Esta página foi traduzida pela API Cloud Translation.

Crie um relatório de validação de IaC de amostra

Este tutorial descreve como pode verificar se a sua infraestrutura como código (IaC) não viola as políticas da organização nem os detetores do Security Health Analytics.

Prepare o ambiente

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

Install the Google Cloud CLI.

Se estiver a usar um fornecedor de identidade (IdP) externo, tem primeiro de iniciar sessão na CLI gcloud com a sua identidade federada.

Para inicializar a CLI gcloud, execute o seguinte comando:

gcloud init

Create or select a Google Cloud project.

Roles required to select or create a project

Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
Create a project: To create a project, you need the Project Creator (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

Create a Google Cloud project:
```
gcloud projects create PROJECT_ID
```
Replace PROJECT_ID with a name for the Google Cloud project you are creating.
Select the Google Cloud project that you created:
```
gcloud config set project PROJECT_ID
```
Replace PROJECT_ID with your Google Cloud project name.

Verify that billing is enabled for your Google Cloud project.

Enable the Security posture service and Security Command Center management APIs:

Roles required to enable APIs

To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

gcloud services enable securityposture.googleapis.com  securitycentermanagement.googleapis.com

Install the Google Cloud CLI.

Se estiver a usar um fornecedor de identidade (IdP) externo, tem primeiro de iniciar sessão na CLI gcloud com a sua identidade federada.

Para inicializar a CLI gcloud, execute o seguinte comando:

gcloud init

Create or select a Google Cloud project.

Roles required to select or create a project

Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
Create a project: To create a project, you need the Project Creator (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

Create a Google Cloud project:
```
gcloud projects create PROJECT_ID
```
Replace PROJECT_ID with a name for the Google Cloud project you are creating.
Select the Google Cloud project that you created:
```
gcloud config set project PROJECT_ID
```
Replace PROJECT_ID with your Google Cloud project name.

Verify that billing is enabled for your Google Cloud project.

Enable the Security posture service and Security Command Center management APIs:

Roles required to enable APIs

To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

gcloud services enable securityposture.googleapis.com  securitycentermanagement.googleapis.com

Copie o número do projeto. Precisa do número do projeto para definir o recurso de destino ao implementar a postura.
```
gcloud projects describe PROJECT_ID
```
Inicialize o Terraform:
```
terraform init
```

Crie e implemente uma postura

No Cloud Shell, inicie o editor do Cloud Shell. Para iniciar o editor, clique em Abrir editor na barra de ferramentas da janela do Cloud Shell.
Crie um ficheiro YAML com o nome example-standard.yaml.
Cole o seguinte código no ficheiro:

name: organizations/ORGANIZATION_ID/locations/global/postures/example-standard
state: ACTIVE
policySets:
- policies:
  - constraint:
      orgPolicyConstraintCustom:
        customConstraint:
          actionType: ALLOW
          condition: "resource.initialNodeCount == 3"
          description: Set initial node count to be exactly 3.
          displayName: fixedNodeCount
          methodTypes:
          - CREATE
          name: organizations/ORGANIZATION_ID/customConstraints/custom.fixedNodeCount
          resourceTypes:
          - container.googleapis.com/NodePool
        policyRules:
        - enforce: true
    policyId: fixedNodeCount
  - constraint:
      securityHealthAnalyticsCustomModule:
        config:
          customOutput: {}
          description: Set MTU for a network to be exactly 1000.
          predicate:
            expression: "!(resource.mtu == 1000)"
          recommendation: Only create networks whose MTU is 1000.
          resourceSelector:
            resourceTypes:
            - compute.googleapis.com/Network
          severity: HIGH
        displayName: fixedMTU
        moduleEnablementState: ENABLED
    policyId: fixedMTU
  - constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BUCKET_POLICY_ONLY_DISABLED
    policyId: bucket_policy_only_disabled
  - constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BUCKET_LOGGING_DISABLED
    policyId: bucket_logging_disabled
  policySetId: policySet1

Substitua ORGANIZATION_ID pelo ID da sua organização.

No Cloud Shell, crie a postura:

gcloud scc postures create organizations/ORGANIZATION_ID/locations/global/postures/example-standard --posture-from-file=example-standard.yaml

Copie o ID de revisão da postura que o comando gera.

