getting started gcp

docs/getting-started/getting-started-gcp/apply-quick-action/index.md

@@ -0,0 +1,125 @@
+---
+title: Apply a Quick Action
+sidebar_label: Apply a Quick Action
+---
+
+
+# Apply a Quick Action
+
+In this guide we’ll show how you can enable Guardrails to perform [Quick Actions](/guardrails/docs/guides/quick-actions) that fix misconfigurations. A Quick Action empowers an administrator to quickly fix misconfigurations by applying a change directly to an underlying GCP resource. In order to use this feature,  Guardrails will need one additional permission. This guide will show you how to change the permissions specific to GCP bucket public access, other Quick Actions will require different permission grants.
+
+This is the ninth guide in the *Getting started with GCP series*.
+
+**Prerequisites**: 
+
+- Completion of the previous guides in this series.
+- Access to the Guardrails console with administrative privileges.
+- Access to a GCP account with administrative privileges to add permissions to the Guardrails service account.
+
+
+## Step 1: Begin role creation
+
+In the GCP console, select **IAM & Admin**, select **Roles**, and select **Create Role**.
+
+<p><img alt="role-1" src="/images/docs/guardrails/getting-started/getting-started-gcp/apply-quick-action/role-1.png"/></p>
+
+## Step 2: Name the role
+
+Assign a descriptive name and ID, then select **Add Permissions**.
+
+<p><img alt="role-2" src="/images/docs/guardrails/getting-started/getting-started-gcp/apply-quick-action/role-2.png"/></p>
+
+## Step 3: Find the permission
+
+In the properties filter, search for `storage.buckets.update`.
+
+<p><img alt="role-3" src="/images/docs/guardrails/getting-started/getting-started-gcp/apply-quick-action/role-3.png"/></p>
+
+## Step 4: Add the permission
+
+Enable the checkbox next to the permission and select **Add**.
+
+<p><img alt="role-4" src="/images/docs/guardrails/getting-started/getting-started-gcp/apply-quick-action/role-4.png"/></p>
+
+## Step 5: Create the role
+
+Select **Create**.
+
+<p><img alt="role-5" src="/images/docs/guardrails/getting-started/getting-started-gcp/apply-quick-action/role-5.png"/></p>
+
+## Step 6: Assign the role to your service account
+
+Select **IAM** and select the pencil icon next to your Guardrails service account.
+
+<p><img alt="assign-role-1" src="/images/docs/guardrails/getting-started/getting-started-gcp/apply-quick-action/assign-roles-1.png"/></p>
+
+Choose **Add Another Role**.
+
+<p><img alt="assign-role-2" src="/images/docs/guardrails/getting-started/getting-started-gcp/apply-quick-action/assign-roles-2.png"/></p>
+
+Search for and select the custom role you created, then select **Save**.
+
+<p><img alt="assign-role-3" src="/images/docs/guardrails/getting-started/getting-started-gcp/apply-quick-action/assign-roles-3.png"/></p>
+
+
+## Step 7: Find Quick Actions
+
+Select **Policies** from the top-level navigation. In the search box, type `quick actions`, then select the **Turbot > Quick Actions > Enabled** policy type.
+
+<p><img alt="find_quick_actions" src="/images/docs/guardrails/getting-started/getting-started-gcp/apply-quick-action/find-quick-actions.png"/></p>
+
+## Step 8: Enable Quick Actions
+
+Choose **Sandbox** as the **Resource**, and then select **Enabled**, and click the green **Create** button.  
+
+<p><img alt="aws-enable-quick-actions" src="/images/docs/guardrails/getting-started/getting-started-aws/apply-quick-action/aws-enable-quick-actions.png"/></p>
+
+## Step 9: Find a bucket in Alarm
+
+Use your bookmark to navigate back to the **Controls by State** report and filter on **GCP > Storage > Bucket > Access Control**.
+
+<p><img alt="find_bucket_in_alarm_for_quick_action" src="/images/docs/guardrails/getting-started/getting-started-gcp/apply-quick-action/find-bucket-in-alarm.png"/></p>
+
+## Step 10: Select a bucket in Alarm
+
+Select a bucket in `Alarm` state from the list of buckets.
+
+<p><img alt="select_bucket_in_alarm_for_quick_action" src="/images/docs/guardrails/getting-started/getting-started-gcp/apply-quick-action/choose-bucket-in-alarm.png"/></p>
+
+## Step 11: Use a Quick Action
+
+Select the **Actions** dropdown, and choose **Set Uniform Access Control**.
