Membuat contoh laporan validasi IaC


Tutorial ini menjelaskan cara memverifikasi bahwa infrastruktur sebagai kode (IaC) tidak melanggar kebijakan organisasi atau pendeteksi Security Health Analytics.

Tujuan

  • Buat postur keamanan.
  • Men-deploy postur di project.
  • Periksa contoh file Terraform untuk menemukan pelanggaran.
  • Perbaiki pelanggaran dalam file Terraform, lalu periksa file lagi untuk memverifikasi perbaikan.

Sebelum memulai

Siapkan izin

  1. Make sure that you have the following role or roles on the organization: Project Creator and Security Posture Admin

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.

      Go to IAM
    2. Select the organization.
    3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

    4. For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.

      Buka IAM
    2. Pilih organisasi.
    3. Klik Berikan akses.
    4. Di kolom New principals, masukkan ID pengguna Anda. Ini biasanya adalah alamat email untuk Akun Google.

    5. Di daftar Pilih peran, pilih peran.
    6. Untuk memberikan peran tambahan, klik Tambahkan peran lain, lalu tambahkan setiap peran tambahan.
    7. Klik Simpan.

    Menyiapkan Cloud Shell

    1. In the Google Cloud console, activate Cloud Shell.

      Activate Cloud Shell

      At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

    2. Temukan ID organisasi Anda:
      gcloud organizations list

Menyiapkan lingkungan

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. Install the Google Cloud CLI.
  3. To initialize the gcloud CLI, run the following command:

    gcloud init
  4. Create or select a Google Cloud project.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  5. Make sure that billing is enabled for your Google Cloud project.

  6. Enable the Security posture service and Security Command Center management APIs:

    gcloud services enable securityposture.googleapis.com  securitycentermanagement.googleapis.com
  7. Install the Google Cloud CLI.
  8. To initialize the gcloud CLI, run the following command:

    gcloud init
  9. Create or select a Google Cloud project.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  10. Make sure that billing is enabled for your Google Cloud project.

  11. Enable the Security posture service and Security Command Center management APIs:

    gcloud services enable securityposture.googleapis.com  securitycentermanagement.googleapis.com
  12. Salin nomor project. Anda memerlukan nomor project untuk menetapkan resource target saat men-deploy postur.
    gcloud projects describe PROJECT_ID
  13. Lakukan inisialisasi Terraform:
    terraform init

Membuat dan men-deploy postur

  1. Di Cloud Shell, luncurkan Cloud Shell Editor. Untuk meluncurkan editor, klik Tombol Editor Kode Buka Editor di toolbar jendela Cloud Shell.

  2. Buat file YAML bernama example-standard.yaml.

  3. Tempelkan kode berikut ke dalam file Anda:

name: organizations/ORGANIZATION_ID/locations/global/postures/example-standard
state: ACTIVE
policySets:
- policies:
  - constraint:
      orgPolicyConstraintCustom:
        customConstraint:
          actionType: ALLOW
          condition: "resource.initialNodeCount == 3"
          description: Set initial node count to be exactly 3.
          displayName: fixedNodeCount
          methodTypes:
          - CREATE
          name: organizations/ORGANIZATION_ID/customConstraints/custom.fixedNodeCount
          resourceTypes:
          - container.googleapis.com/NodePool
        policyRules:
        - enforce: true
    policyId: fixedNodeCount
  - constraint:
      securityHealthAnalyticsCustomModule:
        config:
          customOutput: {}
          description: Set MTU for a network to be exactly 1000.
          predicate:
            expression: "!(resource.mtu == 1000)"
          recommendation: Only create networks whose MTU is 1000.
          resourceSelector:
            resourceTypes:
            - compute.googleapis.com/Network
          severity: HIGH
        displayName: fixedMTU
        moduleEnablementState: ENABLED
    policyId: fixedMTU
  - constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BUCKET_POLICY_ONLY_DISABLED
    policyId: bucket_policy_only_disabled
  - constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BUCKET_LOGGING_DISABLED
    policyId: bucket_logging_disabled
  policySetId: policySet1

Ganti ORGANIZATION_ID dengan ID organisasi Anda.

  1. Di Cloud Shell, buat postur:

    gcloud scc postures create organizations/ORGANIZATION_ID/locations/global/postures/example-standard --posture-from-file=example-standard.yaml
    
  2. Salin ID revisi postur yang dihasilkan perintah.

  3. Deploy postur ke project Anda:

    gcloud scc posture-deployments create organizations/ORGANIZATION_ID/locations/global/postureDeployments/example-standard \
    --posture-name=organizations/ORGANIZATION_ID/locations/global/postures/example-standard \
    --posture-revision-id="POSTURE_REVISION_ID" \
    --target-resource=projects/PROJECT_NUMBER
    

    Ganti kode berikut:

    • ORGANIZATION_ID: ID organisasi Anda.
    • POSTURE REVISION_ID: ID revisi postur yang Anda salin.
    • PROJECT_NUMBER: nomor project Anda.