Implemente a postura no seu projeto:

gcloud scc posture-deployments create organizations/ORGANIZATION_ID/locations/global/postureDeployments/example-standard \
--posture-name=organizations/ORGANIZATION_ID/locations/global/postures/example-standard \
--posture-revision-id="POSTURE_REVISION_ID" \
--target-resource=projects/PROJECT_NUMBER

Substitua o seguinte:

ORGANIZATION_ID: o ID da sua organização.
POSTURE REVISION_ID: o ID de revisão da sua postura que copiou.
PROJECT_NUMBER: o número do seu projeto.

Crie o ficheiro Terraform e valide-o

No Cloud Shell, inicie o editor do Cloud Shell.
Crie um ficheiro do Terraform denominado main.tf.

Cole o seguinte código no ficheiro:

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
    }
  }
}

provider "google" {
  region  = "us-central1"
  zone    = "us-central1-c"
}

resource "google_compute_network" "example_network"{
  name                            = "example-network-1"
  delete_default_routes_on_create = false
  auto_create_subnetworks         = false
  routing_mode                    = "REGIONAL"
  mtu                             = 100
  project                         = "PROJECT_ID"
}

resource "google_container_node_pool" "example_node_pool" {
  name               = "example-node-pool-1"
  cluster            = "example-cluster-1"
  project            = "PROJECT_ID"
  initial_node_count = 2

  node_config {
    preemptible  = true
    machine_type = "e2-medium"
  }
}

resource "google_storage_bucket" "example_bucket" {
  name          = "example-bucket-1"
  location      = "EU"
  force_destroy = true

  project = "PROJECT_ID"

  uniform_bucket_level_access = false
}

Substitua PROJECT_ID pelo ID do projeto que criou.

No Cloud Shell, crie o ficheiro de plano do Terraform e converta-o para o formato JSON:
```
terraform plan -out main.plan
terraform show -json main.plan > mainplan.json
```
Crie o relatório de validação de IaC para mainplan.json:
```
gcloud scc iac-validation-reports create organizations/ORGANIZATION_ID/locations/global --tf-plan-file=mainplan.json
```
Este comando devolve um relatório de validação de IaC que descreve as seguintes violações:
- O valor mtu para example_network não é 1000.
- O valor initial_node_count para example_node_pool não é 3.
- O example_bucket não tem o acesso ao nível do contentor uniforme ativado.
- O example_bucket não tem o registo ativado.

Resolva violações

No Cloud Shell, inicie o editor do Cloud Shell.

Atualize o ficheiro main.tf com as seguintes alterações:

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
    }
  }
}

provider "google" {
  region  = "us-central1"
  zone    = "us-central1-c"
}

resource "google_compute_network" "example_network"{
  name                            = "example-network-1"
  delete_default_routes_on_create = false
  auto_create_subnetworks         = false
  routing_mode                    = "REGIONAL"
  mtu                             = 1000
  project                         = "PROJECT_ID"
}

resource "google_container_node_pool" "example_node_pool" {
  name               = "example-node-pool-1"
  cluster            = "example-cluster-1"
  project            = "PROJECT_ID"
  initial_node_count = 3

  node_config {
    preemptible  = true
    machine_type = "e2-medium"
  }
}

resource "google_storage_bucket" "example_bucket" {
  name          = "example-bucket-1"
  location      = "EU"
  force_destroy = true

  project = "PROJECT_ID"
  uniform_bucket_level_access = true

  logging {
    log_bucket   = "my-unique-logging-bucket" // Create a separate bucket for logs
    log_object_prefix = "tf-logs/"             // Optional prefix for better structure
  }
}

Substitua PROJECT_ID pelo ID do projeto do projeto que criou.

No Cloud Shell, crie o ficheiro de plano do Terraform e converta-o para o formato JSON:
```
terraform plan -out main.plan
terraform show -json main.plan > mainplan.json
```

Recrie o relatório de validação de IaC para mainplan.json:

gcloud scc iac-validation-reports create organizations/ORGANIZATION_ID/locations/global --tf-plan-file=mainplan.json