Example: Create an IaC validation report

This tutorial describes how to verify that your infrastructure as code (IaC) doesn't violate your organization's policies or Security Health Analytics detectors.

Objectives

  • Create a security posture.
  • Deploy the posture to a project.
  • Check a sample Terraform file for violations.
  • Fix the violations in the Terraform file, then check the file again to confirm the fixes.

Before you begin

Set up permissions

  1. Make sure that you have the following role or roles on the organization: Project Creator and Security Posture Admin

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.

    2. Select the organization.
    3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

    4. For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.

    2. Select the organization.
    3. Click Grant access.
    4. In the New principals field, enter your user identifier. This is typically the email address for a Google Account.

    5. In the Select a role list, select a role.
    6. To grant additional roles, click Add another role and add each additional role.
    7. Click Save.

Set up Cloud Shell

    1. In the Google Cloud console, activate Cloud Shell.

      At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

    2. Find your organization ID:
      gcloud organizations list

Prepare your environment

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. Install the Google Cloud CLI.

  3. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  4. To initialize the gcloud CLI, run the following command:

    gcloud init
  5. Create or select a Google Cloud project.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  6. Make sure that billing is enabled for your Google Cloud project.

  7. Enable the Security posture service and Security Command Center management APIs:

    gcloud services enable securityposture.googleapis.com  securitycentermanagement.googleapis.com
  8. Copy the project number. You need it to set the target resource when you deploy the security posture.
    gcloud projects describe PROJECT_ID
  9. Initialize Terraform:
    terraform init

Create and deploy the posture

    1. In Cloud Shell, launch the Cloud Shell Editor. To launch the editor, click the Open Editor code editor button on the toolbar of the Cloud Shell window.

    2. Create a YAML file named example-standard.yaml.

    3. Paste the following code into the file:

    name: organizations/ORGANIZATION_ID/locations/global/postures/example-standard
    state: ACTIVE
    policySets:
    - policies:
      - constraint:
          orgPolicyConstraintCustom:
            customConstraint:
              actionType: ALLOW
              condition: "resource.initialNodeCount == 3"
              description: Set initial node count to be exactly 3.
              displayName: fixedNodeCount
              methodTypes:
              - CREATE
              name: organizations/ORGANIZATION_ID/customConstraints/custom.fixedNodeCount
              resourceTypes:
              - container.googleapis.com/NodePool
            policyRules:
            - enforce: true
        policyId: fixedNodeCount
      - constraint:
          securityHealthAnalyticsCustomModule:
            config:
              customOutput: {}
              description: Set MTU for a network to be exactly 1000.
              predicate:
                expression: "!(resource.mtu == 1000)"
              recommendation: Only create networks whose MTU is 1000.
              resourceSelector:
                resourceTypes:
                - compute.googleapis.com/Network
              severity: HIGH
            displayName: fixedMTU
            moduleEnablementState: ENABLED
        policyId: fixedMTU
      - constraint:
          securityHealthAnalyticsModule:
            moduleEnablementState: ENABLED
            moduleName: BUCKET_POLICY_ONLY_DISABLED
        policyId: bucket_policy_only_disabled
      - constraint:
          securityHealthAnalyticsModule:
            moduleEnablementState: ENABLED
            moduleName: BUCKET_LOGGING_DISABLED
        policyId: bucket_logging_disabled
      policySetId: policySet1

    Replace ORGANIZATION_ID with your organization ID.

    4. In Cloud Shell, create the posture:

      gcloud scc postures create organizations/ORGANIZATION_ID/locations/global/postures/example-standard --posture-from-file=example-standard.yaml

    5. Copy the posture revision ID that the command returns.

    6. Deploy the posture to the project:

      gcloud scc posture-deployments create organizations/ORGANIZATION_ID/locations/global/postureDeployments/example-standard \
      --posture-name=organizations/ORGANIZATION_ID/locations/global/postures/example-standard \
      --posture-revision-id="POSTURE_REVISION_ID" \
      --target-resource=projects/PROJECT_NUMBER

      Replace the following:

      • ORGANIZATION_ID: your organization ID.
      • POSTURE_REVISION_ID: the posture revision ID that you copied.
      • PROJECT_NUMBER: your project number.

Create a Terraform file and validate it

    1. In Cloud Shell, launch the Cloud Shell Editor.

    2. Create a Terraform file named main.tf.

    3. Paste the following code into the file:

      terraform {
        required_providers {
          google = {
            source  = "hashicorp/google"
          }
        }
      }
      
      provider "google" {
        region  = "us-central1"
        zone    = "us-central1-c"
      }
      
      resource "google_compute_network" "example_network" {
        name                            = "example-network-1"
        delete_default_routes_on_create = false
        auto_create_subnetworks         = false
        routing_mode                    = "REGIONAL"
        mtu                             = 100
        project                         = "PROJECT_ID"
      }
      
      resource "google_container_node_pool" "example_node_pool" {
        name               = "example-node-pool-1"
        cluster            = "example-cluster-1"
        project            = "PROJECT_ID"
        initial_node_count = 2
      
        node_config {
          preemptible  = true
          machine_type = "e2-medium"
        }
      }
      
      resource "google_storage_bucket" "example_bucket" {
        name          = "example-bucket-1"
        location      = "EU"
        force_destroy = true
      
        project = "PROJECT_ID"
      
        uniform_bucket_level_access = false
      }
      

      Replace PROJECT_ID with the ID of the project that you created.

    4. In Cloud Shell, create a Terraform plan file and convert it to JSON format:

      terraform plan -out main.plan
      terraform show -json main.plan > mainplan.json
      
    5. Create an IaC validation report for mainplan.json:

      gcloud scc iac-validation-reports create organizations/ORGANIZATION_ID/locations/global --tf-plan-file=mainplan.json
      

      This command returns an IaC validation report that describes the following violations:

      • The mtu of example_network is not 1000.
      • The initial_node_count of example_node_pool is not 3.
      • example_bucket doesn't have uniform bucket-level access enabled.
      • example_bucket doesn't have logging enabled.
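As an added example that is not part of this tutorial, the following Python script applies the same four rules as example-standard.yaml to a Terraform plan JSON produced by `terraform show -json`, so you can see locally which plan attribute each posture policy reads before you send the plan to the IaC validation API. The mapping from policy to attribute is my own reading of the posture file (an org-policy custom constraint with actionType ALLOW passes when its CEL condition is true; a Security Health Analytics custom module raises a finding when its predicate is true; the two built-in modules are expressed by their names). The plan snippets are constructed to match the tutorial's main.tf, and the script name precheck.py is a placeholder.

```python
"""Offline pre-check that mirrors the four policies in example-standard.yaml
against a Terraform plan JSON (the output of `terraform show -json main.plan`).

Added example, not code from the Google Cloud tutorial. The plan snippets are
constructed to match the tutorial's main.tf; how each policy maps to a plan
attribute is an assumption documented per rule below.
"""
import copy
import json
import sys

# One entry per policy in example-standard.yaml: (policyId, Terraform resource
# type, check, message). `check` returns True when the planned resource
# satisfies the policy.
#  - fixedNodeCount: org-policy custom constraint, actionType ALLOW. The CREATE
#    is allowed only when the CEL condition holds, so the check is the condition.
#  - fixedMTU: SHA custom module. A finding is raised when the predicate
#    "!(resource.mtu == 1000)" is true, so the check is the predicate negated.
#  - bucket_policy_only_disabled / bucket_logging_disabled: built-in SHA
#    modules, expressed here by their documented meaning (assumed mapping).
POLICIES = [
    ("fixedNodeCount", "google_container_node_pool",
     lambda v: v.get("initial_node_count") == 3,
     "initial_node_count is not 3"),
    ("fixedMTU", "google_compute_network",
     lambda v: not (v.get("mtu") != 1000),
     "mtu is not 1000"),
    ("bucket_policy_only_disabled", "google_storage_bucket",
     lambda v: v.get("uniform_bucket_level_access") is True,
     "uniform bucket-level access is not enabled"),
    ("bucket_logging_disabled", "google_storage_bucket",
     lambda v: bool(v.get("logging")),  # nested blocks are lists in plan JSON
     "logging is not enabled"),
]


def planned_resources(plan):
    """Yield (type, name, after-values) for each resource the plan creates or updates."""
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if {"create", "update"} & set(change.get("actions", [])):
            yield rc["type"], rc["name"], change.get("after") or {}


def find_violations(plan):
    """Return [(policyId, resource name, message)] for every policy a resource fails."""
    violations = []
    for rtype, rname, values in planned_resources(plan):
        for policy_id, wanted_type, check, message in POLICIES:
            if rtype == wanted_type and not check(values):
                violations.append((policy_id, rname, message))
    return violations


def _change(rtype, name, after):
    """Build one resource_changes entry shaped like `terraform show -json` output."""
    return {"address": f"{rtype}.{name}", "type": rtype, "name": name,
            "change": {"actions": ["create"], "before": None, "after": after}}


# Constructed plan for the tutorial's first main.tf (the violating version).
VIOLATING_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        _change("google_compute_network", "example_network",
                {"name": "example-network-1", "mtu": 100, "routing_mode": "REGIONAL"}),
        _change("google_container_node_pool", "example_node_pool",
                {"name": "example-node-pool-1", "cluster": "example-cluster-1",
                 "initial_node_count": 2}),
        _change("google_storage_bucket", "example_bucket",
                {"name": "example-bucket-1", "location": "EU",
                 "uniform_bucket_level_access": False, "logging": []}),
    ],
}


def apply_fixes(plan):
    """Return a copy of `plan` with the same edits the tutorial makes to main.tf."""
    fixed = copy.deepcopy(plan)
    for rc in fixed["resource_changes"]:
        after = rc["change"]["after"]
        if rc["type"] == "google_compute_network":
            after["mtu"] = 1000
        elif rc["type"] == "google_container_node_pool":
            after["initial_node_count"] = 3
        elif rc["type"] == "google_storage_bucket":
            after["uniform_bucket_level_access"] = True
            after["logging"] = [{"log_bucket": "my-unique-logging-bucket",
                                 "log_object_prefix": "tf-logs/"}]
    return fixed


if __name__ == "__main__":
    # Usage: python precheck.py mainplan.json  (no argument: use the constructed plan)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = VIOLATING_PLAN
    found = find_violations(plan)
    for policy_id, rname, message in found:
        print(f"{policy_id}: {rname}: {message}")
    sys.exit(1 if found else 0)
```

Run it as `python precheck.py mainplan.json` after step 4; with no argument it evaluates the constructed plan, reports the same four violations as the report above, and reports none for the plan returned by apply_fixes, which makes the same edits as the corrected main.tf. Treat it as a developer-side shortcut only: the gcloud report stays the authoritative check, because it evaluates the posture as actually deployed to the project.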

Resolve the violations

    1. In Cloud Shell, launch the Cloud Shell Editor.

    2. Update the main.tf file with the following changes:

      terraform {
        required_providers {
          google = {
            source  = "hashicorp/google"
          }
        }
      }
      
      provider "google" {
        region  = "us-central1"
        zone    = "us-central1-c"
      }
      
      resource "google_compute_network" "example_network" {
        name                            = "example-network-1"
        delete_default_routes_on_create = false
        auto_create_subnetworks         = false
        routing_mode                    = "REGIONAL"
        mtu                             = 1000
        project                         = "PROJECT_ID"
      }
      
      resource "google_container_node_pool" "example_node_pool" {
        name               = "example-node-pool-1"
        cluster            = "example-cluster-1"
        project            = "PROJECT_ID"
        initial_node_count = 3
      
        node_config {
          preemptible  = true
          machine_type = "e2-medium"
        }
      }
      
      resource "google_storage_bucket" "example_bucket" {
        name          = "example-bucket-1"
        location      = "EU"
        force_destroy = true
      
        project = "PROJECT_ID"
        uniform_bucket_level_access = true
      
        logging {
          log_bucket   = "my-unique-logging-bucket" // Create a separate bucket for logs
          log_object_prefix = "tf-logs/"             // Optional prefix for better structure
        }
      }
      

      Replace PROJECT_ID with the ID of the project that you created.

    3. In Cloud Shell, create a Terraform plan file and convert it to JSON format:

      terraform plan -out main.plan
      terraform show -json main.plan > mainplan.json
      
    4. Re-create the IaC validation report for mainplan.json to confirm that the violations are resolved:

      gcloud scc iac-validation-reports create organizations/ORGANIZATION_ID/locations/global --tf-plan-file=mainplan.json
      

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.

Delete the project

    Delete a Google Cloud project:

    gcloud projects delete PROJECT_ID

What's next