Tetap teratur dengan koleksi
Simpan dan kategorikan konten berdasarkan preferensi Anda.
Anda dapat menulis konfigurasi build yang
menginstruksikan Cloud Build untuk memvalidasi infrastructure as code (IaC)
yang merupakan bagian dari build Anda. Memvalidasi IaC memungkinkan Anda menentukan apakah definisi resource Terraform Anda melanggar kebijakan organisasi yang ada dan detektor Security Health Analytics yang diterapkan ke resource Google Cloud Anda.
In the Principal column, find all rows that identify you or a group that
you're included in. To learn which groups you're included in, contact your
administrator.
For all rows that specify or include you, check the Role column to see whether
the list of roles includes the required roles.
Ganti SCAN_RESULT_FILE_BUCKET dengan
bucket Cloud Storage tempat file hasil akan diupload.
Untuk melihat hasil dalam format SARIF, selesaikan langkah-langkah berikut:
Konversi file:
-name:golangargs:-'-c'-|go run github.com/google/gcp-scc-iac-validation-utils/SARIFConverter@latest \--inputFilePath=IaCScanReport_$BUILD_ID.json--outputFilePath=IaCScanReport_$BUILD_ID.sarif.jsondir:FOLDERid:Convert to SARIF formatentrypoint:/bin/bash
Validasi hasilnya. Selesaikan langkah ini pada file JSON hasil yang belum Anda konversi ke format SARIF:
-name:golangargs:-'-c'-|go run github.com/google/gcp-scc-iac-validation-utils/ReportValidator@latest \--inputFilePath=IaCScanReport_$BUILD_ID.json --failure_expression=FAILURE_CRITERIAdir:FOLDERid:Validate resultsentrypoint:/bin/bash
Ganti FAILURE_CRITERIA dengan kriteria
batas kegagalan yang menentukan kapan build gagal. Kriteria nilai minimum didasarkan pada jumlah masalah dengan tingkat keparahan kritis, tinggi, sedang, dan rendah yang ditemukan oleh pemindaian validasi IaC. FAILURE_CRITERIA
menentukan jumlah masalah dengan setiap tingkat keparahan yang diizinkan, dan juga menentukan
cara masalah diagregasi (baik AND maupun OR). Misalnya, jika Anda
ingin build gagal jika menemukan satu masalah kritis atau satu masalah dengan tingkat
keparahan tinggi, tetapkan FAILURE_CRITERIA ke
Critical:1,High:1,Operator:OR. Defaultnya adalah
Critical:1,High:1,Medium:1,Low:1,Operator:OR, yang berarti bahwa jika pemindaian validasi IaC
menemukan pelanggaran dengan tingkat keparahan apa pun, build harus gagal.
Jika build gagal, selesaikan pelanggaran apa pun dalam kode Terraform Anda.
[[["Mudah dipahami","easyToUnderstand","thumb-up"],["Memecahkan masalah saya","solvedMyProblem","thumb-up"],["Lainnya","otherUp","thumb-up"]],[["Sulit dipahami","hardToUnderstand","thumb-down"],["Informasi atau kode contoh salah","incorrectInformationOrSampleCode","thumb-down"],["Informasi/contoh yang saya butuhkan tidak ada","missingTheInformationSamplesINeed","thumb-down"],["Masalah terjemahan","translationIssue","thumb-down"],["Lainnya","otherDown","thumb-down"]],["Terakhir diperbarui pada 2025-08-19 UTC."],[],[],null,["# Integrate IaC validation with Cloud Build\n\n| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers) (requires [organization-level activation](/security-command-center/docs/activate-scc-overview#overview_of_organization-level_activation))\n\nYou can write a [build config](/build/docs/build-config-file-schema) that\ninstructs Cloud Build to validate the infrastructure as code (IaC)\nthat is part of your build. Validating IaC lets you determine whether your\nTerraform resource definitions violate the existing organization policies and\nSecurity Health Analytics detectors that are applied to your Google Cloud resources.\n\nFor more information about IaC validation, see\n[Validate your IaC against your Google Cloud organization's policies](/security-command-center/docs/validate-iac).\n\nBefore you begin\n----------------\n\nComplete these tasks to get started with IaC validation using\nCloud Build.\n\n### Activate the Security Command Center Premium tier or Enterprise tier\n\nVerify that the\n[Security Command Center Premium tier or Enterprise tier](/security-command-center/docs/activate-scc-overview)\nis activated at the organization level.