@turbot/gcp
The gcp mod contains resource, control and policy definitions for the GCP service.
Resource Types
- GCP
- GCP > Folder
- GCP > Global Region
- GCP > Multi-Region
- GCP > Organization
- GCP > Project
- GCP > Region
- GCP > Zone
Control Types
- GCP > Folder > CMDB
- GCP > Folder > Discovery
- GCP > Global Region > Discovery
- GCP > Multi-Region > Discovery
- GCP > Multi-Region > Stack
- GCP > Organization > CMDB
- GCP > Project > CMDB
- GCP > Project > Discovery
- GCP > Project > Labels
- GCP > Project > Resource AKA Cleanup
- GCP > Project > Service APIs
- GCP > Project > Service APIs > Approved
- GCP > Project > Stack
- GCP > Region > Discovery
- GCP > Region > Stack
- GCP > Turbot
- GCP > Turbot > Event Handlers
- GCP > Turbot > Event Handlers > Logging
- GCP > Turbot > Event Handlers > Pub/Sub
- GCP > Turbot > Event Poller
- GCP > Zone > Discovery
Policy Types
- GCP > Client Email
- GCP > Data Protection
- GCP > Data Protection > Minimum Schedule [Default]
- GCP > Data Protection > Schedule [Default]
- GCP > Folder > CMDB
- GCP > Multi-Region > Stack
- GCP > Multi-Region > Stack > Secret Variables
- GCP > Multi-Region > Stack > Source
- GCP > Multi-Region > Stack > Terraform Version
- GCP > Multi-Region > Stack > Variables
- GCP > Organization > CMDB
- GCP > Private Key
- GCP > Project > Approved Regions [Default]
- GCP > Project > CMDB
- GCP > Project > Labels
- GCP > Project > Labels > Template
- GCP > Project > Labels Template [Default]
- GCP > Project > Regions
- GCP > Project > Resource AKA Cleanup
- GCP > Project > Service APIs
- GCP > Project > Service APIs > Approved
- GCP > Project > Service APIs > Approved > Services
- GCP > Project > Stack
- GCP > Project > Stack > Secret Variables
- GCP > Project > Stack > Source
- GCP > Project > Stack > Terraform Version
- GCP > Project > Stack > Variables
- GCP > Project > Trusted Domains [Default]
- GCP > Project > Trusted Groups [Default]
- GCP > Project > Trusted Projects [Default]
- GCP > Project > Trusted Service Accounts [Default]
- GCP > Project > Trusted Users [Default]
- GCP > Region > Stack
- GCP > Region > Stack > Source
- GCP > Turbot
- GCP > Turbot > Event Handlers
- GCP > Turbot > Event Handlers > Logging
- GCP > Turbot > Event Handlers > Logging > Sink
- GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter
- GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp
- GCP > Turbot > Event Handlers > Logging > Sink > Destination Topic
- GCP > Turbot > Event Handlers > Logging > Sink > Name Prefix
- GCP > Turbot > Event Handlers > Logging > Source
- GCP > Turbot > Event Handlers > Logging > Terraform Version
- GCP > Turbot > Event Handlers > Logging > Unique Writer Identity
- GCP > Turbot > Event Handlers > Pub/Sub
- GCP > Turbot > Event Handlers > Pub/Sub > Source
- GCP > Turbot > Event Handlers > Pub/Sub > Subscription
- GCP > Turbot > Event Handlers > Pub/Sub > Subscription > Labels
- GCP > Turbot > Event Handlers > Pub/Sub > Subscription > Name Prefix
- GCP > Turbot > Event Handlers > Pub/Sub > Terraform Version
- GCP > Turbot > Event Handlers > Pub/Sub > Topic
- GCP > Turbot > Event Handlers > Pub/Sub > Topic > Name Prefix
- GCP > Turbot > Event Poller
- GCP > Turbot > Event Poller > Filter
- GCP > Turbot > Event Poller > Interval
- GCP > Turbot > Event Poller > Window
Release Notes
5.23.4 (2024-02-29)
Bug fixes
- The GCP > Turbot > Event Handlers > Pub/Sub stack control previously attempted to create a topic and its IAM member incorrectly when the GCP > Turbot > Event Handlers > Logging > Unique Writer Identity policy was set to Enforce: Unique Identity, but the project number for the project was not available. This is fixed and the control will transition to an Invalid state until Guardrails can correctly fetch the project number.
