Integrate IaC validation with Jenkins

You can use the Google Analyze Code Security plugin for Jenkins to validate the infrastructure as code (IaC) that is part of your Jenkins project. Validating IaC lets you determine whether your Terraform resource definitions violate the existing organization policies and Security Health Analytics detectors that are applied to your Google Cloud resources.

For more information about IaC validation, see Validate your IaC against your Google Cloud organization's policies.

IaC validation only works with Jenkins freestyle projects.

Before you begin

Complete these tasks to get started with IaC validation with Jenkins.

Activate the Security Command Center Premium tier or Enterprise tier

Verify that the Security Command Center Premium tier or Enterprise tier is activated at the organization level.

Activating Security Command Center enables the securityposture.googleapis.com and securitycentermanagement.googleapis.com APIs.

Create a service account

Create a service account that you can use for the Google Analyze Code Security plugin for Jenkins.

  1. Create a service account:

    1. In the Google Cloud console, go to the Create service account page.
    2. Select your project.
    3. In the Service account name field, enter a name. The Google Cloud console fills in the Service account ID field based on this name.

      In the Service account description field, enter a description. For example, Service account for quickstart.

    4. Click Create and continue.
    5. Grant the Security Posture Shift-Left Validator role to the service account.

      To grant the role, find the Select a role list, then select Security Posture Shift-Left Validator.

    6. Click Continue.
    7. Click Done to finish creating the service account.

      Do not close your browser window. You will use it in the next step.

  2. Create a service account key:

    1. In the Google Cloud console, click the email address for the service account that you created.
    2. Click Keys.
    3. Click Add key, and then click Create new key.
    4. Click Create. A JSON key file is downloaded to your computer.
    5. Click Close.

For more information about IaC validation permissions, see IAM for organization-level activations.

Define your policies

Define your organization policies and Security Health Analytics detectors. To define these policies using a security posture, complete the tasks in Create and deploy a posture.

Install and configure the plug-in

  1. In the Jenkins console, click Manage Jenkins > Manage Plugins.
  2. In the Available tab, search for google-analyze-code-security.
  3. Complete the installation steps.
  4. Click Manage Jenkins > Configure System.
  5. In the Google Analyze Code Security section, click Add credential.
  6. In Organization ID, enter the organization ID for the Google Cloud organization that includes the Terraform resources that you want to create or modify.
  7. In Security Command Center Credential, add the service account key.
  8. Test the connection to verify the service account credentials.
  9. Click Save.

Create your Terraform plan JSON file

  1. Create your Terraform code. For instructions, see Create your Terraform code.

  2. Install the Terraform plugin for Jenkins.

  3. In the Jenkins console, in your Jenkins freestyle project, go to the Configuration page.

  4. Click Source Code Management.

  5. In Repository URL, enter the URL to the Terraform code that you created.

  6. Click Build steps.

  7. Add the following steps:

    1. Initialize Terraform:

      terraform init
      
    2. Create a Terraform plan file:

      terraform plan -out=TF_PLAN_FILE
      

      Replace TF_PLAN_FILE with the name for the Terraform plan file. For example, myplan.tfplan.

    3. Convert your plan file into JSON format:

      terraform show -no-color -json TF_PLAN_FILE > TF_PLAN_JSON_FILE
      

      Replace TF_PLAN_JSON_FILE with the name for the Terraform plan file, in JSON format. For example, mytfplan.json.
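The JSON file produced by the last step is what the plug-in scans, and the asset IDs in the violation report refer to resource addresses inside it. The following Python example is added here and is not part of this page or of the plug-in; it checks that a file really is Terraform plan JSON (a common slip is pointing the plug-in at the binary plan file or at `terraform show` output without `-json`), lists the resources the plan would change, and maps a resource address back to its planned state. The embedded plan JSON is a constructed sample whose layout follows Terraform's JSON plan format; the resource names and values are made up.

```python
import json

# Constructed sample of the JSON that `terraform show -no-color -json TF_PLAN_FILE`
# writes. The top-level keys and the resource_changes entries follow the shape of
# Terraform's JSON plan output; the resources and values themselves are made up.
SAMPLE_PLAN_JSON = """
{
  "format_version": "1.2",
  "terraform_version": "1.7.0",
  "resource_changes": [
    {
      "address": "google_storage_bucket.logs",
      "mode": "managed",
      "type": "google_storage_bucket",
      "name": "logs",
      "change": {
        "actions": ["create"],
        "before": null,
        "after": {"name": "example-logs-bucket", "uniform_bucket_level_access": false}
      }
    },
    {
      "address": "google_compute_firewall.allow_ssh",
      "mode": "managed",
      "type": "google_compute_firewall",
      "name": "allow_ssh",
      "change": {
        "actions": ["update"],
        "before": {"source_ranges": ["10.0.0.0/8"]},
        "after": {"source_ranges": ["0.0.0.0/0"]}
      }
    },
    {
      "address": "google_project_service.api",
      "mode": "managed",
      "type": "google_project_service",
      "name": "api",
      "change": {
        "actions": ["no-op"],
        "before": {"service": "compute.googleapis.com"},
        "after": {"service": "compute.googleapis.com"}
      }
    }
  ]
}
"""


def load_plan(text):
    """Parse plan JSON and reject anything that is not a Terraform plan document.

    Feeding the plug-in the binary .tfplan file, or the output of `terraform show`
    without -json, fails here with a clear message instead of later in the build.
    """
    try:
        plan = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON (did you forget -json?): {exc}") from exc
    if not isinstance(plan, dict) or "format_version" not in plan:
        raise ValueError("JSON does not look like a Terraform plan (no format_version)")
    if "resource_changes" not in plan:
        raise ValueError("plan has no resource_changes; was it produced from a plan file?")
    return plan


def planned_changes(plan):
    """Return (address, actions) for every resource the plan would actually touch.

    no-op entries are skipped: they appear in the plan but nothing about them
    changes, so they cannot introduce a new violation.
    """
    result = []
    for rc in plan["resource_changes"]:
        actions = rc["change"]["actions"]
        if actions == ["no-op"]:
            continue
        result.append((rc["address"], actions))
    return result


def lookup_asset(plan, address):
    """Map an asset ID from the violation report back to its planned 'after' state."""
    for rc in plan["resource_changes"]:
        if rc["address"] == address:
            return rc["change"].get("after")
    return None


if __name__ == "__main__":
    plan = load_plan(SAMPLE_PLAN_JSON)
    for address, actions in planned_changes(plan):
        print(f"{address}: {','.join(actions)}")
    print(lookup_asset(plan, "google_storage_bucket.logs"))
```

Running `load_plan` on the generated file as a separate build step before the scan step gives an early, readable failure when the plan JSON was not generated correctly.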

Add the plug-in to your Jenkins project

  1. In the Jenkins console, in your Jenkins freestyle project, go to the Configuration page.
  2. In Build Steps, click Add build step > Perform Code Scan during Build.
  3. Enter your organization ID.
  4. Provide the path to your Terraform plan file, in JSON format.
  5. Optional: Set the build failure criteria. The failure criteria are based on the number of critical, high, medium, and low severity issues that the IaC validation scan finds. You specify how many issues of each severity are permitted and how the per-severity conditions are combined (either AND or OR).

    1. Click Fail on Asset Violation.

    2. If you want the build to fail only if the count of issues from all severity levels is reached, select AND. If you want the build to fail if the count of issues from any severity level is reached, select OR. For example, if you want the build to fail if it encounters one critical issue or one high severity issue, set the aggregate value to OR.

    3. Indicate the number of issues at the various severity levels that you want to permit before the build fails.

    If you don't want to specify failure criteria, select Ignore Asset Violation.

  6. Click Save.

You can now run the build to validate your Terraform plan file.
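The AND/OR aggregation above is easy to get backwards, and a misconfigured threshold means a build passes with findings the team meant to block. The following Python example is added here and is not the plug-in's code; it models the described failure criteria so you can check a threshold configuration against a known set of findings before relying on it. It assumes that a severity level is "reached" when its count is at or above the configured number (the page's example of failing on one critical or one high issue with OR), and that configuring no thresholds behaves like Ignore Asset Violation. The violations and rule names are constructed placeholders, not real policy or detector IDs.

```python
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")

# Constructed sample violations carrying the fields the report describes: the
# severity, the rule that was not met and the asset ID from the Terraform plan.
# Rule names are placeholders, not real organization policy or detector IDs.
SAMPLE_VIOLATIONS = [
    {"severity": "HIGH", "rule": "example-rule/bucket-access",
     "asset": "google_storage_bucket.logs"},
    {"severity": "MEDIUM", "rule": "example-rule/firewall-source",
     "asset": "google_compute_firewall.allow_ssh"},
    {"severity": "LOW", "rule": "example-rule/labels",
     "asset": "google_storage_bucket.logs"},
]


def count_by_severity(violations):
    """Count findings per severity, returning all four levels (zero when absent)."""
    counts = Counter(v["severity"].upper() for v in violations)
    unknown = set(counts) - set(SEVERITIES)
    if unknown:
        raise ValueError(f"unknown severity values: {sorted(unknown)}")
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def should_fail(counts, thresholds, aggregate):
    """Decide whether a build fails under the described failure criteria.

    thresholds maps a severity to the number of issues at which that level
    counts as reached (count >= threshold; an assumption for this example).
    With AND every configured level must be reached; with OR any one suffices.
    An empty thresholds dict never fails, mirroring Ignore Asset Violation
    (also an assumption for this example).
    """
    aggregate = aggregate.upper()
    if aggregate not in ("AND", "OR"):
        raise ValueError("aggregate must be AND or OR")
    if not thresholds:
        return False
    reached = []
    for sev, limit in thresholds.items():
        sev = sev.upper()
        if sev not in SEVERITIES:
            raise ValueError(f"unknown severity {sev!r}")
        reached.append(counts.get(sev, 0) >= limit)
    return all(reached) if aggregate == "AND" else any(reached)


if __name__ == "__main__":
    counts = count_by_severity(SAMPLE_VIOLATIONS)
    print(counts)
    # One critical OR one high finding should fail the build.
    print(should_fail(counts, {"CRITICAL": 1, "HIGH": 1}, "OR"))
    # With AND the same thresholds pass, because no critical finding exists.
    print(should_fail(counts, {"CRITICAL": 1, "HIGH": 1}, "AND"))
```

The second call illustrates the trap: with AND, a single high finding does not fail the build unless the critical threshold is also reached, so a policy of "block any high or critical" needs OR.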

View the IaC violation report

  1. In the Jenkins console, click the most recent workflow for your build.

  2. Click Status. The following HTML files are available as build artifacts:

    • If the plug-in ran, the violation report (GoogleAnalyzeCodeSecurity_ViolationSummary.html)

    The report groups violations by severity. Each violation entry describes which rule wasn't met and the asset ID, taken from the Terraform plan, of the resource that violated the rule.

    • If the build failed, an error summary report
  3. Resolve any violations within your Terraform code before applying it.

What's next