Policy types for @turbot/azure-network

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

Azure > Network > Application Security Group > Active > Age

The age after which the Azure Network application security group
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Application Security Group > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note In contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI

tmod:@turbot/azure-network#/policy/types/applicationSecurityGroupActiveAge

Category

Azure > Network > Application Security Group > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

Azure > Network > Application Security Group > Active > Last Modified

The number of days since the Azure Network application security group was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Application Security Group > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI

tmod:@turbot/azure-network#/policy/types/applicationSecurityGroupActiveLastModified

Category

Azure > Network > Application Security Group > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

Azure > Network > Application Security Group > Approved

Determine the action to take when an Azure Network application security group is not approved based on Azure > Network > Application Security Group > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI

tmod:@turbot/azure-network#/policy/types/applicationSecurityGroupApproved

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

Azure > Network > Application Security Group > Approved > Custom

Determine whether the Azure Network application security group is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Network application security group is not approved, it will be subject to the action specified in the Azure > Network > Application Security Group > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI

tmod:@turbot/azure-network#/policy/types/applicationSecurityGroupApprovedCustom

Category

Azure > Network > Application Security Group > Approved

Parent

Targets

Schema

{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

Azure > Network > Application Security Group > Approved > Regions

A list of Azure regions in which Azure Network application security groups are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an Azure Network application security group is created in a region that is not in the approved list, it will be subject to the action specified in the Azure > Network > Application Security Group > Approved policy.

See Approved for more information.

URI

tmod:@turbot/azure-network#/policy/types/applicationSecurityGroupApprovedRegions

Category

Azure > Network > Application Security Group > Approved

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkApprovedRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

Schema

Azure > Network > Application Security Group > Approved > Usage

URI

tmod:@turbot/azure-network#/policy/types/applicationSecurityGroupApprovedUsage

Category

Azure > Network > Application Security Group > Approved

Parent

Targets

Valid Value

[
  "Not approved",
  "Approved",
  "Approved if Azure > Network > Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if Azure > Network > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if Azure > Network > Enabled"
}

Azure > Network > Application Security Group > CMDB

Configure whether to record and synchronize details for the Azure Network application security group into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in Azure > Network > Application Security Group > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI

tmod:@turbot/azure-network#/policy/types/applicationSecurityGroupCmdb

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Enabled if Network provider is Registered",
  "Enforce: Disabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Enabled if Network provider is Registered",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled if Network provider is Registered"
}

Azure > Network > Application Security Group > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

The policy values for Azure > Network > Application Security Group are deprecated and
replaced by new values. The deprecated values will be removed in the next major version.

| Deprecated Values | Current Values |
|--------------------------------------------------|----------------------------------------------------------------|
| Skip if using Configured > Source | Skip \$unless claimed by a stack\$ |
| Check: Configured if using Configured > Source | Check: Per Configured > Source \$unless claimed by a stack\$ |
| Enforce: Configured if using Configured > Source | Enforce: Per Configured > Source \$unless claimed by a stack\$ |

URI

tmod:@turbot/azure-network#/policy/types/applicationSecurityGroupConfigured

Category

Parent

Targets

Valid Value

[
  "Skip if using Configured > Source",
  "Check: Configured if using Configured > Source",
  "Enforce: Configured if using Configured > Source",
  "Skip (unless claimed by a stack)",
  "Check: Per Configured > Source (unless claimed by a stack)",
  "Enforce: Per Configured > Source (unless claimed by a stack)"
]

Schema

{
  "enum": [
    "Skip if using Configured > Source",
    "Check: Configured if using Configured > Source",
    "Enforce: Configured if using Configured > Source",
    "Skip (unless claimed by a stack)",
    "Check: Per Configured > Source (unless claimed by a stack)",
    "Enforce: Per Configured > Source (unless claimed by a stack)"
  ],
  "default": "Skip (unless claimed by a stack)"
}

Azure > Network > Application Security Group > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI

tmod:@turbot/azure-network#/policy/types/applicationSecurityGroupConfiguredPrecedence

Category

Azure > Network > Application Security Group > Configured

Parent

Targets

Default Template Input

"{\n  defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"

Default Template

"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"

Schema

{
  "type": "array",
  "items": {
    "type": "string"
  }
}

Azure > Network > Application Security Group > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource.

URI

tmod:@turbot/azure-network#/policy/types/applicationSecurityGroupConfiguredSource

Category

Azure > Network > Application Security Group > Configured

Parent

Targets

Schema

{
  "type": "string",
  "default": "",
  "x-schema-form": {
    "type": "code",
    "language": "hcl"
  }
}

Azure > Network > Application Security Group > Regions

A list of Azure regions in which Azure Network application security groups are supported for use.

Any application security groups in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

URI

tmod:@turbot/azure-network#/policy/types/applicationSecurityGroupRegions

Category

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

Schema

Azure > Network > Application Security Group > Tags

Determine the action to take when an Azure Network application security group tags are not updated based on the Azure > Network > Application Security Group > Tags > * policies.

The control ensure Azure Network application security group tags include tags defined in Azure > Network > Application Security Group > Tags > Template.

Tags not defined in Application Security Group Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/azure-network#/policy/types/applicationSecurityGroupTags

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

Azure > Network > Application Security Group > Tags > Template

The template is used to generate the keys and values for Azure Network application security group.

Tags not defined in Application Security Group Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/azure-network#/policy/types/applicationSecurityGroupTagsTemplate

Category

Azure > Network > Application Security Group > Tags

Parent

Targets

Default Template Input

[
  "{\n  subscription {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkTagsTemplate\" resourceId: \"{{ $.subscription.turbot.id }}\") {\n    value\n  }\n}\n"
]

Default Template

"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Schema

Azure > Network > Approved Regions [Default]

A list of Azure regions in which Azure Network resources are approved for use.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

This policy is the default value for all Azure Network resources' Approved > Regions policies.

URI

tmod:@turbot/azure-network#/policy/types/networkApprovedRegionsDefault

Category

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/azure#/policy/types/approvedRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

Schema

Azure > Network > Enabled

Enable Azure Network service.

URI

tmod:@turbot/azure-network#/policy/types/networkEnabled

Category

Parent

Targets

Valid Value

[
  "Enabled",
  "Enabled: Metadata Only",
  "Disabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Enabled",
    "Enabled: Metadata Only",
    "Disabled"
  ],
  "example": [
    "Enabled"
  ],
  "default": "Disabled"
}

Azure > Network > Express Route Circuits > Active

Determine the action to take when an Azure Network express route circuits, based on the Azure > Network > Express Route Circuits > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Express Route Circuits > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI

tmod:@turbot/azure-network#/policy/types/expressRouteCircuitsActive

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

Azure > Network > Express Route Circuits > Active > Age

The age after which the Azure Network express route circuits
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Express Route Circuits > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note In contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI

tmod:@turbot/azure-network#/policy/types/expressRouteCircuitsActiveAge

Category

Azure > Network > Express Route Circuits > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

Azure > Network > Express Route Circuits > Active > Last Modified

The number of days since the Azure Network express route circuits was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Express Route Circuits > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI

tmod:@turbot/azure-network#/policy/types/expressRouteCircuitsActiveLastModified

Category

Azure > Network > Express Route Circuits > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

Azure > Network > Express Route Circuits > Approved

Determine the action to take when an Azure Network express route circuits is not approved based on Azure > Network > Express Route Circuits > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI

tmod:@turbot/azure-network#/policy/types/expressRouteCircuitsApproved

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

Azure > Network > Express Route Circuits > Approved > Custom

Determine whether the Azure Network express route circuits is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Network express route circuits is not approved, it will be subject to the action specified in the Azure > Network > Express Route Circuits > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI

tmod:@turbot/azure-network#/policy/types/expressRouteCircuitsApprovedCustom

Category

Azure > Network > Express Route Circuits > Approved

Parent

Targets

Schema

{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

Azure > Network > Express Route Circuits > Approved > Regions

A list of Azure regions in which Azure Network express route circuitss are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an Azure Network express route circuits is created in a region that is not in the approved list, it will be subject to the action specified in the Azure > Network > Express Route Circuits > Approved policy.

See Approved for more information.

URI

tmod:@turbot/azure-network#/policy/types/expressRouteCircuitsApprovedRegions

Category

Azure > Network > Express Route Circuits > Approved

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkApprovedRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

Schema

Azure > Network > Express Route Circuits > Approved > Usage

URI

tmod:@turbot/azure-network#/policy/types/expressRouteCircuitsApprovedUsage

Category

Azure > Network > Express Route Circuits > Approved

Parent

Targets

Valid Value

[
  "Not approved",
  "Approved",
  "Approved if Azure > Network > Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if Azure > Network > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if Azure > Network > Enabled"
}

Azure > Network > Express Route Circuits > CMDB

Configure whether to record and synchronize details for the Azure Network express route circuits into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in Azure > Network > Express Route Circuits > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI

tmod:@turbot/azure-network#/policy/types/expressRouteCircuitsCmdb

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Enabled if Network provider is Registered",
  "Enforce: Disabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Enabled if Network provider is Registered",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled if Network provider is Registered"
}

Azure > Network > Express Route Circuits > Regions

A list of Azure regions in which Azure Network express route circuits are supported for use.

Any express route circuits in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

URI

tmod:@turbot/azure-network#/policy/types/expressRouteCircuitsRegions

Category

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

Schema

Azure > Network > Express Route Circuits > Tags

Determine the action to take when an Azure Network express route circuits tags are not updated based on the Azure > Network > Express Route Circuits > Tags > * policies.

