Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers) (requires [organization-level activation](/security-command-center/docs/activate-scc-overview#overview_of_organization-level_activation))

You can write a [build config](/build/docs/build-config-file-schema) that instructs Cloud Build to validate the infrastructure as code (IaC) that is part of your build. Validating IaC lets you determine whether your Terraform resource definitions violate the existing organization policies and Security Health Analytics detectors that are applied to your Google Cloud resources, before those definitions are applied.

For more information about IaC validation, see [Validate your IaC against your Google Cloud organization's policies](/security-command-center/docs/validate-iac).

Before you begin

Complete these tasks to get started with IaC validation using Cloud Build.

Activate the Security Command Center Premium tier or Enterprise tier

Verify that the [Security Command Center Premium tier or Enterprise tier](/security-command-center/docs/activate-scc-overview) is activated at the organization level.

Activating Security Command Center enables the `securityposture.googleapis.com` and `securitycentermanagement.googleapis.com` APIs.

Set up permissions

1. Make sure that you have the following roles on the organization:

   - Security Posture Shift-Left Validator
   - Log Writer
   - Storage Writer
   - Storage Reader

   Check for the roles

   1. In the Google Cloud console, go to the **IAM** page. [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=organizationId)
   2. Select the organization.
   3. In the **Principal** column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
   4. For all rows that specify or include you, check the **Role** column to see whether the list of roles includes the required roles.

   Grant the roles

   1. In the Google Cloud console, go to the **IAM** page. [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=organizationId)
   2. Select the organization.
   3. Click **Grant access**.
   4. In the **New principals** field, enter your user identifier. This is typically the email address for a Google Account.
   5. In the **Select a role** list, select a role.
   6. To grant additional roles, click **Add another role** and add each additional role.
   7. Click **Save**.

The build steps later on this page run with the credentials of the build's service account, not with yours, so the `gcloud scc iac-validation-reports create` step only succeeds if that service account also holds the Security Posture Shift-Left Validator role on the organization.

For more information about IaC validation permissions, see [IAM for organization-level activations](/security-command-center/docs/access-control-org).

Enable the Cloud Build API

1. Enable the Cloud Build API. [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=cloudbuild.googleapis.com)

Define your policies

Define your [organization policies](/resource-manager/docs/organization-policy/creating-managing-policies) and [Security Health Analytics detectors](/security-command-center/docs/concepts-security-health-analytics). To define these policies using a security posture, complete the tasks in [Create and deploy a posture](/security-command-center/docs/how-to-use-security-posture#create_and_deploy_a_posture).

Create your Terraform code

For instructions, see [Create your Terraform code](/security-command-center/docs/validate-iac#create_your_terraform_code).

Validate your IaC in Cloud Build

Note: The samples in this section are YAML samples. IaC validation also supports JSON build configs.

Add the following tasks to your `cloudbuild.yaml` file:

1. Initialize Terraform:

   - name: hashicorp/terraform
     args:
       - '-c'
       - |
         terraform init \
           -backend-config="bucket=STATE_BUCKET" \
           -backend-config="prefix=REPOSITORY_NAME"
     dir: FOLDER
     id: Terraform Init
     entrypoint: sh

   Replace the following:

   - STATE_BUCKET with the name of the Cloud Storage bucket to [store the Terraform state](/docs/terraform/resource-management/store-state) in.
   - REPOSITORY_NAME with the repository that hosts your Terraform code.
   - FOLDER with the name of the folder to save the Terraform artifacts to.

2. Create a plan file:

   - name: hashicorp/terraform
     args:
       - '-c'
       - |
         terraform plan -out tf.plan
     dir: FOLDER
     id: Terraform Plan
     entrypoint: sh

3. Convert the plan file to JSON format:

   - name: hashicorp/terraform
     args:
       - '-c'
       - |
         terraform show -json tf.plan > plan.json
     dir: FOLDER
     id: Terraform Show
     entrypoint: sh

4. Create the IaC validation report:

   - name: gcr.io/cloud-builders/gcloud
     args:
       - '-c'
       - |
         gcloud scc iac-validation-reports create \
           organizations/ORGANIZATION_ID/locations/global --tf-plan-file=plan.json \
           --format="json(response.iacValidationReport)" > IaCScanReport_$BUILD_ID.json
     dir: FOLDER
     id: Run IaC scan
     entrypoint: /bin/bash

   Replace ORGANIZATION_ID with your organization's ID. `$BUILD_ID` is a Cloud Build substitution, so each build writes a report file named after its own build ID.

