Policy types for @turbot/gcp-network

GCP > Network > API Enabled

Configure whether the GCP Network API is enabled.

URI
tmod:@turbot/gcp-network#/policy/types/networkServiceApiEnabled
Valid Value
[
"Skip",
"Check: Disabled",
"Check: Enabled",
"Check: Enabled if Network > Enabled",
"Enforce: Disabled",
"Enforce: Enabled",
"Enforce: Enabled if Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Disabled",
"Check: Enabled",
"Check: Enabled if Network > Enabled",
"Enforce: Disabled",
"Enforce: Enabled",
"Enforce: Enabled if Network > Enabled"
],
"default": "Skip"
}

GCP > Network > Address > Active

Determine the action to take for a GCP Network address, based on the GCP > Network > Address > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Address > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/addressActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > Address > Active > Age

The age after which the GCP Network address
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Address > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/addressActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > Address > Active > Last Modified

The number of days since the GCP Network address was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Address > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/addressActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > Address > Active > Status

The policy allows you to
check which status determines if the GCP Network address is active.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Address > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/addressActiveStatus
Valid Value
[
"Skip",
"Active if $.status is in_use",
"Force active if $.status is in_use"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if $.status is in_use",
"Force active if $.status is in_use"
],
"example": [
"Skip"
],
"default": "Skip"
}

GCP > Network > Address > Approved

Determine the action to take when a GCP Network address is not approved based on GCP > Network > Address > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/addressApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > Address > Approved > Custom

Determine whether the GCP Network address is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network address is not approved, it will be subject to the action specified in the GCP > Network > Address > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/addressApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}
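
A validator for the Approved > Custom schema above, as an added example (not Turbot's code), useful for linting policy values before they are applied. It assumes the value has already been parsed from YAML into Python objects; the function names and sample values are constructed for illustration.

```python
import re

# Patterns copied from the Approved > Custom schema on this page.
# fullmatch() is used so that a trailing newline is rejected, as it would be
# by the ECMAScript regex semantics JSON Schema assumes.
RESULT_RE = re.compile(r"^(Approved|Not approved|Skip)$")
FIELD_PATTERNS = {
    "title": re.compile(r"^[\W\w]{1,32}$"),
    "message": re.compile(r"^[\W\w]{1,128}$"),
    "result": RESULT_RE,
}


def _check_object(obj, where):
    """Check one result object: 'result' is required, no extra keys allowed."""
    if not isinstance(obj, dict):
        return [f"{where}: expected an object, got {type(obj).__name__}"]
    errors = []
    if "result" not in obj:
        errors.append(f"{where}: missing required key 'result'")
    for key, value in obj.items():
        pattern = FIELD_PATTERNS.get(key)
        if pattern is None:
            # "additionalProperties": false in the schema
            errors.append(f"{where}: unexpected key {key!r}")
        elif not isinstance(value, str):
            errors.append(f"{where}: {key!r} must be a string")
        elif not pattern.fullmatch(value):
            errors.append(f"{where}: {key!r} does not match {pattern.pattern}")
    return errors


def validate_custom(value):
    """Return a list of problems; an empty list means the value fits the anyOf."""
    if isinstance(value, str):
        if RESULT_RE.fullmatch(value):
            return []
        return [f"string {value!r} is not Approved, Not approved or Skip"]
    if isinstance(value, dict):
        return _check_object(value, "object")
    if isinstance(value, list):
        errors = []
        for index, item in enumerate(value):
            errors.extend(_check_object(item, f"item[{index}]"))
        return errors
    return [f"unsupported type {type(value).__name__}"]


# Constructed sample values (not taken from any real workspace).
SAMPLES = {
    "plain string": "Not approved",
    "wrong case": "approved",
    "object with title": {"title": "Network tier", "result": "Approved"},
    "object missing result": {"title": "Network tier"},
    "extra key": {"result": "Approved", "owner": "netops"},
    "list of results": [
        {"title": "Region", "result": "Approved", "message": "In approved region"},
        {"title": "Tier", "result": "Not approved", "message": "Standard tier"},
    ],
    # The schema's pattern also accepts Skip as an object result.
    "object skip": {"result": "Skip"},
}


def check_samples():
    """Map each sample name to its list of validation problems."""
    return {name: validate_custom(value) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, problems in check_samples().items():
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```
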

GCP > Network > Address > Approved > Network Tier

Determine whether the GCP Network address is allowed to have a Network Tier enabled.

This policy will be evaluated by the Approved control. If a GCP Compute engine instance is not approved, it will be subject to the action specified in the GCP > Compute engine > Instance > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/addressApprovedNetworkTier
Valid Value
[
"Skip",
"Approved if enabled",
"Approved if disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Approved if enabled",
"Approved if disabled"
],
"example": [
"Approved if enabled"
],
"default": "Skip"
}

GCP > Network > Address > Approved > Regions

A list of GCP regions in which GCP Network addresses are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If a GCP Network address is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > Address > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/addressApprovedRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > Address > Approved > Usage

Determine whether the GCP Network address is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network address is not approved, it will be subject to the action specified in the GCP > Network > Address > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/addressApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > Address > CMDB

Configure whether to record and synchronize details for the GCP Network address into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Address > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/gcp-network#/policy/types/addressCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute Engine API is enabled"
}

GCP > Network > Address > Configured

Determine how to configure this resource. Note that if the resource
is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherited from the stack that owns it.

URI
tmod:@turbot/gcp-network#/policy/types/addressConfigured
Valid Value
[
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source"
]
Schema
{
"enum": [
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source"
],
"default": "Enforce: Configured if using Configured > Source"
}

GCP > Network > Address > Configured > Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

By default, all resources are configured to use the precedence defined
here, though they can override their Claim Precedence.

URI
tmod:@turbot/gcp-network#/policy/types/addressConfiguredPrecedence
Schema
{
"type": "array",
"items": {
"type": "string"
},
"default": [
"**"
]
}

GCP > Network > Address > Configured > Source

An HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/gcp-network#/policy/types/addressConfiguredSource
Schema
{
"type": "string",
"default": "{\"resource\": {}}\n",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

GCP > Network > Address > Regions

A list of GCP regions in which GCP Network addresses are supported for use.

Any addresses in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/gcp-network#/policy/types/addressRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > Address > Usage

Configure the number of GCP Network addresses that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > Address > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/addressUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > Address > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/gcp-network#/policy/types/addressUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 200
}

GCP > Network > Approved Regions [Default]

A list of GCP regions in which GCP Network resources are approved for use.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

This policy is the default value for all GCP Network resources' Approved > Regions policies.

URI
tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp#/policy/types/approvedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > Backend Bucket > Active

Determine the action to take for a GCP Network backend bucket, based on the GCP > Network > Backend Bucket > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Backend Bucket > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/backendBucketActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > Backend Bucket > Active > Age

The age after which the GCP Network backend bucket
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Backend Bucket > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/backendBucketActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > Backend Bucket > Active > Last Modified

The number of days since the GCP Network backend bucket was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Backend Bucket > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/backendBucketActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > Backend Bucket > Approved

Determine the action to take when a GCP Network backend bucket is not approved based on GCP > Network > Backend Bucket > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/backendBucketApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > Backend Bucket > Approved > Custom

Determine whether the GCP Network backend bucket is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network backend bucket is not approved, it will be subject to the action specified in the GCP > Network > Backend Bucket > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/backendBucketApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > Backend Bucket > Approved > Usage

Determine whether the GCP Network backend bucket is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network backend bucket is not approved, it will be subject to the action specified in the GCP > Network > Backend Bucket > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/backendBucketApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > Backend Bucket > CMDB

Configure whether to record and synchronize details for the GCP Network backend bucket into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Backend Bucket > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/gcp-network#/policy/types/backendBucketCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute Engine API is enabled"
}

GCP > Network > Backend Bucket > Configured

Determine how to configure this resource. Note that if the resource
is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherited from the stack that owns it.

URI
tmod:@turbot/gcp-network#/policy/types/backendBucketConfigured
Valid Value
[
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source"
]
Schema
{
"enum": [
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source"
],
"default": "Enforce: Configured if using Configured > Source"
}

GCP > Network > Backend Bucket > Configured > Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

By default, all resources are configured to use the precedence defined
here, though they can override their Claim Precedence.

URI
tmod:@turbot/gcp-network#/policy/types/backendBucketConfiguredPrecedence
Schema
{
"type": "array",
"items": {
"type": "string"
},
"default": [
"**"
]
}

GCP > Network > Backend Bucket > Configured > Source

An HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/gcp-network#/policy/types/backendBucketConfiguredSource
Schema
{
"type": "string",
"default": "{\"resource\": {}}\n",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

GCP > Network > Backend Bucket > Usage

Configure the number of GCP Network backend buckets that can be used for this project and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > Backend Bucket > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/backendBucketUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > Backend Bucket > Usage > Limit

Maximum number of items that can be created for this project.

URI
tmod:@turbot/gcp-network#/policy/types/backendBucketUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 9
}

GCP > Network > Backend Service > Active

Determine the action to take for a GCP Network backend service, based on the GCP > Network > Backend Service > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Backend Service > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/backendServiceActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > Backend Service > Active > Age

The age after which the GCP Network backend service
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active control determines whether the resource is in active use, and if not,
has the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Backend Service > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/backendServiceActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > Backend Service > Active > Last Modified

The number of days since the GCP Network backend service was last modified before it is considered
inactive.

The Active control determines whether the resource is in active use, and if not,
has the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Backend Service > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/backendServiceActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > Backend Service > Approved

Determine the action to take when a GCP Network backend service is not approved based on GCP > Network > Backend Service > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement action that specifies "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action on resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/backendServiceApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > Backend Service > Approved > Custom

Determine whether the GCP Network backend service is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network backend service is not approved, it will be subject to the action specified in the GCP > Network > Backend Service > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/backendServiceApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > Backend Service > Approved > Usage

Determine whether the GCP Network backend service is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network backend service is not approved, it will be subject to the action specified in the GCP > Network > Backend Service > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/backendServiceApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > Backend Service > CMDB

Configure whether to record and synchronize details for the GCP Network backend service into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Backend Service > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/gcp-network#/policy/types/backendServiceCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute Engine API is enabled"
}

GCP > Network > Backend Service > Configured

Determine how to configure this resource. Note that if the resource
is managed by another stack, then the Skip/Check/Enforce values here are ignored
and are inherited from the stack that owns it.

URI
tmod:@turbot/gcp-network#/policy/types/backendServiceConfigured
Valid Value
[
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source"
]
Schema
{
"enum": [
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source"
],
"default": "Enforce: Configured if using Configured > Source"
}

GCP > Network > Backend Service > Configured > Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

By default, all resources are configured to use the precedence defined
here, though they can override their Claim Precedence.

URI
tmod:@turbot/gcp-network#/policy/types/backendServiceConfiguredPrecedence
Schema
{
"type": "array",
"items": {
"type": "string"
},
"default": [
"**"
]
}

GCP > Network > Backend Service > Configured > Source

An HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/gcp-network#/policy/types/backendServiceConfiguredSource
Schema
{
"type": "string",
"default": "{\"resource\": {}}\n",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

GCP > Network > Backend Service > Logging

Define the Logging settings required for GCP > Network > Backend Service > Logging.

Backend Service Logging allows you to audit, verify, and analyze the effects of your Backend Service.

URI
tmod:@turbot/gcp-network#/policy/types/backendServiceLogging
Valid Value
[
"Skip",
"Check: Enabled",
"Check: Disabled",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Enabled",
"Check: Disabled",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Check: Enabled"
],
"default": "Skip"
}

GCP > Network > Backend Service > Logging > Sample Rate

The value of the field must be in [0, 1]. This configures the sampling rate of
requests to the load balancer where 1 means all logged requests are reported and
0 means no logged requests are reported. The default value is 1.

URI
tmod:@turbot/gcp-network#/policy/types/backendServiceLoggingSampleRate
Schema
{
"type": "number",
"default": 1,
"minimum": 0,
"maximum": 1
}

GCP > Network > Backend Service > Usage

Configure the number of GCP Network backend services that can be used for this project and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > Backend Service > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/backendServiceUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > Backend Service > Usage > Limit

Maximum number of items that can be created for this project.

URI
tmod:@turbot/gcp-network#/policy/types/backendServiceUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 9
}

GCP > Network > CMDB

Record and synchronize details for GCP Network network service(s) into the CMDB.

URI
tmod:@turbot/gcp-network#/policy/types/networkServiceCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled"
}

GCP > Network > Enabled

Enabled Network.

URI
tmod:@turbot/gcp-network#/policy/types/networkServiceEnabled
Valid Value
[
"Enabled",
"Enabled: Metadata Only",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Enabled: Metadata Only",
"Disabled"
],
"example": [
"Enabled"
],
"default": "Disabled"
}

GCP > Network > Firewall > Active

Determine the action to take for a GCP Network firewall, based on the GCP > Network > Firewall > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Firewall > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/firewallActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > Firewall > Active > Age

The age after which the GCP Network firewall
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active control determines whether the resource is in active use, and if not,
has the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Firewall > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/firewallActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > Firewall > Active > Last Modified

The number of days since the GCP Network firewall was last modified before it is considered
inactive.

The Active control determines whether the resource is in active use, and if not,
has the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Firewall > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/firewallActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > Firewall > Approved

Determine the action to take when a GCP Network firewall is not approved based on GCP > Network > Firewall > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement action that specifies "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action on resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/firewallApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > Firewall > Approved > Custom

Determine whether the GCP Network firewall is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network firewall is not approved, it will be subject to the action specified in the GCP > Network > Firewall > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/firewallApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > Firewall > Approved > Usage

Determine whether the GCP Network firewall is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network firewall is not approved, it will be subject to the action specified in the GCP > Network > Firewall > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/firewallApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > Firewall > CMDB

Configure whether to record and synchronize details for the GCP Network firewall into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Firewall > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/gcp-network#/policy/types/firewallCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute Engine API is enabled"
}

GCP > Network > Firewall > Configured

Determine how to configure this resource. Note that if the resource
is managed by another stack, then the Skip/Check/Enforce values here are ignored
and are inherited from the stack that owns it.

URI
tmod:@turbot/gcp-network#/policy/types/firewallConfigured
Valid Value
[
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source"
]
Schema
{
"enum": [
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source"
],
"default": "Enforce: Configured if using Configured > Source"
}

GCP > Network > Firewall > Configured > Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

By default, all resources are configured to use the precedence defined
here, though they can override their Claim Precedence.

URI
tmod:@turbot/gcp-network#/policy/types/firewallConfiguredPrecedence
Schema
{
"type": "array",
"items": {
"type": "string"
},
"default": [
"**"
]
}

GCP > Network > Firewall > Configured > Source

An HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/gcp-network#/policy/types/firewallConfiguredSource
Schema
{
"type": "string",
"default": "{\"resource\": {}}\n",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

GCP > Network > Firewall > Ingress Rules

URI
tmod:@turbot/gcp-network#/policy/types/firewallIngressRules
Targets

GCP > Network > Firewall > Ingress Rules > Approved

Configure Firewall Ingress Rule checking. This policy defines whether
to verify the firewall ingress rules are approved, as well as the
subsequent action to take on unapproved items.

If set to Enforce: Delete unapproved, any unapproved rules will be
revoked from the firewall.

URI
tmod:@turbot/gcp-network#/policy/types/firewallIngressRulesApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved"
],
"example": [
"Skip"
],
"default": "Skip"
}

GCP > Network > Firewall > Ingress Rules > Approved > Rules

An Object Control List (OCL) with a list of filter rules to approve or reject firewall rules.

Examples:

Allow HTTP and HTTPS rules for RFC1918 private space
APPROVE $.turbot.fromPort:=80 $.turbot.toPort:=80 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
APPROVE $.turbot.fromPort:=443 $.turbot.toPort:=443 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

Reject any rule from 0.0.0.0/0
REJECT $.turbot.cidr:0.0.0.0/0

URI
tmod:@turbot/gcp-network#/policy/types/firewallIngressRulesApprovedRules
Schema
{
"type": "string",
"default": "# Approve unmatched rules\nAPPROVE *",
"x-schema-form": {
"type": "textarea"
}
}

GCP > Network > Firewall > Logging

Define the Logging settings required for GCP > Network > Firewall > Logging.

Firewall Rules Logging allows you to audit, verify, and analyze the effects of your firewall rules.

Note: Turning on firewall logs can generate a large number of logs which can increase costs in Stackdriver.

URI
tmod:@turbot/gcp-network#/policy/types/firewallLogging
Valid Value
[
"Skip",
"Check: Enabled",
"Check: Disabled",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Enabled",
"Check: Disabled",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Check: Enabled"
],
"default": "Skip"
}

GCP > Network > Firewall > Usage

Configure the number of GCP Network firewalls that can be used for this project and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > Firewall > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/firewallUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > Firewall > Usage > Limit

Maximum number of items that can be created for this project.

URI
tmod:@turbot/gcp-network#/policy/types/firewallUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 200
}

GCP > Network > Forwarding Rule > Active

Determine the action to take for a GCP Network forwarding rule, based on the GCP > Network > Forwarding Rule > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Forwarding Rule > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/forwardingRuleActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > Forwarding Rule > Active > Age

The age after which the GCP Network forwarding rule
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Forwarding Rule > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/forwardingRuleActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > Forwarding Rule > Active > Last Modified

The number of days since the GCP Network forwarding rule was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Forwarding Rule > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/forwardingRuleActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > Forwarding Rule > Approved

Determine the action to take when a GCP Network forwarding rule is not approved based on GCP > Network > Forwarding Rule > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/forwardingRuleApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > Forwarding Rule > Approved > Custom

Determine whether the GCP Network forwarding rule is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network forwarding rule is not approved, it will be subject to the action specified in the GCP > Network > Forwarding Rule > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/forwardingRuleApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > Forwarding Rule > Approved > Regions

A list of GCP regions in which GCP Network forwarding rules are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If a GCP Network forwarding rule is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > Forwarding Rule > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/forwardingRuleApprovedRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > Forwarding Rule > Approved > Usage

Determine whether the GCP Network forwarding rule is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network forwarding rule is not approved, it will be subject to the action specified in the GCP > Network > Forwarding Rule > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/forwardingRuleApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > Forwarding Rule > CMDB

Configure whether to record and synchronize details for the GCP Network forwarding rule into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Forwarding Rule > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/gcp-network#/policy/types/forwardingRuleCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute Engine API is enabled"
}

GCP > Network > Forwarding Rule > Labels

Determine the action to take when GCP Network forwarding rule labels are not updated based on the GCP > Network > Forwarding Rule > Labels > * policies.

The control ensures that GCP Network forwarding rule labels include the labels defined in GCP > Network > Forwarding Rule > Labels > Template.

Labels not defined in Forwarding Rule Labels Template will not be modified or deleted. Setting a label value to undefined will result in the label being deleted.

See Labels for more information.

URI
tmod:@turbot/gcp-network#/policy/types/forwardingRuleLabels
Valid Value
[
"Skip",
"Check: Labels are correct",
"Enforce: Set labels"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Labels are correct",
"Enforce: Set labels"
],
"example": [
"Check: Labels are correct"
],
"default": "Skip"
}

GCP > Network > Forwarding Rule > Labels > Template

The template is used to generate the keys and values for a GCP Network forwarding rule.

Labels not defined in Forwarding Rule Labels Template will not be modified or deleted. Setting a label value to undefined will result in the label being deleted.

See Labels for more information.

URI
tmod:@turbot/gcp-network#/policy/types/forwardingRuleLabelsTemplate
Default Template Input
[
"{\n project {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultLabels: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceLabelsTemplate\" resourceId: \"{{ $.project.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultLabels.value | length == 0 %} [] {%- elif $.defaultLabels.value != undefined %}{{ $.defaultLabels.value | dump | safe }}{%- else %}{% for item in $.defaultLabels.value %}- {{ item }}{% endfor %}{% endif %}"

GCP > Network > Forwarding Rule > Regions

A list of GCP regions in which GCP Network forwarding rules are supported for use.

Any forwarding rules in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/gcp-network#/policy/types/forwardingRuleRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > Forwarding Rule > Usage

Configure the number of GCP Network forwarding rules that can be used for this project and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > Forwarding Rule > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/forwardingRuleUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > Forwarding Rule > Usage > Limit

Maximum number of items that can be created for this project

URI
tmod:@turbot/gcp-network#/policy/types/forwardingRuleUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 150
}

GCP > Network > Global Address > Active

Determine the action to take when a GCP Network global address is inactive, based on the GCP > Network > Global Address > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Global Address > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/globalAddressActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > Global Address > Active > Age

The age after which the GCP Network global address
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Global Address > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/globalAddressActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > Global Address > Active > Last Modified

The number of days since the GCP Network global address was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Global Address > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/globalAddressActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > Global Address > Approved

Determine the action to take when a GCP Network global address is not approved based on GCP > Network > Global Address > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/globalAddressApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > Global Address > Approved > Custom

Determine whether the GCP Network global address is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network global address is not approved, it will be subject to the action specified in the GCP > Network > Global Address > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/globalAddressApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > Global Address > Approved > Usage

Determine whether the GCP Network global address is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network global address is not approved, it will be subject to the action specified in the GCP > Network > Global Address > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/globalAddressApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > Global Address > CMDB

Configure whether to record and synchronize details for the GCP Network global address into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/gcp-network#/policy/types/globalAddressCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute Engine API is enabled"
}

GCP > Network > Global Address > Usage

Configure the number of GCP Network global addresses that can be used for this project and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > Global Address > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/globalAddressUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > Global Address > Usage > Limit

Maximum number of items that can be created for this project

URI
tmod:@turbot/gcp-network#/policy/types/globalAddressUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 200
}

GCP > Network > Global Forwarding Rule > Active

Determine the action to take when a GCP Network global forwarding rule is inactive, based on the GCP > Network > Global Forwarding Rule > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Global Forwarding Rule > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > Global Forwarding Rule > Active > Age

The age after which the GCP Network global forwarding rule
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Global Forwarding Rule > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > Global Forwarding Rule > Active > Last Modified

The number of days since the GCP Network global forwarding rule was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Global Forwarding Rule > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > Global Forwarding Rule > Approved

Determine the action to take when a GCP Network global forwarding rule is not approved based on GCP > Network > Global Forwarding Rule > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > Global Forwarding Rule > Approved > Custom

Determine whether the GCP Network global forwarding rule is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network global forwarding rule is not approved, it will be subject to the action specified in the GCP > Network > Global Forwarding Rule > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > Global Forwarding Rule > Approved > Usage

Determine whether the GCP Network global forwarding rule is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network global forwarding rule is not approved, it will be subject to the action specified in the GCP > Network > Global Forwarding Rule > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > Global Forwarding Rule > CMDB

Configure whether to record and synchronize details for the GCP Network global forwarding rule into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Global Forwarding Rule > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute Engine API is enabled"
}

GCP > Network > Global Forwarding Rule > Labels

Determine the action to take when a GCP Network global forwarding rule's labels are not updated, based on the GCP > Network > Global Forwarding Rule > Labels > * policies.

The control ensures GCP Network global forwarding rule labels include the labels defined in GCP > Network > Global Forwarding Rule > Labels > Template.

Labels not defined in Global Forwarding Rule Labels Template will not be modified or deleted. Setting a label value to undefined will result in the label being deleted.

See Labels for more information.

URI
tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleLabels
Valid Value
[
"Skip",
"Check: Labels are correct",
"Enforce: Set labels"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Labels are correct",
"Enforce: Set labels"
],
"example": [
"Check: Labels are correct"
],
"default": "Skip"
}

GCP > Network > Global Forwarding Rule > Labels > Template

The template is used to generate the keys and values for a GCP Network global forwarding rule.

Labels not defined in Global Forwarding Rule Labels Template will not be modified or deleted. Setting a label value to undefined will result in the label being deleted.

See Labels for more information.

URI
tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleLabelsTemplate
Default Template Input
[
"{\n project {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultLabels: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceLabelsTemplate\" resourceId: \"{{ $.project.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultLabels.value | length == 0 %} [] {%- elif $.defaultLabels.value != undefined %}{{ $.defaultLabels.value | dump | safe }}{%- else %}{% for item in $.defaultLabels.value %}- {{ item }}{% endfor %}{% endif %}"

GCP > Network > Global Forwarding Rule > Usage

Configure the number of GCP Network global forwarding rules that can be used for this project and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > Global Forwarding Rule > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > Global Forwarding Rule > Usage > Limit

Maximum number of items that can be created for this project.

URI
tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 150
}

GCP > Network > Interconnect > Active

Determine the action to take when a GCP Network interconnect is inactive, based on the GCP > Network > Interconnect > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Interconnect > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/interconnectActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > Interconnect > Active > Age

The age after which the GCP Network interconnect
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Interconnect > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/interconnectActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > Interconnect > Active > Last Modified

The number of days since the GCP Network interconnect was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Interconnect > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/interconnectActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > Interconnect > Approved

Determine the action to take when a GCP Network interconnect is not approved based on GCP > Network > Interconnect > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/interconnectApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > Interconnect > Approved > Custom

Determine whether the GCP Network interconnect is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network interconnect is not approved, it will be subject to the action specified in the GCP > Network > Interconnect > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/interconnectApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > Interconnect > Approved > Usage

Determine whether the GCP Network interconnect is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network interconnect is not approved, it will be subject to the action specified in the GCP > Network > Interconnect > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/interconnectApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > Interconnect > CMDB

Configure whether to record and synchronize details for the GCP Network interconnect into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Interconnect > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/gcp-network#/policy/types/interconnectCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute Engine API is enabled"
}

GCP > Network > Interconnect > Usage

Configure the number of GCP Network interconnects that can be used for this project and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > Interconnect > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/interconnectUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > Interconnect > Usage > Limit

Maximum number of items that can be created for this project.

URI
tmod:@turbot/gcp-network#/policy/types/interconnectUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 6
}

GCP > Network > Labels Template [Default]

A template used to generate the keys and values for GCP Network resources.

By default, all Network resource Labels > Template policies will use this value.

URI
tmod:@turbot/gcp-network#/policy/types/networkServiceLabelsTemplate
Default Template Input
"{\n defaultLabels: policyValue(uri:\"tmod:@turbot/gcp#/policy/types/defaultLabelsTemplate\") {\n value\n }\n}\n"
Default Template
"{%- if $.defaultLabels.value | length == 0 %} [] {%- elif $.defaultLabels.value != undefined %}{{ $.defaultLabels.value | dump | safe }}{%- else %}{% for item in $.defaultLabels.value %}- {{ item }}{% endfor %}{% endif %}"

GCP > Network > Network > Active

Determine the action to take when a GCP Network network is inactive, based on the GCP > Network > Network > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Network > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/networkActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > Network > Active > Age

The age after which the GCP Network network
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Network > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/networkActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > Network > Active > Last Modified

The number of days since the GCP Network network was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Network > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/networkActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > Network > Approved

Determine the action to take when a GCP Network network is not approved based on GCP > Network > Network > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/networkApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > Network > Approved > Custom

Determine whether the GCP Network network is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network network is not approved, it will be subject to the action specified in the GCP > Network > Network > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/networkApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}
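An added example (not Guardrails code): a stdlib-only Python lint that mirrors the anyOf schema above, so a candidate Approved > Custom value can be checked before it is set. The function names and sample values are constructed for illustration, and the value is assumed to be already parsed from YAML.

```python
import re

# Patterns copied from the "anyOf" schema above (JSON escaping removed).
FIELD_PATTERNS = {
    "title": re.compile(r"^[\W\w]{1,32}$"),
    "message": re.compile(r"^[\W\w]{1,128}$"),
    "result": re.compile(r"^(Approved|Not approved|Skip)$"),
}


def _check_object(obj, where):
    """Return the schema violations for one result object."""
    errors = []
    if "result" not in obj:
        errors.append(f"{where}: missing required key 'result'")
    for key, value in obj.items():
        pattern = FIELD_PATTERNS.get(key)
        if pattern is None:
            # "additionalProperties": false rejects any other key.
            errors.append(f"{where}: unexpected key {key!r}")
        elif not isinstance(value, str):
            errors.append(f"{where}.{key}: must be a string")
        elif not pattern.fullmatch(value):
            # fullmatch keeps "$" strict: a trailing newline does not pass.
            errors.append(f"{where}.{key}: does not match {pattern.pattern}")
    return errors


def validate_approved_custom(value):
    """Lint an already-parsed policy value; an empty list means it is valid."""
    if isinstance(value, str):
        if FIELD_PATTERNS["result"].fullmatch(value):
            return []
        return ["value: string must be Approved, Not approved or Skip"]
    if isinstance(value, dict):
        return _check_object(value, "value")
    if isinstance(value, list):
        errors = []
        for index, item in enumerate(value):
            if isinstance(item, dict):
                errors.extend(_check_object(item, f"value[{index}]"))
            else:
                errors.append(f"value[{index}]: must be an object")
        return errors
    return ["value: must be a string, an object or an array of objects"]


# Constructed sample values (not taken from a real workspace).
SAMPLES = [
    "Approved",
    "approved",  # wrong case
    {"title": "Shared VPC only", "result": "Not approved"},
    {"title": "No result key"},
    [{"result": "Approved"}, {"result": "Denied", "owner": "netops"}],
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", validate_approved_custom(sample) or "valid")
```

The schema's result pattern is case-sensitive and, for objects, also accepts Skip, so the lint does the same.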

GCP > Network > Network > Approved > Usage

Determine whether the GCP Network network is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network network is not approved, it will be subject to the action specified in the GCP > Network > Network > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/networkApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > Network > CMDB

Configure whether to record and synchronize details for the GCP Network network into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Network > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/gcp-network#/policy/types/networkCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute Engine API is enabled"
}

GCP > Network > Network > Configured

Determine how to configure this resource. Note that if the resource
is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherited from the stack that owns it.

URI
tmod:@turbot/gcp-network#/policy/types/networkConfigured
Valid Value
[
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source"
]
Schema
{
"enum": [
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source"
],
"default": "Enforce: Configured if using Configured > Source"
}

GCP > Network > Network > Configured > Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

By default, all resources are configured to use the precedence defined
here, though they can override their Claim Precedence.

URI
tmod:@turbot/gcp-network#/policy/types/networkConfiguredPrecedence
Schema
{
"type": "array",
"items": {
"type": "string"
},
"default": [
"**"
]
}

GCP > Network > Network > Configured > Source

An HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/gcp-network#/policy/types/networkConfiguredSource
Schema
{
"type": "string",
"default": "{\"resource\": {}}\n",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

GCP > Network > Network > Trusted Domains [Default]

List of GCP Domains that are trusted for access in the GCP Network policy.

This policy is used by the GCP > Network > Policy > Trusted Access
control to determine which members of type "domain" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.

```
example:
- company.com
- company-dev.org
```

Note: Setting the policy to an Empty array will remove all domains.

URI
tmod:@turbot/gcp-network#/policy/types/networkTrustedDomains
Default Template Input
"{\n value: policy(uri: \"tmod:@turbot/gcp#/policy/types/trustedDomains\")\n}\n"
Default Template
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

GCP > Network > Network > Trusted Groups [Default]

List of GCP Groups that are trusted for access in the GCP Network policy.

This policy is used by the GCP > Network > Policy > Trusted Access
control to determine which members of type "group" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.

```
example:
- notification@company.com
- "*@company.com"
```

Note: Setting the policy to an Empty array will remove all groups.

URI
tmod:@turbot/gcp-network#/policy/types/networkTrustedGroups
Default Template Input
"{\n value: policy(uri: \"tmod:@turbot/gcp#/policy/types/trustedGroups\")\n}\n"
Default Template
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

GCP > Network > Network > Trusted Projects [Default]

List of GCP Projects that are trusted for access in the GCP Network policy.

This policy is used by the GCP > Network > Policy > Trusted Access
control to determine whether members of type "project" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.

```
example:
- dev-aaa
- dev-aab
```

Note: Setting the policy to an Empty array will remove all projects.

URI
tmod:@turbot/gcp-network#/policy/types/networkTrustedProjects
Default Template Input
"{\n value: policy(uri: \"tmod:@turbot/gcp#/policy/types/trustedProjects\")\n}\n"
Default Template
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

GCP > Network > Network > Trusted Service Accounts [Default]

List of GCP Service Accounts that are trusted for access in the GCP Network policy.

This policy is used by the GCP > Network > Policy > Trusted Access
control to determine which members of type "serviceAccount" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.

```
example:
- project-owner@dev-aaa.iam.gserviceaccount.com
- "*" # All service accounts trusted
```

Note: Setting the policy to an Empty array will remove all service accounts.

URI
tmod:@turbot/gcp-network#/policy/types/networkTrustedServiceAccounts
Default Template Input
"{\n value: policy(uri: \"tmod:@turbot/gcp#/policy/types/trustedServiceAccounts\")\n}\n"
Default Template
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

GCP > Network > Network > Trusted Users [Default]

List of GCP Users that are trusted for access in the GCP Network policy.

This policy is used by the GCP > Network > Trusted Access
control to determine which members of type "user" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.

```
example:
- "*@company.com" # All users with email ending in @company.com are trusted
- "test@dev-company.com"
- "dummy@gmail.com"
```

Note: Setting the policy to an Empty array will remove all users.

URI
tmod:@turbot/gcp-network#/policy/types/networkTrustedUsers
Default Template Input
"{\n value: policy(uri: \"tmod:@turbot/gcp#/policy/types/trustedUsers\")\n}\n"
Default Template
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

GCP > Network > Network > Usage

Configure the number of GCP Network networks that can be used for this project and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > Network > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/networkUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > Network > Usage > Limit

Maximum number of items that can be created for this project

URI
tmod:@turbot/gcp-network#/policy/types/networkUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 15
}

GCP > Network > Packet Mirroring > Active

Determine the action to take for a GCP Network packet mirroring, based on the GCP > Network > Packet Mirroring > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Packet Mirroring > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/packetMirroringActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > Packet Mirroring > Active > Age

The age after which the GCP Network packet mirroring
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Packet Mirroring > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/packetMirroringActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > Packet Mirroring > Active > Last Modified

The number of days since the GCP Network packet mirroring was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Packet Mirroring > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/packetMirroringActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > Packet Mirroring > Approved

Determine the action to take when a GCP Network packet mirroring is not approved based on GCP > Network > Packet Mirroring > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/packetMirroringApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > Packet Mirroring > Approved > Custom

Determine whether the GCP Network packet mirroring is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network packet mirroring is not approved, it will be subject to the action specified in the GCP > Network > Packet Mirroring > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/packetMirroringApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > Packet Mirroring > Approved > Regions

A list of GCP regions in which GCP Network packet mirrorings are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If a GCP Network packet mirroring is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > Packet Mirroring > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/packetMirroringApprovedRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > Packet Mirroring > Approved > Usage

Determine whether the GCP Network packet mirroring is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network packet mirroring is not approved, it will be subject to the action specified in the GCP > Network > Packet Mirroring > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/packetMirroringApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > Packet Mirroring > CMDB

Configure whether to record and synchronize details for the GCP Network packet mirroring into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Packet Mirroring > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/gcp-network#/policy/types/packetMirroringCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Network API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Network API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Network API is enabled"
}

GCP > Network > Packet Mirroring > Regions

A list of GCP regions in which GCP Network packet mirrorings are supported for use.

Any packet mirrorings in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/gcp-network#/policy/types/packetMirroringRegions
Schema
{
"allOf": [
{
"$ref": "gcp#/definitions/regionNameMatcherList"
},
{
"default": [
"asia-east1",
"asia-east2",
"asia-northeast1",
"asia-northeast2",
"asia-northeast3",
"asia-south1",
"asia-southeast1",
"asia-southeast2",
"australia-southeast1",
"europe-north1",
"europe-west1",
"europe-west2",
"europe-west3",
"europe-west4",
"europe-west6",
"northamerica-northeast1",
"southamerica-east1",
"us-central1",
"us-east1",
"us-east4",
"us-west1",
"us-west2",
"us-west3",
"us-west5"
]
}
]
}

GCP > Network > Packet Mirroring > Usage

Configure the number of GCP Network packet mirrorings that can be used for this project and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > Packet Mirroring > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/packetMirroringUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > Packet Mirroring > Usage > Limit

Maximum number of items that can be created for this project

URI
tmod:@turbot/gcp-network#/policy/types/packetMirroringUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 150
}

GCP > Network > Permissions

Configure whether permissions policies are in effect for GCP Network.
This setting does not affect Project level permissions (GCP/Admin, GCP/Owner, etc).

Note: The behavior of this policy depends on the value of GCP > Permissions.

URI
tmod:@turbot/gcp-network#/policy/types/networkServicePermissions
Valid Value
[
"Enabled",
"Disabled",
"Enabled if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled",
"Enabled if GCP > Network > Enabled"
],
"example": [
"Enabled"
],
"default": "Enabled if GCP > Network > Enabled"
}

GCP > Network > Permissions > Levels

Define the permissions levels that can be used to grant access to Network
in a GCP project. Permissions levels defined will appear in the UI to assign access to Guardrails users.

Note: Some services do not use all permissions levels, and any permissions level that has
no permissions associated will not be created even if it is selected here.

URI
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevels
Default Template Input
[
"{\n item: project {\n turbot{\n id\n }\n }\n}\n",
"{\n availableLevels: policyValues(filter:\"policyTypeLevel:self resourceId:{{ $.item.turbot.id }} policyTypeId:'tmod:@turbot/gcp-iam#/policy/types/permissionsLevelsDefault'\") {\n items {\n value\n }\n }\n}\n"
]
Default Template
"{% if $.availableLevels.items[0].value | length == 0 %} [] {% endif %}{% for item in $.availableLevels.items[0].value %}- {{ item }}\n{% endfor %}"
Schema
{
"type": "array",
"items": {
"type": "string",
"enum": [
"Metadata",
"ReadOnly",
"Operator",
"Admin",
"Owner"
]
}
}

GCP > Network > Permissions > Levels > Address Administration

Determines which Guardrails permissions level can manage Address Administration.

URI
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsAddressAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

GCP > Network > Permissions > Levels > Firewall Administration

Determines which Guardrails permissions level can manage Firewall Administration.

URI
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsFirewallAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

GCP > Network > Permissions > Levels > Forwarding Rules Administration

Determines which Guardrails permissions level can manage Forwarding Rules Administration.

URI
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsForwardingRulesAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

GCP > Network > Permissions > Levels > Global Addresses Administration

Determines which Guardrails permissions level can manage Global Addresses Administration.

URI
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsGlobalAddressesAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

GCP > Network > Permissions > Levels > Global Forwarding Rules Administration

Determines which Guardrails permissions level can manage Global Forwarding Rules Administration.

URI
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsGlobalForwardingRulesAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

GCP > Network > Permissions > Levels > HTTP Load Balancer Administration

Determines which Guardrails permissions level can manage HTTP Load Balancer Administration.

URI
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsHttpLoadBalancerAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

GCP > Network > Permissions > Levels > Modifiers

A map of GCP API to Guardrails Permission Level used to customize Guardrails' standard permissions.
You can add, remove or redefine the mapping of GCP API operations to Guardrails permissions levels here.

Note: Modifiers are cumulative - if you add a permission to the metadata level, it is also added
to readOnly, operator and admin. Modifier policies set here will “roll up” to the GCP level too - if
you add a permission to Admin, it will be granted to GCP/Storage/Admin and also GCP/Admin.

```
example:
- "storage.bucket.create": admin
- "sql.database.create": metadata
```

URI
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsModifiers

GCP > Network > Permissions > Levels > Network Administration

Determines which Guardrails permissions level can manage Network Administration.

URI
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsNetworkAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

GCP > Network > Permissions > Levels > Route Administration

Determines which Guardrails permissions level can manage Route Administration.

URI
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsRouteAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

GCP > Network > Permissions > Levels > Router Administration

Determines which Guardrails permissions level can manage Router Administration.

URI
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsRouterAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

GCP > Network > Permissions > Levels > Subnetwork Administration

Determines which Guardrails permissions level can manage Subnetwork Administration.

URI
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsSubnetworkAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

GCP > Network > Permissions > Levels > VPN Gateway Administration

Determines which Guardrails permissions level can manage VPN Gateway Administration.

URI
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsVpnGatewayAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

GCP > Network > Permissions > Levels > VPN Tunnel Administration

Determines which Guardrails permissions level can manage VPN Tunnel Administration.

URI
tmod:@turbot/gcp-network#/policy/types/networkServicePermissionsLevelsVpnTunnelAdministration
Valid Value
[
"None",
"Admin"
]
Schema
{
"type": "string",
"enum": [
"None",
"Admin"
],
"example": [
"None"
],
"default": "None"
}

GCP > Network > Region Backend Service > Active

Determine the action to take for a GCP Network region backend service, based on the GCP > Network > Region Backend Service > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region Backend Service > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > Region Backend Service > Active > Age

The age after which the GCP Network region backend service
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region Backend Service > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > Region Backend Service > Active > Last Modified

The number of days since the GCP Network region backend service was last modified before it is considered
inactive.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region Backend Service > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > Region Backend Service > Approved

Determine the action to take when a GCP Network region backend service is not approved based on GCP > Network > Region Backend Service > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > Region Backend Service > Approved > Custom

Determine whether the GCP Network region backend service is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network region backend service is not approved, it will be subject to the action specified in the GCP > Network > Region Backend Service > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > Region Backend Service > Approved > Regions

A list of GCP regions in which GCP Network region backend services are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If a GCP Network region backend service is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > Region Backend Service > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceApprovedRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > Region Backend Service > Approved > Usage

Determine whether the GCP Network region backend service is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network region backend service is not approved, it will be subject to the action specified in the GCP > Network > Region Backend Service > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > Region Backend Service > CMDB

Configure whether to record and synchronize details for the GCP Network region backend service into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Region Backend Service > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute Engine API is enabled"
}

GCP > Network > Region Backend Service > Configured

Determine how to configure this resource. Note that if the resource
is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherited from the stack that owns it.

URI
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceConfigured
Valid Value
[
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source"
]
Schema
{
"enum": [
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source"
],
"default": "Enforce: Configured if using Configured > Source"
}

GCP > Network > Region Backend Service > Configured > Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

By default, all resources are configured to use the precedence defined
here, though they can override their Claim Precedence.

URI
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceConfiguredPrecedence
Schema
{
"type": "array",
"items": {
"type": "string"
},
"default": [
"**"
]
}

GCP > Network > Region Backend Service > Configured > Source

An HCL- or JSON-format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceConfiguredSource
Schema
{
"type": "string",
"default": "{\"resource\": {}}\n",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

GCP > Network > Region Backend Service > Logging

Define the Logging settings required for GCP > Network > Region Backend Service > Logging.

Region Backend Service Logging allows you to audit, verify, and analyze the effects of your Region Backend Service.

URI
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceLogging
Valid Value
[
"Skip",
"Check: Enabled",
"Check: Disabled",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Enabled",
"Check: Disabled",
"Enforce: Enabled",
"Enforce: Disabled"
],
"example": [
"Check: Enabled"
],
"default": "Skip"
}

GCP > Network > Region Backend Service > Logging > Sample Rate

The value of the field must be in [0, 1]. This configures the sampling rate of
requests to the load balancer where 1 means all logged requests are reported and
0 means no logged requests are reported. The default value is 1.

URI
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceLoggingSampleRate
Schema
{
"type": "number",
"default": 1,
"minimum": 0,
"maximum": 1
}

GCP > Network > Region Backend Service > Regions

A list of GCP regions in which GCP Network region backend services are supported for use.

Any region backend services in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > Region Backend Service > Usage

Configure the number of GCP Network region backend services that can be used for this project and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > Region Backend Service > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > Region Backend Service > Usage > Limit

Maximum number of items that can be created for this project.

URI
tmod:@turbot/gcp-network#/policy/types/regionBackendServiceUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 9
}

GCP > Network > Region SSL Certificate > Active

Determine the action to take for a GCP Network region ssl certificate, based on the GCP > Network > Region SSL Certificate > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region SSL Certificate > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/regionSslCertificateActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > Region SSL Certificate > Active > Age

The age after which the GCP Network region ssl certificate
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region SSL Certificate > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/regionSslCertificateActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > Region SSL Certificate > Active > Last Modified

The number of days since the GCP Network region ssl certificate was last modified before it is considered
inactive.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region SSL Certificate > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/regionSslCertificateActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > Region SSL Certificate > Approved

Determine the action to take when a GCP Network region ssl certificate is not approved based on GCP > Network > Region SSL Certificate > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/regionSslCertificateApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > Region SSL Certificate > Approved > Custom

Determine whether the GCP Network region ssl certificate is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network region ssl certificate is not approved, it will be subject to the action specified in the GCP > Network > Region SSL Certificate > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/regionSslCertificateApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > Region SSL Certificate > Approved > Regions

A list of GCP regions in which GCP Network region ssl certificates are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If a GCP Network region ssl certificate is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > Region SSL Certificate > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/regionSslCertificateApprovedRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > Region SSL Certificate > Approved > Usage

Determine whether the GCP Network region ssl certificate is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network region ssl certificate is not approved, it will be subject to the action specified in the GCP > Network > Region SSL Certificate > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/regionSslCertificateApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > Region SSL Certificate > CMDB

Configure whether to record and synchronize details for the GCP Network region ssl certificate into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Region SSL Certificate > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/gcp-network#/policy/types/regionSslCertificateCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Network API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Network API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Network API is enabled"
}

GCP > Network > Region SSL Certificate > Regions

A list of GCP regions in which GCP Network region ssl certificates are supported for use.

Any region ssl certificates in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/gcp-network#/policy/types/regionSslCertificateRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > Region SSL Certificate > Usage

Configure the number of GCP Network region ssl certificates that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > Region SSL Certificate > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/regionSslCertificateUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > Region SSL Certificate > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/gcp-network#/policy/types/regionSslCertificateUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 100
}

GCP > Network > Region Target HTTPS Proxy > Active

Determine the action to take for a GCP Network region target https proxy, based on the GCP > Network > Region Target HTTPS Proxy > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region Target HTTPS Proxy > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > Region Target HTTPS Proxy > Active > Age

The age after which the GCP Network region target https proxy
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region Target HTTPS Proxy > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > Region Target HTTPS Proxy > Active > Last Modified

The number of days since the GCP Network region target https proxy was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region Target HTTPS Proxy > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > Region Target HTTPS Proxy > Approved

Determine the action to take when a GCP Network region target https proxy is not approved based on GCP > Network > Region Target HTTPS Proxy > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > Region Target HTTPS Proxy > Approved > Custom

Determine whether the GCP Network region target https proxy is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network region target https proxy is not approved, it will be subject to the action specified in the GCP > Network > Region Target HTTPS Proxy > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > Region Target HTTPS Proxy > Approved > Regions

A list of GCP regions in which GCP Network region target https proxies are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If a GCP Network region target https proxy is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > Region Target HTTPS Proxy > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyApprovedRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > Region Target HTTPS Proxy > Approved > Usage

Determine whether the GCP Network region target https proxy is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network region target https proxy is not approved, it will be subject to the action specified in the GCP > Network > Region Target HTTPS Proxy > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > Region Target HTTPS Proxy > CMDB

Configure whether to record and synchronize details for the GCP Network region target https proxy into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Region Target HTTPS Proxy > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Network API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Network API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Network API is enabled"
}

GCP > Network > Region Target HTTPS Proxy > Regions

A list of GCP regions in which GCP Network region target https proxies are supported for use.

Any region target https proxies in a region not listed here will not be recorded in the CMDB.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > Region Target HTTPS Proxy > SSL Policy

Determine whether a GCP Network region target HTTPS proxy is using an allowed SSL policy.

If a region target HTTPS proxy is not using an allowed SSL policy and this policy is set to
"Check: SSL policy in allowed list", the control raises an alarm.

URI
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxySslPolicy
Category
Valid Value
[
"Skip",
"Check: SSL policy in allowed list"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: SSL policy in allowed list"
],
"example": [
"Check: SSL policy in allowed list"
],
"default": "Skip"
}

GCP > Network > Region Target HTTPS Proxy > SSL Policy > Allowed

A list of SSL policies that the GCP Network target HTTPS proxy is allowed to use.

URI
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxySslPolicyAllowed
Category
Schema
{
"type": "array",
"items": {
"type": "string"
},
"default": [
"*"
]
}

GCP > Network > Region Target HTTPS Proxy > Usage

Configure the number of GCP Network region target https proxies that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > Region Target HTTPS Proxy > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > Region Target HTTPS Proxy > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 100
}

GCP > Network > Region URL Map > Active

Determine the action to take for a GCP Network region url map, based on the GCP > Network > Region URL Map > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region URL Map > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/regionUrlMapActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > Region URL Map > Active > Age

The age after which the GCP Network region url map
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region URL Map > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/regionUrlMapActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > Region URL Map > Active > Last Modified

The number of days since the GCP Network region url map was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Region URL Map > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/regionUrlMapActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > Region URL Map > Approved

Determine the action to take when a GCP Network region url map is not approved based on GCP > Network > Region URL Map > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/regionUrlMapApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > Region URL Map > Approved > Custom

Determine whether the GCP Network region url map is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network region url map is not approved, it will be subject to the action specified in the GCP > Network > Region URL Map > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/regionUrlMapApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > Region URL Map > Approved > Regions

A list of GCP regions in which GCP Network region url maps are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If a GCP Network region url map is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > Region URL Map > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/regionUrlMapApprovedRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > Region URL Map > Approved > Usage

Determine whether the GCP Network region url map is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network region url map is not approved, it will be subject to the action specified in the GCP > Network > Region URL Map > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/regionUrlMapApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > Region URL Map > CMDB

Configure whether to record and synchronize details for the GCP Network region url map into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Region URL Map > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/gcp-network#/policy/types/regionUrlMapCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Network API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Network API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Network API is enabled"
}

GCP > Network > Region URL Map > Regions

A list of GCP regions in which GCP Network region url maps are supported for use.

Any region url maps in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/gcp-network#/policy/types/regionUrlMapRegions
Schema
{
"allOf": [
{
"$ref": "gcp#/definitions/regionNameMatcherList"
},
{
"default": [
"asia-east1",
"asia-east2",
"asia-northeast1",
"asia-northeast2",
"asia-northeast3",
"asia-south1",
"asia-southeast1",
"asia-southeast2",
"australia-southeast1",
"europe-north1",
"europe-west1",
"europe-west2",
"europe-west3",
"europe-west4",
"europe-west6",
"northamerica-northeast1",
"southamerica-east1",
"us-central1",
"us-east1",
"us-east4",
"us-west1",
"us-west2",
"us-west3",
"us-west5"
]
}
]
}

GCP > Network > Region URL Map > Usage

Configure the number of GCP Network region url maps that can be used for this project and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > Region URL Map > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/regionUrlMapUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > Region URL Map > Usage > Limit

Maximum number of items that can be created for this project.

URI
tmod:@turbot/gcp-network#/policy/types/regionUrlMapUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 100
}

GCP > Network > Regions

A list of GCP regions in which GCP Network resources are supported for use.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

This policy is the default value for all GCP Network resources' Regions policies.

URI
tmod:@turbot/gcp-network#/policy/types/networkServiceRegionsDefault
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp#/policy/types/regionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > Route > Active

Determine the action to take for a GCP Network route, based on the GCP > Network > Route > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Route > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/routeActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > Route > Active > Age

The age after which the GCP Network route
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Route > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/routeActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > Route > Active > Last Modified

The number of days since the GCP Network route was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Route > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/routeActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > Route > Approved

Determine the action to take when a GCP Network route is not approved based on GCP > Network > Route > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/routeApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > Route > Approved > Custom

Determine whether the GCP Network route is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network route is not approved, it will be subject to the action specified in the GCP > Network > Route > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/routeApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > Route > Approved > Usage

Determine whether the GCP Network route is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network route is not approved, it will be subject to the action specified in the GCP > Network > Route > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/routeApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > Route > CMDB

Configure whether to record and synchronize details for the GCP Network route into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Route > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/gcp-network#/policy/types/routeCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute Engine API is enabled"
}

GCP > Network > Route > Configured

Determine how to configure this resource. Note that if the resource
is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherited from the stack that owns it.

URI
tmod:@turbot/gcp-network#/policy/types/routeConfigured
Valid Value
[
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source"
]
Schema
{
"enum": [
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source"
],
"default": "Enforce: Configured if using Configured > Source"
}

GCP > Network > Route > Configured > Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

By default, all resources are configured to use the precedence defined
here, though they can override their Claim Precedence.

URI
tmod:@turbot/gcp-network#/policy/types/routeConfiguredPrecedence
Schema
{
"type": "array",
"items": {
"type": "string"
},
"default": [
"**"
]
}

GCP > Network > Route > Configured > Source

An HCL- or JSON-format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/gcp-network#/policy/types/routeConfiguredSource
Schema
{
"type": "string",
"default": "{\"resource\": {}}\n",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

GCP > Network > Route > Regions

A list of GCP regions in which GCP Network routes are supported for use.

Any routes in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/gcp-network#/policy/types/routeRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > Route > Usage

Configure the number of GCP Network routes that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > Route > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/routeUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > Route > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/gcp-network#/policy/types/routeUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 250
}

GCP > Network > Router > Active

Determine the action to take for a GCP Network router, based on the GCP > Network > Router > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Router > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/routerActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > Router > Active > Age

The age after which the GCP Network router
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Router > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/routerActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > Router > Active > Last Modified

The number of days since the GCP Network router was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Router > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/routerActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > Router > Approved

Determine the action to take when a GCP Network router is not approved based on GCP > Network > Router > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/routerApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > Router > Approved > Custom

Determine whether the GCP Network router is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network router is not approved, it will be subject to the action specified in the GCP > Network > Router > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/routerApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > Router > Approved > Regions

A list of GCP regions in which GCP Network routers are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If a GCP Network router is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > Router > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/routerApprovedRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > Router > Approved > Usage

Determine whether the GCP Network router is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network router is not approved, it will be subject to the action specified in the GCP > Network > Router > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/routerApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > Router > CMDB

Configure whether to record and synchronize details for the GCP Network router into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Router > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/gcp-network#/policy/types/routerCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute Engine API is enabled"
}

GCP > Network > Router > Configured

Determine how to configure this resource. Note that if the resource
is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherited from the stack that owns it.

URI
tmod:@turbot/gcp-network#/policy/types/routerConfigured
Valid Value
[
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source"
]
Schema
{
"enum": [
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source"
],
"default": "Enforce: Configured if using Configured > Source"
}

GCP > Network > Router > Configured > Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

By default, all resources are configured to use the precedence defined
here, though they can override their Claim Precedence.

URI
tmod:@turbot/gcp-network#/policy/types/routerConfiguredPrecedence
Schema
{
"type": "array",
"items": {
"type": "string"
},
"default": [
"**"
]
}

GCP > Network > Router > Configured > Source

An HCL- or JSON-format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/gcp-network#/policy/types/routerConfiguredSource
Schema
{
"type": "string",
"default": "{\"resource\": {}}\n",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

GCP > Network > Router > Regions

A list of GCP regions in which GCP Network routers are supported for use.

Any routers in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/gcp-network#/policy/types/routerRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > Router > Usage

Configure the number of GCP Network routers that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > Router > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/routerUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > Router > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/gcp-network#/policy/types/routerUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 5
}

GCP > Network > SSL Certificate > Active

Determine the action to take for a GCP Network SSL certificate, based on the GCP > Network > SSL Certificate > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > SSL Certificate > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/sslCertificateActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > SSL Certificate > Active > Age

The age after which the GCP Network SSL certificate
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > SSL Certificate > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/sslCertificateActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > SSL Certificate > Active > Last Modified

The number of days since the GCP Network SSL certificate was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time-consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > SSL Certificate > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/sslCertificateActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > SSL Certificate > Approved

Determine the action to take when a GCP Network SSL certificate is not approved based on GCP > Network > SSL Certificate > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/sslCertificateApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > SSL Certificate > Approved > Custom

Determine whether the GCP Network ssl certificate is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network ssl certificate is not approved, it will be subject to the action specified in the GCP > Network > SSL Certificate > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/sslCertificateApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > SSL Certificate > Approved > Usage

Determine whether the GCP Network ssl certificate is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network ssl certificate is not approved, it will be subject to the action specified in the GCP > Network > SSL Certificate > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/sslCertificateApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > SSL Certificate > CMDB

Configure whether to record and synchronize details for the GCP Network ssl certificate into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/gcp-network#/policy/types/sslCertificateCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Network API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Network API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Network API is enabled"
}

GCP > Network > SSL Certificate > Usage

Configure the number of GCP Network ssl certificates that can be used for this project and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > SSL Certificate > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/sslCertificateUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > SSL Certificate > Usage > Limit

Maximum number of items that can be created for this project.

URI
tmod:@turbot/gcp-network#/policy/types/sslCertificateUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 100
}

GCP > Network > SSL Policy > Active

Determine the action to take for a GCP Network ssl policy, based on the GCP > Network > SSL Policy > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > SSL Policy > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/sslPolicyActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > SSL Policy > Active > Age

The age after which the GCP Network ssl policy
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > SSL Policy > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/sslPolicyActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > SSL Policy > Active > Last Modified

The number of days since the GCP Network ssl policy was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > SSL Policy > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/sslPolicyActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > SSL Policy > Approved

Determine the action to take when a GCP Network ssl policy is not approved based on GCP > Network > SSL Policy > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/sslPolicyApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > SSL Policy > Approved > Custom

Determine whether the GCP Network ssl policy is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network ssl policy is not approved, it will be subject to the action specified in the GCP > Network > SSL Policy > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/sslPolicyApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > SSL Policy > Approved > Usage

Determine whether the GCP Network ssl policy is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network ssl policy is not approved, it will be subject to the action specified in the GCP > Network > SSL Policy > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/sslPolicyApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > SSL Policy > CMDB

Configure whether to record and synchronize details for the GCP Network ssl policy into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/gcp-network#/policy/types/sslPolicyCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Network API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Network API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Network API is enabled"
}

GCP > Network > SSL Policy > Minimum TLS Version

Define the minimum version of the SSL protocol that clients will be able to use to establish a connection.

URI
tmod:@turbot/gcp-network#/policy/types/sslPolicyMinimumTlsVersion
Category
Valid Value
[
"Skip",
"Check: TLS 1.0",
"Check: TLS 1.1",
"Check: TLS 1.2",
"Enforce: TLS 1.0",
"Enforce: TLS 1.1",
"Enforce: TLS 1.2"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: TLS 1.0",
"Check: TLS 1.1",
"Check: TLS 1.2",
"Enforce: TLS 1.0",
"Enforce: TLS 1.1",
"Enforce: TLS 1.2"
],
"example": [
"Skip"
],
"default": "Skip"
}

GCP > Network > SSL Policy > Profile

Define the profile which sets the features used in negotiating SSL with clients.

Managed profiles are maintained to support new SSL capabilities.

URI
tmod:@turbot/gcp-network#/policy/types/sslPolicyProfile
Category
Valid Value
[
"Skip",
"Check: Compatible",
"Check: Modern",
"Check: Restricted",
"Enforce: Compatible",
"Enforce: Modern",
"Enforce: Restricted"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Compatible",
"Check: Modern",
"Check: Restricted",
"Enforce: Compatible",
"Enforce: Modern",
"Enforce: Restricted"
],
"example": [
"Skip"
],
"default": "Skip"
}

GCP > Network > SSL Policy > Usage

Configure the number of GCP Network ssl policies that can be used for this project and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > SSL Policy > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/sslPolicyUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > SSL Policy > Usage > Limit

Maximum number of items that can be created for this project.

URI
tmod:@turbot/gcp-network#/policy/types/sslPolicyUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 100
}

GCP > Network > Subnetwork > Active

Determine the action to take for a GCP Network subnetwork, based on the GCP > Network > Subnetwork > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Subnetwork > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/subnetworkActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > Subnetwork > Active > Age

The age after which the GCP Network subnetwork
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Subnetwork > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/subnetworkActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > Subnetwork > Active > Last Modified

The number of days since the GCP Network subnetwork was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Subnetwork > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/subnetworkActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > Subnetwork > Approved

Determine the action to take when a GCP Network subnetwork is not approved based on GCP > Network > Subnetwork > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/subnetworkApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > Subnetwork > Approved > Custom

Determine whether the GCP Network subnetwork is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network subnetwork is not approved, it will be subject to the action specified in the GCP > Network > Subnetwork > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/subnetworkApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > Subnetwork > Approved > Regions

A list of GCP regions in which GCP Network subnetworks are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If a GCP Network subnetwork is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > Subnetwork > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/subnetworkApprovedRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > Subnetwork > Approved > Usage

Determine whether the GCP Network subnetwork is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network subnetwork is not approved, it will be subject to the action specified in the GCP > Network > Subnetwork > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/subnetworkApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > Subnetwork > CMDB

Configure whether to record and synchronize details for the GCP Network subnetwork into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > Subnetwork > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/gcp-network#/policy/types/subnetworkCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute Engine API is enabled"
}

GCP > Network > Subnetwork > Configured

Determine how to configure this resource. Note that if the resource
is managed by another stack, then the Skip/Check/Enforce values here are ignored
and are inherited from the stack that owns it.

URI
tmod:@turbot/gcp-network#/policy/types/subnetworkConfigured
Valid Value
[
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source"
]
Schema
{
"enum": [
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source"
],
"default": "Enforce: Configured if using Configured > Source"
}

GCP > Network > Subnetwork > Configured > Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

By default, all resources are configured to use the precedence defined
here, though they can override their Claim Precedence.

URI
tmod:@turbot/gcp-network#/policy/types/subnetworkConfiguredPrecedence
Schema
{
"type": "array",
"items": {
"type": "string"
},
"default": [
"**"
]
}

GCP > Network > Subnetwork > Configured > Source

An HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/gcp-network#/policy/types/subnetworkConfiguredSource
Schema
{
"type": "string",
"default": "{\"resource\": {}}\n",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

GCP > Network > Subnetwork > Policy

URI
tmod:@turbot/gcp-network#/policy/types/subnetworkPolicy
Targets

GCP > Network > Subnetwork > Policy > Trusted Access

Check or Enforce access checking on the GCP Network Subnetwork policy.

Google Cloud IAM allows you to control who has access to the
network subnetwork via an IAM Policy. The Trusted Access policy
allows you to configure whether Guardrails will evaluate or
enforce restrictions on which members are allowed to be granted
access.

If enabled, the members in the IAM policy will be evaluated
against the list of allowed members in each of the Trusted
Access sub-policies (Trusted Access > Domains,
Trusted Access > Groups, etc).

If set to "Enforce: Trusted Access > *", access to non-trusted
members will be removed.

URI
tmod:@turbot/gcp-network#/policy/types/subnetworkPolicyTrustedAccess
Valid Value
[
"Skip",
"Check: Trusted Access > *",
"Enforce: Trusted Access > *"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Trusted Access > *",
"Enforce: Trusted Access > *"
],
"default": "Skip"
}

GCP > Network > Subnetwork > Policy > Trusted Access > Domains

List of GCP Domains that are trusted for access in the GCP Network Subnetwork policy.

This policy is used by the GCP > Network > Subnetwork > Policy > Trusted Access
control to determine which members of type "domain" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.

example:
 - company.com
 - company-dev.org

Note: Setting the policy to an Empty array will remove all domains.

URI
tmod:@turbot/gcp-network#/policy/types/subnetworkPolicyTrustedDomains
Default Template Input
"{\n value: policy(uri: \"tmod:@turbot/gcp-network#/policy/types/networkTrustedDomains\")\n}\n"
Default Template
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

GCP > Network > Subnetwork > Policy > Trusted Access > Groups

List of GCP Groups that are trusted for access in the GCP Network Subnetwork policy.

This policy is used by the GCP > Network > Subnetwork > Policy > Trusted Access
control to determine which members of type "group" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.

```
example:
- notification@company.com
- "*@company.com"
```

Note: Setting the policy to an Empty array will remove all groups.

URI
tmod:@turbot/gcp-network#/policy/types/subnetworkPolicyTrustedGroups
Default Template Input
"{\n value: policy(uri: \"tmod:@turbot/gcp-network#/policy/types/networkTrustedGroups\")\n}\n"
Default Template
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

GCP > Network > Subnetwork > Policy > Trusted Access > Projects

List of GCP Projects that are trusted for access in the GCP Network Subnetwork policy.

This policy is used by the GCP > Network > Subnetwork > Policy > Trusted Access
control to determine whether members of type "project" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.

example:
 - dev-aaa
 - dev-aab

Note: Setting the policy to an Empty array will remove all projects.

URI
tmod:@turbot/gcp-network#/policy/types/subnetworkPolicyTrustedProjects
Default Template Input
"{\n value: policy(uri: \"tmod:@turbot/gcp-network#/policy/types/networkTrustedProjects\")\n}\n"
Default Template
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

GCP > Network > Subnetwork > Policy > Trusted Access > Service Accounts

List of GCP Service Accounts that are trusted for access in the GCP Network Subnetwork policy.

This policy is used by the GCP > Network > Subnetwork > Policy > Trusted Access
control to determine which members of type "serviceAccount" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.

```
example:
- project-owner@dev-aaa.iam.gserviceaccount.com
- "*" # All service accounts trusted
```

Note: Setting the policy to an Empty array will remove all service accounts.

URI
tmod:@turbot/gcp-network#/policy/types/subnetworkPolicyTrustedServiceAccounts
Default Template Input
"{\n value: policy(uri: \"tmod:@turbot/gcp-network#/policy/types/networkTrustedServiceAccounts\")\n}\n"
Default Template
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

GCP > Network > Subnetwork > Policy > Trusted Access > Users

List of GCP Users that are trusted for access in the GCP Network Subnetwork policy.

This policy is used by the GCP > Network > Subnetwork > Trusted Access
control to determine which members of type "user" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.

```
example:
- "*@company.com" # All users with email ending in @company.com are trusted
- "test@dev-company.com"
- "dummy@gmail.com"
```

Note: Setting the policy to an Empty array will remove all users.

URI
tmod:@turbot/gcp-network#/policy/types/subnetworkPolicyTrustedUsers
Default Template Input
"{\n value: policy(uri: \"tmod:@turbot/gcp-network#/policy/types/networkTrustedUsers\")\n}\n"
Default Template
"{% if $.value | length == 0 %}[]{% else %}{% for item in $.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
Schema
{
"type": "array",
"items": {
"type": "string"
}
}

GCP > Network > Subnetwork > Regions

A list of GCP regions in which GCP Network subnetworks are supported for use.

Any subnetworks in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/gcp-network#/policy/types/subnetworkRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > Subnetwork > Usage

Configure the number of GCP Network subnetworks that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > Subnetwork > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/subnetworkUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > Subnetwork > Usage > Limit

Maximum number of items that can be created for this region

URI
tmod:@turbot/gcp-network#/policy/types/subnetworkUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 175
}

GCP > Network > Target HTTPS Proxy > Active

Determine the action to take for a GCP Network target https proxy, based on the GCP > Network > Target HTTPS Proxy > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Target HTTPS Proxy > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxyActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > Target HTTPS Proxy > Active > Age

The age after which the GCP Network target https proxy
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Target HTTPS Proxy > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxyActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > Target HTTPS Proxy > Active > Last Modified

The number of days since the GCP Network target https proxy was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Target HTTPS Proxy > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxyActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > Target HTTPS Proxy > Approved

Determine the action to take when a GCP Network target https proxy is not approved based on GCP > Network > Target HTTPS Proxy > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxyApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > Target HTTPS Proxy > Approved > Custom

Determine whether the GCP Network target https proxy is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network target https proxy is not approved, it will be subject to the action specified in the GCP > Network > Target HTTPS Proxy > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxyApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > Target HTTPS Proxy > Approved > Usage

Determine whether the GCP Network target https proxy is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network target https proxy is not approved, it will be subject to the action specified in the GCP > Network > Target HTTPS Proxy > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxyApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > Target HTTPS Proxy > CMDB

Configure whether to record and synchronize details for the GCP Network target https proxy into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxyCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Network API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Network API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Network API is enabled"
}

GCP > Network > Target HTTPS Proxy > SSL Policy

Determine the action to take when a GCP Network target HTTPS proxy is not using an
allowed SSL policy.

If a target HTTPS proxy is not using an allowed SSL policy and this policy is set to
"Enforce: Set to default if SSL policy not in allowed list", the target HTTPS proxy will be updated to use
the SSL policy selected in the GCP > Network > Target HTTPS Proxy > SSL Policy > Default policy.

If the SSL policy in the GCP > Network > Target HTTPS Proxy > SSL Policy > Default policy is not allowed
by the GCP > Network > Target HTTPS Proxy > SSL Policy > Allowed policy, Guardrails will not attempt to set
the SSL policy, so as to prevent continuous updates.

URI
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxySslPolicy
Category
Valid Value
[
"Skip",
"Check: SSL policy in allowed list",
"Enforce: Set to default if SSL policy not in allowed list"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: SSL policy in allowed list",
"Enforce: Set to default if SSL policy not in allowed list"
],
"example": [
"Check: SSL policy in allowed list"
],
"default": "Skip"
}

GCP > Network > Target HTTPS Proxy > SSL Policy > Allowed

A list of SSL policies that the GCP Network target HTTPS proxy is allowed to use.

URI
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxySslPolicyAllowed
Category
Schema
{
"type": "array",
"items": {
"type": "string"
},
"default": [
"*"
]
}

GCP > Network > Target HTTPS Proxy > SSL Policy > Default

Define the default GCP SSL policy the GCP Network target HTTPS proxy should use if it's
not currently using an allowed SSL policy.

URI
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxySslPolicyDefault
Category
Schema
{
"type": "string",
"default": ""
}

GCP > Network > Target HTTPS Proxy > Usage

Configure the number of GCP Network target https proxies that can be used for this project and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > Target HTTPS Proxy > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxyUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > Target HTTPS Proxy > Usage > Limit

Maximum number of items that can be created for this project

URI
tmod:@turbot/gcp-network#/policy/types/targetHttpsProxyUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 100
}

GCP > Network > Target Pool > Active

Determine the action to take for a GCP Network target pool, based on the GCP > Network > Target Pool > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Target Pool > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/targetPoolActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > Target Pool > Active > Age

The age after which the GCP Network target pool
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Target Pool > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/targetPoolActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > Target Pool > Active > Last Modified

The number of days since the GCP Network target pool was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Target Pool > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/targetPoolActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > Target Pool > Approved

Determine the action to take when a GCP Network target pool is not approved based on GCP > Network > Target Pool > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/targetPoolApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > Target Pool > Approved > Custom

Determine whether the GCP Network target pool is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network target pool is not approved, it will be subject to the action specified in the GCP > Network > Target Pool > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/targetPoolApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > Target Pool > Approved > Regions

A list of GCP regions in which GCP Network target pools are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If a GCP Network target pool is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > Target Pool > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/targetPoolApprovedRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > Target Pool > Approved > Usage

Determine whether the GCP Network target pool is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network target pool is not approved, it will be subject to the action specified in the GCP > Network > Target Pool > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/targetPoolApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > Target Pool > CMDB

Configure whether to record and synchronize details for the GCP Network target pool into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If a region is not in the GCP > Network > Target Pool > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/gcp-network#/policy/types/targetPoolCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Network API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Network API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Network API is enabled"
}

GCP > Network > Target Pool > Regions

A list of GCP regions in which GCP Network target pools are supported for use.

Any target pools in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/gcp-network#/policy/types/targetPoolRegions
Schema
{
"allOf": [
{
"$ref": "gcp#/definitions/regionNameMatcherList"
},
{
"default": [
"asia-east1",
"asia-east2",
"asia-northeast1",
"asia-northeast2",
"asia-northeast3",
"asia-south1",
"asia-southeast1",
"asia-southeast2",
"australia-southeast1",
"europe-north1",
"europe-west1",
"europe-west2",
"europe-west3",
"europe-west4",
"europe-west6",
"northamerica-northeast1",
"southamerica-east1",
"us-central1",
"us-east1",
"us-east4",
"us-west1",
"us-west2",
"us-west3",
"us-west5"
]
}
]
}

GCP > Network > Target Pool > Usage

Configure the number of GCP Network target pools that can be used for this project and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > Target Pool > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/targetPoolUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > Target Pool > Usage > Limit

Maximum number of items that can be created for this project.

URI
tmod:@turbot/gcp-network#/policy/types/targetPoolUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 500
}

GCP > Network > Target SSL Proxy > Active

Determine the action to take for a GCP Network target ssl proxy, based on the GCP > Network > Target SSL Proxy > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Target SSL Proxy > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/targetSslProxyActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > Target SSL Proxy > Active > Age

The age after which the GCP Network target ssl proxy is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Target SSL Proxy > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/targetSslProxyActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > Target SSL Proxy > Active > Last Modified

The number of days since the GCP Network target ssl proxy was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Target SSL Proxy > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/targetSslProxyActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > Target SSL Proxy > Approved

Determine the action to take when a GCP Network target ssl proxy is not approved based on GCP > Network > Target SSL Proxy > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/targetSslProxyApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > Target SSL Proxy > Approved > Custom

Determine whether the GCP Network target ssl proxy is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network target ssl proxy is not approved, it will be subject to the action specified in the GCP > Network > Target SSL Proxy > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/targetSslProxyApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > Target SSL Proxy > Approved > Usage

Determine whether the GCP Network target ssl proxy is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network target ssl proxy is not approved, it will be subject to the action specified in the GCP > Network > Target SSL Proxy > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/targetSslProxyApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > Target SSL Proxy > CMDB

Configure whether to record and synchronize details for the GCP Network target ssl proxy into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/gcp-network#/policy/types/targetSslProxyCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Network API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Network API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Network API is enabled"
}

GCP > Network > Target SSL Proxy > SSL Policy

Determine the action to take when a GCP Network target SSL proxy is not using
an allowed SSL policy.

If a target SSL proxy is not using an allowed SSL policy and this policy is set to
Enforce: Set to default if SSL policy not in allowed list, the target SSL proxy will be updated
to use the SSL policy selected in the GCP > Network > Target SSL Proxy > SSL Policy > Default policy.

If the SSL policy in the GCP > Network > Target SSL Proxy > SSL Policy > Default policy is
not allowed in the GCP > Network > Target SSL Proxy > SSL Policy > Allowed policy, Guardrails will
not attempt to set the SSL policy, to prevent continuous updates.

URI
tmod:@turbot/gcp-network#/policy/types/targetSslProxySslPolicy
Category
Valid Value
[
"Skip",
"Check: SSL policy in allowed list",
"Enforce: Set to default if SSL policy not in allowed list"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: SSL policy in allowed list",
"Enforce: Set to default if SSL policy not in allowed list"
],
"example": [
"Check: SSL policy in allowed list"
],
"default": "Skip"
}

GCP > Network > Target SSL Proxy > SSL Policy > Allowed

A list of SSL policies that the GCP Network target SSL proxy is allowed to use.

URI
tmod:@turbot/gcp-network#/policy/types/targetSslProxySslPolicyAllowed
Category
Schema
{
"type": "array",
"items": {
"type": "string"
},
"default": [
"*"
]
}

GCP > Network > Target SSL Proxy > SSL Policy > Default

Define the default GCP SSL policy the GCP Network target SSL proxy should use if it's
not currently using an allowed SSL policy.

URI
tmod:@turbot/gcp-network#/policy/types/targetSslProxySslPolicyDefault
Category
Schema
{
"type": "string",
"default": ""
}
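
The decision described by the SSL Policy, SSL Policy > Allowed and SSL Policy > Default policies above, modelled as an added example (this is not Guardrails code). The state labels, function names, sample proxy and SSL policy names, the use of '*' and '?' wildcards in Allowed entries, and the empty string for a proxy with no SSL policy attached are assumptions made for illustration.

```python
import re

# Settings copied from the "Valid Value" list of
# GCP > Network > Target SSL Proxy > SSL Policy.
SKIP = "Skip"
CHECK = "Check: SSL policy in allowed list"
ENFORCE = "Enforce: Set to default if SSL policy not in allowed list"


def _matcher(pattern):
    """Compile one Allowed entry; only '*' and '?' are special (assumption)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def is_allowed(ssl_policy, allowed):
    """True if the SSL policy name matches any entry of the Allowed list."""
    return any(_matcher(p).fullmatch(ssl_policy) for p in allowed)


def evaluate(setting, current, allowed, default):
    """Return (state, new_policy) for one target SSL proxy.

    state is "skipped", "ok" or "alarm" (labels chosen for this example).
    new_policy is the SSL policy the proxy would be switched to, or None
    when no update is made.
    """
    if setting == SKIP:
        return ("skipped", None)
    if setting not in (CHECK, ENFORCE):
        raise ValueError(f"not a valid SSL Policy setting: {setting!r}")
    if is_allowed(current, allowed):
        return ("ok", None)
    # Not in the allowed list. Enforcement only happens when the Default
    # policy is itself allowed; otherwise every update would leave the proxy
    # non-compliant and trigger another update (the "continuous updates"
    # case the documentation describes).
    if setting == ENFORCE and is_allowed(default, allowed):
        return ("alarm", default)
    return ("alarm", None)


# Constructed sample data: proxy names and SSL policy names are made up.
SAMPLE_PROXIES = {
    "payments-proxy": "modern-tls12",
    "legacy-proxy": "compat-tls10",
    "unattached-proxy": "",  # no SSL policy attached (representation assumed)
}


def audit(setting, allowed, default, proxies=SAMPLE_PROXIES):
    """Evaluate every proxy and return {proxy name: (state, new_policy)}."""
    return {
        name: evaluate(setting, current, allowed, default)
        for name, current in proxies.items()
    }


if __name__ == "__main__":
    # Same Allowed list, two Default values: one inside the list, one outside.
    for default in ("modern-tls12", "corp-baseline"):
        print(f"Default = {default!r}")
        for name, (state, new) in audit(ENFORCE, ["modern-*"], default).items():
            print(f"  {name:18} {state:8} -> {new or 'no change'}")
```

With the Default outside the Allowed list, the Enforce setting behaves like Check for every non-compliant proxy, so an alarm that never clears under Enforce is a cue to compare the Default and Allowed policies.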

GCP > Network > Target SSL Proxy > Usage

Configure the number of GCP Network target ssl proxies that can be used for this project and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > Target SSL Proxy > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/targetSslProxyUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > Target SSL Proxy > Usage > Limit

Maximum number of items that can be created for this project.

URI
tmod:@turbot/gcp-network#/policy/types/targetSslProxyUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 100
}

GCP > Network > Target TCP Proxy > Active

Determine the action to take for a GCP Network target tcp proxy, based on the GCP > Network > Target TCP Proxy > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Target TCP Proxy > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/targetTcpProxyActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > Target TCP Proxy > Active > Age

The age after which the GCP Network target tcp proxy is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Target TCP Proxy > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/targetTcpProxyActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > Target TCP Proxy > Active > Last Modified

The number of days since the GCP Network target tcp proxy was last modified before it is considered inactive.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Target TCP Proxy > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/targetTcpProxyActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > Target TCP Proxy > Approved

Determine the action to take when a GCP Network target tcp proxy is not approved based on GCP > Network > Target TCP Proxy > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/targetTcpProxyApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > Target TCP Proxy > Approved > Custom

Determine whether the GCP Network target tcp proxy is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network target tcp proxy is not approved, it will be subject to the action specified in the GCP > Network > Target TCP Proxy > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/targetTcpProxyApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > Target TCP Proxy > Approved > Usage

Determine whether the GCP Network target tcp proxy is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network target tcp proxy is not approved, it will be subject to the action specified in the GCP > Network > Target TCP Proxy > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/targetTcpProxyApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > Target TCP Proxy > CMDB

Configure whether to record and synchronize details for the GCP Network target tcp proxy into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/gcp-network#/policy/types/targetTcpProxyCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Network API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Network API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Network API is enabled"
}

GCP > Network > Target TCP Proxy > Usage

Configure the number of GCP Network target tcp proxies that can be used for this project and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > Target TCP Proxy > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/targetTcpProxyUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > Target TCP Proxy > Usage > Limit

Maximum number of items that can be created for this project.

URI
tmod:@turbot/gcp-network#/policy/types/targetTcpProxyUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 100
}

GCP > Network > Target VPN Gateway > Active

Determine the action to take for a GCP Network target vpn gateway, based on the GCP > Network > Target VPN Gateway > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Target VPN Gateway > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > Target VPN Gateway > Active > Age

The age after which the GCP Network target vpn gateway is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Target VPN Gateway > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > Target VPN Gateway > Active > Last Modified

The number of days since the GCP Network target vpn gateway was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > Target VPN Gateway > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > Target VPN Gateway > Approved

Determine the action to take when a GCP Network target vpn gateway is not approved based on GCP > Network > Target VPN Gateway > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > Target VPN Gateway > Approved > Custom

Determine whether the GCP Network target vpn gateway is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network target vpn gateway is not approved, it will be subject to the action specified in the GCP > Network > Target VPN Gateway > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > Target VPN Gateway > Approved > Regions

A list of GCP regions in which GCP Network target vpn gateways are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If a GCP Network target vpn gateway is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > Target VPN Gateway > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayApprovedRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > Target VPN Gateway > Approved > Usage

Determine whether the GCP Network target vpn gateway is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network target vpn gateway is not approved, it will be subject to the action specified in the GCP > Network > Target VPN Gateway > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > Target VPN Gateway > CMDB

Configure whether to record and synchronize details for the GCP Network target vpn gateway into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If a region is not in the GCP > Network > Target VPN Gateway > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute Engine API is enabled"
}

GCP > Network > Target VPN Gateway > Configured

Determine how to configure this resource. Note that if the resource
is managed by another stack, then the Skip/Check/Enforce values here are ignored
and are inherited from the stack that owns it.

URI
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayConfigured
Valid Value
[
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source"
]
Schema
{
"enum": [
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source"
],
"default": "Enforce: Configured if using Configured > Source"
}

GCP > Network > Target VPN Gateway > Configured > Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

By default, all resources are configured to use the precedence defined
here, though they can override their Claim Precedence.

URI
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayConfiguredPrecedence
Schema
{
"type": "array",
"items": {
"type": "string"
},
"default": [
"**"
]
}

GCP > Network > Target VPN Gateway > Configured > Source

An HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayConfiguredSource
Schema
{
"type": "string",
"default": "{\"resource\": {}}\n",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

GCP > Network > Target VPN Gateway > Regions

A list of GCP regions in which GCP Network target vpn gateways are supported for use.

Any target vpn gateways in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > Target VPN Gateway > Usage

Configure the number of GCP Network target vpn gateways that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > Target VPN Gateway > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > Target VPN Gateway > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 15
}

GCP > Network > URL Map > Active

Determine the action to take for a GCP Network url map, based on the GCP > Network > URL Map > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > URL Map > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/urlMapActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > URL Map > Active > Age

The age after which the GCP Network url map
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > URL Map > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/urlMapActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > URL Map > Active > Last Modified

The number of days since the GCP Network url map was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > URL Map > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/urlMapActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > URL Map > Approved

Determine the action to take when a GCP Network url map is not approved based on GCP > Network > URL Map > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/urlMapApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > URL Map > Approved > Custom

Determine whether the GCP Network url map is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network url map is not approved, it will be subject to the action specified in the GCP > Network > URL Map > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/urlMapApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > URL Map > Approved > Usage

Determine whether the GCP Network url map is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network url map is not approved, it will be subject to the action specified in the GCP > Network > URL Map > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/urlMapApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > URL Map > CMDB

Configure whether to record and synchronize details for the GCP Network url map into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

URI
tmod:@turbot/gcp-network#/policy/types/urlMapCmdb
Category
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Network API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Network API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Network API is enabled"
}

GCP > Network > URL Map > Usage

Configure the number of GCP Network url maps that can be used for this project and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > URL Map > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/urlMapUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > URL Map > Usage > Limit

Maximum number of items that can be created for this project.

URI
tmod:@turbot/gcp-network#/policy/types/urlMapUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 100
}

GCP > Network > VPN Tunnel > Active

Determine the action to take for a GCP Network vpn tunnel, based on the GCP > Network > VPN Tunnel > Active > * policies.

The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > VPN Tunnel > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/vpnTunnelActive
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

GCP > Network > VPN Tunnel > Active > Age

The age after which the GCP Network vpn tunnel
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > VPN Tunnel > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/gcp-network#/policy/types/vpnTunnelActiveAge
Valid Value
[
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Force inactive if age > 1 day",
"Force inactive if age > 3 days",
"Force inactive if age > 7 days",
"Force inactive if age > 14 days",
"Force inactive if age > 30 days",
"Force inactive if age > 60 days",
"Force inactive if age > 90 days",
"Force inactive if age > 180 days",
"Force inactive if age > 365 days"
],
"example": [
"Force inactive if age > 90 days"
],
"default": "Skip"
}

GCP > Network > VPN Tunnel > Active > Last Modified

The number of days since the GCP Network vpn tunnel was last modified before it is considered
inactive.

The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.

The Active control checks the status of all defined Active policies for the
resource (GCP > Network > VPN Tunnel > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the
resource appears to be Unapproved for any reason it will be considered
Unapproved.

URI
tmod:@turbot/gcp-network#/policy/types/vpnTunnelActiveLastModified
Valid Value
[
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Active if last modified <= 1 day",
"Active if last modified <= 3 days",
"Active if last modified <= 7 days",
"Active if last modified <= 14 days",
"Active if last modified <= 30 days",
"Active if last modified <= 60 days",
"Active if last modified <= 90 days",
"Active if last modified <= 180 days",
"Active if last modified <= 365 days",
"Force active if last modified <= 1 day",
"Force active if last modified <= 3 days",
"Force active if last modified <= 7 days",
"Force active if last modified <= 14 days",
"Force active if last modified <= 30 days",
"Force active if last modified <= 60 days",
"Force active if last modified <= 90 days",
"Force active if last modified <= 180 days",
"Force active if last modified <= 365 days"
],
"example": [
"Active if last modified <= 90 days"
],
"default": "Skip"
}

GCP > Network > VPN Tunnel > Approved

Determine the action to take when a GCP Network vpn tunnel is not approved based on GCP > Network > VPN Tunnel > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/vpnTunnelApproved
Valid Value
[
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Approved",
"Enforce: Delete unapproved if new"
],
"example": [
"Check: Approved"
],
"default": "Skip"
}

GCP > Network > VPN Tunnel > Approved > Custom

Determine whether the GCP Network vpn tunnel is allowed to exist.
This policy will be evaluated by the Approved control. If a GCP Network vpn tunnel is not approved, it will be subject to the action specified in the GCP > Network > VPN Tunnel > Approved policy.
See Approved for more information.

Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.

URI
tmod:@turbot/gcp-network#/policy/types/vpnTunnelApprovedCustom
Schema
{
"example": [
"Approved",
"Not approved",
"Skip",
{
"result": "Approved"
},
{
"title": "string",
"result": "Not approved"
},
{
"title": "string",
"result": "Approved",
"message": "string"
},
[
{
"title": "string",
"result": "Approved",
"message": "string"
},
{
"title": "string",
"result": "Not approved",
"message": "string"
}
]
],
"anyOf": [
{
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
}
},
{
"type": "object",
"properties": {
"title": {
"type": "string",
"pattern": "^[\\W\\w]{1,32}$"
},
"message": {
"type": "string",
"pattern": "^[\\W\\w]{1,128}$"
},
"result": {
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
},
"required": [
"result"
],
"additionalProperties": false
},
{
"type": "string",
"pattern": "^(Approved|Not approved|Skip)$"
}
],
"default": "Skip"
}

GCP > Network > VPN Tunnel > Approved > Regions

A list of GCP regions in which GCP Network vpn tunnels are approved for use.

The expected format is an array of region names. You may use the '*' and '?' wildcard characters.

This policy will be evaluated by the Approved control. If a GCP Network vpn tunnel is created in a region that is not in the approved list, it will be subject to the action specified in the GCP > Network > VPN Tunnel > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/vpnTunnelApprovedRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceApprovedRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > VPN Tunnel > Approved > Usage

Determine whether the GCP Network vpn tunnel is allowed to exist.

This policy will be evaluated by the Approved control. If a GCP Network vpn tunnel is not approved, it will be subject to the action specified in the GCP > Network > VPN Tunnel > Approved policy.

See Approved for more information.

URI
tmod:@turbot/gcp-network#/policy/types/vpnTunnelApprovedUsage
Valid Value
[
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Not approved",
"Approved",
"Approved if GCP > Network > Enabled"
],
"example": [
"Not approved"
],
"default": "Approved if GCP > Network > Enabled"
}

GCP > Network > VPN Tunnel > CMDB

Configure whether to record and synchronize details for the GCP Network vpn tunnel into the CMDB.

The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".

If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.

To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".

CMDB controls also use the Regions policy associated with the resource. If the region is not in the GCP > Network > VPN Tunnel > Regions policy, the CMDB control will delete the resource from the CMDB.

(Note: Setting CMDB to "Skip" will also pause these changes.)

URI
tmod:@turbot/gcp-network#/policy/types/vpnTunnelCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Compute Engine API is enabled",
"Enforce: Disabled"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Compute Engine API is enabled"
}

GCP > Network > VPN Tunnel > Configured

Determine how to configure this resource. Note that if the resource
is managed by another stack, then the Skip/Check/Enforce values here are ignored
and are inherited from the stack that owns it.

URI
tmod:@turbot/gcp-network#/policy/types/vpnTunnelConfigured
Valid Value
[
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source"
]
Schema
{
"enum": [
"Skip if using Configured > Source",
"Check: Configured if using Configured > Source",
"Enforce: Configured if using Configured > Source"
],
"default": "Enforce: Configured if using Configured > Source"
}

GCP > Network > VPN Tunnel > Configured > Precedence

An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.

By default, all resources are configured to use the precedence defined
here, though they can override their Claim Precedence.

URI
tmod:@turbot/gcp-network#/policy/types/vpnTunnelConfiguredPrecedence
Schema
{
"type": "array",
"items": {
"type": "string"
},
"default": [
"**"
]
}

GCP > Network > VPN Tunnel > Configured > Source

An HCL or JSON format Terraform configuration source used to configure this resource.

URI
tmod:@turbot/gcp-network#/policy/types/vpnTunnelConfiguredSource
Schema
{
"type": "string",
"default": "{\"resource\": {}}\n",
"x-schema-form": {
"type": "code",
"language": "hcl"
}
}

GCP > Network > VPN Tunnel > Labels

Determine the action to take when GCP Network vpn tunnel labels are not updated based on the GCP > Network > VPN Tunnel > Labels > * policies.

The control ensures GCP Network vpn tunnel labels include labels defined in GCP > Network > VPN Tunnel > Labels > Template.

Labels not defined in VPN Tunnel Labels Template will not be modified or deleted. Setting a label value to undefined will result in the label being deleted.

See Labels for more information.

URI
tmod:@turbot/gcp-network#/policy/types/vpnTunnelLabels
Valid Value
[
"Skip",
"Check: Labels are correct",
"Enforce: Set labels"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Labels are correct",
"Enforce: Set labels"
],
"example": [
"Check: Labels are correct"
],
"default": "Skip"
}

GCP > Network > VPN Tunnel > Labels > Template

The template is used to generate the label keys and values for a GCP Network vpn tunnel.

Labels not defined in VPN Tunnel Labels Template will not be modified or deleted. Setting a label value to undefined will result in the label being deleted.

See Labels for more information.

URI
tmod:@turbot/gcp-network#/policy/types/vpnTunnelLabelsTemplate
Default Template Input
[
"{\n project {\n turbot {\n id\n }\n }\n}\n",
"{\n defaultLabels: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceLabelsTemplate\" resourceId: \"{{ $.project.turbot.id }}\") {\n value\n }\n}\n"
]
Default Template
"{%- if $.defaultLabels.value | length == 0 %} [] {%- elif $.defaultLabels.value != undefined %}{{ $.defaultLabels.value | dump | safe }}{%- else %}{% for item in $.defaultLabels.value %}- {{ item }}{% endfor %}{% endif %}"

GCP > Network > VPN Tunnel > Regions

A list of GCP regions in which GCP Network vpn tunnels are supported for use.

Any vpn tunnels in a region not listed here will not be recorded in CMDB.

The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.

URI
tmod:@turbot/gcp-network#/policy/types/vpnTunnelRegions
Default Template Input
"{\n regions: policyValue(uri:\"tmod:@turbot/gcp-network#/policy/types/networkServiceRegionsDefault\") {\n value\n }\n}\n"
Default Template
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"

GCP > Network > VPN Tunnel > Usage

Configure the number of GCP Network vpn tunnels that can be used for this region and the current consumption against the limit.

You can configure the behavior of the control with this GCP > Network > VPN Tunnel > Usage policy.

URI
tmod:@turbot/gcp-network#/policy/types/vpnTunnelUsage
Valid Value
[
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Usage <= 85% of Limit",
"Check: Usage <= 100% of Limit"
],
"example": [
"Check: Usage <= 85% of Limit"
],
"default": "Skip"
}

GCP > Network > VPN Tunnel > Usage > Limit

Maximum number of items that can be created for this region.

URI
tmod:@turbot/gcp-network#/policy/types/vpnTunnelUsageLimit
Schema
{
"type": "integer",
"minimum": 0,
"default": 30
}

GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-network

GCP logs advanced filter used to specify a subset of log entries that is forwarded to the Guardrails Event Handlers
by the logging sink on behalf of GCP Network.

URI
tmod:@turbot/gcp-network#/policy/types/networkEventPatterns
Schema
{
"type": "string",
"default": "((resource.type = gce_ssl_certificate AND (protoPayload.authorizationInfo.permission = compute.sslCertificates.create OR protoPayload.authorizationInfo.permission = compute.sslCertificates.delete)) OR (resource.type = gce_target_https_proxy AND (protoPayload.authorizationInfo.permission = compute.targetHttpsProxies.create OR protoPayload.authorizationInfo.permission = compute.targetHttpProxies.delete)) OR (resource.type = gce_target_ssl_proxy AND (protoPayload.authorizationInfo.permission = compute.targetSslProxies.create OR protoPayload.authorizationInfo.permission = compute.targetSslProxies.delete OR protoPayload.authorizationInfo.permission = compute.targetSslProxies.update)) OR (resource.type = gce_packet_mirroring AND (protoPayload.authorizationInfo.permission = compute.packetMirrorings.create OR protoPayload.authorizationInfo.permission = compute.packetMirrorings.delete OR protoPayload.authorizationInfo.permission = compute.packetMirrorings.update)) OR (resource.type = gce_url_map AND (protoPayload.authorizationInfo.permission = compute.urlMaps.create OR protoPayload.authorizationInfo.permission = compute.urlMaps.delete OR protoPayload.authorizationInfo.permission = compute.urlMaps.update)) OR (resource.type = gce_target_pool AND (protoPayload.authorizationInfo.permission = compute.targetPools.create OR protoPayload.authorizationInfo.permission = compute.targetPools.delete OR protoPayload.authorizationInfo.permission = compute.targetPools.update)) OR (resource.type = gce_forwarding_rule AND (protoPayload.authorizationInfo.permission = compute.forwardingRules.create OR protoPayload.authorizationInfo.permission = compute.forwardingRules.delete OR protoPayload.authorizationInfo.permission = compute.forwardingRules.setLabels OR protoPayload.authorizationInfo.permission = compute.forwardingRules.setTarget OR protoPayload.authorizationInfo.permission = compute.globalForwardingRules.create OR protoPayload.authorizationInfo.permission = 
compute.globalForwardingRules.delete OR protoPayload.authorizationInfo.permission = compute.globalForwardingRules.setLabels OR protoPayload.authorizationInfo.permission = compute.globalForwardingRules.setTarget)) OR (resource.type = gce_network AND (protoPayload.authorizationInfo.permission = compute.networks.create OR protoPayload.authorizationInfo.permission = compute.networks.delete OR protoPayload.authorizationInfo.permission = compute.networks.removePeering OR protoPayload.authorizationInfo.permission = compute.networks.switchToCustomMode OR protoPayload.authorizationInfo.permission = compute.networks.update OR protoPayload.authorizationInfo.permission = compute.networks.updatePolicy)) OR (resource.type = gce_route AND (protoPayload.authorizationInfo.permission = compute.routes.create OR protoPayload.authorizationInfo.permission = compute.routes.delete)) OR (resource.type = gce_subnetwork AND (protoPayload.authorizationInfo.permission = compute.subnetworks.create OR protoPayload.authorizationInfo.permission = compute.subnetworks.delete OR protoPayload.authorizationInfo.permission = compute.subnetworks.expandIpCidrRange OR protoPayload.authorizationInfo.permission = compute.subnetworks.setIamPolicy OR protoPayload.authorizationInfo.permission = compute.subnetworks.setPrivateIpGoogleAccess OR protoPayload.authorizationInfo.permission = compute.subnetworks.update OR protoPayload.authorizationInfo.permission = compute.subnetworks.updatePolicy)) OR (resource.type = gce_reserved_address AND (protoPayload.authorizationInfo.permission = compute.addresses.create OR protoPayload.authorizationInfo.permission = compute.addresses.createInternal OR protoPayload.authorizationInfo.permission = compute.addresses.delete OR protoPayload.authorizationInfo.permission = compute.addresses.deleteInternal OR protoPayload.authorizationInfo.permission = compute.addresses.setLabels OR protoPayload.authorizationInfo.permission = compute.globalAddresses.create OR 
protoPayload.authorizationInfo.permission = compute.globalAddresses.createInternal OR protoPayload.authorizationInfo.permission = compute.globalAddresses.delete OR protoPayload.authorizationInfo.permission = compute.globalAddresses.deleteInternal OR protoPayload.authorizationInfo.permission = compute.globalAddresses.setLabels)) OR (resource.type = gce_backend_bucket AND (protoPayload.authorizationInfo.permission = compute.backendBuckets.create OR protoPayload.authorizationInfo.permission = compute.backendBuckets.delete OR protoPayload.authorizationInfo.permission = compute.backendBuckets.update)) OR (resource.type = gce_backend_service AND (protoPayload.authorizationInfo.permission = compute.backendServices.create OR protoPayload.authorizationInfo.permission = compute.backendServices.delete OR protoPayload.authorizationInfo.permission = compute.backendServices.update OR protoPayload.authorizationInfo.permission = compute.backendServices.setSecurityPolicy)) OR (resource.type = gce_firewall_rule AND (protoPayload.authorizationInfo.permission = compute.firewalls.create OR protoPayload.authorizationInfo.permission = compute.firewalls.delete OR protoPayload.authorizationInfo.permission = compute.firewalls.update)) OR (resource.type = gce_router AND (protoPayload.authorizationInfo.permission = compute.routers.create OR protoPayload.authorizationInfo.permission = compute.routers.delete OR protoPayload.authorizationInfo.permission = compute.routers.update)) OR (resource.type = vpn_tunnel AND (protoPayload.authorizationInfo.permission = compute.vpnTunnels.create OR protoPayload.authorizationInfo.permission = compute.vpnTunnels.delete OR protoPayload.authorizationInfo.permission = compute.vpnTunnels.setLabels)) OR (resource.type = vpn_gateway AND (protoPayload.authorizationInfo.permission = compute.targetVpnGateways.create OR protoPayload.authorizationInfo.permission = compute.targetVpnGateways.delete OR protoPayload.authorizationInfo.permission = 
compute.targetVpnGateways.setLabels OR protoPayload.authorizationInfo.permission = compute.targetVpnGateways.update)) AND severity>=INFO )"
}

GCP > Turbot > Permissions > Compiled > Levels > @turbot/gcp-network

A calculated policy that Guardrails uses to create a compiled list of ALL permission
levels for GCP Network that is used as input to
the stack that manages the Guardrails IAM permissions objects.

URI
tmod:@turbot/gcp-network#/policy/types/gcpLevelsCompiled

GCP > Turbot > Permissions > Compiled > Service Permissions > @turbot/gcp-network

A calculated policy that Guardrails uses to create a compiled list of ALL
permissions for GCP Network that is used as
input to the control that manages the IAM stack.

URI
tmod:@turbot/gcp-network#/policy/types/gcpCompiledServicePermissions