The control ensure Azure Network express route circuits tags include tags defined in Azure > Network > Express Route Circuits > Tags > Template.

Tags not defined in Express Route Circuits Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/azure-network#/policy/types/expressRouteCircuitsTags

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

Azure > Network > Express Route Circuits > Tags > Template

The template is used to generate the keys and values for Azure Network express route circuits.

Tags not defined in Express Route Circuits Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/azure-network#/policy/types/expressRouteCircuitsTagsTemplate

Category

Azure > Network > Express Route Circuits > Tags

Parent

Targets

Default Template Input

[
  "{\n  subscription {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkTagsTemplate\" resourceId: \"{{ $.subscription.turbot.id }}\") {\n    value\n  }\n}\n"
]

Default Template

"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Schema

Azure > Network > Network Interface > Active

Determine the action to take when an Azure Network network interface, based on the Azure > Network > Network Interface > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Network Interface > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI

tmod:@turbot/azure-network#/policy/types/networkInterfaceActive

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

Azure > Network > Network Interface > Active > Age

The age after which the Azure Network network interface
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Network Interface > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note In contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI

tmod:@turbot/azure-network#/policy/types/networkInterfaceActiveAge

Category

Azure > Network > Network Interface > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

Azure > Network > Network Interface > Active > Attached

Determine whether the Network Interface is active, based on whether it is attached to any other resource types.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (Azure > Network > Network Interface > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.

Note In contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

URI

tmod:@turbot/azure-network#/policy/types/networkInterfaceActiveAttached

Category

Azure > Network > Network Interface > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Active if attached",
  "Force active if attached",
  "Force inactive if unattached"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Active if attached",
    "Force active if attached",
    "Force inactive if unattached"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

Azure > Network > Network Interface > Active > Last Modified

The number of days since the Azure Network network interface was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Network Interface > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI

tmod:@turbot/azure-network#/policy/types/networkInterfaceActiveLastModified

Category

Azure > Network > Network Interface > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

Azure > Network > Network Interface > Approved

Determine the action to take when an Azure Network network interface is not approved based on Azure > Network > Network Interface > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI

tmod:@turbot/azure-network#/policy/types/networkInterfaceApproved

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

Azure > Network > Network Interface > Approved > Custom

Determine whether the Azure Network network interface is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Network network interface is not approved, it will be subject to the action specified in the Azure > Network > Network Interface > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI

tmod:@turbot/azure-network#/policy/types/networkInterfaceApprovedCustom

Category

Azure > Network > Network Interface > Approved

Parent

Targets

Schema

{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

Azure > Network > Network Interface > Approved > Regions

A list of Azure regions in which Azure Network network interfaces are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an Azure Network network interface is created in a region that is not in the approved list, it will be subject to the action specified in the Azure > Network > Network Interface > Approved policy.

See Approved for more information.

URI

tmod:@turbot/azure-network#/policy/types/networkInterfaceApprovedRegions

Category

Azure > Network > Network Interface > Approved

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkApprovedRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

Schema

Azure > Network > Network Interface > Approved > Usage

URI

tmod:@turbot/azure-network#/policy/types/networkInterfaceApprovedUsage

Category

Azure > Network > Network Interface > Approved

Parent

Targets

Valid Value

[
  "Not approved",
  "Approved",
  "Approved if Azure > Network > Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if Azure > Network > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if Azure > Network > Enabled"
}

Azure > Network > Network Interface > CMDB

Configure whether to record and synchronize details for the Azure Network network interface into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in Azure > Network > Network Interface > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI

tmod:@turbot/azure-network#/policy/types/networkInterfaceCmdb

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Enabled if Network provider is Registered",
  "Enforce: Disabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Enabled if Network provider is Registered",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled if Network provider is Registered"
}

Azure > Network > Network Interface > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

The policy values for Azure > Network > Network Interface are deprecated and
replaced by new values. The deprecated values will be removed in the next major version.

| Deprecated Values | Current Values |
|--------------------------------------------------|----------------------------------------------------------------|
| Skip if using Configured > Source | Skip \$unless claimed by a stack\$ |
| Check: Configured if using Configured > Source | Check: Per Configured > Source \$unless claimed by a stack\$ |
| Enforce: Configured if using Configured > Source | Enforce: Per Configured > Source \$unless claimed by a stack\$ |

URI

tmod:@turbot/azure-network#/policy/types/networkInterfaceConfigured

Category

Parent

Targets

Valid Value

[
  "Skip if using Configured > Source",
  "Check: Configured if using Configured > Source",
  "Enforce: Configured if using Configured > Source",
  "Skip (unless claimed by a stack)",
  "Check: Per Configured > Source (unless claimed by a stack)",
  "Enforce: Per Configured > Source (unless claimed by a stack)"
]

Schema

{
  "enum": [
    "Skip if using Configured > Source",
    "Check: Configured if using Configured > Source",
    "Enforce: Configured if using Configured > Source",
    "Skip (unless claimed by a stack)",
    "Check: Per Configured > Source (unless claimed by a stack)",
    "Enforce: Per Configured > Source (unless claimed by a stack)"
  ],
  "default": "Skip (unless claimed by a stack)"
}

Azure > Network > Network Interface > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI

tmod:@turbot/azure-network#/policy/types/networkInterfaceConfiguredPrecedence

Category

Azure > Network > Network Interface > Configured

Parent

Targets

Default Template Input

"{\n  defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"

Default Template

"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"

Schema

{
  "type": "array",
  "items": {
    "type": "string"
  }
}

Azure > Network > Network Interface > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource.

URI

tmod:@turbot/azure-network#/policy/types/networkInterfaceConfiguredSource

Category

Azure > Network > Network Interface > Configured

Parent

Targets

Schema

{
  "type": "string",
  "default": "",
  "x-schema-form": {
    "type": "code",
    "language": "hcl"
  }
}

Azure > Network > Network Interface > Regions

A list of Azure regions in which Azure Network network interfaces are supported for use.

Any network interfaces in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

URI

tmod:@turbot/azure-network#/policy/types/networkInterfaceRegions

Category

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

Schema

Azure > Network > Network Interface > Tags

Determine the action to take when an Azure Network network interface tags are not updated based on the Azure > Network > Network Interface > Tags > * policies.

The control ensure Azure Network network interface tags include tags defined in Azure > Network > Network Interface > Tags > Template.

Tags not defined in Network Interface Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/azure-network#/policy/types/networkInterfaceTags

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

Azure > Network > Network Interface > Tags > Template

The template is used to generate the keys and values for Azure Network network interface.

Tags not defined in Network Interface Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/azure-network#/policy/types/networkInterfaceTagsTemplate

Category

Azure > Network > Network Interface > Tags

Parent

Targets

Default Template Input

[
  "{\n  subscription {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkTagsTemplate\" resourceId: \"{{ $.subscription.turbot.id }}\") {\n    value\n  }\n}\n"
]

Default Template

"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Schema

Azure > Network > Network Security Group > Active

Determine the action to take when an Azure Network network security group, based on the Azure > Network > Network Security Group > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Network Security Group > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupActive

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

Azure > Network > Network Security Group > Active > Age

The age after which the Azure Network network security group
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Network Security Group > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note In contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupActiveAge

Category

Azure > Network > Network Security Group > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

Azure > Network > Network Security Group > Active > Last Modified

The number of days since the Azure Network network security group was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Network Security Group > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupActiveLastModified

Category

Azure > Network > Network Security Group > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

Azure > Network > Network Security Group > Approved

Determine the action to take when an Azure Network network security group is not approved based on Azure > Network > Network Security Group > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupApproved

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

Azure > Network > Network Security Group > Approved > Custom

Determine whether the Azure Network network security group is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Network network security group is not approved, it will be subject to the action specified in the Azure > Network > Network Security Group > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupApprovedCustom

Category

Azure > Network > Network Security Group > Approved

Parent

Targets

Schema

{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

Azure > Network > Network Security Group > Approved > Regions

A list of Azure regions in which Azure Network network security groups are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an Azure Network network security group is created in a region that is not in the approved list, it will be subject to the action specified in the Azure > Network > Network Security Group > Approved policy.

See Approved for more information.

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupApprovedRegions

Category

Azure > Network > Network Security Group > Approved

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkApprovedRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

Schema

Azure > Network > Network Security Group > Approved > Usage

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupApprovedUsage

Category

Azure > Network > Network Security Group > Approved

Parent

Targets

Valid Value

[
  "Not approved",
  "Approved",
  "Approved if Azure > Network > Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if Azure > Network > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if Azure > Network > Enabled"
}

Azure > Network > Network Security Group > CMDB

Configure whether to record and synchronize details for the Azure Network network security group into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in Azure > Network > Network Security Group > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupCmdb

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Enabled if Network provider is Registered",
  "Enforce: Disabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Enabled if Network provider is Registered",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled if Network provider is Registered"
}

Azure > Network > Network Security Group > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

The policy values for Azure > Network > Network Security Group are deprecated and
replaced by new values. The deprecated values will be removed in the next major version.

| Deprecated Values | Current Values |
|--------------------------------------------------|----------------------------------------------------------------|
| Skip if using Configured > Source | Skip \$unless claimed by a stack\$ |
| Check: Configured if using Configured > Source | Check: Per Configured > Source \$unless claimed by a stack\$ |
| Enforce: Configured if using Configured > Source | Enforce: Per Configured > Source \$unless claimed by a stack\$ |

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupConfigured

Category

Parent

Targets

Valid Value

[
  "Skip if using Configured > Source",
  "Check: Configured if using Configured > Source",
  "Enforce: Configured if using Configured > Source",
  "Skip (unless claimed by a stack)",
  "Check: Per Configured > Source (unless claimed by a stack)",
  "Enforce: Per Configured > Source (unless claimed by a stack)"
]

Schema

{
  "enum": [
    "Skip if using Configured > Source",
    "Check: Configured if using Configured > Source",
    "Enforce: Configured if using Configured > Source",
    "Skip (unless claimed by a stack)",
    "Check: Per Configured > Source (unless claimed by a stack)",
    "Enforce: Per Configured > Source (unless claimed by a stack)"
  ],
  "default": "Skip (unless claimed by a stack)"
}

Azure > Network > Network Security Group > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupConfiguredPrecedence

Category

Azure > Network > Network Security Group > Configured

Parent

Targets

Default Template Input

"{\n  defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"

Default Template

"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"

Schema

{
  "type": "array",
  "items": {
    "type": "string"
  }
}

Azure > Network > Network Security Group > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource.

