本教學課程說明如何確認基礎架構即程式碼 (IaC) 未違反貴機構政策或 Security Health Analytics 偵測器。
目標
- 建立安全防護機制。
- 在專案中部署姿勢。
- 檢查 Terraform 檔案範例是否違規。
- 修正 Terraform 檔案中的違規事項,然後再次檢查檔案,確認修正內容。
事前準備
設定權限
-
Make sure that you have the following role or roles on the organization: Project Creator and Security Posture Admin
Check for the roles
-
In the Google Cloud console, go to the IAM page.
Go to IAM - Select the organization.
-
In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
- For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.
Grant the roles
-
In the Google Cloud console, go to the IAM page.
前往「IAM」頁面 - 選取機構。
- 按一下「授予存取權」。
-
在「New principals」(新增主體) 欄位中,輸入您的使用者 ID。 這通常是 Google 帳戶的電子郵件地址。
- 在「Select a role」(選取角色) 清單中,選取角色。
- 如要授予其他角色,請按一下 「新增其他角色」,然後新增每個其他角色。
- 按一下 [Save]。
設定 Cloud Shell
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
- 找出機構 ID:
gcloud organizations list
-
準備環境
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
Install the Google Cloud CLI.
-
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
-
To initialize the gcloud CLI, run the following command:
gcloud init -
Create or select a Google Cloud project.
-
Create a Google Cloud project:
gcloud projects create PROJECT_ID
Replace
PROJECT_IDwith a name for the Google Cloud project you are creating. -
Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
Replace
PROJECT_IDwith your Google Cloud project name.
-
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the Security posture service and Security Command Center management APIs:
gcloud services enable securityposture.googleapis.com
securitycentermanagement.googleapis.com -
Install the Google Cloud CLI.
-
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
-
To initialize the gcloud CLI, run the following command:
gcloud init -
Create or select a Google Cloud project.
-
Create a Google Cloud project:
gcloud projects create PROJECT_ID
Replace
PROJECT_IDwith a name for the Google Cloud project you are creating. -
Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
Replace
PROJECT_IDwith your Google Cloud project name.
-
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the Security posture service and Security Command Center management APIs:
gcloud services enable securityposture.googleapis.com
securitycentermanagement.googleapis.com - 複製專案編號。部署安全防護時,您需要專案編號來設定目標資源。
gcloud projects describe PROJECT_ID
- 初始化 Terraform:
terraform init
在 Cloud Shell 中啟動 Cloud Shell 編輯器。如要啟動編輯器,請按一下 Cloud Shell 視窗工具列上的「Open Editor」(開啟編輯器)
。建立名為
example-standard.yaml的 YAML 檔案。將下列程式碼貼到檔案中:
在 Cloud Shell 中建立姿勢:
gcloud scc postures create organizations/ORGANIZATION_ID/locations/global/postures/example-standard --posture-from-file=example-standard.yaml
複製指令產生的姿勢修訂 ID。
將姿勢部署至專案:
gcloud scc posture-deployments create organizations/ORGANIZATION_ID/locations/global/postureDeployments/example-standard \ --posture-name=organizations/ORGANIZATION_ID/locations/global/postures/example-standard \ --posture-revision-id="POSTURE_REVISION_ID" \ --target-resource=projects/PROJECT_NUMBER
更改下列內容:
ORGANIZATION_ID:您的機構 ID。POSTURE REVISION_ID:您複製的姿勢修訂 ID。PROJECT_NUMBER:您的專案編號。
在 Cloud Shell 中啟動 Cloud Shell 編輯器。
建立名為
main.tf的 Terraform 檔案。將下列程式碼貼到檔案中:
terraform { required_providers { google = { source = "hashicorp/google" } } } provider "google" { region = "us-central1" zone = "us-central1-c" } resource "google_compute_network" "example_network"{ name = "example-network-1" delete_default_routes_on_create = false auto_create_subnetworks = false routing_mode = "REGIONAL" mtu = 100 project = "PROJECT_ID" } resource "google_container_node_pool" "example_node_pool" { name = "example-node-pool-1" cluster = "example-cluster-1" project = "PROJECT_ID" initial_node_count = 2 node_config { preemptible = true machine_type = "e2-medium" } } resource "google_storage_bucket" "example_bucket" { name = "example-bucket-1" location = "EU" force_destroy = true project = "PROJECT_ID" uniform_bucket_level_access = false }將