5.23.3 (2024-02-01)
Bug fixes
- The Org policy details in the Project CMDB data will now be properly and consistently sorted.
5.23.2 (2024-01-16)
Bug fixes
- The GCP > Turbot > Event Poller control now includes a precheck condition to avoid running GraphQL input queries when the GCP > Turbot > Event Poller policy is set to Disabled. You won't notice any difference and the control should run lighter and quicker than before.
5.23.1 (2023-11-24)
Bug fixes
- Added support to process enable and disable real-time events for Firebase Management API via Service Usage APIs.
5.23.0 (2023-11-03)
What's new?
- Users can now set a Unique Writer Identity for the Logging Sink created via the GCP > Turbot > Event Handlers stack. To get started, set the GCP > Turbot > Event Handlers > Logging > Unique Writer Identity policy.
Policy Types
- GCP > Turbot > Event Handlers > Logging > Unique Writer Identity
5.22.0 (2023-09-20)
What's new?
- Added support for new multi-regions NAM8, NAM9, NAM10, NAM11, NAM12, NAM13, NAM14, NAM15, NAM-EUR-ASIA1, NAM-EUR-ASIA3, IN, EUR5, EUR6, EUROPE and EMEA in the GCP > Project > Regions policy.
Policy Types
Removed
- GCP > Project > Multi-Regions [Deprecated]
5.21.0 (2023-09-15)
What's new?
- Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed; your existing configurations and settings will continue to work as before.
Bug fixes
- Added support for the new europe-west10 region in the GCP > Project > Regions policy.
5.20.1 (2023-09-07)
Bug fixes
- A few policy values would sometimes fail to evaluate correctly if the mod was installed on TE v5.42.1. We've fixed this issue and such policy values will now be evaluated correctly.
5.20.0 (2023-08-10)
What's new?
- README.md file is now available for users to check details about the resource types and service permissions that the mod covers.
Bug fixes
- The GCP > Project > CMDB control would fail to trigger automatically if either the GCP > Private Key or the GCP > Client Email policy value was updated. This is now fixed.
5.19.0 (2023-08-07)
What's new?
- Added support for new asia-south, australia-southeast, europe-west, northamerica-northeast, southamerica-west, us-east, us-south and us-west regions in the GCP > Project > Regions policy.
Bug fixes
- The GCP > Turbot > Event Handlers and GCP > Turbot > Event Poller controls would fail to handle all events correctly if the filter pattern for the events exceeded 20K characters. This is fixed and all events will now be processed correctly as expected.
5.18.0 (2023-03-24)
Control Types
- GCP > Project > Service APIs
- GCP > Project > Service APIs > Approved
Policy Types
- GCP > Project > Service APIs
- GCP > Project > Service APIs > Approved
- GCP > Project > Service APIs > Approved > Services
5.17.3 (2023-02-06)
Bug fixes
- Added support for GCP > SecretManager service APIs.
5.17.2 (2023-01-17)
Bug fixes
- We've made a few improvements in the GraphQL queries for GCP > Turbot > Event Handlers to make them lighter and faster than before. You won't notice any difference and things should continue to run smoothly as expected.
- Added support to process enable and disable real-time events for Data Pipelines and Cloud Run APIs.
5.17.1 (2022-11-25)
Bug fixes
- Added support to process enable and disable real-time events for BigQuery API via Service Usage APIs.
5.17.0 (2022-10-21)
What's new?
- The real-time event handlers will now also process update events for Organization Policy.
