@turbot/gcp-kms
The gcp-kms mod contains resource, control and policy definitions for the GCP KMS service.
- Setting Policies Tutorial
- Mods Overview
- Policies Overview
- Resources Overview
- Common Policies and Controls
Recommended Version
Resource Types
Control Types
- GCP > KMS > API Enabled
- GCP > KMS > CMDB
- GCP > KMS > Crypto Key > Approved
- GCP > KMS > Crypto Key > CMDB
- GCP > KMS > Crypto Key > Discovery
- GCP > KMS > Crypto Key > Labels
- GCP > KMS > Crypto Key > Policy
- GCP > KMS > Crypto Key > Policy > Trusted Access
- GCP > KMS > Discovery
- GCP > KMS > Key Ring > CMDB
- GCP > KMS > Key Ring > Discovery
- GCP > KMS > Key Ring > Policy
- GCP > KMS > Key Ring > Policy > Trusted Access
Policy Types
- GCP > KMS > API Enabled
- GCP > KMS > Approved Regions [Default]
- GCP > KMS > CMDB
- GCP > KMS > Crypto Key > Approved
- GCP > KMS > Crypto Key > Approved > Custom
- GCP > KMS > Crypto Key > Approved > Regions
- GCP > KMS > Crypto Key > Approved > Usage
- GCP > KMS > Crypto Key > CMDB
- GCP > KMS > Crypto Key > Labels
- GCP > KMS > Crypto Key > Labels > Template
- GCP > KMS > Crypto Key > Policy
- GCP > KMS > Crypto Key > Policy > Trusted Access
- GCP > KMS > Crypto Key > Policy > Trusted Access > All Authenticated
- GCP > KMS > Crypto Key > Policy > Trusted Access > All Users
- GCP > KMS > Crypto Key > Policy > Trusted Access > Domains
- GCP > KMS > Crypto Key > Policy > Trusted Access > Groups
- GCP > KMS > Crypto Key > Policy > Trusted Access > Service Accounts
- GCP > KMS > Crypto Key > Policy > Trusted Access > Users
- GCP > KMS > Crypto Key > Regions
- GCP > KMS > Enabled
- GCP > KMS > Key Ring > CMDB
- GCP > KMS > Key Ring > Policy
- GCP > KMS > Key Ring > Policy > Trusted Access
- GCP > KMS > Key Ring > Policy > Trusted Access > All Authenticated
- GCP > KMS > Key Ring > Policy > Trusted Access > All Users
- GCP > KMS > Key Ring > Policy > Trusted Access > Domains
- GCP > KMS > Key Ring > Policy > Trusted Access > Groups
- GCP > KMS > Key Ring > Policy > Trusted Access > Service Accounts
- GCP > KMS > Key Ring > Policy > Trusted Access > Users
- GCP > KMS > Key Ring > Regions
- GCP > KMS > Labels Template [Default]
- GCP > KMS > Permissions
- GCP > KMS > Permissions > Levels
- GCP > KMS > Permissions > Levels > Modifiers
- GCP > KMS > Regions
- GCP > KMS > Trusted Domains [Default]
- GCP > KMS > Trusted Groups [Default]
- GCP > KMS > Trusted Service Accounts [Default]
- GCP > KMS > Trusted Users [Default]
- GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-kms
- GCP > Turbot > Permissions > Compiled > Levels > @turbot/gcp-kms
- GCP > Turbot > Permissions > Compiled > Service Permissions > @turbot/gcp-kms
Release Notes
5.8.2 (2024-04-19)
Bug fixes
- The `rotationPeriod` and `nextRotationTime` attributes for Crypto Keys did not update correctly in CMDB when the rotation policy for such keys was removed. This is now fixed.
5.8.1 (2023-06-29)
Bug fixes
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
5.8.0 (2023-06-14)
What's new?
- Resource's metadata will now also include `createdBy` details in Turbot CMDB.
- README.md file is now available for users to check details about the resource types and service permissions that the mod covers.
5.7.1 (2023-03-22)
Bug fixes
- We've updated the runtime of the lambda functions to Node 16. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
5.7.0 (2022-02-17)
What's new?
