Policy types for @turbot/gcp-network
- GCP > Network > API Enabled
- GCP > Network > Address > Active
- GCP > Network > Address > Active > Age
- GCP > Network > Address > Active > Last Modified
- GCP > Network > Address > Active > Status
- GCP > Network > Address > Approved
- GCP > Network > Address > Approved > Custom
- GCP > Network > Address > Approved > Network Tier
- GCP > Network > Address > Approved > Regions
- GCP > Network > Address > Approved > Usage
- GCP > Network > Address > CMDB
- GCP > Network > Address > Configured
- GCP > Network > Address > Configured > Precedence
- GCP > Network > Address > Configured > Source
- GCP > Network > Address > Regions
- GCP > Network > Address > Usage
- GCP > Network > Address > Usage > Limit
- GCP > Network > Approved Regions [Default]
- GCP > Network > Backend Bucket > Active
- GCP > Network > Backend Bucket > Active > Age
- GCP > Network > Backend Bucket > Active > Last Modified
- GCP > Network > Backend Bucket > Approved
- GCP > Network > Backend Bucket > Approved > Custom
- GCP > Network > Backend Bucket > Approved > Usage
- GCP > Network > Backend Bucket > CMDB
- GCP > Network > Backend Bucket > Configured
- GCP > Network > Backend Bucket > Configured > Precedence
- GCP > Network > Backend Bucket > Configured > Source
- GCP > Network > Backend Bucket > Usage
- GCP > Network > Backend Bucket > Usage > Limit
- GCP > Network > Backend Service > Active
- GCP > Network > Backend Service > Active > Age
- GCP > Network > Backend Service > Active > Last Modified
- GCP > Network > Backend Service > Approved
- GCP > Network > Backend Service > Approved > Custom
- GCP > Network > Backend Service > Approved > Usage
- GCP > Network > Backend Service > CMDB
- GCP > Network > Backend Service > Configured
- GCP > Network > Backend Service > Configured > Precedence
- GCP > Network > Backend Service > Configured > Source
- GCP > Network > Backend Service > Logging
- GCP > Network > Backend Service > Logging > Sample Rate
- GCP > Network > Backend Service > Usage
- GCP > Network > Backend Service > Usage > Limit
- GCP > Network > CMDB
- GCP > Network > Enabled
- GCP > Network > Firewall > Active
- GCP > Network > Firewall > Active > Age
- GCP > Network > Firewall > Active > Last Modified
- GCP > Network > Firewall > Approved
- GCP > Network > Firewall > Approved > Custom
- GCP > Network > Firewall > Approved > Usage
- GCP > Network > Firewall > CMDB
- GCP > Network > Firewall > Configured
- GCP > Network > Firewall > Configured > Precedence
- GCP > Network > Firewall > Configured > Source
- GCP > Network > Firewall > Ingress Rules
- GCP > Network > Firewall > Ingress Rules > Approved
- GCP > Network > Firewall > Ingress Rules > Approved > Rules
- GCP > Network > Firewall > Logging
- GCP > Network > Firewall > Usage
- GCP > Network > Firewall > Usage > Limit
- GCP > Network > Forwarding Rule > Active
- GCP > Network > Forwarding Rule > Active > Age
- GCP > Network > Forwarding Rule > Active > Last Modified
- GCP > Network > Forwarding Rule > Approved
- GCP > Network > Forwarding Rule > Approved > Custom
- GCP > Network > Forwarding Rule > Approved > Regions
- GCP > Network > Forwarding Rule > Approved > Usage
- GCP > Network > Forwarding Rule > CMDB
- GCP > Network > Forwarding Rule > Labels
- GCP > Network > Forwarding Rule > Labels > Template
- GCP > Network > Forwarding Rule > Regions
- GCP > Network > Forwarding Rule > Usage
- GCP > Network > Forwarding Rule > Usage > Limit
- GCP > Network > Global Address > Active
- GCP > Network > Global Address > Active > Age
- GCP > Network > Global Address > Active > Last Modified
- GCP > Network > Global Address > Approved
- GCP > Network > Global Address > Approved > Custom
- GCP > Network > Global Address > Approved > Usage
- GCP > Network > Global Address > CMDB
- GCP > Network > Global Address > Usage
- GCP > Network > Global Address > Usage > Limit
- GCP > Network > Global Forwarding Rule > Active
- GCP > Network > Global Forwarding Rule > Active > Age
- GCP > Network > Global Forwarding Rule > Active > Last Modified
- GCP > Network > Global Forwarding Rule > Approved
- GCP > Network > Global Forwarding Rule > Approved > Custom
- GCP > Network > Global Forwarding Rule > Approved > Usage
- GCP > Network > Global Forwarding Rule > CMDB
- GCP > Network > Global Forwarding Rule > Labels
- GCP > Network > Global Forwarding Rule > Labels > Template
- GCP > Network > Global Forwarding Rule > Usage
- GCP > Network > Global Forwarding Rule > Usage > Limit
- GCP > Network > Interconnect > Active
- GCP > Network > Interconnect > Active > Age
- GCP > Network > Interconnect > Active > Last Modified
- GCP > Network > Interconnect > Approved
- GCP > Network > Interconnect > Approved > Custom
- GCP > Network > Interconnect > Approved > Usage
- GCP > Network > Interconnect > CMDB
- GCP > Network > Interconnect > Usage
- GCP > Network > Interconnect > Usage > Limit
- GCP > Network > Labels Template [Default]
- GCP > Network > Network > Active
- GCP > Network > Network > Active > Age
- GCP > Network > Network > Active > Last Modified
- GCP > Network > Network > Approved
- GCP > Network > Network > Approved > Custom
- GCP > Network > Network > Approved > Usage
- GCP > Network > Network > CMDB
- GCP > Network > Network > Configured
- GCP > Network > Network > Configured > Precedence
- GCP > Network > Network > Configured > Source
- GCP > Network > Network > Trusted Domains [Default]
- GCP > Network > Network > Trusted Groups [Default]
- GCP > Network > Network > Trusted Projects [Default]
- GCP > Network > Network > Trusted Service Accounts [Default]
- GCP > Network > Network > Trusted Users [Default]
- GCP > Network > Network > Usage
- GCP > Network > Network > Usage > Limit
- GCP > Network > Packet Mirroring > Active
- GCP > Network > Packet Mirroring > Active > Age
- GCP > Network > Packet Mirroring > Active > Last Modified
- GCP > Network > Packet Mirroring > Approved
- GCP > Network > Packet Mirroring > Approved > Custom
- GCP > Network > Packet Mirroring > Approved > Regions
- GCP > Network > Packet Mirroring > Approved > Usage
- GCP > Network > Packet Mirroring > CMDB
- GCP > Network > Packet Mirroring > Regions
- GCP > Network > Packet Mirroring > Usage
- GCP > Network > Packet Mirroring > Usage > Limit
- GCP > Network > Permissions
- GCP > Network > Permissions > Levels
- GCP > Network > Permissions > Levels > Address Administration
- GCP > Network > Permissions > Levels > Firewall Administration
- GCP > Network > Permissions > Levels > Forwarding Rules Administration
- GCP > Network > Permissions > Levels > Global Addresses Administration
- GCP > Network > Permissions > Levels > Global Forwarding Rules Administration
- GCP > Network > Permissions > Levels > HTTP Load Balancer Administration
- GCP > Network > Permissions > Levels > Modifiers
- GCP > Network > Permissions > Levels > Network Administration
- GCP > Network > Permissions > Levels > Route Administration
- GCP > Network > Permissions > Levels > Router Administration
- GCP > Network > Permissions > Levels > Subnetwork Administration
- GCP > Network > Permissions > Levels > VPN Gateway Administration
- GCP > Network > Permissions > Levels > VPN Tunnel Administration
- GCP > Network > Region Backend Service > Active
- GCP > Network > Region Backend Service > Active > Age
- GCP > Network > Region Backend Service > Active > Last Modified
- GCP > Network > Region Backend Service > Approved
- GCP > Network > Region Backend Service > Approved > Custom
- GCP > Network > Region Backend Service > Approved > Regions
- GCP > Network > Region Backend Service > Approved > Usage
- GCP > Network > Region Backend Service > CMDB
- GCP > Network > Region Backend Service > Configured
- GCP > Network > Region Backend Service > Configured > Precedence
- GCP > Network > Region Backend Service > Configured > Source
- GCP > Network > Region Backend Service > Logging
- GCP > Network > Region Backend Service > Logging > Sample Rate
- GCP > Network > Region Backend Service > Regions
- GCP > Network > Region Backend Service > Usage
- GCP > Network > Region Backend Service > Usage > Limit
- GCP > Network > Region SSL Certificate > Active
- GCP > Network > Region SSL Certificate > Active > Age
- GCP > Network > Region SSL Certificate > Active > Last Modified
- GCP > Network > Region SSL Certificate > Approved
- GCP > Network > Region SSL Certificate > Approved > Custom
- GCP > Network > Region SSL Certificate > Approved > Regions
- GCP > Network > Region SSL Certificate > Approved > Usage
- GCP > Network > Region SSL Certificate > CMDB
- GCP > Network > Region SSL Certificate > Regions
- GCP > Network > Region SSL Certificate > Usage
- GCP > Network > Region SSL Certificate > Usage > Limit
- GCP > Network > Region Target HTTPS Proxy > Active
- GCP > Network > Region Target HTTPS Proxy > Active > Age
- GCP > Network > Region Target HTTPS Proxy > Active > Last Modified
- GCP > Network > Region Target HTTPS Proxy > Approved
- GCP > Network > Region Target HTTPS Proxy > Approved > Custom
- GCP > Network > Region Target HTTPS Proxy > Approved > Regions
- GCP > Network > Region Target HTTPS Proxy > Approved > Usage
- GCP > Network > Region Target HTTPS Proxy > CMDB
- GCP > Network > Region Target HTTPS Proxy > Regions
- GCP > Network > Region Target HTTPS Proxy > SSL Policy
- GCP > Network > Region Target HTTPS Proxy > SSL Policy > Allowed
- GCP > Network > Region Target HTTPS Proxy > Usage
- GCP > Network > Region Target HTTPS Proxy > Usage > Limit
- GCP > Network > Region URL Map > Active
- GCP > Network > Region URL Map > Active > Age
- GCP > Network > Region URL Map > Active > Last Modified
- GCP > Network > Region URL Map > Approved
- GCP > Network > Region URL Map > Approved > Custom
- GCP > Network > Region URL Map > Approved > Regions
- GCP > Network > Region URL Map > Approved > Usage
- GCP > Network > Region URL Map > CMDB
- GCP > Network > Region URL Map > Regions
- GCP > Network > Region URL Map > Usage
- GCP > Network > Region URL Map > Usage > Limit
- GCP > Network > Regions
- GCP > Network > Route > Active
- GCP > Network > Route > Active > Age
- GCP > Network > Route > Active > Last Modified
- GCP > Network > Route > Approved
- GCP > Network > Route > Approved > Custom
- GCP > Network > Route > Approved > Usage
- GCP > Network > Route > CMDB
- GCP > Network > Route > Configured
- GCP > Network > Route > Configured > Precedence
- GCP > Network > Route > Configured > Source
- GCP > Network > Route > Regions
- GCP > Network > Route > Usage
- GCP > Network > Route > Usage > Limit
- GCP > Network > Router > Active
- GCP > Network > Router > Active > Age
- GCP > Network > Router > Active > Last Modified
- GCP > Network > Router > Approved
- GCP > Network > Router > Approved > Custom
- GCP > Network > Router > Approved > Regions
- GCP > Network > Router > Approved > Usage
- GCP > Network > Router > CMDB
- GCP > Network > Router > Configured
- GCP > Network > Router > Configured > Precedence
- GCP > Network > Router > Configured > Source
- GCP > Network > Router > Regions
- GCP > Network > Router > Usage
- GCP > Network > Router > Usage > Limit
- GCP > Network > SSL Certificate > Active
- GCP > Network > SSL Certificate > Active > Age
- GCP > Network > SSL Certificate > Active > Last Modified
- GCP > Network > SSL Certificate > Approved
- GCP > Network > SSL Certificate > Approved > Custom
- GCP > Network > SSL Certificate > Approved > Usage
- GCP > Network > SSL Certificate > CMDB
- GCP > Network > SSL Certificate > Usage
- GCP > Network > SSL Certificate > Usage > Limit
- GCP > Network > SSL Policy > Active
- GCP > Network > SSL Policy > Active > Age
- GCP > Network > SSL Policy > Active > Last Modified
- GCP > Network > SSL Policy > Approved
- GCP > Network > SSL Policy > Approved > Custom
- GCP > Network > SSL Policy > Approved > Usage
- GCP > Network > SSL Policy > CMDB
- GCP > Network > SSL Policy > Minimum TLS Version
- GCP > Network > SSL Policy > Profile
- GCP > Network > SSL Policy > Usage
- GCP > Network > SSL Policy > Usage > Limit
- GCP > Network > Subnetwork > Active
- GCP > Network > Subnetwork > Active > Age
- GCP > Network > Subnetwork > Active > Last Modified
- GCP > Network > Subnetwork > Approved
- GCP > Network > Subnetwork > Approved > Custom
- GCP > Network > Subnetwork > Approved > Regions
- GCP > Network > Subnetwork > Approved > Usage
- GCP > Network > Subnetwork > CMDB
- GCP > Network > Subnetwork > Configured
- GCP > Network > Subnetwork > Configured > Precedence
- GCP > Network > Subnetwork > Configured > Source
- GCP > Network > Subnetwork > Policy
- GCP > Network > Subnetwork > Policy > Trusted Access
- GCP > Network > Subnetwork > Policy > Trusted Access > Domains
- GCP > Network > Subnetwork > Policy > Trusted Access > Groups
- GCP > Network > Subnetwork > Policy > Trusted Access > Projects
- GCP > Network > Subnetwork > Policy > Trusted Access > Service Accounts
- GCP > Network > Subnetwork > Policy > Trusted Access > Users
- GCP > Network > Subnetwork > Regions
- GCP > Network > Subnetwork > Usage
- GCP > Network > Subnetwork > Usage > Limit
- GCP > Network > Target HTTPS Proxy > Active
- GCP > Network > Target HTTPS Proxy > Active > Age
- GCP > Network > Target HTTPS Proxy > Active > Last Modified
- GCP > Network > Target HTTPS Proxy > Approved
- GCP > Network > Target HTTPS Proxy > Approved > Custom
- GCP > Network > Target HTTPS Proxy > Approved > Usage
- GCP > Network > Target HTTPS Proxy > CMDB
- GCP > Network > Target HTTPS Proxy > SSL Policy
- GCP > Network > Target HTTPS Proxy > SSL Policy > Allowed
- GCP > Network > Target HTTPS Proxy > SSL Policy > Default
- GCP > Network > Target HTTPS Proxy > Usage
- GCP > Network > Target HTTPS Proxy > Usage > Limit
- GCP > Network > Target Pool > Active
- GCP > Network > Target Pool > Active > Age
- GCP > Network > Target Pool > Active > Last Modified
- GCP > Network > Target Pool > Approved
- GCP > Network > Target Pool > Approved > Custom
- GCP > Network > Target Pool > Approved > Regions
- GCP > Network > Target Pool > Approved > Usage
- GCP > Network > Target Pool > CMDB
- GCP > Network > Target Pool > Regions
- GCP > Network > Target Pool > Usage
- GCP > Network > Target Pool > Usage > Limit
- GCP > Network > Target SSL Proxy > Active
- GCP > Network > Target SSL Proxy > Active > Age
- GCP > Network > Target SSL Proxy > Active > Last Modified
- GCP > Network > Target SSL Proxy > Approved
- GCP > Network > Target SSL Proxy > Approved > Custom
- GCP > Network > Target SSL Proxy > Approved > Usage
- GCP > Network > Target SSL Proxy > CMDB
- GCP > Network > Target SSL Proxy > SSL Policy
- GCP > Network > Target SSL Proxy > SSL Policy > Allowed
- GCP > Network > Target SSL Proxy > SSL Policy > Default
- GCP > Network > Target SSL Proxy > Usage
- GCP > Network > Target SSL Proxy > Usage > Limit
- GCP > Network > Target TCP Proxy > Active
- GCP > Network > Target TCP Proxy > Active > Age
- GCP > Network > Target TCP Proxy > Active > Last Modified
- GCP > Network > Target TCP Proxy > Approved
- GCP > Network > Target TCP Proxy > Approved > Custom
- GCP > Network > Target TCP Proxy > Approved > Usage
- GCP > Network > Target TCP Proxy > CMDB
- GCP > Network > Target TCP Proxy > Usage
- GCP > Network > Target TCP Proxy > Usage > Limit
- GCP > Network > Target VPN Gateway > Active
- GCP > Network > Target VPN Gateway > Active > Age
- GCP > Network > Target VPN Gateway > Active > Last Modified
- GCP > Network > Target VPN Gateway > Approved
- GCP > Network > Target VPN Gateway > Approved > Custom
- GCP > Network > Target VPN Gateway > Approved > Regions
- GCP > Network > Target VPN Gateway > Approved > Usage
- GCP > Network > Target VPN Gateway > CMDB
- GCP > Network > Target VPN Gateway > Configured
- GCP > Network > Target VPN Gateway > Configured > Precedence
- GCP > Network > Target VPN Gateway > Configured > Source
- GCP > Network > Target VPN Gateway > Regions
- GCP > Network > Target VPN Gateway > Usage
- GCP > Network > Target VPN Gateway > Usage > Limit
- GCP > Network > URL Map > Active
- GCP > Network > URL Map > Active > Age
- GCP > Network > URL Map > Active > Last Modified
- GCP > Network > URL Map > Approved
- GCP > Network > URL Map > Approved > Custom
- GCP > Network > URL Map > Approved > Usage
- GCP > Network > URL Map > CMDB
- GCP > Network > URL Map > Usage
- GCP > Network > URL Map > Usage > Limit
- GCP > Network > VPN Tunnel > Active
- GCP > Network > VPN Tunnel > Active > Age
- GCP > Network > VPN Tunnel > Active > Last Modified
- GCP > Network > VPN Tunnel > Approved
- GCP > Network > VPN Tunnel > Approved > Custom
- GCP > Network > VPN Tunnel > Approved > Regions
- GCP > Network > VPN Tunnel > Approved > Usage
- GCP > Network > VPN Tunnel > CMDB
- GCP > Network > VPN Tunnel > Configured
- GCP > Network > VPN Tunnel > Configured > Precedence
- GCP > Network > VPN Tunnel > Configured > Source
- GCP > Network > VPN Tunnel > Labels
- GCP > Network > VPN Tunnel > Labels > Template
- GCP > Network > VPN Tunnel > Regions
- GCP > Network > VPN Tunnel > Usage
- GCP > Network > VPN Tunnel > Usage > Limit
- GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-network
- GCP > Turbot > Permissions > Compiled > Levels > @turbot/gcp-network
- GCP > Turbot > Permissions > Compiled > Service Permissions > @turbot/gcp-network
GCP > Network > API Enabled
Configure whether the GCP Network API is enabled.
tmod:@turbot/gcp-network#/policy/types/networkServiceApiEnabled
[ "Skip", "Check: Disabled", "Check: Enabled", "Check: Enabled if Network > Enabled", "Enforce: Disabled", "Enforce: Enabled", "Enforce: Enabled if Network > Enabled"]
{ "type": "string", "enum": [ "Skip", "Check: Disabled", "Check: Enabled", "Check: Enabled if Network > Enabled", "Enforce: Disabled", "Enforce: Enabled", "Enforce: Enabled if Network > Enabled" ], "default": "Skip"}
GCP > Network > Address > Active
Determine the action to take when a GCP Network address is not active, based on the GCP > Network > Address > Active > * policies.
The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > Address > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/addressActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > Address > Active > Age
The age after which the GCP Network address is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > Address > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/addressActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > Address > Active > Last Modified
The number of days since the GCP Network address was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > Address > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
tmod:@turbot/gcp-network#/policy/types/addressActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > Address > Active > Status
This policy allows you to choose which status determines whether the GCP Network address is active.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > Address > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/addressActiveStatus
[ "Skip", "Active if $.status is in_use", "Force active if $.status is in_use"]
{ "type": "string", "enum": [ "Skip", "Active if $.status is in_use", "Force active if $.status is in_use" ], "example": [ "Skip" ], "default": "Skip"}
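The three Active > * sub-policies above (Age, Last Modified and Status) and the combining rule they feed, "active for any reason counts as Active" versus Approved's "unapproved for any reason counts as Unapproved", can be modelled in a few lines. The JavaScript below is an added example and is not Guardrails' own code; every function name, the sample address and policy values, and the evaluation rules (Force verdicts outrank plain ones, Force active outranks Force inactive, and a sub-policy whose condition is not met contributes skipped) are assumptions made here, not something the page states.

```javascript
// Added example, not Guardrails' own code: a model of how the
// GCP > Network > Address > Active > * sub-policies (Age, Last Modified, Status)
// are evaluated and combined, next to the opposite rule used by Approved.
// Assumptions made here: "Force ..." verdicts outrank plain ones, "Force active"
// outranks "Force inactive", and a sub-policy whose condition is not met
// contributes "skipped" (e.g. Age while the resource is still under its threshold).

const DAY_MS = 24 * 60 * 60 * 1000;

// Pull the day count out of a value such as "Force inactive if age > 90 days".
function daysIn(policyValue) {
  const m = /(\d+) days?$/.exec(policyValue);
  if (!m) throw new Error(`no day count in policy value: ${policyValue}`);
  return Number(m[1]);
}

// Active > Age: "Skip" | "Force inactive if age > N days".
// As the page states, the discovery time stands in when no create time is known.
function evaluateAge(policyValue, resource, now) {
  if (policyValue === "Skip") return "skipped";
  const start = resource.createTime ?? resource.discoveredTime;
  const ageDays = (now - start) / DAY_MS;
  return ageDays > daysIn(policyValue) ? "force inactive" : "skipped";
}

// Active > Last Modified: "Skip" | "Active if last modified <= N days"
// | "Force active if last modified <= N days".
function evaluateLastModified(policyValue, resource, now) {
  if (policyValue === "Skip") return "skipped";
  const recent = (now - resource.lastModified) / DAY_MS <= daysIn(policyValue);
  if (policyValue.startsWith("Force active")) return recent ? "force active" : "skipped";
  return recent ? "active" : "inactive";
}

// Active > Status: "Skip" | "Active if $.status is in_use" | "Force active if $.status is in_use".
function evaluateStatus(policyValue, resource) {
  if (policyValue === "Skip") return "skipped";
  const inUse = String(resource.status).toLowerCase() === "in_use";
  if (policyValue.startsWith("Force active")) return inUse ? "force active" : "skipped";
  return inUse ? "active" : "inactive";
}

// Active: the strongest verdict wins; among plain verdicts, "active for any
// reason" beats "inactive", which is the rule the page gives.
const ACTIVE_RANK = { "force active": 4, "force inactive": 3, active: 2, inactive: 1, skipped: 0 };
function aggregateActive(verdicts) {
  const top = verdicts.reduce((a, b) => (ACTIVE_RANK[b] > ACTIVE_RANK[a] ? b : a), "skipped");
  return top.replace("force ", "");
}

// Approved: the opposite rule, "unapproved for any reason" wins.
function aggregateApproved(results) {
  if (results.includes("Not approved")) return "Not approved";
  return results.includes("Approved") ? "Approved" : "Skip";
}

// Evaluate all three sub-policies for one address and combine them.
function addressActiveStatus(policies, resource, now) {
  const verdicts = [
    evaluateAge(policies.age, resource, now),
    evaluateLastModified(policies.lastModified, resource, now),
    evaluateStatus(policies.status, resource),
  ];
  return { verdicts, status: aggregateActive(verdicts) };
}

// Constructed sample: a reserved (unused) address created 120 days ago and
// last modified 100 days ago, checked against constructed policy values.
const NOW = Date.UTC(2024, 0, 1);
const sampleAddress = {
  createTime: NOW - 120 * DAY_MS,
  lastModified: NOW - 100 * DAY_MS,
  status: "RESERVED",
};
const samplePolicies = {
  age: "Force inactive if age > 90 days",
  lastModified: "Active if last modified <= 90 days",
  status: "Active if $.status is in_use",
};

console.log(addressActiveStatus(samplePolicies, sampleAddress, NOW));
// { verdicts: [ 'force inactive', 'inactive', 'inactive' ], status: 'inactive' }
```

With the sample address switched to IN_USE and the Age policy set to Skip, the Status verdict alone makes the address active; with Age left at its 90-day threshold the force inactive verdict wins instead, which is the difference between choosing a plain value and a Force value in these policies.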
GCP > Network > Address > Approved
Determine the action to take when a GCP Network address is not approved, based on the GCP > Network > Address > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement action for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/addressApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > Address > Approved > Custom
Determine whether the GCP Network address is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network address is not approved, it will be subject to the action specified in the GCP > Network > Address > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/gcp-network#/policy/types/addressApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
GCP > Network > Address > Approved > Network Tier
Determine whether the GCP Network address is allowed to have a Network Tier enabled.
This policy will be evaluated by the Approved control. If a GCP Network address is not approved, it will be subject to the action specified in the GCP > Network > Address > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/addressApprovedNetworkTier
[ "Skip", "Approved if enabled", "Approved if disabled"]
{ "type": "string", "enum": [ "Skip", "Approved if enabled", "Approved if disabled" ], "example": [ "Approved if enabled" ], "default": "Skip"}
GCP > Network > Address > Approved > Regions
A list of GCP regions in which GCP Network addresses are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If a GCP Network address is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > Address > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/addressApprovedRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
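Two of the Approved > * sub-policies carry structure worth checking before a value is set: Approved > Custom accepts a bare result string, one object or an array of objects with a required result and optional title (1-32 characters) and message (1-128 characters) and nothing else, and Approved > Regions accepts region names with '*' and '?' wildcards. The JavaScript below is an added example and is not Guardrails' own code: it validates a parsed Custom value against the constraints in the schema above and matches a region against a pattern list. The function names, the sample values and the reading of '*' as any run of characters and '?' as exactly one character are assumptions made here.

```javascript
// Added example, not Guardrails' own code: normalise a
// GCP > Network > Address > Approved > Custom policy value into the list of
// {title, result, message} entries the schema above allows, and evaluate an
// address's region against an Approved > Regions list using the '*' and '?'
// wildcards the page describes. The value is taken after YAML/JSON parsing.

const RESULT_PATTERN = /^(Approved|Not approved|Skip)$/;
const ALLOWED_KEYS = ["title", "result", "message"];

// Check one object entry against the schema: "result" is required, "title" is
// 1-32 characters, "message" is 1-128 characters, nothing else is allowed.
function checkEntry(item, i) {
  if (item === null || typeof item !== "object" || Array.isArray(item)) {
    throw new Error(`entry ${i} is not an object`);
  }
  const extra = Object.keys(item).filter((k) => !ALLOWED_KEYS.includes(k));
  if (extra.length) throw new Error(`entry ${i} has unknown keys: ${extra.join(", ")}`);
  if (typeof item.result !== "string" || !RESULT_PATTERN.test(item.result)) {
    throw new Error(`entry ${i} has an invalid result: ${item.result}`);
  }
  const lengthOk = (s, max) => typeof s === "string" && s.length >= 1 && s.length <= max;
  if (item.title !== undefined && !lengthOk(item.title, 32)) {
    throw new Error(`entry ${i}: title must be 1-32 characters`);
  }
  if (item.message !== undefined && !lengthOk(item.message, 128)) {
    throw new Error(`entry ${i}: message must be 1-128 characters`);
  }
  return { ...item };
}

// A bare result string, a single object, or an array of objects all become an array of entries.
function normaliseCustomValue(value) {
  if (typeof value === "string") {
    if (!RESULT_PATTERN.test(value)) throw new Error(`invalid result string: ${value}`);
    return [{ result: value }];
  }
  return (Array.isArray(value) ? value : [value]).map(checkEntry);
}

// Turn a region pattern such as "us-*" or "europe-west?" into an anchored RegExp:
// '*' matches any run of characters, '?' exactly one, everything else literally.
function regionPatternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`);
}

// Approved > Regions: "Approved" when the region matches any listed pattern,
// otherwise "Not approved" (so an empty list approves nothing).
function evaluateApprovedRegions(approvedRegions, region) {
  const matched = approvedRegions.some((p) => regionPatternToRegExp(p).test(region));
  return matched ? "Approved" : "Not approved";
}

// Constructed sample values.
const sampleCustom = [
  { title: "Owner label", result: "Not approved", message: "address has no owner label" },
  { title: "Naming", result: "Approved" },
];
const sampleRegions = ["us-*", "europe-west?"];

console.log(normaliseCustomValue(sampleCustom).map((e) => e.result)); // [ 'Not approved', 'Approved' ]
console.log(evaluateApprovedRegions(sampleRegions, "us-central1"));   // Approved
console.log(evaluateApprovedRegions(sampleRegions, "europe-west10")); // Not approved
```

Note that the page's template renders an empty default region list as `[]`, which under this matcher approves no region at all; a pattern list should therefore be set explicitly rather than left empty when the Approved control is switched from Skip to Check or Enforce.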
GCP > Network > Address > Approved > Usage
Determine whether the GCP Network address is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network address is not approved, it will be subject to the action specified in the GCP > Network > Address > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/addressApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > Address > CMDB
Configure whether to record and synchronize details for the GCP Network address into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip, all changes to the CMDB are paused: no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Address > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/gcp-network#/policy/types/addressCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Compute Engine API is enabled"}
GCP > Network > Address > Configured
Determine how to configure this resource. Note that if the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherited from the stack that owns it.
tmod:@turbot/gcp-network#/policy/types/addressConfigured
[ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source"]
{ "enum": [ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source" ], "default": "Enforce: Configured if using Configured > Source"}
GCP > Network > Address > Configured > Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
By default, all resources are configured to use the precedence defined here, though they can override their Claim Precedence.
tmod:@turbot/gcp-network#/policy/types/addressConfiguredPrecedence
{ "type": "array", "items": { "type": "string" }, "default": [ "**" ]}
GCP > Network > Address > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/gcp-network#/policy/types/addressConfiguredSource
{ "type": "string", "default": "{\"resource\": {}}\n", "x-schema-form": { "type": "code", "language": "hcl" }}
GCP > Network > Address > Regions
A list of GCP regions in which GCP Network addresses are supported for use.
Any addresses in a region not listed here will not be recorded in the CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/gcp-network#/policy/types/addressRegions
{
  regions: policyValue(uri:"tmod:@turbot/gcp-network#/policy/types/networkServiceRegionsDefault") {
    value
  }
}
{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'
{% endfor %}
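The Regions policies above take a list of region names in which only '*' and '?' are wildcards, and the CMDB control drops a resource whose region matches none of them. The following is an added example, not code from Guardrails or the gcp-network mod: it translates each policy entry into an anchored regular expression (deliberately not using fnmatch, which would also honour '[...]' classes the policy does not promise) and applies the CMDB keep/delete rule to a constructed list of resources. The resource dictionaries and region list are sample data invented for the example.

```python
"""Added example: match regions against a Guardrails-style Regions policy.

Not part of the Guardrails documentation or the gcp-network mod; the helper
names and the sample data below are this example's own.
"""
import re
from typing import Dict, Iterable, List


def region_pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate one Regions entry into an anchored regex.

    The policy text promises exactly two wildcards: '*' (any run of
    characters, including none) and '?' (exactly one character). Every
    other character is matched literally, so a stray '[' or '.' in an
    entry cannot widen the match.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def region_allowed(region: str, regions_policy: Iterable[str]) -> bool:
    """True if the region matches at least one entry of the Regions policy.

    An empty policy list matches nothing, which is consistent with the
    page's template rendering an empty value as [].
    """
    return any(region_pattern_to_regex(p).match(region) for p in regions_policy)


def cmdb_decisions(resources: List[Dict[str, str]],
                   regions_policy: Iterable[str]) -> Dict[str, str]:
    """Apply the CMDB control's region rule from the policy text.

    A resource whose region is not in the Regions policy is deleted from the
    CMDB; every other resource is kept (recorded and synchronized).
    Returns {resource name: "keep" | "delete"}.
    """
    return {
        r["name"]: "keep" if region_allowed(r["region"], regions_policy) else "delete"
        for r in resources
    }


# Constructed sample data (not taken from the page).
SAMPLE_REGIONS_POLICY = ["us-central1", "europe-west*", "asia-east?"]
SAMPLE_RESOURCES = [
    {"name": "addr-a", "region": "us-central1"},
    {"name": "addr-b", "region": "europe-west4"},
    {"name": "addr-c", "region": "asia-east1"},
    {"name": "addr-d", "region": "asia-east12"},  # '?' matches exactly one character
    {"name": "addr-e", "region": "us-east1"},
]

if __name__ == "__main__":
    for name, decision in cmdb_decisions(SAMPLE_RESOURCES, SAMPLE_REGIONS_POLICY).items():
        print(f"{name}: {decision}")
```

Run as a script it prints one keep/delete line per sample resource; `addr-d` is deleted because `asia-east?` matches only a single trailing character, and `addr-e` because no entry covers `us-east1`.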
GCP > Network > Address > Usage
Configure the number of GCP Network addresses that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > Address > Usage policy.
tmod:@turbot/gcp-network#/policy/types/addressUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > Address > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/gcp-network#/policy/types/addressUsageLimit
{ "type": "integer", "minimum": 0, "default": 200}
GCP > Network > Approved Regions [Default]
A list of GCP regions in which GCP Network resources are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy is the default value for all GCP Network resources' Approved > Regions policies.
tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault
{
  regions: policyValue(uri:"tmod:@turbot/gcp#/policy/types/approvedRegionsDefault") {
    value
  }
}
{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'
{% endfor %}
GCP > Network > Backend Bucket > Active
Determine the action to take for a GCP Network backend bucket based on the GCP > Network > Backend Bucket > Active > * policies.
The control determines whether the resource is in active use and, if not, has the ability to delete or clean up the resource. When running an automated compliance environment, it is common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > Backend Bucket > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/backendBucketActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > Backend Bucket > Active > Age
The age after which the GCP Network backend bucket is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use and, if not, has the ability to delete or clean up the resource. When running an automated compliance environment, it is common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > Backend Bucket > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/backendBucketActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > Backend Bucket > Active > Last Modified
The number of days since the GCP Network backend bucket was last modified before it is considered inactive.
The Active control determines whether the resource is in active use and, if not, has the ability to delete or clean up the resource. When running an automated compliance environment, it is common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > Backend Bucket > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
tmod:@turbot/gcp-network#/policy/types/backendBucketActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > Backend Bucket > Approved
Determine the action to take when a GCP Network backend bucket is not approved based on the GCP > Network > Backend Bucket > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/backendBucketApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > Backend Bucket > Approved > Custom
Determine whether the GCP Network backend bucket is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network backend bucket is not approved, it will be subject to the action specified in the GCP > Network > Backend Bucket > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/gcp-network#/policy/types/backendBucketApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
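The schema above spells out the three accepted shapes of an Approved > Custom value (a bare string, one object with a required result key, or a list of such objects, with title limited to 32 and message to 128 characters), and the Approved and Active descriptions on this page state how sub-policy results combine: any "not approved" makes the resource Unapproved, whereas any "active" makes it Active. The block below is an added example, not code from Guardrails or the gcp-network mod, that validates a custom value against those schema constraints and then reduces it to a single result under each rule. It works on already-parsed values (what a YAML or JSON loader returns) and uses the JSON form of a YAML list so that it runs without extra packages; the ordering of Approved over Skip when nothing is "Not approved", and of skipped when no Active sub-policy reports anything, are assumptions of this example that the page does not state. Function names and the sample value are this example's own.

```python
"""Added example: validate and reduce a Guardrails Approved > Custom value.

Not part of the Guardrails documentation or the gcp-network mod. Patterns are
copied from the policy schema on the page; the tie-break rules marked as
assumptions are this example's own.
"""
import json
import re
from typing import Any, List, Tuple

# Patterns from the schema's "anyOf" branches.
RESULT_RE = re.compile(r"^(Approved|Not approved|Skip)$")
TITLE_RE = re.compile(r"^[\W\w]{1,32}$")     # title: 1..32 characters
MESSAGE_RE = re.compile(r"^[\W\w]{1,128}$")  # message: 1..128 characters
ALLOWED_KEYS = {"title", "message", "result"}  # additionalProperties: false


def validate_object(obj: dict) -> Tuple[bool, str]:
    """Check one YAML/JSON object against the schema's object branch."""
    extra = set(obj) - ALLOWED_KEYS
    if extra:
        return False, f"unexpected keys: {sorted(extra)}"
    if "result" not in obj:
        return False, "missing required key 'result'"
    if not isinstance(obj["result"], str) or not RESULT_RE.fullmatch(obj["result"]):
        return False, f"bad result: {obj['result']!r}"
    if "title" in obj and not (isinstance(obj["title"], str) and TITLE_RE.fullmatch(obj["title"])):
        return False, "title must be a string of 1-32 characters"
    if "message" in obj and not (isinstance(obj["message"], str) and MESSAGE_RE.fullmatch(obj["message"])):
        return False, "message must be a string of 1-128 characters"
    return True, "ok"


def validate_custom_value(value: Any) -> Tuple[bool, str]:
    """Accept the three shapes of the schema's anyOf: string, object, list of objects."""
    if isinstance(value, str):
        return (True, "ok") if RESULT_RE.fullmatch(value) else (False, f"bad string {value!r}")
    if isinstance(value, dict):
        return validate_object(value)
    if isinstance(value, list):
        for i, item in enumerate(value):
            if not isinstance(item, dict):
                return False, f"item {i} is not an object"
            ok, why = validate_object(item)
            if not ok:
                return False, f"item {i}: {why}"
        return True, "ok"
    return False, f"unsupported type {type(value).__name__}"


def result_strings(value: Any) -> List[str]:
    """Flatten a validated value into its list of result strings."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, dict):
        return [value["result"]]
    return [item["result"] for item in value]


def aggregate_approved(value: Any) -> str:
    """Reduce a custom value to one result the way the Approved control's text
    describes: not approved according to any entry means Not approved.
    Preferring Approved over Skip otherwise, and treating an empty list as
    Skip, are this example's assumptions."""
    ok, why = validate_custom_value(value)
    if not ok:
        raise ValueError(why)
    results = result_strings(value)
    if "Not approved" in results:
        return "Not approved"
    if "Approved" in results:
        return "Approved"
    return "Skip"


def aggregate_active(statuses: List[str]) -> str:
    """The contrasting Active rule from the page: each Active sub-policy yields
    active, inactive or skipped, and the resource is Active if any sub-policy
    says so. Returning skipped when nothing is active or inactive is an assumption."""
    if "active" in statuses:
        return "active"
    if "inactive" in statuses:
        return "inactive"
    return "skipped"


# Constructed sample value: the JSON form of a YAML list of objects (not from the page).
SAMPLE_CUSTOM_VALUE = json.loads("""
[
  {"title": "Naming", "result": "Approved", "message": "name follows the team convention"},
  {"title": "Labels", "result": "Not approved", "message": "required owner label is missing"}
]
""")

if __name__ == "__main__":
    print(validate_custom_value(SAMPLE_CUSTOM_VALUE))
    print(aggregate_approved(SAMPLE_CUSTOM_VALUE))
    print(aggregate_active(["skipped", "inactive", "active"]))
```

The same validator applies unchanged to GCP > Network > Backend Service > Approved > Custom, whose schema is identical. Note that the schema's result pattern accepts Skip inside objects as well as for the bare string, which is what the validator follows.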
GCP > Network > Backend Bucket > Approved > Usage
Determine whether the GCP Network backend bucket is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network backend bucket is not approved, it will be subject to the action specified in the GCP > Network > Backend Bucket > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/backendBucketApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > Backend Bucket > CMDB
Configure whether to record and synchronize details for the GCP Network backend bucket into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Backend Bucket > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/gcp-network#/policy/types/backendBucketCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Compute Engine API is enabled"}
GCP > Network > Backend Bucket > Configured
Determine how to configure this resource. Note that if the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherited from the stack that owns it.
tmod:@turbot/gcp-network#/policy/types/backendBucketConfigured
[ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source"]
{ "enum": [ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source" ], "default": "Enforce: Configured if using Configured > Source"}
GCP > Network > Backend Bucket > Configured > Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
By default, all resources are configured to use the precedence defined here, though they can override their Claim Precedence.
tmod:@turbot/gcp-network#/policy/types/backendBucketConfiguredPrecedence
{ "type": "array", "items": { "type": "string" }, "default": [ "**" ]}
GCP > Network > Backend Bucket > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/gcp-network#/policy/types/backendBucketConfiguredSource
{ "type": "string", "default": "{\"resource\": {}}\n", "x-schema-form": { "type": "code", "language": "hcl" }}
GCP > Network > Backend Bucket > Usage
Configure the number of GCP Network backend buckets that can be used for this project and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > Backend Bucket > Usage policy.
tmod:@turbot/gcp-network#/policy/types/backendBucketUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > Backend Bucket > Usage > Limit
Maximum number of items that can be created for this project.
tmod:@turbot/gcp-network#/policy/types/backendBucketUsageLimit
{ "type": "integer", "minimum": 0, "default": 9}
GCP > Network > Backend Service > Active
Determine the action to take for a GCP Network backend service based on the GCP > Network > Backend Service > Active > * policies.
The control determines whether the resource is in active use and, if not, has the ability to delete or clean up the resource. When running an automated compliance environment, it is common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > Backend Service > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/backendServiceActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > Backend Service > Active > Age
The age after which the GCP Network backend service is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use and, if not, has the ability to delete or clean up the resource. When running an automated compliance environment, it is common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > Backend Service > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/backendServiceActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > Backend Service > Active > Last Modified
The number of days since the GCP Network backend service was last modified before it is considered inactive.
The Active control determines whether the resource is in active use and, if not, has the ability to delete or clean up the resource. When running an automated compliance environment, it is common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > Backend Service > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
tmod:@turbot/gcp-network#/policy/types/backendServiceActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > Backend Service > Approved
Determine the action to take when a GCP Network backend service is not approved based on the GCP > Network > Backend Service > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/backendServiceApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > Backend Service > Approved > Custom
Determine whether the GCP Network backend service is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network backend service is not approved, it will be subject to the action specified in the GCP > Network > Backend Service > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/gcp-network#/policy/types/backendServiceApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
GCP > Network > Backend Service > Approved > Usage
Determine whether the GCP Network backend service is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network backend service is not approved, it will be subject to the action specified in the GCP > Network > Backend Service > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/backendServiceApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > Backend Service > CMDB
Configure whether to record and synchronize details for the GCP Network backend service into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Backend Service > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/gcp-network#/policy/types/backendServiceCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Compute Engine API is enabled"}
GCP > Network > Backend Service > Configured
Determine how to configure this resource. Note that if the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherited from the stack that owns it.
tmod:@turbot/gcp-network#/policy/types/backendServiceConfigured
[ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source"]
{ "enum": [ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source" ], "default": "Enforce: Configured if using Configured > Source"}
GCP > Network > Backend Service > Configured > Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
By default, all resources are configured to use the precedence defined here, though they can override their Claim Precedence.
tmod:@turbot/gcp-network#/policy/types/backendServiceConfiguredPrecedence
{ "type": "array", "items": { "type": "string" }, "default": [ "**" ]}
GCP > Network > Backend Service > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/gcp-network#/policy/types/backendServiceConfiguredSource
{ "type": "string", "default": "{\"resource\": {}}\n", "x-schema-form": { "type": "code", "language": "hcl" }}
GCP > Network > Backend Service > Logging
Define the Logging settings required for GCP > Network > Backend Service > Logging.
Backend Service Logging allows you to audit, verify, and analyze the effects of your Backend Service.
tmod:@turbot/gcp-network#/policy/types/backendServiceLogging
[ "Skip", "Check: Enabled", "Check: Disabled", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Check: Enabled", "Check: Disabled", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Check: Enabled" ], "default": "Skip"}
GCP > Network > Backend Service > Logging > Sample Rate
The value of the field must be in [0, 1]. This configures the sampling rate of
requests to the load balancer where 1 means all logged requests are reported and
0 means no logged requests are reported. The default value is 1.
tmod:@turbot/gcp-network#/policy/types/backendServiceLoggingSampleRate
{ "type": "number", "default": 1, "minimum": 0, "maximum": 1}
GCP > Network > Backend Service > Usage
Configure the number of GCP Network backend services that can be used for this project and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > Backend Service > Usage policy.
tmod:@turbot/gcp-network#/policy/types/backendServiceUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > Backend Service > Usage > Limit
Maximum number of items that can be created for this project.
tmod:@turbot/gcp-network#/policy/types/backendServiceUsageLimit
{ "type": "integer", "minimum": 0, "default": 9}
GCP > Network > CMDB
Record and synchronize details for GCP Network network service(s) into the CMDB.
tmod:@turbot/gcp-network#/policy/types/networkServiceCmdb
[ "Skip", "Enforce: Enabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
GCP > Network > Enabled
Enabled Network.
tmod:@turbot/gcp-network#/policy/types/networkServiceEnabled
[ "Enabled", "Enabled: Metadata Only", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Enabled: Metadata Only", "Disabled" ], "example": [ "Enabled" ], "default": "Disabled"}
GCP > Network > Firewall > Active
Determine the action to take when a GCP Network firewall is not active, based on the GCP > Network > Firewall > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Firewall > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/firewallActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > Firewall > Active > Age
The age after which the GCP Network firewall is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Firewall > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/firewallActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > Firewall > Active > Last Modified
The number of days since the GCP Network firewall was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Firewall > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
tmod:@turbot/gcp-network#/policy/types/firewallActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > Firewall > Approved
Determine the action to take when a GCP Network firewall is not approved, based on the GCP > Network > Firewall > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/firewallApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > Firewall > Approved > Custom
Determine whether the GCP Network firewall is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network firewall is not approved, it will be subject to the action specified in the GCP > Network > Firewall > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of "Approved", "Not approved" or "Skip", or in the form of YAML objects. The object(s) must contain the key "result" with its value as "Approved" or "Not approved". A custom title and message can also be added using the keys "title" and "message" respectively.
tmod:@turbot/gcp-network#/policy/types/firewallApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
GCP > Network > Firewall > Approved > Usage
Determine whether the GCP Network firewall is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network firewall is not approved, it will be subject to the action specified in the GCP > Network > Firewall > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/firewallApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > Firewall > CMDB
Configure whether to record and synchronize details for the GCP Network firewall into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Firewall > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/gcp-network#/policy/types/firewallCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Compute Engine API is enabled"}
GCP > Network > Firewall > Configured
Determine how to configure this resource. Note that if the resource is managed by another stack, the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.
tmod:@turbot/gcp-network#/policy/types/firewallConfigured
[ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source"]
{ "enum": [ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source" ], "default": "Enforce: Configured if using Configured > Source"}
GCP > Network > Firewall > Configured > Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
By default, all resources are configured to use the precedence defined here, though they can override their Claim Precedence.
tmod:@turbot/gcp-network#/policy/types/firewallConfiguredPrecedence
{ "type": "array", "items": { "type": "string" }, "default": [ "**" ]}
GCP > Network > Firewall > Configured > Source
An HCL- or JSON-format Terraform configuration source used to configure this resource.
tmod:@turbot/gcp-network#/policy/types/firewallConfiguredSource
{ "type": "string", "default": "{\"resource\": {}}\n", "x-schema-form": { "type": "code", "language": "hcl" }}
GCP > Network > Firewall > Ingress Rules
tmod:@turbot/gcp-network#/policy/types/firewallIngressRules
GCP > Network > Firewall > Ingress Rules > Approved
Configure Firewall Ingress Rule checking. This policy defines whether
to verify the firewall ingress rules are approved, as well as the
subsequent action to take on unapproved items.
If set to "Enforce: Delete unapproved", any unapproved rules will be revoked from the firewall.
tmod:@turbot/gcp-network#/policy/types/firewallIngressRulesApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved" ], "example": [ "Skip" ], "default": "Skip"}
GCP > Network > Firewall > Ingress Rules > Approved > Rules
An Object Control List (OCL) with a list of filter rules to approve or reject firewall rules.
Examples:
Allow HTTP and HTTPS rules for RFC1918 private space
APPROVE $.turbot.fromPort:=80 $.turbot.toPort:=80 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
APPROVE $.turbot.fromPort:=443 $.turbot.toPort:=443 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
Reject any rule from 0.0.0.0/0
REJECT $.turbot.cidr:0.0.0.0/0
tmod:@turbot/gcp-network#/policy/types/firewallIngressRulesApprovedRules
{ "type": "string", "default": "# Approve unmatched rules\nAPPROVE *", "x-schema-form": { "type": "textarea" }}
GCP > Network > Firewall > Logging
Define the Logging settings required for GCP > Network > Firewall > Logging.
Firewall Rules Logging allows you to audit, verify, and analyze the effects of your firewall rules.
Note: Turning on firewall logs can generate a large number of logs which can increase costs in Stackdriver.
tmod:@turbot/gcp-network#/policy/types/firewallLogging
[ "Skip", "Check: Enabled", "Check: Disabled", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Check: Enabled", "Check: Disabled", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Check: Enabled" ], "default": "Skip"}
GCP > Network > Firewall > Usage
Configure the number of GCP Network firewalls that can be used for this project and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > Firewall > Usage policy.
tmod:@turbot/gcp-network#/policy/types/firewallUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > Firewall > Usage > Limit
Maximum number of items that can be created for this project
tmod:@turbot/gcp-network#/policy/types/firewallUsageLimit
{ "type": "integer", "minimum": 0, "default": 200}
GCP > Network > Forwarding Rule > Active
Determine the action to take when a GCP Network forwarding rule is not active, based on the GCP > Network > Forwarding Rule > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Forwarding Rule > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/forwardingRuleActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > Forwarding Rule > Active > Age
The age after which the GCP Network forwarding rule is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Forwarding Rule > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/forwardingRuleActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > Forwarding Rule > Active > Last Modified
The number of days since the GCP Network forwarding rule was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Forwarding Rule > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
tmod:@turbot/gcp-network#/policy/types/forwardingRuleActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > Forwarding Rule > Approved
Determine the action to take when a GCP Network forwarding rule is not approved, based on the GCP > Network > Forwarding Rule > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/forwardingRuleApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > Forwarding Rule > Approved > Custom
Determine whether the GCP Network forwarding rule is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network forwarding rule is not approved, it will be subject to the action specified in the GCP > Network > Forwarding Rule > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of "Approved", "Not approved" or "Skip", or in the form of YAML objects. The object(s) must contain the key "result" with its value as "Approved" or "Not approved". A custom title and message can also be added using the keys "title" and "message" respectively.
tmod:@turbot/gcp-network#/policy/types/forwardingRuleApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
GCP > Network > Forwarding Rule > Approved > Regions
A list of GCP regions in which GCP Network forwarding rules are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If a GCP Network forwarding rule is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > Forwarding Rule > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/forwardingRuleApprovedRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
GCP > Network > Forwarding Rule > Approved > Usage
Determine whether the GCP Network forwarding rule is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network forwarding rule is not approved, it will be subject to the action specified in the GCP > Network > Forwarding Rule > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/forwardingRuleApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > Forwarding Rule > CMDB
Configure whether to record and synchronize details for the GCP Network forwarding rule into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Forwarding Rule > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/gcp-network#/policy/types/forwardingRuleCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Compute Engine API is enabled"}
GCP > Network > Forwarding Rule > Labels
Determine the action to take when a GCP Network forwarding rule's labels are not updated, based on the GCP > Network > Forwarding Rule > Labels > * policies.
The control ensures GCP Network forwarding rule labels include the labels defined in GCP > Network > Forwarding Rule > Labels > Template.
Labels not defined in the Forwarding Rule Labels Template will not be modified or deleted. Setting a label value to undefined will result in the label being deleted.
See Labels for more information.
tmod:@turbot/gcp-network#/policy/types/forwardingRuleLabels
[ "Skip", "Check: Labels are correct", "Enforce: Set labels"]
{ "type": "string", "enum": [ "Skip", "Check: Labels are correct", "Enforce: Set labels" ], "example": [ "Check: Labels are correct" ], "default": "Skip"}
GCP > Network > Forwarding Rule > Labels > Template
The template is used to generate the label keys and values for the GCP Network forwarding rule.
Labels not defined in the Forwarding Rule Labels Template will not be modified or deleted. Setting a label value to undefined will result in the label being deleted.
See Labels for more information.
tmod:@turbot/gcp-network#/policy/types/forwardingRuleLabelsTemplate
[ "{\n project {\n turbot {\n id\n }\n }\n}\n", "{\n defaultLabels: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceLabelsTemplate\" resourceId: \"{{ $.project.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultLabels.value | length == 0 %} [] {%- elif $.defaultLabels.value != undefined %}{{ $.defaultLabels.value | dump | safe }}{%- else %}{% for item in $.defaultLabels.value %}- {{ item }}{% endfor %}{% endif %}"
GCP > Network > Forwarding Rule > Regions
A list of GCP regions in which GCP Network forwarding rules are supported for use.
Any forwarding rules in a region not listed here will not be recorded in CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/gcp-network#/policy/types/forwardingRuleRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
GCP > Network > Forwarding Rule > Usage
Configure the number of GCP Network forwarding rules that can be used for this project and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > Forwarding Rule > Usage policy.
tmod:@turbot/gcp-network#/policy/types/forwardingRuleUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > Forwarding Rule > Usage > Limit
Maximum number of items that can be created for this project
tmod:@turbot/gcp-network#/policy/types/forwardingRuleUsageLimit
{ "type": "integer", "minimum": 0, "default": 150}
GCP > Network > Global Address > Active
Determine the action to take when a GCP Network global address is not active, based on the GCP > Network > Global Address > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Global Address > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/globalAddressActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > Global Address > Active > Age
The age after which the GCP Network global address is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Global Address > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/globalAddressActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > Global Address > Active > Last Modified
The number of days since the GCP Network global address was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Global Address > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
tmod:@turbot/gcp-network#/policy/types/globalAddressActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > Global Address > Approved
Determine the action to take when a GCP Network global address is not approved based on GCP > Network > Global Address > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/globalAddressApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
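The Active and Approved descriptions above state opposite aggregation rules: a resource that appears active under any Active sub-policy is treated as active, while a resource that is unapproved under any Approved sub-policy is treated as unapproved, and "if new" enforcement only fires for resources created within the last 60 minutes. The following Python is an added illustration of those rules, not Guardrails code; the tie-break when no sub-policy gives a definite answer (all skipped stays skipped) and the age-in-minutes input are assumptions made for the example.

```python
# Added example: aggregation rules for Active and Approved controls as
# described on this page. Not Guardrails code; behaviour for the all-skipped
# case is an assumption the page does not spell out.

# Statuses a single Active sub-policy can report (from the page).
ACTIVE_STATUSES = {"active", "inactive", "skipped"}
# Results a single Approved sub-policy can report (from the page's enum values).
APPROVED_RESULTS = {"Approved", "Not approved", "Skip"}
# "if new" enforcement window stated on the page, in minutes.
NEW_RESOURCE_WINDOW_MINUTES = 60


def active_status(sub_statuses):
    """Aggregate Active sub-policy statuses: any 'active' wins.

    Assumption: with no 'active' result, any 'inactive' wins, and a set of
    only 'skipped' results stays 'skipped'.
    """
    unknown = set(sub_statuses) - ACTIVE_STATUSES
    if unknown:
        raise ValueError(f"unknown Active status(es): {sorted(unknown)}")
    if "active" in sub_statuses:
        return "active"
    if "inactive" in sub_statuses:
        return "inactive"
    return "skipped"


def approved_status(sub_results):
    """Aggregate Approved sub-policy results: any 'Not approved' wins.

    This is the contrast the page draws with Active. Assumption: a set of
    only 'Skip' results stays 'Skip'.
    """
    unknown = set(sub_results) - APPROVED_RESULTS
    if unknown:
        raise ValueError(f"unknown Approved result(s): {sorted(unknown)}")
    if "Not approved" in sub_results:
        return "Not approved"
    if "Approved" in sub_results:
        return "Approved"
    return "Skip"


def approved_enforcement_applies(action, overall_result, resource_age_minutes):
    """Decide whether an Approved enforcement action acts on a resource.

    'Skip' and 'Check: ...' never enforce. Actions containing 'if new' only act
    on resources created within the last 60 minutes (stated on the page);
    other 'Enforce:' actions act on any unapproved resource.
    """
    if overall_result != "Not approved":
        return False
    if action == "Skip" or action.startswith("Check:"):
        return False
    if not action.startswith("Enforce:"):
        raise ValueError(f"unrecognised action: {action!r}")
    if "if new" in action:
        return resource_age_minutes <= NEW_RESOURCE_WINDOW_MINUTES
    return True
```

The practical consequence: a single "Active" signal (for example a recent modification) keeps a resource from being cleaned up, whereas a single "Not approved" result (for example a disallowed network tier) is enough to alarm, so Approved sub-policies should be tuned conservatively before enabling any "Enforce:" value.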
GCP > Network > Global Address > Approved > Custom
Determine whether the GCP Network global address is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network global address is not approved, it will be subject to the action specified in the GCP > Network > Global Address > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/gcp-network#/policy/types/globalAddressApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
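The schema above accepts a bare string, a single object or a list of objects, with result required and title/message length-limited. As an added example (not Guardrails code), the following Python validates a candidate Approved > Custom value against exactly the constraints in that schema and reduces a valid value to one result using the any-unapproved-wins rule the Approved control description states. The reduction of a list to a single result is an assumption for this example; the schema itself allows Skip as an object result even though the note above only mentions Approved and Not approved.

```python
# Added example: validate an Approved > Custom policy value against the
# JSON schema shown on this page, then reduce it to a single result.
# Not Guardrails code; the list-reduction rule is an assumption.
import re

# Patterns copied from the schema's "pattern" fields.
TITLE_RE = re.compile(r"^[\W\w]{1,32}$")
MESSAGE_RE = re.compile(r"^[\W\w]{1,128}$")
RESULT_RE = re.compile(r"^(Approved|Not approved|Skip)$")
ALLOWED_KEYS = {"title", "message", "result"}  # additionalProperties: false


def _check_object(obj, path):
    """Return a list of schema violations for one object (empty = valid)."""
    if not isinstance(obj, dict):
        return [f"{path}: expected an object, got {type(obj).__name__}"]
    errors = []
    extra = set(obj) - ALLOWED_KEYS
    if extra:
        errors.append(f"{path}: additional properties not allowed: {sorted(extra)}")
    if "result" not in obj:
        errors.append(f"{path}: missing required key 'result'")
    elif not (isinstance(obj["result"], str) and RESULT_RE.fullmatch(obj["result"])):
        errors.append(f"{path}.result: must be Approved, Not approved or Skip")
    for key, pattern in (("title", TITLE_RE), ("message", MESSAGE_RE)):
        if key in obj and not (isinstance(obj[key], str) and pattern.fullmatch(obj[key])):
            errors.append(f"{path}.{key}: must be a string of 1 to "
                          f"{'32' if key == 'title' else '128'} characters")
    return errors


def validate_custom_value(value):
    """Validate a value against the schema's anyOf: string, object or array."""
    if isinstance(value, str):
        return [] if RESULT_RE.fullmatch(value) else [
            "$: string must be Approved, Not approved or Skip"]
    if isinstance(value, list):
        errors = []
        for index, item in enumerate(value):
            errors.extend(_check_object(item, f"$[{index}]"))
        return errors
    return _check_object(value, "$")


def custom_result(value):
    """Reduce a valid value to one result; any 'Not approved' wins (assumption
    mirroring the Approved control's any-unapproved rule)."""
    errors = validate_custom_value(value)
    if errors:
        raise ValueError("; ".join(errors))
    if isinstance(value, str):
        return value
    items = value if isinstance(value, list) else [value]
    results = [item["result"] for item in items]
    if "Not approved" in results:
        return "Not approved"
    if "Approved" in results:
        return "Approved"
    return "Skip"
```

Because the schema sets additionalProperties to false, a typo such as "messsage" makes the whole value invalid rather than being silently ignored, which is the behaviour you want for a policy that can trigger deletion.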
GCP > Network > Global Address > Approved > Usage
Determine whether the GCP Network global address is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network global address is not approved, it will be subject to the action specified in the GCP > Network > Global Address > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/globalAddressApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > Global Address > CMDB
Configure whether to record and synchronize details for the GCP Network global address into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/gcp-network#/policy/types/globalAddressCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Compute Engine API is enabled"}
GCP > Network > Global Address > Usage
Configure the number of GCP Network global addresses that can be used for this project and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > Global Address > Usage policy.
tmod:@turbot/gcp-network#/policy/types/globalAddressUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > Global Address > Usage > Limit
Maximum number of items that can be created for this project
tmod:@turbot/gcp-network#/policy/types/globalAddressUsageLimit
{ "type": "integer", "minimum": 0, "default": 200}
GCP > Network > Global Forwarding Rule > Active
Determine the action to take for a GCP Network global forwarding rule based on the GCP > Network > Global Forwarding Rule > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Global Forwarding Rule > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > Global Forwarding Rule > Active > Age
The age after which the GCP Network global forwarding rule is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Global Forwarding Rule > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > Global Forwarding Rule > Active > Last Modified
The number of days since the GCP Network global forwarding rule was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Global Forwarding Rule > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > Global Forwarding Rule > Approved
Determine the action to take when a GCP Network global forwarding rule is not approved based on GCP > Network > Global Forwarding Rule > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > Global Forwarding Rule > Approved > Custom
Determine whether the GCP Network global forwarding rule is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network global forwarding rule is not approved, it will be subject to the action specified in the GCP > Network > Global Forwarding Rule > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
GCP > Network > Global Forwarding Rule > Approved > Usage
Determine whether the GCP Network global forwarding rule is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network global forwarding rule is not approved, it will be subject to the action specified in the GCP > Network > Global Forwarding Rule > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > Global Forwarding Rule > CMDB
Configure whether to record and synchronize details for the GCP Network global forwarding rule into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Global Forwarding Rule > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Compute Engine API is enabled"}
GCP > Network > Global Forwarding Rule > Labels
Determine the action to take when a GCP Network global forwarding rule's labels are not updated based on the GCP > Network > Global Forwarding Rule > Labels > * policies.
The control ensures GCP Network global forwarding rule labels include the labels defined in GCP > Network > Global Forwarding Rule > Labels > Template.
Labels not defined in the Global Forwarding Rule Labels Template will not be modified or deleted. Setting a label value to undefined will result in the label being deleted.
See Labels for more information.
tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleLabels
[ "Skip", "Check: Labels are correct", "Enforce: Set labels"]
{ "type": "string", "enum": [ "Skip", "Check: Labels are correct", "Enforce: Set labels" ], "example": [ "Check: Labels are correct" ], "default": "Skip"}
GCP > Network > Global Forwarding Rule > Labels > Template
The template is used to generate the keys and values for GCP Network global forwarding rule.
Labels not defined in the Global Forwarding Rule Labels Template will not be modified or deleted. Setting a label value to undefined will result in the label being deleted.
See Labels for more information.
tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleLabelsTemplate
[ "{\n project {\n turbot {\n id\n }\n }\n}\n", "{\n defaultLabels: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceLabelsTemplate\" resourceId: \"{{ $.project.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultLabels.value | length == 0 %} [] {%- elif $.defaultLabels.value != undefined %}{{ $.defaultLabels.value | dump | safe }}{%- else %}{% for item in $.defaultLabels.value %}- {{ item }}{% endfor %}{% endif %}"
GCP > Network > Global Forwarding Rule > Usage
Configure the number of GCP Network global forwarding rules that can be used for this project and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > Global Forwarding Rule > Usage policy.
tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > Global Forwarding Rule > Usage > Limit
Maximum number of items that can be created for this project
tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleUsageLimit
{ "type": "integer", "minimum": 0, "default": 150}
GCP > Network > Interconnect > Active
Determine the action to take for a GCP Network interconnect based on the GCP > Network > Interconnect > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Interconnect > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/interconnectActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > Interconnect > Active > Age
The age after which the GCP Network interconnect is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Interconnect > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/interconnectActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > Interconnect > Active > Last Modified
The number of days since the GCP Network interconnect was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Interconnect > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
tmod:@turbot/gcp-network#/policy/types/interconnectActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > Interconnect > Approved
Determine the action to take when a GCP Network interconnect is not approved based on GCP > Network > Interconnect > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/interconnectApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > Interconnect > Approved > Custom
Determine whether the GCP Network interconnect is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network interconnect is not approved, it will be subject to the action specified in the GCP > Network > Interconnect > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/gcp-network#/policy/types/interconnectApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
GCP > Network > Interconnect > Approved > Usage
Determine whether the GCP Network interconnect is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network interconnect is not approved, it will be subject to the action specified in the GCP > Network > Interconnect > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/interconnectApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > Interconnect > CMDB
Configure whether to record and synchronize details for the GCP Network interconnect into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Interconnect > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/gcp-network#/policy/types/interconnectCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Compute Engine API is enabled"}
GCP > Network > Interconnect > Usage
Configure the number of GCP Network interconnects that can be used for this project and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > Interconnect > Usage policy.
tmod:@turbot/gcp-network#/policy/types/interconnectUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > Interconnect > Usage > Limit
Maximum number of items that can be created for this project
tmod:@turbot/gcp-network#/policy/types/interconnectUsageLimit
{ "type": "integer", "minimum": 0, "default": 6}
GCP > Network > Labels Template [Default]
A template used to generate the keys and values for GCP Network resources.
By default, all Network resource Labels > Template policies will use this value.
tmod:@turbot/gcp-network#/policy/types/networkServiceLabelsTemplate
"{\n defaultLabels: policyValue(uri:\"tmod:@turbot/gcp#/policy/types/defaultLabelsTemplate\") {\n value\n }\n}\n"
"{%- if $.defaultLabels.value | length == 0 %} [] {%- elif $.defaultLabels.value != undefined %}{{ $.defaultLabels.value | dump | safe }}{%- else %}{% for item in $.defaultLabels.value %}- {{ item }}{% endfor %}{% endif %}"
GCP > Network > Network > Active
Determine the action to take when a GCP Network network is inactive, based on the GCP > Network > Network > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Network > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
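The two aggregation rules described above (Active: active for any reason means active; Approved: unapproved for any reason means unapproved), the 60-minute "if new" enforcement window from the Approved sections, and the accepted shapes of an Approved > Custom value are easier to see in code. The following is an added example written for this reference, not Turbot's own implementation; the result names, the `age_minutes` parameter and the handling of the all-skipped case are assumptions, and the title/message length limits are taken from the Custom schema on this page.

```python
# Added example (not Turbot's code): how the Active and Approved controls
# combine sub-policy results, the "if new" window, and Custom value parsing.
import re

ACTIVE, INACTIVE, SKIPPED = "active", "inactive", "skipped"
APPROVED, NOT_APPROVED, SKIP = "Approved", "Not approved", "Skip"

# Constraints copied from the Approved > Custom schema on this page.
RESULT_RE = re.compile(r"^(Approved|Not approved|Skip)$")
LIMITS = {"title": 32, "message": 128}


def aggregate_active(statuses):
    """Active control: a resource that looks active for ANY reason is active.
    Assumption (not spelled out on the page): with no active vote, any
    inactive vote makes it inactive, and all-skipped yields skipped."""
    if ACTIVE in statuses:
        return ACTIVE
    if INACTIVE in statuses:
        return INACTIVE
    return SKIPPED


def aggregate_approved(results):
    """Approved control: unapproved for ANY reason means Not approved;
    otherwise Approved if any sub-policy approves; otherwise Skip."""
    if NOT_APPROVED in results:
        return NOT_APPROVED
    if APPROVED in results:
        return APPROVED
    return SKIP


def custom_results(value):
    """Normalise an Approved > Custom value (a bare string, one YAML object,
    or a list of objects) into the list of its result strings, rejecting
    anything the schema would reject (unknown keys, bad result, bad lengths)."""
    items = value if isinstance(value, list) else [value]
    results = []
    for item in items:
        obj = {"result": item} if isinstance(item, str) else item
        if not isinstance(obj, dict) or "result" not in obj:
            raise ValueError(f"custom value needs a result: {item!r}")
        if set(obj) - {"result", "title", "message"}:
            raise ValueError(f"unexpected keys in custom value: {obj!r}")
        if not RESULT_RE.match(obj["result"]):
            raise ValueError(f"bad result: {obj['result']!r}")
        for key, limit in LIMITS.items():
            if key in obj and not 1 <= len(obj[key]) <= limit:
                raise ValueError(f"{key} must be 1-{limit} characters")
        results.append(obj["result"])
    return results


def enforcement_applies(action, age_minutes, window_minutes=60):
    """Whether an enforcement action may fire for a resource of the given
    age. Skip/Check never enforce; actions ending in 'if new' only apply to
    resources created within the window (60 minutes per this page)."""
    if not action.startswith("Enforce:"):
        return False
    if action.endswith("if new"):
        return age_minutes <= window_minutes
    return True


if __name__ == "__main__":
    print(aggregate_active([SKIPPED, INACTIVE, ACTIVE]))       # active
    print(aggregate_approved([APPROVED, NOT_APPROVED]))         # Not approved
    print(custom_results([{"result": "Approved", "title": "ok"}, "Skip"]))
    print(enforcement_applies("Enforce: Delete unapproved if new", 90))  # False
```

Note that a single "Not approved" vote overrides any number of "Approved" votes, while a single "active" vote overrides any number of "inactive" ones; the two controls fail in opposite directions by design.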
tmod:@turbot/gcp-network#/policy/types/networkActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > Network > Active > Age
The age after which the GCP Network network is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Network > Active > *), raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/networkActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > Network > Active > Last Modified
The number of days since the GCP Network network was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Network > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
tmod:@turbot/gcp-network#/policy/types/networkActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > Network > Approved
Determine the action to take when a GCP Network network is not approved, based on the GCP > Network > Network > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement action for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/networkApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > Network > Approved > Custom
Determine whether the GCP Network network is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network network is not approved, it will be subject to the action specified in the GCP > Network > Network > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/gcp-network#/policy/types/networkApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
GCP > Network > Network > Approved > Usage
Determine whether the GCP Network network is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network network is not approved, it will be subject to the action specified in the GCP > Network > Network > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/networkApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > Network > CMDB
Configure whether to record and synchronize details for the GCP Network network into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Network > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/gcp-network#/policy/types/networkCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Compute Engine API is enabled"}
GCP > Network > Network > Configured
Determine how to configure this resource. Note that if the resource
is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherited from the stack that owns it.
tmod:@turbot/gcp-network#/policy/types/networkConfigured
[ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source"]
{ "enum": [ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source" ], "default": "Enforce: Configured if using Configured > Source"}
GCP > Network > Network > Configured > Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
By default, all resources are configured to use the precedence defined
here, though they can override their Claim Precedence.
tmod:@turbot/gcp-network#/policy/types/networkConfiguredPrecedence
{ "type": "array", "items": { "type": "string" }, "default": [ "**" ]}
GCP > Network > Network > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/gcp-network#/policy/types/networkConfiguredSource
{ "type": "string", "default": "{\"resource\": {}}\n", "x-schema-form": { "type": "code", "language": "hcl" }}
GCP > Network > Network > Trusted Domains [Default]
List of GCP Domains that are trusted for access in the GCP Network policy.
This policy is used by the GCP > Network > Policy > Trusted Access control to determine which members of type "domain" are allowed to be granted access. You may use the '*' and '?' wildcard characters.
```
example:
- company.com
- company-dev.org
```
Note: Setting the policy to an empty array will remove all domains.
tmod:@turbot/gcp-network#/policy/types/networkTrustedDomains
"{\n value: policy(uri: \"tmod:@turbot/gcp#/policy/types/trustedDomains\")\n}\n"
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
GCP > Network > Network > Trusted Groups [Default]
List of GCP Groups that are trusted for access in the GCP Network policy.
This policy is used by the GCP > Network > Policy > Trusted Access control to determine which members of type "group" are allowed to be granted access. You may use the '*' and '?' wildcard characters.
```
example:
- notification@company.com
- "*@company.com"
```
Note: Setting the policy to an empty array will remove all groups.
tmod:@turbot/gcp-network#/policy/types/networkTrustedGroups
"{\n value: policy(uri: \"tmod:@turbot/gcp#/policy/types/trustedGroups\")\n}\n"
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
GCP > Network > Network > Trusted Projects [Default]
List of GCP Projects that are trusted for access in the GCP Network policy.
This policy is used by the GCP > Network > Policy > Trusted Access control to determine whether members of type "project" are allowed to be granted access. You may use the '*' and '?' wildcard characters.
```
example:
- dev-aaa
- dev-aab
```
Note: Setting the policy to an empty array will remove all projects.
tmod:@turbot/gcp-network#/policy/types/networkTrustedProjects
"{\n value: policy(uri: \"tmod:@turbot/gcp#/policy/types/trustedProjects\")\n}\n"
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
GCP > Network > Network > Trusted Service Accounts [Default]
List of GCP Service Accounts that are trusted for access in the GCP Network policy.
This policy is used by the GCP > Network > Policy > Trusted Access control to determine which members of type "serviceAccount" are allowed to be granted access. You may use the '*' and '?' wildcard characters.
```
example:
- project-owner@dev-aaa.iam.gserviceaccount.com
- "*" # All service accounts trusted
```
Note: Setting the policy to an empty array will remove all service accounts.
tmod:@turbot/gcp-network#/policy/types/networkTrustedServiceAccounts
"{\n value: policy(uri: \"tmod:@turbot/gcp#/policy/types/trustedServiceAccounts\")\n}\n"
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
GCP > Network > Network > Trusted Users [Default]
List of GCP Users that are trusted for access in the GCP Network policy.
This policy is used by the GCP > Network > Trusted Access control to determine which members of type "user" are allowed to be granted access. You may use the '*' and '?' wildcard characters.
```
example:
- "*@company.com" # All users with email ending in @company.com are trusted
- "test@dev-company.com"
- "dummy@gmail.com"
```
Note: Setting the policy to an empty array will remove all users.
tmod:@turbot/gcp-network#/policy/types/networkTrustedUsers
"{\n value: policy(uri: \"tmod:@turbot/gcp#/policy/types/trustedUsers\")\n}\n"
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
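The five Trusted lists above share one matching rule: a member is allowed only if its identifier matches an entry of the list for its type, with '*' and '?' as the only wildcards, and an empty list trusts nobody. The following added example (written for this reference, not Turbot's own code) implements that rule for IAM members written as `type:identifier`; the sample lists are constructed from the examples on this page, and case-insensitive matching and the treatment of bare members such as `allUsers` are assumptions.

```python
# Added example (not Turbot's code): checking IAM members against the
# Trusted Domains / Groups / Projects / Service Accounts / Users lists
# using only the '*' and '?' wildcards this page allows.
import re

# Constructed sample policy values, one list per member type.
TRUSTED = {
    "domain": ["company.com", "company-dev.org"],
    "group": ["notification@company.com", "*@company.com"],
    "project": ["dev-aa?"],
    "serviceAccount": ["project-owner@dev-aaa.iam.gserviceaccount.com"],
    "user": ["*@company.com", "test@dev-company.com"],
}


def wildcard_to_regex(pattern):
    """Translate a pattern in which only '*' (any run of characters) and
    '?' (exactly one character) are special into an anchored regex. Unlike
    fnmatch, '[' and other characters stay literal. Case-insensitive
    matching is an assumption made for this example."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def is_trusted(member, trusted=TRUSTED):
    """True if an IAM member such as 'user:alice@company.com' matches an
    entry in the trusted list for its type. A missing or empty list trusts
    nobody, mirroring the page's note that an empty array removes all entries."""
    if ":" not in member:
        # Bare members (allUsers, allAuthenticatedUsers) have no trusted
        # list on this page; treating them as untrusted is an assumption.
        return False
    kind, _, ident = member.partition(":")
    return any(wildcard_to_regex(p).match(ident) for p in trusted.get(kind, []))


def untrusted_members(binding_members, trusted=TRUSTED):
    """Members of an IAM binding that the Trusted Access control would flag."""
    return [m for m in binding_members if not is_trusted(m, trusted)]


if __name__ == "__main__":
    binding = ["user:alice@company.com", "group:notification@company.com",
               "user:mallory@evil.example", "allUsers"]
    print(untrusted_members(binding))  # ['user:mallory@evil.example', 'allUsers']
```

The translation deliberately does not use `fnmatch`, whose `[seq]` syntax would give `[` a meaning the page does not promise; only the two documented wildcards are special.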
GCP > Network > Network > Usage
Configure the number of GCP Network networks that can be used for this project and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > Network > Usage policy.
tmod:@turbot/gcp-network#/policy/types/networkUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > Network > Usage > Limit
Maximum number of items that can be created for this project
tmod:@turbot/gcp-network#/policy/types/networkUsageLimit
{ "type": "integer", "minimum": 0, "default": 15}
GCP > Network > Packet Mirroring > Active
Determine the action to take when a GCP Network packet mirroring is inactive, based on the GCP > Network > Packet Mirroring > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Packet Mirroring > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/packetMirroringActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > Packet Mirroring > Active > Age
The age after which the GCP Network packet mirroring is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Packet Mirroring > Active > *), raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/packetMirroringActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > Packet Mirroring > Active > Last Modified
The number of days since the GCP Network packet mirroring was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Packet Mirroring > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
tmod:@turbot/gcp-network#/policy/types/packetMirroringActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > Packet Mirroring > Approved
Determine the action to take when a GCP Network packet mirroring is not approved, based on the GCP > Network > Packet Mirroring > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement action for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/packetMirroringApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > Packet Mirroring > Approved > Custom
Determine whether the GCP Network packet mirroring is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network packet mirroring is not approved, it will be subject to the action specified in the GCP > Network > Packet Mirroring > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/gcp-network#/policy/types/packetMirroringApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
GCP > Network > Packet Mirroring > Approved > Regions
A list of GCP regions in which GCP Network packet mirrorings are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If a GCP Network packet mirroring is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > Packet Mirroring > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/packetMirroringApprovedRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
GCP > Network > Packet Mirroring > Approved > Usage
Determine whether the GCP Network packet mirroring is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network packet mirroring is not approved, it will be subject to the action specified in the GCP > Network > Packet Mirroring > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/packetMirroringApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > Packet Mirroring > CMDB
Configure whether to record and synchronize details for the GCP Network packet mirroring into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the resource's region is not in the GCP > Network > Packet Mirroring > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/gcp-network#/policy/types/packetMirroringCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Network API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Network API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Network API is enabled"}
GCP > Network > Packet Mirroring > Regions
A list of GCP regions in which GCP Network packet mirrorings are supported for use.
Any packet mirrorings in a region not listed here will not be recorded in CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/gcp-network#/policy/types/packetMirroringRegions
{ "allOf": [ { "$ref": "gcp#/definitions/regionNameMatcherList" }, { "default": [ "asia-east1", "asia-east2", "asia-northeast1", "asia-northeast2", "asia-northeast3", "asia-south1", "asia-southeast1", "asia-southeast2", "australia-southeast1", "europe-north1", "europe-west1", "europe-west2", "europe-west3", "europe-west4", "europe-west6", "northamerica-northeast1", "southamerica-east1", "us-central1", "us-east1", "us-east4", "us-west1", "us-west2", "us-west3", "us-west5" ] } ]}
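The Regions and Approved > Regions policies above (and the same pair for every other regional resource type on this page, such as Region Backend Service) accept the '*' and '?' wildcards and interact in one way worth seeing end to end: a resource whose region is outside Regions is dropped from the CMDB, so Approved > Regions never gets to evaluate it. The following is an added example, not code from the @turbot/gcp-network mod; it implements the wildcard matcher and that two-step evaluation over constructed packet mirrorings and constructed policy values.

```python
"""Evaluate Guardrails region policies that accept '*' and '?' wildcards.

Added example, not code from the @turbot/gcp-network mod. The resources and
policy values below are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a region matcher ('*' = any run, '?' = one char) to a regex.

    Every other character is escaped, so a '.' or '-' in a pattern is taken
    literally rather than as a regex metacharacter.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def region_matches(region: str, matchers: Iterable[str]) -> bool:
    """True if the region name matches at least one entry in the policy list."""
    return any(wildcard_to_regex(m).match(region) for m in matchers)


def evaluate_regions(resources: Dict[str, str], cmdb_regions: List[str],
                     approved_regions: List[str]) -> Dict[str, str]:
    """Return one status per resource name.

    'not in CMDB'  -> region outside the Regions policy; the CMDB control drops
                      the resource, so no Approved evaluation happens at all
    'Approved'     -> recorded and inside Approved > Regions
    'Not approved' -> recorded but outside Approved > Regions
    """
    status = {}
    for name, region in resources.items():
        if not region_matches(region, cmdb_regions):
            status[name] = "not in CMDB"
        elif region_matches(region, approved_regions):
            status[name] = "Approved"
        else:
            status[name] = "Not approved"
    return status


# Constructed sample: four packet mirrorings and two policy values.
SAMPLE_RESOURCES = {
    "pm-frontend": "us-central1",
    "pm-eu-audit": "europe-west3",
    "pm-apac": "asia-southeast1",
    "pm-lab": "southamerica-east1",
}
SAMPLE_CMDB_REGIONS = ["us-*", "europe-west?", "asia-southeast1"]   # Regions
SAMPLE_APPROVED_REGIONS = ["us-central1", "europe-*"]               # Approved > Regions

if __name__ == "__main__":
    for name, result in evaluate_regions(SAMPLE_RESOURCES, SAMPLE_CMDB_REGIONS,
                                         SAMPLE_APPROVED_REGIONS).items():
        print(f"{name:12} {result}")
```

Note the asymmetry this makes visible: pm-lab never raises an Approved alarm, not because it is approved but because the CMDB control removed it. If the intent is to alarm on out-of-region resources, keep Regions wide and narrow Approved > Regions, not the other way round.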
GCP > Network > Packet Mirroring > Usage
Configure the number of GCP Network packet mirrorings that can be used for this project and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > Packet Mirroring > Usage policy.
tmod:@turbot/gcp-network#/policy/types/packetMirroringUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > Packet Mirroring > Usage > Limit
Maximum number of packet mirrorings that can be created in this project.
tmod:@turbot/gcp-network#/policy/types/packetMirroringUsageLimit
{ "type": "integer", "minimum": 0, "default": 150}
GCP > Network > Permissions
Configure whether permissions policies are in effect for GCP Network.
This setting does not affect Project level permissions (GCP/Admin, GCP/Owner, etc).
Note: The behavior of this policy depends on the value of GCP > Permissions.
tmod:@turbot/gcp-network#/policy/types/networkServicePermissions
[ "Enabled", "Disabled", "Enabled if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled", "Enabled if GCP > Network > Enabled" ], "example": [ "Enabled" ], "default": "Enabled if GCP > Network > Enabled"}
GCP > Network > Permissions > Levels
Define the permissions levels that can be used to grant access to Network in a GCP project. Permissions levels defined here will appear in the UI to assign access to Guardrails users.
Note: Some services do not use all permissions levels, and any permissions level that has no permissions associated will not be created even if it is selected here.
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevels
[ "{\n item: project {\n turbot{\n id\n }\n }\n}\n", "{\n availableLevels: policyValues(filter:\"policyTypeLevel:self resourceId:{{ $.item.turbot.id }} policyTypeId:'tmod:@turbot/gcp-iam#/policy/types/permissionsLevelsDefault'\") {\n items {\n value\n }\n }\n}\n"]
"{% if $.availableLevels.items[0].value | length == 0 %} [] {% endif %}{% for item in $.availableLevels.items[0].value %}- {{ item }}\n{% endfor %}"
{ "type": "array", "items": { "type": "string", "enum": [ "Metadata", "ReadOnly", "Operator", "Admin", "Owner" ] }}
GCP > Network > Permissions > Levels > Address Administration
Determines which Guardrails permissions level can manage Address Administration.
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsAddressAdministration
[ "None", "Admin"]
{ "type": "string", "enum": [ "None", "Admin" ], "example": [ "None" ], "default": "None"}
GCP > Network > Permissions > Levels > Firewall Administration
Determines which Guardrails permissions level can manage Firewall Administration.
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsFirewallAdministration
[ "None", "Admin"]
{ "type": "string", "enum": [ "None", "Admin" ], "example": [ "None" ], "default": "None"}
GCP > Network > Permissions > Levels > Forwarding Rules Administration
Determines which Guardrails permissions level can manage Forwarding Rules Administration.
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsForwardingRulesAdministration
[ "None", "Admin"]
{ "type": "string", "enum": [ "None", "Admin" ], "example": [ "None" ], "default": "None"}
GCP > Network > Permissions > Levels > Global Addresses Administration
Determines which Guardrails permissions level can manage Global Addresses Administration.
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsGlobalAddressesAdministration
[ "None", "Admin"]
{ "type": "string", "enum": [ "None", "Admin" ], "example": [ "None" ], "default": "None"}
GCP > Network > Permissions > Levels > Global Forwarding Rules Administration
Determines which Guardrails permissions level can manage Global Forwarding Rules Administration.
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsGlobalForwardingRulesAdministration
[ "None", "Admin"]
{ "type": "string", "enum": [ "None", "Admin" ], "example": [ "None" ], "default": "None"}
GCP > Network > Permissions > Levels > HTTP Load Balancer Administration
Determines which Guardrails permissions level can manage HTTP Load Balancer Administration.
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsHttpLoadBalancerAdministration
[ "None", "Admin"]
{ "type": "string", "enum": [ "None", "Admin" ], "example": [ "None" ], "default": "None"}
GCP > Network > Permissions > Levels > Modifiers
A map of GCP API operations to Guardrails permissions levels, used to customize Guardrails' standard permissions.
You can add, remove or redefine the mapping of GCP API operations to Guardrails permissions levels here.
Note: Modifiers are cumulative - if you add a permission to the metadata level, it is also added to readOnly, operator and admin. Modifier policies set here will "roll up" to the GCP level too - if you add a permission to Admin, it will be granted to GCP/Network/Admin and also GCP/Admin.
Example:
- "storage.bucket.create": admin
- "sql.database.create": metadata
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsModifiers
GCP > Network > Permissions > Levels > Network Administration
Determines which Guardrails permissions level can manage Network Administration.
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsNetworkAdministration
[ "None", "Admin"]
{ "type": "string", "enum": [ "None", "Admin" ], "example": [ "None" ], "default": "None"}
GCP > Network > Permissions > Levels > Route Administration
Determines which Guardrails permissions level can manage Route Administration.
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsRouteAdministration
[ "None", "Admin"]
{ "type": "string", "enum": [ "None", "Admin" ], "example": [ "None" ], "default": "None"}
GCP > Network > Permissions > Levels > Router Administration
Determines which Guardrails permissions level can manage Router Administration.
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsRouterAdministration
[ "None", "Admin"]
{ "type": "string", "enum": [ "None", "Admin" ], "example": [ "None" ], "default": "None"}
GCP > Network > Permissions > Levels > Subnetwork Administration
Determines which Guardrails permissions level can manage Subnetwork Administration.
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsSubnetworkAdministration
[ "None", "Admin"]
{ "type": "string", "enum": [ "None", "Admin" ], "example": [ "None" ], "default": "None"}
GCP > Network > Permissions > Levels > VPN Gateway Administration
Determines which Guardrails permissions level can manage VPN Gateway Administration.
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsVpnGatewayAdministration
[ "None", "Admin"]
{ "type": "string", "enum": [ "None", "Admin" ], "example": [ "None" ], "default": "None"}
GCP > Network > Permissions > Levels > VPN Tunnel Administration
Determines which Guardrails permissions level can manage VPN Tunnel Administration.
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsVpnTunnelAdministration
[ "None", "Admin"]
{ "type": "string", "enum": [ "None", "Admin" ], "example": [ "None" ], "default": "None"}
GCP > Network > Region Backend Service > Active
Determine the action to take when a GCP Network region backend service is not active, based on the GCP > Network > Region Backend Service > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region Backend Service > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > Region Backend Service > Active > Age
The age after which the GCP Network region backend service is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region Backend Service > Active > *), raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > Region Backend Service > Active > Last Modified
The number of days since the GCP Network region backend service was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region Backend Service > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > Region Backend Service > Approved
Determine the action to take when a GCP Network region backend service is not approved based on the GCP > Network > Region Backend Service > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > Region Backend Service > Approved > Custom
Determine whether the GCP Network region backend service is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network region backend service is not approved, it will be subject to the action specified in the GCP > Network > Region Backend Service > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. Each object must contain the key result with a value of Approved, Not approved or Skip (the schema below accepts Skip for objects as well as for the bare string). A custom title and message can also be added using the keys title and message respectively; the schema limits them to 32 and 128 characters.
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
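The Approved > Custom policies above (for Packet Mirroring and for Region Backend Service; the schema is identical) accept three shapes, and the page does not spell out how a list of objects is combined. The following is an added example, not code from the @turbot/gcp-network mod: it validates a value against the printed schema (required result, optional title and message with their length limits, no other keys) and combines a list under an assumed rule that follows the Approved control's "unapproved for any reason" behaviour. YAML parsing is left to the caller; the sample value is a constructed Python literal.

```python
"""Validate and evaluate an 'Approved > Custom' policy value.

Added example, not code from the @turbot/gcp-network mod. It mirrors the
schema printed above: a bare string, one object, or a list of objects with
a required `result` and optional `title` (1-32 chars) and `message`
(1-128 chars), and no other keys. The sample value is constructed.
"""
import re
from typing import Any, Dict, List, Tuple

RESULT_RE = re.compile(r"^(Approved|Not approved|Skip)$")
TITLE_RE = re.compile(r"^[\W\w]{1,32}$")
MESSAGE_RE = re.compile(r"^[\W\w]{1,128}$")
ALLOWED_KEYS = {"title", "message", "result"}


def validate_item(item: Any) -> Dict[str, Any]:
    """Check one object against the schema; raise ValueError on any violation."""
    if not isinstance(item, dict):
        raise ValueError(f"expected an object, got {type(item).__name__}")
    extra = set(item) - ALLOWED_KEYS
    if extra:
        raise ValueError(f"additionalProperties not allowed: {sorted(extra)}")
    if "result" not in item:
        raise ValueError("'result' is required")
    if not (isinstance(item["result"], str) and RESULT_RE.fullmatch(item["result"])):
        raise ValueError(f"bad result: {item['result']!r}")
    for key, pattern in (("title", TITLE_RE), ("message", MESSAGE_RE)):
        if key in item and not (isinstance(item[key], str) and pattern.fullmatch(item[key])):
            raise ValueError(f"{key} must be a string matching {pattern.pattern}")
    return item


def normalize(value: Any) -> List[Dict[str, Any]]:
    """Coerce the three accepted shapes into a list of result objects."""
    if isinstance(value, str):
        if not RESULT_RE.fullmatch(value):
            raise ValueError(f"bad result string: {value!r}")
        return [{"result": value}]
    if isinstance(value, dict):
        return [validate_item(value)]
    if isinstance(value, list):
        return [validate_item(i) for i in value]
    raise ValueError(f"unsupported policy value type: {type(value).__name__}")


def evaluate(value: Any) -> Tuple[str, List[str]]:
    """Return (overall result, reasons to show in the control's alarm).

    Combining a list is not spelled out on the page; the rule here is an
    assumption that follows the Approved control's 'unapproved for any
    reason' behaviour: one 'Not approved' item wins, otherwise one
    'Approved' item approves, and a list of only 'Skip' items is skipped.
    """
    items = normalize(value)
    labelled = [(i["result"], f"{i.get('title', 'Custom')}: {i.get('message', i['result'])}")
                for i in items]
    results = [r for r, _ in labelled]
    if "Not approved" in results:
        return "Not approved", [msg for r, msg in labelled if r == "Not approved"]
    if "Approved" in results:
        return "Approved", [msg for r, msg in labelled if r == "Approved"]
    return "Skip", []


# Constructed sample: approve mirroring to an internal collector but flag
# mirroring that would send traffic outside the VPC.
SAMPLE_VALUE = [
    {"title": "Internal collector", "result": "Approved"},
    {"title": "External collector", "result": "Not approved",
     "message": "Mirrored traffic may not leave the VPC"},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_VALUE))
```

Because the schema sets additionalProperties to false, a misspelled key such as "mesage" is rejected rather than silently ignored; validating before setting the policy avoids a value that Guardrails refuses at save time.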
GCP > Network > Region Backend Service > Approved > Regions
A list of GCP regions in which GCP Network region backend services are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If a GCP Network region backend service is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > Region Backend Service > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceApprovedRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
GCP > Network > Region Backend Service > Approved > Usage
Determine whether the GCP Network region backend service is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network region backend service is not approved, it will be subject to the action specified in the GCP > Network > Region Backend Service > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > Region Backend Service > CMDB
Configure whether to record and synchronize details for the GCP Network region backend service into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the resource's region is not in the GCP > Network > Region Backend Service > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Compute Engine API is enabled"}
GCP > Network > Region Backend Service > Configured
Determine how to configure this resource. Note that if the resource is managed by another stack, the Skip/Check/Enforce values here are ignored and inherited from the stack that owns it.
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceConfigured
[ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source"]
{ "enum": [ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source" ], "default": "Enforce: Configured if using Configured > Source"}
GCP > Network > Region Backend Service > Configured > Precedence
An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.
By default, all resources are configured to use the precedence defined here, though they can override their Claim Precedence.
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceConfiguredPrecedence
{ "type": "array", "items": { "type": "string" }, "default": [ "**" ]}
GCP > Network > Region Backend Service > Configured > Source
An HCL- or JSON-format Terraform configuration source used to configure this resource.
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceConfiguredSource
{ "type": "string", "default": "{\"resource\": {}}\n", "x-schema-form": { "type": "code", "language": "hcl" }}
GCP > Network > Region Backend Service > Logging
Define the Logging settings required for GCP > Network > Region Backend Service > Logging.
Region backend service logging writes the load balancer's request logs for this backend service to Cloud Logging, so you can audit, verify, and analyze the traffic the backend service handles.
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceLogging
[ "Skip", "Check: Enabled", "Check: Disabled", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Check: Enabled", "Check: Disabled", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Check: Enabled" ], "default": "Skip"}
GCP > Network > Region Backend Service > Logging > Sample Rate
The value of the field must be in [0, 1]. This configures the sampling rate of requests to the load balancer, where 1 means all logged requests are reported and 0 means no logged requests are reported. The default value is 1.
The sample rate only takes effect when logging is enabled for the backend service; with Logging disabled, nothing is reported regardless of this value.
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceLoggingSampleRate
{ "type": "number", "default": 1, "minimum": 0, "maximum": 1}
GCP > Network > Region Backend Service > Regions
A list of GCP regions in which GCP Network region backend services are supported for use.
Any region backend services in a region not listed here will not be recorded in CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
GCP > Network > Region Backend Service > Usage
Configure the number of GCP Network region backend services that can be used for this project and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > Region Backend Service > Usage policy.
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > Region Backend Service > Usage > Limit
Maximum number of region backend services that can be created in this project.
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceUsageLimit
{ "type": "integer", "minimum": 0, "default": 9}
GCP > Network > Region SSL Certificate > Active
Determine the action to take when a GCP Network region SSL certificate is not active, based on the GCP > Network > Region SSL Certificate > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region SSL Certificate > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/regionSslCertificateActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > Region SSL Certificate > Active > Age
The age after which the GCP Network region SSL certificate is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region SSL Certificate > Active > *), raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/regionSslCertificateActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > Region SSL Certificate > Active > Last Modified
The number of days since the GCP Network region SSL certificate was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region SSL Certificate > Active > *
), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
tmod:@turbot/gcp-network#/policy/types/regionSslCertificateActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > Region SSL Certificate > Approved
Determine the action to take when a GCP Network region ssl certificate is not approved, based on the GCP > Network > Region SSL Certificate > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement action on resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/regionSslCertificateApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > Region SSL Certificate > Approved > Custom
Determine whether the GCP Network region ssl certificate is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network region ssl certificate is not approved, it will be subject to the action specified in the GCP > Network > Region SSL Certificate > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/gcp-network#/policy/types/regionSslCertificateApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
GCP > Network > Region SSL Certificate > Approved > Regions
A list of GCP regions in which GCP Network region ssl certificates are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If a GCP Network region ssl certificate is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > Region SSL Certificate > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/regionSslCertificateApprovedRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
GCP > Network > Region SSL Certificate > Approved > Usage
Determine whether the GCP Network region ssl certificate is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network region ssl certificate is not approved, it will be subject to the action specified in the GCP > Network > Region SSL Certificate > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/regionSslCertificateApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > Region SSL Certificate > CMDB
Configure whether to record and synchronize details for the GCP Network region ssl certificate into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Region SSL Certificate > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/gcp-network#/policy/types/regionSslCertificateCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Network API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Network API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Network API is enabled"}
GCP > Network > Region SSL Certificate > Regions
A list of GCP regions in which GCP Network region ssl certificates are supported for use.
Any region ssl certificates in a region not listed here will not be recorded in the CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/gcp-network#/policy/types/regionSslCertificateRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
GCP > Network > Region SSL Certificate > Usage
Configure the number of GCP Network region ssl certificates that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > Region SSL Certificate > Usage policy.
tmod:@turbot/gcp-network#/policy/types/regionSslCertificateUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > Region SSL Certificate > Usage > Limit
Maximum number of items that can be created for this region
tmod:@turbot/gcp-network#/policy/types/regionSslCertificateUsageLimit
{ "type": "integer", "minimum": 0, "default": 100}
GCP > Network > Region Target HTTPS Proxy > Active
Determine the action to take when a GCP Network region target https proxy is not active, based on the GCP > Network > Region Target HTTPS Proxy > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region Target HTTPS Proxy > Active > *), raises an
alarm, and takes the defined enforcement action. Each Active sub-policy can
calculate a status of active, inactive or skipped. Generally, if the resource
appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > Region Target HTTPS Proxy > Active > Age
The age after which the GCP Network region target https proxy is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region Target HTTPS Proxy > Active > *), raises an
alarm, and takes the defined enforcement action. Each Active sub-policy can
calculate a status of active, inactive or skipped. Generally, if the resource
appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > Region Target HTTPS Proxy > Active > Last Modified
The number of days since the GCP Network region target https proxy was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region Target HTTPS Proxy > Active > *), raises an
alarm, and takes the defined enforcement action. Each Active sub-policy can
calculate a status of active, inactive or skipped. Generally, if the resource
appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > Region Target HTTPS Proxy > Approved
Determine the action to take when a GCP Network region target https proxy is not approved, based on the GCP > Network > Region Target HTTPS Proxy > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement action on resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > Region Target HTTPS Proxy > Approved > Custom
Determine whether the GCP Network region target https proxy is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network region target https proxy is not approved, it will be subject to the action specified in the GCP > Network > Region Target HTTPS Proxy > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
GCP > Network > Region Target HTTPS Proxy > Approved > Regions
A list of GCP regions in which GCP Network region target https proxies are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If a GCP Network region target https proxy is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > Region Target HTTPS Proxy > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyApprovedRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
GCP > Network > Region Target HTTPS Proxy > Approved > Usage
Determine whether the GCP Network region target https proxy is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network region target https proxy is not approved, it will be subject to the action specified in the GCP > Network > Region Target HTTPS Proxy > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > Region Target HTTPS Proxy > CMDB
Configure whether to record and synchronize details for the GCP Network region target https proxy into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Region Target HTTPS Proxy > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Network API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Network API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Network API is enabled"}
GCP > Network > Region Target HTTPS Proxy > Regions
A list of GCP regions in which GCP Network region target https proxies are supported for use.
Any region target https proxies in a region not listed here will not be recorded in the CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
GCP > Network > Region Target HTTPS Proxy > SSL Policy
Determine whether a GCP Network region target HTTPS proxy is using an allowed SSL policy.
If a region target HTTPS proxy is not using an allowed SSL policy and this policy is set to Check: SSL policy in allowed list, the control will raise an alarm.
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxySslPolicy
[ "Skip", "Check: SSL policy in allowed list"]
{ "type": "string", "enum": [ "Skip", "Check: SSL policy in allowed list" ], "example": [ "Check: SSL policy in allowed list" ], "default": "Skip"}
GCP > Network > Region Target HTTPS Proxy > SSL Policy > Allowed
A list of SSL policies that the GCP Network region target HTTPS proxy is allowed to use. The default of "*" allows any SSL policy, so the SSL Policy check only becomes restrictive once this list is narrowed to the policies you have vetted (for example, policies that enforce a minimum TLS version and a restricted cipher profile).
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxySslPolicyAllowed
{ "type": "array", "items": { "type": "string" }, "default": [ "*" ]}
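The Regions, Approved > Regions and SSL Policy > Allowed policies above all take a list of names with '*' and '?' wildcards. The following is an added example, not Guardrails' own code, showing how such an allow-list decides a resource's status. It assumes glob-style matching ('*' any run of characters, '?' exactly one, the pattern must match the whole name) and compares SSL policies by their short name; the page does not state how a proxy with no SSL policy attached is handled, so that case is treated as an alarm here as an assumption.

```python
"""Added example (not Guardrails' own code): evaluate the wildcard allow-lists
used by the Regions, Approved > Regions and SSL Policy > Allowed policies.
Assumptions: '*' matches any run of characters, '?' exactly one, a pattern
must match the whole name, and SSL policies are compared by short name."""
import re
from typing import Iterable, Optional


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a '*'/'?' pattern into a regex; every other character is
    literal, so 'us-central1' does not match 'us.central1'."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def in_allowed_list(name: str, allowed: Iterable[str]) -> bool:
    """True if any pattern matches the whole name.
    An empty list (the '[]' the Regions template renders) allows nothing."""
    return any(wildcard_to_regex(p).fullmatch(name) for p in allowed)


def region_approval(region: str, approved_regions: Iterable[str]) -> str:
    """Approved > Regions: a resource in a region outside the list is
    'Not approved' and falls under the Approved policy's enforcement action."""
    return "Approved" if in_allowed_list(region, approved_regions) else "Not approved"


def cmdb_tracked(region: str, regions: Iterable[str]) -> bool:
    """Regions: resources in a region not in this list are not recorded in the CMDB."""
    return in_allowed_list(region, regions)


def ssl_policy_check(ssl_policy_url: Optional[str], allowed: Iterable[str]) -> str:
    """SSL Policy > Allowed with the SSL Policy policy set to
    'Check: SSL policy in allowed list': returns 'ok' or 'alarm'.
    Assumption: a proxy with no SSL policy attached alarms, because it then
    runs on GCP's default SSL policy rather than one on the allow-list."""
    if ssl_policy_url is None:
        return "alarm"
    short_name = ssl_policy_url.rsplit("/", 1)[-1]   # '.../sslPolicies/<name>' -> '<name>'
    return "ok" if in_allowed_list(short_name, allowed) else "alarm"


if __name__ == "__main__":
    # Constructed sample data, not real resources.
    approved = ["us-central1", "europe-west?"]
    for region in ("us-central1", "europe-west4", "asia-east1"):
        print(region, region_approval(region, approved))
    proxy_policy = "projects/demo/regions/us-central1/sslPolicies/tls12-modern"
    print(ssl_policy_check(proxy_policy, ["*"]))           # default list: anything passes
    print(ssl_policy_check(proxy_policy, ["tls12-*"]))     # ok
    print(ssl_policy_check(proxy_policy, ["tls13-only"]))  # alarm
```

Note that 'europe-west?' matches europe-west4 but not europe-west10, and that characters such as '.' are literal rather than regex metacharacters; both are the behaviour you want when an allow-list is the control that keeps load balancer front ends in vetted regions and on vetted TLS profiles.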
GCP > Network > Region Target HTTPS Proxy > Usage
Configure the number of GCP Network region target https proxies that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > Region Target HTTPS Proxy > Usage policy.
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > Region Target HTTPS Proxy > Usage > Limit
Maximum number of items that can be created for this region
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyUsageLimit
{ "type": "integer", "minimum": 0, "default": 100}
GCP > Network > Region URL Map > Active
Determine the action to take when a GCP Network region url map is not active, based on the GCP > Network > Region URL Map > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region URL Map > Active > *), raises an
alarm, and takes the defined enforcement action. Each Active sub-policy can
calculate a status of active, inactive or skipped. Generally, if the resource
appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/regionUrlMapActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > Region URL Map > Active > Age
The age after which the GCP Network region url map is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region URL Map > Active > *), raises an
alarm, and takes the defined enforcement action. Each Active sub-policy can
calculate a status of active, inactive or skipped. Generally, if the resource
appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/regionUrlMapActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > Region URL Map > Active > Last Modified
The number of days since the GCP Network region url map was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region URL Map > Active > *), raises an
alarm, and takes the defined enforcement action. Each Active sub-policy can
calculate a status of active, inactive or skipped. Generally, if the resource
appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
tmod:@turbot/gcp-network#/policy/types/regionUrlMapActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > Region URL Map > Approved
Determine the action to take when a GCP Network region url map is not approved, based on the GCP > Network > Region URL Map > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement action on resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/regionUrlMapApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
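The Active sections (Active, Active > Age, Active > Last Modified) and the Approved sections for the region SSL certificate, region target HTTPS proxy and region URL map all describe the same aggregation rules: an Active sub-policy yields active, inactive or skipped and one active reason makes the resource active, whereas one unapproved reason makes a resource unapproved, and "if new" enforcement only acts within 60 minutes of creation. The following added example (not Guardrails' own code) models those rules in Python. Assumptions, since the page does not state them: an Age threshold that is not exceeded yields skipped rather than active, and the "Force ..." variants are evaluated like their plain counterparts because their precedence is not defined here.

```python
"""Added example (not Guardrails' own code): how the Active and Approved
controls combine their sub-policy results, following the page text.
Assumptions: an Age policy that is not exceeded yields 'skipped'; the page
does not define the precedence of the 'Force ...' settings, so they are
evaluated like the plain settings here."""
import re
from datetime import datetime, timedelta, timezone
from typing import Iterable

ACTIVE, INACTIVE, SKIPPED = "active", "inactive", "skipped"
APPROVED, NOT_APPROVED, SKIP = "Approved", "Not approved", "Skip"
NEW_WINDOW = timedelta(minutes=60)   # 'if new' enforcement window from the page


def _days(setting: str) -> int:
    """Pull the day count out of a setting such as 'Force inactive if age > 90 days'."""
    m = re.search(r"(\d+) days?", setting)
    if m is None:
        raise ValueError(f"no day count in policy setting: {setting!r}")
    return int(m.group(1))


def age_status(setting: str, created: datetime, now: datetime) -> str:
    """Active > Age: inactive once the age exceeds the threshold, else skipped (assumption)."""
    if setting == "Skip":
        return SKIPPED
    return INACTIVE if now - created > timedelta(days=_days(setting)) else SKIPPED


def last_modified_status(setting: str, modified: datetime, now: datetime) -> str:
    """Active > Last Modified: active if modified within the threshold, else inactive."""
    if setting == "Skip":
        return SKIPPED
    return ACTIVE if now - modified <= timedelta(days=_days(setting)) else INACTIVE


def active_result(statuses: Iterable[str]) -> str:
    """Active control: active for any reason wins; then inactive; otherwise skipped."""
    statuses = list(statuses)
    if ACTIVE in statuses:
        return ACTIVE
    if INACTIVE in statuses:
        return INACTIVE
    return SKIPPED


def approved_result(statuses: Iterable[str]) -> str:
    """Approved control: not approved for any reason wins."""
    statuses = list(statuses)
    if NOT_APPROVED in statuses:
        return NOT_APPROVED
    if APPROVED in statuses:
        return APPROVED
    return SKIP


def approved_action(setting: str, result: str, created: datetime, now: datetime) -> str:
    """'Enforce: Delete unapproved if new' deletes only resources created in the
    last 60 minutes; older unapproved resources only raise the alarm."""
    if setting == "Skip" or result != NOT_APPROVED:
        return "ok"
    if setting == "Enforce: Delete unapproved if new" and now - created <= NEW_WINDOW:
        return "delete"
    return "alarm"


def active_action(setting: str, result: str) -> str:
    """The Enforce settings delete an inactive resource after the stated warning period."""
    if setting == "Skip" or result != INACTIVE:
        return "ok"
    if setting.startswith("Enforce: Delete inactive with"):
        return f"alarm, delete after {_days(setting)} day warning"
    return "alarm"


def demo() -> dict:
    """Worked run on constructed timestamps (not real resource data)."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    created = now - timedelta(days=100)
    modified = now - timedelta(days=10)
    age = age_status("Force inactive if age > 90 days", created, now)              # inactive
    mod = last_modified_status("Active if last modified <= 30 days", modified, now)  # active
    combined = active_result([age, mod])                                            # active
    return {
        "age": age,
        "last_modified": mod,
        "active": combined,                                           # one active reason is enough
        "active_action": active_action("Enforce: Delete inactive with 7 days warning", combined),  # ok
        "approved": approved_result([APPROVED, NOT_APPROVED]),         # one unapproved reason is enough
        "old_unapproved": approved_action("Enforce: Delete unapproved if new", NOT_APPROVED, created, now),  # alarm
        "new_unapproved": approved_action("Enforce: Delete unapproved if new", NOT_APPROVED,
                                          now - timedelta(minutes=30), now),  # delete
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The asymmetry is the point to keep in mind when tuning these policies: a single "Active if last modified <= N days" match rescues a resource from an Age-based cleanup, while a single failing Approved sub-policy (Custom, Regions or Usage) is enough to trigger the Approved enforcement.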
GCP > Network > Region URL Map > Approved > Custom
Determine whether the GCP Network region url map is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network region url map is not approved, it will be subject to the action specified in the GCP > Network > Region URL Map > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/gcp-network#/policy/types/regionUrlMapApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
GCP > Network > Region URL Map > Approved > Regions
A list of GCP regions in which GCP Network region url maps are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If a GCP Network region url map is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > Region URL Map > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/regionUrlMapApprovedRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
GCP > Network > Region URL Map > Approved > Usage
Determine whether the GCP Network region url map is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network region url map is not approved, it will be subject to the action specified in the GCP > Network > Region URL Map > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/regionUrlMapApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > Region URL Map > CMDB
Configure whether to record and synchronize details for the GCP Network region url map into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Region URL Map > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/gcp-network#/policy/types/regionUrlMapCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Network API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Network API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Network API is enabled"}
GCP > Network > Region URL Map > Regions
A list of GCP regions in which GCP Network region url maps are supported for use.
Any region url maps in a region not listed here will not be recorded in CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/gcp-network#/policy/types/regionUrlMapRegions
{ "allOf": [ { "$ref": "gcp#/definitions/regionNameMatcherList" }, { "default": [ "asia-east1", "asia-east2", "asia-northeast1", "asia-northeast2", "asia-northeast3", "asia-south1", "asia-southeast1", "asia-southeast2", "australia-southeast1", "europe-north1", "europe-west1", "europe-west2", "europe-west3", "europe-west4", "europe-west6", "northamerica-northeast1", "southamerica-east1", "us-central1", "us-east1", "us-east4", "us-west1", "us-west2", "us-west3", "us-west5" ] } ]}
GCP > Network > Region URL Map > Usage
Configure the number of GCP Network region url maps that can be used for this project and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > Region URL Map > Usage policy.
tmod:@turbot/gcp-network#/policy/types/regionUrlMapUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > Region URL Map > Usage > Limit
Maximum number of items that can be created for this project.
tmod:@turbot/gcp-network#/policy/types/regionUrlMapUsageLimit
{ "type": "integer", "minimum": 0, "default": 100}
GCP > Network > Regions
A list of GCP regions in which GCP Network resources are supported for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy is the default value for all GCP Network resources' Regions policies.
tmod:@turbot/gcp-network#/policy/types/networkServiceRegionsDefault
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp#/policy/types/regionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
GCP > Network > Route > Active
Determine the action to take when a GCP Network route is not active, based on the GCP > Network > Route > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Route > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/routeActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > Route > Active > Age
The age after which the GCP Network route is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Route > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/routeActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > Route > Active > Last Modified
The number of days since the GCP Network route was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Route > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
tmod:@turbot/gcp-network#/policy/types/routeActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > Route > Approved
Determine the action to take when a GCP Network route is not approved based on the GCP > Network > Route > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/routeApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > Route > Approved > Custom
Determine whether the GCP Network route is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network route is not approved, it will be subject to the action specified in the GCP > Network > Route > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/gcp-network#/policy/types/routeApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
GCP > Network > Route > Approved > Usage
Determine whether the GCP Network route is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network route is not approved, it will be subject to the action specified in the GCP > Network > Route > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/routeApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > Route > CMDB
Configure whether to record and synchronize details for the GCP Network route into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Route > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/gcp-network#/policy/types/routeCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Compute Engine API is enabled"}
GCP > Network > Route > Configured
Determine how to configure this resource. Note that if the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.
tmod:@turbot/gcp-network#/policy/types/routeConfigured
[ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source"]
{ "enum": [ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source" ], "default": "Enforce: Configured if using Configured > Source"}
GCP > Network > Route > Configured > Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.
By default, all resources are configured to use the precedence defined here, though they can override their Claim Precedence.
tmod:@turbot/gcp-network#/policy/types/routeConfiguredPrecedence
{ "type": "array", "items": { "type": "string" }, "default": [ "**" ]}
GCP > Network > Route > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/gcp-network#/policy/types/routeConfiguredSource
{ "type": "string", "default": "{\"resource\": {}}\n", "x-schema-form": { "type": "code", "language": "hcl" }}
GCP > Network > Route > Regions
A list of GCP regions in which GCP Network routes are supported for use.
Any routes in a region not listed here will not be recorded in CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/gcp-network#/policy/types/routeRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
GCP > Network > Route > Usage
Configure the number of GCP Network routes that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > Route > Usage policy.
tmod:@turbot/gcp-network#/policy/types/routeUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > Route > Usage > Limit
Maximum number of items that can be created for this region.
tmod:@turbot/gcp-network#/policy/types/routeUsageLimit
{ "type": "integer", "minimum": 0, "default": 250}
GCP > Network > Router > Active
Determine the action to take when a GCP Network router is not active, based on the GCP > Network > Router > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Router > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/routerActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > Router > Active > Age
The age after which the GCP Network router is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Router > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/routerActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > Router > Active > Last Modified
The number of days since the GCP Network router was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Router > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
tmod:@turbot/gcp-network#/policy/types/routerActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > Router > Approved
Determine the action to take when a GCP Network router is not approved based on the GCP > Network > Router > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/routerApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > Router > Approved > Custom
Determine whether the GCP Network router is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network router is not approved, it will be subject to the action specified in the GCP > Network > Router > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/gcp-network#/policy/types/routerApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
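As an added example (not Turbot's code), the Python below models the Approved decision described for region URL maps, routes and routers above: it validates an Approved > Custom value against the page's schema (string, single object with a required result key, or list of objects; title up to 32 characters, message up to 128), matches the resource's region against the Approved > Regions list with '*' and '?' wildcards, and applies the stated aggregation rule (unapproved by any sub-policy means Not approved, in contrast to Active, where active by any sub-policy means Active). The Usage sub-policy is assumed to be passed in already resolved, and the 60-minute "if new" window is taken from the text.

```python
"""Model of the Guardrails Approved control for GCP Network resources.

Added example, not Turbot's code. Function names and sample values are
constructed for illustration; the patterns, limits and rules come from the
policy descriptions on this page.
"""
import fnmatch
import re
from typing import Any, Dict, List

# Patterns copied from the Approved > Custom schema on the page.
RESULT_RE = re.compile(r"^(Approved|Not approved|Skip)$")
TITLE_RE = re.compile(r"^[\W\w]{1,32}$")
MESSAGE_RE = re.compile(r"^[\W\w]{1,128}$")
ALLOWED_KEYS = {"title", "message", "result"}


def normalize_custom(value: Any) -> List[Dict[str, str]]:
    """Validate an Approved > Custom value and return it as a list of objects.

    Accepts the three shapes the schema allows: a bare result string, one
    object with a required "result" key, or a list of such objects.
    Raises ValueError for anything the schema would reject."""
    if isinstance(value, str):
        if not RESULT_RE.fullmatch(value):
            raise ValueError(f"invalid result string: {value!r}")
        return [{"result": value}]
    if isinstance(value, dict):
        value = [value]
    if not isinstance(value, list):
        raise ValueError("custom value must be a string, an object or a list")
    out: List[Dict[str, str]] = []
    for i, obj in enumerate(value):
        if not isinstance(obj, dict):
            raise ValueError(f"item {i} is not an object")
        extra = set(obj) - ALLOWED_KEYS          # additionalProperties: false
        if extra:
            raise ValueError(f"item {i} has unsupported keys: {sorted(extra)}")
        if "result" not in obj or not RESULT_RE.fullmatch(str(obj["result"])):
            raise ValueError(f"item {i} needs result Approved / Not approved / Skip")
        if "title" in obj and not TITLE_RE.fullmatch(str(obj["title"])):
            raise ValueError(f"item {i}: title must be 1-32 characters")
        if "message" in obj and not MESSAGE_RE.fullmatch(str(obj["message"])):
            raise ValueError(f"item {i}: message must be 1-128 characters")
        out.append({k: str(v) for k, v in obj.items()})
    return out


def region_approved(region: str, approved_regions: List[str]) -> str:
    """Approved > Regions: the region must match an entry; '*' and '?' are
    wildcards (fnmatch also honours [...] classes, which the page does not
    mention, so an entry containing '[' is treated literally here)."""
    for pattern in approved_regions:
        if "[" in pattern:
            if region == pattern:
                return "Approved"
        elif fnmatch.fnmatchcase(region, pattern):
            return "Approved"
    return "Not approved"


def aggregate_approved(results: List[str]) -> str:
    """Approved control: Not approved if ANY sub-policy says so; Skip only
    when every sub-policy skipped; otherwise Approved."""
    if "Not approved" in results:
        return "Not approved"
    if all(r == "Skip" for r in results):
        return "Skip"
    return "Approved"


def aggregate_active(statuses: List[str]) -> str:
    """Active control, for contrast: active if ANY sub-policy says active;
    skipped only when every sub-policy skipped; otherwise inactive."""
    if "active" in statuses:
        return "active"
    if all(s == "skipped" for s in statuses):
        return "skipped"
    return "inactive"


def evaluate_approved(region: str, approved_regions: List[str],
                      custom_value: Any, usage_value: str = "Approved") -> str:
    """Combine the Regions, Usage and Custom sub-policies. usage_value is the
    Approved > Usage setting already resolved to Approved / Not approved
    (the page's "Approved if GCP > Network > Enabled" needs external state)."""
    results = [region_approved(region, approved_regions), usage_value]
    results += [obj["result"] for obj in normalize_custom(custom_value)]
    return aggregate_approved(results)


def enforcement(policy: str, verdict: str, age_minutes: float) -> str:
    """Map the Approved policy setting to the control's action. Per the page,
    "if new" actions only fire for resources created within the last 60
    minutes; older unapproved resources are assumed to still raise an alarm."""
    if policy == "Skip" or verdict != "Not approved":
        return "none"
    if policy == "Check: Approved":
        return "alarm"
    if policy == "Enforce: Delete unapproved if new":
        return "delete" if age_minutes <= 60 else "alarm"
    raise ValueError(f"unknown policy value: {policy!r}")


if __name__ == "__main__":
    # Constructed sample: a router in asia-east1 with only us-* regions approved.
    verdict = evaluate_approved("asia-east1", ["us-*", "europe-west?"],
                                [{"title": "owner tag", "result": "Approved"}])
    print(verdict, enforcement("Enforce: Delete unapproved if new", verdict, 15))
```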
GCP > Network > Router > Approved > Regions
A list of GCP regions in which GCP Network routers are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If a GCP Network router is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > Router > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/routerApprovedRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
GCP > Network > Router > Approved > Usage
Determine whether the GCP Network router is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network router is not approved, it will be subject to the action specified in the GCP > Network > Router > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/routerApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > Router > CMDB
Configure whether to record and synchronize details for the GCP Network router into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Router > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/gcp-network#/policy/types/routerCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Compute Engine API is enabled"}
GCP > Network > Router > Configured
Determine how to configure this resource. Note that if the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherited from the stack that owns it.
tmod:@turbot/gcp-network#/policy/types/routerConfigured
[ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source"]
{ "enum": [ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source" ], "default": "Enforce: Configured if using Configured > Source"}
GCP > Network > Router > Configured > Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.
By default, all resources are configured to use the precedence defined here, though they can override their Claim Precedence.
tmod:@turbot/gcp-network#/policy/types/routerConfiguredPrecedence
{ "type": "array", "items": { "type": "string" }, "default": [ "**" ]}
GCP > Network > Router > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/gcp-network#/policy/types/routerConfiguredSource
{ "type": "string", "default": "{\"resource\": {}}\n", "x-schema-form": { "type": "code", "language": "hcl" }}
GCP > Network > Router > Regions
A list of GCP regions in which GCP Network routers are supported for use.
Any routers in a region not listed here will not be recorded in the CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/gcp-network#/policy/types/routerRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
GCP > Network > Router > Usage
Configure the number of GCP Network routers that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > Router > Usage policy.
tmod:@turbot/gcp-network#/policy/types/routerUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > Router > Usage > Limit
Maximum number of items that can be created for this region
tmod:@turbot/gcp-network#/policy/types/routerUsageLimit
{ "type": "integer", "minimum": 0, "default": 5}
GCP > Network > SSL Certificate > Active
Determine the action to take for a GCP Network SSL certificate, based on the GCP > Network > SSL Certificate > Active > * policies.
The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > SSL Certificate > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/sslCertificateActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > SSL Certificate > Active > Age
The age after which the GCP Network SSL certificate is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > SSL Certificate > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/sslCertificateActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > SSL Certificate > Active > Last Modified
The number of days since the GCP Network SSL certificate was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > SSL Certificate > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
tmod:@turbot/gcp-network#/policy/types/sslCertificateActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > SSL Certificate > Approved
Determine the action to take when a GCP Network SSL certificate is not approved, based on the GCP > Network > SSL Certificate > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/sslCertificateApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > SSL Certificate > Approved > Custom
Determine whether the GCP Network SSL certificate is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network SSL certificate is not approved, it will be subject to the action specified in the GCP > Network > SSL Certificate > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of "Approved", "Not approved" or "Skip", or in the form of YAML objects. The object(s) must contain the key "result" with its value as "Approved" or "Not approved". A custom title and message can also be added using the keys "title" and "message" respectively.
tmod:@turbot/gcp-network#/policy/types/sslCertificateApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
GCP > Network > SSL Certificate > Approved > Usage
Determine whether the GCP Network SSL certificate is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network SSL certificate is not approved, it will be subject to the action specified in the GCP > Network > SSL Certificate > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/sslCertificateApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > SSL Certificate > CMDB
Configure whether to record and synchronize details for the GCP Network SSL certificate into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip, all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/gcp-network#/policy/types/sslCertificateCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Network API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Network API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Network API is enabled"}
GCP > Network > SSL Certificate > Usage
Configure the number of GCP Network SSL certificates that can be used for this project and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > SSL Certificate > Usage policy.
tmod:@turbot/gcp-network#/policy/types/sslCertificateUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > SSL Certificate > Usage > Limit
Maximum number of items that can be created for this project
tmod:@turbot/gcp-network#/policy/types/sslCertificateUsageLimit
{ "type": "integer", "minimum": 0, "default": 100}
GCP > Network > SSL Policy > Active
Determine the action to take for a GCP Network SSL policy, based on the GCP > Network > SSL Policy > Active > * policies.
The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > SSL Policy > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/sslPolicyActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > SSL Policy > Active > Age
The age after which the GCP Network SSL policy is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > SSL Policy > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/sslPolicyActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > SSL Policy > Active > Last Modified
The number of days since the GCP Network SSL policy was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > SSL Policy > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
tmod:@turbot/gcp-network#/policy/types/sslPolicyActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > SSL Policy > Approved
Determine the action to take when a GCP Network SSL policy is not approved, based on the GCP > Network > SSL Policy > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/sslPolicyApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > SSL Policy > Approved > Custom
Determine whether the GCP Network SSL policy is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network SSL policy is not approved, it will be subject to the action specified in the GCP > Network > SSL Policy > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of "Approved", "Not approved" or "Skip", or in the form of YAML objects. The object(s) must contain the key "result" with its value as "Approved" or "Not approved". A custom title and message can also be added using the keys "title" and "message" respectively.
tmod:@turbot/gcp-network#/policy/types/sslPolicyApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
GCP > Network > SSL Policy > Approved > Usage
Determine whether the GCP Network SSL policy is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network SSL policy is not approved, it will be subject to the action specified in the GCP > Network > SSL Policy > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/sslPolicyApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > SSL Policy > CMDB
Configure whether to record and synchronize details for the GCP Network SSL policy into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip, all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/gcp-network#/policy/types/sslPolicyCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Network API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Network API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Network API is enabled"}
GCP > Network > SSL Policy > Minimum TLS Version
Define the minimum version of the SSL/TLS protocol that clients will be able to use to establish a connection.
tmod:@turbot/gcp-network#/policy/types/sslPolicyMinimumTlsVersion
[ "Skip", "Check: TLS 1.0", "Check: TLS 1.1", "Check: TLS 1.2", "Enforce: TLS 1.0", "Enforce: TLS 1.1", "Enforce: TLS 1.2"]
{ "type": "string", "enum": [ "Skip", "Check: TLS 1.0", "Check: TLS 1.1", "Check: TLS 1.2", "Enforce: TLS 1.0", "Enforce: TLS 1.1", "Enforce: TLS 1.2" ], "example": [ "Skip" ], "default": "Skip"}
GCP > Network > SSL Policy > Profile
Define the profile that sets the features used when negotiating SSL with clients.
Managed profiles are maintained to support new SSL capabilities.
tmod:@turbot/gcp-network#/policy/types/sslPolicyProfile
[ "Skip", "Check: Compatible", "Check: Modern", "Check: Restricted", "Enforce: Compatible", "Enforce: Modern", "Enforce: Restricted"]
{ "type": "string", "enum": [ "Skip", "Check: Compatible", "Check: Modern", "Check: Restricted", "Enforce: Compatible", "Enforce: Modern", "Enforce: Restricted" ], "example": [ "Skip" ], "default": "Skip"}
GCP > Network > SSL Policy > Usage
Configure the number of GCP Network SSL policies that can be used for this project and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > SSL Policy > Usage policy.
tmod:@turbot/gcp-network#/policy/types/sslPolicyUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > SSL Policy > Usage > Limit
Maximum number of items that can be created for this project
tmod:@turbot/gcp-network#/policy/types/sslPolicyUsageLimit
{ "type": "integer", "minimum": 0, "default": 100}
GCP > Network > Subnetwork > Active
Determine the action to take for a GCP Network subnetwork, based on the GCP > Network > Subnetwork > Active > * policies.
The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > Subnetwork > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/subnetworkActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > Subnetwork > Active > Age
The age after which the GCP Network subnetwork is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > Subnetwork > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/subnetworkActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > Subnetwork > Active > Last Modified
The number of days since the GCP Network subnetwork was last modified before it is considered
inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Subnetwork > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
tmod:@turbot/gcp-network#/policy/types/subnetworkActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > Subnetwork > Approved
Determine the action to take when a GCP Network subnetwork is not approved based on GCP > Network > Subnetwork > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/subnetworkApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > Subnetwork > Approved > Custom
Determine whether the GCP Network subnetwork is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network subnetwork is not approved, it will be subject to the action specified in the GCP > Network > Subnetwork > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of "Approved", "Not approved" or "Skip", or in the form of YAML objects. The object(s) must contain the key "result" with its value as "Approved" or "Not approved". A custom title and message can also be added using the keys "title" and "message" respectively.
tmod:@turbot/gcp-network#/policy/types/subnetworkApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
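The following is an added example and is not code from the @turbot/gcp-network mod or from Guardrails itself. It validates a value for an "Approved > Custom" policy against the shapes in the schema above (a bare string, one object, or a list of objects, with the title/message length limits and the result pattern), and then combines per-policy results using the two rules stated in the prose: the Approved control treats a resource as Unapproved if any sub-policy says so, while the Active control treats it as Active if any sub-policy says so. Returning "Skip" when every sub-policy result is Skip is an assumption of this example, not something the page states.

```python
# Added example, not Guardrails' own evaluation code.
import re
from typing import Any, List

# Same patterns as the JSON schema of the Approved > Custom policy.
RESULT_RE = re.compile(r"^(Approved|Not approved|Skip)$")
TITLE_RE = re.compile(r"^[\W\w]{1,32}$")
MESSAGE_RE = re.compile(r"^[\W\w]{1,128}$")


def _check_object(obj: dict) -> str:
    """Validate one {title, message, result} object and return its result."""
    extra = set(obj) - {"title", "message", "result"}
    if extra:  # schema says additionalProperties: false
        raise ValueError(f"unexpected keys: {sorted(extra)}")
    result = obj.get("result")
    if not isinstance(result, str) or not RESULT_RE.fullmatch(result):
        raise ValueError(f"bad or missing result: {result!r}")
    for key, pattern in (("title", TITLE_RE), ("message", MESSAGE_RE)):
        if key in obj and not (isinstance(obj[key], str) and pattern.fullmatch(obj[key])):
            raise ValueError(f"{key} must be a string matching {pattern.pattern}")
    return result


def custom_results(value: Any) -> List[str]:
    """Return the result(s) carried by a custom policy value.

    Accepts the three shapes from the schema: a bare string, a single
    object, or a list of objects. Raises ValueError for anything else.
    """
    if isinstance(value, str):
        if not RESULT_RE.fullmatch(value):
            raise ValueError(f"bad result string: {value!r}")
        return [value]
    if isinstance(value, dict):
        return [_check_object(value)]
    if isinstance(value, list) and all(isinstance(item, dict) for item in value):
        return [_check_object(item) for item in value]
    raise ValueError(f"unsupported value: {value!r}")


def is_valid_custom(value: Any) -> bool:
    """True if the value passes the schema checks above."""
    try:
        custom_results(value)
        return True
    except ValueError:
        return False


def approved_status(results: List[str]) -> str:
    """Combine Approved results: unapproved for any reason means unapproved."""
    if "Not approved" in results:
        return "Not approved"
    if "Approved" in results:
        return "Approved"
    return "Skip"  # assumption: only-Skip results give no verdict


def active_status(results: List[str]) -> str:
    """Combine Active results: active for any reason means active."""
    if "active" in results:
        return "active"
    if "inactive" in results:
        return "inactive"
    return "skipped"
```

The contrast matters when several sub-policies disagree: one "Not approved" among Approved sub-policies is enough to trigger the Approved control's enforcement action, whereas one "active" among Active sub-policies is enough to keep a resource from being cleaned up.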
GCP > Network > Subnetwork > Approved > Regions
A list of GCP regions in which GCP Network subnetworks are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If a GCP Network subnetwork is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > Subnetwork > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/subnetworkApprovedRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
GCP > Network > Subnetwork > Approved > Usage
Determine whether the GCP Network subnetwork is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network subnetwork is not approved, it will be subject to the action specified in the GCP > Network > Subnetwork > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/subnetworkApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > Subnetwork > CMDB
Configure whether to record and synchronize details for the GCP Network subnetwork into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Subnetwork > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/gcp-network#/policy/types/subnetworkCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Compute Engine API is enabled"}
GCP > Network > Subnetwork > Configured
Determine how to configure this resource. Note that if the resource
is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it
tmod:@turbot/gcp-network#/policy/types/subnetworkConfigured
[ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source"]
{ "enum": [ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source" ], "default": "Enforce: Configured if using Configured > Source"}
GCP > Network > Subnetwork > Configured > Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
By default, all resources are configured to use the precedence defined
here, though they can override their Claim Precedence
tmod:@turbot/gcp-network#/policy/types/subnetworkConfiguredPrecedence
{ "type": "array", "items": { "type": "string" }, "default": [ "**" ]}
GCP > Network > Subnetwork > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource
tmod:@turbot/gcp-network#/policy/types/subnetworkConfiguredSource
{ "type": "string", "default": "{\"resource\": {}}\n", "x-schema-form": { "type": "code", "language": "hcl" }}
GCP > Network > Subnetwork > Policy
tmod:@turbot/gcp-network#/policy/types/subnetworkPolicy
GCP > Network > Subnetwork > Policy > Trusted Access
Check or Enforce access checking on the GCP Network Subnetwork policy.
Google Cloud IAM allows you to control who has access to the
network subnetwork via an IAM Policy. The Trusted Access policy
allows you to configure whether Guardrails will evaluate or
enforce restrictions on which members are allowed to be granted
access.
If enabled, the members in the IAM policy will be evaluated
against the list of allowed members in each of the Trusted
Access sub-policies (Trusted Access > Domains,
Trusted Access > Groups, etc).
If set to "Enforce: Trusted Access > *", access to non-trusted
members will be removed.
tmod:@turbot/gcp-network#/policy/types/subnetworkPolicyTrustedAccess
[ "Skip", "Check: Trusted Access > *", "Enforce: Trusted Access > *"]
{ "type": "string", "enum": [ "Skip", "Check: Trusted Access > *", "Enforce: Trusted Access > *" ], "default": "Skip"}
GCP > Network > Subnetwork > Policy > Trusted Access > Domains
List of GCP Domains that are trusted for access in the GCP Network Subnetwork policy.
This policy is used by the GCP > Network > Subnetwork > Policy > Trusted Access
control to determine which members of type "domain" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.
```
example:
- company.com
- company-dev.org
```
Note: Setting the policy to an empty array will remove all domains.
tmod:@turbot/gcp-network#/policy/types/subnetworkPolicyTrustedDomains
"{\n value: policy(uri: \"tmod:@turbot/gcp-network#/policy/types/networkTrustedDomains\")\n}\n"
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
GCP > Network > Subnetwork > Policy > Trusted Access > Groups
List of GCP Groups that are trusted for access in the GCP Network Subnetwork policy.
This policy is used by the GCP > Network > Subnetwork > Policy > Trusted Access
control to determine which members of type "group" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.
```
example:
- notification@company.com
- "*@company.com"
```
Note: Setting the policy to an empty array will remove all groups.
tmod:@turbot/gcp-network#/policy/types/subnetworkPolicyTrustedGroups
"{\n value: policy(uri: \"tmod:@turbot/gcp-network#/policy/types/networkTrustedGroups\")\n}\n"
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
GCP > Network > Subnetwork > Policy > Trusted Access > Projects
List of GCP Projects that are trusted for access in the GCP Network Subnetwork policy.
This policy is used by the GCP > Network > Subnetwork > Policy > Trusted Access
control to determine which members of type "project" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.
```
example:
- dev-aaa
- dev-aab
```
Note: Setting the policy to an empty array will remove all projects.
tmod:@turbot/gcp-network#/policy/types/subnetworkPolicyTrustedProjects
"{\n value: policy(uri: \"tmod:@turbot/gcp-network#/policy/types/networkTrustedProjects\")\n}\n"
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
GCP > Network > Subnetwork > Policy > Trusted Access > Service Accounts
List of GCP Service Accounts that are trusted for access in the GCP Network Subnetwork policy.
This policy is used by the GCP > Network > Subnetwork > Policy > Trusted Access
control to determine which members of type "serviceAccount" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.
```
example:
- project-owner@dev-aaa.iam.gserviceaccount.com
- "*" # All service accounts trusted
```
Note: Setting the policy to an empty array will remove all service accounts.
tmod:@turbot/gcp-network#/policy/types/subnetworkPolicyTrustedServiceAccounts
"{\n value: policy(uri: \"tmod:@turbot/gcp-network#/policy/types/networkTrustedServiceAccounts\")\n}\n"
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
GCP > Network > Subnetwork > Policy > Trusted Access > Users
List of GCP Users that are trusted for access in the GCP Network Subnetwork policy.
This policy is used by the GCP > Network > Subnetwork > Policy > Trusted Access
control to determine which members of type "user" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.
```
example:
- "*@company.com" # All users with email ending in @company.com are trusted
- "test@dev-company.com"
- "dummy@gmail.com"
```
Note: Setting the policy to an empty array will remove all users.
tmod:@turbot/gcp-network#/policy/types/subnetworkPolicyTrustedUsers
"{\n value: policy(uri: \"tmod:@turbot/gcp-network#/policy/types/networkTrustedUsers\")\n}\n"
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
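The following is an added example, not Guardrails' own code, showing what the Trusted Access control described above does to a subnetwork's IAM policy: each member is matched, by type, against the corresponding Domains / Groups / Projects / Service Accounts / Users list using the '*' and '?' wildcards, and under "Enforce: Trusted Access > *" the untrusted members are removed. The IAM policy shape (bindings of role to members) is the standard GCP format; the trusted lists and the sample policy are constructed for this example. Assumptions not stated on the page: matching is case-insensitive (emails and domains are), the legacy projectOwner/projectEditor/projectViewer member prefixes are what the Projects list governs, and special members such as allUsers are never trusted.

```python
# Added example, not Guardrails' own code.
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# IAM member prefix -> the Trusted Access sub-policy whose list applies to it.
MEMBER_TYPES = {
    "domain": "Domains",
    "group": "Groups",
    "serviceAccount": "Service Accounts",
    "user": "Users",
    "projectOwner": "Projects",   # assumption: legacy project member types
    "projectEditor": "Projects",  # are what the Projects list governs
    "projectViewer": "Projects",
}

# Constructed trusted lists, in the shape of the sub-policies' YAML arrays.
TRUSTED = {
    "Domains": ["company.com"],
    "Groups": ["*@company.com"],
    "Projects": ["dev-*"],
    "Service Accounts": ["*@dev-aaa.iam.gserviceaccount.com"],
    "Users": ["*@company.com"],
}

# Constructed IAM policy for one subnetwork.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/compute.networkUser",
         "members": ["user:alice@company.com", "user:mallory@gmail.com",
                     "group:net-admins@company.com"]},
        {"role": "roles/compute.networkViewer",
         "members": ["serviceAccount:ci@dev-aaa.iam.gserviceaccount.com",
                     "serviceAccount:ci@prod-zzz.iam.gserviceaccount.com",
                     "domain:company.com", "projectViewer:dev-aab"]},
        {"role": "roles/viewer", "members": ["allUsers"]},
    ]
}


def member_is_trusted(member: str, trusted: Dict[str, List[str]]) -> bool:
    """True if the member matches a pattern in the list for its type.

    An empty list trusts nobody of that type, which is what the docs say
    setting the policy to an empty array does.
    """
    if ":" not in member:           # allUsers, allAuthenticatedUsers (assumption)
        return False
    mtype, value = member.split(":", 1)
    policy_name = MEMBER_TYPES.get(mtype)
    if policy_name is None:         # deleted:... and other prefixes
        return False
    patterns = trusted.get(policy_name, [])
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def evaluate_trusted_access(policy: dict, trusted: Dict[str, List[str]],
                            setting: str) -> Tuple[List[Tuple[str, str]], dict]:
    """Return (untrusted (role, member) pairs, resulting policy).

    "Skip": nothing is evaluated. "Check: Trusted Access > *": report only.
    "Enforce: Trusted Access > *": untrusted members are removed from every
    binding and bindings left empty are dropped.
    """
    if setting == "Skip":
        return [], policy
    enforce = setting.startswith("Enforce")
    untrusted: List[Tuple[str, str]] = []
    bindings = []
    for binding in policy.get("bindings", []):
        kept = []
        for member in binding.get("members", []):
            if member_is_trusted(member, trusted):
                kept.append(member)
            else:
                untrusted.append((binding["role"], member))
        if not enforce:
            bindings.append(binding)
        elif kept:
            bindings.append({**binding, "members": kept})
    return untrusted, {**policy, "bindings": bindings}


if __name__ == "__main__":
    found, fixed = evaluate_trusted_access(SAMPLE_POLICY, TRUSTED,
                                           "Enforce: Trusted Access > *")
    for role, member in found:
        print(f"removed {member} from {role}")
```

Run against the sample policy, the Check setting reports the Gmail user, the service account from the untrusted project and allUsers; the Enforce setting additionally drops them, and the roles/viewer binding disappears entirely because it has no trusted member left.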
GCP > Network > Subnetwork > Regions
A list of GCP regions in which GCP Network subnetworks are supported for use.
Any subnetworks in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/gcp-network#/policy/types/subnetworkRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
GCP > Network > Subnetwork > Usage
Configure the number of GCP Network subnetworks that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > Subnetwork > Usage policy.
tmod:@turbot/gcp-network#/policy/types/subnetworkUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > Subnetwork > Usage > Limit
Maximum number of items that can be created for this region
tmod:@turbot/gcp-network#/policy/types/subnetworkUsageLimit
{ "type": "integer", "minimum": 0, "default": 175}
GCP > Network > Target HTTPS Proxy > Active
Determine the action to take when a GCP Network target HTTPS proxy is not active, based on the GCP > Network > Target HTTPS Proxy > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Target HTTPS Proxy > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxyActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > Target HTTPS Proxy > Active > Age
The age after which the GCP Network target HTTPS proxy is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Target HTTPS Proxy > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxyActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > Target HTTPS Proxy > Active > Last Modified
The number of days since the GCP Network target HTTPS proxy was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Target HTTPS Proxy > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxyActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > Target HTTPS Proxy > Approved
Determine the action to take when a GCP Network target HTTPS proxy is not approved based on GCP > Network > Target HTTPS Proxy > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxyApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > Target HTTPS Proxy > Approved > Custom
Determine whether the GCP Network target https proxy is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network target HTTPS proxy is not approved, it will be subject to the action specified in the GCP > Network > Target HTTPS Proxy > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of "Approved", "Not approved" or "Skip", or in the form of YAML objects. The object(s) must contain the key "result" with its value as "Approved" or "Not approved". A custom title and message can also be added using the keys "title" and "message" respectively.
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxyApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
GCP > Network > Target HTTPS Proxy > Approved > Usage
Determine whether the GCP Network target https proxy is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network target HTTPS proxy is not approved, it will be subject to the action specified in the GCP > Network > Target HTTPS Proxy > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxyApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > Target HTTPS Proxy > CMDB
Configure whether to record and synchronize details for the GCP Network target https proxy into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxyCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Network API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Network API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Network API is enabled"}
GCP > Network > Target HTTPS Proxy > SSL Policy
Determine the action to take when an GCP Network target HTTPS proxy is not using an
allowed SSL policy.
If a target HTTPS proxy is not using an allowed SSL policy and this policy is set to "Enforce: Set to default if SSL policy not in allowed list", the target HTTPS proxy will be updated to use the SSL policy selected in the GCP > Network > Target HTTPS Proxy > SSL Policy > Default policy.
If the SSL policy in the GCP > Network > Target HTTPS Proxy > SSL Policy > Default policy is not itself allowed by the GCP > Network > Target HTTPS Proxy > SSL Policy > Allowed policy, Guardrails will not attempt to set the SSL policy, to prevent continuous updates.
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxySslPolicy
[ "Skip", "Check: SSL policy in allowed list", "Enforce: Set to default if SSL policy not in allowed list"]
{ "type": "string", "enum": [ "Skip", "Check: SSL policy in allowed list", "Enforce: Set to default if SSL policy not in allowed list" ], "example": [ "Check: SSL policy in allowed list" ], "default": "Skip"}
GCP > Network > Target HTTPS Proxy > SSL Policy > Allowed
A list of SSL policies that the GCP Network target HTTPS proxy is allowed to use.
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxySslPolicyAllowed
{ "type": "array", "items": { "type": "string" }, "default": [ "*" ]}
GCP > Network > Target HTTPS Proxy > SSL Policy > Default
Define the default GCP SSL policy the GCP Network target HTTPS proxy should use if it's
not currently using an allowed SSL policy.
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxySslPolicyDefault
{ "type": "string", "default": ""}
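The following is an added example, not Guardrails' own code. It reproduces the decision the SSL Policy control above makes for one target HTTPS proxy from the three policy values (SSL Policy, SSL Policy > Allowed, SSL Policy > Default), including the documented case where the Default SSL policy is not in the Allowed list, so no update is made and the proxy does not flap. Assumptions of this example that the page does not state: entries in Allowed may use the '*' and '?' wildcards like the other list policies on this page (its default is ["*"]); a proxy with no sslPolicy set is compared as the empty name, so only the "*" wildcard accepts it; an empty Default means there is nothing to set; and because proxies reference SSL policies by URL, only the final path segment (the policy name) is compared.

```python
# Added example, not Guardrails' own code.
from fnmatch import fnmatchcase
from typing import List, Optional

# The three values of the GCP > Network > Target HTTPS Proxy > SSL Policy policy.
SETTING_SKIP = "Skip"
SETTING_CHECK = "Check: SSL policy in allowed list"
SETTING_ENFORCE = "Enforce: Set to default if SSL policy not in allowed list"


def policy_name(ref: Optional[str]) -> str:
    """'.../global/sslPolicies/modern-tls12' -> 'modern-tls12'; None -> ''."""
    return "" if not ref else ref.rstrip("/").rsplit("/", 1)[-1]


def is_allowed(ref: Optional[str], allowed: List[str]) -> bool:
    """True if the policy name matches any entry of the Allowed list."""
    name = policy_name(ref)
    return any(fnmatchcase(name, pattern) for pattern in allowed)


def ssl_policy_action(current: Optional[str], allowed: List[str],
                      default: str, setting: str) -> str:
    """Return the control's outcome for one proxy.

    "skip"        - control disabled
    "ok"          - proxy already uses an allowed SSL policy
    "alarm"       - not allowed, Check mode, nothing changed
    "set_default" - not allowed, Enforce mode, proxy updated to Default
    "alarm_default_not_allowed" - not allowed, but Default is empty or is
                    not in Allowed either, so no update is attempted
    """
    if setting == SETTING_SKIP:
        return "skip"
    if is_allowed(current, allowed):
        return "ok"
    if setting == SETTING_CHECK:
        return "alarm"
    if setting != SETTING_ENFORCE:
        raise ValueError(f"unknown setting: {setting!r}")
    if not default or not is_allowed(default, allowed):
        return "alarm_default_not_allowed"
    return "set_default"


def reconcile(proxy: dict, allowed: List[str], default: str, setting: str):
    """Return (action, proxy as it would look after the control has run)."""
    action = ssl_policy_action(proxy.get("sslPolicy"), allowed, default, setting)
    if action == "set_default":
        return action, {**proxy, "sslPolicy": default}
    return action, proxy
```

Before switching the policy from Check to Enforce, confirm the Default value matches one of the Allowed entries; otherwise every non-compliant proxy stays in alarm with no remediation, which is exactly the guard described above.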
GCP > Network > Target HTTPS Proxy > Usage
Configure the number of GCP Network target HTTPS proxies that can be used for this project and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > Target HTTPS Proxy > Usage policy.
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxyUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > Target HTTPS Proxy > Usage > Limit
Maximum number of items that can be created for this project
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxyUsageLimit
{ "type": "integer", "minimum": 0, "default": 100}
GCP > Network > Target Pool > Active
Determine the action to take when a GCP Network target pool is not active, based on the GCP > Network > Target Pool > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Target Pool > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/targetPoolActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > Target Pool > Active > Age
The age after which the GCP Network target pool is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Target Pool > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/targetPoolActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > Target Pool > Active > Last Modified
The number of days since the GCP Network target pool was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > Target Pool > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
tmod:@turbot/gcp-network#/policy/types/targetPoolActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
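The three Target Pool Active policies above combine as described: each sub-policy votes active, inactive or skipped, and an active vote from any of them keeps the pool. The Python below is an added example for this page, not code from the @turbot/gcp-network mod, and walks that evaluation end to end with constructed timestamps. It takes the page's statements literally (the discovery time stands in for a missing create time; "active for any reason" wins) and makes two assumptions the page does not state: a "Force ..." option overrides unforced votes, and a sub-policy whose condition is not met casts no vote.

```python
"""Evaluate the Active control for a GCP Network target pool.

Added example for this page, not code from the @turbot/gcp-network mod.
The policy strings are the values listed above. Assumptions (not stated on
the page): a "Force ..." option overrides the other sub-policies, and a
sub-policy whose condition is not met casts no vote ("skipped").
"""
import re
from datetime import datetime, timedelta, timezone

_DAYS = re.compile(r"(\d+) days?\b")


def threshold_days(policy_value):
    """Pull the day count out of a value such as 'Force inactive if age > 90 days'
    or 'Enforce: Delete inactive with 7 days warning'."""
    m = _DAYS.search(policy_value)
    if not m:
        raise ValueError(f"no day threshold in {policy_value!r}")
    return int(m.group(1))


def age_vote(policy_value, create_time, discovered_time, now):
    """Active > Age. Returns (status, forced). Uses the time Guardrails
    discovered the resource when no create time is available (page rule)."""
    if policy_value == "Skip":
        return ("skipped", False)
    start = create_time if create_time is not None else discovered_time
    age_days = (now - start) / timedelta(days=1)
    if age_days > threshold_days(policy_value):
        return ("inactive", True)      # "Force inactive if age > N days"
    return ("skipped", False)          # assumption: under the threshold Age does not vote


def last_modified_vote(policy_value, last_modified, now):
    """Active > Last Modified. 'Active if ...' votes inactive once the window
    is exceeded; 'Force active if ...' is assumed to only ever cast a forced
    active vote."""
    if policy_value == "Skip":
        return ("skipped", False)
    forced = policy_value.startswith("Force ")
    within = (now - last_modified) / timedelta(days=1) <= threshold_days(policy_value)
    if within:
        return ("active", forced)
    return ("skipped" if forced else "inactive", False)


def combine(votes):
    """Page rule: active for any reason -> active; skipped votes are ignored.
    Assumption: forced votes override unforced ones, inactive winning a tie."""
    forced = [s for s, f in votes if f]
    if forced:
        return "inactive" if "inactive" in forced else "active"
    statuses = [s for s, _ in votes if s != "skipped"]
    if not statuses:
        return "skipped"
    return "active" if "active" in statuses else "inactive"


def planned_action(active_policy, status):
    """Map the Active policy value and combined status to
    ('ok' | 'alarm' | 'delete_after_warning', warning_days)."""
    if active_policy == "Skip" or status != "inactive":
        return ("ok", 0)
    if active_policy == "Check: Active":
        return ("alarm", 0)
    return ("delete_after_warning", threshold_days(active_policy))


def evaluate_target_pool(policies, pool, now):
    """policies: the Active, Age and Last Modified values; pool: tz-aware
    creation, discovery and last-modified timestamps."""
    votes = [
        age_vote(policies["age"], pool.get("create_time"), pool["discovered_time"], now),
        last_modified_vote(policies["last_modified"], pool["last_modified"], now),
    ]
    status = combine(votes)
    return status, planned_action(policies["active"], status)


if __name__ == "__main__":
    # Constructed sample: a pool created 120 days ago and touched 10 days ago.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    pool = {
        "create_time": now - timedelta(days=120),
        "discovered_time": now - timedelta(days=119),
        "last_modified": now - timedelta(days=10),
    }
    policies = {
        "active": "Enforce: Delete inactive with 30 days warning",
        "age": "Force inactive if age > 90 days",
        "last_modified": "Active if last modified <= 30 days",
    }
    print(evaluate_target_pool(policies, pool, now))
```

Run as a script, the sample pool comes out as inactive with a 30-day deletion warning: the forced inactive vote from the Age policy beats the recent modification, which is exactly the interaction to think about before turning on an Enforce option.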
GCP > Network > Target Pool > Approved
Determine the action to take when a GCP Network target pool is not approved based on GCP > Network > Target Pool > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/targetPoolApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > Target Pool > Approved > Custom
Determine whether the GCP Network target pool is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network target pool is not approved, it will be subject to the action specified in the GCP > Network > Target Pool > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of "Approved", "Not approved" or "Skip", or in the form of YAML objects. The object(s) must contain the key "result" with its value as "Approved", "Not approved" or "Skip". A custom title (up to 32 characters) and message (up to 128 characters) can also be added using the keys "title" and "message" respectively; no other keys are accepted.
tmod:@turbot/gcp-network#/policy/types/targetPoolApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
GCP > Network > Target Pool > Approved > Regions
A list of GCP regions in which GCP Network target pools are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If a GCP Network target pool is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > Target Pool > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/targetPoolApprovedRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
GCP > Network > Target Pool > Approved > Usage
Determine whether the GCP Network target pool is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network target pool is not approved, it will be subject to the action specified in the GCP > Network > Target Pool > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/targetPoolApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
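The Approved sub-policies above (Custom, Regions, Usage) combine the opposite way from Active: a single "Not approved" result makes the pool unapproved, and the 60-minute window limits what "Enforce: Delete unapproved if new" will touch. The Python below is an added example for this page, not the mod's own code; the resource values and policy settings are constructed. It validates Custom values against the shapes the schema above allows (a string, one object, or a list of objects with "result", an optional "title" of up to 32 characters and a "message" of up to 128), matches Regions with the '*' and '?' wildcards the page describes, and then applies the combination and "if new" rules.

```python
"""Evaluate the Approved control for a GCP Network target pool.

Added example for this page, not code from the @turbot/gcp-network mod.
Policy values are the ones listed above; the pool data is constructed.
"""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

RESULTS = {"Approved", "Not approved", "Skip"}
CUSTOM_KEYS = {"title", "message", "result"}


def custom_results(value):
    """Approved > Custom: a string, one object or a list of objects.
    Returns [(result, title, message)], enforcing the schema's limits
    (title 1-32 chars, message 1-128 chars, no extra keys)."""
    items = value if isinstance(value, list) else [value]
    out = []
    for item in items:
        if isinstance(item, str):
            item = {"result": item}
        if not isinstance(item, dict) or "result" not in item:
            raise ValueError("each custom entry needs a 'result' key")
        extra = set(item) - CUSTOM_KEYS
        if extra:
            raise ValueError(f"unexpected keys: {sorted(extra)}")
        if item["result"] not in RESULTS:
            raise ValueError(f"bad result {item['result']!r}")
        if "title" in item and not 1 <= len(item["title"]) <= 32:
            raise ValueError("title must be 1-32 characters")
        if "message" in item and not 1 <= len(item["message"]) <= 128:
            raise ValueError("message must be 1-128 characters")
        out.append((item["result"], item.get("title", ""), item.get("message", "")))
    return out


def regions_result(region, approved_regions):
    """Approved > Regions: approved if the pool's region matches any entry;
    entries may use '*' and '?' wildcards."""
    return "Approved" if any(fnmatchcase(region, p) for p in approved_regions) else "Not approved"


def usage_result(value, network_enabled):
    """Approved > Usage; the default 'Approved if GCP > Network > Enabled'
    depends on whether the Network service is enabled for the project."""
    if value == "Approved if GCP > Network > Enabled":
        return "Approved" if network_enabled else "Not approved"
    return value


def combine(results):
    """Page rule: not approved for any reason -> Not approved; Skip is ignored."""
    votes = [r for r in results if r != "Skip"]
    if "Not approved" in votes:
        return "Not approved"
    return "Approved" if votes else "Skip"


def planned_action(approved_policy, status, create_time, now):
    """'Enforce: Delete unapproved if new' only deletes resources created in
    the last 60 minutes; older unapproved resources just raise an alarm."""
    if approved_policy == "Skip" or status != "Not approved":
        return "ok"
    if approved_policy == "Check: Approved":
        return "alarm"
    is_new = now - create_time <= timedelta(minutes=60)
    return "delete" if is_new else "alarm"


def evaluate_target_pool(policies, pool, now):
    results = [r for r, _, _ in custom_results(policies["custom"])]
    results.append(regions_result(pool["region"], policies["regions"]))
    results.append(usage_result(policies["usage"], pool["network_enabled"]))
    status = combine(results)
    return status, planned_action(policies["approved"], status, pool["create_time"], now)


if __name__ == "__main__":
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    # Constructed sample: a 20-minute-old pool in a region outside the approved list.
    pool = {"region": "europe-west1", "network_enabled": True,
            "create_time": now - timedelta(minutes=20)}
    policies = {
        "approved": "Enforce: Delete unapproved if new",
        "custom": [{"title": "owner label", "result": "Approved", "message": "label present"}],
        "regions": ["us-*", "northamerica-northeast1"],
        "usage": "Approved if GCP > Network > Enabled",
    }
    print(evaluate_target_pool(policies, pool, now))
```

The sample pool is approved by Custom and Usage but lands in a region outside the list, so the combined status is "Not approved" and, being 20 minutes old, it falls inside the deletion window. Change the create time to two hours ago and the same pool only alarms.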
GCP > Network > Target Pool > CMDB
Configure whether to record and synchronize details for the GCP Network target pool into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the target pool's region is not in the GCP > Network > Target Pool > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/gcp-network#/policy/types/targetPoolCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Network API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Network API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Network API is enabled"}
GCP > Network > Target Pool > Regions
A list of GCP regions in which GCP Network target pools are supported for use.
Any target pools in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/gcp-network#/policy/types/targetPoolRegions
{ "allOf": [ { "$ref": "gcp#/definitions/regionNameMatcherList" }, { "default": [ "asia-east1", "asia-east2", "asia-northeast1", "asia-northeast2", "asia-northeast3", "asia-south1", "asia-southeast1", "asia-southeast2", "australia-southeast1", "europe-north1", "europe-west1", "europe-west2", "europe-west3", "europe-west4", "europe-west6", "northamerica-northeast1", "southamerica-east1", "us-central1", "us-east1", "us-east4", "us-west1", "us-west2", "us-west3", "us-west5" ] } ]}
GCP > Network > Target Pool > Usage
Configure the number of GCP Network target pools that can be used for this project and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > Target Pool > Usage policy.
tmod:@turbot/gcp-network#/policy/types/targetPoolUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > Target Pool > Usage > Limit
Maximum number of items that can be created for this project
tmod:@turbot/gcp-network#/policy/types/targetPoolUsageLimit
{ "type": "integer", "minimum": 0, "default": 500}
GCP > Network > Target SSL Proxy > Active
Determine the action to take when a GCP Network target ssl proxy is inactive, based on the GCP > Network > Target SSL Proxy > Active > * policies.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > Target SSL Proxy > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/targetSslProxyActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > Target SSL Proxy > Active > Age
The age after which the GCP Network target ssl proxy is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > Target SSL Proxy > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/targetSslProxyActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > Target SSL Proxy > Active > Last Modified
The number of days since the GCP Network target ssl proxy was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > Target SSL Proxy > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
tmod:@turbot/gcp-network#/policy/types/targetSslProxyActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > Target SSL Proxy > Approved
Determine the action to take when a GCP Network target ssl proxy is not approved based on GCP > Network > Target SSL Proxy > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/targetSslProxyApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > Target SSL Proxy > Approved > Custom
Determine whether the GCP Network target ssl proxy is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network target ssl proxy is not approved, it will be subject to the action specified in the GCP > Network > Target SSL Proxy > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of "Approved", "Not approved" or "Skip", or in the form of YAML objects. The object(s) must contain the key "result" with its value as "Approved", "Not approved" or "Skip". A custom title (up to 32 characters) and message (up to 128 characters) can also be added using the keys "title" and "message" respectively; no other keys are accepted.
tmod:@turbot/gcp-network#/policy/types/targetSslProxyApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
GCP > Network > Target SSL Proxy > Approved > Usage
Determine whether the GCP Network target ssl proxy is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network target ssl proxy is not approved, it will be subject to the action specified in the GCP > Network > Target SSL Proxy > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/targetSslProxyApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > Target SSL Proxy > CMDB
Configure whether to record and synchronize details for the GCP Network target ssl proxy into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/gcp-network#/policy/types/targetSslProxyCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Network API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Network API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Network API is enabled"}
GCP > Network > Target SSL Proxy > SSL Policy
Determine the action to take when a GCP Network target SSL proxy is not using an allowed SSL policy.
If a target SSL proxy is not using an allowed SSL policy and this policy is set to "Enforce: Set to default if SSL policy not in allowed list", the target SSL proxy will be updated to use the SSL policy selected in the GCP > Network > Target SSL Proxy > SSL Policy > Default policy.
If the SSL policy in the GCP > Network > Target SSL Proxy > SSL Policy > Default policy is itself not allowed by the GCP > Network > Target SSL Proxy > SSL Policy > Allowed policy, Guardrails will not attempt to set the SSL policy, to prevent continuous updates.
tmod:@turbot/gcp-network#/policy/types/targetSslProxySslPolicy
[ "Skip", "Check: SSL policy in allowed list", "Enforce: Set to default if SSL policy not in allowed list"]
{ "type": "string", "enum": [ "Skip", "Check: SSL policy in allowed list", "Enforce: Set to default if SSL policy not in allowed list" ], "example": [ "Check: SSL policy in allowed list" ], "default": "Skip"}
GCP > Network > Target SSL Proxy > SSL Policy > Allowed
A list of SSL policies that the GCP Network target SSL proxy is allowed to use.
tmod:@turbot/gcp-network#/policy/types/targetSslProxySslPolicyAllowed
{ "type": "array", "items": { "type": "string" }, "default": [ "*" ]}
GCP > Network > Target SSL Proxy > SSL Policy > Default
Define the default GCP SSL policy the GCP Network target SSL proxy should use if it's not currently using an allowed SSL policy.
tmod:@turbot/gcp-network#/policy/types/targetSslProxySslPolicyDefault
{ "type": "string", "default": ""}
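The continuous-update guard described above matters in practice: with enforcement on and a Default that the Allowed list rejects, a control without the guard would rewrite the proxy on every evaluation. The Python below is an added example for this page, not the mod's own code, with constructed SSL policy names. It assumes the Allowed list uses the same '*' and '?' wildcards as the Regions policies (its default above is ["*"]) and represents a proxy with no SSL policy as an empty string; the guard=False path exists only to show the loop the page's rule prevents. Note that the Default policy's schema default is an empty string, so enforcement has nothing to set until you fill it in.

```python
"""Decide what the GCP > Network > Target SSL Proxy > SSL Policy control does.

Added example for this page, not code from the @turbot/gcp-network mod.
SSL policy names are constructed. Assumptions: the Allowed list accepts the
'*' and '?' wildcards used by the Regions policies, and a proxy with no SSL
policy attached is represented by "".
"""
from fnmatch import fnmatchcase

CHECK = "Check: SSL policy in allowed list"
ENFORCE = "Enforce: Set to default if SSL policy not in allowed list"


def is_allowed(ssl_policy, allowed):
    """True when the policy name matches any entry of the Allowed list."""
    return any(fnmatchcase(ssl_policy, pattern) for pattern in allowed)


def decide(policy_value, current, allowed, default, guard=True):
    """Return (action, ssl_policy_to_set); action is 'ok', 'alarm' or 'set'.
    guard=True applies the rule from the page: if the Default policy is not
    itself in the Allowed list, leave the proxy alone (an empty Default, the
    schema default, is treated the same way)."""
    if policy_value == "Skip" or is_allowed(current, allowed):
        return ("ok", None)
    if policy_value == CHECK:
        return ("alarm", None)
    if policy_value != ENFORCE:
        raise ValueError(f"unknown policy value {policy_value!r}")
    if guard and (not default or not is_allowed(default, allowed)):
        return ("alarm", None)
    return ("set", default)


def simulate(policy_value, current, allowed, default, rounds=3, guard=True):
    """Re-run the control the way successive evaluations would, applying
    each 'set' to the proxy, and return the sequence of actions taken."""
    actions = []
    for _ in range(rounds):
        action, new_value = decide(policy_value, current, allowed, default, guard)
        actions.append(action)
        if action == "set":
            current = new_value
    return actions


if __name__ == "__main__":
    allowed = ["tls12-*"]
    # Default inside the allowed list: one update, then the proxy stays compliant.
    print(simulate(ENFORCE, "legacy-tls10", allowed, "tls12-modern"))
    # Default outside the allowed list: the guard alarms instead of updating.
    print(simulate(ENFORCE, "legacy-tls10", allowed, "compat-tls11"))
    # Same situation without the guard: the proxy is rewritten on every pass.
    print(simulate(ENFORCE, "legacy-tls10", allowed, "compat-tls11", guard=False))
```

Before switching the policy to Enforce, run the Check option for a while and make sure the Default you picked actually matches an Allowed entry; otherwise the control can only alarm, which is the guard doing its job.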
GCP > Network > Target SSL Proxy > Usage
Configure the number of GCP Network target ssl proxies that can be used for this project and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > Target SSL Proxy > Usage policy.
tmod:@turbot/gcp-network#/policy/types/targetSslProxyUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > Target SSL Proxy > Usage > Limit
Maximum number of items that can be created for this project
tmod:@turbot/gcp-network#/policy/types/targetSslProxyUsageLimit
{ "type": "integer", "minimum": 0, "default": 100}
GCP > Network > Target TCP Proxy > Active
Determine the action to take when a GCP Network target tcp proxy is inactive, based on the GCP > Network > Target TCP Proxy > Active > * policies.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > Target TCP Proxy > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/targetTcpProxyActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > Target TCP Proxy > Active > Age
The age after which the GCP Network target tcp proxy is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > Target TCP Proxy > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/targetTcpProxyActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > Target TCP Proxy > Active > Last Modified
The number of days since the GCP Network target tcp proxy was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > Target TCP Proxy > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
tmod:@turbot/gcp-network#/policy/types/targetTcpProxyActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > Target TCP Proxy > Approved
Determine the action to take when a GCP Network target tcp proxy is not approved based on GCP > Network > Target TCP Proxy > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/targetTcpProxyApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > Target TCP Proxy > Approved > Custom
Determine whether the GCP Network target TCP proxy is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network target TCP proxy is not approved, it will be subject to the action specified in the GCP > Network > Target TCP Proxy > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/gcp-network#/policy/types/targetTcpProxyApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
GCP > Network > Target TCP Proxy > Approved > Usage
Determine whether the GCP Network target TCP proxy is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network target TCP proxy is not approved, it will be subject to the action specified in the GCP > Network > Target TCP Proxy > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/targetTcpProxyApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > Target TCP Proxy > CMDB
Configure whether to record and synchronize details for the GCP Network target TCP proxy into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/gcp-network#/policy/types/targetTcpProxyCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Network API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Network API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Network API is enabled"}
GCP > Network > Target TCP Proxy > Usage
Configure the number of GCP Network target TCP proxies that can be used for this project and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > Target TCP Proxy > Usage policy.
tmod:@turbot/gcp-network#/policy/types/targetTcpProxyUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > Target TCP Proxy > Usage > Limit
Maximum number of items that can be created for this project
tmod:@turbot/gcp-network#/policy/types/targetTcpProxyUsageLimit
{ "type": "integer", "minimum": 0, "default": 100}
GCP > Network > Target VPN Gateway > Active
Determine the action to take when a GCP Network target VPN gateway is not active, based on the GCP > Network > Target VPN Gateway > Active > * policies.
The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > Target VPN Gateway > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > Target VPN Gateway > Active > Age
The age after which the GCP Network target VPN gateway is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > Target VPN Gateway > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > Target VPN Gateway > Active > Last Modified
The number of days since the GCP Network target VPN gateway was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > Target VPN Gateway > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > Target VPN Gateway > Approved
Determine the action to take when a GCP Network target VPN gateway is not approved, based on the GCP > Network > Target VPN Gateway > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > Target VPN Gateway > Approved > Custom
Determine whether the GCP Network target VPN gateway is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network target VPN gateway is not approved, it will be subject to the action specified in the GCP > Network > Target VPN Gateway > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
GCP > Network > Target VPN Gateway > Approved > Regions
A list of GCP regions in which GCP Network target VPN gateways are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If a GCP Network target VPN gateway is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > Target VPN Gateway > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayApprovedRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
GCP > Network > Target VPN Gateway > Approved > Usage
Determine whether the GCP Network target VPN gateway is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network target VPN gateway is not approved, it will be subject to the action specified in the GCP > Network > Target VPN Gateway > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > Target VPN Gateway > CMDB
Configure whether to record and synchronize details for the GCP Network target VPN gateway into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Target VPN Gateway > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Compute Engine API is enabled"}
GCP > Network > Target VPN Gateway > Configured
Determine how to configure this resource. Note that if the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and are inherited from the stack that owns it.
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayConfigured
[ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source"]
{ "enum": [ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source" ], "default": "Enforce: Configured if using Configured > Source"}
GCP > Network > Target VPN Gateway > Configured > Precedence
An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.
By default, all resources are configured to use the precedence defined here, though they can override their Claim Precedence.
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayConfiguredPrecedence
{ "type": "array", "items": { "type": "string" }, "default": [ "**" ]}
GCP > Network > Target VPN Gateway > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayConfiguredSource
{ "type": "string", "default": "{\"resource\": {}}\n", "x-schema-form": { "type": "code", "language": "hcl" }}
GCP > Network > Target VPN Gateway > Regions
A list of GCP regions in which GCP Network target VPN gateways are supported for use.
Any target VPN gateways in a region not listed here will not be recorded in the CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
GCP > Network > Target VPN Gateway > Usage
Configure the number of GCP Network target VPN gateways that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > Target VPN Gateway > Usage policy.
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > Target VPN Gateway > Usage > Limit
Maximum number of items that can be created for this region
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayUsageLimit
{ "type": "integer", "minimum": 0, "default": 15}
GCP > Network > URL Map > Active
Determine the action to take when a GCP Network URL map is not active, based on the GCP > Network > URL Map > Active > * policies.
The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > URL Map > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/urlMapActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > URL Map > Active > Age
The age after which the GCP Network URL map is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > URL Map > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/urlMapActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > URL Map > Active > Last Modified
The number of days since the GCP Network URL map was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > URL Map > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
tmod:@turbot/gcp-network#/policy/types/urlMapActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > URL Map > Approved
Determine the action to take when a GCP Network URL map is not approved, based on the GCP > Network > URL Map > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/urlMapApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > URL Map > Approved > Custom
Determine whether the GCP Network URL map is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network URL map is not approved, it will be subject to the action specified in the GCP > Network > URL Map > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/gcp-network#/policy/types/urlMapApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
GCP > Network > URL Map > Approved > Usage
Determine whether the GCP Network URL map is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network URL map is not approved, it will be subject to the action specified in the GCP > Network > URL Map > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/urlMapApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > URL Map > CMDB
Configure whether to record and synchronize details for the GCP Network URL map into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/gcp-network#/policy/types/urlMapCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Network API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Network API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Network API is enabled"}
GCP > Network > URL Map > Usage
Configure the number of GCP Network URL maps that can be used for this project and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > URL Map > Usage policy.
tmod:@turbot/gcp-network#/policy/types/urlMapUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > URL Map > Usage > Limit
Maximum number of items that can be created for this project
tmod:@turbot/gcp-network#/policy/types/urlMapUsageLimit
{ "type": "integer", "minimum": 0, "default": 100}
GCP > Network > VPN Tunnel > Active
Determine the action to take when a GCP Network VPN tunnel is not active, based on the GCP > Network > VPN Tunnel > Active > * policies.
The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > VPN Tunnel > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/vpnTunnelActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
GCP > Network > VPN Tunnel > Active > Age
The age after which the GCP Network VPN tunnel is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > VPN Tunnel > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/gcp-network#/policy/types/vpnTunnelActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
GCP > Network > VPN Tunnel > Active > Last Modified
The number of days since the GCP Network VPN tunnel was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (GCP > Network > VPN Tunnel > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
tmod:@turbot/gcp-network#/policy/types/vpnTunnelActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
GCP > Network > VPN Tunnel > Approved
Determine the action to take when a GCP Network VPN tunnel is not approved, based on the GCP > Network > VPN Tunnel > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/vpnTunnelApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
GCP > Network > VPN Tunnel > Approved > Custom
Determine whether the GCP Network VPN tunnel is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network VPN tunnel is not approved, it will be subject to the action specified in the GCP > Network > VPN Tunnel > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of "Approved", "Not approved" or "Skip", or in the form of YAML objects. The object(s) must contain the key "result" with its value as "Approved" or "Not approved". A custom title and message can also be added using the keys "title" and "message" respectively.
tmod:@turbot/gcp-network#/policy/types/vpnTunnelApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
GCP > Network > VPN Tunnel > Approved > Regions
A list of GCP regions in which GCP Network VPN tunnels are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If a GCP Network VPN tunnel is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > VPN Tunnel > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/vpnTunnelApprovedRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
GCP > Network > VPN Tunnel > Approved > Usage
Determine whether the GCP Network VPN tunnel is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network VPN tunnel is not approved, it will be subject to the action specified in the GCP > Network > VPN Tunnel > Approved policy.
See Approved for more information.
tmod:@turbot/gcp-network#/policy/types/vpnTunnelApprovedUsage
[ "Not approved", "Approved", "Approved if GCP > Network > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if GCP > Network > Enabled" ], "example": [ "Not approved" ], "default": "Approved if GCP > Network > Enabled"}
GCP > Network > VPN Tunnel > CMDB
Configure whether to record and synchronize details for the GCP Network VPN tunnel into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > VPN Tunnel > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/gcp-network#/policy/types/vpnTunnelCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Compute Engine API is enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Compute Engine API is enabled"}
GCP > Network > VPN Tunnel > Configured
Determine how to configure this resource. Note that if the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored and inherited from the stack that owns it.
tmod:@turbot/gcp-network#/policy/types/vpnTunnelConfigured
[ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source"]
{ "enum": [ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source" ], "default": "Enforce: Configured if using Configured > Source"}
GCP > Network > VPN Tunnel > Configured > Precedence
An ordered list of who is allowed to claim a resource. A stack cannot claim a resource if it is already claimed by another stack at a higher level of precedence.
By default, all resources are configured to use the precedence defined here, though they can override their Claim Precedence.
tmod:@turbot/gcp-network#/policy/types/vpnTunnelConfiguredPrecedence
{ "type": "array", "items": { "type": "string" }, "default": [ "**" ]}
GCP > Network > VPN Tunnel > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/gcp-network#/policy/types/vpnTunnelConfiguredSource
{ "type": "string", "default": "{\"resource\": {}}\n", "x-schema-form": { "type": "code", "language": "hcl" }}
GCP > Network > VPN Tunnel > Labels
Determine the action to take when a GCP Network VPN tunnel's labels are not updated, based on the GCP > Network > VPN Tunnel > Labels > * policies.
The control ensures GCP Network VPN tunnel labels include the labels defined in GCP > Network > VPN Tunnel > Labels > Template.
Labels not defined in VPN Tunnel Labels Template will not be modified or deleted. Setting a label value to undefined will result in the label being deleted.
See Labels for more information.
tmod:@turbot/gcp-network#/policy/types/vpnTunnelLabels
[ "Skip", "Check: Labels are correct", "Enforce: Set labels"]
{ "type": "string", "enum": [ "Skip", "Check: Labels are correct", "Enforce: Set labels" ], "example": [ "Check: Labels are correct" ], "default": "Skip"}
GCP > Network > VPN Tunnel > Labels > Template
The template is used to generate the label keys and values for the GCP Network VPN tunnel.
Labels not defined in VPN Tunnel Labels Template will not be modified or deleted. Setting a label value to undefined will result in the label being deleted.
See Labels for more information.
tmod:@turbot/gcp-network#/policy/types/vpnTunnelLabelsTemplate
[ "{\n project {\n turbot {\n id\n }\n }\n}\n", "{\n defaultLabels: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceLabelsTemplate\" resourceId: \"{{ $.project.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultLabels.value | length == 0 %} [] {%- elif $.defaultLabels.value != undefined %}{{ $.defaultLabels.value | dump | safe }}{%- else %}{% for item in $.defaultLabels.value %}- {{ item }}{% endfor %}{% endif %}"
GCP > Network > VPN Tunnel > Regions
A list of GCP regions in which GCP Network VPN tunnels are supported for use. Any VPN tunnels in a region not listed here will not be recorded in the CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/gcp-network#/policy/types/vpnTunnelRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
GCP > Network > VPN Tunnel > Usage
Configure the number of GCP Network VPN tunnels that can be used for this region and the current consumption against the limit.
You can configure the behavior of the control with this GCP > Network > VPN Tunnel > Usage policy.
tmod:@turbot/gcp-network#/policy/types/vpnTunnelUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
GCP > Network > VPN Tunnel > Usage > Limit
Maximum number of items that can be created for this region
tmod:@turbot/gcp-network#/policy/types/vpnTunnelUsageLimit
{ "type": "integer", "minimum": 0, "default": 30}
GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-network
GCP logs advanced filter used to specify the subset of log entries that is forwarded to the Guardrails Event Handlers by the logging sink on behalf of GCP Network.
tmod:@turbot/gcp-network#/policy/types/networkEventPatterns
{ "type": "string", "default": "((resource.type = gce_ssl_certificate AND (protoPayload.authorizationInfo.permission = compute.sslCertificates.create OR protoPayload.authorizationInfo.permission = compute.sslCertificates.delete)) OR (resource.type = gce_target_https_proxy AND (protoPayload.authorizationInfo.permission = compute.targetHttpsProxies.create OR protoPayload.authorizationInfo.permission = compute.targetHttpProxies.delete)) OR (resource.type = gce_target_ssl_proxy AND (protoPayload.authorizationInfo.permission = compute.targetSslProxies.create OR protoPayload.authorizationInfo.permission = compute.targetSslProxies.delete OR protoPayload.authorizationInfo.permission = compute.targetSslProxies.update)) OR (resource.type = gce_packet_mirroring AND (protoPayload.authorizationInfo.permission = compute.packetMirrorings.create OR protoPayload.authorizationInfo.permission = compute.packetMirrorings.delete OR protoPayload.authorizationInfo.permission = compute.packetMirrorings.update)) OR (resource.type = gce_url_map AND (protoPayload.authorizationInfo.permission = compute.urlMaps.create OR protoPayload.authorizationInfo.permission = compute.urlMaps.delete OR protoPayload.authorizationInfo.permission = compute.urlMaps.update)) OR (resource.type = gce_target_pool AND (protoPayload.authorizationInfo.permission = compute.targetPools.create OR protoPayload.authorizationInfo.permission = compute.targetPools.delete OR protoPayload.authorizationInfo.permission = compute.targetPools.update)) OR (resource.type = gce_forwarding_rule AND (protoPayload.authorizationInfo.permission = compute.forwardingRules.create OR protoPayload.authorizationInfo.permission = compute.forwardingRules.delete OR protoPayload.authorizationInfo.permission = compute.forwardingRules.setLabels OR protoPayload.authorizationInfo.permission = compute.forwardingRules.setTarget OR protoPayload.authorizationInfo.permission = compute.globalForwardingRules.create OR protoPayload.authorizationInfo.permission = compute.globalForwardingRules.delete OR protoPayload.authorizationInfo.permission = compute.globalForwardingRules.setLabels OR protoPayload.authorizationInfo.permission = compute.globalForwardingRules.setTarget)) OR (resource.type = gce_network AND (protoPayload.authorizationInfo.permission = compute.networks.create OR protoPayload.authorizationInfo.permission = compute.networks.delete OR protoPayload.authorizationInfo.permission = compute.networks.removePeering OR protoPayload.authorizationInfo.permission = compute.networks.switchToCustomMode OR protoPayload.authorizationInfo.permission = compute.networks.update OR protoPayload.authorizationInfo.permission = compute.networks.updatePolicy)) OR (resource.type = gce_route AND (protoPayload.authorizationInfo.permission = compute.routes.create OR protoPayload.authorizationInfo.permission = compute.routes.delete)) OR (resource.type = gce_subnetwork AND (protoPayload.authorizationInfo.permission = compute.subnetworks.create OR protoPayload.authorizationInfo.permission = compute.subnetworks.delete OR protoPayload.authorizationInfo.permission = compute.subnetworks.expandIpCidrRange OR protoPayload.authorizationInfo.permission = compute.subnetworks.setIamPolicy OR protoPayload.authorizationInfo.permission = compute.subnetworks.setPrivateIpGoogleAccess OR protoPayload.authorizationInfo.permission = compute.subnetworks.update OR protoPayload.authorizationInfo.permission = compute.subnetworks.updatePolicy)) OR (resource.type = gce_reserved_address AND (protoPayload.authorizationInfo.permission = compute.addresses.create OR protoPayload.authorizationInfo.permission = compute.addresses.createInternal OR protoPayload.authorizationInfo.permission = compute.addresses.delete OR protoPayload.authorizationInfo.permission = compute.addresses.deleteInternal OR protoPayload.authorizationInfo.permission = compute.addresses.setLabels OR protoPayload.authorizationInfo.permission = compute.globalAddresses.create OR protoPayload.authorizationInfo.permission = compute.globalAddresses.createInternal OR protoPayload.authorizationInfo.permission = compute.globalAddresses.delete OR protoPayload.authorizationInfo.permission = compute.globalAddresses.deleteInternal OR protoPayload.authorizationInfo.permission = compute.globalAddresses.setLabels)) OR (resource.type = gce_backend_bucket AND (protoPayload.authorizationInfo.permission = compute.backendBuckets.create OR protoPayload.authorizationInfo.permission = compute.backendBuckets.delete OR protoPayload.authorizationInfo.permission = compute.backendBuckets.update)) OR (resource.type = gce_backend_service AND (protoPayload.authorizationInfo.permission = compute.backendServices.create OR protoPayload.authorizationInfo.permission = compute.backendServices.delete OR protoPayload.authorizationInfo.permission = compute.backendServices.update OR protoPayload.authorizationInfo.permission = compute.backendServices.setSecurityPolicy)) OR (resource.type = gce_firewall_rule AND (protoPayload.authorizationInfo.permission = compute.firewalls.create OR protoPayload.authorizationInfo.permission = compute.firewalls.delete OR protoPayload.authorizationInfo.permission = compute.firewalls.update)) OR (resource.type = gce_router AND (protoPayload.authorizationInfo.permission = compute.routers.create OR protoPayload.authorizationInfo.permission = compute.routers.delete OR protoPayload.authorizationInfo.permission = compute.routers.update)) OR (resource.type = vpn_tunnel AND (protoPayload.authorizationInfo.permission = compute.vpnTunnels.create OR protoPayload.authorizationInfo.permission = compute.vpnTunnels.delete OR protoPayload.authorizationInfo.permission = compute.vpnTunnels.setLabels)) OR (resource.type = vpn_gateway AND (protoPayload.authorizationInfo.permission = compute.targetVpnGateways.create OR protoPayload.authorizationInfo.permission = compute.targetVpnGateways.delete OR protoPayload.authorizationInfo.permission = compute.targetVpnGateways.setLabels OR protoPayload.authorizationInfo.permission = compute.targetVpnGateways.update)) AND severity>=INFO )"}
GCP > Turbot > Permissions > Compiled > Levels > @turbot/gcp-network
A calculated policy that Guardrails uses to create a compiled list of ALL permission levels for GCP Network that is used as input to the stack that manages the Guardrails IAM permissions objects.
tmod:@turbot/gcp-network#/policy/types/gcpLevelsCompiled
GCP > Turbot > Permissions > Compiled > Service Permissions > @turbot/gcp-network
A calculated policy that Guardrails uses to create a compiled list of ALL permissions for GCP Network that is used as input to the control that manages the IAM stack.
tmod:@turbot/gcp-network#/policy/types/gcpCompiledServicePermissions