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupConfiguredSource

Category

Azure > Network > Network Security Group > Configured

Parent

Targets

Schema

{
  "type": "string",
  "default": "",
  "x-schema-form": {
    "type": "code",
    "language": "hcl"
  }
}

Azure > Network > Network Security Group > Egress Rules

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupEgressRules

Category

Parent

Targets

Azure > Network > Network Security Group > Egress Rules > Approved

Configure Network Security Group Egress Rule checking. This policy defines whether
to verify the security group egress rules are approved, as well as the
subsequent action to take on unapproved items. Rules for all Approved
policies will be compiled in Approved > Compiled Rules and then
evaluated.

If set to Enforce: Delete unapproved, any unapproved rules will be
revoked from the security group.

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupEgressRulesApproved

Category

Azure > Network > Network Security Group > Egress Rules

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

Azure > Network > Network Security Group > Egress Rules > Approved > CIDR Ranges

Custom Network Security Group egress rules may only be added within the specified
CIDR address ranges. Acceptable values are valid CIDR blocks. If this list
is empty, no CIDR address ranges are permitted.

Applies to non-Guardrails managed Security Groups.

Examples:
- 10.0.0.0/8
- 172.16.0.0/12

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupEgressRulesApprovedCidrRanges

Category

Azure > Network > Network Security Group > Egress Rules > Approved

Parent

Targets

Schema

{
  "type": "array",
  "items": {
    "description": "An IPv4 CIDR block.",
    "type": "string",
    "pattern": "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}/[0-9]{1,2}$",
    "tests": [
      {
        "description": "all zero octects and prefix.",
        "input": "0.0.0.0/0"
      },
      {
        "description": "invalid - missing first octect",
        "input": "0.0.0/0",
        "expected": false
      },
      {
        "description": "invalid - missing prefix",
        "input": "0.0.0.0/",
        "expected": false
      },
      {
        "description": "invalid - prefix too many digits",
        "input": "0.0.0.0/123",
        "expected": false
      },
      {
        "description": "invalid - octect too many digits",
        "input": "1234.0.0.0/0",
        "expected": false
      }
    ],
    ".turbot": {
      "uri": "tmod:@turbot/azure#/definitions/cidrBlock",
      "modUri": "tmod:@turbot/azure"
    }
  },
  "default": [
    "0.0.0.0/0"
  ]
}

Azure > Network > Network Security Group > Egress Rules > Approved > Compiled Rules

A read-only Object Control List
(OCL) with a list of compiled
filter rules to approve or reject security group rules.

This policy is generated by Guardrails.

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupEgressRulesApprovedCompiledRules

Category

Azure > Network > Network Security Group > Egress Rules > Approved

Parent

Targets

Schema

{
  "type": "string"
}

Azure > Network > Network Security Group > Egress Rules > Approved > Maximum Port Range

The maximum number of ports that may be opened by any single egress rule
in a security group.

Examples:
- 1 - Allow a single port only (e.g. 8080)
- 4 - Allow up to 4 ports (e.g. 8080-8083)
- -1 - Allow unlimited number of ports, including -1 for all.

Applies to non-Guardrails managed Security Groups.

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupEgressRulesApprovedMaximumPortRange

Category

Azure > Network > Network Security Group > Egress Rules > Approved

Parent

Targets

Schema

{
  "type": "integer",
  "minimum": -1,
  "maximum": 65535,
  "default": -1
}

Azure > Network > Network Security Group > Egress Rules > Approved > Minimum Bitmask

Defines the smallest allowed bitmask (largest range of IP addresses) that
can be granted access in any single custom security group egress rule.

Examples:
- IPv4
- 32 - Restrict rules to a single IP address
- 24 - Restrict rules to a /24 CIDR block
- 0 - Unlimited size
- IPv6
- 256 - Restrict rules to a single IP address
- 32 - Restrict rules to a /32 CIDR block

Applies to non-Guardrails managed Security Groups.

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupEgressRulesApprovedMinimumBitmask

Category

Azure > Network > Network Security Group > Egress Rules > Approved

Parent

Targets

Schema

{
  "type": "integer",
  "minimum": 0,
  "maximum": 256,
  "default": 0
}

Azure > Network > Network Security Group > Egress Rules > Approved > Prohibited Ports

A YAML list of ports that are prohibited and may not be used for egress
in custom security groups. For example, 21 might be prohibited to prevent
the use of FTP. This list is also applied to ICMP rules, so should be
checked against valid ICMP numbers.

Applies to non-Guardrails managed Security Groups.

Examples:
- 21 # FTP
- 25 # SMTP

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupEgressRulesApprovedProhibitedPorts

Category

Azure > Network > Network Security Group > Egress Rules > Approved

Parent

Targets

Schema

{
  "type": "array",
  "items": {
    "type": "integer"
  },
  "default": []
}

Azure > Network > Network Security Group > Egress Rules > Approved > Rules

An Object Control List (OCL)
with a list of filter rules to approve or reject security group rules.

Note that the Approved control does not operate directly from this policy,
but from the Approved > Compiled Rules. The rules are processed in order,
and any built-in Guardrails rules will appear first in the list of compiled
rules.

Examples:
 Allow HTTP and HTTPS rules for RFC1918 private space APPROVE $.turbot.fromPort:=80 $.turbot.toPort:=80 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 APPROVE $.turbot.fromPort:=443 $.turbot.toPort:=443 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 Allow all rules from security groups in this account APPROVE $.UserIdGroupPairs.+.UserId:"969297701313" Reject any rule from 0.0.0.0/0 REJECT $.turbot.cidr:0.0.0.0/0

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupEgressRulesApprovedRules

Category

Azure > Network > Network Security Group > Egress Rules > Approved

Parent

Targets

Schema

{
  "type": "string",
  "default": "# Approve unmatched rules\nAPPROVE *",
  "x-schema-form": {
    "type": "textarea"
  }
}

Azure > Network > Network Security Group > Egress Rules > Approved > Service Tags

A YAML list of service tags that are allowed for egress
in custom security groups. If this list is empty, no service tags are permitted.

Applies to non-Guardrails managed Security Groups.

Examples:
 - VirtualNetwork - Storage 

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupEgressRulesApprovedServiceTags

Category

Azure > Network > Network Security Group > Egress Rules > Approved

Parent

Targets

Schema

{
  "type": "array",
  "items": {
    "type": "string"
  },
  "default": [
    "*"
  ]
}

Azure > Network > Network Security Group > Ingress Rules

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupIngressRules

Category

Parent

Targets

Azure > Network > Network Security Group > Ingress Rules > Approved

Configure Network Security Group Ingress Rule checking. This policy defines whether
to verify the security group ingress rules are approved, as well as the
subsequent action to take on unapproved items. Rules for all Approved
policies will be compiled in Approved > Compiled Rules and then
evaluated.

If set to Enforce: Delete unapproved, any unapproved rules will be
revoked from the security group.

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupIngressRulesApproved

Category

Azure > Network > Network Security Group > Ingress Rules

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

Azure > Network > Network Security Group > Ingress Rules > Approved > CIDR Ranges

Custom Network Security Group ingress rules may only be added within the specified
CIDR address ranges. Acceptable values are valid CIDR blocks. If this list
is empty, no CIDR address ranges are permitted.

Applies to non-Guardrails managed Security Groups.

Examples:
- 10.0.0.0/8
- 172.16.0.0/12

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupIngressRulesApprovedCidrRanges

Category

Azure > Network > Network Security Group > Ingress Rules > Approved

Parent

Targets

Schema

{
  "type": "array",
  "items": {
    "description": "An IPv4 CIDR block.",
    "type": "string",
    "pattern": "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}/[0-9]{1,2}$",
    "tests": [
      {
        "description": "all zero octects and prefix.",
        "input": "0.0.0.0/0"
      },
      {
        "description": "invalid - missing first octect",
        "input": "0.0.0/0",
        "expected": false
      },
      {
        "description": "invalid - missing prefix",
        "input": "0.0.0.0/",
        "expected": false
      },
      {
        "description": "invalid - prefix too many digits",
        "input": "0.0.0.0/123",
        "expected": false
      },
      {
        "description": "invalid - octect too many digits",
        "input": "1234.0.0.0/0",
        "expected": false
      }
    ],
    ".turbot": {
      "uri": "tmod:@turbot/azure#/definitions/cidrBlock",
      "modUri": "tmod:@turbot/azure"
    }
  },
  "default": [
    "0.0.0.0/0"
  ]
}

Azure > Network > Network Security Group > Ingress Rules > Approved > Compiled Rules

A read-only Object Control List
(OCL) with a list of compiled
filter rules to approve or reject security group rules.

