创建 IaC 验证报告示例


本教程介绍了如何验证基础架构即代码 (IaC) 是否违反了贵组织政策或 Security Health Analytics 检测器。

目标

  • 创建安全状况。
  • 在项目中部署状况。
  • 检查 Terraform 示例文件是否存在违规行为。
  • 修正 Terraform 文件中的违规问题,然后再次检查该文件以验证修正情况。

准备工作

设置权限

  1. Make sure that you have the following role or roles on the organization: Project Creator and Security Posture Admin

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.

      Go to IAM
    2. Select the organization.
    3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

    4. For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.

      前往 IAM
    2. 选择组织。
    3. 点击 授予访问权限
    4. 新的主账号字段中,输入您的用户标识符。 这通常是 Google 账号的电子邮件地址。

    5. 选择角色列表中,选择一个角色。
    6. 如需授予其他角色,请点击 添加其他角色,然后添加其他各个角色。
    7. 点击 Save(保存)。

    设置 Cloud Shell

    1. In the Google Cloud console, activate Cloud Shell.

      Activate Cloud Shell

      At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

    2. 查找您的组织 ID:
      gcloud organizations list

准备环境

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. Install the Google Cloud CLI.

  3. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  4. To initialize the gcloud CLI, run the following command:

    gcloud init
  5. Create or select a Google Cloud project.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  6. Make sure that billing is enabled for your Google Cloud project.

  7. Enable the Security posture service and Security Command Center management APIs:

    gcloud services enable securityposture.googleapis.com  securitycentermanagement.googleapis.com
  8. Install the Google Cloud CLI.

  9. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  10. To initialize the gcloud CLI, run the following command:

    gcloud init
  11. Create or select a Google Cloud project.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  12. Make sure that billing is enabled for your Google Cloud project.

  13. Enable the Security posture service and Security Command Center management APIs:

    gcloud services enable securityposture.googleapis.com  securitycentermanagement.googleapis.com
  14. 复制项目编号。在部署状况时,您需要使用项目编号来设置目标资源。
    gcloud projects describe PROJECT_ID
  15. 初始化 Terraform:
    terraform init
  16. 创建和部署状况

    1. 在 Cloud Shell 中,启动 Cloud Shell 编辑器。如需启动编辑器,请点击 Cloud Shell 窗口工具栏上的 代码编辑器按钮 打开编辑器

    2. 创建一个名为 example-standard.yaml 的 YAML 文件。

    3. 将以下代码粘贴到您的文件中:

    name: organizations/ORGANIZATION_ID/locations/global/postures/example-standard
    state: ACTIVE
    policySets:
    - policies:
      - constraint:
          orgPolicyConstraintCustom:
            customConstraint:
              actionType: ALLOW
              condition: "resource.initialNodeCount == 3"
              description: Set initial node count to be exactly 3.
              displayName: fixedNodeCount
              methodTypes:
              - CREATE
              name: organizations/ORGANIZATION_ID/customConstraints/custom.fixedNodeCount
              resourceTypes:
              - container.googleapis.com/NodePool
            policyRules:
            - enforce: true
        policyId: fixedNodeCount
      - constraint:
          securityHealthAnalyticsCustomModule:
            config:
              customOutput: {}
              description: Set MTU for a network to be exactly 1000.
              predicate:
                expression: "!(resource.mtu == 1000)"
              recommendation: Only create networks whose MTU is 1000.
              resourceSelector:
                resourceTypes:
                - compute.googleapis.com/Network
              severity: HIGH
            displayName: fixedMTU
            moduleEnablementState: ENABLED
        policyId: fixedMTU
      - constraint:
          securityHealthAnalyticsModule:
            moduleEnablementState: ENABLED
            moduleName: BUCKET_POLICY_ONLY_DISABLED
        policyId: bucket_policy_only_disabled
      - constraint:
          securityHealthAnalyticsModule:
            moduleEnablementState: ENABLED
            moduleName: BUCKET_LOGGING_DISABLED
        policyId: bucket_logging_disabled
      policySetId: policySet1

    ORGANIZATION_ID 替换为您的组织 ID。

    1. 在 Cloud Shell 中,创建状况:

      gcloud scc postures create organizations/ORGANIZATION_ID/locations/global/postures/example-standard --posture-from-file=example-standard.yaml
      