+
+<p><img alt="expand-quick-actions-dropdown" src="/images/docs/guardrails/getting-started/getting-started-gcp/apply-quick-action/quick-actions-dropdown.png"/></p>
+
+## Step 12: Observe the change
+
+Guardrails reports that the action was successful, and the control goes to the `OK` state.  
+
+<p><img alt="observe-updated-control" src="/images/docs/guardrails/getting-started/getting-started-gcp/apply-quick-action/bucket-ok.png"/></p>
+
+## Step 13: Verify it worked
+
+Open a tab to the GCP console, and navigate to the bucket. Confirm the Guardrails Quick Action has correctly set the bucket's access control property.
+
+<p><img alt="observe-aws-console-result" src="/images/docs/guardrails/getting-started/getting-started-gcp/apply-quick-action/bucket-config.png"/></p>
+
+## Step 14: Review
+
+In this guide you increased the permissions scope in GCP, enabled Guardrails Quick Actions, and used a Quick Action to change a bucket's access control property.
+
+## Next Steps
+
+In the [next guide](/guardrails/docs/getting-started/getting-started-gcp/enable-enforcement) we’ll set Guardrails to automatically enforce these actions continuously.  
+
+## Progress tracker
+- [x] Prepare a GCP Project for Import to Guardrails
+- [x] Connect a GCP Project to Guardrails
+- [x] Observe GCP Activity
+- [x] Enable Your First Guardrails Policy Pack
+- [x] Review Project-Wide Governance
+- [x] Create a Static Exception to a Guardrails Policy
+- [x] Create a Calculated Exception to a Guardrails GCP Policy
+- [x] Send an Alert to Email
+- [x] **Apply a Quick Action**
+- [ ] Enable Automatic Enforcement

docs/getting-started/getting-started-gcp/connect-project/index.md

@@ -0,0 +1,92 @@
+---
+title: Connect a GCP Project to Guardrails
+sidebar_label: Connect a GCP Project
+---
+
+
+# Connect a GCP Project to Guardrails
+
+In this guide you will connect a GCP account to Guardrails.
+
+This is the second guide in the *Getting started with GCP* series.
+
+## Prerequisites
+
+  - Completion of the previous guide: *Prepare an GCP Project for Import to Guardrails*.
+
+  - Access to the Turbot Guardrails console with admin privilege.
+
+## Step 1: Login to Guardrails
+
+Login to your Guardrails console and select the **CONNECT** option from the home page.  
+<p><img alt="locate-top-level-connect" src="/images/docs/guardrails/getting-started/getting-started-gcp/connect-project/locate-top-level-connect.png"/></p>
+
+## Step 2: Select GCP
+
+Select **GCP** from the import options.
+
+<p><img alt="choose-gcp" src="/images/docs/guardrails/getting-started/getting-started-gcp/connect-project/choose-gcp.png"/></p>
+
+## Step 3: Select import location
+
+Expand the **Parent Resource** dropdown and choose the **Sandbox** folder as the import location.
+
+<p><img alt="select-import-location" src="/images/docs/guardrails/getting-started/getting-started-gcp/connect-project/choose-sandbox.png"/></p>
+
+## Step 4: Add key file
+
+In the previous guide you created and downloaded a JSON-format key file. Locate that file and drag it to the drop target.
+
+<p><img alt="add-key-file" src="/images/docs/guardrails/getting-started/getting-started-gcp/connect-project/add-key-file.png"/></p>
+
+
+## Step 5: Connect
+
+Select the **Connect** button. 
+
+<p><img alt="select-connect" src="/images/docs/guardrails/getting-started/getting-started-gcp/connect-project/connect.png"/></p>  
+
+
+## Step 6: Observe progress
+
+Wait for the progress bar to complete. This process takes a while, and you’ll see the bars fluctuate. The number of resources will grow as Guardrails discovers them.
+
+<p><img alt="gcp_progress_bar" src="/images/docs/guardrails/getting-started/getting-started-gcp/connect-project/gcp-progress-bar.png"/></p>  
+
+
+## Step 7: View Controls by state
+
+Select **Reports** from the top navigation menu. Type `controls` into the **Search reports…** field to show only reports with the word "controls" in their name. Select the **Controls by State** report from the list. 