This policy is generated by Guardrails.

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupIngressRulesApprovedCompiledRules

Category

Azure > Network > Network Security Group > Ingress Rules > Approved

Parent

Targets

Schema

{
  "type": "string"
}

Azure > Network > Network Security Group > Ingress Rules > Approved > Maximum Port Range

The maximum number of ports that may be opened by any single ingress rule
in a security group.

Examples:
- 1 - Allow a single port only (e.g. 8080)
- 4 - Allow up to 4 ports (e.g. 8080-8083)
- -1 - Allow unlimited number of ports, including -1 for all.

Applies to non-Guardrails managed Security Groups.

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupIngressRulesApprovedMaximumPortRange

Category

Azure > Network > Network Security Group > Ingress Rules > Approved

Parent

Targets

Schema

{
  "type": "integer",
  "minimum": -1,
  "maximum": 65535,
  "default": -1
}

Azure > Network > Network Security Group > Ingress Rules > Approved > Minimum Bitmask

Defines the smallest allowed bitmask (largest range of IP addresses) that
can be granted access in any single custom security group ingress rule.

Examples:
- IPv4
- 32 - Restrict rules to a single IP address
- 24 - Restrict rules to a /24 CIDR block
- 0 - Unlimited size
- IPv6
- 256 - Restrict rules to a single IP address
- 32 - Restrict rules to a /32 CIDR block

Applies to non-Guardrails managed Security Groups.

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupIngressRulesApprovedMinimumBitmask

Category

Azure > Network > Network Security Group > Ingress Rules > Approved

Parent

Targets

Schema

{
  "type": "integer",
  "minimum": 0,
  "maximum": 256,
  "default": 0
}

Azure > Network > Network Security Group > Ingress Rules > Approved > Prohibited Ports

A YAML list of ports that are prohibited and may not be used for ingress
in custom security groups. For example, 21 might be prohibited to prevent
the use of FTP. This list is also applied to ICMP rules, so should be
checked against valid ICMP numbers.

Applies to non-Guardrails managed Security Groups.

Examples:
- 21 # FTP
- 25 # SMTP

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupIngressRulesApprovedProhibitedPorts

Category

Azure > Network > Network Security Group > Ingress Rules > Approved

Parent

Targets

Schema

{
  "type": "array",
  "items": {
    "type": "integer"
  },
  "default": []
}

Azure > Network > Network Security Group > Ingress Rules > Approved > Rules

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupIngressRulesApprovedRules

Category

Azure > Network > Network Security Group > Ingress Rules > Approved

Parent

Targets

Schema

{
  "type": "string",
  "default": "# Approve unmatched rules\nAPPROVE *",
  "x-schema-form": {
    "type": "textarea"
  }
}

Azure > Network > Network Security Group > Ingress Rules > Approved > Service Tags

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupIngressRulesApprovedServiceTags

Category

Azure > Network > Network Security Group > Ingress Rules > Approved

Parent

Targets

Schema

{
  "type": "array",
  "items": {
    "type": "string"
  },
  "default": [
    "*"
  ]
}

Azure > Network > Network Security Group > Regions

A list of Azure regions in which Azure Network network security groups are supported for use.

Any network security groups in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupRegions

Category

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

Schema

Azure > Network > Network Security Group > Tags

Determine the action to take when an Azure Network network security group tags are not updated based on the Azure > Network > Network Security Group > Tags > * policies.

The control ensure Azure Network network security group tags include tags defined in Azure > Network > Network Security Group > Tags > Template.

Tags not defined in Network Security Group Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupTags

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

Azure > Network > Network Security Group > Tags > Template

The template is used to generate the keys and values for Azure Network network security group.

Tags not defined in Network Security Group Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/azure-network#/policy/types/networkSecurityGroupTagsTemplate

Category

Azure > Network > Network Security Group > Tags

Parent

Targets

Default Template Input

[
  "{\n  subscription {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkTagsTemplate\" resourceId: \"{{ $.subscription.turbot.id }}\") {\n    value\n  }\n}\n"
]

Default Template

"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Schema

Azure > Network > Permissions

Configure whether permissions policies are in effect for Azure Network
This setting does not affect Subscription level permissions (Azure/Admin, Azure/Owner, etc)

URI

tmod:@turbot/azure-network#/policy/types/networkPermissions

Category

Parent

Targets

Valid Value

[
  "Enabled",
  "Disabled",
  "Enabled if Azure > Network > Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Enabled",
    "Disabled",
    "Enabled if Azure > Network > Enabled"
  ],
  "example": [
    "Enabled"
  ],
  "default": "Enabled if Azure > Network > Enabled"
}

Azure > Network > Permissions > Levels

Define the permissions levels that can be used to grant access to Storage an
Azure Subscription. Permissions levels defined will appear in the UI to assign
access to Guardrails users.

URI

tmod:@turbot/azure-network#/policy/types/networkPermissionsLevels

Category

Azure > Network > Permissions

Parent

Targets

Default Template Input

[
  "{\n  item: subscription {\n    turbot{\n      id\n    }\n  }\n}\n",
  "{\n  availableLevels: policyValues(filter:\"policyTypeLevel:self resourceId:{{ $.item.turbot.id }} policyTypeId:'tmod:@turbot/azure-iam#/policy/types/permissionsLevelsDefault'\") {\n    items {\n      value\n    }\n  }\n}\n"
]

Default Template

"{% if $.availableLevels.items[0].value | length == 0 %} [] {% endif %}{% for item in $.availableLevels.items[0].value %}- {{ item }}&#92;n{% endfor %}"

Schema

{
  "type": "array",
  "items": {
    "type": "string",
    "enum": [
      "User",
      "Metadata",
      "ReadOnly",
      "Operator",
      "Admin",
      "Owner"
    ]
  }
}

Azure > Network > Permissions > Levels > Modifiers

A map of Azure API to Guardrails Permission Level used to customize Guardrails
standard permissions. You can add, remove or redefine the mapping of
Azure API operations to Guardrails permissions levels here.

 example: - "Microsoft.Network/Network/delete": operator - "Microsoft.Network/Network/write": admin - "Microsoft.Network/Network/read": readonly 

URI

tmod:@turbot/azure-network#/policy/types/networkPermissionsLevelsModifiers

Category

Azure > Network > Permissions > Levels

Parent

Targets

azure-iam#/definitions/azureModifierList

Schema

Azure > Network > Private DNS Zones > Active

Determine the action to take when an Azure Network private dns zones, based on the Azure > Network > Private DNS Zones > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Private DNS Zones > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI

tmod:@turbot/azure-network#/policy/types/privateDnsZonesActive

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

Azure > Network > Private DNS Zones > Active > Age

The age after which the Azure Network private dns zones
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Private DNS Zones > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note In contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI

tmod:@turbot/azure-network#/policy/types/privateDnsZonesActiveAge

Category

Azure > Network > Private DNS Zones > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

Azure > Network > Private DNS Zones > Active > Last Modified

The number of days since the Azure Network private dns zones was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Private DNS Zones > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI

tmod:@turbot/azure-network#/policy/types/privateDnsZonesActiveLastModified

Category

Azure > Network > Private DNS Zones > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

Azure > Network > Private DNS Zones > Approved

Determine the action to take when an Azure Network private dns zones is not approved based on Azure > Network > Private DNS Zones > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI

tmod:@turbot/azure-network#/policy/types/privateDnsZonesApproved

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

Azure > Network > Private DNS Zones > Approved > Custom

Determine whether the Azure Network private dns zones is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Network private dns zones is not approved, it will be subject to the action specified in the Azure > Network > Private DNS Zones > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI

tmod:@turbot/azure-network#/policy/types/privateDnsZonesApprovedCustom

Category

Azure > Network > Private DNS Zones > Approved

Parent

Targets

Schema

{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

Azure > Network > Private DNS Zones > Approved > Usage

URI

tmod:@turbot/azure-network#/policy/types/privateDnsZonesApprovedUsage

Category

Azure > Network > Private DNS Zones > Approved

Parent

Targets

Valid Value

[
  "Not approved",
  "Approved",
  "Approved if Azure > Network > Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if Azure > Network > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if Azure > Network > Enabled"
}

Azure > Network > Private DNS Zones > CMDB

Configure whether to record and synchronize details for the Azure Network private dns zones into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI

tmod:@turbot/azure-network#/policy/types/privateDnsZonesCmdb

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Enabled if Network provider is Registered",
  "Enforce: Disabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Enabled if Network provider is Registered",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled if Network provider is Registered"
}

Azure > Network > Private DNS Zones > Tags

Determine the action to take when an Azure Network private dns zones tags are not updated based on the Azure > Network > Private DNS Zones > Tags > * policies.

The control ensure Azure Network private dns zones tags include tags defined in Azure > Network > Private DNS Zones > Tags > Template.

Tags not defined in Private DNS Zones Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/azure-network#/policy/types/privateDnsZonesTags

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

Azure > Network > Private DNS Zones > Tags > Template

The template is used to generate the keys and values for Azure Network private dns zones.

