Update Baselines with AWS, Azure and GCP Mod Installs

baselines/README.md

@@ -4,120 +4,63 @@ Turbot Guardrails Baselines provide best-practice configurations and examples fo
 
 ## Current Baselines
 
-| Baseline                    | Path                                                               | Description                                                                                             |
-| --------------------------- | ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------- |
-| Local Directory             | [local_directory](./turbot/local_directory)                        | Create local directory and users in your workspace                                                      |
-| AWS Setup                   | [aws_setup](./aws/aws_setup)                                       | Common quickstart setup for AWS - prepare your environment to import an AWS account                     |
-| AWS Account Import          | [aws_account_import](./aws/aws_account_import)                     | Import an AWS Account into Guardrails                                                                       |
-| AWS Services                | [aws_services](./aws/aws_services)                                 | Enable/Disable AWS Services in Guardrails                                                                   |
-| GCP Setup                   | [gcp_setup](./gcp/gcp_setup)                                       | Common quickstart setup for GCP - prepare your environment to import GCP Projects                       |
-| GCP Services                | [gcp_services](./gcp/gcp_services)                                 | Enable/Disable GCP Services in Guardrails & also enforce api enabled policy based on service Enable/Disable |
-| Azure Subscription Import   | [azure_sub_import](./azure/azure_sub_import)                       | Import an Azure subscription into Guardrails                                                                |
-| Azure Subscription Readonly | [azure_sub_import_ro](./azure/azure_sub_create_then_import_ro)     | Import an Azure subscription into Guardrails with event handler and readonly mode                           |
-| Azure Services              | [azure_services](./azure/azure_services)                           | Enable/Disable Azure Services in Guardrails                                                                 |
-| Azure Provider Registration | [azure_provider_registration](./azure/azure_provider_registration) | Set the policy for Azure provider registration                                                          |
-
-## Prerequisites
-
-To run Turbot Guardrails baselines, you must install:
+| Baseline              | Path                                                   | Description                                                                      |
+|-----------------------|--------------------------------------------------------|----------------------------------------------------------------------------------|
+| AWS Mods              | [aws_mods](./aws/aws_mods)                             | A common list of AWS mods to install                                             |
+| AWS Service Enabled   | [aws_service_enabled](./aws/aws_service_enabled)       | Enable or disable AWS services in Guardrails                                     |
+| Azure Mods            | [azure_mods](./azure/azure_mods)                       | A common list of Azure mods to install                                           |
+| Azure Service Enabled | [azure_service_enabled](./azure/azure_service_enabled) | Enable or disable Azure services in Guardrails; register or deregister Azure providers |
+| GCP Mods              | [gcp_mods](./gcp/gcp_mods)                             | A common list of Google Cloud Platform (GCP) mods to install                     |
+| GCP Service Enabled   | [gcp_service_enabled](./gcp/gcp_service_enabled)       | Enable or disable GCP services in Guardrails; enable or disable GCP Service APIs |
+| Folder Hierarchy      | [folder_hierarchy](./guardrails/folder_hierarchy)      | Create a folder hierarchy in your workspace                                      |
+| Guardrails Mods       | [guardrails_mods](./guardrails/guardrails_mods)        | A common list of Guardrails mods to install                                      |
+| Local Directory       | [local_directory](./guardrails/local_directory)        | Create a local directory and users in your workspace                             |
+| Turbot Directory      | [turbot_directory](./guardrails/turbot_profiles)       | Create Turbot directory and profiles in your workspace                           |
+| Workspace Settings    | [workspace_settings](./guardrails/workspace_settings)  | Apply a common set of policies for better management of your workspace           |
+
+## Getting Started
+
+### Requirements
 
 - [Terraform](https://developer.hashicorp.com/terraform/install)
-- [Turbot Guardrails Terraform Provider](https://turbot.com/guardrails/docs/reference/terraform)
 
-Additionally, You must set your `config.tf` or environment variables to connect to your Turbot Guardrails workspace, as detail in the Turbot Guardrails Terraform Provider [Installation Instructions](https://turbot.com/guardrails/docs/reference/terraform/setup)
+### Credentials
 
-## Running a Baseline
+To create a policy pack through Terraform:
 
-To run a baseline:
+- Ensure you have `Turbot/Owner` permissions in Guardrails
+- [Create access keys](https://turbot.com/guardrails/docs/guides/iam/access-keys#generate-a-new-guardrails-api-access-key) in Guardrails
 
