檢視次數:

AWS Terraform 模板掃描範例。

範例範本

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }
  required_version = ">= 0.14.9"
}
provider "aws" {
  region = "us-east-2"
}
resource "aws_dynamodb_table" "dynamodb003S1" {
  name             = "mydynamodbtable"
  hash_key         = "TestTableHashKey"
  billing_mode     = "PAY_PER_REQUEST"
  stream_enabled   = true
  stream_view_type = "NEW_AND_OLD_IMAGES"
  attribute {
    name = "TestTableHashKey"
    type = "S"
  }
  server_side_encryption {
    enabled     = true
    kms_key_arn = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
  }
  point_in_time_recovery {
    enabled = true
  }
  tags = {
    Owner       = "Sample Team"
    Environment = "Test"
  }
}

範例 Terraform 計劃輸出

Terraform Plan 輸出用作中介,將您的 terraform 專案打包成一個由 Template Scanner API 可讀取的單一檔案。
{
  "format_version": "0.1",
  "terraform_version": "0.15.3",
  "planned_values": {
    "root_module": {
      "resources": [
        {
          "address": "aws_dynamodb_table.dynamodb003S1",
          "mode": "managed",
          "type": "aws_dynamodb_table",
          "name": "dynamodb003S1",
          "provider_name": "registry.terraform.io/hashicorp/aws",
          "schema_version": 1,
          "values": {
            "attribute": [{ "name": "TestTableHashKey", "type": "S" }],
            "billing_mode": "PAY_PER_REQUEST",
            "global_secondary_index": [],
            "hash_key": "TestTableHashKey",
            "local_secondary_index": [],
            "name": "mydynamodbtable",
            "point_in_time_recovery": [{ "enabled": true }],
            "range_key": null,
            "read_capacity": null,
            "replica": [],
            "server_side_encryption": [
              {
                "enabled": true,
                "kms_key_arn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
              }
            ],
            "stream_enabled": true,
            "stream_view_type": "NEW_AND_OLD_IMAGES",
            "tags": { "Environment": "test", "Owner": "Sample Team" },
            "tags_all": { "Environment": "test", "Owner": "Sample Team" },
            "timeouts": null,
            "ttl": [],
            "write_capacity": null
          }
        }
      ]
    }
  },
  "resource_changes": [
    {
      "address": "aws_dynamodb_table.dynamodb003S1",
      "mode": "managed",
      "type": "aws_dynamodb_table",
      "name": "dynamodb003S1",
      "provider_name": "registry.terraform.io/hashicorp/aws",
      "change": {
        "actions": ["create"],
        "before": null,
        "after": {
          "attribute": [{ "name": "TestTableHashKey", "type": "S" }],
          "billing_mode": "PAY_PER_REQUEST",
          "global_secondary_index": [],
          "hash_key": "TestTableHashKey",
          "local_secondary_index": [],
          "name": "mydynamodbtable",
          "point_in_time_recovery": [{ "enabled": true }],
          "range_key": null,
          "read_capacity": null,
          "replica": [],
          "server_side_encryption": [
            {
              "enabled": true,
              "kms_key_arn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
            }
          ],
          "stream_enabled": true,
          "stream_view_type": "NEW_AND_OLD_IMAGES",
          "tags": { "Environment": "test", "Owner": "Sample Team" },
          "tags_all": { "Environment": "test", "Owner": "Sample Team" },
          "timeouts": null,
          "ttl": [],
          "write_capacity": null
        },
        "after_unknown": {
          "arn": true,
          "attribute": [{}],
          "global_secondary_index": [],
          "id": true,
          "local_secondary_index": [],
          "point_in_time_recovery": [{}],
          "replica": [],
          "server_side_encryption": [{}],
          "stream_arn": true,
          "stream_label": true,
          "tags": {},
          "tags_all": {},
          "ttl": []
        },
        "before_sensitive": false,
        "after_sensitive": {
          "attribute": [{}],
          "global_secondary_index": [],
          "local_secondary_index": [],
          "point_in_time_recovery": [{}],
          "replica": [],
          "server_side_encryption": [{}],
          "tags": {},
          "tags_all": {},
          "ttl": []
        }
      }
    }
  ],
  "configuration": {
    "provider_config": {
      "aws": {
        "name": "aws",
        "version_constraint": "~\u003e 3.27",
        "expressions": { "region": { "constant_value": "us-east-2" } }
      }
    },
    "root_module": {
      "resources": [
        {
          "address": "aws_dynamodb_table.dynamodb003S1",
          "mode": "managed",
          "type": "aws_dynamodb_table",
          "name": "dynamodb003S1",
          "provider_config_key": "aws",
          "expressions": {
            "attribute": [
              {
                "name": { "constant_value": "TestTableHashKey" },
                "type": { "constant_value": "S" }
              }
            ],
            "billing_mode": { "constant_value": "PAY_PER_REQUEST" },
            "hash_key": { "constant_value": "TestTableHashKey" },
            "name": { "constant_value": "mydynamodbtable" },
            "point_in_time_recovery": [
              { "enabled": { "constant_value": true } }
            ],
            "server_side_encryption": [
              {
                "enabled": { "constant_value": true },
                "kms_key_arn": {
                  "constant_value": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
                }
              }
            ],
            "stream_enabled": { "constant_value": true },
            "stream_view_type": { "constant_value": "NEW_AND_OLD_IMAGES" },
            "tags": {
              "constant_value": {
                "Environment": "test",
                "Owner": "Sample Team"
              }
            }
          },
          "schema_version": 1
        }
      ]
    }
  }
}

