Restez organisé à l'aide des collections
Enregistrez et classez les contenus selon vos préférences.
Vous pouvez créer une configuration de compilation qui indique à Cloud Build de valider l'infrastructure as code (IaC) faisant partie de votre compilation. La validation de l'IaC vous permet de déterminer si vos définitions de ressources Terraform enfreignent les règles d'administration et les détecteurs Security Health Analytics existants appliqués à vos ressources Google Cloud .
In the Principal column, find all rows that identify you or a group that
you're included in. To learn which groups you're included in, contact your
administrator.
For all rows that specify or include you, check the Role column to see whether
the list of roles includes the required roles.
Remplacez SCAN_RESULT_FILE_BUCKET par le bucket Cloud Storage dans lequel importer le fichier de résultats.
Pour afficher les résultats au format SARIF, procédez comme suit :
Convertissez le fichier :
-name:golangargs:-'-c'-|go run github.com/google/gcp-scc-iac-validation-utils/SARIFConverter@latest \--inputFilePath=IaCScanReport_$BUILD_ID.json--outputFilePath=IaCScanReport_$BUILD_ID.sarif.jsondir:FOLDERid:Convert to SARIF formatentrypoint:/bin/bash
Facultatif : importez le fichier dans Cloud Storage :
Validez les résultats. Effectuez cette étape sur le fichier JSON de résultats que vous n'avez pas converti au format SARIF :
-name:golangargs:-'-c'-|go run github.com/google/gcp-scc-iac-validation-utils/ReportValidator@latest \--inputFilePath=IaCScanReport_$BUILD_ID.json --failure_expression=FAILURE_CRITERIAdir:FOLDERid:Validate resultsentrypoint:/bin/bash
Remplacez FAILURE_CRITERIA par les critères de seuil d'échec qui déterminent quand la compilation échoue. Les critères de seuil sont basés sur le nombre de problèmes critiques, de gravité élevée, moyenne et faible rencontrés par l'analyse de validation IaC. FAILURE_CRITERIA spécifie le nombre de problèmes autorisés pour chaque niveau de gravité, ainsi que la façon dont les problèmes sont agrégés (AND ou OR). Par exemple, si vous souhaitez que la compilation échoue si elle rencontre un problème critique ou un problème de gravité élevée, définissez FAILURE_CRITERIA sur Critical:1,High:1,Operator:OR. La valeur par défaut est Critical:1,High:1,Medium:1,Low:1,Operator:OR, ce qui signifie que si l'analyse de validation de l'IaC détecte une violation de quelque gravité que ce soit, la compilation doit échouer.
Si la compilation échoue, corrigez les éventuels cas de non-respect dans votre code Terraform.
Sauf indication contraire, le contenu de cette page est régi par une licence Creative Commons Attribution 4.0, et les échantillons de code sont régis par une licence Apache 2.0. Pour en savoir plus, consultez les Règles du site Google Developers. Java est une marque déposée d'Oracle et/ou de ses sociétés affiliées.
Dernière mise à jour le 2025/09/05 (UTC).