-1. Install and configure the [prerequisites](#prerequisites)
-1. At the command line, go to the directory for the baseline, for example: `cd mod_install`
-1. Run `terraform init` to initialize terraform in the directory
-1. Edit any variables in the .tf file that you wish to change, or override with [environment variables](https://www.terraform.io/docs/commands/environment-variables.html) or [variable files](https://www.terraform.io/docs/configuration/variables.html#variable-definitions-tfvars-files)
-1. Run `terraform plan -var-file="<fileName>.tfvars"` and inspect the changes
-1. Run `terraform apply -var-file="<fileName>.tfvars"` to apply the configuration
+And then set your credentials:
 
-## Contributing
+```sh
+export TURBOT_WORKSPACE=myworkspace.acme.com
+export TURBOT_ACCESS_KEY=acce6ac5-access-key-here
+export TURBOT_SECRET_KEY=a8af61ec-secret-key-here
+```
 
-### Structure
+Please see [Turbot Guardrails Provider authentication](https://registry.terraform.io/providers/turbot/turbot/latest/docs#authentication) for additional authentication methods.
 
-Baselines are implemented as independently deployable terraform configurations in a sub-directory of this repository.
+## Usage
 
-Commonly changed parameters are implemented using variables. All variables have default values, but they may not be the settings that you want, you may change them as required.
+### Install Baseline
 
-The baseline mods contain an individual `README.md` file and follows a specified file structure containing the parameters and configurations. Each baseline mod contains:
+Clone:
 
-- `Variables.tf` containing the variable definitions
+```sh
+git clone https://github.com/turbot/guardrails-samples.git
+cd guardrails-samples/baselines/guardrails/local_directory
+```
 
-- `main.tf` containing the terraform resources that creates the objects
+Run the Terraform to create the policy pack in your workspace:
 
-- `outputs.tf` containing the return values defined. The file should be optionally created when there is an output block included in the configuration
+```sh
+terraform init
+terraform plan
+```
 
-- `default.tfvars` containing the defaults for the variables
+Then apply the changes:
 
+```sh
+terraform apply
 ```
-Baseline
-.
-├── README.md
-├── main.tf
-├── variables.tf
-├── outputs.tf
-└── default.tfvar
-```
-
-### Style Guide
-
-Our baselines adopts styling conventions provided by [Terraform](https://www.terraform.io/docs/configuration/style.html) like:
-
-- Align the equal to signs for arguments appearing on consecutive lines with values.
-- Variables should use snake case: `this_is_an_example`
-- Use empty lines to separate logical groups of arguments within a block.
-
-To maintain consistency between files and modules, we recommend adopting the below added styling conventions:
-
-- For each baseline, include the variable definitions in the variables.tf file, the resources in main.tf file, and the output in outputs.tf file.
-- For `turbot_policy_setting` and `turbot_policy_value` resources , include the policy type hierarchy in a comment before the resource. For example:
-
-  ```terraform
-  # AWS > Account > Turbot IAM Role > External ID
-  resource "turbot_policy_setting" "turbotIamRoleExternalId" {
-    resource    = turbot_resource.account_resource.id
-    type        = "tmod:@turbot/aws#/policy/types/turbotIamRoleExternalId"
-    value       = var.turbot_external_id
-  }
-  ```
-
-- Use a single hash for comments that refer only to a single resource, immediately before the resource, for example:
-
-  ```terraform
-  # 1.4 Ensure access keys are rotated every 90 days or less (Scored)
-  # AWS > IAM > Access Key > Active > Age
-  # Setting value to "Force inactive if age > 90" days to meet remediation
-  resource "turbot_policy_setting" "AWS_IAM_AccessKey_Active_Age" {
-    resource    = var.target_resource
-    type        = "tmod:@turbot/aws-iam#/policy/types/accessKeyActiveAge"
-    value       = "Force inactive if age > 90 days"
-  }
-  ```
-
-- Use 4 hashes for comments that describe a group of resources, or general behavior:
-
-  ```terraform
-  #### Set the credentials (Role, external id) for the account via Guardrails policies
-  ```
-
-- All variables should have a description, and as a result should not require individual comments
-- Most variables should have a reasonable default
-- Where baselines apply policies, they generally should use a variable for the target resource
-
-  - it should be called target_resource
-  - it should default to "tmod:@turbot/turbot#/"
-  - it should have a comment that states that it may be changes or overridden
-
-  ```terraform
-  variable "target_resource" {
-      type    = "string"
-      description = "Enter the target resource id or aka"
-      default = "tmod:@turbot/turbot#/" # You may change/override this value to the id of target folder or resource
-  }
-  ```