Product logo
DocsBlogPricing

@turbot/gcp-iam

The gcp-iam mod contains resource, control and policy definitions for GCP IAM service.

Version
5.13.0
Released On
Feb 02, 2024
Depends On

Resource Types

Control Types

Policy Types

Release Notes

5.13.0 (2024-02-02)

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

5.12.0 (2023-09-22)

What's new?

  • The GCP/IAM/Metadata role now also includes serviceusage.services.list permission.

5.11.2 (2023-09-07)

Bug fixes

  • A few policy values would sometimes fail to evaluate correctly if the mod was installed on TE v5.42.1. We've fixed this issue and such policy values will now be evaluated correctly.

5.11.1 (2023-06-28)

Bug fixes

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

5.11.0 (2023-06-13)

What's new?

  • Resource's metadata will now also include createdBy details in Turbot CMDB.
  • README.md file is now available for users to check details about the resource types and service permissions that the mod covers.

5.10.1 (2023-03-22)

Bug fixes

  • We've updated the runtime of the lambda functions to node 16. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

5.10.0 (2022-08-11)

Action Types

  • GCP > IAM > Disable IAM API
  • GCP > IAM > Enable IAM API
  • GCP > IAM > Project User > Delete from GCP
  • GCP > IAM > Project User > Skip alarm for Active control
  • GCP > IAM > Project User > Skip alarm for Active control [90 days]
  • GCP > IAM > Service Account > Delete from GCP
  • GCP > IAM > Service Account > Skip alarm for Active control
  • GCP > IAM > Service Account > Skip alarm for Active control [90 days]
  • GCP > IAM > Service Account > Skip alarm for Approved control
  • GCP > IAM > Service Account > Skip alarm for Approved control [90 days]
  • GCP > IAM > Service Account Key > Delete from GCP
  • GCP > IAM > Service Account Key > Skip alarm for Active control
  • GCP > IAM > Service Account Key > Skip alarm for Active control [90 days]
  • GCP > IAM > Service Account Key > Skip alarm for Approved control
  • GCP > IAM > Service Account Key > Skip alarm for Approved control [90 days]

5.9.0 (2022-02-17)

What's new?

  • Users can now create their own custom checks against resource attributes in the Approved control using the Approved > Custom policy. These custom checks would be a part of the evaluation of the Approved control. Custom messages can also be added which are then displayed in the control details table. See Custom Checks for more information.

Bug fixes

  • We've improved the process of deleting resources from Guardrails if their CMDB policy was set to Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Guardrails' IAM role while deleting resources from Guardrails. This will allow the CMDB controls to process resource deletions from Guardrails more reliably than before.

Policy Types

  • GCP > IAM > Service Account > Approved > Custom
  • GCP > IAM > Service Account Key > Approved > Custom

5.8.1 (2021-10-25)

Bug fixes

  • We've made some more improvements in the GraphQL queries for various permission policies to be more reliable than before. You won't notice any difference and things should continue to run smoothly as expected.

5.8.0 (2021-07-29)

What's new?

  • The GCP > Turbot > Permissions > Terraform Version policy will now be set to 0.15.* by default for workspaces on TE v5.37.7 or higher. For workspaces on TE versions lower than 5.37.7, the policy will remain set to 0.11.* by default.

5.7.0 (2021-02-25)

What's new?

  • We've improved the state reasons and details tables in various Approved and Active controls to be more helpful, especially when a resource is unapproved or inactive. Previously, to understand why one of these controls is in Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

5.6.2 (2021-01-20)

Bug fixes

  • Controls run faster now when in the tbd and skipped states thanks to the new Guardrails Precheck feature (not to be confused with TSA PreCheck). With Guardrails Precheck, controls avoid running GraphQL input queries when in tbd and skipped, resulting in faster and lighter control runs.

5.6.1 (2020-10-30)

Bug fixes

  • We've updated the Discovery controls for resources to now move to skipped instead of invalid if the service API is disabled in the project and the GCP > {service} > API Enabled policy is checking if the API is disabled. This will reduce the amount of noisy controls that cannot be easily resolved without making changes to the service API.

5.6.0 (2020-09-15)

What's new?

  • We've made improvements to how Active controls interact with CMDB policies and controls for more reliable active checks. Now, if a resource's CMDB policy is set to Skip, its Active control will move to invalid to prevent the Active control from making a decision based on outdated information. Also, Active controls will now wait until the resource's CMDB control has run at least once to ensure the required data is available.

5.5.0 (2020-08-28)

What's new?

  • Discovery controls now have their own control category, CMDB > Discovery, to allow for easier filtering separately from other CMDB controls.

5.4.0 (2020-08-13)

What's new?

  • We now support controlling access for service accounts to provide automatic protection against unexpected access from projects, domains, groups, users, and other service accounts.

    To get started with this new control, please see the GCP > IAM > Service Account > Policy > Trusted Access policy and all of its sub-policies to specify which IAM resources are allowed to access your service accounts.

