**Note:** Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers) (requires [organization-level activation](/security-command-center/docs/activate-scc-overview#overview_of_organization-level_activation))

You can write a [build config](/build/docs/build-config-file-schema) that instructs Cloud Build to validate the infrastructure as code (IaC) that is part of your build. Validating IaC lets you determine whether your Terraform resource definitions violate the existing organization policies and Security Health Analytics detectors that are applied to your Google Cloud resources.

For more information about IaC validation, see [Validate your IaC against your Google Cloud organization's policies](/security-command-center/docs/validate-iac).

Before you begin

Complete these tasks to get started with IaC validation using Cloud Build.

Activate the Security Command Center Premium tier or Enterprise tier

Verify that the [Security Command Center Premium tier or Enterprise tier](/security-command-center/docs/activate-scc-overview) is activated at the organization level.

Activating Security Command Center enables the `securityposture.googleapis.com` and `securitycentermanagement.googleapis.com` APIs.

Set up permissions

1. Make sure that you have the following role or roles on the organization:

   - Security Posture Shift-Left Validator
   - Log Writer
   - Storage Writer
   - Storage Reader

   Check for the roles

   1. In the Google Cloud console, go to the **IAM** page.

      [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=organizationId)
   2. Select the organization.
   3. In the **Principal** column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
   4. For all rows that specify or include you, check the **Role** column to see whether the list of roles includes the required roles.

   Grant the roles

   1. In the Google Cloud console, go to the **IAM** page.

      [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=organizationId)
   2. Select the organization.
   3. Click **Grant access**.
   4. In the **New principals** field, enter your user identifier. This is typically the email address for a Google Account.
   5. In the **Select a role** list, select a role.
   6. To grant additional roles, click **Add another role** and add each additional role.
   7. Click **Save**.

For more information about IaC validation permissions, see [IAM for organization-level activations](/security-command-center/docs/access-control-org).

Enable the Cloud Build API

1. Enable the Cloud Build API.

   [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=cloudbuild.googleapis.com)

Define your policies

Define your [organization policies](/resource-manager/docs/organization-policy/creating-managing-policies) and [Security Health Analytics detectors](/security-command-center/docs/concepts-security-health-analytics). To define these policies using a security posture, complete the tasks in [Create and deploy a posture](/security-command-center/docs/how-to-use-security-posture#create_and_deploy_a_posture).

Create your Terraform code

For instructions, see [Create your Terraform code](/security-command-center/docs/validate-iac#create_your_terraform_code).

Validate your IaC in Cloud Build

**Note:** The samples in this section are YAML samples. IaC validation also supports JSON build configs.

Add the following tasks to your `cloudbuild.yaml` file:
1. Initialize Terraform:

   ```yaml
   - name: hashicorp/terraform
     args:
       - '-c'
       - |
         terraform init \
           -backend-config="bucket=STATE_BUCKET" \
           -backend-config="prefix=REPOSITORY_NAME"
     dir: FOLDER
     id: Terraform Init
     entrypoint: sh
   ```

   Replace the following:

   - STATE_BUCKET with the name of the Cloud Storage bucket to [store the Terraform state](/docs/terraform/resource-management/store-state) in.
   - REPOSITORY_NAME with the repository that hosts your Terraform code.
   - FOLDER with the name of the folder to save the Terraform artifacts to.

2. Create a plan file:

   ```yaml
   - name: hashicorp/terraform
     args:
       - '-c'
       - |
         terraform plan -out tf.plan
     dir: FOLDER
     id: Terraform Plan
     entrypoint: sh
   ```

3. Convert the plan file to JSON format:

   ```yaml
   - name: hashicorp/terraform
     args:
       - '-c'
       - |
         terraform show -json tf.plan > plan.json
     dir: FOLDER
     id: Terraform Show
     entrypoint: sh
   ```
4. Create the IaC validation report:

   ```yaml
   - name: gcr.io/cloud-builders/gcloud
     args:
       - '-c'
       - |
         gcloud scc iac-validation-reports create \
           organizations/ORGANIZATION_ID/locations/global --tf-plan-file=plan.json \
           --format="json(response.iacValidationReport)" > IaCScanReport_$BUILD_ID.json
     dir: FOLDER
     id: Run IaC scan
     entrypoint: /bin/bash
   ```

   Replace ORGANIZATION_ID with your organization's ID.

5. If you're using Cloud Storage, upload the JSON results file to Cloud Storage:

   ```yaml
   - name: gcr.io/cloud-builders/gsutil
     args:
       - cp
       - IaCScanReport_$BUILD_ID.json
       - SCAN_RESULT_FILE_BUCKET
     dir: FOLDER
     id: Upload report file
   ```

   Replace SCAN_RESULT_FILE_BUCKET with the Cloud Storage bucket to upload the results file to.

6. To view the results in SARIF format, complete the following:

   1. Convert the file:

      ```yaml
      - name: golang
        args:
          - '-c'
          - |
            go run github.com/google/gcp-scc-iac-validation-utils/SARIFConverter@latest \
              --inputFilePath=IaCScanReport_$BUILD_ID.json \
              --outputFilePath=IaCScanReport_$BUILD_ID.sarif.json
        dir: FOLDER
        id: Convert to SARIF format
        entrypoint: /bin/bash
      ```
   2. Optional: upload the file to Cloud Storage. The step `id` must differ from the one used in step 5, because Cloud Build step ids have to be unique within a build:

      ```yaml
      - name: gcr.io/cloud-builders/gsutil
        args:
          - cp
          - IaCScanReport_$BUILD_ID.sarif.json
          - SCAN_RESULT_FILE_BUCKET
        dir: FOLDER
        id: Upload SARIF report file
      ```

7. Validate the results. Complete this step on the results JSON file that you haven't converted to SARIF format:

   ```yaml
   - name: golang
     args:
       - '-c'
       - |
         go run github.com/google/gcp-scc-iac-validation-utils/ReportValidator@latest \
           --inputFilePath=IaCScanReport_$BUILD_ID.json --failure_expression=FAILURE_CRITERIA
     dir: FOLDER
     id: Validate results
     entrypoint: /bin/bash
   ```

   Replace FAILURE_CRITERIA with the failure threshold criteria that determine when the build fails. The threshold criteria are based on the number of critical, high, medium, and low severity issues that the IaC validation scan encounters. FAILURE_CRITERIA specifies how many issues of each severity are permitted, and also specifies how the issues are aggregated (either `AND` or `OR`). For example, if you want the build to fail if it encounters one critical issue *or* one high severity issue, set FAILURE_CRITERIA to `Critical:1,High:1,Operator:OR`. The default is `Critical:1,High:1,Medium:1,Low:1,Operator:OR`, which means that if the IaC validation scan encounters a violation of any severity, the build must fail.
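To make the SARIF conversion in step 6 and the threshold gate in step 7 concrete, here is an added example that is not code from this page or from Google's gcp-scc-iac-validation-utils project: a small Python script that reads the report written by the "Run IaC scan" step, counts violations by severity, evaluates a FAILURE_CRITERIA expression, and emits a minimal SARIF 2.1.0 log. The report layout (a `response.iacValidationReport` wrapper produced by the `--format` projection, and `violations` entries carrying `severity`, `policyId`, `assetId` and `nextSteps`), the sample report itself, and the exact threshold semantics are assumptions derived from the page's description of the default criteria; the real ReportValidator and SARIFConverter may behave differently.

```python
"""Gate a Cloud Build step on an IaC validation report.

Added example; not part of Google's gcp-scc-iac-validation-utils. The report
layout and the exact threshold semantics are assumptions (see comments).
"""
import json
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")

# Constructed sample of the file written by the "Run IaC scan" step. A real
# file produced with --format="json(response.iacValidationReport)" is assumed
# to wrap the report as {"response": {"iacValidationReport": {...}}}; the
# violation fields below are assumed from the API, not taken from the page.
SAMPLE_REPORT = {
    "response": {
        "iacValidationReport": {
            "violations": [
                {
                    "assetId": "storage.googleapis.com/buckets/example-bucket",
                    "policyId": "example-posture/public-bucket-acl",
                    "severity": "HIGH",
                    "nextSteps": "Remove allUsers and allAuthenticatedUsers from the bucket IAM policy.",
                },
                {
                    "assetId": "compute.googleapis.com/instances/example-vm",
                    "policyId": "example-posture/serial-port-enabled",
                    "severity": "MEDIUM",
                    "nextSteps": "Disable serial port access on the instance.",
                },
            ]
        }
    }
}


def unwrap_report(doc):
    """Accept either the bare report or the gcloud projection wrapper."""
    return doc.get("response", {}).get("iacValidationReport", doc)


def parse_failure_criteria(expr):
    """'Critical:1,High:1,Operator:OR' -> ({'CRITICAL': 1, 'HIGH': 1}, 'OR')."""
    thresholds, operator = {}, "OR"
    for clause in expr.split(","):
        key, _, value = clause.strip().partition(":")
        if not value:
            raise ValueError(f"malformed clause: {clause!r}")
        if key.lower() == "operator":
            operator = value.upper()
            if operator not in ("AND", "OR"):
                raise ValueError(f"unknown operator: {value!r}")
        elif key.upper() in SEVERITIES:
            thresholds[key.upper()] = int(value)
        else:
            raise ValueError(f"unknown severity: {key!r}")
    if not thresholds:
        raise ValueError("FAILURE_CRITERIA names no severity")
    return thresholds, operator


def count_by_severity(doc):
    """Number of violations per severity, zero-filled for all four levels."""
    violations = unwrap_report(doc).get("violations", [])
    counts = Counter(v.get("severity", "").upper() for v in violations)
    return {s: counts.get(s, 0) for s in SEVERITIES}


def build_should_fail(doc, expr):
    """True when the report meets the failure threshold.

    Assumed semantics, derived from the page's statement that the default
    'Critical:1,High:1,Medium:1,Low:1,Operator:OR' fails on any single
    violation: a clause 'Severity:N' is met when at least N issues of that
    severity exist, and clauses combine with AND (all met) or OR (any met).
    """
    thresholds, operator = parse_failure_criteria(expr)
    counts = count_by_severity(doc)
    met = [counts[sev] >= n for sev, n in thresholds.items()]
    return all(met) if operator == "AND" else any(met)


def to_sarif(doc, tool_name="iac-validation"):
    """Minimal SARIF 2.1.0 log: one result per violation, one rule per policyId."""
    level = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "LOW": "note"}
    rules, results = {}, []
    for v in unwrap_report(doc).get("violations", []):
        rule_id = v.get("policyId", "unknown-policy")
        rules.setdefault(rule_id, {"id": rule_id, "shortDescription": {"text": rule_id}})
        results.append({
            "ruleId": rule_id,
            "level": level.get(v.get("severity", "").upper(), "warning"),
            "message": {"text": f"{v.get('assetId', 'unknown asset')}: {v.get('nextSteps', '')}".strip()},
            "properties": {"severity": v.get("severity", "")},
        })
    return {
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
                  "results": results}],
    }


if __name__ == "__main__":
    import sys
    criteria = sys.argv[1] if len(sys.argv) > 1 else "Critical:1,High:1,Medium:1,Low:1,Operator:OR"
    print(json.dumps(to_sarif(SAMPLE_REPORT), indent=2))
    print("violations by severity:", count_by_severity(SAMPLE_REPORT))
    # A non-zero exit status fails this Cloud Build step, and with it the build.
    sys.exit(1 if build_should_fail(SAMPLE_REPORT, criteria) else 0)
```

Run it as `python3 gate.py 'Critical:1,High:1,Operator:OR'`: with the constructed report (one HIGH, one MEDIUM) the process exits non-zero, which is what makes a Cloud Build step, and therefore the build, fail; with `Critical:1,High:1,Operator:AND` it exits zero because no CRITICAL issue is present. The gate reads the untouched scan JSON rather than the SARIF output, matching the page's instruction for step 7, and the SARIF log maps CRITICAL and HIGH to `error`, MEDIUM to `warning` and LOW to `note` so that a SARIF viewer shows the same priorities the threshold expression uses.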
8. If the build fails, resolve any violations within your Terraform code.

What's next

- View the [IaC validation report in Cloud Storage](/storage/docs/listing-objects#list-objects).
- Review the [IaC validation scripts in GitHub](https://github.com/google/gcp-scc-iac-validation-utils).
- Review the [`cloud.yaml` sample](https://github.com/google/devops-governance/blob/main/examples/guardrails/cloudbuild/folder-factory/.cloudbuild/workflows/cloudbuild.yaml).