Enforce desired states in VMware Tanzu Guardrails with event triggering

Tanzu Guardrails in Tanzu Hub supports event-driven enforcement of the desired states in your environments.

To enforce the desired states on an event-driven basis:

  • When a configuration change event occurs on a data source account in Tanzu Hub, it sends the change events from its inventory to the Tanzu Guardrails service.
  • Tanzu Hub enables the event-driven enforcement of the desired states in those accounts.
  • The Tanzu Guardrails service intercepts the cloud resource configuration change event for an environment and triggers the enforcement of the desired state again.
  • If a drift is present, it gets remediated. Otherwise, Tanzu Hub reports that no actions were performed on the cloud resource.

If no events happen in a 24-hour time span, the default internal scheduler in the Tanzu Guardrails service still enforces desired states once per day.

Cloud accounts that appear when you create a desired state

With event-driven enforcement, whenever you create a desired state, the Tanzu Guardrails service only accepts cloud accounts that have valid credentials.

All cloud accounts appear in Tanzu Hub. Cloud accounts that have valid credentials in Tanzu Hub appear, along with other discovered cloud accounts that do not have valid credentials.

When you create desired states, Tanzu Hub only displays the cloud accounts that have an association with a project, either directly or indirectly.

  • Direct association: When an account has a direct association with a project, that account is ready for use in desired states. Each account in Tanzu Hub associates with a project, and typically has the credentials required for creating a desired state and running it.
  • Indirect association: When entities get discovered in a cloud account in Tanzu Hub, those entities might have an indirect association with a project through the cloud account. The entities appear, but unless the cloud account has the required credentials, it is not available for use in desired states. These types of entities can include accounts, OUs, orgs, root accounts, and so on.

If a discovered cloud account does not have credentials in Tanzu Hub and the Tanzu Guardrails service, that account does not appear in the list of available accounts when you create a desired state.

P95 latencies can occur

When you create desired states from the desired state templates, when changes occur on the resources in the accounts, tracks the changes and reinforces the desired state in the cloud.

When you create desired states from desired state templates, the changes get tracked in the cloud account and the state of the cloud account gets compared against the desired state. If there is a difference, Tanzu Hub reports the drift.

During the real-time run of the event stream, intelligent sampling, and collection of data, certain latencies can occur. When the desired state template SLS file runs, latencies can appear in the enforcement because of the framework being used between Tanzu Hub and VMware Aria Automation for Secure Clouds.

The latency measurement, known as P95 or the 95th percentile, is a statistical measurement that represents the value below which 95% of observations fall in a dataset.

The latencies that can occur include:

  • P95 event to finding the alert latency on receipt of a change event, to the inventory and to findings is: less than 60 seconds
  • P95 time to first results of the onboarding of the cloud account, to the inventory and to findings is: less than 15 minutes

Event throttling: After receiving the events the Tanzu Guardrails service throttles the desired state reinforcement for approximately 2 minutes to protect the downstream service from an excessive load.

Supported change events for Amazon AWS resources

Real-time event triggering occurs on the following AWS resources.

AWS resource Supported real-time change events
AWS.EKS.Cluster - CreateCluster

- TagResource - UpdateClusterConfig - DeleteCluster - UntagResource - UpdateClusterVersion

| |AWS.EKS.NodeGroup|- CreateNodegroup - TagResource - UpdateNodegroupConfig - DeleteNodegroup - UntagResource - UpdateNodegroupVersion

| |AWS.IAM.UserPolicyAttachment|- AttachUserPolicy - DetachUserPolicy

| |AWS.IAM.role|- UntagRole - UpdateAssumeRolePolicy - CreateRole - DeleteServiceLinkedRole - RemoveRoleFromInstanceProfile - UpdateRole - DeleteRole - TagRole - UpdateRoleDescription

| |aws.sns.topic|- DeleteTopic - SetTopicAttributes - UntagResource - CreateTopic - RemovePermission - TagResource

| |AWS.CloudWatch.MetricAlarm|- DeleteAlarms - DisableAlarmActions - EnableAlarmActions - PutMetricAlarm

