@turbot/azure-storage

The azure-storage mod contains resource, control and policy definitions for the Azure Storage service.

Version
5.17.1
Released On
Apr 26, 2024

Release Notes

5.17.1 (2024-04-26)

Bug fixes

  • The Azure > Storage > Storage Account > Data Protection control would go into an error state when container delete retention policy data was not available in CMDB. This issue is fixed and the control will now work as expected.

5.17.0 (2024-04-22)

Control Types

  • Azure > Storage > Storage Account > Access Keys
  • Azure > Storage > Storage Account > Access Keys > Rotation Reminder
  • Azure > Storage > Storage Account > Data Protection
  • Azure > Storage > Storage Account > Data Protection > Soft Delete

Policy Types

  • Azure > Storage > Storage Account > Access Keys
  • Azure > Storage > Storage Account > Access Keys > Rotation Reminder
  • Azure > Storage > Storage Account > Access Keys > Rotation Reminder > Days
  • Azure > Storage > Storage Account > Data Protection
  • Azure > Storage > Storage Account > Data Protection > Soft Delete
  • Azure > Storage > Storage Account > Data Protection > Soft Delete > Blobs
  • Azure > Storage > Storage Account > Data Protection > Soft Delete > Blobs > Retention Days
  • Azure > Storage > Storage Account > Data Protection > Soft Delete > Containers
  • Azure > Storage > Storage Account > Data Protection > Soft Delete > Containers > Retention Days

Action Types

  • Azure > Storage > Storage Account > Set Data Protection Soft Delete
  • Azure > Storage > Storage Account > Update Rotation Reminder

5.16.1 (2024-04-12)

Bug fixes

  • The Azure > Storage > Storage Account > Queue > Logging control would go into a skipped state for storage accounts, irrespective of any policy setting for Logging. This issue is fixed and the control will now work as expected.

5.16.0 (2024-04-01)

What's new?

  • Storage Account CMDB data will now also include details about the account's blob service properties.

5.15.0 (2024-02-01)

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You won't notice any difference and things will continue to work smoothly and consistently as before.

5.14.0 (2023-06-16)

What's new?

  • Resource's metadata will now also include createdBy details in Guardrails CMDB.

5.13.2 (2023-04-03)

Bug fixes

  • The Azure > Storage > Queue > CMDB control would go into an error state while trying to fetch Queue access policies if key based authentication was not permitted on the parent storage account. This is fixed and the control will now not try to fetch the Queue access policies in such cases, and work as expected.

5.13.1 (2023-03-16)

Bug fixes

  • The Azure > Storage > Storage Account > CMDB control would go into an error state while trying to fetch default Queue details if key based authentication was not permitted on the storage account. This is fixed and the control will now not try to fetch default Queue details in such cases, and work as expected.

5.13.0 (2022-12-26)

What's new?

  • All Azure > Storage resource types now support China Cloud regions.

5.12.2 (2022-03-01)

Bug fixes

  • The Azure > Storage > Storage Account > Public Access control would sometimes incorrectly evaluate the outcome if the Azure > Storage > Storage Account > Public Access policy was set to Enforce: Disabled. This issue is fixed and the control now works as expected.

5.12.1 (2022-02-25)

Bug fixes

  • The Azure > Storage > Queue > Discovery control would fail to discover the queues and incorrectly move to an error state when an Azure > Storage > Storage Account was created using a private endpoint with IP Address restrictions. This is fixed and the control will now work as expected.

5.12.0 (2022-02-18)

What's new?

  • Users can now create their own custom checks against resource attributes in the Approved control using the Approved > Custom policy. These custom checks would be a part of the evaluation of the Approved control. Custom messages can also be added which are then displayed in the control details table. See Custom Checks for more information.

Bug fixes

  • We've improved the process of deleting resources from Guardrails if their CMDB policy was set to Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Guardrails' IAM role while deleting resources from Guardrails. This will allow the CMDB controls to process resource deletions from Guardrails more reliably than before.

Policy Types

  • Azure > Storage > Container > Approved > Custom
  • Azure > Storage > FileShare > Approved > Custom
  • Azure > Storage > Storage Account > Approved > Custom

5.11.0 (2021-11-26)

What's new?

  • Users can now clean up resources and stop tracking changes for storage queues in Guardrails. To get started, set the Azure > Storage > Queue > CMDB policy to Enforce: Disabled.

Bug fixes

  • The Azure > Storage > Storage Account > Public Access control would sometimes evaluate the outcome incorrectly when the public access setting on a storage account was null by default. This is now fixed.

5.10.1 (2021-10-21)

Bug fixes

  • The Azure > Storage > Queue > Discovery control would incorrectly go into an invalid state when the storage provider was not registered. This is fixed and the control will now move to a skipped state instead in such cases.

5.10.0 (2021-08-06)

What's new?

  • We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

Bug fixes

  • Previously, if the Azure > Storage > Storage Account > CMDB control was in an error state, we'd still try and run the Azure > Storage > Queue > Discovery control to discover queues under the storage account, which resulted in an error. The Azure > Storage > Queue > Discovery control now will be dependent on the Azure > Storage > Storage Account > CMDB control and will try and discover queues only if the parent storage account's CMDB control is not in an error state.

  • We've made a few improvements in the GraphQL queries for various router actions. You won't notice any difference, but things should run lighter and quicker than before.

Control Types

  • Azure > Storage > Storage Account > Minimum TLS Version

Policy Types

  • Azure > Storage > Storage Account > Minimum TLS Version

Action Types

  • Azure > Storage > Storage Account > Set Minimum TLS Version

5.9.0 (2021-03-12)

What's new?

  • We've improved the state reasons and details tables in various Approved and Active controls to be more helpful, especially when a resource is unapproved or inactive. Previously, to understand why one of these controls is in Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

Bug fixes

  • The Azure > Storage > Storage Account > CMDB control now will not attempt to fetch the default queue details for the storage account if the Azure > Storage > Queue > CMDB policy is set to Skip.

5.8.3 (2021-02-02)

Bug fixes

  • The Azure > Storage > Container > Discovery control would go into an error state for storage accounts of kind FileStorage, since they don't support containers. From now on, the Azure > Storage > Container > Discovery control will move to Skip in such cases.

5.8.2 (2021-01-22)

Bug fixes

  • Controls run faster now when in the tbd and skipped states thanks to the new Guardrails Precheck feature (not to be confused with TSA PreCheck). With Guardrails Precheck, controls avoid running GraphQL input queries when in tbd and skipped, resulting in faster and lighter control runs.

5.8.1 (2020-12-23)

Bug fixes

  • The Azure > Storage > Storage Account > Firewall > IP Ranges > Approved > CIDR Ranges policy data validation failed if the last octet of a public IP was less than 10. This is now fixed.

5.8.0 (2020-12-09)

What's new?

  • With the addition of the Azure > Storage > Container > Public Access Level and Azure > Storage > Storage Account > Public Access controls, you can now configure and restrict public access for containers and storage accounts by setting the Azure > Storage > Container > Public Access Level and Azure > Storage > Storage Account > Public Access policies respectively.

Control Types

  • Azure > Storage > Container > Public Access Level
  • Azure > Storage > Storage Account > Public Access

Policy Types

  • Azure > Storage > Container > Public Access Level
  • Azure > Storage > Storage Account > Public Access

Action Types

  • Azure > Storage > Container > Set Public Access Level
  • Azure > Storage > Storage Account > Set Public Access

5.7.1 (2020-11-13)

Bug fixes

  • We've fixed a syntax error that would cause the Azure > Storage > Storage Account > Firewall control to always go into error state.

5.7.0 (2020-11-10)

What's new?

  • We've added guardrails to help secure access to your storage accounts' public endpoints. All storage accounts have public endpoints that are accessible through the internet by default. This access can be limited to specific IP ranges, virtual network subnets, and trusted Microsoft services by defining firewall and virtual network rules.

    To get started configuring these rules through Guardrails, the following policies should be set according to your desired firewall rules configuration:

    • Azure > Storage > Storage Account > Firewall - Configure default access rules for the public endpoint
    • Azure > Storage > Storage Account > Firewall > Exceptions - Configure trusted Microsoft services
    • Azure > Storage > Storage Account > Firewall > IP Ranges > Approved - Remove unapproved IP ranges
    • Azure > Storage > Storage Account > Firewall > IP Ranges > Required - Grant access to specific IP ranges
    • Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved - Remove unapproved virtual network subnets
    • Azure > Storage > Storage Account > Firewall > Virtual Networks > Required - Grant access to specific virtual network subnets

Please note that if the Azure > Storage > Storage Account > Firewall policy is set to Enforce: Allow only approved virtual networks and IP ranges, only applications in the configured IP ranges, virtual network subnets, and trusted Microsoft services will be allowed to access the storage accounts. If these boundaries are not properly configured beforehand or an application is outside of these boundaries, it will lose access to the storage accounts.

  • We've made improvements to how Approved controls interact with CMDB policies and controls for more reliable approved checks. Now, if a resource's CMDB policy is set to Skip, its Approved control will move to invalid to prevent the Approved control from making a decision based on outdated information. Also, Approved controls will now wait until the resource's CMDB control has run at least once to ensure the required data is available.
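The storage account firewall settings described in this release (default access rule, trusted-service exceptions, IP ranges, virtual network subnets) can be reviewed offline before an Enforce policy value is applied. The following is an added example, not Guardrails code: it audits the `networkAcls` block of a storage account as Azure Resource Manager returns it, and the sample account, the approved lists and the `audit_firewall` helper are all constructed for illustration.

```python
import ipaddress

# Constructed sample data: subscription, resource names and IP ranges are made up.
SUBNET_ID = ("/subscriptions/EXAMPLE/resourceGroups/rg/providers/"
             "Microsoft.Network/virtualNetworks/vnet1/subnets/app")
SAMPLE_ACCOUNT = {
    "name": "examplestorage",
    "properties": {"networkAcls": {
        "defaultAction": "Allow",
        "bypass": "AzureServices, Logging",
        "ipRules": [
            {"value": "203.0.113.0/24", "action": "Allow"},
            {"value": "192.0.2.5", "action": "Allow"},
            {"value": "198.51.100.7", "action": "Allow"},
        ],
        "virtualNetworkRules": [{"id": SUBNET_ID, "action": "Allow"}],
    }},
}


def audit_firewall(account, approved_cidrs, approved_subnets, approved_bypass):
    """Return (kind, value) findings for settings outside the approved boundary."""
    acls = account.get("properties", {}).get("networkAcls") or {}
    findings = []
    # With no networkAcls, or defaultAction "Allow", the public endpoint is
    # reachable from all networks and the rule lists below are not restrictive.
    default_action = acls.get("defaultAction", "Allow")
    if default_action != "Deny":
        findings.append(("default_action", default_action))
    # bypass is a comma-separated string such as "AzureServices, Logging".
    for item in (b.strip() for b in (acls.get("bypass") or "None").split(",")):
        if item and item != "None" and item not in approved_bypass:
            findings.append(("bypass", item))
    approved_nets = [ipaddress.ip_network(c) for c in approved_cidrs]
    for rule in acls.get("ipRules", []):
        try:
            # A single address is treated as a /32 network.
            net = ipaddress.ip_network(rule["value"], strict=False)
        except ValueError:
            findings.append(("ip_range_invalid", rule["value"]))
            continue
        if not any(net.version == a.version and net.subnet_of(a)
                   for a in approved_nets):
            findings.append(("ip_range", rule["value"]))
    # Azure resource IDs are case-insensitive, so compare in lower case.
    approved_ids = {s.lower() for s in approved_subnets}
    for rule in acls.get("virtualNetworkRules", []):
        if rule["id"].lower() not in approved_ids:
            findings.append(("subnet", rule["id"]))
    return findings
```

An empty result means every configured range, subnet and exception falls inside the approved boundary, so clients outside it are the only ones that would lose access under enforcement.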

Bug fixes

  • We've updated the Discovery controls for resources to now move to skipped instead of invalid if the provider is disabled in the subscription and the Azure > Provider > {service} > Registered policy is checking if the provider is disabled. This will reduce the amount of noisy controls that cannot be easily resolved without making changes to the provider.

Control Types

  • Azure > Storage > Storage Account > Firewall
  • Azure > Storage > Storage Account > Firewall > Exceptions
  • Azure > Storage > Storage Account > Firewall > IP Ranges
  • Azure > Storage > Storage Account > Firewall > IP Ranges > Approved
  • Azure > Storage > Storage Account > Firewall > IP Ranges > Required
  • Azure > Storage > Storage Account > Firewall > Virtual Networks
  • Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved
  • Azure > Storage > Storage Account > Firewall > Virtual Networks > Required

Policy Types

  • Azure > Storage > Storage Account > Firewall
  • Azure > Storage > Storage Account > Firewall > Exceptions
  • Azure > Storage > Storage Account > Firewall > Exceptions > Items
  • Azure > Storage > Storage Account > Firewall > IP Ranges
  • Azure > Storage > Storage Account > Firewall > IP Ranges > Approved
  • Azure > Storage > Storage Account > Firewall > IP Ranges > Approved > CIDR Ranges
  • Azure > Storage > Storage Account > Firewall > IP Ranges > Approved > Compiled Rules
  • Azure > Storage > Storage Account > Firewall > IP Ranges > Approved > Rules
  • Azure > Storage > Storage Account > Firewall > IP Ranges > Required
  • Azure > Storage > Storage Account > Firewall > IP Ranges > Required > Items
  • Azure > Storage > Storage Account > Firewall > Virtual Networks
  • Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved
  • Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved > Compiled Rules
  • Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved > Rules
  • Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved > Subnets
  • Azure > Storage > Storage Account > Firewall > Virtual Networks > Required
  • Azure > Storage > Storage Account > Firewall > Virtual Networks > Required > Items

Action Types

  • Azure > Storage > Storage Account > Update Firewall Default Access Rule
  • Azure > Storage > Storage Account > Update Firewall Exceptions
  • Azure > Storage > Storage Account > Update Firewall IP Ranges
  • Azure > Storage > Storage Account > Update Firewall Virtual Networks

5.6.0 (2020-10-15)

What's new?

  • We've made improvements to how Approved controls interact with CMDB policies and controls for more reliable approved checks. Now, if a resource's CMDB policy is set to Skip, its Approved control will move to invalid to prevent the Approved control from making a decision based on outdated information. Also, Approved controls will now wait until the resource's CMDB control has run at least once to ensure the required data is available.

5.5.0 (2020-09-28)

What's new?

  • We've made improvements to how Active controls interact with CMDB policies and controls for more reliable active checks. Now, if a resource's CMDB policy is set to Skip, its Active control will move to invalid to prevent the Active control from making a decision based on outdated information. Also, Active controls will now wait until the resource's CMDB control has run at least once to ensure the required data is available.

5.4.0 (2020-09-22)

What's new?

  • The Azure > Storage > Storage Account > Configured policy now includes the following new policy values:
    - Skip (unless claimed by a stack)
    - Check: Per Configured > Source (unless claimed by a stack)
    - Enforce: Per Configured > Source (unless claimed by a stack)
    These new values will replace the following current values, which have been deprecated and will be removed in the next major version:
    - Skip if using Configured > Source
    - Check: Configured if using Configured > Source
    - Enforce: Configured if using Configured > Source
    We recommend that you update your policy settings to use the new values, as these have replaced the deprecated values and are backwards compatible.

Policy Types

Renamed

  • Azure > Storage > Storage Account > Configured > Precedence to Azure > Storage > Storage Account > Configured > Claim Precedence

5.3.0 (2020-08-27)

What's new?

  • Discovery controls now have their own control category, CMDB > Discovery, to allow for easier filtering separately from other CMDB controls.
  • We've renamed the service's default regions policy from Regions [Default] to Regions to be consistent with our other regions policies.

5.2.3 (2020-07-24)

Bug fixes

  • When deleting inactive resources through an Active control, different warning periods in days can be set to delay deletion. We recently identified a bug that would cause these warning periods to be ignored, and any inactive resources would be deleted immediately. This bug has been fixed and now all Active controls will abide by the warning period set in the policy value.

5.2.2 (2020-06-10)

Bug fixes

  • Discovery controls for queue and fileshare resources remained in error state due to invalid syntax. This issue has now been fixed.

5.2.1 (2020-06-09)

Bug fixes

  • Since Azure premium storage accounts do not support queues and fileshares, their CMDB controls will now remain in skipped state instead of being in error.

5.2.0 (2020-06-09)

What's new?

  • The Storage Account Approved control now includes the Azure > Storage > Storage Account > Approved > Azure Datalake Storage policy, which checks whether Azure Datalake Storage is enabled or disabled in the storage account.

Policy Types

  • Azure > Storage > Storage Account > Approved > Azure Datalake Storage

5.1.7 (2020-06-04)

Bug fixes

  • Sometimes when the Azure > Storage > Storage Account > Access Tier control would set a storage account's access tier to hot or cold, the control would not re-run automatically after the access tier was updated and would remain in alarm state. This has been fixed.

5.1.6 (2020-06-03)

What's new?

  • All resource Router actions now run even if Guardrails is outside of its allowed change window. This allows Guardrails to maintain an up-to-date CMDB by handling resource updates at all times. Note that this only affects Guardrails' ability to process resource changes that were made in the cloud provider; enforcement actions are still disabled outside of the change window.

5.1.5 (2020-05-12)

Bug fixes

  • Links to documentation in the descriptions for several controls and policies were broken. These links have now been fixed.

Policy Types

Removed

  • Azure > Storage > Container > Regions

5.1.4 (2020-04-22)

Bug fixes

  • Queue CMDB and Discovery controls in the Azure Government regions failed to connect to the API due to use of an invalid service URL. This has been fixed and the controls are running smoothly again.