[[["Facile à comprendre","easyToUnderstand","thumb-up"],["J'ai pu résoudre mon problème","solvedMyProblem","thumb-up"],["Autre","otherUp","thumb-up"]],[["Difficile à comprendre","hardToUnderstand","thumb-down"],["Informations ou exemple de code incorrects","incorrectInformationOrSampleCode","thumb-down"],["Il n'y a pas l'information/les exemples dont j'ai besoin","missingTheInformationSamplesINeed","thumb-down"],["Problème de traduction","translationIssue","thumb-down"],["Autre","otherDown","thumb-down"]],["Dernière mise à jour le 2025/09/05 (UTC)."],[],[],null,["| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers) (requires [organization-level activation](/security-command-center/docs/activate-scc-overview#overview_of_organization-level_activation))\n\nYou can write a [build config](/build/docs/build-config-file-schema) that\ninstructs Cloud Build to validate the infrastructure as code (IaC)\nthat is part of your build. Validating IaC lets you determine whether your\nTerraform resource definitions violate the existing organization policies and\nSecurity Health Analytics detectors that are applied to your Google Cloud resources.\n\nFor more information about IaC validation, see\n[Validate your IaC against your Google Cloud organization's policies](/security-command-center/docs/validate-iac).\n\nBefore you begin\n\nComplete these tasks to get started with IaC validation using\nCloud Build.\n\nActivate the Security Command Center Premium tier or Enterprise tier\n\nVerify that the\n[Security Command Center Premium tier or Enterprise tier](/security-command-center/docs/activate-scc-overview)\nis activated at the organization level.\n\nActivating Security Command Center enables the `securityposture.googleapis.com` and\n`securitycentermanagement.googleapis.com` APIs.\n\nSet up permissions\n\n1.\n\n Make sure that you have the following role or roles on the organization:\n\n\n - Security Posture Shift-Left Validator\n - Log Writer\n - Storage Writer\n - Storage Reader\n\n \u003cbr /\u003e\n\n Check for the roles\n 1.\n In the Google Cloud console, go to the **IAM** page.\n\n [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=organizationId)\n 2. Select the organization.\n 3.\n In the **Principal** column, find all rows that identify you or a group that\n you're included in. To learn which groups you're included in, contact your\n administrator.\n\n 4. For all rows that specify or include you, check the **Role** column to see whether the list of roles includes the required roles.\n\n Grant the roles\n 1.\n In the Google Cloud console, go to the **IAM** page.\n\n [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=organizationId)\n 2. Select the organization.\n 3. Click person_add **Grant access**.\n 4.\n In the **New principals** field, enter your user identifier.\n\n This is typically the email address for a Google Account.\n\n 5. In the **Select a role** list, select a role.\n 6. To grant additional roles, click add **Add\n another role** and add each additional role.\n 7. Click **Save**.\n\n\u003cbr /\u003e\n\nFor more information about IaC validation permissions, see\n[IAM for organization-level activations](/security-command-center/docs/access-control-org).\n\nEnable the Cloud Build API\n\n1.\n\n\n Enable the Cloud Build API.\n\n\n [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=cloudbuild.googleapis.com)\n\n\u003cbr /\u003e\n\nDefine your policies\n\nDefine your\n[organization policies](/resource-manager/docs/organization-policy/creating-managing-policies)\nand\n[Security Health Analytics detectors](/security-command-center/docs/concepts-security-health-analytics).\nTo define these policies using a security posture, complete the tasks in\n[Create and deploy a posture](/security-command-center/docs/how-to-use-security-posture#create_and_deploy_a_posture).\n\nCreate your Terraform code\n\nFor instructions, see\n[Create your Terraform code](/security-command-center/docs/validate-iac#create_your_terraform_code).\n\nValidate your IAC in Cloud Build **Note:** The samples in this section are YAML samples. IaC validation also supports JSON buildconfigs.\n\nAdd the following tasks to your `cloudbuild.yaml` file:\n\n1. Initialize Terraform:\n\n - name: hashicorp/terraform\n args:\n - '-c'\n - |\n terraform init \\\n -backend-config=\"bucket=\u003cvar translate=\"no\"\u003eSTATE_BUCKET\u003c/var\u003e\" \\\n -backend-config=\"prefix=\u003cvar translate=\"no\"\u003eREPOSITORY_NAME\u003c/var\u003e\" \\\n dir: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eFOLDER\u003c/span\u003e\u003c/var\u003e\n id: Terraform Init\n entrypoint: sh\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eSTATE_BUCKET\u003c/var\u003e with the name of the Cloud Storage bucket to [store the Terraform state](/docs/terraform/resource-management/store-state) in\n - \u003cvar translate=\"no\"\u003eREPOSITORY_NAME\u003c/var\u003e with the repository that hosts your Terraform code.