Tags not defined in Private DNS Zones Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/azure-network#/policy/types/privateDnsZonesTagsTemplate

Category

Azure > Network > Private DNS Zones > Tags

Parent

Targets

Default Template Input

[
  "{\n  subscription {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkTagsTemplate\" resourceId: \"{{ $.subscription.turbot.id }}\") {\n    value\n  }\n}\n"
]

Default Template

"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Schema

Azure > Network > Private Endpoints > Active

Determine the action to take when an Azure Network private endpoints, based on the Azure > Network > Private Endpoints > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Private Endpoints > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI

tmod:@turbot/azure-network#/policy/types/privateEndpointsActive

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

Azure > Network > Private Endpoints > Active > Age

The age after which the Azure Network private endpoints
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Private Endpoints > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note In contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI

tmod:@turbot/azure-network#/policy/types/privateEndpointsActiveAge

Category

Azure > Network > Private Endpoints > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

Azure > Network > Private Endpoints > Active > Last Modified

The number of days since the Azure Network private endpoints was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Private Endpoints > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI

tmod:@turbot/azure-network#/policy/types/privateEndpointsActiveLastModified

Category

Azure > Network > Private Endpoints > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

Azure > Network > Private Endpoints > Approved

Determine the action to take when an Azure Network private endpoints is not approved based on Azure > Network > Private Endpoints > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI

tmod:@turbot/azure-network#/policy/types/privateEndpointsApproved

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

Azure > Network > Private Endpoints > Approved > Custom

Determine whether the Azure Network private endpoints is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Network private endpoints is not approved, it will be subject to the action specified in the Azure > Network > Private Endpoints > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI

tmod:@turbot/azure-network#/policy/types/privateEndpointsApprovedCustom

Category

Azure > Network > Private Endpoints > Approved

Parent

Targets

Schema

{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

Azure > Network > Private Endpoints > Approved > Regions

A list of Azure regions in which Azure Network private endpointss are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an Azure Network private endpoints is created in a region that is not in the approved list, it will be subject to the action specified in the Azure > Network > Private Endpoints > Approved policy.

See Approved for more information.

URI

tmod:@turbot/azure-network#/policy/types/privateEndpointsApprovedRegions

Category

Azure > Network > Private Endpoints > Approved

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkApprovedRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

Schema

Azure > Network > Private Endpoints > Approved > Usage

URI

tmod:@turbot/azure-network#/policy/types/privateEndpointsApprovedUsage

Category

Azure > Network > Private Endpoints > Approved

Parent

Targets

Valid Value

[
  "Not approved",
  "Approved",
  "Approved if Azure > Network > Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if Azure > Network > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if Azure > Network > Enabled"
}

Azure > Network > Private Endpoints > CMDB

Configure whether to record and synchronize details for the Azure Network private endpoints into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in Azure > Network > Private Endpoints > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI

tmod:@turbot/azure-network#/policy/types/privateEndpointsCmdb

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Enabled if Network provider is Registered",
  "Enforce: Disabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Enabled if Network provider is Registered",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled if Network provider is Registered"
}

Azure > Network > Private Endpoints > Regions

A list of Azure regions in which Azure Network private endpointss are supported for use.

Any private endpointss in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

URI

tmod:@turbot/azure-network#/policy/types/privateEndpointsRegions

Category

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

Schema

Azure > Network > Private Endpoints > Tags

Determine the action to take when an Azure Network private endpoints tags are not updated based on the Azure > Network > Private Endpoints > Tags > * policies.

The control ensure Azure Network private endpoints tags include tags defined in Azure > Network > Private Endpoints > Tags > Template.

Tags not defined in Private Endpoints Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/azure-network#/policy/types/privateEndpointsTags

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

Azure > Network > Private Endpoints > Tags > Template

The template is used to generate the keys and values for Azure Network private endpoints.

Tags not defined in Private Endpoints Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/azure-network#/policy/types/privateEndpointsTagsTemplate

Category

Azure > Network > Private Endpoints > Tags

Parent

Targets

Default Template Input

[
  "{\n  subscription {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkTagsTemplate\" resourceId: \"{{ $.subscription.turbot.id }}\") {\n    value\n  }\n}\n"
]

Default Template

"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Schema

Azure > Network > Public IP Address > Active

Determine the action to take when an Azure Network public ip address, based on the Azure > Network > Public IP Address > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Public IP Address > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI

tmod:@turbot/azure-network#/policy/types/publicIpAddressActive

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

Azure > Network > Public IP Address > Active > Age

The age after which the Azure Network public ip address
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Public IP Address > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note In contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI

tmod:@turbot/azure-network#/policy/types/publicIpAddressActiveAge

Category

Azure > Network > Public IP Address > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

Azure > Network > Public IP Address > Active > Attached

Determine whether the Public IP Address is active, based on whether it is attached to any other resource types.

The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the resource (Azure > Network > Public IP Address > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.

Note In contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.

URI

tmod:@turbot/azure-network#/policy/types/publicIpAddressActiveAttached

Category

Azure > Network > Public IP Address > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Active if attached",
  "Force active if attached",
  "Force inactive if unattached"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Active if attached",
    "Force active if attached",
    "Force inactive if unattached"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

Azure > Network > Public IP Address > Active > Last Modified

The number of days since the Azure Network public ip address was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Public IP Address > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI

tmod:@turbot/azure-network#/policy/types/publicIpAddressActiveLastModified

Category

Azure > Network > Public IP Address > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

Azure > Network > Public IP Address > Approved

Determine the action to take when an Azure Network public ip address is not approved based on Azure > Network > Public IP Address > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI

tmod:@turbot/azure-network#/policy/types/publicIpAddressApproved

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved",
  "Enforce: Delete unapproved if new"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

Azure > Network > Public IP Address > Approved > Custom

Determine whether the Azure Network public ip address is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Network public ip address is not approved, it will be subject to the action specified in the Azure > Network > Public IP Address > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI

tmod:@turbot/azure-network#/policy/types/publicIpAddressApprovedCustom

Category

Azure > Network > Public IP Address > Approved

Parent

Targets

Schema

{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

Azure > Network > Public IP Address > Approved > Regions

A list of Azure regions in which Azure Network public ip addresss are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an Azure Network public ip address is created in a region that is not in the approved list, it will be subject to the action specified in the Azure > Network > Public IP Address > Approved policy.

See Approved for more information.

URI

tmod:@turbot/azure-network#/policy/types/publicIpAddressApprovedRegions

Category

Azure > Network > Public IP Address > Approved

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkApprovedRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

Schema

Azure > Network > Public IP Address > Approved > Usage

URI

tmod:@turbot/azure-network#/policy/types/publicIpAddressApprovedUsage

Category

Azure > Network > Public IP Address > Approved

Parent

Targets

Valid Value

[
  "Not approved",
  "Approved",
  "Approved if Azure > Network > Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if Azure > Network > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if Azure > Network > Enabled"
}

Azure > Network > Public IP Address > CMDB

Configure whether to record and synchronize details for the Azure Network public ip address into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in Azure > Network > Public IP Address > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI

tmod:@turbot/azure-network#/policy/types/publicIpAddressCmdb

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Enabled if Network provider is Registered",
  "Enforce: Disabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Enabled if Network provider is Registered",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled if Network provider is Registered"
}

Azure > Network > Public IP Address > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

The policy values for Azure > Network > Public IP Address are deprecated and
replaced by new values. The deprecated values will be removed in the next major version.

| Deprecated Values | Current Values |
|--------------------------------------------------|----------------------------------------------------------------|
| Skip if using Configured > Source | Skip \$unless claimed by a stack\$ |
| Check: Configured if using Configured > Source | Check: Per Configured > Source \$unless claimed by a stack\$ |
| Enforce: Configured if using Configured > Source | Enforce: Per Configured > Source \$unless claimed by a stack\$ |

URI

tmod:@turbot/azure-network#/policy/types/publicIpAddressConfigured

Category

Parent

Targets

Valid Value

[
  "Skip if using Configured > Source",
  "Check: Configured if using Configured > Source",
  "Enforce: Configured if using Configured > Source",
  "Skip (unless claimed by a stack)",
  "Check: Per Configured > Source (unless claimed by a stack)",
  "Enforce: Per Configured > Source (unless claimed by a stack)"
]

Schema

{
  "enum": [
    "Skip if using Configured > Source",
    "Check: Configured if using Configured > Source",
    "Enforce: Configured if using Configured > Source",
    "Skip (unless claimed by a stack)",
    "Check: Per Configured > Source (unless claimed by a stack)",
    "Enforce: Per Configured > Source (unless claimed by a stack)"
  ],
  "default": "Skip (unless claimed by a stack)"
}

Azure > Network > Public IP Address > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI

tmod:@turbot/azure-network#/policy/types/publicIpAddressConfiguredPrecedence

Category

Azure > Network > Public IP Address > Configured

Parent

Targets

Default Template Input

"{\n  defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"

Default Template

"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"

Schema

{
  "type": "array",
  "items": {
    "type": "string"
  }
}

Azure > Network > Public IP Address > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource.

URI

tmod:@turbot/azure-network#/policy/types/publicIpAddressConfiguredSource

Category

Azure > Network > Public IP Address > Configured

Parent

Targets

Schema

{
  "type": "string",
  "default": "",
  "x-schema-form": {
    "type": "code",
    "language": "hcl"
  }
}

Azure > Network > Public IP Address > Regions

A list of Azure regions in which Azure Network public ip addresss are supported for use.