5.16.2 (2022-07-20)
Bug fixes
- The GCP > Project > CMDB control would sometimes hit the API throttling limit and inadvertently trigger multiple times, leading the control to an error state. We've removed unnecessary service API calls and the control will now work smoothly as expected.
- Guardrails would sometimes fail to process real-time events for enabling or disabling service APIs in a project. This is fixed and the CMDB data for such services will now be updated correctly on listening to such real-time events.
5.16.1 (2022-06-01)
Bug fixes
- We've updated descriptions for several controls to indicate their purpose better. There are no changes otherwise and things should continue to run smoothly, as expected.
5.16.0 (2021-07-29)
What's new?
- The GCP > Turbot > Event Handlers > Logging > Terraform Version and GCP > Turbot > Event Handlers > Pub/Sub > Terraform Version policies will now be set to 0.15.* by default for workspaces on TE v5.37.7 or higher. For workspaces on TE versions lower than 5.37.7, the policy will remain set to 0.11.* by default.
5.15.4 (2021-03-01)
Bug fixes
- To reduce unnecessary processing, the GCP > Project > Event Poller action will now ignore any bucket read level events, e.g., storage.buckets.get, and all object events, e.g., storage.objects.create, storage.objects.get. These events are not used for any resource updates in the GCP > Storage mod, so the event poller can safely ignore them.
5.15.3 (2021-02-16)
Bug fixes
- Links to documentation in the descriptions for several controls and policies were broken. These links have now been fixed.
5.15.2 (2020-11-30)
Bug fixes
- Enabling/Disabling a service in GCP wouldn't update its CMDB data automatically since GCP deprecated and removed support for the APIs that we used. We've made the switch to the new Enabling and Disabling service APIs and things should now work smoothly.
5.15.1 (2020-10-14)
Bug fixes
- Sometimes the GCP > Project > Event Poller control would run less frequently than the interval set in the GCP > Project > Event Poller > Interval policy. We've updated this control to ensure that it runs at least every 10 minutes (the maximum interval allowed in the policy) to prevent it from missing events.
5.15.0 (2020-09-22)
What's new?
- We've added a new region type, GCP > Global Region, which is a special multi-region that is only used for certain services, like Dataproc and KMS. This region type will be created in CMDB for a given project if the global value is included in the GCP > Project > Regions policy (the default values include global).
- The GCP > Project > Multi-Regions policy has been deprecated, its title has been updated to GCP > Project > Multi-Regions [Deprecated], and it will be removed in the next major version. The GCP > Multi-Region > Discovery control will now use the GCP > Project > Regions policy to determine which multi-regions to create in CMDB for a given project (the default values include all current multi-regions). For backward compatibility, if any projects have an existing policy setting for the GCP > Project > Multi-Regions [Deprecated] policy, then the control will use this policy setting instead to determine which multi-regions to create in CMDB, to provide a changeover window. We recommend migrating any existing policy settings for the GCP > Project > Multi-Regions policy to the GCP > Project > Regions policy to prevent any future incompatibilities.
Resource Types
- GCP > Global Region
Control Types
- GCP > Global Region > Discovery
Policy Types
Renamed
- GCP > Project > Multi-Regions to GCP > Project > Multi-Regions [Deprecated]
- GCP > Project > Regions [Default] to GCP > Project > Regions
5.14.2 (2020-09-16)
Bug fixes
- Projects can now be imported at the Guardrails level (previously they could only be imported in a Guardrails folder).
5.14.1 (2020-09-07)
Bug fixes
- The real-time event handling for the GCP > Notebooks service API had an incorrect reference to the GCP > Notebooks > CMDB control. This issue has now been fixed.
5.14.0 (2020-09-04)
What's new?
- Added real-time event handling for GCP > Notebook service API updates.
5.13.0 (2020-08-28)
What's new?
- Discovery controls now have their own control category, CMDB > Discovery, to allow for easier filtering separately from other CMDB controls.
