Product logo
DocsBlogPricing

Policy types for @turbot/gcp-datacatalog

GCP > Data Catalog > API Enabled

Check whether GCP Data Catalog API is enabled.

API Enabled refers specifically to the API state of a service in a cloud project.
This control determines whether the API state is set as per desired level.

The GCP > Data Catalog > API Enabled control compares
the API state against the API Enabled policies,
raises an alarm, and takes the defined enforcement action.

URI
tmod:@turbot/gcp-datacatalog#/policy/types/dataCatalogApiEnabled
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Check: Disabled",
  "Check: Enabled",
  "Check: Enabled if Data Catalog > Enabled",
  "Enforce: Disabled",
  "Enforce: Enabled",
  "Enforce: Enabled if Data Catalog > Enabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Disabled",
    "Check: Enabled",
    "Check: Enabled if Data Catalog > Enabled",
    "Enforce: Disabled",
    "Enforce: Enabled",
    "Enforce: Enabled if Data Catalog > Enabled"
  ],
  "default": "Skip"
}

GCP > Data Catalog > Approved Regions [Default]

A list of GCP regions in which GCP Data Catalog resources are approved for use.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

This policy is the default value for all GCP Data Catalog resources' Approved > Regions policies.

URI
tmod:@turbot/gcp-datacatalog#/policy/types/dataCatalogApprovedRegionsDefault
Category
Parent
Targets
Default Template Input
"{\n  regions: policyValue(uri:\"tmod:@turbot/gcp#/policy/types/approvedRegionsDefault\") {\n    value\n  }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
Schema

GCP > Data Catalog > CMDB

Configure whether to record and synchronize details for the GCP Data Catalog data catalog into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/gcp-datacatalog#/policy/types/dataCatalogCmdb
Category
Parent
Targets
Valid Value
[
  "Skip",
  "Enforce: Enabled",
  "Enforce: Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Skip",
    "Enforce: Enabled",
    "Enforce: Disabled"
  ],
  "example": [
    "Skip"
  ],
  "default": "Enforce: Enabled"
}

GCP > Data Catalog > Enabled

Enabled Data Catalog.

URI
tmod:@turbot/gcp-datacatalog#/policy/types/dataCatalogEnabled
Category
Parent
Targets
Valid Value
[
  "Enabled",
  "Enabled: Metadata Only",
  "Disabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Enabled",
    "Enabled: Metadata Only",
    "Disabled"
  ],
  "example": [
    "Enabled"
  ],
  "default": "Disabled"
}

GCP > Data Catalog > Labels Template [Default]

A template used to generate the keys and values for GCP Data Catalog resources.

By default, all Data Catalog resource Labels > Template policies will use this value.

URI
tmod:@turbot/gcp-datacatalog#/policy/types/dataCatalogLabelsTemplate
Category
Parent
Targets
Default Template Input
"{\n  defaultLabels: policyValue(uri:\"tmod:@turbot/gcp#/policy/types/defaultLabelsTemplate\") {\n    value\n  }\n}\n"
Default Template
"{%- if $.defaultLabels.value | length == 0 %} [] {%- elif $.defaultLabels.value != undefined %}{{ $.defaultLabels.value | dump | safe }}{%- else %}{% for item in $.defaultLabels.value %}- {{ item }}{% endfor %}{% endif %}"
Schema

GCP > Data Catalog > Permissions

Configure whether permissions policies are in effect for GCP Data Catalog.
This setting does not affect Project level permissions (GCP/Admin, GCP/Owner, etc).

Note: The behavior of this policy depends on the value of GCP > Permissions.

URI
tmod:@turbot/gcp-datacatalog#/policy/types/dataCatalogPermissions
Category
Parent
Targets
Valid Value
[
  "Enabled",
  "Disabled",
  "Enabled if GCP > Data Catalog > Enabled"
]
Schema
{
  "type": "string",
  "enum": [
    "Enabled",
    "Disabled",
    "Enabled if GCP > Data Catalog > Enabled"
  ],
  "example": [
    "Enabled"
  ],
  "default": "Enabled if GCP > Data Catalog > Enabled"
}

GCP > Data Catalog > Permissions > Levels

Define the permissions levels that can be used to grant access to Data Catalog
an GCP project. Permissions levels defined will appear in the UI to assign access to Guardrails users.

Note: Some services do not use all permissions levels, and any permissions level that has
no permissions associated will not be created even if it is selected here.

URI
tmod:@turbot/gcp-datacatalog#/policy/types/dataCatalogPermissionsLevels
Category
Parent
Targets
Default Template Input
[
  "{\n  item: project {\n    turbot{\n      id\n    }\n  }\n}\n",
  "{\n  availableLevels: policyValues(filter:\"policyTypeLevel:self resourceId:{{ $.item.turbot.id }} policyTypeId:'tmod:@turbot/gcp-iam#/policy/types/permissionsLevelsDefault'\") {\n    items {\n      value\n    }\n  }\n}\n"
]
Default Template
"{% if $.availableLevels.items[0].value | length == 0 %} [] {% endif %}{% for item in $.availableLevels.items[0].value %}- {{ item }}\n{% endfor %}"
Schema
{
  "type": "array",
  "items": {
    "type": "string",
    "enum": [
      "Metadata",
      "ReadOnly",
      "Operator",
      "Admin",
      "Owner"
    ]
  }
}

GCP > Data Catalog > Permissions > Levels > Modifiers

A map of GCP API to Guardrails Permission Level used to customize Guardrails' standard permissions.
You can add, remove or redefine the mapping of GCP API operations to Guardrails permissions levels here.

Note: Modifiers are cumulative - if you add a permission to the metadata level, it is also added
to readOnly, operator and admin. Modifier policies set here will “roll up” to the GCP level too - if
you add a permission to Admin, it will be granted to GCP/Storage/Admin and also GCP/Admin

<br />example:<br /> - &quot;storage.bucket.create&quot;: admin<br /> - &quot;sql.database.create&quot;: metadata<br />

URI
tmod:@turbot/gcp-datacatalog#/policy/types/dataCatalogPermissionsLevelsModifiers
Category
Parent
Targets
Schema

GCP > Data Catalog > Regions

A list of GCP regions in which GCP Data Catalog resources are supported for use.

The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.

This policy is the default value for all GCP Data Catalog resources' Regions policies.

URI
tmod:@turbot/gcp-datacatalog#/policy/types/dataCatalogRegionsDefault
Category
Parent
Targets
Schema
{
  "allOf": [
    {
      "$ref": "gcp#/definitions/regionNameMatcherList"
    },
    {
      "default": [
        "asia-east1",
        "asia-southeast1",
        "eu",
        "europe-west1",
        "europe-west4",
        "us",
        "us-central1",
        "us-west1"
      ]
    }
  ]
}

GCP > Turbot > Permissions > Compiled > Levels > @turbot/gcp-datacatalog

A calculated policy that Guardrails uses to create a compiled list of ALL permission
levels for GCP Data Catalog that is used as input to
the stack that manages the Guardrails IAM permissions objects.

URI
tmod:@turbot/gcp-datacatalog#/policy/types/gcpLevelsCompiled
Category
Parent
Targets
Schema

GCP > Turbot > Permissions > Compiled > Service Permissions > @turbot/gcp-datacatalog

A calculated policy that Guardrails uses to create a compiled list of ALL
permissions for GCP Data Catalog that is used as
input to the control that manages the IAM stack.

URI
tmod:@turbot/gcp-datacatalog#/policy/types/gcpCompiledServicePermissions
Category
Parent
Targets
Schema