\n - \u003cvar translate=\"no\"\u003eFOLDER\u003c/var\u003e with the name of the folder to save the Terraform artifacts to.\n2. Create a plan file:\n\n - name: hashicorp/terraform\n args:\n - '-c'\n - |\n terraform plan -out tf.plan\n dir: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eFOLDER\u003c/span\u003e\u003c/var\u003e\n id: Terraform Plan\n entrypoint: sh\n\n3. Convert the plan file to JSON format:\n\n - name: hashicorp/terraform\n args:\n - '-c'\n - |\n terraform show -json tf.plan \u003e plan.json\n dir: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eFOLDER\u003c/span\u003e\u003c/var\u003e\n id: Terraform Show\n entrypoint: sh\n\n4. Create the IaC validation report:\n\n - name: gcr.io/cloud-builders/gcloud\n args:\n - '-c'\n - |\n gcloud scc iac-validation-reports create \\\n organizations/\u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e/locations/global --tf-plan-file=plan.json \\\n --format=\"json(response.iacValidationReport)\" \u003e IaCScanReport_$BUILD_ID.json\n dir: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eFOLDER\u003c/span\u003e\u003c/var\u003e\n id: Run IaC scan\n entrypoint: /bin/bash\n\n Replace \u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e with your organization's ID.\n5. If you're using Cloud Storage, upload the JSON results file to\n Cloud Storage:\n\n - name: gcr.io/cloud-builders/gsutil\n args:\n - cp\n - IaCScanReport_$BUILD_ID.json\n - \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eSCAN_RESULT_FILE_BUCKET\u003c/span\u003e\u003c/var\u003e\n dir: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eFOLDER\u003c/span\u003e\u003c/var\u003e\n id: Upload report file\n\n Replace \u003cvar translate=\"no\"\u003eSCAN_RESULT_FILE_BUCKET\u003c/var\u003e with the\n Cloud Storage bucket to upload the results file to.\n6. To view the results in SARIF format, complete the following:\n\n 1. Convert the file:\n\n - name: golang\n args:\n - '-c'\n - |\n go run github.com/google/gcp-scc-iac-validation-utils/SARIFConverter@latest \\\n --inputFilePath=IaCScanReport_$BUILD_ID.json\n --outputFilePath=IaCScanReport_$BUILD_ID.sarif.json\n dir: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eFOLDER\u003c/span\u003e\u003c/var\u003e\n id: Convert to SARIF format\n entrypoint: /bin/bash\n\n 2. Optional: upload the file to Cloud Storage:\n\n - name: gcr.io/cloud-builders/gsutil\n args:\n - cp\n - IaCScanReport_$BUILD_ID.sarif.json\n - \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eSCAN_RESULT_FILE_BUCKET\u003c/span\u003e\u003c/var\u003e\n dir: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eFOLDER\u003c/span\u003e\u003c/var\u003e\n id: Upload report file\n\n7. Validate the results. Complete this step on the\n results JSON file that you haven't converted to SARIF format:\n\n - name: golang\n args:\n - '-c'\n - |\n go run github.com/google/gcp-scc-iac-validation-utils/ReportValidator@latest \\\n --inputFilePath=IaCScanReport_$BUILD_ID.json --failure_expression=\u003cvar translate=\"no\"\u003eFAILURE_CRITERIA\u003c/var\u003e\n dir: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eFOLDER\u003c/span\u003e\u003c/var\u003e\n id: Validate results\n entrypoint: /bin/bash\n\n Replace \u003cvar translate=\"no\"\u003eFAILURE_CRITERIA\u003c/var\u003e with the failure threshold\n criteria that determines when the build fails. The threshold criteria is\n based on the number of critical, high, medium, and low severity issues that\n the IaC validation scan encounters. \u003cvar translate=\"no\"\u003eFAILURE_CRITERIA\u003c/var\u003e\n specifies how many issues of each severity are permitted, and also specifies\n how the issues are aggregated (either `AND` or `OR`). For example, if you\n want the build to fail if it encounters one critical issue *or* one high\n severity issue, set the \u003cvar translate=\"no\"\u003eFAILURE_CRITERIA\u003c/var\u003e to\n `Critical:1,High:1,Operator:OR`. The default is\n `Critical:1,High:1,Medium:1,Low:1,Operator:OR`, which means that if the IaC\n validation scan encounters a violation of any severity, the build must fail.\n8. If the build fails, resolve any violations within your Terraform code.\n\nWhat's next\n\n- View the [IaC validation report in Cloud Storage](/storage/docs/listing-objects#list-objects).\n- Review the [IaC validation scripts in GitHub](https://github.com/google/gcp-scc-iac-validation-utils).\n- Review the [`cloud.yaml` sample](https://github.com/google/devops-governance/blob/main/examples/guardrails/cloudbuild/folder-factory/.cloudbuild/workflows/cloudbuild.yaml)."]]