Any public ip addresss in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

URI

tmod:@turbot/azure-network#/policy/types/publicIpAddressRegions

Category

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

Schema

Azure > Network > Public IP Address > Tags

Determine the action to take when an Azure Network public ip address tags are not updated based on the Azure > Network > Public IP Address > Tags > * policies.

The control ensure Azure Network public ip address tags include tags defined in Azure > Network > Public IP Address > Tags > Template.

Tags not defined in Public IP Address Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/azure-network#/policy/types/publicIpAddressTags

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

Azure > Network > Public IP Address > Tags > Template

The template is used to generate the keys and values for Azure Network public ip address.

Tags not defined in Public IP Address Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/azure-network#/policy/types/publicIpAddressTagsTemplate

Category

Azure > Network > Public IP Address > Tags

Parent

Targets

Default Template Input

[
  "{\n  subscription {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkTagsTemplate\" resourceId: \"{{ $.subscription.turbot.id }}\") {\n    value\n  }\n}\n"
]

Default Template

"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Schema

Azure > Network > Regions

A list of Azure regions in which Azure Network resources are supported for use.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

This policy is the default value for all Azure Network resources' Regions policies.

URI

tmod:@turbot/azure-network#/policy/types/networkRegionsDefault

Category

Parent

Targets

Schema

{
  "allOf": [
    {
      "$ref": "azure#/definitions/regionNameMatcherList"
    },
    {
      "default": [
        "australiacentral",
        "australiaeast",
        "australiasoutheast",
        "brazilsouth",
        "canadacentral",
        "canadaeast",
        "centralindia",
        "centralus",
        "eastasia",
        "eastus",
        "eastus2",
        "francecentral",
        "germanywestcentral",
        "japaneast",
        "japanwest",
        "koreacentral",
        "koreasouth",
        "northcentralus",
        "northeurope",
        "southafricanorth",
        "southcentralus",
        "southeastasia",
        "southindia",
        "uksouth",
        "ukwest",
        "usgovarizona",
        "usgoviowa",
        "usgovtexas",
        "usgovvirginia",
        "westcentralus",
        "westeurope",
        "westindia",
        "westus",
        "westus2",
        "chinaeast",
        "chinaeast2",
        "chinaeast3",
        "chinanorth",
        "chinanorth2",
        "chinanorth3"
      ]
    }
  ]
}

Azure > Network > Route Table > Active

Determine the action to take when an Azure Network route table, based on the Azure > Network > Route Table > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Route Table > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI

tmod:@turbot/azure-network#/policy/types/routeTableActive

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

Azure > Network > Route Table > Active > Age

The age after which the Azure Network route table
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Route Table > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note In contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI

tmod:@turbot/azure-network#/policy/types/routeTableActiveAge

Category

Azure > Network > Route Table > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

Azure > Network > Route Table > Active > Last Modified

The number of days since the Azure Network route table was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Route Table > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI

tmod:@turbot/azure-network#/policy/types/routeTableActiveLastModified

Category

Azure > Network > Route Table > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

Azure > Network > Route Table > Approved

Determine the action to take when an Azure Network route table is not approved based on Azure > Network > Route Table > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI

tmod:@turbot/azure-network#/policy/types/routeTableApproved

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

Azure > Network > Route Table > Approved > Custom

Determine whether the Azure Network route table is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Network route table is not approved, it will be subject to the action specified in the Azure > Network > Route Table > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI

tmod:@turbot/azure-network#/policy/types/routeTableApprovedCustom

Category

Azure > Network > Route Table > Approved

Parent

Targets

Schema

{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

Azure > Network > Route Table > Approved > Regions

A list of Azure regions in which Azure Network route tables are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an Azure Network route table is created in a region that is not in the approved list, it will be subject to the action specified in the Azure > Network > Route Table > Approved policy.

See Approved for more information.

URI

tmod:@turbot/azure-network#/policy/types/routeTableApprovedRegions

Category

Azure > Network > Route Table > Approved

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkApprovedRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

Schema

Azure > Network > Route Table > Approved > Usage

URI

tmod:@turbot/azure-network#/policy/types/routeTableApprovedUsage

Category

Azure > Network > Route Table > Approved

Parent

Targets

Valid Value

[
  "Not approved",
  "Approved",
  "Approved if Azure > Network > Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if Azure > Network > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if Azure > Network > Enabled"
}

Azure > Network > Route Table > CMDB

Configure whether to record and synchronize details for the Azure Network route table into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in Azure > Network > Route Table > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI

tmod:@turbot/azure-network#/policy/types/routeTableCmdb

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Enabled if Network provider is Registered",
  "Enforce: Disabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Enabled if Network provider is Registered",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled if Network provider is Registered"
}

Azure > Network > Route Table > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

The policy values for Azure > Network > Route Table are deprecated and
replaced by new values. The deprecated values will be removed in the next major version.

| Deprecated Values | Current Values |
|--------------------------------------------------|----------------------------------------------------------------|
| Skip if using Configured > Source | Skip \$unless claimed by a stack\$ |
| Check: Configured if using Configured > Source | Check: Per Configured > Source \$unless claimed by a stack\$ |
| Enforce: Configured if using Configured > Source | Enforce: Per Configured > Source \$unless claimed by a stack\$ |

URI

tmod:@turbot/azure-network#/policy/types/routeTableConfigured

Category

Parent

Targets

Valid Value

[
  "Skip if using Configured > Source",
  "Check: Configured if using Configured > Source",
  "Enforce: Configured if using Configured > Source",
  "Skip (unless claimed by a stack)",
  "Check: Per Configured > Source (unless claimed by a stack)",
  "Enforce: Per Configured > Source (unless claimed by a stack)"
]

Schema

{
  "enum": [
    "Skip if using Configured > Source",
    "Check: Configured if using Configured > Source",
    "Enforce: Configured if using Configured > Source",
    "Skip (unless claimed by a stack)",
    "Check: Per Configured > Source (unless claimed by a stack)",
    "Enforce: Per Configured > Source (unless claimed by a stack)"
  ],
  "default": "Skip (unless claimed by a stack)"
}

Azure > Network > Route Table > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI

tmod:@turbot/azure-network#/policy/types/routeTableConfiguredPrecedence

Category

Azure > Network > Route Table > Configured

Parent

Targets

Default Template Input

"{\n  defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"

Default Template

"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"

Schema

{
  "type": "array",
  "items": {
    "type": "string"
  }
}

Azure > Network > Route Table > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource.

URI

tmod:@turbot/azure-network#/policy/types/routeTableConfiguredSource

Category

Azure > Network > Route Table > Configured

Parent

Targets

Schema

{
  "type": "string",
  "default": "",
  "x-schema-form": {
    "type": "code",
    "language": "hcl"
  }
}

Azure > Network > Route Table > Regions

A list of Azure regions in which Azure Network route tables are supported for use.

Any route tables in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

URI

tmod:@turbot/azure-network#/policy/types/routeTableRegions

Category

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

Schema

Azure > Network > Route Table > Tags

Determine the action to take when an Azure Network route table tags are not updated based on the Azure > Network > Route Table > Tags > * policies.

The control ensure Azure Network route table tags include tags defined in Azure > Network > Route Table > Tags > Template.

Tags not defined in Route Table Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/azure-network#/policy/types/routeTableTags

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

Azure > Network > Route Table > Tags > Template

The template is used to generate the keys and values for Azure Network route table.

Tags not defined in Route Table Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/azure-network#/policy/types/routeTableTagsTemplate

Category

Azure > Network > Route Table > Tags

Parent

Targets

Default Template Input

[
  "{\n  subscription {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkTagsTemplate\" resourceId: \"{{ $.subscription.turbot.id }}\") {\n    value\n  }\n}\n"
]

Default Template

"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Schema

Azure > Network > Subnet > Active

Determine the action to take when an Azure Network subnet, based on the Azure > Network > Subnet > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Subnet > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI

tmod:@turbot/azure-network#/policy/types/subnetActive

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

Azure > Network > Subnet > Active > Age

The age after which the Azure Network subnet
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Subnet > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note In contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI

tmod:@turbot/azure-network#/policy/types/subnetActiveAge

Category

Azure > Network > Subnet > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

Azure > Network > Subnet > Active > Last Modified

The number of days since the Azure Network subnet was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Subnet > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI

tmod:@turbot/azure-network#/policy/types/subnetActiveLastModified

Category

Azure > Network > Subnet > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

Azure > Network > Subnet > Approved

Determine the action to take when an Azure Network subnet is not approved based on Azure > Network > Subnet > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI

tmod:@turbot/azure-network#/policy/types/subnetApproved

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

Azure > Network > Subnet > Approved > Custom

Determine whether the Azure Network subnet is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Network subnet is not approved, it will be subject to the action specified in the Azure > Network > Subnet > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI

tmod:@turbot/azure-network#/policy/types/subnetApprovedCustom

Category

Azure > Network > Subnet > Approved

Parent

Targets

Schema

{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

Azure > Network > Subnet > Approved > Usage

URI

tmod:@turbot/azure-network#/policy/types/subnetApprovedUsage

Category

Azure > Network > Subnet > Approved

Parent

Targets

Valid Value

[
  "Not approved",
  "Approved",
  "Approved if Azure > Network > Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if Azure > Network > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if Azure > Network > Enabled"
}

Azure > Network > Subnet > CMDB

Configure whether to record and synchronize details for the Azure Network subnet into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI

tmod:@turbot/azure-network#/policy/types/subnetCmdb

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Enabled if Network provider is Registered",
  "Enforce: Disabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Enabled if Network provider is Registered",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled if Network provider is Registered"
}