Control Types

  • GCP > IAM > Service Account > Policy
  • GCP > IAM > Service Account > Policy > Trusted Access

Policy Types

  • GCP > IAM > Service Account > Policy
  • GCP > IAM > Service Account > Policy > Trusted Access
  • GCP > IAM > Service Account > Policy > Trusted Access > Domains
  • GCP > IAM > Service Account > Policy > Trusted Access > Groups
  • GCP > IAM > Service Account > Policy > Trusted Access > Service Accounts
  • GCP > IAM > Service Account > Policy > Trusted Access > Users
  • GCP > IAM > Trusted Domains [Default]
  • GCP > IAM > Trusted Groups [Default]
  • GCP > IAM > Trusted Service Accounts [Default]
  • GCP > IAM > Trusted Users [Default]

Action Types

  • GCP > IAM > Service Account > Set Trusted Access

5.3.1 (2020-08-10)

Bug fixes

  • We’ve made improvements to our GraphQL input queries for various controls and actions. You won’t notice any differences, but things should run smoother and quicker than before.

5.3.0 (2020-07-29)

What's new?

  • We now support controlling access for projects to provide automatic protection against unexpected access from domains, groups, users, and service accounts.

    To get started with this new control, please see the GCP > IAM > Project > Policy > Trusted Access policy and all of its sub-policies to specify which IAM resources are allowed to access your project.

Policy Types

  • GCP > Turbot > Permissions > Terraform Version

Action Types

  • GCP > Project > Policy > Set Trusted Access

Removed

  • GCP > Project > Policy > Set Policy

5.2.0 (2020-07-23)

Bug fixes

  • Active controls for all resources were not calling the delete action properly, which meant inactive resources were not being deleted when the policy was set to enforce deletions. This has been fixed and inactive resources will now be cleaned up again.

Resource Types

  • GCP > IAM > Project User

Renamed

  • GCP > IAM > Project IAM Policy to GCP > Project > Policy

Removed

  • GCP > IAM > IAM Policy

Control Types

  • GCP > IAM > Project User > Active
  • GCP > IAM > Project User > CMDB
  • GCP > IAM > Project User > Discovery
  • GCP > Project > Policy > Trusted Access

Renamed

  • GCP > IAM > Project IAM Policy > CMDB to GCP > Project > Policy > CMDB
  • GCP > IAM > Project IAM Policy > Discovery to GCP > Project > Policy > Discovery

Policy Types

  • GCP > IAM > Project User > Active
  • GCP > IAM > Project User > Active > Admin Activity
  • GCP > IAM > Project User > Active > Age
  • GCP > IAM > Project User > Active > Last Modified
  • GCP > IAM > Project User > CMDB
  • GCP > Project > Policy > Trusted Access
  • GCP > Project > Policy > Trusted Access > Domains
  • GCP > Project > Policy > Trusted Access > Groups
  • GCP > Project > Policy > Trusted Access > Service Accounts
  • GCP > Project > Policy > Trusted Access > Users

Renamed

  • GCP > IAM > Project IAM Policy > CMDB to GCP > Project > Policy > CMDB

Action Types

  • GCP > IAM > Project User > Delete Project User
  • GCP > Project > Policy > Set Policy

Renamed

  • GCP > IAM > Project IAM Policy > Router to GCP > Project > Policy > Router

5.1.6 (2020-06-03)

What's new?

  • All resource Router actions now run even if Guardrails is outside of its allowed change window. This allows Guardrails to maintain an up-to-date CMDB by handling resource updates at all times. Note that this only affects Guardrails' ability to process resources changes that were made in the cloud provider - enforcement actions are still disabled outside of the change window.

5.1.5 (2020-05-29)

Bug fixes

  • Links to documentation in the descriptions for several controls and policies were broken. These links have now been fixed.

5.1.4 (2020-05-15)

Bug fixes

  • Several permissions did not have grant levels assigned, so when this service was enabled, the IAM permission model would be unable to calculate the full permission set across all services. The missing grant levels have been added and permission calculations are now running smoothly again.

5.1.3 (2020-05-06)

Bug fixes

  • While importing a GCP project, sometimes resources' Discovery controls would get stuck in an Invalid state due to incorrectly configured dependencies. This has been fixed and project imports should be smooth again.

5.1.2 (2020-04-30)

Bug fixes

  • Service Account's CMDB did not get updated whenever its status changed to Enabled/Disabled. This has now been fixed.

5.1.1 (2020-04-17)

Bug fixes

  • Several resources that have an IAM policy had an incomplete schema, which prevented the iamPolicy attribute from being used in calculated policies. This has been fixed.
  • The Project IAM policy was incorrectly being stored without any of its data due to an invalid reference. The data has returned and is visible once again.

5.1.0 (2020-04-13)

What's new?

  • Services can now be enabled as Metadata only, restricting users to only use metadata level permissions.

Bug fixes

  • Many calculations for Permissions > Compiled > Service Permissions were in error due to a missing library. This is now fixed.