    2. 复制该命令生成的状况修订版本 ID。

    3. 将状况部署到您的项目:

      gcloud scc posture-deployments create organizations/ORGANIZATION_ID/locations/global/postureDeployments/example-standard \
      --posture-name=organizations/ORGANIZATION_ID/locations/global/postures/example-standard \
      --posture-revision-id="POSTURE_REVISION_ID" \
      --target-resource=projects/PROJECT_NUMBER
      

      替换以下内容:

      • ORGANIZATION_ID:您的组织 ID。
      • POSTURE REVISION_ID:您复制的状况修订版本 ID。
      • PROJECT_NUMBER:您的项目编号。

    创建 Terraform 文件并进行验证

    1. 在 Cloud Shell 中,启动 Cloud Shell 编辑器。

    2. 创建一个名为 main.tf 的 Terraform 文件。

    3. 将以下代码粘贴到您的文件中:

      terraform {
        required_providers {
          google = {
            source  = "hashicorp/google"
          }
        }
      }
      
      provider "google" {
        region  = "us-central1"
        zone    = "us-central1-c"
      }
      
      resource "google_compute_network" "example_network"{
        name                            = "example-network-1"
        delete_default_routes_on_create = false
        auto_create_subnetworks         = false
        routing_mode                    = "REGIONAL"
        mtu                             = 100
        project                         = "PROJECT_ID"
      }
      
      resource "google_container_node_pool" "example_node_pool" {
        name               = "example-node-pool-1"
        cluster            = "example-cluster-1"
        project            = "PROJECT_ID"
        initial_node_count = 2
      
        node_config {
          preemptible  = true
          machine_type = "e2-medium"
        }
      }
      
      resource "google_storage_bucket" "example_bucket" {
        name          = "example-bucket-1"
        location      = "EU"
        force_destroy = true
      
        project = "PROJECT_ID"
      
        uniform_bucket_level_access = false
      }
      

      PROJECT_ID 替换为您创建的项目的项目 ID。

    4. 在 Cloud Shell 中,创建 Terraform 方案文件并将其转换为 JSON 格式:

      terraform plan -out main.plan
      terraform show -json main.plan > mainplan.json
      
    5. mainplan.json 创建 IaC 验证报告:

      gcloud scc iac-validation-reports create organizations/ORGANIZATION_ID/locations/global --tf-plan-file=mainplan.json
      

      此命令会返回一个 IaC 验证报告,其中描述了以下违规行为:

      • example_networkmtu 不是 1,000。
      • example_node_poolinitial_node_count 不是 3。
      • example_bucket 尚未启用统一存储桶级访问权限。
      • example_bucket 尚未启用日志记录。

    解决违规

    1. 在 Cloud Shell 中,启动 Cloud Shell 编辑器。

    2. 使用以下更改来更新 main.tf 文件:

      terraform {
        required_providers {
          google = {
            source  = "hashicorp/google"
          }
        }
      }
      
      provider "google" {
        region  = "us-central1"
        zone    = "us-central1-c"
      }
      
      resource "google_compute_network" "example_network"{
        name                            = "example-network-1"
        delete_default_routes_on_create = false
        auto_create_subnetworks         = false
        routing_mode                    = "REGIONAL"
        mtu                             = 1000
        project                         = "PROJECT_ID"
      }
      
      resource "google_container_node_pool" "example_node_pool" {
        name               = "example-node-pool-1"
        cluster            = "example-cluster-1"
        project            = "PROJECT_ID"
        initial_node_count = 3
      
        node_config {
          preemptible  = true
          machine_type = "e2-medium"
        }
      }
      
      resource "google_storage_bucket" "example_bucket" {
        name          = "example-bucket-1"
        location      = "EU"
        force_destroy = true
      
        project = "PROJECT_ID"
        uniform_bucket_level_access = true
      
        logging {
          log_bucket   = "my-unique-logging-bucket" // Create a separate bucket for logs
          log_object_prefix = "tf-logs/"             // Optional prefix for better structure
        }
      }
      

      PROJECT_ID 替换为您创建的项目的项目 ID。

    3. 在 Cloud Shell 中,创建 Terraform 方案文件并将其转换为 JSON 格式:

      terraform plan -out main.plan
      terraform show -json main.plan > mainplan.json
      
    4. mainplan.json 重新创建 IaC 验证报告:

      gcloud scc iac-validation-reports create organizations/ORGANIZATION_ID/locations/global --tf-plan-file=mainplan.json
      

清理

为避免因本教程中使用的资源导致您的 Google Cloud 账号产生费用,请删除包含这些资源的项目,或者保留项目但删除各个资源。

删除项目

    Delete a Google Cloud project:

    gcloud projects delete PROJECT_ID

后续步骤