Turbot Guardrails + Steampipe

Turbot Guardrails is the leading platform for policy-based control and automatic remediation of enterprise clouds.

Steampipe is an open-source zero-ETL engine to instantly query cloud APIs using SQL.

For example:

select
  trunk_title,
  uri
from
  guardrails_resource_type;

+---------------------------------+---------------------------------------------------------+
| trunk_title                     | uri                                                     |
+---------------------------------+---------------------------------------------------------+
| Turbot > IAM > Access Key       | tmod:@turbot/turbot-iam#/resource/types/accessKey       |
| GCP > Monitoring > Alert Policy | tmod:@turbot/gcp-monitoring#/resource/types/alertPolicy |
| AWS > IAM > Access Key          | tmod:@turbot/aws-iam#/resource/types/accessKey          |
| AWS > EC2 > AMI                 | tmod:@turbot/aws-ec2#/resource/types/ami                |
| AWS > SSM > Association         | tmod:@turbot/aws-ssm#/resource/types/association        |
| GCP > Network > Address         | tmod:@turbot/gcp-network#/resource/types/address        |
+---------------------------------+---------------------------------------------------------+

Documentation

Table definitions & examples →

Get started

Install

Download and install the latest Turbot Guardrails plugin:

steampipe plugin install guardrails

Credentials

Installing the latest guardrails plugin will create a config file (~/.steampipe/config/guardrails.spc) with a single connection named guardrails. By default, Steampipe will use your Turbot Guardrails profiles and credentials exactly the same as the Turbot Guardrails CLI and Turbot Guardrails Terraform provider. In many cases, no extra configuration is required to use Steampipe.

connection "guardrails" {
  plugin = "guardrails"
}

Advanced configuration options

If you have a default profile setup using the Turbot Guardrails CLI, Steampipe just works with that connection.

For users with multiple workspaces and more complex authentication use cases, here are some examples of advanced configuration options:

Credentials via key pair

The Turbot Guardrails plugin allows you to set static credentials with the access_key, secret_key, and workspace arguments in any connection profile.

connection "guardrails" {
  plugin = "guardrails"
  access_key = "c8e2c2ed-1ca8-429b-b369-010e3cf75aac"
  secret_key = "a3d8385d-47f7-40c5-a90c-bfdf5b43c8dd"
  workspace  = "https://turbot-acme.cloud.turbot.com/"
}

Credentials via Turbot Guardrails config profiles

You can use an existing Turbot Guardrails named profile configured in /Users/jsmyth/.config/turbot/credentials.yml. A connect per workspace is a common configuration:

connection "guardrails_acme" {
  plugin = "guardrails"
  profile = "turbot-acme"
}

connection "guardrails_dmi" {
  plugin = "guardrails"
  profile = "turbot-dmi"
}

Credentials from environment variables

Environment variables provide another way to specify default Turbot Guardrails CLI credentials:

export TURBOT_SECRET_KEY=3d397816-575f-4b2a-a470-a96abe29b81a
export TURBOT_ACCESS_KEY=86835f29-1c88-46d9-b6ce-cbe5016842d3
export TURBOT_WORKSPACE=https://turbot-acme.cloud.turbot.com

You can also change the default profile to a named profile with the TURBOT_PROFILE environment variable:

export TURBOT_PROFILE=turbot-acme

Postgres FDW

This plugin is available as a native Postgres FDW. Unlike Steampipe CLI, which ships with an embedded Postgres server instance, the Postgres FDW can be installed in any supported Postgres database version.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_postgres_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/postgres.sh)" -- guardrails

The installer will prompt you for the plugin name and version, download and install the appropriate files for your OS, system architecture, and Postgres version.

To configure the Postgres FDW, you will create an extension, foreign server, and schema and import the foreign schema.

CREATE EXTENSION IF NOT EXISTS steampipe_postgres_guardrails;
CREATE SERVER steampipe_guardrails FOREIGN DATA WRAPPER steampipe_postgres_guardrails OPTIONS (config '<your_config>');
CREATE SCHEMA guardrails;
IMPORT FOREIGN SCHEMA guardrails FROM SERVER steampipe_guardrails INTO guardrails;

SQLite Extension

This plugin is available as a SQLite Extension, making the tables available as SQLite virtual tables.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_sqlite_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/sqlite.sh)" -- guardrails

The installer will prompt you for the plugin name, version, and destination directory. It will then determine the OS and system architecture, and it will download and install the appropriate package.

To configure the SQLite extension, load the extension module and then run the steampipe_configure_guardrails function to configure it with plugin-specific options.

$ sqlite3
sqlite> .load ./steampipe_sqlite_extension_guardrails.so
sqlite> select steampipe_configure_guardrails('<your_config>');

Export

This plugin is available as a standalone Export CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- guardrails

You can pass the configuration to the command with the --config argument:

steampipe_export_guardrails --config '<your_config>' <table_name>