Use desired state templates in VMware Tanzu Guardrails to manage configuration drift

As a Cloud Ops administrator, you define the desired state for your cloud accounts and manage any configuration drift that occurs. To define the desired states for your accounts, you apply desired state templates to those accounts. Enforcing desired states is a different activity from the InfoSec analyst's task of remediating violations against posture policies, which are meant to ensure the security and performance of your accounts.

When a desired state template runs, any drift from the defined configuration appears as a finding. You monitor the findings and investigate the drift, starting with the findings that have the highest attention score.

Where to begin

Creating desired states to manage configuration drift

To create a desired state for one or more of your cloud accounts, follow these steps and observe the results. This example shows you how to apply a bootstrap desired state template that creates or verifies an AWS Organizational Unit (OU), run the desired state, and review the findings it produces.

  1. In Tanzu Hub, click Guardrails > Policies.
  2. On the Templates card, click View.
  3. On the Curated Templates tab, click the Bootstrap filter.
  4. Locate the bootstrap desired state template named Create or verify AWS Organizational Unit.

    When you search for desired state templates, you can use the filters and search area to narrow the results.

    1. If you don’t find the desired state template on the Curated Templates tab, click the Library tab.
    2. Click the Bootstrap filter, click the check box next to the desired state template, and click Import to Curated Templates. In the import dialog box, you can change the desired state template name if needed.
      • When you import and apply desired state templates, only select a project if you intend to monitor desired states but not enforce them.
      • If you intend to enforce desired states, do not select a project and make sure you have elevated privileges on the cloud account.
    3. Click Finish.
  5. Create the desired state for the account. This step shows you how to create the desired state from the desired state template. Be aware that you can also create the desired state from the findings or from the account results history in the desired states drop-down menu.
    1. In the list of curated desired state templates, click the check box next to the desired state template named Create or verify AWS Organizational Unit.
    2. Click Apply Policy.
    3. Enter the general selections, and select the type of accounts on which to apply the desired state template. Then, select one or more accounts, select a region, and click Next. If you select multiple accounts, review the next section of this topic.
      • Onboarded Accounts: Manually onboarded accounts and accounts that Tanzu Hub provisions and onboards.
      • All Provisioned Accounts: Existing accounts and any accounts that you will provision in Tanzu Hub.
      • All Accounts: All onboarded accounts. As accounts get added or removed, the desired state in the desired state template gets applied to those accounts.
    4. Define the desired states, validate the inputs, and click Next.
    5. Click Monitor or Enforce. If you choose to enforce desired states, you must have elevated credentials. For details, refer to the appropriate topic for your cloud provider. See Add Guardrails credentials to AWS cloud accounts or Add Guardrails credentials to Azure cloud subscriptions.
    6. Click Apply Desired State Templates.
  6. Investigate the findings.

    1. Click Guardrails > Findings. By default, the page displays the open findings.
    2. Use the filters to narrow the display of findings for the cloud account. For example, set these filters:
      • Select the provider as AWS.
      • Select the account.
      • Select the Category as Bootstrap.
      • Select the Type as Drift.
      • Select the Severity as High.
      • Click Apply.
    3. Expand a finding and review the details.

      The finding displays all the details, including the description, drift details, finding source, desired state, provider and resource, region, account, and tags.

    4. To view the drift that occurred, click View Diff.

Applying a desired state template to multiple accounts

As a Cloud Ops administrator, you can apply a desired state template to multiple cloud accounts simultaneously. You select a desired state template, select multiple accounts, define the input parameters, then review the findings and desired states at the account level in Tanzu Hub.

When you apply the desired state template to multiple accounts, be aware that:

  • The desired state template and the input parameters get applied to all the accounts you select.
  • If an account gets moved out of the scope of an organization or a project, any open findings get marked as resolved.
  • If a desired state gets deactivated, any open findings for that desired state get marked as resolved.
Note: When enforcing desired states on multiple accounts, you must not associate the desired state and the account with a project. This approach is also referred to as None (Organization scope) in the user interface.

To apply a desired state template to multiple accounts:

  1. In Tanzu Hub, click Guardrails > Summary.
  2. In the Key Actions widget, click Apply Desired State Templates.
  3. For the general selections:
    1. If you intend to enforce the desired states, for the project select None (Organization scope).
    2. If you intend to monitor but not enforce the desired states, select a project.
    3. For the type of accounts, select either: Onboarded Accounts, All Provisioned Accounts, or All Accounts.
    4. Select a region, and click Next.
  4. Select a desired state template, and click Next.
  5. Provide inputs in the desired state template that define the desired states, and click Next.
    • If you are creating a new desired state template from scratch, you can reference global parameters whose values Tanzu Hub populates automatically when you define the desired states. A global parameter is read from params like any other input, using its reserved __gr_ name. The following global parameters are supported:
      • Uid: __gr_UID
      • User email id: __gr_user_email
      • Project id: __gr_project_id
      • Org id: __gr_org_id
      • Account id: __gr_account_id
    • The Jinja statements in your desired state template code would resemble the following. A parameter read without a second argument to params.get() has no default and must be supplied when the desired state is created; the others fall back to the default shown.
      {% set trail_bucket_name = params.get('trail_bucket_name') %}
      {% set cloud_trail_name = params.get('cloud_trail_name', 'cloud-trail') %}
      {% set account_id = params.get('__gr_account_id') %}
      {% set trail_region = params.get('trail_region') %}
      {% set kms_key_name = params.get('kms_key_name', 'cloud-trail-key') %}
      {% set kms_key_alias = params.get('kms_key_alias', 'cloud-trail-key') %}
    • When you create the desired states, the input parameters display the global parameters that the template references.
  6. Click Monitor or Enforce, and click Apply Desired State Templates.

The desired state template runs on the accounts you selected. If any configuration drifts occur, Tanzu Hub generates drift findings.

Investigate the drift findings

To investigate the configuration drift findings for the accounts:

  1. Click Guardrails > Findings.
  2. Filter the results to display the drift findings.
  3. Resolve any drifts from the desired state that the desired state template defined.

For more information, go to Investigate VMware Tanzu Guardrails findings.

Learn more about desired states

A desired state is a combination of a desired state template, input parameters, and credentials. When you create a desired state, you select the severity, which drives the attention score of the finding that the desired state template generates.

You can set the severity of the desired state to:

  • LOW: Does not require any action.
  • MEDIUM: Investigate it, but it is not urgent.
  • HIGH: Investigate it as a priority. HIGH is the default setting.
  • CRITICAL: Remediate it immediately to avoid escalation.

Note: The data retention period for the details of a desired state is 395 days. After 395 days, the details get removed from the database.

The cloud account and project association affects which desired state templates and desired states you can apply.

  • When you apply desired states on a cloud account, if the cloud account is not scoped to a project, you can only select desired state templates that are not scoped to a project.
  • When a cloud account is scoped to a project, you can only select desired state templates that are scoped to that project.

When you create a desired state, you can select multiple regions. To run a desired state in multiple regions, you must include the region metadata described below in your SLS file, then run the desired state and monitor the findings.

Metadata for running desired states in multiple regions

AWS regions:

uiElement: aws-regions
name: field label
description: info for signpost
required: true/false # default true
multiselect: true/false # default false
disabled: true/false # default false

Azure regions:

uiElement: azure-regions
name: field label
description: info for signpost
required: true/false # default true
multiselect: true/false # default false
disabled: true/false # default false
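Both template artifacts this topic describes, the __gr_ global parameter references in the template code and the region uiElement metadata, are plain text that the product only validates when the desired state runs, so a misspelled parameter name or a mistyped true/false value surfaces late. The following lint is an added example, not code from Tanzu Guardrails or its documentation. It assumes the template code is available as a string and the metadata as flat "key: value" lines (this topic does not describe where in the SLS file the metadata lives, so the lint does not try to locate it); the sample template and metadata below are constructed for illustration and deliberately contain one error of each kind.

```python
"""Lint a Guardrails desired state template before importing it.

Added example; not part of the Tanzu Guardrails product or its documentation.
Checks (1) that every __gr_ parameter read via params.get() is a supported
global parameter and (2) that a region uiElement metadata block uses only
the documented keys with well-formed true/false values.
"""
import re
from typing import Dict, List

# Supported global parameters, as listed in the documentation.
SUPPORTED_GLOBAL_PARAMS = {
    "__gr_UID",
    "__gr_user_email",
    "__gr_project_id",
    "__gr_org_id",
    "__gr_account_id",
}

# Documented region UI elements and metadata keys. A bool default marks a
# true/false key; None marks free text (name, description).
REGION_UI_ELEMENTS = {"aws-regions", "azure-regions"}
METADATA_DEFAULTS = {
    "name": None,
    "description": None,
    "required": True,
    "multiselect": False,
    "disabled": False,
}

# Matches the first argument of params.get('name') / params.get("name", default).
PARAM_GET_RE = re.compile(r"""params\.get\(\s*(['"])([^'"]+)\1""")


def referenced_params(template: str) -> List[str]:
    """Return every parameter name the template reads with params.get(), in order."""
    return [m.group(2) for m in PARAM_GET_RE.finditer(template)]


def check_global_params(template: str) -> List[str]:
    """Flag __gr_ references that are not one of the supported global parameters."""
    return [
        f"unknown global parameter {name!r}"
        for name in referenced_params(template)
        if name.startswith("__gr_") and name not in SUPPORTED_GLOBAL_PARAMS
    ]


def parse_metadata(block: str) -> Dict[str, str]:
    """Parse flat 'key: value  # comment' lines into a dict, comments stripped."""
    meta: Dict[str, str] = {}
    for raw in block.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a key: value line: {raw!r}")
        meta[key.strip()] = value.strip()
    return meta


def check_region_metadata(meta: Dict[str, str]) -> List[str]:
    """Validate a region uiElement block against the documented keys and value types."""
    errors: List[str] = []
    ui = meta.get("uiElement")
    if ui not in REGION_UI_ELEMENTS:
        errors.append(f"uiElement must be one of {sorted(REGION_UI_ELEMENTS)}, got {ui!r}")
    for key, value in meta.items():
        if key == "uiElement":
            continue
        if key not in METADATA_DEFAULTS:
            errors.append(f"unknown metadata key {key!r}")
        elif isinstance(METADATA_DEFAULTS[key], bool) and value not in ("true", "false"):
            errors.append(f"{key} must be true or false, got {value!r}")
    return errors


def effective_metadata(meta: Dict[str, str]) -> Dict[str, object]:
    """Apply the documented defaults so you see what the UI will actually use."""
    resolved: Dict[str, object] = {}
    for key, default in METADATA_DEFAULTS.items():
        if key not in meta:
            resolved[key] = default
        elif isinstance(default, bool):
            resolved[key] = meta[key] == "true"
        else:
            resolved[key] = meta[key]
    return resolved


def lint_template(template: str, metadata_block: str) -> List[str]:
    """Run both checks and return all findings as human-readable strings."""
    return check_global_params(template) + check_region_metadata(parse_metadata(metadata_block))


# Constructed sample input: one misspelled global parameter, one mistyped boolean.
SAMPLE_TEMPLATE = """\
{% set trail_bucket_name = params.get('trail_bucket_name') %}
{% set account_id = params.get('__gr_account_id') %}
{% set owner = params.get('__gr_user_emial') %}
"""

SAMPLE_METADATA = """\
uiElement: aws-regions
name: Trail regions
description: Regions in which the trail is created
required: fale  # typo for false
multiselect: true
"""

if __name__ == "__main__":
    for problem in lint_template(SAMPLE_TEMPLATE, SAMPLE_METADATA):
        print("ERROR:", problem)
```

Run it against a template before you import it to Curated Templates; a clean run prints nothing. The boolean check is strict on purpose: the documentation gives the values as literal true/false, so a value such as "True" or "yes" is reported rather than silently coerced.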