5. If you're using Cloud Storage, upload the JSON results file to Cloud Storage:

   - name: gcr.io/cloud-builders/gsutil
     args:
       - cp
       - IaCScanReport_$BUILD_ID.json
       - SCAN_RESULT_FILE_BUCKET
     dir: FOLDER
     id: Upload report file

   Replace SCAN_RESULT_FILE_BUCKET with the Cloud Storage bucket to upload the results file to, as a `gs://` URI. Uploading the report before the validation step (step 7) keeps a copy of the findings even when that step fails the build, because Cloud Build does not run the steps after a failed one.

6. To view the results in SARIF format, complete the following:

   1. Convert the file:

      - name: golang
        args:
          - '-c'
          - |
            go run github.com/google/gcp-scc-iac-validation-utils/SARIFConverter@latest \
              --inputFilePath=IaCScanReport_$BUILD_ID.json \
              --outputFilePath=IaCScanReport_$BUILD_ID.sarif.json
        dir: FOLDER
        id: Convert to SARIF format
        entrypoint: /bin/bash

      Both flags must be on one logical command line: without the line continuation after `--inputFilePath`, the shell would run `--outputFilePath=...` as a separate command and the converter would run with no output path.

   2. Optional: upload the file to Cloud Storage:

      - name: gcr.io/cloud-builders/gsutil
        args:
          - cp
          - IaCScanReport_$BUILD_ID.sarif.json
          - SCAN_RESULT_FILE_BUCKET
        dir: FOLDER
        id: Upload SARIF report file

      Step IDs in a build config must be unique, so this step needs an `id` different from the one used in step 5.

7. Validate the results. Complete this step on the results JSON file that you haven't converted to SARIF format:

   - name: golang
     args:
       - '-c'
       - |
         go run github.com/google/gcp-scc-iac-validation-utils/ReportValidator@latest \
           --inputFilePath=IaCScanReport_$BUILD_ID.json --failure_expression=FAILURE_CRITERIA
     dir: FOLDER
     id: Validate results
     entrypoint: /bin/bash

   Replace FAILURE_CRITERIA with the failure threshold criteria that determine when the build fails. The threshold criteria are based on the number of critical, high, medium, and low severity issues that the IaC validation scan encounters. FAILURE_CRITERIA specifies how many issues of each severity are permitted, and also specifies how the issues are aggregated (either `AND` or `OR`). For example, if you want the build to fail if it encounters one critical issue *or* one high severity issue, set FAILURE_CRITERIA to `Critical:1,High:1,Operator:OR`. The default is `Critical:1,High:1,Medium:1,Low:1,Operator:OR`, which means that if the IaC validation scan encounters a violation of any severity, the build must fail. A build step fails the build when its process exits with a non-zero status, which is how the validator enforces the threshold.

   Steps 6 and 7 fetch the validation utilities with `@latest`, so the code that decides whether your build passes is resolved at build time from whatever the newest published version is. For a reproducible gate that a broken or malicious release cannot silently change, pin the module to a specific version tag or commit instead of `@latest`.

8. If the build fails, resolve any violations within your Terraform code.

What's next

- View the [IaC validation report in Cloud Storage](/storage/docs/listing-objects#list-objects).
- Review the [IaC validation scripts in GitHub](https://github.com/google/gcp-scc-iac-validation-utils).
- Review the [`cloud.yaml` sample](https://github.com/google/devops-governance/blob/main/examples/guardrails/cloudbuild/folder-factory/.cloudbuild/workflows/cloudbuild.yaml).

Last updated: 2025-09-05 (UTC)