範例掃瞄指令

以下的 bash 腳本將處理建立 terraform 計劃文件並調用模板掃描器 API。請在與您的 terraform 專案相同的目錄中運行腳本。
#!/usr/bin/env bash
# Scans a template file
# Requires "jq" (https://stedolan.github.io/jq/) to be installed

api_key="Your Trend Vision One API Key"
api_base_url="https://api.xdr.trendmicro.com"

terraform plan -out=outputfile

content=$(terraform show -json outputfile | jq '.' -MRs)
payload="{\"type\":\"terraform-template\",\"content\":${content}}"

echo Request:
echo ${payload} | jq '.' -M

echo Response:
curl -s -X POST \
     -H "Authorization: Bearer ${api_key}" \
     -H "Content-Type: application/json" \
     ${api_base_url}/beta/cloudPosture/scanTemplate \
     --data-binary "${payload}" | jq '.' -M

範例範本掃描器 API 輸出

{
  "scanResults": [
    {
      "id": "ccc:OrganisationId:RG-001:ResourceGroup:us-east-1:aws_dynamodb_table.dynamodb003S1",
      "accountId": "",
      "ruleId": "RG-001",
      "provider": "aws",
      "ruleTitle": "Tags",
      "riskLevel": "LOW",
      "status": "FAILURE",
      "service": "ResourceGroup",
      "description": "dynamodb-table aws_dynamodb_table.dynamodb003S1 has [Role, Name] tags missing",
      "resource": "aws_dynamodb_table.dynamodb003S1",
      "resourceType": "dynamodb-table",
      "ignored": false,
      "categories": [
        "security",
        "reliability",
        "performance-efficiency",
        "cost-optimisation",
        "operational-excellence",
        "sustainability"
      ],
      "compliances": [
        "AWAF",
        "CIS-V8",
        "NIST4",
        "NIST5",
        "SOC2",
        "NIST-CSF",
        "ISO27001",
        "ISO27001-2022",
        "AGISM",
        "HITRUST",
        "ASAE-3150",
        "PCI-V4",
        "FEDRAMP",
        "MAS",
        "CSA"
      ],
      "region": "us-east-1",
      "notScored": false,
      "resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/ResourceGroup/tags.html"
    },
    {
      "id": "ccc:OrganisationId:DynamoDB-003:DynamoDB:us-east-1:aws_dynamodb_table.dynamodb003S1",
      "accountId": "",
      "ruleId": "DynamoDB-003",
      "provider": "aws",
      "ruleTitle": "DynamoDB Continuous Backups",
      "riskLevel": "HIGH",
      "status": "SUCCESS",
      "service": "DynamoDB",
      "description": "Continuous Backups are enabled for [aws_dynamodb_table.dynamodb003S1]",
      "resource": "aws_dynamodb_table.dynamodb003S1",
      "resourceType": "dynamodb-table",
      "resourceId": "aws_dynamodb_table.dynamodb003S1",
      "ignored": false,
      "categories": ["reliability"],
      "compliances": [
        "AWAF",
        "CIS-V8",
        "NIST4",
        "NIST5",
        "SOC2",
        "NIST-CSF",
        "ISO27001",
        "ISO27001-2022",
        "AGISM",
        "HIPAA",
        "HITRUST",
        "ASAE-3150",
        "PCI",
        "PCI-V4",
        "APRA",
        "FEDRAMP",
        "MAS",
        "CSA",
        "ENISA",
        "FISC-V9"
      ],
      "region": "us-east-1",
      "tags": ["Environment::test", "Owner::automated-tests"],
      "notScored": false,
      "resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/DynamoDB/continuous-backups.html"
    },
    {
      "id": "ccc:OrganisationId:DynamoDB-004:DynamoDB:us-east-1:dynamodb003S1",
      "accountId": "",
      "ruleId": "DynamoDB-004",
      "provider": "aws",
      "ruleTitle": "Enable Encryption at Rest with Amazon KMS Keys",
      "riskLevel": "HIGH",
      "status": "SUCCESS",
      "service": "DynamoDB",
      "description": "Table [dynamodb003S1] is encrypted at rest using the AWS managed key or Customer managed key",
      "resource": "dynamodb003S1",
      "resourceType": "dynamodb-table",
      "resourceId": "aws_dynamodb_table.dynamodb003S1",
      "ignored": false,
      "categories": ["security"],
      "compliances": [
        "GDPR",
        "AWAF",
        "CIS-V8",
        "NIST4",
        "NIST5",
        "SOC2",
        "NIST-CSF",
        "ISO27001",
        "ISO27001-2022",
        "AGISM",
        "HIPAA",
        "HITRUST",
        "ASAE-3150",
        "PCI",
        "PCI-V4",
        "APRA",
        "FEDRAMP",
        "MAS",
        "CSA",
        "ENISA",
        "FISC-V9",
        "LGPD"
      ],
      "region": "us-east-1",
      "tags": ["Environment::test", "Owner::automated-tests"],
      "notScored": false,
      "resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/DynamoDB/encrypted-with-cmk.html"
    }
  ],
  "missingParameters": [],
  "skippedRules": []
}