- Users can now create their own custom checks against resource attributes in the Approved control using the `Approved > Custom` policy. These custom checks would be a part of the evaluation of the Approved control. Custom messages can also be added which are then displayed in the control details table. See Custom Checks for more information.
Bug fixes
- We've improved the process of deleting resources from Turbot if their CMDB policy was set to `Enforce: Disabled`. The CMDB controls will now not look to resolve credentials via Turbot's IAM role while deleting resources from Turbot. This will allow the CMDB controls to process resource deletions from Turbot more reliably than before.
Policy Types
- GCP > KMS > Crypto Key > Approved > Custom
5.6.1 (2021-09-27)
Bug fixes
- The `GCP > KMS > Key Ring > Discovery` control would incorrectly go into a `TBD` state when trying to discover multi-region and global region targeted resources. This is now fixed and the control works as expected.
5.6.0 (2021-08-05)
What's new?
- We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.
Bug fixes
- We've made a few improvements in the GraphQL queries for various router actions. You won't notice any difference, but things should run lighter and quicker than before.
5.5.1 (2021-05-20)
Bug fixes
- The `GCP > KMS > Crypto Key > Discovery` control would incorrectly go into a skipped state by default for the `global` region. This is now fixed.
5.5.0 (2021-02-25)
What's new?
- We've improved the state reasons and details tables in various Approved and Active controls to be more helpful, especially when a resource is unapproved or inactive. Previously, to understand why one of these controls is in Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.
5.4.3 (2021-01-20)
Bug fixes
- Controls run faster now when in the `tbd` and `skipped` states thanks to the new Turbot Precheck feature (not to be confused with TSA PreCheck). With Turbot Precheck, controls avoid running GraphQL input queries when in `tbd` and `skipped`, resulting in faster and lighter control runs.
5.4.2 (2020-12-03)
Bug fixes
- We've updated the `GCP > * > Set API Enabled` actions to use the latest API calls when checking the state of the service in the GCP project. There's no noticeable difference, but things should run smoother now.
5.4.1 (2020-10-30)
Bug fixes
- We've updated the Discovery controls for resources to now move to `skipped` instead of `invalid` if the service API is disabled in the project and the `GCP > {service} > API Enabled` policy is checking if the API is disabled. This will reduce the amount of noisy controls that cannot be easily resolved without making changes to the service API.
5.4.0 (2020-09-29)
What's new?
- Crypto keys and key rings created in the special global multi-region are now discovered and created in CMDB, similar to those created in the standard regions. Please note that support for the `GCP > Global Region` resource type is only available in `gcp (5.15.0)` and later.
- The default values for the `GCP > KMS > Regions` policy now include `global`.
5.3.0 (2020-08-28)
What's new?
- Discovery controls now have their own control category, `CMDB > Discovery`, to allow for easier filtering separately from other CMDB controls.
- We've renamed the service's default regions policy from `Regions [Default]` to `Regions` to be consistent with our other regions policies.
5.2.0 (2020-08-13)
What's new?
We now support controlling access for crypto keys and key rings to provide automatic protection against unexpected access from projects, domains, groups, users, and service accounts.
To get started with this new control, please see the `GCP > KMS > Crypto Key > Policy > Trusted Access` and `GCP > KMS > Key Ring > Policy > Trusted Access` policies and all of their sub-policies to specify which IAM resources are allowed to access your keys.
