diff --git a/docs/concepts/guardrails/stacks.md b/docs/concepts/guardrails/stacks.md index d2b539d0..cc7482e0 100644 --- a/docs/concepts/guardrails/stacks.md +++ b/docs/concepts/guardrails/stacks.md @@ -3,7 +3,7 @@ title: Stack [Native] Guardrails sidebar_label: Stack [Native] --- -# Stack [Native] Guardrails +# Stack [Native] Guardrails ## Overview @@ -19,63 +19,22 @@ Guardrails provides many `Stack [Native]` controls in multiple mods. These stac - Resource stacks target individual resources, allowing you to configure standard resources that should be associated with them. Resource stacks will run for every resource of that type, and will run whenever new resources of that type are discovered. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
StackTargetIntended Purpose
AWS > Account > Stack [Native]AccountAccount-level settings and global services like Route53 and CloudFront.
AWS > Region > Stack [Native]RegionRegional resources, like Lambda Functions, EC2 instances, SNS Topics, etc.
AWS > IAM > Stack [Native]AccountIAM resources, like standard users, roles, policies, and identity providers.
AWS > VPC > Stack [Native]RegionVPC resources to set your standard "landing zone" VPCs - subnets, security groups, gateways, etc.
AWS > S3 > Bucket > Stack [Native]BucketResources to associate with buckets such as lifecycle policies or replication configuration
AWS > VPC > VPC > Stack [Native]VPCStandard VPC resources that belong in every VPC, like security groups, gateways, NACLs, etc.
Azure > Subscription > Stack [Native]SubscriptionSubscription-level settings and global services
Azure > Network > Virtual Network > Stack [Native]Virtual NetworkStandard network resources that belong in every Virtual Network
GCP > Project > Stack [Native]ProjectProject-level settings and global services
- +| **Stack** | **Target** | **Intended Purpose** | +|---------------------------------------------------------------|--------------------|-----------------------------------------------------------------------------------------------------------------| +| **AWS > Account > Stack [Native]** | Account | Account-level settings and global services like Route53 and CloudFront. | +| **AWS > Region > Stack [Native]** | Region | Regional resources, like Lambda Functions, EC2 instances, SNS Topics, etc. | +| **AWS > IAM > Stack [Native]** | Account | IAM resources, like standard users, roles, policies, and identity providers. | +| **AWS > VPC > Stack [Native]** | Region | VPC resources to set your standard "landing zone" VPCs - subnets, security groups, gateways, etc. | +| **AWS > S3 > Bucket > Stack [Native]** | Bucket | Resources to associate with buckets such as lifecycle policies or replication configuration | +| **AWS > VPC > VPC > Stack [Native]** | VPC | Standard VPC resources that belong in *every* VPC, like security groups, gateways, NACLs, etc. 
| +| **AWS > CloudFront > Distribution > Stack [Native]** | Distribution | Resources to associate with CloudFront distributions such as logging, monitoring, or WAF configuration | +| **AWS > Secrets Manager > Secret > Stack [Native]** | Secret | Resources related to secrets such as key rotation, access policies, and tagging | +| **Azure > Subscription > Stack [Native]** | Subscription | Subscription-level settings and global services | +| **Azure > Network > Virtual Network > Stack [Native]** | Virtual Network | Standard network resources that belong in *every* Virtual Network | +| **Azure > Resource Group > Stack [Native]** | Resource Group | Resources like diagnostic settings, policies, and tags applied at the resource group level | +| **Azure > Key Vault > Vault > Stack [Native]** | Vault | Resources to associate with Key Vaults such as access policies, logging, and diagnostic settings | +| **Azure > Storage > Storage Account > Stack [Native]** | Storage Account | Resources to associate with storage accounts such as encryption, access configuration, and diagnostic settings | +| **GCP > Project > Stack [Native]** | Project | Project-level settings and global services | ## Example: Standard IAM policy @@ -133,7 +92,7 @@ Create a policy setting for the `AWS > IAM > Stack [Native]` policy on an accoun Stack behavior is controlled by the `Stack [Native]` policy and sub-policies. -| Policy | Description +| Policy | Description |---------------------------------------|----------------------------------------------------------------------- | **Stack [Native]** | Determine whether to run the stack in check mode, enforce mode, or skip | **Stack [Native] > Source** | The OpenTofu HCL configuration source code that should be applied 
@@ -143,9 +102,9 @@ Stack behavior is controlled by the `Stack [Native]` policy and sub-policies. The `Stack [Native]` primary policy determines what action the control will take: -| Value | Description +| Value | Description | ----------------------- | ----------------------------------------------------------------------------------- -| **Skip** | The control will not run +| **Skip** | The control will not run | **Check: Configured** | An OpenTofu plan will be generated. If the planned configuration does not match the current configuration, the control will alarm. | **Enforce: Configured** | An OpenTofu plan will be generated. If the planned configuration does not match the current configuration, the control will apply the configuration. 
@@ -189,13 +148,13 @@ You may also choose to trigger the stack to run when resources change, but: ### Drift Detection Policies Drift detection behavior is controlled by the following sub-policies. -| Policy | Description +| Policy | Description |---------------------------------------|----------------------------------------------------------------------- | **Stack [Native] > Drift Detection** | Specify the mechanism for drift detection. | **Stack [Native] > Drift Detection > Interval** | Specify the interval at which to run the stack, in minutes. -The `Stack [Native] > Drift Detection` policy allows you to specify the mechanism for drift detection. You may run the stack at regular intervals to keep the resources up to date, and/or automatically trigger the stack to run whenever a resource that it created is modified. Note that resource triggering will only be available for resources that exist in the Guardrails CMDB; you may install the supporting mods and enable the CMDB for those resources. +The `Stack [Native] > Drift Detection` policy allows you to specify the mechanism for drift detection. You may run the stack at regular intervals to keep the resources up to date, and/or automatically trigger the stack to run whenever a resource that it created is modified. Note that resource triggering will only be available for resources that exist in the Guardrails CMDB; you may install the supporting mods and enable the CMDB for those resources. The `Stack [Native] > Drift Detection > Interval ` allows you to specify the interval at which to run the stack, in minutes. The default is `1440` (Once a day). 
@@ -205,9 +164,9 @@ The `Stack [Native] > Drift Detection > Interval ` allows you to specify the int The `Stack [Native] > Version` policy allows you to select which OpenTofu version Turbot should use for the stack. -The policy supports semver semantics, allowing you to use new versions automatically, or to pin to specific versions, depending on your preference. +The policy supports semver semantics, allowing you to use new versions automatically, or to pin to specific versions, depending on your preference. -By default this policy uses the global default value set in the `Turbot > Stack > Native Stack Version [Default]` policy. The shared default allows you to change only a single setting to change your default version, but still migrate versions over time on a per-stack basis. +By default this policy uses the global default value set in the `Turbot > Stack > Native Stack Version [Default]` policy. The shared default allows you to change only a single setting to change your default version, but still migrate versions over time on a per-stack basis. Guardrails native stack containers include standard cloud [providers](https://opentofu.org/docs/language/providers/). These providers are bundled in the container image, so in practice, the provider versions are tied to the OpenTofu version. The following versions are currently supported:
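Review bot: In the second hunk (the stacks table), the HTML-to-markdown conversion also adds five rows that were not in the table it replaces: `AWS > CloudFront > Distribution > Stack [Native]`, `AWS > Secrets Manager > Secret > Stack [Native]`, `Azure > Resource Group > Stack [Native]`, `Azure > Key Vault > Vault > Stack [Native]` and `Azure > Storage > Storage Account > Stack [Native]`. A change described as a reformat should not silently add content; please call the new rows out in the commit message and confirm each of those policy names exists in the published mods before documenting them, since readers will paste them verbatim as policy setting targets. Minor: the "Intended Purpose" cells are inconsistent about trailing periods (the Account and Region rows end with one, the S3 Bucket, Secrets Manager and Key Vault rows do not); pick one style across the table.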
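Review bot: In the fourth hunk (the `Stack [Native]` value table), the change is a whitespace trim only, but while this table is being touched, the `Enforce: Configured` row would be clearer if it said plainly that the control applies the OpenTofu plan to the target, i.e. creates or changes cloud resources, in contrast to `Check: Configured`, which only raises an alarm. That contrast is the decision a reader is making when choosing a value, and "will apply the configuration" does not make the side effect obvious. Style: the header row `| Value | Description` has no closing pipe while the new stacks table above uses trailing pipes on every row; consider matching it.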
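Review bot: In the fifth hunk (drift detection), the unchanged context line that follows the edited paragraph carries a stray space inside the backticks: `Stack [Native] > Drift Detection > Interval ` renders with a trailing space in the code span and will not match the policy name as shown in the table two lines above it. Since this hunk already exists to trim whitespace in the neighbouring line, fix that one too. Also worth stating in the paragraph rather than leaving implied: with interval-only drift detection, a modification to a stack-managed resource goes undetected for up to the configured interval (1440 minutes by default), so the CMDB-backed resource trigger is the option to prefer where the supporting mods are installed; the sentence about the CMDB currently reads as an aside rather than a recommendation.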
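Review bot: In the sixth hunk (the `Stack [Native] > Version` policy), the change is whitespace only, but the surrounding lines would benefit from one added sentence: because the providers are bundled in the container image and therefore tied to the OpenTofu version, a semver range that tracks new versions automatically also picks up provider changes, which can alter the plan an enforce-mode stack applies. Suggest pointing readers who run `Enforce: Configured` stacks toward pinning a specific version and moving the `Turbot > Stack > Native Stack Version [Default]` value deliberately, which is the workflow the "migrate versions over time on a per-stack basis" sentence already hints at.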