- Added real-time event handling for GCP > Dataflow service API updates.
5.12.0 (2020-08-18)
Policy Types
- GCP > Multi-Region > Stack > Terraform Version
- GCP > Project > Stack > Terraform Version
5.11.0 (2020-08-05)
Policy Types
- GCP > Turbot > Event Handlers > Logging > Terraform Version
- GCP > Turbot > Event Handlers > Pub/Sub > Terraform Version
5.10.1 (2020-07-24)
Bug fixes
- We've cleaned up our use of some deprecated GraphQL resolvers in the event handlers policies. There's no noticeable difference, but this will help us clean up some of our resolvers.
5.10.0 (2020-07-21)
What's new?
- Various policies have been added for defining trusted IAM resources, like users, groups, and service accounts, in preparation for upcoming trusted access controls. Upcoming mod versions for gcp-iam and gcp-storage will have controls that use these new policies as default lists of who or what should be trusted.
Policy Types
- GCP > Project > Trusted Domains [Default]
- GCP > Project > Trusted Groups [Default]
- GCP > Project > Trusted Projects [Default]
- GCP > Project > Trusted Service Accounts [Default]
- GCP > Project > Trusted Users [Default]
5.9.0 (2020-07-17)
What's new?
- Projects now contain information about any associated organizational policies under the orgPolicyMap and effectiveOrgPolicyMap properties.
Bug fixes
- The GCP > Turbot > Pub/Sub > Event Handlers control would sometimes delete resources it had previously created when the GCP > Turbot > Event Handlers > Pub/Sub policy was set from Enforce: Configured to Skip. This has now been fixed and the control will not make any changes to existing resources when set to Skip.
5.8.1 (2020-06-26)
Bug fixes
- Fixed an invalid reference in the default value calculation for the GCP > Project > Labels > Template policy.
- Previously the default value of the GCP > Turbot > Event Poller policy was Disabled. Now the Event Poller policy checks whether the GCP > Turbot > Event Handlers policy is set to Enforce: Configured: if so, it remains Disabled; otherwise it defaults to Enabled.
5.8.0 (2020-06-24)
What's new?
- Multi-Regional resources can now be easily created by configuring a custom stack as per the GCP > Multi-Region > Stack > Source policy.
Control Types
- GCP > Multi-Region > Stack
Policy Types
- GCP > Multi-Region > Stack
- GCP > Multi-Region > Stack > Secret Variables
- GCP > Multi-Region > Stack > Source
- GCP > Multi-Region > Stack > Variables
- GCP > Project > Stack > Secret Variables
- GCP > Project > Stack > Variables
5.7.0 (2020-06-19)
What's new?
- In gcp-computeengine (5.2.1) we fixed a bug that caused some GCP > Compute Engine > Disks to be created in CMDB with the disk name missing in their AKAs. To automatically clean up and delete these invalid disk CMDB entries, we have added the GCP > Project > Resource AKA Cleanup control. The GCP > Project > Resource AKA Cleanup policy is set to Enforce: Delete by default, and it is recommended to leave this policy as Enforce: Delete to ensure all invalid resources are deleted.
Control Types
- GCP > Project > Resource AKA Cleanup
Policy Types
- GCP > Project > Resource AKA Cleanup
5.6.0 (2020-06-10)
Control Types
- GCP > Project > Labels
Policy Types
- GCP > Project > Labels
- GCP > Project > Labels > Template
- GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp
Action Types
- GCP > Project > Router
- GCP > Project > Set Labels
5.5.0 (2020-06-02)
What's new?
- The GCP > Project > Project Event Handler and GCP > Project > Project Raw Event Handler action types are now set to run even if Guardrails is outside of its allowed change window. This allows Guardrails to maintain an up-to-date CMDB by handling resource updates at all times. Note that this only affects Guardrails' ability to process resource changes that were made in the cloud provider; enforcement actions are still disabled outside of the change window.
5.4.0 (2020-05-28)
What's new?
