Enabling GCP Services in Turbot

All supported services have an Enabled policy.

You should enable any services that users are allowed to use. By default, the value of these policies is set to Disabled. When a service is disabled, users granted permissions to cloud accounts via Turbot will not be able to manage the service. Additionally, other policies may reference this policy to determine their behavior. For example, the default behavior of the Approvedcontrol is that any resources are unapproved unless the service is enabled.

# GCP > Storage > Enabled
resource "turbot_policy_setting" "gcp_storage_enabled" {
  resource    = "id of account or parent folder/smart folder"  type        = "tmod:@turbot/gcp-storage#/policy/types/storageEnabled"
  value       = "Enabled"
}

GCP allows explicitly enabling and disabling APIs, and Turbot provides a policy to set this as well. You should enable this policy for any service that you intend to use. By default, the value will be set to “Skip” thus Turbot will not modify the setting. For example:

Generally, you should set the API Enabled policy to align with the Enabled policy. For example, The GCP > Compute Engine > API Enabled policy should be set to "Enforce: Enabled if Compute Engine > Enabled".

# GCP > Storage > API Enabled
resource "turbot_policy_setting" "gcp_storage_api_enabled" {
  resource    = "id of account or parent folder/smart folder"  type        = "tmod:@turbot/gcp-storage#/policy/types/storageApiEnabled"
  value       = "Enforce: Enabled if Storage > Enabled"
}

Disabling an API may cause CMDB and Discovery errors from controls for the service. Admins can get rid of the discovery errors by setting the relevant CMDB policies to Skip.

For example, if the Storage API is not enabled in GCP, the GCP > Storage > Bucket > Discovery controls will be in error, as they do not have the required access to discover the bucket resources. Changing the CMDB policy to skip will cause the Discovery control to skip as well