Policy types for @turbot/azure-iam

Azure > IAM > Enabled

Enable Azure IAM service.

URI
tmod:@turbot/azure-iam#/policy/types/iamEnabled
Valid Value
[
"Enabled",
"Enabled: Metadata Only",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Enabled: Metadata Only",
"Disabled"
],
"example": [
"Enabled"
],
"default": "Disabled"
}

Azure > IAM > Login Names

A list of user names that should map to this profile. This policy is used by the event router to map an Azure user to a Guardrails profile, and to grant permissions via Turbot.

URI
tmod:@turbot/azure-iam#/policy/types/loginNames
Schema
{
"type": "array",
"default": []
}

Azure > IAM > Login Names > Primary Object ID

The Azure Object ID of the primary login name, per Azure > IAM > Login Names. This is a read-only value used by Guardrails for granting permissions.

URI
tmod:@turbot/azure-iam#/policy/types/primaryObjectId
Schema
{
"type": "array"
}

Azure > IAM > Permissions

Configure whether permissions policies are in effect for Azure IAM.
This setting does not affect Subscription level permissions (Azure/Admin, Azure/Owner, etc.).

URI
tmod:@turbot/azure-iam#/policy/types/iamPermissions
Valid Value
[
"Enabled",
"Disabled",
"Enabled if Azure > IAM > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled",
"Enabled if Azure > IAM > Enabled"
],
"example": [
"Enabled"
],
"default": "Enabled if Azure > IAM > Enabled"
}

Azure > IAM > Permissions > Levels

Define the permissions levels that can be used to grant access to Azure IAM in an
Azure Subscription. Permissions levels defined here will appear in the UI to assign
access to Guardrails users.

URI
tmod:@turbot/azure-iam#/policy/types/iamPermissionsLevels
Default Template Input
[
"{\n item: subscription {\n turbot{\n id\n }\n }\n}\n",
"{\n availableLevels: policyValues(filter:\"policyTypeLevel:self resourceId:{{ $.item.turbot.id }} policyTypeId:'tmod:@turbot/azure-iam#/policy/types/permissionsLevelsDefault'\") {\n items {\n value\n }\n }\n}\n"
]
Default Template
"{% if $.availableLevels.items[0].value | length == 0 %} [] {% endif %}{% for item in $.availableLevels.items[0].value %}- {{ item }}\n{% endfor %}"
Schema
{
"type": "array",
"items": {
"type": "string",
"enum": [
"User",
"Metadata",
"ReadOnly",
"Operator",
"Admin",
"Owner"
]
}
}

Azure > IAM > Permissions > Levels > Modifiers

A map of Azure API to Guardrails Permission Level used to customize Guardrails'
standard permissions. You can add, remove or redefine the mapping of
Azure API operations to Guardrails permissions levels here.

Example:
- "Microsoft.IAM/IAM/delete": operator
- "Microsoft.IAM/IAM/write": admin
- "Microsoft.IAM/IAM/read": readonly

URI
tmod:@turbot/azure-iam#/policy/types/iamPermissionsLevelsModifiers

Azure > IAM > Role Assignment > Active

Determine the action to take when an Azure IAM role assignment is not active, based on the Azure > IAM > Role Assignment > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > IAM > Role Assignment > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: This is in contrast with Approved, where a resource that appears to be
Unapproved for any reason is considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-iam#/policy/types/roleAssignmentActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

Azure > IAM > Role Assignment > Active > Age

The age after which the Azure IAM role assignment
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > IAM > Role Assignment > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note: This is in contrast with Approved, where a resource that appears to be
Unapproved for any reason is considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-iam#/policy/types/roleAssignmentActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

Azure > IAM > Role Assignment > Active > Last Modified

The number of days since the Azure IAM role assignment was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > IAM > Role Assignment > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: This is in contrast with Approved, where a resource that appears to be
Unapproved for any reason is considered Unapproved.

URI
tmod:@turbot/azure-iam#/policy/types/roleAssignmentActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

Azure > IAM > Role Assignment > Approved

Determine the action to take when an Azure IAM role assignment is not approved based on Azure > IAM > Role Assignment > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/azure-iam#/policy/types/roleAssignmentApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

Azure > IAM > Role Assignment > Approved > Custom

Determine whether the Azure IAM role assignment is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure IAM role assignment is not approved, it will be subject to the action specified in the Azure > IAM > Role Assignment > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/azure-iam#/policy/types/roleAssignmentApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

Azure > IAM > Role Assignment > Approved > Usage

Determine whether the Azure IAM role assignment is allowed to exist.

This policy will be evaluated by the Approved control. If an Azure IAM role assignment is not approved, it will be subject to the action specified in the Azure > IAM > Role Assignment > Approved policy.

See Approved for more information.

URI
tmod:@turbot/azure-iam#/policy/types/roleAssignmentApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if Azure > IAM > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if Azure > IAM > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if Azure > IAM > Enabled"
}

Azure > IAM > Role Assignment > CMDB

Configure whether to record and synchronize details for the Azure IAM role assignment into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/azure-iam#/policy/types/roleAssignmentCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

Azure > IAM > Role Assignment > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values set here are ignored;
the values are inherited from the stack that owns it.

The policy values listed below for Azure > IAM > Role Assignment are deprecated and
replaced by the current values shown. The deprecated values will be removed in the next major version.

| Deprecated Values | Current Values |
|--------------------------------------------------|----------------------------------------------------------------|
| Skip if using Configured > Source | Skip (unless claimed by a stack) |
| Check: Configured if using Configured > Source | Check: Per Configured > Source (unless claimed by a stack) |
| Enforce: Configured if using Configured > Source | Enforce: Per Configured > Source (unless claimed by a stack) |

URI
tmod:@turbot/azure-iam#/policy/types/roleAssignmentConfigured
Valid Value
[
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source",
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source",
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

Azure > IAM > Role Assignment > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI
tmod:@turbot/azure-iam#/policy/types/roleAssignmentConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

Azure > IAM > Role Assignment > Configured > Source

An HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/azure-iam#/policy/types/roleAssignmentConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

Azure > IAM > Role Definition > Active

Determine the action to take when an Azure IAM role definition is not active, based on the Azure > IAM > Role Definition > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > IAM > Role Definition > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: This is in contrast with Approved, where a resource that appears to be
Unapproved for any reason is considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-iam#/policy/types/roleDefinitionActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

Azure > IAM > Role Definition > Active > Age

The age after which the Azure IAM role definition
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > IAM > Role Definition > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note: This is in contrast with Approved, where a resource that appears to be
Unapproved for any reason is considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-iam#/policy/types/roleDefinitionActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

Azure > IAM > Role Definition > Active > Last Modified

The number of days since the Azure IAM role definition was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > IAM > Role Definition > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: This is in contrast with Approved, where a resource that appears to be
Unapproved for any reason is considered Unapproved.

URI
tmod:@turbot/azure-iam#/policy/types/roleDefinitionActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

Azure > IAM > Role Definition > Approved

Determine the action to take when an Azure IAM role definition is not approved based on Azure > IAM > Role Definition > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/azure-iam#/policy/types/roleDefinitionApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

Azure > IAM > Role Definition > Approved > Custom

Determine whether the Azure IAM role definition is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure IAM role definition is not approved, it will be subject to the action specified in the Azure > IAM > Role Definition > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/azure-iam#/policy/types/roleDefinitionApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}
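Both Approved > Custom policies on this page (for role assignments and for role definitions) accept the same three value shapes described in the Note: a bare string, one YAML object, or a list of objects with a required result and optional title and message. The following is an added example, not code from the @turbot/azure-iam mod: it validates a value already parsed from YAML against the patterns in the schema and then applies the Approved control's rule that a resource which is Not approved for any reason is unapproved. The assumption that this rule also applies across entries within a single list, and the sample value, are constructed here.

```python
import re
from typing import Any, Dict, List, Tuple

# Regular expressions copied from the Approved > Custom policy schema above.
RESULT_RE = re.compile(r"^(Approved|Not approved|Skip)$")
TITLE_RE = re.compile(r"^[\W\w]{1,32}$")
MESSAGE_RE = re.compile(r"^[\W\w]{1,128}$")
ALLOWED_KEYS = {"title", "message", "result"}


def _check_object(item: Any) -> Dict[str, Any]:
    """Validate one YAML object: 'result' is required, 'title' and 'message'
    are optional, and no other keys are allowed (additionalProperties: false)."""
    if not isinstance(item, dict):
        raise ValueError(f"expected an object, got {type(item).__name__}")
    extra = set(item) - ALLOWED_KEYS
    if extra:
        raise ValueError(f"unexpected keys: {sorted(extra)}")
    if "result" not in item:
        raise ValueError("'result' is required")
    for key, pattern in (("result", RESULT_RE), ("title", TITLE_RE), ("message", MESSAGE_RE)):
        if key in item:
            val = item[key]
            # fullmatch mirrors the anchored ^...$ patterns of the schema.
            if not (isinstance(val, str) and pattern.fullmatch(val)):
                raise ValueError(f"{key!r} does not match {pattern.pattern}")
    return item


def normalise(value: Any) -> List[Dict[str, Any]]:
    """Accept the three shapes allowed by the schema's anyOf (string, object,
    array of objects) and return them as a list of result objects."""
    if isinstance(value, str):
        if not RESULT_RE.fullmatch(value):
            raise ValueError(f"invalid string value: {value!r}")
        return [{"result": value}]
    if isinstance(value, dict):
        return [_check_object(value)]
    if isinstance(value, list):
        return [_check_object(item) for item in value]
    raise ValueError(f"unsupported value type: {type(value).__name__}")


def is_valid(value: Any) -> bool:
    """True if the value satisfies the schema, False otherwise."""
    try:
        normalise(value)
    except ValueError:
        return False
    return True


def evaluate(value: Any) -> Tuple[str, List[Dict[str, Any]]]:
    """Return the overall status and the entries that decided it.
    Assumption (not stated on the page): inside a list, any 'Not approved'
    entry wins, otherwise any 'Approved' entry wins, and 'Skip' carries no weight."""
    items = normalise(value)
    not_approved = [i for i in items if i["result"] == "Not approved"]
    if not_approved:
        return "Not approved", not_approved
    approved = [i for i in items if i["result"] == "Approved"]
    if approved:
        return "Approved", approved
    return "Skip", []


# Constructed sample, shaped like the output of yaml.safe_load on a policy
# value (PyYAML is deliberately not used so this runs without extra packages).
SAMPLE_VALUE = [
    {"title": "Owner tag", "result": "Approved", "message": "owner tag present"},
    {"title": "Scope", "result": "Not approved", "message": "scope not in allow list"},
    {"result": "Skip"},
]

if __name__ == "__main__":
    status, reasons = evaluate(SAMPLE_VALUE)
    print(status)
    for entry in reasons:
        print(f"  {entry.get('title', '-')}: {entry.get('message', '')}")
```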

Azure > IAM > Role Definition > Approved > Usage

Determine whether the Azure IAM role definition is allowed to exist.

This policy will be evaluated by the Approved control. If an Azure IAM role definition is not approved, it will be subject to the action specified in the Azure > IAM > Role Definition > Approved policy.

See Approved for more information.

URI
tmod:@turbot/azure-iam#/policy/types/roleDefinitionApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if Azure > IAM > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if Azure > IAM > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if Azure > IAM > Enabled"
}

Azure > IAM > Role Definition > CMDB

Configure whether to record and synchronize details for the Azure IAM role definition into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/azure-iam#/policy/types/roleDefinitionCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

Azure > IAM > Role Definition > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values set here are ignored;
the values are inherited from the stack that owns it.

The policy values listed below for Azure > IAM > Role Definition are deprecated and
replaced by the current values shown. The deprecated values will be removed in the next major version.

| Deprecated Values | Current Values |
|--------------------------------------------------|----------------------------------------------------------------|
| Skip if using Configured > Source | Skip (unless claimed by a stack) |
| Check: Configured if using Configured > Source | Check: Per Configured > Source (unless claimed by a stack) |
| Enforce: Configured if using Configured > Source | Enforce: Per Configured > Source (unless claimed by a stack) |

URI
tmod:@turbot/azure-iam#/policy/types/roleDefinitionConfigured
Valid Value
[
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source",
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
]
Schema
{
"enum": [
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source",
"Skip (unless claimed by a stack)",
"Check: Per Configured > Source (unless claimed by a stack)",
"Enforce: Per Configured > Source (unless claimed by a stack)"
],
"default": "Skip (unless claimed by a stack)"
}

Azure > IAM > Role Definition > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI
tmod:@turbot/azure-iam#/policy/types/roleDefinitionConfiguredPrecedence
Default Template Input
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
Default Template
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

Azure > IAM > Role Definition > Configured > Source

An HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/azure-iam#/policy/types/roleDefinitionConfiguredSource
Schema
{
"type": "string",
"default": "",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

Azure > IAM > Turbot

Configures Guardrails IAM users and roles, per Azure > Permissions.

URI
tmod:@turbot/azure-iam#/policy/types/iamTurbot
Valid Value
[
"Per Azure > Permissions"
]
Schema
{
"type": "string",
"enum": [
"Per Azure > Permissions"
],
"default": "Per Azure > Permissions"
}

Azure > Turbot > Permissions

Configures whether Guardrails will manage permissions in Azure.

URI
tmod:@turbot/azure-iam#/policy/types/permissions
Valid Value
[
"Skip",
"Check: None",
"Check: Role Mode",
"Enforce: None",
"Enforce: Role Mode"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: None",
"Check: Role Mode",
"Enforce: None",
"Enforce: Role Mode"
],
"example": [
"Enforce: None"
],
"default": "Skip"
}

Azure > Turbot > Permissions > Compiled

URI
tmod:@turbot/azure-iam#/policy/types/iamPermissionsCompiled

Azure > Turbot > Permissions > Compiled > Levels

A calculated policy that Guardrails uses to create a single list of ALL permissions levels for all services that is used as input to the stack that manages the Guardrails IAM permissions objects.

URI
tmod:@turbot/azure-iam#/policy/types/iamPermissionsCompiledLevels

Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-iam

A calculated policy that Guardrails uses to create a compiled list of ALL
permission levels for Azure IAM that is used as input to the
stack that manages the Guardrails IAM permissions objects.

Azure > Turbot > Permissions > Compiled > Service Permissions

A calculated policy that Guardrails uses to create a single list of ALL permissions for all services that is used as input to the control that manages the IAM stack.

URI
tmod:@turbot/azure-iam#/policy/types/iamPermissionsCompiledServicePermissions
Schema
{
"type": "array"
}

Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-iam

A calculated policy that Guardrails uses to build the compiled list of ALL permissions for Azure IAM; the list is used as input to the control that manages the IAM stack.

URI
tmod:@turbot/azure-iam#/policy/types/azureCompiledServicePermissions

Azure > Turbot > Permissions > Compiled > Subscription Permissions

A calculated policy that Guardrails uses to build a single list of ALL provider-level permissions (Azure/Admin, Azure/Operator, etc.); the list is used as input to the control that manages the IAM stack.

URI
tmod:@turbot/azure-iam#/policy/types/iamPermissionsCompiledSubscriptionPermissions

Azure > Turbot > Permissions > Custom Levels

An ordered list of Azure role names to use as custom Guardrails permission
levels for Azure subscriptions.

Each level in this policy appears in the Guardrails console as grantable to
Guardrails users under the name Azure/Role/{role name}. When access is granted,
Guardrails assigns the associated Azure role to the user in the subscription.

Note that the roles must already exist in the Azure subscription; this policy
does not create them.

URI
tmod:@turbot/azure-iam#/policy/types/permissionsCustomLevelsSubscription
Schema
{
"type": "array",
"default": [],
"example": [
[
"my_custom_backup_role",
"my_custom_infosec_role"
]
],
"items": {
"type": "string",
"minLength": 1,
"maxLength": 128
}
}
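A pre-flight check for a proposed Custom Levels value, added here as an example and not part of Guardrails or this mod. It applies the schema constraints above (an array of strings, each 1 to 128 characters) and then checks that every name is a role that already exists in the subscription, which is the caveat above. The subscription's role list embedded below is a constructed stand-in, and the helper names (`validate_custom_levels`, `check_policy_json`) are assumptions for the example; in practice the role names would come from `az role definition list` for the target subscription.

```python
"""Pre-flight validation for Azure > Turbot > Permissions > Custom Levels.

Added example, not Guardrails code. Checks a candidate policy value against
the schema on this page (array of strings, 1..128 chars) and confirms each
role already exists, since Guardrails grants existing roles and does not
create them.
"""
import json

# Constructed stand-in for the subscription's role definition names.
# In practice, populate this from `az role definition list` (roleName field).
SUBSCRIPTION_ROLES = {
    "Reader", "Contributor", "Owner",
    "my_custom_backup_role", "my_custom_infosec_role",
}

MAX_LEN = 128  # schema: items.maxLength


def validate_custom_levels(value, existing_roles=SUBSCRIPTION_ROLES):
    """Return (ok, problems) for a decoded policy value."""
    problems = []
    if not isinstance(value, list):
        return False, ["policy value must be a JSON array of role names"]
    seen = set()
    for i, name in enumerate(value):
        if not isinstance(name, str):
            problems.append(f"[{i}] not a string: {name!r}")
            continue
        if not 1 <= len(name) <= MAX_LEN:
            problems.append(f"[{i}] length {len(name)} outside 1..{MAX_LEN}")
        if name != name.strip():
            problems.append(f"[{i}] leading/trailing whitespace in {name!r}")
        if name in seen:
            problems.append(f"[{i}] duplicate role name {name!r}")
        seen.add(name)
        # The caveat from the policy description: the role must already exist.
        if name not in existing_roles:
            problems.append(f"[{i}] role {name!r} does not exist in the subscription")
    return not problems, problems


def grantable_level_names(value):
    """Level names as they will appear in the Guardrails console."""
    return [f"Azure/Role/{name}" for name in value]


def check_policy_json(text, existing_roles=SUBSCRIPTION_ROLES):
    """Parse a policy value given as JSON text and validate it.

    Returns (ok, problems, level_names); level_names is empty unless ok.
    """
    try:
        value = json.loads(text)
    except json.JSONDecodeError as exc:
        return False, [f"invalid JSON: {exc}"], []
    ok, problems = validate_custom_levels(value, existing_roles)
    return ok, problems, grantable_level_names(value) if ok else []


if __name__ == "__main__":
    candidate = '["my_custom_backup_role", "my_custom_infosec_role", "typo_role"]'
    ok, problems, names = check_policy_json(candidate)
    print("ok:", ok)
    for p in problems:
        print("problem:", p)
    for n in names:
        print("grantable:", n)
```

Run the check against the real role list before setting the policy; a name that does not match an existing role definition produces a level that can be granted in the console but has nothing to assign in Azure.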

Azure > Turbot > Permissions > Levels

Define the permissions levels that can be used to grant access to an
Azure subscription. Permissions levels defined will appear in the UI to assign
access to Guardrails users.

URI
tmod:@turbot/azure-iam#/policy/types/permissionsLevels
Schema
{
"type": "array",
"items": {
"type": "string",
"enum": [
"Azure/User",
"Azure/Metadata",
"Azure/ReadOnly",
"Azure/Operator",
"Azure/Admin",
"Azure/Owner",
"Azure/SuperUser"
]
},
"default": [
"Azure/User",
"Azure/Metadata",
"Azure/ReadOnly",
"Azure/Operator",
"Azure/Admin",
"Azure/Owner",
"Azure/SuperUser"
]
}

Azure > Turbot > Permissions > Levels > Modifiers

A map of Azure API operations to Guardrails permission levels, used to customize Guardrails' standard permissions.
You can add, remove or redefine the mapping of Azure API operations to Guardrails permission levels here.

Note:
Modifiers are cumulative: if you add a permission to the metadata level, it is also added to readOnly, operator and admin.

Modifier policies set here apply ONLY to the Azure levels (Azure/Admin, Azure/Operator, etc.),
not to the service levels (Azure/Storage/Admin, Azure/Compute/Operator, etc.).

URI
tmod:@turbot/azure-iam#/policy/types/permissionsLevelsModifiers
Schema
{
"type": "array",
"default": [],
"example": [
[
{
"Microsoft.Storage/storageAccounts/delete": "operator"
},
{
"Microsoft.Storage/storageAccounts/write": "admin"
},
{
"Microsoft.Storage/storageAccounts/read": "readOnly"
},
{
"Microsoft.Compute/disks/delete": "operator"
}
]
]
}
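The cumulative rule is the part that bites in practice: an operation placed at metadata is granted to everyone holding readOnly or above, so a mutating operation mapped to a low level widens access far beyond the level named. The Python below is an added example, not Guardrails code, that models the documented rule so you can preview the effect of a Modifiers value before setting it. The base mapping is constructed for the example and is not Guardrails' real standard mapping; the level names in modifier values (`metadata`, `readOnly`, `operator`, `admin`) follow the schema example above, and the helper names are assumptions.

```python
"""Model of how Azure > Turbot > Permissions > Levels > Modifiers compose.

Added example, not Guardrails code. It models the documented rule that
modifiers are cumulative: an operation added at 'metadata' is also granted
at readOnly, operator and admin. The base mapping is constructed for the
example; Guardrails' real standard mapping is not reproduced here.
"""

# Level names as written in modifier values, lowest to highest.
LEVEL_ORDER = ["metadata", "readOnly", "operator", "admin"]

# Constructed stand-in for the standard operation-to-level mapping.
BASE_MAPPING = {
    "Microsoft.Storage/storageAccounts/read": "metadata",
    "Microsoft.Storage/storageAccounts/listKeys/action": "operator",
    "Microsoft.Storage/storageAccounts/write": "admin",
    "Microsoft.Storage/storageAccounts/delete": "admin",
    "Microsoft.Compute/disks/read": "readOnly",
    "Microsoft.Compute/disks/delete": "admin",
}


def validate_modifiers(modifiers):
    """Check the value has the shape of the schema example: a list of
    single-key objects mapping an Azure operation string to a level name."""
    errors = []
    for i, entry in enumerate(modifiers):
        if not isinstance(entry, dict) or len(entry) != 1:
            errors.append(f"entry {i}: expected a single-key object, got {entry!r}")
            continue
        for op, level in entry.items():
            if not isinstance(op, str) or not op.startswith("Microsoft.") or op.count("/") < 2:
                errors.append(f"entry {i}: {op!r} does not look like an Azure operation")
            if level not in LEVEL_ORDER:
                errors.append(f"entry {i}: unknown level {level!r}; expected one of {LEVEL_ORDER}")
    return errors


def apply_modifiers(base, modifiers):
    """Return {operation: level} after the modifiers override the base.
    Later entries win over earlier ones for the same operation."""
    merged = dict(base)
    for entry in modifiers:
        for op, level in entry.items():
            merged[op] = level
    return merged


def effective_levels(mapping):
    """Expand {operation: level} into {level: set(operations)} applying the
    cumulative rule: an operation at level L is held by L and every higher level."""
    result = {lvl: set() for lvl in LEVEL_ORDER}
    for op, level in mapping.items():
        for lvl in LEVEL_ORDER[LEVEL_ORDER.index(level):]:
            result[lvl].add(op)
    return result


def risky_modifiers(modifiers, floor="operator"):
    """Flag write/delete/action operations placed below `floor`; because of
    the cumulative rule they are then granted to every level above too."""
    floor_idx = LEVEL_ORDER.index(floor)
    flagged = []
    for entry in modifiers:
        for op, level in entry.items():
            verb = op.rsplit("/", 1)[-1]
            if verb in ("write", "delete", "action") and LEVEL_ORDER.index(level) < floor_idx:
                flagged.append((op, level))
    return flagged


if __name__ == "__main__":
    mods = [
        {"Microsoft.Storage/storageAccounts/delete": "operator"},
        {"Microsoft.Compute/disks/delete": "metadata"},
    ]
    for problem in validate_modifiers(mods):
        print("invalid:", problem)
    levels = effective_levels(apply_modifiers(BASE_MAPPING, mods))
    for lvl in LEVEL_ORDER:
        print(f"{lvl:9s} {sorted(levels[lvl])}")
    for op, lvl in risky_modifiers(mods):
        print(f"WARNING: {op} at {lvl} is cumulatively granted to all higher levels")
```

The warning path is the check worth keeping: with the constructed sample, moving `Microsoft.Compute/disks/delete` to metadata makes it appear in the readOnly set as well, which is exactly what the note above means by cumulative.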

Azure > Turbot > Permissions > Levels [Default]

Define the permissions levels that can be used to grant access to services in an
Azure subscription. Permissions levels defined will appear in the UI to assign
access to Guardrails users.

This policy provides a default for Permissions > Levels in each service;
you can explicitly override the setting for each service if desired.

URI
tmod:@turbot/azure-iam#/policy/types/permissionsLevelsDefault
Schema
{
"type": "array",
"items": {
"type": "string",
"enum": [
"Metadata",
"ReadOnly",
"Operator",
"Admin",
"Owner"
]
},
"default": []
}

Azure > Turbot > Permissions > Role

URI
tmod:@turbot/azure-iam#/policy/types/turbotRole
Targets

Azure > Turbot > Permissions > Role > Name Prefix

A prefix to be used in resource names for standard Guardrails IAM Roles.

URI
tmod:@turbot/azure-iam#/policy/types/turbotRoleNamePrefix
Schema
{
"type": "string",
"default": "",
"example": "turbot-"
}

Azure > Turbot > Permissions > Source

An HCL-format configuration template used to create the Guardrails permissions policies.

URI
tmod:@turbot/azure-iam#/policy/types/iamTurbotSource
Schema
{
"type": "string",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

Azure > Turbot > Permissions > Terraform Version

The version of Terraform to use for this stack. Specify an npm-style semver string to determine which version of the Terraform container Guardrails will use to run this stack.

A Guardrails Stack is a set of resources configured by Turbot, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.

URI
tmod:@turbot/azure-iam#/policy/types/permissionsTerraformVersion
Schema
{
"type": "string"
}

Turbot > IAM > Permissions > Compiled > Levels > Azure

A list of Azure permissions that Guardrails may use to grant permissions on a subscription or resource group.

URI
tmod:@turbot/azure-iam#/policy/types/turbotPermissionsCompiledLevelsAzure
Schema
{
"type": "array"
}

Turbot > IAM > Permissions > Compiled > Levels > Azure [Turbot]

A list of Azure permissions that Guardrails may use to grant permissions on folders that have Azure subscriptions as children.

URI
tmod:@turbot/azure-iam#/policy/types/turbotPermissionsCompiledLevels