Azure > Network > Subnet > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

The policy values for Azure > Network > Subnet are deprecated and
replaced by new values. The deprecated values will be removed in the next major version.

| Deprecated Values | Current Values |
|--------------------------------------------------|----------------------------------------------------------------|
| Skip if using Configured > Source | Skip \$unless claimed by a stack\$ |
| Check: Configured if using Configured > Source | Check: Per Configured > Source \$unless claimed by a stack\$ |
| Enforce: Configured if using Configured > Source | Enforce: Per Configured > Source \$unless claimed by a stack\$ |

URI

tmod:@turbot/azure-network#/policy/types/subnetConfigured

Category

Parent

Targets

Valid Value

[
  "Skip if using Configured > Source",
  "Check: Configured if using Configured > Source",
  "Enforce: Configured if using Configured > Source",
  "Skip (unless claimed by a stack)",
  "Check: Per Configured > Source (unless claimed by a stack)",
  "Enforce: Per Configured > Source (unless claimed by a stack)"
]

Schema

{
  "enum": [
    "Skip if using Configured > Source",
    "Check: Configured if using Configured > Source",
    "Enforce: Configured if using Configured > Source",
    "Skip (unless claimed by a stack)",
    "Check: Per Configured > Source (unless claimed by a stack)",
    "Enforce: Per Configured > Source (unless claimed by a stack)"
  ],
  "default": "Skip (unless claimed by a stack)"
}

Azure > Network > Subnet > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI

tmod:@turbot/azure-network#/policy/types/subnetConfiguredPrecedence

Category

Azure > Network > Subnet > Configured

Parent

Targets

Default Template Input

"{\n  defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"

Default Template

"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"

Schema

{
  "type": "array",
  "items": {
    "type": "string"
  }
}

Azure > Network > Subnet > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource.

URI

tmod:@turbot/azure-network#/policy/types/subnetConfiguredSource

Category

Azure > Network > Subnet > Configured

Parent

Targets

Schema

{
  "type": "string",
  "default": "",
  "x-schema-form": {
    "type": "code",
    "language": "hcl"
  }
}

Azure > Network > Tags Template [Default]

A template used to generate the keys and values for Azure Network resources.

By default, all Network resource Tags > Template policies will use this value.

URI

tmod:@turbot/azure-network#/policy/types/networkTagsTemplate

Category

Parent

Targets

Default Template Input

"{\n  defaultTags: policyValue(uri:\"tmod:@turbot/azure#/policy/types/defaultTagsTemplate\") {\n    value\n  }\n}\n"

Default Template

"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Schema

Azure > Network > Virtual Network > Active

Determine the action to take when an Azure Network virtual network, based on the Azure > Network > Virtual Network > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Virtual Network > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkActive

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

Azure > Network > Virtual Network > Active > Age

The age after which the Azure Network virtual network
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Virtual Network > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note In contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkActiveAge

Category

Azure > Network > Virtual Network > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

Azure > Network > Virtual Network > Active > Last Modified

The number of days since the Azure Network virtual network was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Virtual Network > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkActiveLastModified

Category

Azure > Network > Virtual Network > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

Azure > Network > Virtual Network > Approved

Determine the action to take when an Azure Network virtual network is not approved based on Azure > Network > Virtual Network > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkApproved

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

Azure > Network > Virtual Network > Approved > Custom

Determine whether the Azure Network virtual network is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Network virtual network is not approved, it will be subject to the action specified in the Azure > Network > Virtual Network > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkApprovedCustom

Category

Azure > Network > Virtual Network > Approved

Parent

Targets

Schema

{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

Azure > Network > Virtual Network > Approved > Regions

A list of Azure regions in which Azure Network virtual networks are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an Azure Network virtual network is created in a region that is not in the approved list, it will be subject to the action specified in the Azure > Network > Virtual Network > Approved policy.

See Approved for more information.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkApprovedRegions

Category

Azure > Network > Virtual Network > Approved

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkApprovedRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

Schema

Azure > Network > Virtual Network > Approved > Usage

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkApprovedUsage

Category

Azure > Network > Virtual Network > Approved

Parent

Targets

Valid Value

[
  "Not approved",
  "Approved",
  "Approved if Azure > Network > Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if Azure > Network > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if Azure > Network > Enabled"
}

Azure > Network > Virtual Network > CMDB

Configure whether to record and synchronize details for the Azure Network virtual network into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in Azure > Network > Virtual Network > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkCmdb

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Enabled if Network provider is Registered",
  "Enforce: Disabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Enabled if Network provider is Registered",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled if Network provider is Registered"
}

Azure > Network > Virtual Network > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

The policy values for Azure > Network > Virtual Network are deprecated and
replaced by new values. The deprecated values will be removed in the next major version.

| Deprecated Values | Current Values |
|--------------------------------------------------|----------------------------------------------------------------|
| Skip if using Configured > Source | Skip \$unless claimed by a stack\$ |
| Check: Configured if using Configured > Source | Check: Per Configured > Source \$unless claimed by a stack\$ |
| Enforce: Configured if using Configured > Source | Enforce: Per Configured > Source \$unless claimed by a stack\$ |

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkConfigured

Category

Parent

Targets

Valid Value

[
  "Skip if using Configured > Source",
  "Check: Configured if using Configured > Source",
  "Enforce: Configured if using Configured > Source",
  "Skip (unless claimed by a stack)",
  "Check: Per Configured > Source (unless claimed by a stack)",
  "Enforce: Per Configured > Source (unless claimed by a stack)"
]

Schema

{
  "enum": [
    "Skip if using Configured > Source",
    "Check: Configured if using Configured > Source",
    "Enforce: Configured if using Configured > Source",
    "Skip (unless claimed by a stack)",
    "Check: Per Configured > Source (unless claimed by a stack)",
    "Enforce: Per Configured > Source (unless claimed by a stack)"
  ],
  "default": "Skip (unless claimed by a stack)"
}

Azure > Network > Virtual Network > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkConfiguredPrecedence

Category

Azure > Network > Virtual Network > Configured

Parent

Targets

Default Template Input

"{\n  defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"

Default Template

"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"

Schema

{
  "type": "array",
  "items": {
    "type": "string"
  }
}

Azure > Network > Virtual Network > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkConfiguredSource

Category

Azure > Network > Virtual Network > Configured

Parent

Targets

Schema

{
  "type": "string",
  "default": "",
  "x-schema-form": {
    "type": "code",
    "language": "hcl"
  }
}

Azure > Network > Virtual Network > Regions

A list of Azure regions in which Azure Network virtual networks are supported for use.

Any virtual networks in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkRegions

Category

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

Schema

Azure > Network > Virtual Network > Tags

Determine the action to take when an Azure Network virtual network tags are not updated based on the Azure > Network > Virtual Network > Tags > * policies.

The control ensure Azure Network virtual network tags include tags defined in Azure > Network > Virtual Network > Tags > Template.

Tags not defined in Virtual Network Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkTags

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

Azure > Network > Virtual Network > Tags > Template

The template is used to generate the keys and values for Azure Network virtual network.

Tags not defined in Virtual Network Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkTagsTemplate

Category

Azure > Network > Virtual Network > Tags

Parent

Targets

Default Template Input

[
  "{\n  subscription {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkTagsTemplate\" resourceId: \"{{ $.subscription.turbot.id }}\") {\n    value\n  }\n}\n"
]

Default Template

"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Schema

Azure > Network > Virtual Network Gateway > Active

Determine the action to take when an Azure Network virtual network gateway, based on the Azure > Network > Virtual Network Gateway > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Virtual Network Gateway > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note: In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkGatewayActive

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Active",
  "Enforce: Delete inactive with 1 day warning",
  "Enforce: Delete inactive with 3 days warning",
  "Enforce: Delete inactive with 7 days warning",
  "Enforce: Delete inactive with 14 days warning",
  "Enforce: Delete inactive with 30 days warning",
  "Enforce: Delete inactive with 60 days warning",
  "Enforce: Delete inactive with 90 days warning",
  "Enforce: Delete inactive with 180 days warning",
  "Enforce: Delete inactive with 365 days warning"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Active",
    "Enforce: Delete inactive with 1 day warning",
    "Enforce: Delete inactive with 3 days warning",
    "Enforce: Delete inactive with 7 days warning",
    "Enforce: Delete inactive with 14 days warning",
    "Enforce: Delete inactive with 30 days warning",
    "Enforce: Delete inactive with 60 days warning",
    "Enforce: Delete inactive with 90 days warning",
    "Enforce: Delete inactive with 180 days warning",
    "Enforce: Delete inactive with 365 days warning"
  ],
  "example": [
    "Check: Active"
  ],
  "default": "Skip"
}

Azure > Network > Virtual Network Gateway > Active > Age

The age after which the Azure Network virtual network gateway
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Virtual Network Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note In contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkGatewayActiveAge

Category

Azure > Network > Virtual Network Gateway > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Force inactive if age > 1 day",
  "Force inactive if age > 3 days",
  "Force inactive if age > 7 days",
  "Force inactive if age > 14 days",
  "Force inactive if age > 30 days",
  "Force inactive if age > 60 days",
  "Force inactive if age > 90 days",
  "Force inactive if age > 180 days",
  "Force inactive if age > 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Force inactive if age > 1 day",
    "Force inactive if age > 3 days",
    "Force inactive if age > 7 days",
    "Force inactive if age > 14 days",
    "Force inactive if age > 30 days",
    "Force inactive if age > 60 days",
    "Force inactive if age > 90 days",
    "Force inactive if age > 180 days",
    "Force inactive if age > 365 days"
  ],
  "example": [
    "Force inactive if age > 90 days"
  ],
  "default": "Skip"
}

Azure > Network > Virtual Network Gateway > Active > Last Modified

The number of days since the Azure Network virtual network gateway was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Network > Virtual Network Gateway > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.