| |AWS.S3.BucketEncryption|- PutBucketEncryption - DeleteBucketEncryption

| |AWS.CloudTrail.Trail|- CreateTrail - StopLogging - DeleteTrail - StartLogging - UpdateTrail

| |AWS.IAM.User|- AddUserToGroup - TagUser - DeleteUser - UntagUser - DeleteUserPolicy - CreateUser - PutUserPolicy - UpdateUser

| |AWS.S3.BucketVersioning|- PutBucketVersioning

| |aws.config.Recorder|- DeleteConfigurationRecorder - PutConfigurationRecorder

| |aws.config.rule|- DeleteConfigRule - PutConfigRule

| |AWS.IAM.PasswordPolicy|- DeleteAccountPasswordPolicy - UpdateAccountPasswordPolicy

| |AWS.WAFv2.WebACL|- AssociateWebACL - TagResource - UpdateWebACL - CreateWebACL - DeleteWebACL - UntagResource

| |AWS.WAFv2.Rule|- UpdateRuleGroup - CreateRuleGroup - DeleteRuleGroup

| |aws.guardduty.detector|- CreateDetector - DeleteDetector - UpdateDetector

| |AWS.KMS.Alias|- CreateAlias - DeleteAlias - UpdateAlias

| |aws.config.ConfigRecorderStatus|- StartConfigurationRecorder - StopConfigurationRecorder

| |aws.config.DeliveryChannel|- DeleteDeliveryChannel - PutDeliveryChannel

| |AWS.IAM.RolePolicyAttachment|- AttachRolePolicy - DetachRolePolicy

| |AWS.IAM.policy|- CreatePolicy - DeletePolicy - SetDefaultPolicyVersion - UntagPolicy - CreatePolicyVersion - DeletePolicyVersion - TagPolicy

| |AWS.IAM.RolePolicy|- PutRolePolicy - DeleteRolePolicy

| |AWS.Organizations.PolicyAttachment|- AttachPolicy - DetachPolicy

| |AWS.S3.PublicAccessBlock|- PutBucketPublicAccessBlock - DeleteBucketPublicAccessBlock

| |AWS.S3.BucketLifecycle|- PutBucketLifecycle - DeleteBucketLifecycle

| |AWS.IAM.AccountPasswordPolicy|- DeleteAccountPasswordPolicy - UpdateAccountPasswordPolicy

| |AWS.IAM.ManagedPolicy|- CreatePolicy - DeletePolicy - SetDefaultPolicyVersion - UntagPolicy - CreatePolicyVersion - DeletePolicyVersion - TagPolicy

| |AWS.IAM.InlinePolicy|Relationship events for:

  • AWS.IAM.Group
  • AWS.IAM.PolicyStatement
  • AWS.IAM.Role
  • AWS.IAM.User

| |AWS.IAM.ServiceLinkedRole|- DeleteServiceLinkedRole - TagRole

| |AWS.S3.BucketPolicy|- PutBucketPolicy - DeleteBucketPolicy

| |AWS.s3.bucket|- CreateBucket - DeleteBucketPublicAccessBlock - PutBucketEncryption - PutBucketReplication - DeleteBucket - DeleteBucketReplication - PutBucketLifecycle - PutBucketTagging - DeleteBucketCors - DeleteBucketTagging - PutBucketLogging - PutBucketVersioning - DeleteBucketEncryption - PutBucketNotification - DeleteBucketLifecycle - PutBucketAcl - PutBucketPublicAccessBlock

| |aws.cloudwatch.log_group|- CreateLogGroup - DeleteRetentionPolicy - TagLogGroup - DeleteLogGroup - PutRetentionPolicy - UntagLogGroup


Azure resource Supported real-time change events
azure.resource_management.resource_groups - Create

| |azure.authorization.role_definitions|- Create - Delete - Permission - assignable_scopes

| |azure.authorization.role_assignments|- Create - Delete

| |azure.policy.policy_assignments|- Create - Delete - allowedLocations


More information about data sources

For more information about the data source accounts, refer to Setting up data connections in VMware Tanzu Hub.

Parent topic:Define and apply governance policies in VMware Tanzu Hub

check-circle-line exclamation-circle-line close-line
Scroll to top icon