5.0.0 (2020-03-26)

Resource Types

  • GCP > IAM
  • GCP > IAM > IAM Policy
  • GCP > IAM > Member
  • GCP > IAM > Project IAM Policy
  • GCP > IAM > Project Role
  • GCP > IAM > Service Account
  • GCP > IAM > Service Account Key

Control Types

  • GCP > IAM > API Enabled
  • GCP > IAM > CMDB
  • GCP > IAM > Discovery
  • GCP > IAM > Member > Configured
  • GCP > IAM > Project IAM Policy > CMDB
  • GCP > IAM > Project IAM Policy > Discovery
  • GCP > IAM > Project Role > CMDB
  • GCP > IAM > Project Role > Configured
  • GCP > IAM > Project Role > Discovery
  • GCP > IAM > Service Account > Active
  • GCP > IAM > Service Account > Approved
  • GCP > IAM > Service Account > CMDB
  • GCP > IAM > Service Account > Discovery
  • GCP > IAM > Service Account > Usage
  • GCP > IAM > Service Account Key > Active
  • GCP > IAM > Service Account Key > Approved
  • GCP > IAM > Service Account Key > CMDB
  • GCP > IAM > Service Account Key > Discovery
  • GCP > IAM > Service Account Key > Usage
  • GCP > Turbot > IAM

Policy Types

  • GCP > IAM > API Enabled
  • GCP > IAM > CMDB
  • GCP > IAM > Enabled
  • GCP > IAM > Login Names
  • GCP > IAM > Member > Configured
  • GCP > IAM > Member > Configured > Precedence
  • GCP > IAM > Member > Configured > Source
  • GCP > IAM > Permissions
  • GCP > IAM > Permissions > Levels
  • GCP > IAM > Permissions > Levels > Modifiers
  • GCP > IAM > Permissions > Levels > Role Administration
  • GCP > IAM > Permissions > Levels > Service Account Administration
  • GCP > IAM > Permissions > Levels > Service Account Keys Administration
  • GCP > IAM > Permissions > Levels > User And Group Administration
  • GCP > IAM > Project IAM Policy > CMDB
  • GCP > IAM > Project Role > CMDB
  • GCP > IAM > Project Role > Configured
  • GCP > IAM > Project Role > Configured > Precedence
  • GCP > IAM > Project Role > Configured > Source
  • GCP > IAM > Service Account > Active
  • GCP > IAM > Service Account > Active > Age
  • GCP > IAM > Service Account > Active > Last Modified
  • GCP > IAM > Service Account > Approved
  • GCP > IAM > Service Account > Approved > Usage
  • GCP > IAM > Service Account > CMDB
  • GCP > IAM > Service Account > Usage
  • GCP > IAM > Service Account > Usage > Limit
  • GCP > IAM > Service Account Key > Active
  • GCP > IAM > Service Account Key > Active > Age
  • GCP > IAM > Service Account Key > Active > Last Modified
  • GCP > IAM > Service Account Key > Approved
  • GCP > IAM > Service Account Key > Approved > Usage
  • GCP > IAM > Service Account Key > CMDB
  • GCP > IAM > Service Account Key > Usage
  • GCP > IAM > Service Account Key > Usage > Limit
  • GCP > IAM > Turbot
  • GCP > IAM > Turbot > Role
  • GCP > IAM > Turbot > Role > Name Prefix
  • GCP > IAM > Turbot > Role > Stage
  • GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-iam
  • GCP > Turbot > Permissions
  • GCP > Turbot > Permissions > Compiled
  • GCP > Turbot > Permissions > Compiled > Levels
  • GCP > Turbot > Permissions > Compiled > Levels > @turbot/gcp-iam
  • GCP > Turbot > Permissions > Compiled > Project Permissions
  • GCP > Turbot > Permissions > Compiled > Service Permissions
  • GCP > Turbot > Permissions > Compiled > Service Permissions > @turbot/gcp-iam
  • GCP > Turbot > Permissions > Custom Levels [Folder]
  • GCP > Turbot > Permissions > Custom Levels [Organization]
  • GCP > Turbot > Permissions > Custom Levels [Project]
  • GCP > Turbot > Permissions > Levels
  • GCP > Turbot > Permissions > Levels > Modifiers
  • GCP > Turbot > Permissions > Levels [Default]
  • GCP > Turbot > Permissions > Source
  • GCP > Turbot > Permissions > Turbot/Owner Level to grant GCP/SuperUser
  • Turbot > IAM > Permissions > Compiled > Levels > GCP
  • Turbot > IAM > Permissions > Compiled > Levels > GCP [Turbot]

Action Types

  • GCP > IAM > Project IAM Policy > Router
  • GCP > IAM > Project Role > Delete
  • GCP > IAM > Project Role > Router
  • GCP > IAM > Service Account > Delete
  • GCP > IAM > Service Account > Router
  • GCP > IAM > Service Account Key > Delete
  • GCP > IAM > Service Account Key > Router
  • GCP > IAM > Set API Enabled