Mods
Overview
Guardrails is designed in such a way that it allows organizations to selectively install the policies, controls, and guardrails associated with particular services. This package of Guardrails resources is known as a Mod. Guardrails-published mods are often focused on a specific service in a specific cloud provider, for example the aws-sns mod or the gcp-compute mod. This modular approach provides flexibility, extensibility, and manageability:
- Mods can be installed only if needed
- Mods can be independently deployed and updated
- Mods can be developed independently
- Custom mods can be written to extend Guardrails
Users are required to have Turbot/Owner permissions at the top Turbot resource level in order to install, uninstall, and/or update mods.
Mod Dependencies
Guardrails mods often have dependencies on one another. This is due to many AWS, GCP, and Azure actions requiring permissions across services. As such, administrators must be mindful when installing specific mods and check dependencies to ensure full functionality. A list of publicly available mods and their associated resources, dependencies, and versions can be found on the Guardrails Mod Registry.
Check out the bottom of this page for the recommended mod installation sequence for new enterprise customers.
Guardrails Mod Registry
In the Guardrails Mod Registry, administrators can view an overview of each mod and inspect the various resources that are created when the mod is installed, including controls, policies, and Guardrails resources. Guardrails resources are generally mapped to cloud resources, e.g. AWS > S3 > Bucket.
Each mod's inspect tab will contain a description for associated resources, the URI of that resource, schema (if applicable), and other metadata such as the category of said resource.
For example, the @turbot/aws mod contains the policy resource AWS > Turbot > Audit Trail:
Configure the Guardrails CloudTrail stack.
The Guardrails Audit Trail provides a mechanism for configuring a CloudTrail to record an audit trail of API calls to your AWS accounts.
URI: tmod:@turbot/aws#/policy/types/auditTrail
Parent: AWS > Turbot
Category: Resource > Logging
Targets: AWS > Region
Valid Values:
- Skip
- Check: Configured
- Check: Not configured
- Enforce: Configured
- Enforce: Not configured
Schema:
{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Configured",
    "Check: Not configured",
    "Enforce: Configured",
    "Enforce: Not configured"
  ],
  "default": "Skip"
}
Versioning
Mods are versioned independently and should follow semantic versioning rules.
Given a version number MAJOR.MINOR.PATCH, increment the:
- MAJOR version when you make incompatible API changes,
- MINOR version when you add functionality in a backwards compatible manner, and
- PATCH version when you make backwards compatible bug fixes.
Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format.
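As an added illustration of the Mod Dependencies and Versioning sections above (example code, not part of Guardrails), the following Python derives an install order from a constructed mod registry and checks each dependency's version. Mod names follow the @turbot/<mod> pattern used on this page, but the versions and dependency edges are made up, and the "same MAJOR, at least the required MINOR.PATCH" compatibility rule is an assumption of this example, not a documented Guardrails rule.

```python
"""Added example (not Guardrails code): semver parsing, dependency version
checks and install ordering over a constructed mod registry."""
import re

# Constructed registry: real-looking mod names, made-up versions and dependencies.
REGISTRY = {
    "@turbot/turbot":  {"version": "5.40.0", "deps": {}},
    "@turbot/aws":     {"version": "5.30.2", "deps": {"@turbot/turbot": "5.40.0"}},
    "@turbot/aws-iam": {"version": "5.12.1", "deps": {"@turbot/aws": "5.30.0"}},
    "@turbot/aws-sns": {"version": "5.8.0",
                        "deps": {"@turbot/aws": "5.29.0", "@turbot/aws-iam": "5.12.0"}},
}

# MAJOR.MINOR.PATCH with optional -prerelease and +build labels (semver 2.0 shape).
_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")

def parse_version(text):
    """Return (major, minor, patch, prerelease); build metadata is ignored."""
    m = _SEMVER.match(text)
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre

def is_compatible(available, required):
    """Assumed rule: same MAJOR (a MAJOR bump means incompatible API changes)
    and available >= required. Pre-releases sort below their final release;
    prerelease labels are compared as plain strings (a simplification)."""
    a, r = parse_version(available), parse_version(required)
    if a[0] != r[0]:
        return False
    key = lambda v: (v[1], v[2], v[3] is None, v[3] or "")
    return key(a) >= key(r)

def install_order(registry):
    """Depth-first topological sort: every dependency is placed before the mod
    that needs it. Fails on missing mods, incompatible versions, or cycles."""
    order, state = [], {}  # state: 1 = visiting, 2 = done
    def visit(name, chain):
        if state.get(name) == 2:
            return
        if state.get(name) == 1:
            raise ValueError("dependency cycle: " + " -> ".join(chain + [name]))
        state[name] = 1
        for dep, required in registry[name]["deps"].items():
            if dep not in registry:
                raise ValueError(f"{name} requires {dep}, which is not in the registry")
            if not is_compatible(registry[dep]["version"], required):
                raise ValueError(f"{name} needs {dep} {required}, registry has {registry[dep]['version']}")
            visit(dep, chain + [name])
        state[name] = 2
        order.append(name)
    for name in sorted(registry):  # sorted for a deterministic result
        visit(name, [])
    return order
```

Running install_order(REGISTRY) yields the base @turbot/turbot mod first and @turbot/aws-sns last, mirroring the "order is important" advice for baseline mods.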
Example: AWS SNS
The aws-sns mod defines the resources, controls, and policies for managing all AWS SNS-related resources, such as topics and subscriptions:
Resource types:
- AWS > SNS
- AWS > SNS > Subscription
- AWS > SNS > Topic
- AWS > SNS > Topic Policy
Policy types:
- AWS > IAM > Permissions > Compiled > Levels > @turbot/aws-sns
- AWS > IAM > Permissions > Compiled > Service Permissions > @turbot/aws-sns
- AWS > SNS > Approved Regions [Default]
- AWS > SNS > Enabled
- AWS > SNS > Permissions
- AWS > SNS > Permissions > Levels
- AWS > SNS > Permissions > Levels > Modifiers
- AWS > SNS > Regions [Default]
- AWS > SNS > Subscription > Active
- AWS > SNS > Subscription > Active > Last Modified
- AWS > SNS > Subscription > Approved
- AWS > SNS > Subscription > Approved > Regions
- AWS > SNS > Subscription > Approved > Usage
- AWS > SNS > Subscription > CMDB
- AWS > SNS > Subscription > Configured
- AWS > SNS > Subscription > Configured > Precedence
- AWS > SNS > Subscription > Configured > Source
- AWS > SNS > Subscription > Regions
- AWS > SNS > Subscription > Usage
- AWS > SNS > Subscription > Usage > Limit
- AWS > SNS > Topic > Active
- AWS > SNS > Topic > Active > Last Modified
- AWS > SNS > Topic > Approved
- AWS > SNS > Topic > Approved > Regions
- AWS > SNS > Topic > Approved > Usage
- AWS > SNS > Topic > CMDB
- AWS > SNS > Topic > Configured
- AWS > SNS > Topic > Configured > Precedence
- AWS > SNS > Topic > Configured > Source
- AWS > SNS > Topic > Regions
- AWS > SNS > Topic > Tags
- AWS > SNS > Topic > Tags > Template
- AWS > SNS > Topic > Usage
- AWS > SNS > Topic > Usage > Limit
- AWS > SNS > Topic Policy > CMDB
- AWS > SNS > Topic Policy > Configured
- AWS > SNS > Topic Policy > Configured > Precedence
- AWS > SNS > Topic Policy > Configured > Source
- AWS > SNS > Topic Policy > Regions
- AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-sns
Control types:
- AWS > SNS > Subscription > Active
- AWS > SNS > Subscription > Approved
- AWS > SNS > Subscription > CMDB
- AWS > SNS > Subscription > Configured
- AWS > SNS > Subscription > Discovery
- AWS > SNS > Subscription > Usage
- AWS > SNS > Topic > Active
- AWS > SNS > Topic > Approved
- AWS > SNS > Topic > CMDB
- AWS > SNS > Topic > Configured
- AWS > SNS > Topic > Discovery
- AWS > SNS > Topic > Tags
- AWS > SNS > Topic > Usage
- AWS > SNS > Topic Policy > CMDB
- AWS > SNS > Topic Policy > Configured
- AWS > SNS > Topic Policy > Discovery
Action types:
- AWS > SNS > Subscription > Delete
- AWS > SNS > Subscription > Router
- AWS > SNS > Topic > Delete
- AWS > SNS > Topic > Router
- AWS > SNS > Topic > Update Tags
Permission types:
- AWS > SNS
Recommended Starting Mods
Although Guardrails allows organizations to pick and choose mods to install in the environment, basic functionality requires a set of baseline mods. The set will depend on which cloud provider is used. Order is important!