+
+<p><img alt="search-for-controls-reports" src="/images/docs/guardrails/getting-started/getting-started-aws/connect-an-account/search-for-controls-reports.png"/></p>
+
+## Step 8: Configure report filter
+
+Select the **Type** dropdown from the filters bar. Then enable the check box next to **GCP** to limit the report to only show GCP controls.  
+<p><img alt="set-type-filter" src="/images/docs/guardrails/getting-started/getting-started-gcp/connect-project/configure-report-filter.png"/></p>
+
+## Step 9: Review Controls
+
+Review the status of your controls for GCP.  `Alarm`, `OK`, `Skipped`, and `TBD` are all common and normal states to see in your project.  If you see controls in `Error` or `Invalid` states, those must be cleared before moving further into these guides.  
+
+Bookmark the **Controls by State** report, you’ll need it in subsequent guides.
+
+<p><img alt="gcp-controls-by-state" src="/images/docs/guardrails/getting-started/getting-started-gcp/connect-project/gcp-controls-by-state.png"/></p>
+
+## Next Steps
+
+You've now successfully connected your GCP project to Guardrails.
+
+In the [next guide](/guardrails/docs/getting-started/getting-started-gcp/observe-gcp-activity) we’ll see how Guardrails watches your project and reacts to resource changes.  
+
+## Progress tracker
+- [x] Prepare a GCP Project for Import to Guardrails
+- [x] **Connect a GCP Project to Guardrails**
+- [ ] Observe GCP Activity
+- [ ] Enable Your First Guardrails Policy Pack
+- [ ] Review Project-Wide Governance
+- [ ] Create a Static Exception to a Guardrails Policy
+- [ ] Create a Calculated Exception to a Guardrails GCP Policy
+- [ ] Send an Alert to Email
+- [ ] Apply a Quick Action
+- [ ] Enable Automatic Enforcement

docs/getting-started/getting-started-gcp/create-calculated-exception/index.md

@@ -0,0 +1,137 @@
+---
+title: Create a Calculated Exception to a Guardrails GCP Policy
+sidebar_label: Create a Calculated Exception
+---
+
+# Create a Calculated Exception to a Guardrails AWS Policy
+
+In this guide you'll learn how to make dynamic policy exceptions based on resource tags. These [Calculated Policies](/guardrails/docs/reference/glossary#calculated-policy) enable you to implement business logic when designing your governance controls. 
+
+Some typical examples of how to use calculated polices are: 
+
+- Dynamic tagging of resources based on resource metadata.
+- Creating policy exceptions for different classes of resources.
+- Taking enforcement action for based on resource tags.
+
+This guide will walk you through a simple calculated policy based on resource tags.
+
+This is the seventh guide in the *Getting started with GCP* series.
+
+**Prerequisites**
+
+- Completion of the previous guides in this series.
+- Access to the Guardrails console with administrative privileges.
+- Access to the AWS console with permissions to label GCP buckets.
+
+## Step 1: Open the Policy Pack
+
+Choose **Policies** from the top navigation bar. Select the **Enforce Uniform Access is Enabled for GCP Storage Buckets** Policy Pack from the list on the right.
+
+<p><img alt="view-policy-packs" src="/images/docs/guardrails/getting-started/getting-started-gcp/create-calculated-exception/view-policy-packs.png"/></p>
+
+
+## Step 2: Modify the policy setting
+
+The bucket's access control is currently statically set to `Check: Uniform`. Use the pencil icon on the right side of the policy setting to edit the policy.
+
+<p><img alt="view-policy-pack" src="/images/docs/guardrails/getting-started/getting-started-gcp/create-calculated-exception/view-policy-pack.png"/></p>
+
+## Step 3: Enable calculated mode
+
+Select the blue **Enable calculated mode** link.
+
+<p><img alt="enable-calculated-mode" src="/images/docs/guardrails/getting-started/getting-started-gcp/create-calculated-exception/enable-calculated-mode.png"/></p>
+
+## Step 4: Launch calculated policy builder
+
+Select **Launch calculated policy builder**.
+
+<p><img alt="launch-calculated-policy-builder" src="/images/docs/guardrails/getting-started/getting-started-gcp/create-calculated-exception/launch-builder.png"/></p>
+
+
+## Step 5: Choose test resource
+
+Calculated policies work across all resources in scope of the policy setting. While building a calc policy it is useful to test the business logic against real resources in your environment. For this guide you will find and select one of the previously-created test buckets by searching in the **Test Resource** field.
