved policy.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/diskEncryptionSetApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if Azure > Compute > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if Azure > Compute > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if Azure > Compute > Enabled"
}

Azure > Compute > Disk Encryption Set > CMDB

Configure whether to record and synchronize details for the Azure Compute disk encryption set into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the resource's region is not in the Azure > Compute > Disk Encryption Set > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/azure-compute#/policy/types/diskEncryptionSetCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute provider is Registered",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute provider is Registered",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute provider is Registered"
}

Azure > Compute > Disk Encryption Set > Regions

A list of Azure regions in which Azure Compute disk encryption sets are supported for use.

Any disk encryption sets in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/azure-compute#/policy/types/diskEncryptionSetRegions
Schema
{
"allOf": [
{
"$ref": "azure#/definitions/regionNameMatcherList"
},
{
"default": [
"australiacentral",
"australiaeast",
"australiasoutheast",
"brazilsouth",
"canadacentral",
"canadaeast",
"centralindia",
"centralus",
"chinaeast",
"chinaeast2",
"chinaeast3",
"chinanorth",
"chinanorth2",
"chinanorth3",
"eastasia",
"eastus",
"eastus2",
"francecentral",
"germanywestcentral",
"japaneast",
"japanwest",
"koreacentral",
"koreasouth",
"northcentralus",
"northeurope",
"norwayeast",
"southafricanorth",
"southcentralus",
"southeastasia",
"southindia",
"switzerlandnorth",
"uaenorth",
"uksouth",
"ukwest",
"usgovarizona",
"usgovtexas",
"usgovvirginia",
"westcentralus",
"westeurope",
"westindia",
"westus",
"westus2"
]
}
]
}

Azure > Compute > Disk Encryption Set > Tags

Determine the action to take when the tags of an Azure Compute disk encryption set are not up to date, based on the Azure > Compute > Disk Encryption Set > Tags > * policies.

The control ensures that Azure Compute disk encryption set tags include the tags defined in Azure > Compute > Disk Encryption Set > Tags > Template.

Tags not defined in Disk Encryption Set Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/azure-compute#/policy/types/diskEncryptionSetTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

Azure > Compute > Disk Encryption Set > Tags > Template

The template is used to generate the tag keys and values for the Azure Compute disk encryption set.

Tags not defined in Disk Encryption Set Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/azure-compute#/policy/types/diskEncryptionSetTagsTemplate
Default Template Input
[
"{\n subscription {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/azure-compute#/policy/types/computeTagsTemplate\" resourceId: \"{{ $.subscription.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Azure > Compute > Enabled

Enable the Azure Compute service.

URI
tmod:@turbot/azure-compute#/policy/types/computeEnabled
Valid Value
[
"Enabled",
"Enabled: Metadata Only",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Enabled: Metadata Only",
"Disabled"
],
"example": [
"Enabled"
],
"default": "Disabled"
}

Azure > Compute > Image > Active

Determine the action to take when an Azure Compute image is not active, based on the Azure > Compute > Image > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Image > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: This is in contrast with Approved, where a resource that appears to be
Unapproved for any reason is considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-compute#/policy/types/imageActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

Azure > Compute > Image > Active > Age

The age after which the Azure Compute image is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Image > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note: This is in contrast with Approved, where a resource that appears to be Unapproved
for any reason is considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-compute#/policy/types/imageActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

Azure > Compute > Image > Active > Last Modified

The number of days since the Azure Compute image was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Image > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: This is in contrast with Approved, where a resource that appears to be
Unapproved for any reason is considered Unapproved.

URI
tmod:@turbot/azure-compute#/policy/types/imageActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

Azure > Compute > Image > Approved

Determine the action to take when an Azure Compute image is not approved based on Azure > Compute > Image > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/imageApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

Azure > Compute > Image > Approved > Custom

Determine whether the Azure Compute image is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Compute image is not approved, it will be subject to the action specified in the Azure > Compute > Image > Approved policy.
See Approved for more information.

Note: The policy value must be either a string with a value of Approved, Not approved or Skip, or one or more YAML objects. Each object must contain the key result with a value of Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/azure-compute#/policy/types/imageApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}
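The Approved > Custom entries for disk encryption sets and images (above) both accept a bare result string, one object, or an array of objects, and their schemas constrain the title to 1 to 32 characters, the message to 1 to 128 characters, the result to Approved, Not approved or Skip, and forbid any other key. A policy value that violates the schema is rejected rather than silently evaluated, so it is worth checking values before setting them. The Python below is an added example of that check, not part of Guardrails or the mod; it validates an already-parsed value (the YAML having been loaded into Python strings, dicts and lists) against the same patterns the schema states. The overall_result helper resolves a list of objects to one result; the page does not say how Guardrails does this, so the example assumes that any Not approved entry makes the resource Not approved, matching the Approved control's "not approved for any reason" rule.

```python
import re

# Patterns copied from the schema's "pattern" fields. [\W\w] matches any character.
RESULT_RE = re.compile(r"^(Approved|Not approved|Skip)$")
TITLE_RE = re.compile(r"^[\W\w]{1,32}$")
MESSAGE_RE = re.compile(r"^[\W\w]{1,128}$")
ALLOWED_KEYS = {"title", "message", "result"}   # "additionalProperties": false


def validate_entry(entry):
    """Check one object against the schema's object branch; return a list of problems."""
    if not isinstance(entry, dict):
        return [f"expected an object, got {type(entry).__name__}"]
    problems = []
    extra = set(entry) - ALLOWED_KEYS
    if extra:
        problems.append(f"additional properties are not allowed: {sorted(extra)}")
    if "result" not in entry:
        problems.append("missing required key 'result'")
    elif not (isinstance(entry["result"], str) and RESULT_RE.match(entry["result"])):
        problems.append(f"result must be Approved, Not approved or Skip, got {entry['result']!r}")
    for key, pattern, limit in (("title", TITLE_RE, 32), ("message", MESSAGE_RE, 128)):
        if key in entry and not (isinstance(entry[key], str) and pattern.match(entry[key])):
            problems.append(f"{key} must be a string of 1 to {limit} characters")
    return problems


def validate_custom_policy(value):
    """Check a whole policy value: string, object or array of objects.

    Returns an empty list when the value satisfies the schema's anyOf,
    otherwise one message per problem, prefixed with the array index where relevant.
    """
    if isinstance(value, str):
        return [] if RESULT_RE.match(value) else [
            f"string must be Approved, Not approved or Skip, got {value!r}"]
    if isinstance(value, dict):
        return validate_entry(value)
    if isinstance(value, list):
        problems = []
        for index, entry in enumerate(value):
            problems.extend(f"[{index}] {p}" for p in validate_entry(entry))
        return problems
    return [f"unsupported value type {type(value).__name__}"]


def overall_result(value):
    """Resolve a schema-valid value to a single result.

    Assumption (not stated on the page): in an array, any 'Not approved' entry
    wins, then 'Approved', and a list of nothing but 'Skip' resolves to 'Skip'.
    """
    if validate_custom_policy(value):
        raise ValueError("policy value does not satisfy the schema")
    if isinstance(value, str):
        return value
    if isinstance(value, dict):
        return value["result"]
    results = [entry["result"] for entry in value]
    if "Not approved" in results:
        return "Not approved"
    if "Approved" in results:
        return "Approved"
    return "Skip"


if __name__ == "__main__":
    # Constructed sample: the shape of the third and fourth schema examples.
    sample = [
        {"title": "encryption", "result": "Approved", "message": "CMK in use"},
        {"title": "naming", "result": "Not approved", "message": "name breaks convention"},
    ]
    print(validate_custom_policy(sample), overall_result(sample))
```

Because the title and message limits are enforced by the schema, a value with an over-long message fails validation before any control runs; the check above reports that with the offending key so the policy author can shorten it rather than guess at the error.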

Azure > Compute > Image > Approved > Regions

A list of Azure regions in which Azure Compute images are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an Azure Compute image is created in a region that is not in the approved list, it will be subject to the action specified in the Azure > Compute > Image > Approved policy.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/imageApprovedRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/azure-compute#/policy/types/computeApprovedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

Azure > Compute > Image > Approved > Usage

Determine whether the Azure Compute image is allowed to exist.

This policy will be evaluated by the Approved control. If an Azure Compute image is not approved, it will be subject to the action specified in the Azure > Compute > Image > Approved policy.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/imageApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if Azure > Compute > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if Azure > Compute > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if Azure > Compute > Enabled"
}

Azure > Compute > Image > CMDB

Configure whether to record and synchronize details for the Azure Compute image into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the resource's region is not in the Azure > Compute > Image > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/azure-compute#/policy/types/imageCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute provider is Registered",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute provider is Registered",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute provider is Registered"
}

Azure > Compute > Image > Regions

A list of Azure regions in which Azure Compute images are supported for use.

Any images in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/azure-compute#/policy/types/imageRegions
Schema
{
"allOf": [
{
"$ref": "azure#/definitions/regionNameMatcherList"
},
{
"default": [
"australiacentral",
"australiaeast",
"australiasoutheast",
"brazilsouth",
"canadacentral",
"canadaeast",
"centralindia",
"centralus",
"chinaeast",
"chinaeast2",
"chinaeast3",
"chinanorth",
"chinanorth2",
"chinanorth3",
"eastasia",
"eastus",
"eastus2",
"francecentral",
"germanywestcentral",
"japaneast",
"japanwest",
"koreacentral",
"koreasouth",
"northcentralus",
"northeurope",
"norwayeast",
"southafricanorth",
"southcentralus",
"southeastasia",
"southindia",
"switzerlandnorth",
"uaenorth",
"uksouth",
"ukwest",
"usgovarizona",
"usgovtexas",
"usgovvirginia",
"westcentralus",
"westeurope",
"westindia",
"westus",
"westus2"
]
}
]
}

Azure > Compute > Image > Tags

Determine the action to take when the tags of an Azure Compute image are not up to date, based on the Azure > Compute > Image > Tags > * policies.

The control ensures that Azure Compute image tags include the tags defined in Azure > Compute > Image > Tags > Template.

Tags not defined in Image Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/azure-compute#/policy/types/imageTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

Azure > Compute > Image > Tags > Template

The template is used to generate the tag keys and values for the Azure Compute image.

Tags not defined in Image Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/azure-compute#/policy/types/imageTagsTemplate
Default Template Input
[
"{\n subscription {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/azure-compute#/policy/types/computeTagsTemplate\" resourceId: \"{{ $.subscription.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Azure > Compute > Image > Trusted Publishers

A list of trusted publishers whose images will be allowed to run in the subscription. All others will be disabled.

URI
tmod:@turbot/azure-compute#/policy/types/imageTrustedPublishers
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

Azure > Compute > Image > Trusted Publishers > Custom - list of publishers

A list of publishers whose Images are allowed to be run in the subscription.

URI
tmod:@turbot/azure-compute#/policy/types/imageTrustedPublishersCustom
Schema
{
"type": "array",
"items": {
"type": "string"
},
"default": []
}

Azure > Compute > Image > Trusted Publishers > Local

Determine whether local images (those from this Azure subscription) may be used to launch and run Compute virtual machines.

URI
tmod:@turbot/azure-compute#/policy/types/imageTrustedPublishersLocal
Valid Value
[
"Enabled",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled"
],
"example": [
"Enabled"
],
"default": "Enabled"
}

Azure > Compute > Image > Trusted Publishers > RHEL

Determine whether images from the RHEL Server publisher may be used to launch and run Compute virtual machines.

URI
tmod:@turbot/azure-compute#/policy/types/imageTrustedPublishersRhel
Valid Value
[
"Enabled",
"Disabled",
"Enabled if Azure > Compute > Virtual Machine > Approved > Image > RHEL Server * is Enabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled",
"Enabled if Azure > Compute > Virtual Machine > Approved > Image > RHEL Server * is Enabled"
],
"example": [
"Enabled if Azure > Compute > Virtual Machine > Approved > Image > RHEL Server * is Enabled"
],
"default": "Enabled if Azure > Compute > Virtual Machine > Approved > Image > RHEL Server * is Enabled"
}

Azure > Compute > Image > Trusted Publishers > Ubuntu

Determine whether the Ubuntu Server publisher Images may be used to launch and run Compute Virtual Machines.

URI
tmod:@turbot/azure-compute#/policy/types/imageTrustedPublishersUbuntu
Valid Value
[
"Enabled",
"Disabled",
"Enabled if Azure > Compute > Virtual Machine > Approved > Image > Ubuntu Server * is Enabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled",
"Enabled if Azure > Compute > Virtual Machine > Approved > Image > Ubuntu Server * is Enabled"
],
"example": [
"Enabled if Azure > Compute > Virtual Machine > Approved > Image > Ubuntu Server * is Enabled"
],
"default": "Enabled if Azure > Compute > Virtual Machine > Approved > Image > Ubuntu Server * is Enabled"
}

Azure > Compute > Image > Trusted Publishers > Windows Server

Determine whether the Microsoft Windows Server publisher Images may be used to launch and run Compute Virtual Machines.

URI
tmod:@turbot/azure-compute#/policy/types/imageTrustedPublishersWindows
Valid Value
[
"Enabled",
"Disabled",
"Enabled if Azure > Compute > Virtual Machine > Approved > Image > Windows Server * is Enabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled",
"Enabled if Azure > Compute > Virtual Machine > Approved > Image > Windows Server * is Enabled"
],
"example": [
"Enabled if Azure > Compute > Virtual Machine > Approved > Image > Windows Server * is Enabled"
],
"default": "Enabled if Azure > Compute > Virtual Machine > Approved > Image > Windows Server * is Enabled"
}

Azure > Compute > Permissions

Configure whether permissions policies are in effect for Azure Compute. This setting does not affect Subscription level permissions (Azure/Admin, Azure/Owner, etc.).

URI
tmod:@turbot/azure-compute#/policy/types/computePermissions
Valid Value
[
"Enabled",
"Disabled",
"Enabled if Azure > Compute > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled",
"Enabled if Azure > Compute > Enabled"
],
"example": [
"Enabled"
],
"default": "Enabled if Azure > Compute > Enabled"
}

Azure > Compute > Permissions > Levels

Define the permissions levels that can be used to grant access to Compute in an
Azure Subscription. Permissions levels defined here will appear in the UI to assign
access to Guardrails users.

URI
tmod:@turbot/azure-compute#/policy/types/computePermissionsLevels
Default Template Input
[
"{\n item: subscription {\n turbot{\n id\n }\n }\n}\n",
"{\n availableLevels: policyValues(filter:\"policyTypeLevel:self resourceId:{{ $.item.turbot.id }} policyTypeId:'tmod:@turbot/azure-iam#/policy/types/permissionsLevelsDefault'\") {\n items {\n value\n }\n }\n}\n"
]
Default Template
"{% if $.availableLevels.items[0].value | length == 0 %} [] {% endif %}{% for item in $.availableLevels.items[0].value %}- {{ item }}\n{% endfor %}"
Schema
{
"type": "array",
"items": {
"type": "string",
"enum": [
"User",
"Metadata",
"ReadOnly",
"Operator",
"Admin",
"Owner"
]
}
}

Azure > Compute > Permissions > Levels > Modifiers

A map of Azure API to Guardrails Permission Level used to customize Guardrails'
standard permissions. You can add, remove or redefine the mapping of
Azure API operations to Guardrails permissions levels here.

Example:
- "Microsoft.Compute/Compute/delete": operator
- "Microsoft.Compute/Compute/write": admin
- "Microsoft.Compute/Compute/read": readonly

URI
tmod:@turbot/azure-compute#/policy/types/computePermissionsLevelsModifiers

Azure > Compute > Regions

A list of Azure regions in which Azure Compute resources are supported for use.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

This policy is the default value for all Azure Compute resources' Regions policies.

URI
tmod:@turbot/azure-compute#/policy/types/computeRegionsDefault
Schema
{
"allOf": [
{
"$ref": "azure#/definitions/regionNameMatcherList"
},
{
"default": [
"australiacentral",
"australiaeast",
"australiasoutheast",
"brazilsouth",
"canadacentral",
"canadaeast",
"centralindia",
"centralus",
"chinaeast",
"chinaeast2",
"chinaeast3",
"chinanorth",
"chinanorth2",
"chinanorth3",
"eastasia",
"eastus",
"eastus2",
"francecentral",
"germanywestcentral",
"japaneast",
"japanwest",
"koreacentral",
"koreasouth",
"northcentralus",
"northeurope",
"southafricanorth",
"southcentralus",
"southeastasia",
"southindia",
"uaenorth",
"uksouth",
"ukwest",
"usgovarizona",
"usgoviowa",
"usgovtexas",
"usgovvirginia",
"westcentralus",
"westeurope",
"westindia",
"westus",
"westus2"
]
}
]
}
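The Regions and Approved > Regions policies on this page take an array of region names with '*' and '?' wildcards, and the two lists play different roles: a resource outside Regions is never recorded in CMDB, while a recorded resource outside Approved > Regions is flagged by the Approved control. The following is an added example, not Guardrails' own matcher. It assumes the wildcards behave like shell globs ('*' any run of characters, '?' exactly one character) and that region names are compared case-insensitively after removing spaces; the resource names and policy values are constructed.

```python
"""Region policy matching with the '*' and '?' wildcards.

Added example, not Guardrails' own matcher. It assumes the wildcards behave
like shell globs ('*' = any run of characters, '?' = exactly one character)
and that region names are compared case-insensitively after removing spaces.
All resource names and policy values below are constructed sample data.
"""
from fnmatch import fnmatchcase

# Subset of the default region list from the Azure > Compute > Regions schema.
DEFAULT_REGIONS = [
    "eastus", "eastus2", "westus", "westus2", "westeurope", "northeurope",
    "usgovarizona", "usgovtexas", "usgovvirginia", "chinaeast", "chinanorth2",
]


def normalize(region: str) -> str:
    """Azure region identifiers are lower-case with no spaces; fold input the same way."""
    return region.replace(" ", "").lower()


def region_matches(region: str, patterns: list[str]) -> bool:
    """True if the region matches any pattern in the policy value."""
    wanted = normalize(region)
    return any(fnmatchcase(wanted, normalize(p)) for p in patterns)


def classify(region: str, supported: list[str], approved: list[str]) -> str:
    """Apply the two region policies in the order the page describes.

    Regions (supported)  -> a resource outside it is not recorded in CMDB at all
    Approved > Regions   -> a recorded resource outside it is Not approved
    """
    if not region_matches(region, supported):
        return "not recorded"
    if not region_matches(region, approved):
        return "unapproved"
    return "approved"


def evaluate(resources: dict[str, str], supported: list[str], approved: list[str]) -> dict[str, str]:
    """Classify every resource (name -> region) against both policies."""
    return {name: classify(region, supported, approved) for name, region in resources.items()}


# Constructed sample: snapshot name -> region as returned by the API (or a display name).
SAMPLE_RESOURCES = {
    "snap-prod-01": "eastus",
    "snap-prod-02": "westeurope",
    "snap-gov-01": "usgovvirginia",
    "snap-west-01": "westus",        # '?' needs exactly one extra character, so westus? misses this
    "snap-west-02": "westus2",
    "snap-lab-01": "East US 2",      # display-name form; normalized to eastus2 before matching
    "snap-lab-02": "norwayeast",     # not in the supported list at all
}

# Constructed policy values: record everything the module default supports,
# but approve only the US commercial regions.
SUPPORTED = DEFAULT_REGIONS
APPROVED = ["eastus*", "westus?"]

if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLE_RESOURCES, SUPPORTED, APPROVED).items():
        print(f"{name:14} {verdict}")
```

The `snap-west-01` case is the one to watch when writing a policy value: `westus?` requires exactly one character after `westus`, so it admits `westus2` but not `westus` itself; use `westus*` if both are intended.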

Azure > Compute > Snapshot > Active

Determine the action to take when an Azure Compute snapshot is inactive, based on the Azure > Compute > Snapshot > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Snapshot > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: This is in contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-compute#/policy/types/snapshotActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

Azure > Compute > Snapshot > Active > Age

The age after which the Azure Compute snapshot is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Snapshot > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note: This is in contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-compute#/policy/types/snapshotActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

Azure > Compute > Snapshot > Active > Last Modified

The number of days since the Azure Compute snapshot was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Snapshot > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: This is in contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/azure-compute#/policy/types/snapshotActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

Azure > Compute > Snapshot > Approved

Determine the action to take when an Azure Compute snapshot is not approved based on Azure > Compute > Snapshot > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/snapshotApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}
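The Active entries above and the Approved entry here describe two opposite aggregation rules: an Active control considers the resource Active if any Active sub-policy reports active, while an Approved control considers it Unapproved if any Approved sub-policy reports not approved; the Approved control additionally limits "if new" enforcement to resources created within the last 60 minutes. The following is an added example that encodes only those stated rules; it is not Guardrails' own implementation, and the sub-policy statuses, timestamps and snapshot names are constructed.

```python
"""Aggregation rules for Guardrails Active and Approved controls.

Added example, not Guardrails' own implementation. It encodes only what the
page states: an Active control treats the resource as active if any Active
sub-policy reports active; an Approved control treats it as Not approved if
any Approved sub-policy reports not approved; and "... if new" enforcement
applies only to resources created within the last 60 minutes. Sub-policy
statuses, timestamps and names below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

ACTIVE, INACTIVE, SKIPPED = "active", "inactive", "skipped"
APPROVED, NOT_APPROVED, SKIP = "Approved", "Not approved", "Skip"
NEW_WINDOW = timedelta(minutes=60)  # the "if new" window stated on the page


def aggregate_active(statuses: list[str]) -> str:
    """Any 'active' verdict makes the resource Active; skipped sub-policies do not count."""
    considered = [s for s in statuses if s != SKIPPED]
    if not considered:
        return SKIPPED
    return ACTIVE if ACTIVE in considered else INACTIVE


def aggregate_approved(statuses: list[str]) -> str:
    """Any 'Not approved' verdict makes the resource Not approved (the inverse of Active)."""
    considered = [s for s in statuses if s != SKIP]
    if not considered:
        return SKIP
    return NOT_APPROVED if NOT_APPROVED in considered else APPROVED


def approved_control(policy: str, sub_statuses: list[str], created_at: datetime, now: datetime) -> str:
    """Decide what the Approved control does for one resource.

    Returns one of: 'skip', 'ok', 'alarm', 'alarm (too old to enforce)', 'delete'.
    """
    if policy == "Skip":
        return "skip"
    if aggregate_approved(sub_statuses) != NOT_APPROVED:
        return "ok"
    if policy == "Check: Approved":
        return "alarm"
    if policy == "Enforce: Delete unapproved if new":
        # "if new" enforcement applies only inside the 60-minute window; older
        # resources still raise the alarm but are not deleted.
        if now - created_at <= NEW_WINDOW:
            return "delete"
        return "alarm (too old to enforce)"
    raise ValueError(f"unknown policy value: {policy!r}")


# Constructed evaluation time and snapshots. Each snapshot carries the verdicts of
# its two Approved sub-policies in the order (Usage, Regions).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SNAPSHOTS = {
    "snap-new": {"created_at": NOW - timedelta(minutes=10), "approved": [APPROVED, NOT_APPROVED]},
    "snap-old": {"created_at": NOW - timedelta(days=40), "approved": [APPROVED, NOT_APPROVED]},
    "snap-ok": {"created_at": NOW - timedelta(days=3), "approved": [APPROVED, SKIP]},
}


def run(policy: str) -> dict[str, str]:
    """Apply one Approved policy value to every constructed snapshot."""
    return {
        name: approved_control(policy, s["approved"], s["created_at"], NOW)
        for name, s in SNAPSHOTS.items()
    }


if __name__ == "__main__":
    print("Active  :", aggregate_active([SKIPPED, INACTIVE, ACTIVE]))
    print("Approved:", aggregate_approved([APPROVED, NOT_APPROVED]))
    for policy in ("Check: Approved", "Enforce: Delete unapproved if new"):
        print(policy, "->", run(policy))
```

The asymmetry matters operationally: a single "Force active" sub-policy (for example a recent Last Modified) protects a resource from cleanup, while a single unapproved region or usage verdict is enough to trigger the Approved action, so the Approved policy is the one to stage as "Check" before moving to "Enforce".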

Azure > Compute > Snapshot > Approved > Custom

Determine whether the Azure Compute snapshot is allowed to exist.

This policy will be evaluated by the Approved control. If an Azure Compute snapshot is not approved, it will be subject to the action specified in the Azure > Compute > Snapshot > Approved policy.

See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/azure-compute#/policy/types/snapshotApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}
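The schema above accepts three shapes for an Approved > Custom value: a bare result string, a single result object, or an array of result objects, each object limited to the keys title (1-32 characters), message (1-128 characters) and the required result. The following is an added example validator that checks an already-parsed value (for instance the output of a YAML loader) against those branches; it is not Guardrails' own validation code, and the sample values are constructed. One caveat it makes visible: the Note above says result must be Approved or Not approved, but the schema's pattern also admits Skip, so the validator follows the schema.

```python
"""Validate an Approved > Custom policy value against the schema shown above.

Added example, not Guardrails' own validator. It checks an already-parsed
value (str, dict, or list of dicts, e.g. the output of a YAML loader) against
the three 'anyOf' branches of the schema: a bare result string, a single
result object, or an array of result objects. Patterns and limits are taken
from the schema on the page; the sample values at the bottom are constructed.
"""
import re

RESULT_RE = re.compile(r"^(Approved|Not approved|Skip)$")
TITLE_RE = re.compile(r"^[\W\w]{1,32}$")       # any character, 1-32 long
MESSAGE_RE = re.compile(r"^[\W\w]{1,128}$")    # any character, 1-128 long
ALLOWED_KEYS = {"title", "message", "result"}  # additionalProperties: false


def _check_object(obj, path: str) -> list[str]:
    """Validate one result object; return a list of human-readable errors."""
    if not isinstance(obj, dict):
        return [f"{path}: expected an object, got {type(obj).__name__}"]
    errors = []
    extra = sorted(set(obj) - ALLOWED_KEYS)
    if extra:
        errors.append(f"{path}: additional properties not allowed: {extra}")
    if "result" not in obj:
        errors.append(f"{path}: 'result' is required")
    elif not (isinstance(obj["result"], str) and RESULT_RE.match(obj["result"])):
        errors.append(f"{path}.result: must be Approved, Not approved or Skip")
    for key, pattern, limit in (("title", TITLE_RE, 32), ("message", MESSAGE_RE, 128)):
        if key in obj and not (isinstance(obj[key], str) and pattern.match(obj[key])):
            errors.append(f"{path}.{key}: must be a string of 1-{limit} characters")
    return errors


def validate_custom(value) -> list[str]:
    """Return validation errors for a Custom policy value; an empty list means valid."""
    if isinstance(value, str):
        if RESULT_RE.match(value):
            return []
        return [f"$: must be Approved, Not approved or Skip, got {value!r}"]
    if isinstance(value, dict):
        return _check_object(value, "$")
    if isinstance(value, list):
        errors = []
        for i, item in enumerate(value):
            errors.extend(_check_object(item, f"$[{i}]"))
        return errors
    return [f"$: unsupported type {type(value).__name__}"]


def results(value) -> list[str]:
    """Normalize a valid value to the list of result strings it carries."""
    if validate_custom(value):
        raise ValueError("invalid Custom policy value")
    if isinstance(value, str):
        return [value]
    if isinstance(value, dict):
        return [value["result"]]
    return [item["result"] for item in value]


# Constructed sample values, in the shape a YAML loader would hand them back.
SAMPLES = {
    "bare string": "Not approved",
    "wrong case": "approved",
    "single object": {"title": "Owner tag present", "result": "Approved"},
    "title too long": {"title": "x" * 33, "result": "Not approved"},
    "array with a bad entry": [
        {"result": "Approved", "message": "snapshot is referenced by a VM"},
        {"result": "Maybe", "owner": "platform-team"},
    ],
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        errs = validate_custom(value)
        print(f"{label:24} {'valid' if not errs else errs}")
```

Running a calculated policy's output through a check like this before saving it catches the two mistakes the schema is strict about: a result string in the wrong case and stray keys on an object, both of which would otherwise fail at policy evaluation time rather than at authoring time.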

Azure > Compute > Snapshot > Approved > Regions

A list of Azure regions in which Azure Compute snapshots are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an Azure Compute snapshot is created in a region that is not in the approved list, it will be subject to the action specified in the Azure > Compute > Snapshot > Approved policy.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/snapshotApprovedRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/azure-compute#/policy/types/computeApprovedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

Azure > Compute > Snapshot > Approved > Usage

Determine whether the Azure Compute snapshot is allowed to exist.

This policy will be evaluated by the Approved control. If an Azure Compute snapshot is not approved, it will be subject to the action specified in the Azure > Compute > Snapshot > Approved policy.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/snapshotApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if Azure > Compute > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if Azure > Compute > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if Azure > Compute > Enabled"
}

Azure > Compute > Snapshot > CMDB

Configure whether to record and synchronize details for the Azure Compute snapshot into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the Azure > Compute > Snapshot > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/azure-compute#/policy/types/snapshotCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute provider is Registered",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute provider is Registered",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute provider is Registered"
}

Azure > Compute > Snapshot > Regions

A list of Azure regions in which Azure Compute snapshots are supported for use.

Any snapshots in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/azure-compute#/policy/types/snapshotRegions
Schema
{
"allOf": [
{
"$ref": "azure#/definitions/regionNameMatcherList"
},
{
"default": [
"australiacentral",
"australiaeast",
"australiasoutheast",
"brazilsouth",
"canadacentral",
"canadaeast",
"centralindia",
"centralus",
"chinaeast",
"chinaeast2",
"chinaeast3",
"chinanorth",
"chinanorth2",
"chinanorth3",
"eastasia",
"eastus",
"eastus2",
"francecentral",
"germanywestcentral",
"japaneast",
"japanwest",
"koreacentral",
"koreasouth",
"northcentralus",
"northeurope",
"norwayeast",
"southafricanorth",
"southcentralus",
"southeastasia",
"southindia",
"switzerlandnorth",
"uaenorth",
"uksouth",
"ukwest",
"usgovarizona",
"usgovtexas",
"usgovvirginia",
"westcentralus",
"westeurope",
"westindia",
"westus",
"westus2"
]
}
]
}

Azure > Compute > Snapshot > Tags

Determine the action to take when Azure Compute snapshot tags are not updated based on the Azure > Compute > Snapshot > Tags > * policies.

The control ensures Azure Compute snapshot tags include the tags defined in Azure > Compute > Snapshot > Tags > Template.

Tags not defined in Snapshot Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/azure-compute#/policy/types/snapshotTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

Azure > Compute > Snapshot > Tags > Template

The template is used to generate the tag keys and values for the Azure Compute snapshot.

Tags not defined in Snapshot Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/azure-compute#/policy/types/snapshotTagsTemplate
Default Template Input
[
"{\n subscription {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/azure-compute#/policy/types/computeTagsTemplate\" resourceId: \"{{ $.subscription.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Azure > Compute > Ssh Public Key > Active

Determine the action to take when an Azure Compute ssh public key is inactive, based on the Azure > Compute > Ssh Public Key > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Ssh Public Key > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: This is in contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-compute#/policy/types/sshPublicKeyActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

Azure > Compute > Ssh Public Key > Active > Age

The age after which the Azure Compute ssh public key is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Ssh Public Key > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note: This is in contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-compute#/policy/types/sshPublicKeyActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

Azure > Compute > Ssh Public Key > Active > Last Modified

The number of days since the Azure Compute ssh public key was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Ssh Public Key > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: This is in contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/azure-compute#/policy/types/sshPublicKeyActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

Azure > Compute > Ssh Public Key > Approved

Determine the action to take when an Azure Compute ssh public key is not approved based on Azure > Compute > Ssh Public Key > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/sshPublicKeyApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

Azure > Compute > Ssh Public Key > Approved > Custom

Determine whether the Azure Compute ssh public key is allowed to exist.

This policy will be evaluated by the Approved control. If an Azure Compute ssh public key is not approved, it will be subject to the action specified in the Azure > Compute > Ssh Public Key > Approved policy.

See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/azure-compute#/policy/types/sshPublicKeyApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

Azure > Compute > Ssh Public Key > Approved > Regions

A list of Azure regions in which Azure Compute ssh public keys are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an Azure Compute ssh public key is created in a region that is not in the approved list, it will be subject to the action specified in the Azure > Compute > Ssh Public Key > Approved policy.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/sshPublicKeyApprovedRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/azure-compute#/policy/types/computeApprovedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

Azure > Compute > Ssh Public Key > Approved > Usage

Determine whether the Azure Compute ssh public key is allowed to exist.

This policy will be evaluated by the Approved control. If an Azure Compute ssh public key is not approved, it will be subject to the action specified in the Azure > Compute > Ssh Public Key > Approved policy.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/sshPublicKeyApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if Azure > Compute > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if Azure > Compute > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if Azure > Compute > Enabled"
}

Azure > Compute > Ssh Public Key > CMDB

Configure whether to record and synchronize details for the Azure Compute ssh public key into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the Azure > Compute > Ssh Public Key > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/azure-compute#/policy/types/sshPublicKeyCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute provider is Registered",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute provider is Registered",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute provider is Registered"
}

Azure > Compute > Ssh Public Key > Regions

A list of Azure regions in which Azure Compute ssh public keys are supported for use.

Any ssh public keys in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/azure-compute#/policy/types/sshPublicKeyRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/azure-compute#/policy/types/computeRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

Azure > Compute > Ssh Public Key > Tags

Determine the action to take when the tags on an Azure Compute ssh public key do not match the Azure > Compute > Ssh Public Key > Tags > * policies.

The control ensures that Azure Compute ssh public key tags include the tags defined in Azure > Compute > Ssh Public Key > Tags > Template.

Tags not defined in Ssh Public Key Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/azure-compute#/policy/types/sshPublicKeyTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

Azure > Compute > Ssh Public Key > Tags > Template

The template is used to generate the keys and values for Azure Compute ssh public key.

Tags not defined in Ssh Public Key Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/azure-compute#/policy/types/sshPublicKeyTagsTemplate
Default Template Input
[
"{\n subscription {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/azure-compute#/policy/types/computeTagsTemplate\" resourceId: \"{{ $.subscription.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Azure > Compute > Tags Template [Default]

A template used to generate the keys and values for Azure Compute resources.

By default, all Compute resource Tags > Template policies will use this value.

URI
tmod:@turbot/azure-compute#/policy/types/computeTagsTemplate
Default Template Input
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/azure#/policy/types/defaultTagsTemplate\") {\n value\n }\n}\n"
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Azure > Compute > Virtual Machine > Active

Determine the action to take when an Azure Compute virtual machine is not active, based on the Azure > Compute > Virtual Machine > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Virtual Machine > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

Azure > Compute > Virtual Machine > Active > Age

The age after which the Azure Compute virtual machine
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Virtual Machine > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note: In contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

Azure > Compute > Virtual Machine > Active > Last Modified

The number of days since the Azure Compute virtual machine was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Virtual Machine > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

Azure > Compute > Virtual Machine > Approved

Determine the action to take when an Azure Compute virtual machine is not approved based on Azure > Compute > Virtual Machine > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For enforcement actions that specify "if new" (e.g. Enforce: Delete unapproved if new), this control only takes the enforcement action on resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Stop unapproved",
"Enforce: Stop unapproved if new",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Stop unapproved",
"Enforce: Stop unapproved if new",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}
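The Active and Approved descriptions above state two opposite aggregation rules (active for any reason wins; unapproved for any reason wins), a 60-minute window for "if new" enforcement, and a fallback to the Guardrails discovery time when Azure reports no create time. The following is an added example, not Guardrails code, that models exactly those stated rules; where the page is silent (what the control reports when every sub-policy is skipped, and what Active > Age reports below its threshold) the behaviour chosen is an assumption and is marked as such in the comments. The timestamps are constructed sample values.

```python
"""Model of how the Active and Approved controls described above combine
their sub-policy results. Added example, not Guardrails code."""
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# "... if new" enforcement actions only act on resources created in the last 60 minutes.
NEW_WINDOW = timedelta(minutes=60)

# Constructed sample timestamps (not taken from any real resource).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
CREATED_RECENTLY = NOW - timedelta(minutes=20)
CREATED_LONG_AGO = NOW - timedelta(days=120)
DISCOVERED = NOW - timedelta(days=10)   # when Guardrails first saw the resource


def aggregate_active(results: Iterable[str]) -> str:
    """Combine Active > * results, each 'active', 'inactive' or 'skipped'.

    Page rule: if the resource appears active for any reason it is active.
    Assumption: with no vote at all the control result is 'skipped'.
    """
    votes = set(results)
    if "active" in votes:
        return "active"
    if "inactive" in votes:
        return "inactive"
    return "skipped"


def aggregate_approved(results: Iterable[str]) -> str:
    """Combine Approved > * results, each 'Approved', 'Not approved' or 'Skip'.

    Page rule: if the resource appears unapproved for any reason it is not approved.
    Assumption: with no vote at all the control result is 'Skip'.
    """
    votes = set(results)
    if "Not approved" in votes:
        return "Not approved"
    if "Approved" in votes:
        return "Approved"
    return "Skip"


def age_result(threshold_days: int, now: datetime,
               create_time: Optional[datetime], discovered_time: datetime) -> str:
    """Active > Age set to 'Force inactive if age > <threshold_days> days'.

    Page rule: when Azure reports no create time, the time Guardrails
    discovered the resource is used instead.
    Assumption: below the threshold this sub-policy casts no vote ('skipped').
    """
    born = create_time if create_time is not None else discovered_time
    return "inactive" if now - born > timedelta(days=threshold_days) else "skipped"


def enforcement_applies(setting: str, now: datetime, create_time: datetime) -> bool:
    """Whether an Approved setting may act on a resource right now.

    'Skip' and 'Check: ...' never act; 'Enforce: ... if new' acts only
    within NEW_WINDOW of creation; other 'Enforce: ...' settings always act.
    """
    if not setting.startswith("Enforce:"):
        return False
    if "if new" in setting:
        return now - create_time <= NEW_WINDOW
    return True


if __name__ == "__main__":
    print("active  :", aggregate_active(["skipped", "inactive", "active"]))
    print("approved:", aggregate_approved(["Approved", "Not approved"]))
    print("age (no create time, discovered 10d ago, threshold 90d):",
          age_result(90, NOW, None, DISCOVERED))
    print("stop-if-new acts on 20-minute-old VM:",
          enforcement_applies("Enforce: Stop unapproved if new", NOW, CREATED_RECENTLY))
```

The practical consequence of the two aggregation rules: adding an Active sub-policy can only make a resource harder to delete, while adding an Approved sub-policy can only make it easier to stop or delete, so new Approved sub-policies are best introduced in "Check" mode first.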

Azure > Compute > Virtual Machine > Approved > Custom

Determine whether the Azure Compute virtual machine is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Compute virtual machine is not approved, it will be subject to the action specified in the Azure > Compute > Virtual Machine > Approved policy.
See Approved for more information.

Note: The policy value must be either a string with a value of Approved, Not approved or Skip, or one or more YAML objects. Each object must contain the key result with a value of Approved, Not approved or Skip. A custom title (up to 32 characters) and message (up to 128 characters) can also be added using the keys title and message respectively.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

Azure > Compute > Virtual Machine > Approved > Image

Determine whether the virtual machine is approved based on the status of the image it was launched from (see Azure > Compute > Virtual Machine > Approved > Image > Status).

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineApprovedImage
Valid Value
[
"Skip",
"Approved if Image > Status is Enabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Approved if Image > Status is Enabled"
],
"example": [
"Skip"
],
"default": "Skip"
}

Azure > Compute > Virtual Machine > Approved > Image > Compiled Rules

An OCL policy to define the status of images based on fields in the image reference data. This
policy is read only, and is constructed by Guardrails based on the values of the
'Azure > Compute > Virtual Machine > Approved > Image > *' sub-policies.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineApprovedImageCompiledRules
Schema
{
"type": "OCL",
"x-schema-form": {
"type": "textarea"
}
}

Azure > Compute > Virtual Machine > Approved > Image > Local

Determine whether all local images are enabled. If set to Enabled, all
local images are considered enabled.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineApprovedImageLocal
Valid Value
[
"Skip",
"Enabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enabled"
],
"default": "Enabled"
}

Azure > Compute > Virtual Machine > Approved > Image > RHEL 6

Determine the status of the standard RHEL 6 marketplace image:
Enabled - This image is approved for use
Deprecated - This image cannot be used to launch new VMs, but
existing VMs launched from it may continue to run
Disabled - This image is unapproved

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineApprovedImageRHEL6
Valid Value
[
"Enabled",
"Deprecated",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Deprecated",
"Disabled"
],
"example": [
"Enabled"
],
"default": "Enabled"
}

Azure > Compute > Virtual Machine > Approved > Image > RHEL 7

Determine the status of the standard RHEL 7 marketplace image:
Enabled - This image is approved for use
Deprecated - This image cannot be used to launch new VMs, but
existing VMs launched from it may continue to run
Disabled - This image is unapproved

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineApprovedImageRHEL7
Valid Value
[
"Enabled",
"Deprecated",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Deprecated",
"Disabled"
],
"example": [
"Enabled"
],
"default": "Enabled"
}

Azure > Compute > Virtual Machine > Approved > Image > Rules

An OCL policy to define the status of Images based on fields in the image reference data.

Standard OCL syntax may be used. Allowed actions are:
ENABLED - Images that match should be considered "enabled"
DEPRECATED - Images that match should be considered "deprecated"
DISABLED - Images that match should be considered "disabled" and may not be used

Examples:
ENABLED * # Allow all images published
DEPRECATED $.publisher:MicrosoftWindowsServer $.sku:2016-Datacenter $.offer:WindowsServer # Windows Server 2016 images are deprecated. New vms may not use these Images
DISABLED $.publisher:MicrosoftWindowsServer $.sku:/^2012-/ $.offer:WindowsServer # Windows Server 2012 images are disabled.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineApprovedImageRules
Schema
{
"type": "string",
"default": "# Approve unmatched rules\nENABLED *",
"x-schema-form": {
"type": "textarea"
}
}
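To make the rule syntax shown in the Rules examples concrete, here is a small evaluator for it. This is an added example, not Guardrails code or its OCL engine: it handles only the forms the page shows (an ENABLED/DEPRECATED/DISABLED action, `*`, `$.field:literal`, `$.field:/regex/`, and `#` comments). Three things are assumptions rather than statements from the page: rules are evaluated top to bottom with the first match winning, literal matches are case-insensitive, and an image that no rule matches gets no status (the default policy's trailing `ENABLED *` is what normally prevents that). The sample rules and image references are constructed.

```python
"""Evaluator for the OCL rule syntax shown in the Rules policy above.
Added example, not Guardrails code."""
import re
from typing import Any, Dict, List, Optional, Tuple

STATUSES = {"ENABLED": "Enabled", "DEPRECATED": "Deprecated", "DISABLED": "Disabled"}
Matcher = Tuple[str, Any]           # (field path, compiled regex or lowercase literal)
Rule = Tuple[str, List[Matcher]]    # (status, matchers); an empty list means '*'


def parse_rules(text: str) -> List[Rule]:
    """Parse lines of 'ACTION matcher... # comment'.

    matcher is '*', '$.field:literal' or '$.field:/regex/'. Assumption: a '#'
    always starts a comment, so regexes may not contain one.
    """
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, *terms = line.split()
        if action not in STATUSES or not terms:
            raise ValueError(f"bad rule: {raw!r}")
        matchers: List[Matcher] = []
        for term in terms:
            if term == "*":
                continue
            if not term.startswith("$.") or ":" not in term:
                raise ValueError(f"bad matcher {term!r} in rule: {raw!r}")
            field, value = term[2:].split(":", 1)
            if len(value) > 1 and value[0] == value[-1] == "/":
                matchers.append((field, re.compile(value[1:-1])))
            else:
                matchers.append((field, value.lower()))   # assumption: case-insensitive
        rules.append((STATUSES[action], matchers))
    return rules


def _field(image: Dict[str, Any], path: str) -> Optional[str]:
    """Resolve a dotted path such as 'publisher' against the image reference."""
    node: Any = image
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return None if node is None else str(node)


def _matches(image: Dict[str, Any], matchers: List[Matcher]) -> bool:
    """All matchers on a rule line must match (logical AND)."""
    for path, expected in matchers:
        actual = _field(image, path)
        if actual is None:
            return False
        if isinstance(expected, re.Pattern):
            if not expected.search(actual):
                return False
        elif actual.lower() != expected:
            return False
    return True


def image_status(rules: List[Rule], image: Dict[str, Any]) -> Optional[str]:
    """Assumption: rules run top to bottom and the first match wins;
    an image no rule matches gets None."""
    for status, matchers in rules:
        if _matches(image, matchers):
            return status
    return None


def allows_new_vm(status: Optional[str]) -> bool:
    """Per the status definitions above, only Enabled images may launch new VMs."""
    return status == "Enabled"


def image_ref(publisher: str, offer: str, sku: str, version: str = "latest") -> Dict[str, str]:
    """Build a constructed image reference in the shape of an Azure imageReference."""
    return {"publisher": publisher, "offer": offer, "sku": sku, "version": version}


# Constructed sample rules, mirroring the examples on this page.
SAMPLE_RULES = """
DISABLED   $.publisher:MicrosoftWindowsServer $.offer:WindowsServer $.sku:/^2012-/
DEPRECATED $.publisher:MicrosoftWindowsServer $.offer:WindowsServer $.sku:2016-Datacenter
# Approve unmatched rules
ENABLED *
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for ref in (image_ref("MicrosoftWindowsServer", "WindowsServer", "2012-R2-Datacenter"),
                image_ref("MicrosoftWindowsServer", "WindowsServer", "2016-Datacenter"),
                image_ref("Canonical", "UbuntuServer", "18.04-LTS")):
        print(ref["sku"], "->", image_status(rules, ref))
```

Under first-match evaluation the specific DISABLED and DEPRECATED lines must come before the catch-all `ENABLED *`; written in the opposite order the catch-all would approve every image and the narrower rules would never fire.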

Azure > Compute > Virtual Machine > Approved > Image > Status

The status of the image from which this virtual machine was launched.

This is a calculated, read-only policy that shows the image status based on the other Azure > Compute > Virtual Machine > Approved > Image > * policies.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineApprovedStatus
Valid Value
[
"Enabled",
"Deprecated",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Deprecated",
"Disabled"
]
}

Azure > Compute > Virtual Machine > Approved > Image > Trusted Publishers

A list of publishers whose Images are allowed to be used to launch
virtual machines. Images from publishers not listed are not allowed.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineApprovedImageTrustedPublishers
Default Template Input
[
"{\n item: subscription {\n turbot {\n id\n }\n }\n}\n",
"{\n imageTrustedPublishers: policyValue(resourceId:\"{{ $.item.turbot.id }}\" uri:\"tmod:@turbot/azure-compute#/policy/types/imageTrustedPublishers\") {\n path: value\n }\n}\n"
]
Default Template
"{% if $.imageTrustedPublishers.path | length == 0 %} [] {% endif %}{% for item in $.imageTrustedPublishers.path %}- {{ item }}\n{% endfor %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

Azure > Compute > Virtual Machine > Approved > Image > Ubuntu 16.04

Determine the status of the standard Ubuntu 16.04 marketplace image:
Enabled - This image is approved for use
Deprecated - This image cannot be used to launch new VMs, but
existing VMs launched from it may continue to run
Disabled - This image is unapproved

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineApprovedImageUbuntu16
Valid Value
[
"Enabled",
"Deprecated",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Deprecated",
"Disabled"
],
"example": [
"Enabled"
],
"default": "Enabled"
}

Azure > Compute > Virtual Machine > Approved > Image > Ubuntu 18.04

Determine the status of the standard Ubuntu 18.04 marketplace image:
Enabled - This image is approved for use
Deprecated - This image cannot be used to launch new VMs, but
existing VMs launched from it may continue to run
Disabled - This image is unapproved

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineApprovedImageUbuntu18
Valid Value
[
"Enabled",
"Deprecated",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Deprecated",
"Disabled"
],
"example": [
"Enabled"
],
"default": "Enabled"
}

Azure > Compute > Virtual Machine > Approved > Image > Windows 2012-R2 Datacenter

Determine the status of the standard Windows 2012-R2 Datacenter marketplace image:
Enabled - This image is approved for use
Deprecated - This image cannot be used to launch new VMs, but
existing VMs launched from it may continue to run
Disabled - This image is unapproved

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineApprovedImageWindows2012DataCenter
Valid Value
[
"Enabled",
"Deprecated",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Deprecated",
"Disabled"
],
"example": [
"Enabled"
],
"default": "Enabled"
}

Azure > Compute > Virtual Machine > Approved > Image > Windows 2016 Datacenter

Determine the status of the standard Windows 2016 Datacenter marketplace image:
Enabled - This image is approved for use
Deprecated - This image cannot be used to launch new VMs, but
existing VMs launched from it may continue to run
Disabled - This image is unapproved

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineApprovedImageWindows2016DataCenter
Valid Value
[
"Enabled",
"Deprecated",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Deprecated",
"Disabled"
],
"example": [
"Enabled"
],
"default": "Enabled"
}

Azure > Compute > Virtual Machine > Approved > Image > Windows 2019 Datacenter

Determine the status of the standard Windows 2019 Datacenter marketplace image:
Enabled - This image is approved for use
Deprecated - This image cannot be used to launch new VMs, but
existing VMs launched from it may continue to run
Disabled - This image is unapproved

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineApprovedImageWindows2019DataCenter
Valid Value
[
"Enabled",
"Deprecated",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Deprecated",
"Disabled"
],
"example": [
"Enabled"
],
"default": "Enabled"
}

Azure > Compute > Virtual Machine > Approved > Regions

A list of Azure regions in which Azure Compute virtual machines are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an Azure Compute virtual machine is created in a region that is not in the approved list, it will be subject to the action specified in the Azure > Compute > Virtual Machine > Approved policy.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineApprovedRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/azure-compute#/policy/types/computeApprovedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

Azure > Compute > Virtual Machine > Approved > Usage

Determine whether the Azure Compute virtual machine is allowed to exist.

This policy will be evaluated by the Approved control. If an Azure Compute virtual machine is not approved, it will be subject to the action specified in the Azure > Compute > Virtual Machine > Approved policy.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if Azure > Compute > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if Azure > Compute > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if Azure > Compute > Enabled"
}

Azure > Compute > Virtual Machine > CMDB

Configure whether to record and synchronize details for the Azure Compute virtual machine into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the resource's region is not in the Azure > Compute > Virtual Machine > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute provider is Registered",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute provider is Registered",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute provider is Registered"
}

Azure > Compute > Virtual Machine > Regions

A list of Azure regions in which Azure Compute virtual machines are supported for use.

Any virtual machines in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineRegions
Schema
{
"allOf": [
{
"$ref": "azure#/definitions/regionNameMatcherList"
},
{
"default": [
"australiacentral",
"australiaeast",
"australiasoutheast",
"brazilsouth",
"canadacentral",
"canadaeast",
"centralindia",
"centralus",
"chinaeast",
"chinaeast2",
"chinaeast3",
"chinanorth",
"chinanorth2",
"chinanorth3",
"eastasia",
"eastus",
"eastus2",
"francecentral",
"germanywestcentral",
"japaneast",
"japanwest",
"koreacentral",
"koreasouth",
"northcentralus",
"northeurope",
"norwayeast",
"southafricanorth",
"southcentralus",
"southeastasia",
"southindia",
"switzerlandnorth",
"uaenorth",
"uksouth",
"ukwest",
"usgovarizona",
"usgoviowa",
"usgovtexas",
"usgovvirginia",
"westcentralus",
"westeurope",
"westindia",
"westus",
"westus2"
]
}
]
}
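The Regions policy above and the Approved > Regions policy earlier in this section both take region names with `*` and `?` wildcards, but they act at different layers: Regions decides whether a virtual machine is recorded in the CMDB at all, while Approved > Regions decides whether a recorded virtual machine is approved. The following added example (not Guardrails code) puts both decisions side by side for one virtual machine. It assumes that matching is case-insensitive and anchored to the whole region name, and that a resource deleted from the CMDB is no longer evaluated by any other control (the page states that all controls are based around the CMDB resource); the policy values are constructed samples, not the defaults listed above.

```python
"""How the Regions and Approved > Regions policies above act on one virtual
machine. Added example, not Guardrails code."""
import re
from typing import Iterable, List, Tuple


def region_pattern(matcher: str) -> "re.Pattern[str]":
    """Turn a region matcher using only the '*' and '?' wildcards into a regex
    anchored to the whole region name. Assumption: matching is case-insensitive."""
    parts = []
    for ch in matcher:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def region_matches(region: str, matchers: Iterable[str]) -> bool:
    """True if any matcher in the policy value covers the region."""
    return any(region_pattern(m).match(region) for m in matchers)


def evaluate_vm(region: str, regions_policy: List[str],
                approved_regions: List[str]) -> Tuple[str, str]:
    """Return (CMDB action, Approved > Regions result) for a VM in `region`.

    A VM outside the Regions policy is deleted from the CMDB; assumption:
    nothing else then evaluates it. A VM inside Regions but outside
    Approved > Regions stays recorded and is reported Not approved.
    """
    if not region_matches(region, regions_policy):
        return "delete from CMDB", "not evaluated"
    if region_matches(region, approved_regions):
        return "record in CMDB", "Approved"
    return "record in CMDB", "Not approved"


# Constructed sample policy values (the real defaults are shown in the schema above).
REGIONS_POLICY = ["*"]                                   # record VMs everywhere
APPROVED_REGIONS = ["eastus*", "westeurope", "uk?????"]  # 'uk' plus exactly five characters

if __name__ == "__main__":
    for region in ("eastus2", "uksouth", "ukwest", "chinaeast2"):
        print(region, "->", evaluate_vm(region, REGIONS_POLICY, APPROVED_REGIONS))
```

Note the asymmetry when tightening the Regions policy: a virtual machine in an excluded region is not flagged, it silently disappears from the CMDB, so a narrow Regions list hides resources rather than reporting them. Use Approved > Regions, not Regions, to express where virtual machines are allowed.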

Azure > Compute > Virtual Machine > Schedule

Set a schedule for starting and stopping an Azure Compute virtual machine.

Note: If both "Schedule" and "Schedule Tag" are set to enforce and the
virtual machine has a turbot_custom_schedule tag, then the schedule specified by
the tag will be in effect.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineSchedule
Valid Value
[
"Skip",
"Enforce: Business hours (8:00am - 6:00pm on weekdays)",
"Enforce: Extended business hours (7:00am - 11:00pm on weekdays)",
"Enforce: Stop for night (stop at 10:00pm every day)",
"Enforce: Stop for weekend (stop at 10:00pm on Friday)"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Business hours (8:00am - 6:00pm on weekdays)",
"Enforce: Extended business hours (7:00am - 11:00pm on weekdays)",
"Enforce: Stop for night (stop at 10:00pm every day)",
"Enforce: Stop for weekend (stop at 10:00pm on Friday)"
],
"example": [
"Enforce: Business hours (8:00am - 6:00pm on weekdays)"
],
"default": "Skip"
}

Azure > Compute > Virtual Machine > Schedule Tag

Allow setting a schedule for starting and stopping an Azure Compute virtual machine via the
turbot_custom_schedule tag. If the schedule is invalid, no actions will be
taken against the virtual machine.

Note: If both "Schedule" and "Schedule Tag" are set to enforce and the
virtual machine has a turbot_custom_schedule tag, then the schedule specified by the
tag will be in effect.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineScheduleTag
Valid Value
[
"Skip",
"Enforce: Schedule per turbot_custom_schedule tag"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Schedule per turbot_custom_schedule tag"
],
"example": [
"Enforce: Schedule per turbot_custom_schedule tag"
],
"default": "Skip"
}

Azure > Compute > Virtual Machine > Tags

Determine the action to take when the tags on an Azure Compute virtual machine do not match the Azure > Compute > Virtual Machine > Tags > * policies.

The control ensures that Azure Compute virtual machine tags include the tags defined in Azure > Compute > Virtual Machine > Tags > Template.

Tags not defined in Virtual Machine Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}
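The Tags policy above, and the identical Ssh Public Key > Tags policy earlier in this section, describe three rules: tags named in the template are set to the template's value, tags the template does not mention are left untouched, and a template value of undefined deletes the tag. The following added example (not Guardrails code) applies those three rules to a constructed tag set and shows what "Check: Tags are correct" versus "Enforce: Set tags" would see. `UNDEFINED` is a sentinel chosen for this example; the actual template format is documented under Tags, not on this page.

```python
"""Tag reconciliation as described by the Tags policies above.
Added example, not Guardrails code."""
from typing import Dict, List, Mapping, Tuple

UNDEFINED = object()   # stands in for a template key whose value is undefined


def plan_tag_changes(current: Mapping[str, str],
                     template: Mapping[str, object]) -> Tuple[Dict[str, str], List[str]]:
    """Return (tags_to_set, tags_to_delete) needed to make `current` comply.

    Keys absent from the template are never touched; an UNDEFINED value
    deletes the tag if present; any other value is enforced verbatim.
    """
    to_set: Dict[str, str] = {}
    to_delete: List[str] = []
    for key, wanted in template.items():
        if wanted is UNDEFINED:
            if key in current:
                to_delete.append(key)
        elif current.get(key) != wanted:
            to_set[key] = str(wanted)
    return to_set, sorted(to_delete)


def apply_tag_changes(current: Mapping[str, str], to_set: Mapping[str, str],
                      to_delete: List[str]) -> Dict[str, str]:
    """What 'Enforce: Set tags' leaves on the resource."""
    result = {k: v for k, v in current.items() if k not in to_delete}
    result.update(to_set)
    return result


def tags_are_correct(current: Mapping[str, str], template: Mapping[str, object]) -> bool:
    """'Check: Tags are correct' passes only when no change is needed."""
    to_set, to_delete = plan_tag_changes(current, template)
    return not to_set and not to_delete


# Constructed sample: one tag to add, one to delete, one to leave alone.
CURRENT_TAGS = {"environment": "prod", "owner": "alice", "temp-debug": "yes"}
TEMPLATE = {"environment": "prod", "cost-center": "CC-1234", "temp-debug": UNDEFINED}

if __name__ == "__main__":
    to_set, to_delete = plan_tag_changes(CURRENT_TAGS, TEMPLATE)
    print("set:", to_set, "delete:", to_delete)
    print("after enforce:", apply_tag_changes(CURRENT_TAGS, to_set, to_delete))
```

Because `owner` is not in the template it survives enforcement; because `temp-debug` is in the template with an undefined value it is removed. A template that should only add tags must therefore never emit a key with an undefined value by accident, for example from a Nunjucks variable that resolved to nothing.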

Azure > Compute > Virtual Machine > Tags > Template

The template is used to generate the keys and values for Azure Compute virtual machine.

Tags not defined in Virtual Machine Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineTagsTemplate
Default Template Input
[
"{\n subscription {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/azure-compute#/policy/types/computeTagsTemplate\" resourceId: \"{{ $.subscription.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Azure > Compute > Virtual Machine Scale Set > Active

Determine the action to take when an Azure Compute virtual machine scale set is not active, based on the Azure > Compute > Virtual Machine Scale Set > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Virtual Machine Scale Set > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineScaleSetActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

Azure > Compute > Virtual Machine Scale Set > Active > Age

The age after which the Azure Compute virtual machine scale set
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Virtual Machine Scale Set > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note: In contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineScaleSetActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

Azure > Compute > Virtual Machine Scale Set > Active > Last Modified

The number of days since the Azure Compute virtual machine scale set was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Compute > Virtual Machine Scale Set > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: In contrast, with Approved, if the resource appears to be Unapproved for any reason it will be considered Unapproved.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineScaleSetActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

Azure > Compute > Virtual Machine Scale Set > Approved

Determine the action to take when an Azure Compute virtual machine scale set is not approved based on Azure > Compute > Virtual Machine Scale Set > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineScaleSetApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

Azure > Compute > Virtual Machine Scale Set > Approved > Custom

Determine whether the Azure Compute virtual machine scale set is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Compute virtual machine scale set is not approved, it will be subject to the action specified in the Azure > Compute > Virtual Machine Scale Set > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineScaleSetApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}
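To make the accepted shapes of an Approved > Custom value concrete, here is an added Python validator (not Guardrails code) that mirrors the three anyOf branches of the schema above: a bare result string, a single object, or a list of objects, with the same title/message length limits and result values. The sample values are constructed; the rule that any "Not approved" object wins comes from the page, while treating Skip as "no opinion" that an Approved object overrides is an assumption made here.

```python
import re
from typing import Any

# The same patterns the policy schema uses for its three keys.
RESULT_RE = re.compile(r"^(Approved|Not approved|Skip)$")
TITLE_RE = re.compile(r"^[\W\w]{1,32}$")
MESSAGE_RE = re.compile(r"^[\W\w]{1,128}$")


def _valid_object(obj: Any) -> bool:
    """One custom-approval object: result is required, title/message are
    optional, and no other keys are allowed (additionalProperties: false)."""
    if not isinstance(obj, dict):
        return False
    if set(obj) - {"title", "message", "result"}:
        return False
    if not (isinstance(obj.get("result"), str) and RESULT_RE.fullmatch(obj["result"])):
        return False
    if "title" in obj and not (isinstance(obj["title"], str) and TITLE_RE.fullmatch(obj["title"])):
        return False
    if "message" in obj and not (isinstance(obj["message"], str) and MESSAGE_RE.fullmatch(obj["message"])):
        return False
    return True


def valid_custom_policy_value(value: Any) -> bool:
    """True if value matches one of the schema's anyOf branches:
    a result string, one object, or an array of objects."""
    if isinstance(value, str):
        return bool(RESULT_RE.fullmatch(value))
    if isinstance(value, list):
        return all(_valid_object(item) for item in value)
    return _valid_object(value)


def approval_verdict(value: Any) -> str:
    """Collapse a valid value to the outcome the Approved control acts on.
    Any 'Not approved' object makes the resource Not approved (as the page
    states); Skip yielding to an Approved object is an assumption here."""
    if not valid_custom_policy_value(value):
        raise ValueError("value does not match the Approved > Custom schema")
    if isinstance(value, str):
        return value
    objs = value if isinstance(value, list) else [value]
    results = {o["result"] for o in objs}
    if "Not approved" in results:
        return "Not approved"
    return "Approved" if "Approved" in results else "Skip"
```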

Azure > Compute > Virtual Machine Scale Set > Approved > Regions

A list of Azure regions in which Azure Compute virtual machine scale sets are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an Azure Compute virtual machine scale set is created in a region that is not in the approved list, it will be subject to the action specified in the Azure > Compute > Virtual Machine Scale Set > Approved policy.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineScaleSetApprovedRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/azure-compute#/policy/types/computeApprovedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

Azure > Compute > Virtual Machine Scale Set > Approved > Usage

Determine whether the Azure Compute virtual machine scale set is allowed to exist.

This policy will be evaluated by the Approved control. If an Azure Compute virtual machine scale set is not approved, it will be subject to the action specified in the Azure > Compute > Virtual Machine Scale Set > Approved policy.

See Approved for more information.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineScaleSetApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if Azure > Compute > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if Azure > Compute > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if Azure > Compute > Enabled"
}

Azure > Compute > Virtual Machine Scale Set > CMDB

Configure whether to record and synchronize details for the Azure Compute virtual machine scale set into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the Azure > Compute > Virtual Machine Scale Set > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineScaleSetCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute provider is Registered",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute provider is Registered",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute provider is Registered"
}

Azure > Compute > Virtual Machine Scale Set > Regions

A list of Azure regions in which Azure Compute virtual machine scale sets are supported for use.

Any virtual machine scale sets in a region not listed here will not be recorded in the CMDB.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineScaleSetRegions
Schema
{
"allOf": [
{
"$ref": "azure#/definitions/regionNameMatcherList"
},
{
"default": [
"australiacentral",
"australiacentral2",
"australiaeast",
"australiasoutheast",
"brazilsouth",
"brazilsoutheast",
"canadacentral",
"canadaeast",
"centralindia",
"centralus",
"chinaeast",
"chinaeast2",
"chinaeast3",
"chinanorth",
"chinanorth2",
"chinanorth3",
"eastasia",
"eastus",
"eastus2",
"francecentral",
"francesouth",
"germanynorth",
"germanywestcentral",
"japaneast",
"japanwest",
"koreacentral",
"koreasouth",
"northcentralus",
"northeurope",
"norwayeast",
"norwaywest",
"qatarcentral",
"southafricanorth",
"southafricawest",
"southcentralus",
"southeastasia",
"southindia",
"swedencentral",
"swedensouth",
"switzerlandnorth",
"switzerlandwest",
"uaecentral",
"uaenorth",
"uksouth",
"ukwest",
"usdodcentral",
"usdodeast",
"usgovarizona",
"usgoviowa",
"usgovtexas",
"usgovvirginia",
"westcentralus",
"westeurope",
"westindia",
"westus",
"westus2",
"westus3"
]
}
]
}

Azure > Compute > Virtual Machine Scale Set > Tags

Determine the action to take when an Azure Compute virtual machine scale set's tags are not updated based on the Azure > Compute > Virtual Machine Scale Set > Tags > * policies.

The control ensures Azure Compute virtual machine scale set tags include the tags defined in Azure > Compute > Virtual Machine Scale Set > Tags > Template.

Tags not defined in Virtual Machine Scale Set Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineScaleSetTags
Valid Value
[
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Tags are correct",
"Enforce: Set tags"
],
"example": [
"Check: Tags are correct"
],
"default": "Skip"
}

Azure > Compute > Virtual Machine Scale Set > Tags > Template

The template is used to generate the tag keys and values for the Azure Compute virtual machine scale set.

Tags not defined in Virtual Machine Scale Set Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI
tmod:@turbot/azure-compute#/policy/types/virtualMachineScaleSetTagsTemplate
Default Template Input
[
"{\n subscription {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/azure-compute#/policy/types/computeTagsTemplate\" resourceId: \"{{ $.subscription.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-compute

A calculated policy that Guardrails uses to create a compiled list of ALL
permission levels for Azure Compute that is used as input to the
stack that manages the Guardrails IAM permissions objects.

URI
tmod:@turbot/azure-compute#/policy/types/azureLevelsCompiled

Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-compute

A calculated policy that Guardrails uses to create a compiled list of ALL
permissions for Azure Compute that is used as input to the control that manages
the IAM stack.

URI
tmod:@turbot/azure-compute#/policy/types/azureCompiledServicePermissions