\n\nActivating Security Command Center enables the `securityposture.googleapis.com` and\n`securitycentermanagement.googleapis.com` APIs.\n\n### Set up permissions\n\n1.\n\n Make sure that you have the following role or roles on the organization:\n\n\n - Security Posture Shift-Left Validator\n - Log Writer\n - Storage Writer\n - Storage Reader\n\n \u003cbr /\u003e\n\n #### Check for the roles\n\n 1.\n In the Google Cloud console, go to the **IAM** page.\n\n [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=organizationId)\n 2. Select the organization.\n 3.\n In the **Principal** column, find all rows that identify you or a group that\n you're included in. To learn which groups you're included in, contact your\n administrator.\n\n 4. For all rows that specify or include you, check the **Role** column to see whether the list of roles includes the required roles.\n\n #### Grant the roles\n\n 1.\n In the Google Cloud console, go to the **IAM** page.\n\n [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=organizationId)\n 2. Select the organization.\n 3. Click person_add **Grant access**.\n 4.\n In the **New principals** field, enter your user identifier.\n\n This is typically the email address for a Google Account.\n\n 5. In the **Select a role** list, select a role.\n 6. To grant additional roles, click add **Add\n another role** and add each additional role.\n 7. Click **Save**.\n\n\u003cbr /\u003e\n\nFor more information about IaC validation permissions, see\n[IAM for organization-level activations](/security-command-center/docs/access-control-org).\n\n### Enable the Cloud Build API\n\n1.\n\n\n Enable the Cloud Build API.\n\n\n [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=cloudbuild.googleapis.com)\n\n\u003cbr /\u003e\n\n### Define your policies\n\nDefine your\n[organization policies](/resource-manager/docs/organization-policy/creating-managing-policies)\nand\n[Security Health Analytics detectors](/security-command-center/docs/concepts-security-health-analytics).\nTo define these policies using a security posture, complete the tasks in\n[Create and deploy a posture](/security-command-center/docs/how-to-use-security-posture#create_and_deploy_a_posture).\n\n### Create your Terraform code\n\nFor instructions, see\n[Create your Terraform code](/security-command-center/docs/validate-iac#create_your_terraform_code).\n\nValidate your IAC in Cloud Build\n--------------------------------\n\n| **Note:** The samples in this section are YAML samples. IaC validation also supports JSON buildconfigs.\n\nAdd the following tasks to your `cloudbuild.yaml` file:\n\n1. Initialize Terraform:\n\n - name: hashicorp/terraform\n args:\n - '-c'\n - |\n terraform init \\\n -backend-config=\"bucket=\u003cvar translate=\"no\"\u003eSTATE_BUCKET\u003c/var\u003e\" \\\n -backend-config=\"prefix=\u003cvar translate=\"no\"\u003eREPOSITORY_NAME\u003c/var\u003e\" \\\n dir: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eFOLDER\u003c/span\u003e\u003c/var\u003e\n id: Terraform Init\n entrypoint: sh\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eSTATE_BUCKET\u003c/var\u003e with the name of the Cloud Storage bucket to [store the Terraform state](/docs/terraform/resource-management/store-state) in\n - \u003cvar translate=\"no\"\u003eREPOSITORY_NAME\u003c/var\u003e with the repository that hosts your Terraform code.\n - \u003cvar translate=\"no\"\u003eFOLDER\u003c/var\u003e with the name of the folder to save the Terraform artifacts to.