+
+<p><img alt="choose test resource" src="/images/docs/guardrails/getting-started/getting-started-gcp/create-calculated-exception/choose-test-resource.png"/></p>
+
+## Step 6: Build query
+
+In the **Query Input** field we will use **Select Snippet** to prepopulate our [GraphQL](/guardrails/docs/reference/glossary#graphql) query. Choose **Get bucket** from the dropdown.
+
+<p><img alt="snippet-dropdown-open" src="/images/docs/guardrails/getting-started/getting-started-gcp/create-calculated-exception/open-snippet-dropdown.png"/></p>
+
+## Step 7: View query result
+
+Guardrails inserts a GraphQL query for bucket tags into the **Input** pane, and then runs the query against the selected test resource. The result, in the **Output** pane, shows there are no tags on the bucket.
+
+<p><img alt="snippet-active" src="/images/docs/guardrails/getting-started/getting-started-gcp/create-calculated-exception/snippet-active.png"/></p>
+
+## Step 8: Add the Jinja2 template
+
+Our business logic is created in the `Template` section, using [Nunjucks syntax](https://mozilla.github.io/nunjucks/templating.html).
+
+Copy this template code:  
+
+```nunjucks
+{% if $.bucket.turbot.tags.environment == "development" %}
+'Skip'
+{% else %}
+'Check: Uniform'
+{% endif %}
+```
+
+And paste it into the template pane.
+
+<p><img alt="template-active" src="/images/docs/guardrails/getting-started/getting-started-gcp/create-calculated-exception/template-active.png"/></p>
+
+Guardrails evaluates the template in the context of the chosen **Test Resource**. The template output, `Check: Uniform`, is the calculated policy value that will govern any bucket’s **GCP > Storage > Bucket > Access Control** policy if the bucket is labeled with `environment:development`. Only these labeled buckets will be required to have uniform access enabled. Others will be skipped, whether or not they enable uniform access.  
+
+The result confirms that `Check: Uniform` is valid for this policy type.  Why? Because the test bucket does not have a tag `{ "environment": "development" }`.
+
+Select **Update**
+
+## Step 9: Save the calculated policy to the policy pack
+
+Select **Update**.
+
+<p><img alt="update-policy-setting" src="/images/docs/guardrails/getting-started/getting-started-gcp/create-calculated-exception/update-setting.png"/></p>
+
+## Step 10: Observe controls for bucket access control
+
+Navigate back to the **Controls by State** report and set the **Type** filter to **GCP > Storage > Bucket > Access Control**. Buckets with uniform access enabled will be in the `OK` state. Find a bucket in the `Alarm` state to modify, and note its name.
+
+<p><img alt="revisit-controls-by-state" src="/images/docs/guardrails/getting-started/getting-started-gcp/create-calculated-exception/revisit-controls-by-state.png"/></p>
+
+## Step 11: Label the bucket
+
+Open the GCP console in another tab, navigate to the bucket identified in the previous step, and assign the tag `environment:development` to it.
+
+<p><img alt="label-bucket" src="/images/docs/guardrails/getting-started/getting-started-gcp/create-calculated-exception/label-the-bucket.png"/></p>
+
+
+## Step 12: Observe the effect
+
+Return to the **Controls by State** report in the previous browser tab.  Observe that Guardrails notices the change, reevaluates the resource, runs the calculated policy, and changes the status from `Alarm` to `Skipped`.
+
+<p><img alt="labeled-bucket-now-skipped" src="/images/docs/guardrails/getting-started/getting-started-gcp/create-calculated-exception/labeled-bucket-now-skipped.png"/></p>
+
+## Step 13: Review
+
+In this guide you created your first calculated policy and tested it using the control that governs bucket access control.
+
+## Next Steps
+
+In the [next guide](/guardrails/docs/getting-started/getting-started-gcp/send-alert-to-email) we’ll see how to subscribe to these status alerts via email, Slack, or MS Teams. 
+
+## Progress tracker
+- [x] Prepare a GCP Project for Import to Guardrails
+- [x] Connect a GCP Project to Guardrails
+- [x] Observe GCP Activity
+- [x] Enable Your First Guardrails Policy Pack
+- [x] Review Project-Wide Governance
+- [x] Create a Static Exception to a Guardrails Policy
+- [x] **Create a Calculated Exception to a Guardrails GCP Policy**
+- [ ] Send an Alert to Email
+- [ ] Apply a Quick Action
+- [ ] Enable Automatic Enforcement