- Updated various resource configurations in preparation for upcoming maintenance window features.
5.3.0 (2020-05-15)
What's new?
- Guardrails now supports the asia-northeast2, asia-northeast3, europe-west6, us-west2, us-west3 and us-west4 GCP regions.
5.2.0 (2020-05-08)
What's new?
- Added real-time event handling for GCP > Build, GCP > Memorystore, and GCP > Data Catalog service API updates.
Bug fixes
- Service API update events for GCP > Composer and GCP > Scheduler were not being handled properly, so the CMDB entries for these services were often out of date. This has been fixed and updates are now handled accordingly.
Control Types
Removed
- GCP > Mapping Test Stack
Policy Types
Removed
- GCP > Region > Mapping Test Stack
- GCP > Region > Mapping Test Stack > Source
5.1.1 (2020-04-27)
Bug fixes
- The GCP > Region > Discovery control will now only upsert the regions present in the GCP > Project > Regions [Default] policy.
5.1.0 (2020-04-13)
What's new?
- API enabled status for all services is now included in CMDB entry for the project.
5.0.0 (2020-03-26)
Resource Types
- GCP
- GCP > Folder
- GCP > Multi-Region
- GCP > Organization
- GCP > Project
- GCP > Region
- GCP > Zone
Control Types
- GCP > Folder > CMDB
- GCP > Folder > Discovery
- GCP > Mapping Test Stack
- GCP > Multi-Region > Discovery
- GCP > Organization > CMDB
- GCP > Project > CMDB
- GCP > Project > Discovery
- GCP > Project > Stack
- GCP > Region > Discovery
- GCP > Region > Stack
- GCP > Turbot
- GCP > Turbot > Event Handlers
- GCP > Turbot > Event Handlers > Logging
- GCP > Turbot > Event Handlers > Pub/Sub
- GCP > Turbot > Event Poller
- GCP > Zone > Discovery
Policy Types
- GCP > Client Email
- GCP > Data Protection
- GCP > Data Protection > Minimum Schedule [Default]
- GCP > Data Protection > Schedule [Default]
- GCP > Folder > CMDB
- GCP > Organization > CMDB
- GCP > Private Key
- GCP > Project > Approved Regions [Default]
- GCP > Project > CMDB
- GCP > Project > Labels Template [Default]
- GCP > Project > Multi-Regions
- GCP > Project > Regions [Default]
- GCP > Project > Stack
- GCP > Project > Stack > Source
- GCP > Region > Mapping Test Stack
- GCP > Region > Mapping Test Stack > Source
- GCP > Region > Stack
- GCP > Region > Stack > Source
- GCP > Turbot
- GCP > Turbot > Event Handlers
- GCP > Turbot > Event Handlers > Logging
- GCP > Turbot > Event Handlers > Logging > Sink
- GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter
- GCP > Turbot > Event Handlers > Logging > Sink > Destination Topic
- GCP > Turbot > Event Handlers > Logging > Sink > Name Prefix
- GCP > Turbot > Event Handlers > Logging > Source
- GCP > Turbot > Event Handlers > Pub/Sub
- GCP > Turbot > Event Handlers > Pub/Sub > Source
- GCP > Turbot > Event Handlers > Pub/Sub > Subscription
- GCP > Turbot > Event Handlers > Pub/Sub > Subscription > Labels
- GCP > Turbot > Event Handlers > Pub/Sub > Subscription > Name Prefix
- GCP > Turbot > Event Handlers > Pub/Sub > Topic
- GCP > Turbot > Event Handlers > Pub/Sub > Topic > Name Prefix
- GCP > Turbot > Event Poller
- GCP > Turbot > Event Poller > Filter
- GCP > Turbot > Event Poller > Interval
- GCP > Turbot > Event Poller > Window
Action Types
- GCP > Project > Event Poller
- GCP > Project > Project Event Handler
- GCP > Project > Project Raw Event Handler
- GCP > Project > Service API Router