\n2. Create a plan file:\n\n - name: hashicorp/terraform\n args:\n - '-c'\n - |\n terraform plan -out tf.plan\n dir: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eFOLDER\u003c/span\u003e\u003c/var\u003e\n id: Terraform Plan\n entrypoint: sh\n\n3. Convert the plan file to JSON format:\n\n - name: hashicorp/terraform\n args:\n - '-c'\n - |\n terraform show -json tf.plan \u003e plan.json\n dir: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eFOLDER\u003c/span\u003e\u003c/var\u003e\n id: Terraform Show\n entrypoint: sh\n\n4. Create the IaC validation report:\n\n - name: gcr.io/cloud-builders/gcloud\n args:\n - '-c'\n - |\n gcloud scc iac-validation-reports create \\\n organizations/\u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e/locations/global --tf-plan-file=plan.json \\\n --format=\"json(response.iacValidationReport)\" \u003e IaCScanReport_$BUILD_ID.json\n dir: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eFOLDER\u003c/span\u003e\u003c/var\u003e\n id: Run IaC scan\n entrypoint: /bin/bash\n\n Replace \u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e with your organization's ID.\n5. If you're using Cloud Storage, upload the JSON results file to\n Cloud Storage:\n\n - name: gcr.io/cloud-builders/gsutil\n args:\n - cp\n - IaCScanReport_$BUILD_ID.json\n - \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eSCAN_RESULT_FILE_BUCKET\u003c/span\u003e\u003c/var\u003e\n dir: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eFOLDER\u003c/span\u003e\u003c/var\u003e\n id: Upload report file\n\n Replace \u003cvar translate=\"no\"\u003eSCAN_RESULT_FILE_BUCKET\u003c/var\u003e with the\n Cloud Storage bucket to upload the results file to.\n6. To view the results in SARIF format, complete the following:\n\n 1. Convert the file:\n\n - name: golang\n args:\n - '-c'\n - |\n go run github.com/google/gcp-scc-iac-validation-utils/SARIFConverter@latest \\\n --inputFilePath=IaCScanReport_$BUILD_ID.json\n --outputFilePath=IaCScanReport_$BUILD_ID.sarif.json\n dir: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eFOLDER\u003c/span\u003e\u003c/var\u003e\n id: Convert to SARIF format\n entrypoint: /bin/bash\n\n 2. Optional: upload the file to Cloud Storage:\n\n - name: gcr.io/cloud-builders/gsutil\n args:\n - cp\n - IaCScanReport_$BUILD_ID.sarif.json\n - \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eSCAN_RESULT_FILE_BUCKET\u003c/span\u003e\u003c/var\u003e\n dir: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eFOLDER\u003c/span\u003e\u003c/var\u003e\n id: Upload report file\n\n7. Validate the results. Complete this step on the\n results JSON file that you haven't converted to SARIF format:\n\n - name: golang\n args:\n - '-c'\n - |\n go run github.com/google/gcp-scc-iac-validation-utils/ReportValidator@latest \\\n --inputFilePath=IaCScanReport_$BUILD_ID.json --failure_expression=\u003cvar translate=\"no\"\u003eFAILURE_CRITERIA\u003c/var\u003e\n dir: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eFOLDER\u003c/span\u003e\u003c/var\u003e\n id: Validate results\n entrypoint: /bin/bash\n\n Replace \u003cvar translate=\"no\"\u003eFAILURE_CRITERIA\u003c/var\u003e with the failure threshold\n criteria that determines when the build fails. The threshold criteria is\n based on the number of critical, high, medium, and low severity issues that\n the IaC validation scan encounters. \u003cvar translate=\"no\"\u003eFAILURE_CRITERIA\u003c/var\u003e\n specifies how many issues of each severity are permitted, and also specifies\n how the issues are aggregated (either `AND` or `OR`). For example, if you\n want the build to fail if it encounters one critical issue *or* one high\n severity issue, set the \u003cvar translate=\"no\"\u003eFAILURE_CRITERIA\u003c/var\u003e to\n `Critical:1,High:1,Operator:OR`. The default is\n `Critical:1,High:1,Medium:1,Low:1,Operator:OR`, which means that if the IaC\n validation scan encounters a violation of any severity, the build must fail.\n8. If the build fails, resolve any violations within your Terraform code.\n\nWhat's next\n-----------\n\n- View the [IaC validation report in Cloud Storage](/storage/docs/listing-objects#list-objects).\n- Review the [IaC validation scripts in GitHub](https://github.com/google/gcp-scc-iac-validation-utils).\n- Review the [`cloud.yaml` sample](https://github.com/google/devops-governance/blob/main/examples/guardrails/cloudbuild/folder-factory/.cloudbuild/workflows/cloudbuild.yaml)."]]