PROJECT_ID替換為您建立的專案 ID。在 Cloud Shell 中建立 Terraform 方案檔案,並轉換為 JSON 格式:
terraform plan -out main.plan terraform show -json main.plan > mainplan.json
為「
mainplan.json」建立 IaC 驗證報告:gcloud scc iac-validation-reports create organizations/ORGANIZATION_ID/locations/global --tf-plan-file=mainplan.json
這項指令會傳回 IaC 驗證報告,說明下列違規事項:
example_network的mtu不是 1000。example_node_pool的initial_node_count不是 3。example_bucket未啟用統一值區層級存取權。example_bucket未啟用記錄功能。
在 Cloud Shell 中啟動 Cloud Shell 編輯器。
更新
main.tf檔案,進行下列變更:terraform { required_providers { google = { source = "hashicorp/google" } } } provider "google" { region = "us-central1" zone = "us-central1-c" } resource "google_compute_network" "example_network"{ name = "example-network-1" delete_default_routes_on_create = false auto_create_subnetworks = false routing_mode = "REGIONAL" mtu = 1000 project = "PROJECT_ID" } resource "google_container_node_pool" "example_node_pool" { name = "example-node-pool-1" cluster = "example-cluster-1" project = "PROJECT_ID" initial_node_count = 3 node_config { preemptible = true machine_type = "e2-medium" } } resource "google_storage_bucket" "example_bucket" { name = "example-bucket-1" location = "EU" force_destroy = true project = "PROJECT_ID" uniform_bucket_level_access = true logging { log_bucket = "my-unique-logging-bucket" // Create a separate bucket for logs log_object_prefix = "tf-logs/" // Optional prefix for better structure } }將
PROJECT_ID替換為您建立的專案 ID。在 Cloud Shell 中建立 Terraform 方案檔案,並轉換為 JSON 格式:
terraform plan -out main.plan terraform show -json main.plan > mainplan.json
為「
mainplan.json」重新建立 IaC 驗證報告:gcloud scc iac-validation-reports create organizations/ORGANIZATION_ID/locations/global --tf-plan-file=mainplan.json
建立及部署防護機制
name: organizations/ORGANIZATION_ID/locations/global/postures/example-standard state: ACTIVE policySets: - policies: - constraint: orgPolicyConstraintCustom: customConstraint: actionType: ALLOW condition: "resource.initialNodeCount == 3" description: Set initial node count to be exactly 3. displayName: fixedNodeCount methodTypes: - CREATE name: organizations/ORGANIZATION_ID/customConstraints/custom.fixedNodeCount resourceTypes: - container.googleapis.com/NodePool policyRules: - enforce: true policyId: fixedNodeCount - constraint: securityHealthAnalyticsCustomModule: config: customOutput: {} description: Set MTU for a network to be exactly 1000. predicate: expression: "!(resource.mtu == 1000)" recommendation: Only create networks whose MTU is 1000. resourceSelector: resourceTypes: - compute.googleapis.com/Network severity: HIGH displayName: fixedMTU moduleEnablementState: ENABLED policyId: fixedMTU - constraint: securityHealthAnalyticsModule: moduleEnablementState: ENABLED moduleName: BUCKET_POLICY_ONLY_DISABLED policyId: bucket_policy_only_disabled - constraint: securityHealthAnalyticsModule: moduleEnablementState: ENABLED moduleName: BUCKET_LOGGING_DISABLED policyId: bucket_logging_disabled policySetId: policySet1
將 ORGANIZATION_ID 替換為機構 ID。
建立 Terraform 檔案並驗證
解決違規事項
清除所用資源
如要避免系統向您的 Google Cloud 帳戶收取本教學課程中所用資源的相關費用,請刪除含有該項資源的專案,或者保留專案但刪除個別資源。
刪除專案
Delete a Google Cloud project:
gcloud projects delete PROJECT_ID
後續步驟
- 查看 根據貴機構的政策驗證 IaC。
- 探索 Google Cloud 的參考架構、圖表和最佳做法。 歡迎瀏覽我們的雲端架構中心。