Control Types
- GCP > KMS > Crypto Key > Policy
- GCP > KMS > Crypto Key > Policy > Trusted Access
- GCP > KMS > Key Ring > Policy
- GCP > KMS > Key Ring > Policy > Trusted Access
Policy Types
- GCP > KMS > Crypto Key > Policy
- GCP > KMS > Crypto Key > Policy > Trusted Access
- GCP > KMS > Crypto Key > Policy > Trusted Access > All Authenticated
- GCP > KMS > Crypto Key > Policy > Trusted Access > All Users
- GCP > KMS > Crypto Key > Policy > Trusted Access > Domains
- GCP > KMS > Crypto Key > Policy > Trusted Access > Groups
- GCP > KMS > Crypto Key > Policy > Trusted Access > Service Accounts
- GCP > KMS > Crypto Key > Policy > Trusted Access > Users
- GCP > KMS > Key Ring > Policy
- GCP > KMS > Key Ring > Policy > Trusted Access
- GCP > KMS > Key Ring > Policy > Trusted Access > All Authenticated
- GCP > KMS > Key Ring > Policy > Trusted Access > All Users
- GCP > KMS > Key Ring > Policy > Trusted Access > Domains
- GCP > KMS > Key Ring > Policy > Trusted Access > Groups
- GCP > KMS > Key Ring > Policy > Trusted Access > Service Accounts
- GCP > KMS > Key Ring > Policy > Trusted Access > Users
- GCP > KMS > Trusted Domains [Default]
- GCP > KMS > Trusted Groups [Default]
- GCP > KMS > Trusted Service Accounts [Default]
- GCP > KMS > Trusted Users [Default]
Action Types
- GCP > KMS > Crypto Key > Set Trusted Access
- GCP > KMS > Key Ring > Set Trusted Access
5.1.5 (2020-08-10)
Bug fixes
- We’ve made improvements to our GraphQL input queries for various controls and actions. You won’t notice any differences, but things should run smoother and quicker than before.
5.1.4 (2020-06-03)
What's new?
- All resource Router actions now run even if Turbot is outside of its allowed change window. This allows Turbot to maintain an up-to-date CMDB by handling resource updates at all times. Note that this only affects Turbot's ability to process resource changes that were made in the cloud provider; enforcement actions are still disabled outside of the change window.
5.1.3 (2020-05-14)
Bug fixes
- Although the data validation errors, which appear in various CMDB and Discovery controls, are not blockers, they look ugly in the UI and should be cleaned up. These errors have now been fixed.
5.1.2 (2020-05-06)
Bug fixes
- While importing a GCP project, sometimes resources' Discovery controls would get stuck in an Invalid state due to incorrectly configured dependencies. This has been fixed and project imports should be smooth again.
5.1.1 (2020-04-17)
Bug fixes
- Several resources that have an IAM policy had an incomplete schema, which prevented the `iamPolicy` attribute from being used in calculated policies. This has been fixed.
5.1.0 (2020-04-13)
What's new?
- Services can now be enabled as Metadata only, restricting users to only use metadata level permissions.
Bug fixes
- Many calculations for `Permissions > Compiled > Service Permissions` were in error due to a missing library. This is now fixed.
5.0.0 (2020-03-31)
Resource Types
- GCP > KMS
- GCP > KMS > Crypto Key
- GCP > KMS > Key Ring
Control Types
- GCP > KMS > API Enabled
- GCP > KMS > CMDB
- GCP > KMS > Crypto Key > Approved
- GCP > KMS > Crypto Key > CMDB
- GCP > KMS > Crypto Key > Discovery
- GCP > KMS > Crypto Key > Labels
- GCP > KMS > Discovery
- GCP > KMS > Key Ring > CMDB
- GCP > KMS > Key Ring > Discovery
Policy Types
- GCP > KMS > API Enabled
- GCP > KMS > Approved Regions [Default]
- GCP > KMS > CMDB
- GCP > KMS > Crypto Key > Approved
- GCP > KMS > Crypto Key > Approved > Regions
- GCP > KMS > Crypto Key > Approved > Usage
- GCP > KMS > Crypto Key > CMDB
- GCP > KMS > Crypto Key > Labels
- GCP > KMS > Crypto Key > Labels > Template
- GCP > KMS > Crypto Key > Regions
- GCP > KMS > Enabled
- GCP > KMS > Key Ring > CMDB
- GCP > KMS > Key Ring > Regions
- GCP > KMS > Labels Template [Default]
- GCP > KMS > Permissions
- GCP > KMS > Permissions > Levels
- GCP > KMS > Permissions > Levels > Modifiers
- GCP > KMS > Regions [Default]
- GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-kms
- GCP > Turbot > Permissions > Compiled > Levels > @turbot/gcp-kms
- GCP > Turbot > Permissions > Compiled > Service Permissions > @turbot/gcp-kms
Action Types
- GCP > KMS > Crypto Key > Router
- GCP > KMS > Crypto Key > Set Labels
- GCP > KMS > Key Ring > Router
- GCP > KMS > Set API Enabled