GCP CIS v2.0.0 - Section 2 - Logging and Monitoring
Policy Setting: GCP > Storage > Bucket > Approved > Custom

Policies

This policy setting depends on the following policy types:

  • GCP > Storage > Bucket > Approved > Custom

Source

resource "turbot_policy_setting" "gcp_storage_bucket_approved_custom" {
  resource       = turbot_policy_pack.main.id
  type           = "tmod:@turbot/gcp-storage#/policy/types/bucketApprovedCustom"
  note           = "GCP CIS v2.0.0 - Control: 2.3"
  template_input = <<-EOT
    - |
      {
        project {
          turbot {
            id
          }
        }
        item: bucket {
          name: get(path: "name")
        }
      }
    - |
      {
        item: bucket {
          name: get(path: "name")
          retentionPolicy: get(path: "retentionPolicy")
        }
        sinkDetails: resources(filter: "resourceId:{{ $.project.turbot.id }} resourceTypeId:'tmod:@turbot/gcp-logging#/resource/types/sink' resourceTypeLevel:self $.destination:'storage.googleapis.com/{{ $.item.name }}' limit:5000") {
          items {
            name: get(path: "name")
            destination: get(path: "destination")
          }
        }
      }
  EOT
  template       = <<-EOT
    {%- if $.sinkDetails.items -%}
      {%- if $.sinkDetails.items.length > 0 and $.item.retentionPolicy and $.item.retentionPolicy.isLocked -%}
        {%- set data = {
          "title": "Retention Policy for Bucket Lock",
          "result": "Approved",
          "message": "Retention policy for bucket lock is enabled"
        } -%}
      {%- else -%}
        {%- set data = {
          "title": "Retention Policy for Bucket Lock",
          "result": "Not approved",
          "message": "Retention policy for bucket lock is not enabled"
        } -%}
      {%- endif -%}
    {%- else -%}
      {%- set data = {
        "title": "Retention Policy for Bucket Lock",
        "result": "Skip",
        "message": "No data for bucket lock yet"
      } -%}
    {%- endif -%}
    {{ data | json }}
  EOT
}
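The check the template above performs, re-implemented as an added Python example (not code from the policy pack or from Turbot) so its three outcomes can be exercised offline. The sample bucket and sink records are constructed; their field names follow the GCS bucket resource (retentionPolicy.isLocked) and the Cloud Logging sink resource (destination), and the Skip branch is modelled by passing None for the sink list.

```python
# Added example: stand-alone version of the bucket-lock policy template.
from typing import Optional

# Log sinks that export to a GCS bucket use this destination form.
SINK_PREFIX = "storage.googleapis.com/"

# Constructed sample inputs (not real resources).
BUCKETS = [
    {"name": "audit-logs-locked",
     "retentionPolicy": {"retentionPeriod": "31536000", "isLocked": True}},
    {"name": "audit-logs-unlocked",
     "retentionPolicy": {"retentionPeriod": "31536000", "isLocked": False}},
    {"name": "audit-logs-no-policy"},
]
SINKS = [
    {"name": "export-locked", "destination": SINK_PREFIX + "audit-logs-locked"},
    {"name": "export-unlocked", "destination": SINK_PREFIX + "audit-logs-unlocked"},
    {"name": "export-none", "destination": SINK_PREFIX + "audit-logs-no-policy"},
    {"name": "to-bigquery", "destination": "bigquery.googleapis.com/projects/p/datasets/d"},
]


def sinks_for_bucket(bucket_name: str, sinks: list) -> list:
    """Mirror the template's resources() filter: sinks whose destination is this bucket."""
    return [s for s in sinks if s.get("destination") == SINK_PREFIX + bucket_name]


def evaluate(bucket: dict, sinks: Optional[list]) -> dict:
    """Reproduce the template's three outcomes for one bucket.

    sinks is None when sink data has not been collected yet (the template's outer
    `sinkDetails.items` guard), which yields Skip rather than a verdict.
    """
    title = "Retention Policy for Bucket Lock"
    if sinks is None:
        return {"title": title, "result": "Skip", "message": "No data for bucket lock yet"}
    matching = sinks_for_bucket(bucket["name"], sinks)
    policy = bucket.get("retentionPolicy") or {}
    # Approved only when at least one sink exports here AND the retention policy is locked.
    if matching and policy.get("isLocked"):
        return {"title": title, "result": "Approved",
                "message": "Retention policy for bucket lock is enabled"}
    return {"title": title, "result": "Not approved",
            "message": "Retention policy for bucket lock is not enabled"}


if __name__ == "__main__":
    for b in BUCKETS:
        print(b["name"], "->", evaluate(b, SINKS)["result"])
```

As in the template, a bucket that no sink exports to is reported as Not approved rather than Skip.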