AWS Terraformテンプレートスキャンの例。
テンプレートの例
# Version pins for the example.
# "~> 3.27" keeps the AWS provider on the 3.x series (>= 3.27, < 4.0); the
# resource arguments used below are written for that series.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }
  required_version = ">= 0.14.9"
}
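# Region the table is created in.
# It has to be the region of the KMS key referenced from the table's
# server_side_encryption block: DynamoDB only accepts a customer managed key
# from the table's own region, and the example key ARN is in us-east-1, so
# the previous value ("us-east-2") would be rejected at apply time. No
# credentials are configured here; they come from the environment.
provider "aws" {
  region = "us-east-1"
}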
# DynamoDB table the scan example is built around: on-demand capacity,
# streams, encryption with a customer managed KMS key and point-in-time
# recovery. The tag set has no Name or Role tag, which is what the RG-001
# finding in the sample Template Scanner output below reports.
resource "aws_dynamodb_table" "dynamodb003S1" {
  name         = "mydynamodbtable"
  hash_key     = "TestTableHashKey"
  billing_mode = "PAY_PER_REQUEST"

  # NEW_AND_OLD_IMAGES writes the full before and after item to the stream,
  # so read access to the stream is effectively read access to item contents;
  # scope permissions on the stream ARN accordingly.
  stream_enabled   = true
  stream_view_type = "NEW_AND_OLD_IMAGES"

  attribute {
    name = "TestTableHashKey"
    type = "S"
  }

  # Encryption at rest with a customer managed key (rule DynamoDB-004 below).
  # The key must be in the same region as the table (this ARN is in
  # us-east-1) and its key policy must allow DynamoDB to use it; the account
  # and key IDs here are placeholders to replace.
  server_side_encryption {
    enabled     = true
    kms_key_arn = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
  }

  # Continuous backups (rule DynamoDB-003 below).
  point_in_time_recovery {
    enabled = true
  }

  # NOTE(review): the sample plan and scan output below show
  # Environment = "test"; tag values are case-sensitive, so keep the template
  # and the expected output in step.
  tags = {
    Owner       = "Sample Team"
    Environment = "Test"
  }
}
Terraformプランの出力例
Terraform Planの出力（`terraform show -json` が生成するJSON）は、TerraformプロジェクトをTemplate Scanner APIで読み取り可能な単一のファイルにまとめるための中間形式として使用されます。このJSONには計画されたすべてのリソースの値が含まれ、`after_sensitive` で機密とマークされた値も平文のまま含まれる場合があるため、プランファイルとAPIに送信するリクエスト本文は機密情報として扱い、リポジトリにコミットしたり第三者と共有したりしないでください。
{
"format_version": "0.1",
"terraform_version": "0.15.3",
"planned_values": {
"root_module": {
"resources": [
{
"address": "aws_dynamodb_table.dynamodb003S1",
"mode": "managed",
"type": "aws_dynamodb_table",
"name": "dynamodb003S1",
"provider_name": "registry.terraform.io/hashicorp/aws",
"schema_version": 1,
"values": {
"attribute": [{ "name": "TestTableHashKey", "type": "S" }],
"billing_mode": "PAY_PER_REQUEST",
"global_secondary_index": [],
"hash_key": "TestTableHashKey",
"local_secondary_index": [],
"name": "mydynamodbtable",
"point_in_time_recovery": [{ "enabled": true }],
"range_key": null,
"read_capacity": null,
"replica": [],
"server_side_encryption": [
{
"enabled": true,
"kms_key_arn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
}
],
"stream_enabled": true,
"stream_view_type": "NEW_AND_OLD_IMAGES",
"tags": { "Environment": "test", "Owner": "Sample Team" },
"tags_all": { "Environment": "test", "Owner": "Sample Team" },
"timeouts": null,
"ttl": [],
"write_capacity": null
}
}
]
}
},
"resource_changes": [
{
"address": "aws_dynamodb_table.dynamodb003S1",
"mode": "managed",
"type": "aws_dynamodb_table",
"name": "dynamodb003S1",
"provider_name": "registry.terraform.io/hashicorp/aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"attribute": [{ "name": "TestTableHashKey", "type": "S" }],
"billing_mode": "PAY_PER_REQUEST",
"global_secondary_index": [],
"hash_key": "TestTableHashKey",
"local_secondary_index": [],
"name": "mydynamodbtable",
"point_in_time_recovery": [{ "enabled": true }],
"range_key": null,
"read_capacity": null,
"replica": [],
"server_side_encryption": [
{
"enabled": true,
"kms_key_arn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
}
],
"stream_enabled": true,
"stream_view_type": "NEW_AND_OLD_IMAGES",
"tags": { "Environment": "test", "Owner": "Sample Team" },
"tags_all": { "Environment": "test", "Owner": "Sample Team" },
"timeouts": null,
"ttl": [],
"write_capacity": null
},
"after_unknown": {
"arn": true,
"attribute": [{}],
"global_secondary_index": [],
"id": true,
"local_secondary_index": [],
"point_in_time_recovery": [{}],
"replica": [],
"server_side_encryption": [{}],
"stream_arn": true,
"stream_label": true,
"tags": {},
"tags_all": {},
"ttl": []
},
"before_sensitive": false,
"after_sensitive": {
"attribute": [{}],
"global_secondary_index": [],
"local_secondary_index": [],
"point_in_time_recovery": [{}],
"replica": [],
"server_side_encryption": [{}],
"tags": {},
"tags_all": {},
"ttl": []
}
}
}
],
"configuration": {
"provider_config": {
"aws": {
"name": "aws",
"version_constraint": "~\u003e 3.27",
"expressions": { "region": { "constant_value": "us-east-2" } }
}
},
"root_module": {
"resources": [
{
"address": "aws_dynamodb_table.dynamodb003S1",
"mode": "managed",
"type": "aws_dynamodb_table",
"name": "dynamodb003S1",
"provider_config_key": "aws",
"expressions": {
"attribute": [
{
"name": { "constant_value": "TestTableHashKey" },
"type": { "constant_value": "S" }
}
],
"billing_mode": { "constant_value": "PAY_PER_REQUEST" },
"hash_key": { "constant_value": "TestTableHashKey" },
"name": { "constant_value": "mydynamodbtable" },
"point_in_time_recovery": [
{ "enabled": { "constant_value": true } }
],
"server_side_encryption": [
{
"enabled": { "constant_value": true },
"kms_key_arn": {
"constant_value": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
}
}
],
"stream_enabled": { "constant_value": true },
"stream_view_type": { "constant_value": "NEW_AND_OLD_IMAGES" },
"tags": {
"constant_value": {
"Environment": "test",
"Owner": "Sample Team"
}
}
},
"schema_version": 1
}
]
}
}
}
スキャンコマンドの例
次のbashスクリプトは、Terraformプランファイルの作成とTemplate Scanner APIの呼び出しを行います。`terraform init` を実行済みのTerraformプロジェクトのディレクトリでスクリプトを実行してください（`terraform plan` の実行にはAWSの認証情報が必要です）。スクリプト内のAPIキーは機密情報です。プレースホルダーを実際のキーに置き換えたファイルをリポジトリにコミットしないでください。
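#!/usr/bin/env bash
# Scans a Terraform project with the Template Scanner API.
# Run it from the directory that holds the Terraform project ("terraform init"
# must already have succeeded there).
# Requires "jq" (https://stedolan.github.io/jq/) and "curl" to be installed.

# Abort on the first failing command, on unset variables and on failures
# inside pipelines, so a failed "terraform plan" is never posted to the API.
set -euo pipefail

# Read the API key from the environment instead of hard-coding it, so the
# script can be committed and shared without the key going with it.
api_key="${TREND_VISION_ONE_API_KEY:?set TREND_VISION_ONE_API_KEY to your Trend Vision One API key}"
api_base_url="https://api.xdr.trendmicro.com"

# The binary plan is only an intermediate artefact. Keep it in a private
# temporary directory that is removed on exit (including on error), so the
# plan — which contains every planned value — is not left in the working tree.
work_dir="$(mktemp -d)"
trap 'rm -rf "${work_dir}"' EXIT
plan_file="${work_dir}/plan.tfplan"

terraform plan -out="${plan_file}"

# Build the request body with jq rather than splicing a string into a
# hand-written object. -R -s read the whole "terraform show" output as one
# raw string, which becomes the "content" field; jq does all the escaping.
payload="$(terraform show -json "${plan_file}" \
  | jq -cMRs --arg type "terraform-template" '{type: $type, content: .}')"

echo Request:
# Quoted expansion via printf: an unquoted "echo $payload" would word-split
# and glob-expand the body.
printf '%s\n' "${payload}" | jq '.' -M

echo Response:
# Send the body on stdin (--data-binary @-) instead of as an argument: a large
# project's plan can exceed the argument-length limit, and argv is readable by
# other local users through "ps". -S prints curl errors even in silent mode.
# NOTE(review): the Authorization header is still passed as an argument and is
# visible the same way; on shared hosts move it into a curl config file
# (curl -K) readable only by the invoking user.
printf '%s' "${payload}" \
  | curl -sS -X POST \
      -H "Authorization: Bearer ${api_key}" \
      -H "Content-Type: application/json" \
      "${api_base_url}/beta/cloudPosture/scanTemplate" \
      --data-binary @- \
  | jq '.' -M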
Template Scanner APIの出力例
{
"scanResults": [
{
"id": "ccc:OrganisationId:RG-001:ResourceGroup:us-east-1:aws_dynamodb_table.dynamodb003S1",
"accountId": "",
"ruleId": "RG-001",
"provider": "aws",
"ruleTitle": "Tags",
"riskLevel": "LOW",
"status": "FAILURE",
"service": "ResourceGroup",
"description": "dynamodb-table aws_dynamodb_table.dynamodb003S1 has [Role, Name] tags missing",
"resource": "aws_dynamodb_table.dynamodb003S1",
"resourceType": "dynamodb-table",
"ignored": false,
"categories": [
"security",
"reliability",
"performance-efficiency",
"cost-optimisation",
"operational-excellence",
"sustainability"
],
"compliances": [
"AWAF",
"CIS-V8",
"NIST4",
"NIST5",
"SOC2",
"NIST-CSF",
"ISO27001",
"ISO27001-2022",
"AGISM",
"HITRUST",
"ASAE-3150",
"PCI-V4",
"FEDRAMP",
"MAS",
"CSA"
],
"region": "us-east-1",
"notScored": false,
"resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/ResourceGroup/tags.html"
},
{
"id": "ccc:OrganisationId:DynamoDB-003:DynamoDB:us-east-1:aws_dynamodb_table.dynamodb003S1",
"accountId": "",
"ruleId": "DynamoDB-003",
"provider": "aws",
"ruleTitle": "DynamoDB Continuous Backups",
"riskLevel": "HIGH",
"status": "SUCCESS",
"service": "DynamoDB",
"description": "Continuous Backups are enabled for [aws_dynamodb_table.dynamodb003S1]",
"resource": "aws_dynamodb_table.dynamodb003S1",
"resourceType": "dynamodb-table",
"resourceId": "aws_dynamodb_table.dynamodb003S1",
"ignored": false,
"categories": ["reliability"],
"compliances": [
"AWAF",
"CIS-V8",
"NIST4",
"NIST5",
"SOC2",
"NIST-CSF",
"ISO27001",
"ISO27001-2022",
"AGISM",
"HIPAA",
"HITRUST",
"ASAE-3150",
"PCI",
"PCI-V4",
"APRA",
"FEDRAMP",
"MAS",
"CSA",
"ENISA",
"FISC-V9"
],
"region": "us-east-1",
"tags": ["Environment::test", "Owner::automated-tests"],
"notScored": false,
"resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/DynamoDB/continuous-backups.html"
},
{
"id": "ccc:OrganisationId:DynamoDB-004:DynamoDB:us-east-1:dynamodb003S1",
"accountId": "",
"ruleId": "DynamoDB-004",
"provider": "aws",
"ruleTitle": "Enable Encryption at Rest with Amazon KMS Keys",
"riskLevel": "HIGH",
"status": "SUCCESS",
"service": "DynamoDB",
"description": "Table [dynamodb003S1] is encrypted at rest using the AWS managed key or Customer managed key",
"resource": "dynamodb003S1",
"resourceType": "dynamodb-table",
"resourceId": "aws_dynamodb_table.dynamodb003S1",
"ignored": false,
"categories": ["security"],
"compliances": [
"GDPR",
"AWAF",
"CIS-V8",
"NIST4",
"NIST5",
"SOC2",
"NIST-CSF",
"ISO27001",
"ISO27001-2022",
"AGISM",
"HIPAA",
"HITRUST",
"ASAE-3150",
"PCI",
"PCI-V4",
"APRA",
"FEDRAMP",
"MAS",
"CSA",
"ENISA",
"FISC-V9",
"LGPD"
],
"region": "us-east-1",
"tags": ["Environment::test", "Owner::automated-tests"],
"notScored": false,
"resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/DynamoDB/encrypted-with-cmk.html"
}
],
"missingParameters": [],
"skippedRules": []
}
