@turbot/azure-iam

The azure-iam mod contains resource, control and policy definitions for the Azure IAM service.

Version: 5.11.0
Released On: Feb 02, 2024

Release Notes

5.11.0 (2024-02-02)

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

5.10.1 (2023-09-08)

Bug fixes

  • A few policy values would sometimes fail to evaluate correctly if the mod was installed on TE v5.42.1. We've fixed this issue and such policy values will now be evaluated correctly.

5.10.0 (2023-06-19)

What's new?

  • Resource's metadata will now also include createdBy details in Turbot CMDB.
  • README.md file is now available for users to check details about the resource types and service permissions that the mod covers.

5.9.1 (2023-01-02)

Bug fixes

  • We've updated the runtime of the lambda functions to Node 16. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

5.9.0 (2022-02-17)

What's new?

  • Users can now create their own custom checks against resource attributes in the Approved control using the Approved > Custom policy. These custom checks would be a part of the evaluation of the Approved control. Custom messages can also be added which are then displayed in the control details table. See Custom Checks for more information.

Bug fixes

  • We've improved the process of deleting resources from Guardrails if their CMDB policy was set to Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Guardrails' IAM role while deleting resources from Turbot. This will allow the CMDB controls to process resource deletions from Guardrails more reliably than before.

Policy Types

  • Azure > IAM > Role Assignment > Approved > Custom
  • Azure > IAM > Role Definition > Approved > Custom

5.8.0 (2021-09-23)

What's new?

  • We've updated the way we fetch the object IDs for users in the Azure > IAM > Login Names > Primary Object ID policy and now fetch it via the Azure > IAM > Primary Object ID control. You won't notice any difference and things should continue to run smoothly as before.

Control Types

  • Azure > IAM > Primary Object ID

5.7.0 (2021-07-14)

Bug fixes

  • We’ve made a few improvements in the GraphQL queries for various controls, policies, and actions. You won’t notice any difference, but things should run lighter and quicker than before.
  • The Azure > Turbot > IAM control will now use the Azure > Turbot > Permissions > Terraform Version policy instead of Turbot > Stack Terraform Version [Default] policy to configure resources. The Azure > Turbot > Permissions > Terraform Version policy is read-only as it's managed by Guardrails and by default set to 0.15.* for workspaces on TE v5.37.7 or higher. For workspaces on TE versions lower than 5.37.7, the policy will be set to 0.11.* by default.

Policy Types

  • Azure > Turbot > Permissions > Terraform Version

5.6.0 (2021-03-24)

What's new?

  • We've improved the state reasons and details tables in various Approved and Active controls to be more helpful, especially when a resource is unapproved or inactive. Previously, to understand why one of these controls is in Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

5.5.3 (2021-01-22)

Bug fixes

  • Controls run faster now when in the tbd and skipped states thanks to the new Turbot Precheck feature (not to be confused with TSA PreCheck). With Turbot Precheck, controls avoid running GraphQL input queries when in tbd and skipped, resulting in faster and lighter control runs.

5.5.2 (2021-01-13)

Bug fixes

  • We've made some improvements in a few GraphQL queries under Azure > Turbot > Permissions. There's no noticeable difference, but they will run much lighter now.

5.5.1 (2020-11-03)

Bug fixes

  • We've updated the Discovery controls for resources to now move to skipped instead of invalid if the provider is disabled in the subscription and the Azure > Provider > {service} > Registered policy is checking if the provider is disabled. This will reduce the amount of noisy controls that cannot be easily resolved without making changes to the provider.

5.5.0 (2020-10-22)

What's new?

  • We've made improvements to how Approved controls interact with CMDB policies and controls for more reliable approved checks. Now, if a resource's CMDB policy is set to Skip, its Approved control will move to invalid to prevent the Approved control from making a decision based on outdated information. Also, Approved controls will now wait until the resource's CMDB control has run at least once to ensure the required data is available.

5.4.0 (2020-09-28)

Warning

  • The Azure > IAM > Role Assignment > Configured and Azure > IAM > Role Definition > Configured policies now include the following new policy values:
    - Skip (unless claimed by a stack)
    - Check: Per Configured > Source (unless claimed by a stack)
    - Enforce: Per Configured > Source (unless claimed by a stack)
    These new values will replace the following current values, which have been deprecated and will be removed in the next major version:
    - Skip if using Configured > Source
    - Check: Configured if using Configured > Source
    - Enforce: Configured if using Configured > Source
    We recommend that you update your policy settings to use the new values, as these have replaced the deprecated values and are backwards compatible.

What's new?

  • We've made improvements to how Active controls interact with CMDB policies and controls for more reliable active checks. Now, if a resource's CMDB policy is set to Skip, its Active control will move to invalid to prevent the Active control from making a decision based on outdated information. Also, Active controls will now wait until the resource's CMDB control has run at least once to ensure the required data is available.

Policy Types

Renamed

  • Azure > IAM > Role Assignment > Configured > Precedence to Azure > IAM > Role Assignment > Configured > Claim Precedence
  • Azure > IAM > Role Definition > Configured > Precedence to Azure > IAM > Role Definition > Configured > Claim Precedence

5.3.0 (2020-08-26)

What's new?

  • Discovery controls now have their own control category, CMDB > Discovery, to allow for easier filtering separately from other CMDB controls.

5.2.1 (2020-08-03)

Bug fixes

  • When creating role assignments based on Turbot Azure grants, we were often inconsistent in which username we selected to use from the Azure > IAM > Login Names policy for different profiles. We now always select the first username in that policy for a more consistent role assignment creation process.

5.2.0 (2020-07-30)

What's new?

  • Earlier the role assignment in Azure > Turbot > IAM was limited to a single tenant in a workspace. Now we have upgraded the Azure > IAM > Login Names > Primary Object ID policy to store the object ID of all the login names of the user, instead of just the last one. This is a significant change since you can now assign roles to a user with different login names across all the tenants in a workspace.

Bug fixes

  • Azure > Turbot > Permissions > Source policy and Azure > Turbot > IAM stack remained in an error state when a profile was not mapped to Azure > IAM > Login Names policy. This issue has now been fixed.

5.1.9 (2020-07-28)

Bug fixes

  • While creating a role assignment, we check if the user is available in the Azure > IAM > Login Names > Primary Object ID policy. This works fine when the casing in the Azure > IAM > Login Names policy is the same as in the Azure > IAM > Login Names > Primary Object ID policy; however, it failed to create the role assignment if the casing was different. This issue has been fixed.

5.1.8 (2020-07-24)

Bug fixes

  • When deleting inactive resources through an Active control, different warning periods in days can be set to delay deletion. We recently identified a bug that would cause these warning periods to be ignored, and any inactive resources would be deleted immediately. This bug has been fixed and now all Active controls will abide by the warning period set in the policy value.

5.1.7 (2020-06-17)

Bug fixes

  • If a Guardrails profile had any email addresses in the Azure > IAM > Login Names policy that did not exist in the Azure active directory, the Azure > IAM > Login Names > Primary Object ID policy would incorrectly move to an error state. This issue has been fixed.

5.1.6 (2020-05-19)

Bug fixes

  • Links to documentation in the descriptions for several controls and policies were broken. These links have now been fixed.

5.1.5 (2020-04-29)

Bug fixes

  • Earlier, when we assigned the same Role (Azure/SuperUser or Azure/Admin) to a User at different levels within the same hierarchy, the Azure > Turbot > IAM control remained in an error state. This error has been fixed and the Role assignment now completes smoothly.
  • The Azure > IAM > Role Assignment > Discovery control will now correctly upsert all the Role Assignments into the database.