Membuat file Terraform dan memvalidasinya

  1. Di Cloud Shell, luncurkan Cloud Shell Editor.

  2. Buat file Terraform bernama main.tf.

  3. Tempelkan kode berikut ke dalam file Anda:

    terraform {
      required_providers {
        google = {
          source  = "hashicorp/google"
        }
      }
    }
    
    provider "google" {
      region  = "us-central1"
      zone    = "us-central1-c"
    }
    
    resource "google_compute_network" "example_network"{
      name                            = "example-network-1"
      delete_default_routes_on_create = false
      auto_create_subnetworks         = false
      routing_mode                    = "REGIONAL"
      mtu                             = 100
      project                         = "PROJECT_ID"
    }
    
    resource "google_container_node_pool" "example_node_pool" {
      name               = "example-node-pool-1"
      cluster            = "example-cluster-1"
      project            = "PROJECT_ID"
      initial_node_count = 2
    
      node_config {
        preemptible  = true
        machine_type = "e2-medium"
      }
    }
    
    resource "google_storage_bucket" "example_bucket" {
      name          = "example-bucket-1"
      location      = "EU"
      force_destroy = true
    
      project = "PROJECT_ID"
    
      uniform_bucket_level_access = false
    }
    

    Ganti PROJECT_ID dengan project ID project yang Anda buat.

  4. Di Cloud Shell, buat file rencana Terraform dan konversikan ke format JSON:

    terraform plan -out main.plan
    terraform show -json main.plan > mainplan.json
    
  5. Buat laporan validasi IaC untuk mainplan.json:

    gcloud scc iac-validation-reports create organizations/ORGANIZATION_ID/locations/global --tf-plan-file=mainplan.json
    

    Perintah ini menampilkan laporan validasi IaC yang menjelaskan pelanggaran berikut:

    • mtu untuk example_network bukan 1.000.
    • initial_node_count untuk example_node_pool bukan 3.
    • example_bucket tidak mengaktifkan akses level bucket yang seragam.
    • example_bucket tidak mengaktifkan logging.

Menyelesaikan pelanggaran

  1. Di Cloud Shell, luncurkan Cloud Shell Editor.

  2. Perbarui file main.tf dengan perubahan berikut:

    terraform {
      required_providers {
        google = {
          source  = "hashicorp/google"
        }
      }
    }
    
    provider "google" {
      region  = "us-central1"
      zone    = "us-central1-c"
    }
    
    resource "google_compute_network" "example_network"{
      name                            = "example-network-1"
      delete_default_routes_on_create = false
      auto_create_subnetworks         = false
      routing_mode                    = "REGIONAL"
      mtu                             = 1000
      project                         = "PROJECT_ID"
    }
    
    resource "google_container_node_pool" "example_node_pool" {
      name               = "example-node-pool-1"
      cluster            = "example-cluster-1"
      project            = "PROJECT_ID"
      initial_node_count = 3
    
      node_config {
        preemptible  = true
        machine_type = "e2-medium"
      }
    }
    
    resource "google_storage_bucket" "example_bucket" {
      name          = "example-bucket-1"
      location      = "EU"
      force_destroy = true
    
      project = "PROJECT_ID"
      uniform_bucket_level_access = true
    
      logging {
        log_bucket   = "my-unique-logging-bucket" // Create a separate bucket for logs
        log_object_prefix = "tf-logs/"             // Optional prefix for better structure
      }
    }
    

    Ganti PROJECT_ID dengan project ID project yang Anda buat.

  3. Di Cloud Shell, buat file rencana Terraform dan konversikan ke format JSON:

    terraform plan -out main.plan
    terraform show -json main.plan > mainplan.json
    
  4. Buat ulang laporan validasi IaC untuk mainplan.json:

    gcloud scc iac-validation-reports create organizations/ORGANIZATION_ID/locations/global --tf-plan-file=mainplan.json
    

Pembersihan

Agar tidak perlu membayar biaya pada akun Google Cloud Anda untuk resource yang digunakan dalam tutorial ini, hapus project yang berisi resource tersebut, atau simpan project dan hapus setiap resource.

Menghapus project

    Delete a Google Cloud project:

    gcloud projects delete PROJECT_ID

Langkah selanjutnya