Policy types for @turbot/gcp-iam
- GCP > IAM > API Enabled
- GCP > IAM > CMDB
- GCP > IAM > Enabled
- GCP > IAM > Login Names
- GCP > IAM > Member > Configured
- GCP > IAM > Member > Configured > Precedence
- GCP > IAM > Member > Configured > Source
- GCP > IAM > Permissions
- GCP > IAM > Permissions > Levels
- GCP > IAM > Permissions > Levels > Modifiers
- GCP > IAM > Permissions > Levels > Role Administration
- GCP > IAM > Permissions > Levels > Service Account Administration
- GCP > IAM > Permissions > Levels > Service Account Keys Administration
- GCP > IAM > Permissions > Levels > User And Group Administration
- GCP > IAM > Project Role > CMDB
- GCP > IAM > Project Role > Configured
- GCP > IAM > Project Role > Configured > Precedence
- GCP > IAM > Project Role > Configured > Source
- GCP > IAM > Project User > Active
- GCP > IAM > Project User > Active > Admin Activity
- GCP > IAM > Project User > Active > Age
- GCP > IAM > Project User > Active > Last Modified
- GCP > IAM > Project User > CMDB
- GCP > IAM > Service Account > Active
- GCP > IAM > Service Account > Active > Age
- GCP > IAM > Service Account > Active > Last Modified
- GCP > IAM > Service Account > Approved
- GCP > IAM > Service Account > Approved > Custom
- GCP > IAM > Service Account > Approved > Usage
- GCP > IAM > Service Account > CMDB
- GCP > IAM > Service Account > Policy
- GCP > IAM > Service Account > Policy > Trusted Access
- GCP > IAM > Service Account > Policy > Trusted Access > Domains
- GCP > IAM > Service Account > Policy > Trusted Access > Groups
- GCP > IAM > Service Account > Policy > Trusted Access > Service Accounts
- GCP > IAM > Service Account > Policy > Trusted Access > Users
- GCP > IAM > Service Account > Usage
- GCP > IAM > Service Account > Usage > Limit
- GCP > IAM > Service Account Key > Active
- GCP > IAM > Service Account Key > Active > Age
- GCP > IAM > Service Account Key > Active > Last Modified
- GCP > IAM > Service Account Key > Approved
- GCP > IAM > Service Account Key > Approved > Custom
- GCP > IAM > Service Account Key > Approved > Usage
- GCP > IAM > Service Account Key > CMDB
- GCP > IAM > Service Account Key > Usage
- GCP > IAM > Service Account Key > Usage > Limit
- GCP > IAM > Trusted Domains [Default]
- GCP > IAM > Trusted Groups [Default]
- GCP > IAM > Trusted Service Accounts [Default]
- GCP > IAM > Trusted Users [Default]
- GCP > IAM > Turbot
- GCP > IAM > Turbot > Role
- GCP > IAM > Turbot > Role > Name Prefix
- GCP > IAM > Turbot > Role > Stage
- GCP > Project > Policy > CMDB
- GCP > Project > Policy > Trusted Access
- GCP > Project > Policy > Trusted Access > Domains
- GCP > Project > Policy > Trusted Access > Groups
- GCP > Project > Policy > Trusted Access > Service Accounts
- GCP > Project > Policy > Trusted Access > Users
- GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-iam
- GCP > Turbot > Permissions
- GCP > Turbot > Permissions > Compiled
- GCP > Turbot > Permissions > Compiled > Levels
- GCP > Turbot > Permissions > Compiled > Levels > @turbot/gcp-iam
- GCP > Turbot > Permissions > Compiled > Project Permissions
- GCP > Turbot > Permissions > Compiled > Service Permissions
- GCP > Turbot > Permissions > Compiled > Service Permissions > @turbot/gcp-iam
- GCP > Turbot > Permissions > Custom Levels [Folder]
- GCP > Turbot > Permissions > Custom Levels [Organization]
- GCP > Turbot > Permissions > Custom Levels [Project]
- GCP > Turbot > Permissions > Levels
- GCP > Turbot > Permissions > Levels > Modifiers
- GCP > Turbot > Permissions > Levels [Default]
- GCP > Turbot > Permissions > Source
- GCP > Turbot > Permissions > Terraform Version
- GCP > Turbot > Permissions > Turbot/Owner Level to grant GCP/SuperUser
- Turbot > IAM > Permissions > Compiled > Levels > GCP
- Turbot > IAM > Permissions > Compiled > Levels > GCP [Turbot]
GCP > IAM > API Enabled
Check whether GCP IAM API is enabled.
API Enabled refers specifically to the API state of a service in a cloud project. This control determines whether the API state matches the desired level.
The GCP > IAM > API Enabled control compares the API state against the API Enabled policies, raises an alarm, and takes the defined enforcement action.
tmod:@turbot/gcp-iam#/policy/types/iamApiEnabled
[ "Skip", "Check: Disabled", "Check: Enabled", "Check: Enabled if IAM > Enabled", "Enforce: Disabled", "Enforce: Enabled", "Enforce: Enabled if IAM > Enabled"]
{ "type": "string", "enum": [ "Skip", "Check: Disabled", "Check: Enabled", "Check: Enabled if IAM > Enabled", "Enforce: Disabled", "Enforce: Enabled", "Enforce: Enabled if IAM > Enabled" ], "default": "Skip"}
GCP > IAM > CMDB
Record and synchronize details for the GCP IAM service into the CMDB.
tmod:@turbot/gcp-iam#/policy/types/iamCmdb
[ "Skip", "Enforce: Enabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
GCP > IAM > Enabled
Enable IAM.
tmod:@turbot/gcp-iam#/policy/types/iamEnabled
[ "Enabled", "Enabled: Metadata Only", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Enabled: Metadata Only", "Disabled" ], "example": [ "Enabled" ], "default": "Disabled"}
GCP > IAM > Login Names
GCP IAM login names.
tmod:@turbot/gcp-iam#/policy/types/loginNames
"{\n profile{\n email\n }\n}\n"
"- '{{ $.profile.email }}'"
{ "type": "array"}
GCP > IAM > Member > Configured
Determine how to configure this resource. Note that if the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.
tmod:@turbot/gcp-iam#/policy/types/memberConfigured
[ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source"]
{ "enum": [ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source" ], "default": "Enforce: Configured if using Configured > Source"}
GCP > IAM > Member > Configured > Precedence
An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.
By default, all resources are configured to use the precedence defined here, though they can override their Claim Precedence.
tmod:@turbot/gcp-iam#/policy/types/memberConfiguredPrecedence
{ "type": "array", "items": { "type": "string" }, "default": [ "**" ]}
GCP > IAM > Member > Configured > Source
An HCL- or JSON-format Terraform configuration source used to configure this resource.
tmod:@turbot/gcp-iam#/policy/types/memberConfiguredSource
{ "type": "string", "default": "{\"resource\": {}}\n", "x-schema-form": { "type": "code", "language": "hcl" }}
GCP > IAM > Permissions
Configure whether permissions policies are in effect for GCP IAM.
This setting does not affect Project level permissions (GCP/Admin, GCP/Owner, etc).
Note: The behavior of this policy depends on the value of GCP > Permissions.
tmod:@turbot/gcp-iam#/policy/types/iamPermissions
[ "Enabled", "Disabled", "Enabled if GCP > IAM > Enabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled", "Enabled if GCP > IAM > Enabled" ], "example": [ "Enabled" ], "default": "Enabled if GCP > IAM > Enabled"}
GCP > IAM > Permissions > Levels
Define the permissions levels that can be used to grant access to IAM in a GCP project. Permissions levels defined will appear in the UI to assign access to Guardrails users.
Note: Some services do not use all permissions levels, and any permissions level that has no permissions associated will not be created even if it is selected here.
tmod:@turbot/gcp-iam#/policy/types/iamPermissionsLevels
[ "{\n item: project {\n turbot{\n id\n }\n }\n}\n", "{\n availableLevels: policyValues(filter:\"policyTypeLevel:self resourceId:{{ $.item.turbot.id }} policyTypeId:'tmod:@turbot/gcp-iam#/policy/types/permissionsLevelsDefault'\") {\n items {\n value\n }\n }\n}\n"]
"{% if $.availableLevels.items[0].value | length == 0 %} [] {% endif %}{% for item in $.availableLevels.items[0].value %}- {{ item }}\n{% endfor %}"
{ "type": "array", "items": { "type": "string", "enum": [ "Metadata", "ReadOnly", "Operator", "Admin", "Owner" ] }}
GCP > IAM > Permissions > Levels > Modifiers
A map of GCP API to Guardrails Permission Level used to customize Guardrails' standard permissions.
You can add, remove or redefine the mapping of GCP API operations to Guardrails permissions levels here.
Note: Modifiers are cumulative - if you add a permission to the metadata level, it is also added to readOnly, operator and admin. Modifier policies set here will "roll up" to the GCP level too - if you add a permission to Admin, it will be granted to GCP/Storage/Admin and also GCP/Admin.
Example:
- "storage.bucket.create": admin
- "sql.database.create": metadata
tmod:@turbot/gcp-iam#/policy/types/iamPermissionsLevelsModifiers
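The cumulative rule above is easy to get wrong when reviewing a Modifiers value, so here is an added example (not code from the @turbot/gcp-iam mod) that parses the YAML-list form shown in the description and expands it into the operations each level gains. It assumes the level ordering of the Levels enum above (Metadata, ReadOnly, Operator, Admin, Owner), including that Owner sits above Admin, and the sample value is constructed.

```python
import re
from typing import Dict, List

# Permissions levels in the order the Levels policy above lists them. The
# description says a modifier at one level is also added to every level above
# it; treating Owner as the level above Admin is an assumption made here.
LEVELS: List[str] = ["metadata", "readonly", "operator", "admin", "owner"]

# One list item exactly as the policy description shows it, e.g.
#   - "storage.bucket.create": admin
_ITEM = re.compile(r'^\s*-\s*"?([A-Za-z0-9_.]+)"?\s*:\s*([A-Za-z]+)\s*$')


def parse_modifiers(policy_value: str) -> Dict[str, str]:
    """Parse the YAML-list form of the Modifiers policy value into an
    {api_operation: level} map. Raises ValueError on a malformed line or an
    unknown level name, so a bad value is rejected before it is applied."""
    modifiers: Dict[str, str] = {}
    for lineno, line in enumerate(policy_value.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and YAML comments
        match = _ITEM.match(line)
        if match is None:
            raise ValueError(
                f"line {lineno}: expected '- \"api.operation\": level', got {line!r}")
        operation, level = match.group(1), match.group(2).lower()
        if level not in LEVELS:
            raise ValueError(
                f"line {lineno}: unknown permissions level {match.group(2)!r}")
        modifiers[operation] = level
    return modifiers


def validate_modifiers(policy_value: str) -> List[str]:
    """Return a list of problems with the value (empty when it is acceptable)."""
    try:
        parse_modifiers(policy_value)
    except ValueError as err:
        return [str(err)]
    return []


def expand_modifiers(modifiers: Dict[str, str]) -> Dict[str, List[str]]:
    """Apply the cumulative rule: an operation added at a level is also granted
    to every higher level. Returns the sorted operations each level gains."""
    granted: Dict[str, set] = {level: set() for level in LEVELS}
    for operation, level in modifiers.items():
        for higher in LEVELS[LEVELS.index(level.lower()):]:
            granted[higher].add(operation)
    return {level: sorted(ops) for level, ops in granted.items()}


# Constructed sample value: the two items from the policy description plus
# one extra readOnly grant, to show the roll-up across levels.
SAMPLE_POLICY_VALUE = """\
- "storage.bucket.create": admin
- "sql.database.create": metadata
- "iam.roles.get": readOnly
"""

if __name__ == "__main__":
    for level, ops in expand_modifiers(parse_modifiers(SAMPLE_POLICY_VALUE)).items():
        print(f"{level:>9}: {', '.join(ops) or '(nothing added)'}")
```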
GCP > IAM > Permissions > Levels > Role Administration
Determines which Guardrails permissions level can manage Role Administration.
tmod:@turbot/gcp-iam#/policy/types/iamPermissionsLevelsRoleAdministration
[ "None", "Owner"]
{ "type": "string", "enum": [ "None", "Owner" ], "example": [ "None" ], "default": "None"}
GCP > IAM > Permissions > Levels > Service Account Administration
Determines which Guardrails permissions level can manage Service Account Administration.
tmod:@turbot/gcp-iam#/policy/types/iamPermissionsLevelsServiceAccountAdministration
[ "None", "Owner"]
{ "type": "string", "enum": [ "None", "Owner" ], "example": [ "None" ], "default": "None"}
GCP > IAM > Permissions > Levels > Service Account Keys Administration
Determines which Guardrails permissions level can manage Service Account Keys Administration.
tmod:@turbot/gcp-iam#/policy/types/iamPermissionsLevelsServiceAccountKeysAdministration
[ "None", "Owner"]
{ "type": "string", "enum": [ "None", "Owner" ], "example": [ "None" ], "default": "None"}
GCP > IAM > Permissions > Levels > User And Group Administration
Determines which Guardrails permissions level can manage User And Group Administration.
tmod:@turbot/gcp-iam#/policy/types/iamPermissionsLevelsUserAndGroupAdministration
[ "None", "Owner"]
{ "type": "string", "enum": [ "None", "Owner" ], "example": [ "None" ], "default": "None"}
GCP > IAM > Project Role > CMDB
Configure whether to record and synchronize details for the GCP IAM project role into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/gcp-iam#/policy/types/projectRoleCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if IAM API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if IAM API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if IAM API is enabled"}
GCP > IAM > Project Role > Configured
Determine how to configure this resource. Note that if the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.
tmod:@turbot/gcp-iam#/policy/types/projectRoleConfigured
[ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source"]
{ "enum": [ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source" ], "default": "Enforce: Configured if using Configured > Source"}
GCP > IAM > Project Role > Configured > Precedence
An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.
By default, all resources are configured to use the precedence defined here, though they can override their Claim Precedence.
tmod:@turbot/gcp-iam#/policy/types/projectRoleConfiguredPrecedence
{ "type": "array", "items": { "type": "string" }, "default": [ "**" ]}
GCP > IAM > Project Role > Configured > Source
An HCL- or JSON-format Terraform configuration source used to configure this resource.
tmod:@turbot/gcp-iam#/policy/types/projectRoleConfiguredSource
{ "type": "string", "default": "{\"resource\": {}}\n", "x-schema-form": { "type": "code", "language": "hcl" }}
GCP > IAM > Project User > Active
Determine the action to take when a GCP IAM project user is not active, based on the GCP > IAM > Project User > Active > * policies.
The control determines whether the resource is in active use and, if not, has the ability to delete or clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > IAM > Project User > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-iam#/policy/types/projectUserActive
[ "Skip", "Check: Active", "Enforce: Remove inactive with 1 day warning", "Enforce: Remove inactive with 3 days warning", "Enforce: Remove inactive with 7 days warning", "Enforce: Remove inactive with 14 days warning", "Enforce: Remove inactive with 30 days warning", "Enforce: Remove inactive with 60 days warning", "Enforce: Remove inactive with 90 days warning", "Enforce: Remove inactive with 180 days warning", "Enforce: Remove inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Remove inactive with 1 day warning", "Enforce: Remove inactive with 3 days warning", "Enforce: Remove inactive with 7 days warning", "Enforce: Remove inactive with 14 days warning", "Enforce: Remove inactive with 30 days warning", "Enforce: Remove inactive with 60 days warning", "Enforce: Remove inactive with 90 days warning", "Enforce: Remove inactive with 180 days warning", "Enforce: Remove inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > IAM > Project User > Active > Admin Activity
The number of days since the GCP IAM project user was last used before it is considered inactive.
The Active control determines whether the resource is in active use and, if not, has the ability to delete or clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > IAM > Project User > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-iam#/policy/types/projectUserActiveAdminActivity
[ "Skip", "Active if used <= 1 day", "Active if used <= 3 days", "Active if used <= 7 days", "Active if used <= 14 days", "Active if used <= 30 days", "Active if used <= 60 days", "Active if used <= 90 days", "Active if used <= 180 days", "Active if used <= 365 days", "Force active if used <= 1 day", "Force active if used <= 3 days", "Force active if used <= 7 days", "Force active if used <= 14 days", "Force active if used <= 30 days", "Force active if used <= 60 days", "Force active if used <= 90 days", "Force active if used <= 180 days", "Force active if used <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if used <= 1 day", "Active if used <= 3 days", "Active if used <= 7 days", "Active if used <= 14 days", "Active if used <= 30 days", "Active if used <= 60 days", "Active if used <= 90 days", "Active if used <= 180 days", "Active if used <= 365 days", "Force active if used <= 1 day", "Force active if used <= 3 days", "Force active if used <= 7 days", "Force active if used <= 14 days", "Force active if used <= 30 days", "Force active if used <= 60 days", "Force active if used <= 90 days", "Force active if used <= 180 days", "Force active if used <= 365 days" ], "example": [ "Active if used <= 90 days" ], "default": "Skip"}
GCP > IAM > Project User > Active > Age
The age after which the GCP IAM project user is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use and, if not, has the ability to delete or clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > IAM > Project User > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-iam#/policy/types/projectUserActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > IAM > Project User > Active > Last Modified
The number of days since the GCP IAM project user was last modified before it is considered inactive.
The Active control determines whether the resource is in active use and, if not, has the ability to delete or clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > IAM > Project User > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
tmod:@turbot/gcp-iam#/policy/types/projectUserActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > IAM > Project User > CMDB
Configure whether to record and synchronize details for the GCP IAM project user into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/gcp-iam#/policy/types/projectUserCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if IAM API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if IAM API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if IAM API is enabled"}
GCP > IAM > Service Account > Active
Determine the action to take when a GCP IAM service account is not active, based on the GCP > IAM > Service Account > Active > * policies.
The control determines whether the resource is in active use and, if not, has the ability to delete or clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > IAM > Service Account > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-iam#/policy/types/serviceAccountActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > IAM > Service Account > Active > Age
The age after which the GCP IAM service account is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use and, if not, has the ability to delete or clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > IAM > Service Account > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-iam#/policy/types/serviceAccountActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > IAM > Service Account > Active > Last Modified
The number of days since the GCP IAM service account was last modified before it is considered inactive.
The Active control determines whether the resource is in active use and, if not, has the ability to delete or clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > IAM > Service Account > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
tmod:@turbot/gcp-iam#/policy/types/serviceAccountActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > IAM > Service Account > Approved
Determine the action to take when a GCP IAM service account is not approved, based on the GCP > IAM > Service Account > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-iam#/policy/types/serviceAccountApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > IAM > Service Account > Approved > Custom
Determine whether the GCP IAM service account is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP IAM service account is not approved, it will be subject to the action specified in the GCP > IAM > Service Account > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/gcp-iam#/policy/types/serviceAccountApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
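Because a calculated Approved > Custom value can be a bare string, one object or a list of objects, it helps to see the schema above and the Approved control's combining rule applied together. This is an added example (not the mod's own implementation): it validates an already-parsed YAML value against the schema's constraints and reduces it to the status the Approved control acts on, following the rule stated in the Approved section that a resource unapproved for any reason is Unapproved. The sample value is constructed, and treating a mix of Approved and Skip entries as Approved is an assumption.

```python
import re
from typing import Any, Dict, List, Tuple, Union

RESULTS = ("Approved", "Not approved", "Skip")
# Length limits come from the patterns in the policy schema above:
# title ^[\W\w]{1,32}$ and message ^[\W\w]{1,128}$ (any character, bounded length).
LIMITS = {"title": 32, "message": 128}
_RESULT_RE = re.compile(r"^(Approved|Not approved|Skip)$")

CustomValue = Union[str, Dict[str, Any], List[Dict[str, Any]]]


def _check_object(obj: Any, where: str, errors: List[str]) -> None:
    """Validate one YAML object against the schema's object branch."""
    if not isinstance(obj, dict):
        errors.append(f"{where}: expected an object with a 'result' key")
        return
    extra = sorted(set(obj) - {"title", "message", "result"})
    if extra:  # additionalProperties: false
        errors.append(f"{where}: additional properties not allowed: {extra}")
    if "result" not in obj:  # required: [result]
        errors.append(f"{where}: missing required key 'result'")
    elif not (isinstance(obj["result"], str) and _RESULT_RE.fullmatch(obj["result"])):
        errors.append(f"{where}: 'result' must be one of {RESULTS}")
    for key, limit in LIMITS.items():
        if key in obj:
            val = obj[key]
            if not isinstance(val, str) or not 1 <= len(val) <= limit:
                errors.append(f"{where}: '{key}' must be a string of 1 to {limit} characters")


def validate_custom(value: CustomValue) -> List[str]:
    """Return the schema violations for a parsed Approved > Custom policy value
    (empty list when it is valid). Mirrors the schema's anyOf: a bare result
    string, a single object, or a list of objects."""
    errors: List[str] = []
    if isinstance(value, str):
        if not _RESULT_RE.fullmatch(value):
            errors.append(f"value: string must be one of {RESULTS}")
    elif isinstance(value, list):
        for i, item in enumerate(value):
            _check_object(item, f"item {i}", errors)
    else:
        _check_object(value, "value", errors)
    return errors


def evaluate_custom(value: CustomValue) -> Tuple[str, List[str]]:
    """Collapse a valid policy value to the status the Approved control acts on.
    Any 'Not approved' entry makes the whole result Not approved (the rule in
    the Approved section). Assumption: Approved mixed with Skip is Approved,
    and all-Skip (or an empty list) is Skip. Returns (overall, reasons) where
    reasons carries the title/message of each failing entry for the alarm."""
    errors = validate_custom(value)
    if errors:
        raise ValueError("; ".join(errors))
    if isinstance(value, str):
        items: List[Dict[str, Any]] = [{"result": value}]
    elif isinstance(value, dict):
        items = [value]
    else:
        items = value
    reasons: List[str] = []
    overall = "Skip"
    for item in items:
        if item["result"] == "Not approved":
            overall = "Not approved"
            text = item.get("title", "Custom check")
            if "message" in item:
                text += ": " + item["message"]
            reasons.append(text)
        elif item["result"] == "Approved" and overall == "Skip":
            overall = "Approved"
    return overall, reasons


# Constructed sample: what a calculated policy might return for one service account.
SAMPLE_VALUE = [
    {"title": "Naming", "result": "Approved"},
    {"title": "Key rotation", "result": "Not approved",
     "message": "user-managed key is older than the rotation window"},
    {"result": "Skip"},
]

if __name__ == "__main__":
    status, why = evaluate_custom(SAMPLE_VALUE)
    print(status, why)
```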
GCP > IAM > Service Account > Approved > Usage
Determine whether the GCP IAM service account is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP IAM service account is not approved, it will be subject to the action specified in the GCP > IAM > Service Account > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-iam#/policy/types/serviceAccountApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > IAM > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > IAM > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > IAM > Enabled"}
GCP > IAM > Service Account > CMDB
Configure whether to record and synchronize details for the GCP IAM service account into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/gcp-iam#/policy/types/serviceAccountCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if IAM API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if IAM API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if IAM API is enabled"}
GCP > IAM > Service Account > Policy
tmod:@turbot/gcp-iam#/policy/types/serviceAccountPolicy
GCP > IAM > Service Account > Policy > Trusted Access
Check or Enforce access checking on the GCP IAM Service Account policy.
Google Cloud IAM allows you to control who has access to the
iam service account via an IAM Policy. The Trusted Access policy
allows you to configure whether Guardrails will evaluate or
enforce restrictions on which members are allowed to be granted
access.
If enabled, the members in the IAM policy will be evaluated
against the list of allowed members in each of the Trusted
Access sub-policies (Trusted Access > Domains,
Trusted Access > Groups, etc).
If set to "Enforce: Trusted Access > *", access to non-trusted
members will be removed.
tmod:@turbot/gcp-iam#/policy/types/serviceAccountPolicyTrustedAccess
[ "Skip", "Check: Trusted Access > *", "Enforce: Trusted Access > *"]
{ "type": "string", "enum": [ "Skip", "Check: Trusted Access > *", "Enforce: Trusted Access > *" ], "default": "Skip"}
GCP > IAM > Service Account > Policy > Trusted Access > Domains
List of GCP Domains that are trusted for access in the GCP IAM Service Account policy.
This policy is used by the GCP > IAM > Service Account > Policy > Trusted Access
control to determine which members of type "domain" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.
```
example:
- company.com
- company-dev.org
```
Note: Setting the policy to an empty array will remove all domains.
tmod:@turbot/gcp-iam#/policy/types/serviceAccountPolicyTrustedDomains
"{\n value: policy(uri: \"tmod:@turbot/gcp-iam#/policy/types/iamTrustedDomains\")\n}\n"
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
GCP > IAM > Service Account > Policy > Trusted Access > Groups
List of GCP Groups that are trusted for access in the GCP IAM Service Account policy.
This policy is used by the GCP > IAM > Service Account > Policy > Trusted Access
control to determine which members of type "group" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.
```
example:
- notification@company.com
- "*@company.com"
```
**Note**: Setting the policy to an empty array will remove all groups.
tmod:@turbot/gcp-iam#/policy/types/serviceAccountPolicyTrustedGroups
"{\n value: policy(uri: \"tmod:@turbot/gcp-iam#/policy/types/iamTrustedGroups\")\n}\n"
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
GCP > IAM > Service Account > Policy > Trusted Access > Service Accounts
List of GCP Service Accounts that are trusted for access in the GCP IAM Service Account policy.
This policy is used by the GCP > IAM > Service Account > Policy > Trusted Access
control to determine which members of type "serviceAccount" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.
```
example:
- project-owner@dev-aaa.iam.gserviceaccount.com
- "*" # All service accounts trusted
```
**Note**: Setting the policy to an empty array will remove all service accounts.
tmod:@turbot/gcp-iam#/policy/types/serviceAccountPolicyTrustedServiceAccounts
"{\n value: policy(uri: \"tmod:@turbot/gcp-iam#/policy/types/iamTrustedServiceAccounts\")\n}\n"
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
GCP > IAM > Service Account > Policy > Trusted Access > Users
List of GCP Users that are trusted for access in the GCP IAM Service Account policy.
This policy is used by the GCP > IAM > Service Account > Policy > Trusted Access
control to determine which members of type "user" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.
```
example:
- "*@company.com" # All users with email ending in @company.com are trusted
- "test@dev-company.com"
- "dummy@gmail.com"
```
**Note**: Setting the policy to an empty array will remove all users.
tmod:@turbot/gcp-iam#/policy/types/serviceAccountPolicyTrustedUsers
"{\n value: policy(uri: \"tmod:@turbot/gcp-iam#/policy/types/iamTrustedUsers\")\n}\n"
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
GCP > IAM > Service Account > Usage
Configure the number of GCP IAM service accounts that can be used for this project and the current consumption against the limit.
You can configure the behavior of the control with this GCP > IAM > Service Account > Usage policy.
tmod:@turbot/gcp-iam#/policy/types/serviceAccountUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > IAM > Service Account > Usage > Limit
Maximum number of items that can be created for this project
tmod:@turbot/gcp-iam#/policy/types/serviceAccountUsageLimit
{ "type": "integer", "minimum": 0, "default": 100}
GCP > IAM > Service Account Key > Active
Determine the action to take when a GCP IAM service account key is not active, based on the GCP > IAM > Service Account Key > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > IAM > Service Account Key > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/gcp-iam#/policy/types/serviceAccountKeyActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > IAM > Service Account Key > Active > Age
The age after which the GCP IAM service account key is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > IAM > Service Account Key > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-iam#/policy/types/serviceAccountKeyActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > IAM > Service Account Key > Active > Last Modified
The number of days since the GCP IAM service account key was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > IAM > Service Account Key > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
tmod:@turbot/gcp-iam#/policy/types/serviceAccountKeyActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > IAM > Service Account Key > Approved
Determine the action to take when a GCP IAM service account key is not approved based on the GCP > IAM > Service Account Key > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify `if new`, e.g., `Enforce: Delete unapproved if new`, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-iam#/policy/types/serviceAccountKeyApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > IAM > Service Account Key > Approved > Custom
Determine whether the GCP IAM service account key is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP IAM service account key is not approved, it will be subject to the action specified in the GCP > IAM > Service Account Key > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of `Approved`, `Not approved` or `Skip`, or in the form of YAML objects. The object(s) must contain the key `result` with its value as `Approved` or `Not approved`. A custom title and message can also be added using the keys `title` and `message` respectively.
tmod:@turbot/gcp-iam#/policy/types/serviceAccountKeyApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
GCP > IAM > Service Account Key > Approved > Usage
Determine whether the GCP IAM service account key is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP IAM service account key is not approved, it will be subject to the action specified in the GCP > IAM > Service Account Key > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-iam#/policy/types/serviceAccountKeyApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > IAM > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > IAM > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > IAM > Enabled"}
GCP > IAM > Service Account Key > CMDB
Configure whether to record and synchronize details for the GCP IAM service account key into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > IAM > Service Account Key > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/gcp-iam#/policy/types/serviceAccountKeyCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if IAM API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if IAM API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if IAM API is enabled"}
GCP > IAM > Service Account Key > Usage
Configure the number of GCP IAM service account keys that can be used for this serviceAccount and the current consumption against the limit.
You can configure the behavior of the control with this GCP > IAM > Service Account Key > Usage policy.
tmod:@turbot/gcp-iam#/policy/types/serviceAccountKeyUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > IAM > Service Account Key > Usage > Limit
Maximum number of items that can be created for this serviceAccount
tmod:@turbot/gcp-iam#/policy/types/serviceAccountKeyUsageLimit
{ "type": "integer", "minimum": 0, "default": 10}
GCP > IAM > Trusted Domains [Default]
List of GCP Domains that are trusted for access in the GCP IAM policy.
This policy is used by the GCP > IAM > Policy > Trusted Access
control to determine which members of type "domain" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.
```
example:
- company.com
- company-dev.org
```
Note: Setting the policy to an empty array will remove all domains.
tmod:@turbot/gcp-iam#/policy/types/iamTrustedDomains
"{\n value: policy(uri: \"tmod:@turbot/gcp#/policy/types/trustedDomains\")\n}\n"
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
GCP > IAM > Trusted Groups [Default]
List of GCP Groups that are trusted for access in the GCP IAM policy.
This policy is used by the GCP > IAM > Policy > Trusted Access
control to determine which members of type "group" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.
```
example:
- notification@company.com
- "*@company.com"
```
**Note**: Setting the policy to an empty array will remove all groups.
tmod:@turbot/gcp-iam#/policy/types/iamTrustedGroups
"{\n value: policy(uri: \"tmod:@turbot/gcp#/policy/types/trustedGroups\")\n}\n"
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
GCP > IAM > Trusted Service Accounts [Default]
List of GCP Service Accounts that are trusted for access in the GCP IAM policy.
This policy is used by the GCP > IAM > Policy > Trusted Access
control to determine which members of type "serviceAccount" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.
```
example:
- project-owner@dev-aaa.iam.gserviceaccount.com
- "*" # All service accounts trusted
```
**Note**: Setting the policy to an empty array will remove all service accounts.
tmod:@turbot/gcp-iam#/policy/types/iamTrustedServiceAccounts
"{\n value: policy(uri: \"tmod:@turbot/gcp#/policy/types/trustedServiceAccounts\")\n}\n"
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
GCP > IAM > Trusted Users [Default]
List of GCP Users that are trusted for access in the GCP IAM policy.
This policy is used by the GCP > IAM > Policy > Trusted Access
control to determine which members of type "user" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.
```
example:
- "*@company.com" # All users with email ending in @company.com are trusted
- "test@dev-company.com"
- "dummy@gmail.com"
```
**Note**: Setting the policy to an empty array will remove all users.
tmod:@turbot/gcp-iam#/policy/types/iamTrustedUsers
"{\n value: policy(uri: \"tmod:@turbot/gcp#/policy/types/trustedUsers\")\n}\n"
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
GCP > IAM > Turbot
Configures Guardrails IAM Users, Roles, and Policies, per GCP > Permissions.
tmod:@turbot/gcp-iam#/policy/types/iamTurbot
[ "Per GCP > Permissions"]
{ "type": "string", "enum": [ "Per GCP > Permissions" ], "default": "Per GCP > Permissions"}
GCP > IAM > Turbot > Role
tmod:@turbot/gcp-iam#/policy/types/iamTurbotRole
GCP > IAM > Turbot > Role > Name Prefix
A prefix to be used for the role name (role-id) for standard Guardrails IAM Roles.
tmod:@turbot/gcp-iam#/policy/types/iamTurbotRoleNamePrefix
{ "type": "string", "default": "", "example": "turbot"}
GCP > IAM > Turbot > Role > Stage
The stage of a role in the launch lifecycle, such as ALPHA, BETA, or GA.
tmod:@turbot/gcp-iam#/policy/types/iamTurbotRoleStage
[ "ALPHA", "BETA", "GA", "DEPRECATED", "DISABLED", "EAP"]
{ "type": "string", "enum": [ "ALPHA", "BETA", "GA", "DEPRECATED", "DISABLED", "EAP" ], "example": [ "ALPHA" ], "default": "BETA"}
GCP > Project > Policy > CMDB
Configure whether to record and synchronize details for the GCP IAM policy into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/gcp-iam#/policy/types/projectIamPolicyCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if IAM API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if IAM API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if IAM API is enabled"}
GCP > Project > Policy > Trusted Access
Check or Enforce access checking on the Project IAM Policy.
Google Cloud IAM allows you to control who has access to the
project via an IAM Policy. The Trusted Access policy
allows you to configure whether Guardrails will evaluate or
enforce restrictions on which members are allowed to be granted
access.
If enabled, the members in the IAM policy will be evaluated
against the list of allowed members in each of the Trusted
Access sub-policies (Trusted Access > Domains,
Trusted Access > Groups, etc).
If set to "Enforce: Trusted Access > *", access to non-trusted
members will be removed.
tmod:@turbot/gcp-iam#/policy/types/projectIamPolicyTrustedAccess
[ "Skip", "Check: Trusted Access > *", "Enforce: Trusted Access > *"]
{ "type": "string", "enum": [ "Skip", "Check: Trusted Access > *", "Enforce: Trusted Access > *" ], "default": "Skip"}
GCP > Project > Policy > Trusted Access > Domains
List of GCP Domains that are trusted for access in the Project IAM Policy.
This policy is used by the GCP > Project > Policy > Trusted Access
control to determine which members of type "domain" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.
```
example:
- company.com
- company-dev.org
```
Note: Setting the policy to an empty array will remove all domains.
tmod:@turbot/gcp-iam#/policy/types/projectIamPolicyTrustedDomains
"{\n value: policy(uri: \"tmod:@turbot/gcp#/policy/types/trustedDomains\")\n}\n"
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
GCP > Project > Policy > Trusted Access > Groups
List of GCP Groups that are trusted for access in the Project IAM Policy.
This policy is used by the GCP > Project > Policy > Trusted Access
control to determine which members of type "group" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.
```
example:
- notification@company.com
- "*@company.com"
```
**Note**: Setting the policy to an empty array will remove all groups.
tmod:@turbot/gcp-iam#/policy/types/projectIamPolicyTrustedGroups
"{\n value: policy(uri: \"tmod:@turbot/gcp#/policy/types/trustedGroups\")\n}\n"
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
GCP > Project > Policy > Trusted Access > Service Accounts
List of GCP Service Accounts that are trusted for access in the Project IAM Policy.
This policy is used by the GCP > Project > Policy > Trusted Access
control to determine which members of type "serviceAccount" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.
```
example:
- project-owner@dev-aaa.iam.gserviceaccount.com
- "*" # All service accounts trusted
```
**Note**: Setting the policy to an empty array will remove all service accounts.
tmod:@turbot/gcp-iam#/policy/types/projectIamPolicyTrustedServiceAccounts
"{\n value: policy(uri: \"tmod:@turbot/gcp#/policy/types/trustedServiceAccounts\")\n}\n"
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
GCP > Project > Policy > Trusted Access > Users
List of GCP Users that are trusted for access in the Project IAM Policy.
This policy is used by the GCP > Project > Policy > Trusted Access
control to determine which members of type "user" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.
```
example:
- "*@company.com" # All users with email ending in @company.com are trusted
- "test@dev-company.com"
- "dummy@gmail.com"
```
**Note**: Setting the policy to an empty array will remove all users.
tmod:@turbot/gcp-iam#/policy/types/projectIamPolicyTrustedUsers
"{\n value: policy(uri: \"tmod:@turbot/gcp#/policy/types/trustedUsers\")\n}\n"
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
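The trusted-access evaluation that the Trusted Access > * sub-policies describe (for both the Service Account policy and the Project policy), as an added Python example that is not part of the gcp-iam mod: each IAM member is split into its type prefix and identity, the identity is matched against the trusted list for that type, and enforce mode drops whatever fails. The trusted lists and the sample IAM policy are constructed from the examples on this page; the regex translation of '*' and '?', case-insensitive matching, and treating member types outside the four lists (such as allUsers) as untrusted are assumptions of this example.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Trusted-member lists in the shape of the Trusted Access > * sub-policies.
# Keys are the GCP member-type prefixes the sub-policies apply to; the values
# are constructed from the examples on this page.
TRUSTED: Dict[str, List[str]] = {
    "domain": ["company.com", "company-dev.org"],
    "group": ["notification@company.com", "*@company.com"],
    "serviceAccount": ["project-owner@dev-aaa.iam.gserviceaccount.com"],
    "user": ["*@company.com", "test@dev-company.com"],
}

# Constructed sample IAM policy for a service account (same shape as the
# bindings returned by getIamPolicy). None of these identities are real.
SAMPLE_POLICY = {
    "etag": "BwXconstructed=",
    "bindings": [
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:alice@company.com",
                     "user:eve@example.net",
                     "group:notification@company.com",
                     "serviceAccount:project-owner@dev-aaa.iam.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["domain:company.com",
                     "domain:partner-corp.io",
                     "serviceAccount:ci-runner@other-proj.iam.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountKeyAdmin",
         "members": ["user:test@dev-company.com", "allUsers"]},
    ],
}


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile one trusted-list entry: '*' matches any run of characters and
    '?' exactly one; everything else is literal, so the '.' in a domain is
    not a regex wildcard. Assumption: identities compare case-insensitively."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def is_trusted(member: str, trusted: Dict[str, Iterable[str]]) -> bool:
    """A member is trusted only if its type has a trusted list and at least
    one entry of that list matches its identity."""
    member_type, sep, identity = member.partition(":")
    if not sep:
        # Assumption: members without a type prefix (allUsers,
        # allAuthenticatedUsers) appear in no Trusted Access list.
        return False
    patterns = trusted.get(member_type)
    if patterns is None:
        # Assumption: types outside domain/group/serviceAccount/user are
        # not covered by any sub-policy and therefore not trusted.
        return False
    return any(wildcard_to_regex(p).match(identity) for p in patterns)


def untrusted_members(policy: dict, trusted: Dict[str, Iterable[str]]) -> List[Tuple[str, str]]:
    """Check mode: every (role, member) pair that fails the evaluation, in
    binding order. An empty list means the policy passes."""
    return [(b["role"], m)
            for b in policy.get("bindings", [])
            for m in b.get("members", [])
            if not is_trusted(m, trusted)]


def enforce_trusted_access(policy: dict, trusted: Dict[str, Iterable[str]]) -> dict:
    """Enforce mode: a copy of the policy with untrusted members removed.
    Bindings left with no members are dropped; the input is not mutated and
    other top-level fields (etag, version) are carried over unchanged."""
    bindings = []
    for b in policy.get("bindings", []):
        kept = [m for m in b.get("members", []) if is_trusted(m, trusted)]
        if kept:
            bindings.append({**b, "members": kept})
    return {**policy, "bindings": bindings}


if __name__ == "__main__":
    for role, member in untrusted_members(SAMPLE_POLICY, TRUSTED):
        print(f"untrusted: {member} on {role}")
    print(enforce_trusted_access(SAMPLE_POLICY, TRUSTED))
```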
GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-iam
A GCP logs advanced filter used to specify the subset of log entries that will be forwarded by the logging sink on behalf of the gcp-iam mod.
This is a read-only policy that is used internally by Turbot.
tmod:@turbot/gcp-iam#/policy/types/iamEventPatterns
{ "type": "string", "default": "(((resource.type = iam_role AND protoPayload.authorizationInfo.permission != iam.roles.get AND protoPayload.authorizationInfo.permission != iam.roles.list) OR (resource.type = service_account AND protoPayload.authorizationInfo.permission != iam.serviceAccounts.get AND protoPayload.authorizationInfo.permission != iam.serviceAccounts.list AND protoPayload.authorizationInfo.permission != iam.serviceAccounts.getIamPolicy AND protoPayload.authorizationInfo.permission != iam.serviceAccountKeys.get AND protoPayload.authorizationInfo.permission != iam.serviceAccountKeys.list) OR (resource.type = project AND protoPayload.authorizationInfo.permission=resourcemanager.projects.setIamPolicy)) AND severity>=INFO AND severity<ERROR)"}
GCP > Turbot > Permissions
Configures whether Guardrails will manage permissions in GCP.
tmod:@turbot/gcp-iam#/policy/types/permissions
[ "Skip", "Check: None", "Check: Role Mode", "Enforce: None", "Enforce: Role Mode"]
{ "type": "string", "enum": [ "Skip", "Check: None", "Check: Role Mode", "Enforce: None", "Enforce: Role Mode" ], "example": [ "Enforce: None" ], "default": "Skip"}
GCP > Turbot > Permissions > Compiled
tmod:@turbot/gcp-iam#/policy/types/iamPermissionsCompiled
GCP > Turbot > Permissions > Compiled > Levels
A calculated policy that Guardrails uses to create a single list of ALL permissions levels for all services that is used as input to the stack that manages the Guardrails IAM permissions objects.
tmod:@turbot/gcp-iam#/policy/types/iamPermissionsCompiledLevels
GCP > Turbot > Permissions > Compiled > Levels > @turbot/gcp-iam
A calculated policy that Guardrails uses to create a compiled list of ALL permission
levels for GCP IAM that is used as input to
the stack that manages the Guardrails IAM permissions objects.
tmod:@turbot/gcp-iam#/policy/types/gcpLevelsCompiled
GCP > Turbot > Permissions > Compiled > Project Permissions
A calculated policy that Guardrails uses to create a single list of ALL permissions for all provider level permissions (GCP/Admin, GCP/Operator, etc) that is used as input to the control that manages the IAM stack.
tmod:@turbot/gcp-iam#/policy/types/iamPermissionsCompiledProjectPermissions
GCP > Turbot > Permissions > Compiled > Service Permissions
A calculated policy that Guardrails uses to create a single list of ALL permissions for all services that is used as input to the control that manages the IAM stack.
tmod:@turbot/gcp-iam#/policy/types/iamPermissionsCompiledServicePermissions
{ "type": "array"}
GCP > Turbot > Permissions > Compiled > Service Permissions > @turbot/gcp-iam
A calculated policy that Guardrails uses to create a compiled list of ALL
permissions for GCP IAM that is used as
input to the control that manages the IAM stack.
tmod:@turbot/gcp-iam#/policy/types/gcpCompiledServicePermissions
GCP > Turbot > Permissions > Custom Levels [Folder]
An ordered list of roles to use as custom Guardrails permission levels for GCP
Folders.
Levels in this policy will appear in the Guardrails console as grantable to
Guardrails users as GCP/Role/{role name}. When granted access, Guardrails will grant the
associated IAM role to the GCP user in the Organization or folder.
Note that the IAM roles must already exist in the GCP Organization.
tmod:@turbot/gcp-iam#/policy/types/permissionsCustomLevelsFolder
GCP > Turbot > Permissions > Custom Levels [Organization]
An ordered list of roles to use as custom Guardrails permission levels for GCP Organizations. Levels in this policy will appear in the Guardrails console as grantable to Guardrails users as GCP/Role/{role name}. When granted access, Guardrails will grant the associated IAM role to the GCP user in the Organization. Note that the IAM roles must already exist in the GCP Organization.
tmod:@turbot/gcp-iam#/policy/types/permissionsCustomLevelsOrganization
GCP > Turbot > Permissions > Custom Levels [Project]
An ordered list of roles to use as custom Guardrails permission levels for GCP Projects. Levels in this policy will appear in the Guardrails console as grantable to Guardrails users as GCP/Role/{role name}. When granted access, Guardrails will grant the associated IAM role to the GCP user in the project. Note that the IAM roles must already exist in the GCP Project.
tmod:@turbot/gcp-iam#/policy/types/permissionsCustomLevelsProject
GCP > Turbot > Permissions > Levels
Define the permission levels that can be used to grant access to a GCP project. Permission levels defined here will appear in the UI to assign access to Guardrails users.
tmod:@turbot/gcp-iam#/policy/types/permissionsLevels
{ "type": "array", "items": { "type": "string", "enum": [ "GCP/User", "GCP/Metadata", "GCP/ReadOnly", "GCP/Operator", "GCP/Admin", "GCP/Owner", "GCP/SuperUser" ] }, "default": [ "GCP/User", "GCP/Metadata", "GCP/ReadOnly", "GCP/Operator", "GCP/Admin", "GCP/Owner", "GCP/SuperUser" ]}
GCP > Turbot > Permissions > Levels > Modifiers
A map of GCP API operations to Guardrails permission levels used to customize Guardrails' standard permissions. You can add, remove or redefine the mapping of GCP API operations to Guardrails permission levels here. Modifiers are cumulative: if you add a permission to the metadata level, it is also added to readOnly, operator and admin. Modifier policies set here apply ONLY to the GCP levels (GCP/Admin, GCP/Operator, etc.), not to the service levels (GCP/Storage/Admin, GCP/Compute/Operator, etc.).
tmod:@turbot/gcp-iam#/policy/types/permissionsLevelsModifiers
{ "type": "array", "default": [], "example": [ [ { "storage.bucket.create": "admin" }, { "sql.database.create": "metadata" } ] ]}
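The cumulative rule above is easy to get wrong when reviewing a modifier change: a permission moved up to admin disappears from the lower levels, and a permission moved down to metadata appears in every level above it. The following is an added example, not Guardrails' own compile logic, that models that rule on a modifier list with the same shape as the policy value. The base operation-to-level mapping and the level names (metadata, readOnly, operator, admin) are constructed for the example; the two modifier entries are the ones from the policy's example value.

```python
"""Illustration of cumulative permission-level modifiers (added example).

Models the rule in the Modifiers policy description: levels nest
(metadata < readOnly < operator < admin), so an operation placed at one
level is also granted at every higher level, and a modifier that re-maps an
operation removes it from the lower levels it previously belonged to.
The base mapping below is constructed, not Guardrails' real mapping.
"""
from typing import Dict, List, Set, Tuple

# Cumulative order of the GCP-wide levels, lowest to highest (assumption
# for this example; the policy example uses these level names).
LEVELS: List[str] = ["metadata", "readOnly", "operator", "admin"]

# Constructed base mapping of API operations to their standard level.
BASE_MAPPING: Dict[str, str] = {
    "storage.bucket.get": "metadata",
    "storage.object.get": "readOnly",
    "storage.object.create": "operator",
    "storage.bucket.create": "operator",
    "sql.database.create": "admin",
}


def apply_modifiers(base: Dict[str, str], modifiers: List[Dict[str, str]]) -> Dict[str, str]:
    """Return a new operation->level mapping with the modifier list applied.

    `modifiers` has the shape of the policy value: a list of maps such as
    [{"storage.bucket.create": "admin"}]. Later entries override earlier
    ones, and an unknown level name is rejected rather than silently kept.
    """
    mapping = dict(base)
    for entry in modifiers:
        for operation, level in entry.items():
            if level not in LEVELS:
                raise ValueError(f"unknown level {level!r} for {operation}")
            mapping[operation] = level
    return mapping


def compile_levels(mapping: Dict[str, str]) -> Dict[str, Set[str]]:
    """Expand a flat operation->level mapping into per-level permission sets.

    Because levels are cumulative, each operation lands in its own level and
    in every higher level.
    """
    compiled: Dict[str, Set[str]] = {level: set() for level in LEVELS}
    for operation, level in mapping.items():
        for higher in LEVELS[LEVELS.index(level):]:
            compiled[higher].add(operation)
    return compiled


def added_and_removed(before: Dict[str, Set[str]], after: Dict[str, Set[str]]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Per level, the operations gained and lost between two compiled maps."""
    return {
        level: (sorted(after[level] - before[level]), sorted(before[level] - after[level]))
        for level in LEVELS
    }


if __name__ == "__main__":
    modifiers = [{"storage.bucket.create": "admin"}, {"sql.database.create": "metadata"}]
    before = compile_levels(BASE_MAPPING)
    after = compile_levels(apply_modifiers(BASE_MAPPING, modifiers))
    for level, (gained, lost) in added_and_removed(before, after).items():
        print(f"{level:9s} +{gained} -{lost}")
```

Running it shows the two effects side by side: sql.database.create is gained by metadata, readOnly and operator (admin already had it), while storage.bucket.create is lost by operator and now appears only at admin. Reviewing a modifier change as a diff of compiled levels, rather than as the modifier entries themselves, is the check that catches an accidental broadening of a low level.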
GCP > Turbot > Permissions > Levels [Default]
Define the permission levels that can be used to grant access to a GCP project. Permission levels defined here will appear in the UI to assign access to Guardrails users. This policy provides a default for Permissions > Levels in each service; you can explicitly override the setting for each service if desired.
tmod:@turbot/gcp-iam#/policy/types/permissionsLevelsDefault
{ "type": "array", "items": { "type": "string", "enum": [ "Metadata", "ReadOnly", "Operator", "Admin", "Owner" ] }, "default": []}
GCP > Turbot > Permissions > Source
Terraform source code used by the Guardrails Permissions stack to manage the standard Guardrails IAM Roles and Policies, per GCP > Permissions.
tmod:@turbot/gcp-iam#/policy/types/iamTurbotSource
{ "type": "string", "x-schema-form": { "type": "code", "language": "hcl" }}
GCP > Turbot > Permissions > Terraform Version
The version of Terraform to use for this stack. Specify an npm-style semver string to determine which version of the Terraform container Guardrails will use to run this stack.
A Guardrails Stack is a set of resources configured by Turbot, as specified via Terraform source. Stacks are responsible for the creation and deletion of multiple resources. Once created, stack resources are responsible for configuring themselves from the stack source via their Configured control.
tmod:@turbot/gcp-iam#/policy/types/permissionsTerraformVersion
{ "type": "string"}
GCP > Turbot > Permissions > Turbot/Owner Level to grant GCP/SuperUser
Define the level at which a user must have Turbot/Owner to be able to grant GCP/SuperUser. GCP/SuperUser is a highly privileged right that may require tighter restrictions than other rights. For example, if set to "GCP Folder or higher", then only users with Turbot/Owner on a parent Google folder, Organization, or Guardrails folder can grant GCP/SuperUser on a GCP Project; users with Turbot/Owner at the Project level would not be able to grant GCP/SuperUser.
tmod:@turbot/gcp-iam#/policy/types/permissionsGrantOwner
{ "type": "string", "enum": [ "Turbot", "Turbot Folder or higher", "Organization or higher", "GCP Folder or higher", "Project or higher" ], "default": "Turbot Folder or higher"}
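The rule has two parts that are worth checking separately: the Turbot/Owner grant must be on an ancestor of the target (a grant on a sibling folder does not count), and that ancestor's type must be at or above the level named in the setting. The following is an added example, not Guardrails code, that models both parts against the enum values of this policy. The resource tree, the resource names and the grants are constructed for the example; treating "Project or higher" as including Turbot/Owner on the project itself is my reading of the description.

```python
"""Illustration of the Turbot/Owner level required to grant GCP/SuperUser
(added example, not Guardrails code).

A user may grant GCP/SuperUser on a target resource only if they hold
Turbot/Owner on the target or one of its ancestors whose type ranks at or
above the type named in the policy setting.
"""
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Resource types in the hierarchy, lowest to highest. "Turbot" is the root.
RANK: Dict[str, int] = {
    "Project": 0,
    "GCP Folder": 1,
    "Organization": 2,
    "Turbot Folder": 3,
    "Turbot": 4,
}

# Policy setting (the schema enum) -> minimum type at which Turbot/Owner
# must be held. "Turbot" alone means only the root qualifies.
MINIMUM_FOR_SETTING: Dict[str, str] = {
    "Turbot": "Turbot",
    "Turbot Folder or higher": "Turbot Folder",
    "Organization or higher": "Organization",
    "GCP Folder or higher": "GCP Folder",
    "Project or higher": "Project",
}


def build_tree(rows: List[Tuple[str, str, Optional[str]]]) -> Tuple[Dict[str, str], Dict[str, Optional[str]]]:
    """Turn (name, type, parent) rows into type and parent lookup maps."""
    types: Dict[str, str] = {}
    parents: Dict[str, Optional[str]] = {}
    for name, type_, parent in rows:
        if type_ not in RANK:
            raise ValueError(f"unknown resource type {type_!r} for {name}")
        types[name] = type_
        parents[name] = parent
    return types, parents


def lineage(name: str, parents: Dict[str, Optional[str]]) -> Iterator[str]:
    """Yield the resource itself, then each ancestor up to the root."""
    current: Optional[str] = name
    while current is not None:
        yield current
        current = parents[current]


def can_grant_superuser(setting: str, owner_grants: Set[str], target: str,
                        types: Dict[str, str], parents: Dict[str, Optional[str]]) -> bool:
    """True if a Turbot/Owner grant on the target or an ancestor satisfies the setting.

    `owner_grants` is the set of resource names on which the user holds
    Turbot/Owner. Grants on resources outside the target's lineage never
    count, whatever their type.
    """
    if setting not in MINIMUM_FOR_SETTING:
        raise ValueError(f"unknown setting {setting!r}")
    minimum = RANK[MINIMUM_FOR_SETTING[setting]]
    return any(
        node in owner_grants and RANK[types[node]] >= minimum
        for node in lineage(target, parents)
    )


# Constructed hierarchy: Turbot root > Turbot folder > Organization >
# two GCP folders, each with one project.
TYPES, PARENTS = build_tree([
    ("turbot", "Turbot", None),
    ("prod", "Turbot Folder", "turbot"),
    ("example-org", "Organization", "prod"),
    ("platform", "GCP Folder", "example-org"),
    ("sandbox", "GCP Folder", "example-org"),
    ("billing-prod", "Project", "platform"),
    ("scratch", "Project", "sandbox"),
])

if __name__ == "__main__":
    for setting in MINIMUM_FOR_SETTING:
        for grant in ["turbot", "prod", "example-org", "platform", "sandbox", "billing-prod"]:
            ok = can_grant_superuser(setting, {grant}, "billing-prod", TYPES, PARENTS)
            print(f"{setting:25s} owner@{grant:13s} -> {'may' if ok else 'may not'} grant on billing-prod")
```

The table this prints makes the default ("Turbot Folder or higher") concrete: Turbot/Owner on the Organization, a GCP folder or the project is not enough to grant GCP/SuperUser on billing-prod; only Turbot/Owner on the Turbot folder or the root is. Under "GCP Folder or higher", Turbot/Owner on the sibling folder sandbox still does not qualify, because sandbox is not an ancestor of billing-prod.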
Turbot > IAM > Permissions > Compiled > Levels > GCP
A list of GCP permissions that Guardrails may use to grant permissions on a project.
tmod:@turbot/gcp-iam#/policy/types/turbotPermissionsCompiledLevelsGcp
{ "type": "array"}
Turbot > IAM > Permissions > Compiled > Levels > GCP [Turbot]
A list of GCP permissions that Guardrails may use to grant permissions on the Turbot root resource and Turbot folders.
tmod:@turbot/gcp-iam#/policy/types/turbotPermissionsCompiledLevels