Note In contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkGatewayActiveLastModified

Category

Azure > Network > Virtual Network Gateway > Active

Parent

Targets

Valid Value

[
  "Skip",
  "Active if last modified <= 1 day",
  "Active if last modified <= 3 days",
  "Active if last modified <= 7 days",
  "Active if last modified <= 14 days",
  "Active if last modified <= 30 days",
  "Active if last modified <= 60 days",
  "Active if last modified <= 90 days",
  "Active if last modified <= 180 days",
  "Active if last modified <= 365 days",
  "Force active if last modified <= 1 day",
  "Force active if last modified <= 3 days",
  "Force active if last modified <= 7 days",
  "Force active if last modified <= 14 days",
  "Force active if last modified <= 30 days",
  "Force active if last modified <= 60 days",
  "Force active if last modified <= 90 days",
  "Force active if last modified <= 180 days",
  "Force active if last modified <= 365 days"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Active if last modified <= 1 day",
    "Active if last modified <= 3 days",
    "Active if last modified <= 7 days",
    "Active if last modified <= 14 days",
    "Active if last modified <= 30 days",
    "Active if last modified <= 60 days",
    "Active if last modified <= 90 days",
    "Active if last modified <= 180 days",
    "Active if last modified <= 365 days",
    "Force active if last modified <= 1 day",
    "Force active if last modified <= 3 days",
    "Force active if last modified <= 7 days",
    "Force active if last modified <= 14 days",
    "Force active if last modified <= 30 days",
    "Force active if last modified <= 60 days",
    "Force active if last modified <= 90 days",
    "Force active if last modified <= 180 days",
    "Force active if last modified <= 365 days"
  ],
  "example": [
    "Active if last modified <= 90 days"
  ],
  "default": "Skip"
}

Azure > Network > Virtual Network Gateway > Approved

Determine the action to take when an Azure Network virtual network gateway is not approved based on Azure > Network > Virtual Network Gateway > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkGatewayApproved

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Approved",
  "Enforce: Delete unapproved if new"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Approved",
    "Enforce: Delete unapproved if new"
  ],
  "example": [
    "Check: Approved"
  ],
  "default": "Skip"
}

Azure > Network > Virtual Network Gateway > Approved > Custom

Determine whether the Azure Network virtual network gateway is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Network virtual network gateway is not approved, it will be subject to the action specified in the Azure > Network > Virtual Network Gateway > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkGatewayApprovedCustom

Category

Azure > Network > Virtual Network Gateway > Approved

Parent

Targets

Schema

{
  "example": [
    "Approved",
    "Not approved",
    "Skip",
    {
      "result": "Approved"
    },
    {
      "title": "string",
      "result": "Not approved"
    },
    {
      "title": "string",
      "result": "Approved",
      "message": "string"
    },
    [
      {
        "title": "string",
        "result": "Approved",
        "message": "string"
      },
      {
        "title": "string",
        "result": "Not approved",
        "message": "string"
      }
    ]
  ],
  "anyOf": [
    {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "title": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,32}$"
          },
          "message": {
            "type": "string",
            "pattern": "^[\\W\\w]{1,128}$"
          },
          "result": {
            "type": "string",
            "pattern": "^(Approved|Not approved|Skip)$"
          }
        },
        "required": [
          "result"
        ],
        "additionalProperties": false
      }
    },
    {
      "type": "object",
      "properties": {
        "title": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,32}$"
        },
        "message": {
          "type": "string",
          "pattern": "^[\\W\\w]{1,128}$"
        },
        "result": {
          "type": "string",
          "pattern": "^(Approved|Not approved|Skip)$"
        }
      },
      "required": [
        "result"
      ],
      "additionalProperties": false
    },
    {
      "type": "string",
      "pattern": "^(Approved|Not approved|Skip)$"
    }
  ],
  "default": "Skip"
}

Azure > Network > Virtual Network Gateway > Approved > Regions

A list of Azure regions in which Azure Network virtual network gateways are approved for use.

The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If an Azure Network virtual network gateway is created in a region that is not in the approved list, it will be subject to the action specified in the Azure > Network > Virtual Network Gateway > Approved policy.

See Approved for more information.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkGatewayApprovedRegions

Category

Azure > Network > Virtual Network Gateway > Approved

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkApprovedRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

Schema

Azure > Network > Virtual Network Gateway > Approved > Usage

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkGatewayApprovedUsage

Category

Azure > Network > Virtual Network Gateway > Approved

Parent

Targets

Valid Value

[
  "Not approved",
  "Approved",
  "Approved if Azure > Network > Enabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Not approved",
    "Approved",
    "Approved if Azure > Network > Enabled"
  ],
  "example": [
    "Not approved"
  ],
  "default": "Approved if Azure > Network > Enabled"
}

Azure > Network > Virtual Network Gateway > CMDB

Configure whether to record and synchronize details for the Azure Network virtual network gateway into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If region is not in Azure > Network > Virtual Network Gateway > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkGatewayCmdb

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Enabled if Network provider is Registered",
  "Enforce: Disabled"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Enabled if Network provider is Registered",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled if Network provider is Registered"
}

Azure > Network > Virtual Network Gateway > Configured

Determine how to configure this resource.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkGatewayConfigured

Category

Parent

Targets

Valid Value

[
  "Skip (unless claimed by a stack)",
  "Check: Per Configured > Source (unless claimed by a stack)",
  "Enforce: Per Configured > Source (unless claimed by a stack)"
]

Schema

{
  "enum": [
    "Skip (unless claimed by a stack)",
    "Check: Per Configured > Source (unless claimed by a stack)",
    "Enforce: Per Configured > Source (unless claimed by a stack)"
  ],
  "default": "Skip (unless claimed by a stack)"
}

Azure > Network > Virtual Network Gateway > Configured > Claim Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkGatewayConfiguredPrecedence

Category

Azure > Network > Virtual Network Gateway > Configured

Parent

Targets

Default Template Input

"{\n  defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"

Default Template

"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- &#39;{{ item }}&#39;{% endfor %}{% endif %}"

Schema

{
  "type": "array",
  "items": {
    "type": "string"
  }
}

Azure > Network > Virtual Network Gateway > Configured > Source

A HCL or JSON format Terraform configuration source used to configure this resource.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkGatewayConfiguredSource

Category

Azure > Network > Virtual Network Gateway > Configured

Parent

Targets

Schema

{
  "type": "string",
  "default": "",
  "x-schema-form": {
    "type": "code",
    "language": "hcl"
  }
}

Azure > Network > Virtual Network Gateway > Regions

A list of Azure regions in which Azure Network virtual network gateways are supported for use.

Any virtual network gateways in a region not listed here will not be recorded in CMDB.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkGatewayRegions

Category

Parent

Targets

Default Template Input

"{\n  regions: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkRegionsDefault\") {\n    value\n  }\n}\n"

Default Template

"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- &#39;{{ item }}&#39;&#92;n{% endfor %}"

Schema

Azure > Network > Virtual Network Gateway > Tags

Determine the action to take when an Azure Network virtual network gateway tags are not updated based on the Azure > Network > Virtual Network Gateway > Tags > * policies.

The control ensure Azure Network virtual network gateway tags include tags defined in Azure > Network > Virtual Network Gateway > Tags > Template.

Tags not defined in Virtual Network Gateway Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkGatewayTags

Category

Parent

Targets

Valid Value

[
  "Skip",
  "Check: Tags are correct",
  "Enforce: Set tags"
]

Schema

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Tags are correct",
    "Enforce: Set tags"
  ],
  "example": [
    "Check: Tags are correct"
  ],
  "default": "Skip"
}

Azure > Network > Virtual Network Gateway > Tags > Template

The template is used to generate the keys and values for Azure Network virtual network gateway.

Tags not defined in Virtual Network Gateway Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.

See Tags for more information.

URI

tmod:@turbot/azure-network#/policy/types/virtualNetworkGatewayTagsTemplate

Category

Azure > Network > Virtual Network Gateway > Tags

Parent

Targets

Default Template Input

[
  "{\n  subscription {\n    turbot {\n      id\n    }\n  }\n}\n",
  "{\n  defaultTags: policyValue(uri:\"tmod:@turbot/azure-network#/policy/types/networkTagsTemplate\" resourceId: \"{{ $.subscription.turbot.id }}\") {\n    value\n  }\n}\n"
]

Default Template

"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"

Schema

Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-network

A calculated policy that Guardrails uses to create a compiled list of ALL
permission levels for Azure Network that is used as input to the
stack that manages the Guardrails IAM permissions objects.

URI

tmod:@turbot/azure-network#/policy/types/azureLevelsCompiled

Category

Azure > Turbot > Permissions > Compiled > Levels

Parent

Targets

azure-iam#/definitions/azureLevelDefinitionList

Schema

Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-network

A calculated policy that Guardrails uses to create a compiled list of ALL
permissions for Azure Network that is used as input to the control that manages
the IAM stack.

URI

tmod:@turbot/azure-network#/policy/types/azureCompiledServicePermissions

Category

Azure > Turbot > Permissions > Compiled > Service Permissions

Parent

Targets