AWS Terraform 模板掃描範例。
範例範本
terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 3.27" } } required_version = ">= 0.14.9" } provider "aws" { region = "us-east-2" } resource "aws_dynamodb_table" "dynamodb003S1" { name = "mydynamodbtable" hash_key = "TestTableHashKey" billing_mode = "PAY_PER_REQUEST" stream_enabled = true stream_view_type = "NEW_AND_OLD_IMAGES" attribute { name = "TestTableHashKey" type = "S" } server_side_encryption { enabled = true kms_key_arn = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234" } point_in_time_recovery { enabled = true } tags = { Owner = "Sample Team" Environment = "Test" } }
範例 Terraform 計劃輸出
Terraform Plan 輸出用作中介,將您的 terraform 專案打包成一個由 Template Scanner API 可讀取的單一檔案。
{ "format_version": "0.1", "terraform_version": "0.15.3", "planned_values": { "root_module": { "resources": [ { "address": "aws_dynamodb_table.dynamodb003S1", "mode": "managed", "type": "aws_dynamodb_table", "name": "dynamodb003S1", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 1, "values": { "attribute": [{ "name": "TestTableHashKey", "type": "S" }], "billing_mode": "PAY_PER_REQUEST", "global_secondary_index": [], "hash_key": "TestTableHashKey", "local_secondary_index": [], "name": "mydynamodbtable", "point_in_time_recovery": [{ "enabled": true }], "range_key": null, "read_capacity": null, "replica": [], "server_side_encryption": [ { "enabled": true, "kms_key_arn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234" } ], "stream_enabled": true, "stream_view_type": "NEW_AND_OLD_IMAGES", "tags": { "Environment": "test", "Owner": "Sample Team" }, "tags_all": { "Environment": "test", "Owner": "Sample Team" }, "timeouts": null, "ttl": [], "write_capacity": null } } ] } }, "resource_changes": [ { "address": "aws_dynamodb_table.dynamodb003S1", "mode": "managed", "type": "aws_dynamodb_table", "name": "dynamodb003S1", "provider_name": "registry.terraform.io/hashicorp/aws", "change": { "actions": ["create"], "before": null, "after": { "attribute": [{ "name": "TestTableHashKey", "type": "S" }], "billing_mode": "PAY_PER_REQUEST", "global_secondary_index": [], "hash_key": "TestTableHashKey", "local_secondary_index": [], "name": "mydynamodbtable", "point_in_time_recovery": [{ "enabled": true }], "range_key": null, "read_capacity": null, "replica": [], "server_side_encryption": [ { "enabled": true, "kms_key_arn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234" } ], "stream_enabled": true, "stream_view_type": "NEW_AND_OLD_IMAGES", "tags": { "Environment": "test", "Owner": "Sample Team" }, "tags_all": { "Environment": "test", "Owner": "Sample Team" }, "timeouts": null, "ttl": [], "write_capacity": null }, "after_unknown": { "arn": true, "attribute": [{}], "global_secondary_index": [], "id": true, "local_secondary_index": [], "point_in_time_recovery": [{}], "replica": [], "server_side_encryption": [{}], "stream_arn": true, "stream_label": true, "tags": {}, "tags_all": {}, "ttl": [] }, "before_sensitive": false, "after_sensitive": { "attribute": [{}], "global_secondary_index": [], "local_secondary_index": [], "point_in_time_recovery": [{}], "replica": [], "server_side_encryption": [{}], "tags": {}, "tags_all": {}, "ttl": [] } } } ], "configuration": { "provider_config": { "aws": { "name": "aws", "version_constraint": "~\u003e 3.27", "expressions": { "region": { "constant_value": "us-east-2" } } } }, "root_module": { "resources": [ { "address": "aws_dynamodb_table.dynamodb003S1", "mode": "managed", "type": "aws_dynamodb_table", "name": "dynamodb003S1", "provider_config_key": "aws", "expressions": { "attribute": [ { "name": { "constant_value": "TestTableHashKey" }, "type": { "constant_value": "S" } } ], "billing_mode": { "constant_value": "PAY_PER_REQUEST" }, "hash_key": { "constant_value": "TestTableHashKey" }, "name": { "constant_value": "mydynamodbtable" }, "point_in_time_recovery": [ { "enabled": { "constant_value": true } } ], "server_side_encryption": [ { "enabled": { "constant_value": true }, "kms_key_arn": { "constant_value": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234" } } ], "stream_enabled": { "constant_value": true }, "stream_view_type": { "constant_value": "NEW_AND_OLD_IMAGES" }, "tags": { "constant_value": { "Environment": "test", "Owner": "Sample Team" } } }, "schema_version": 1 } ] } } }
範例掃瞄指令
以下的 bash 腳本將處理建立 terraform 計劃文件並調用模板掃描器 API。請在與您的 terraform 專案相同的目錄中運行腳本。
#!/usr/bin/env bash # Scans a template file # Requires "jq" (https://stedolan.github.io/jq/) to be installed api_key="Your Trend Vision One API Key" api_base_url="https://api.xdr.trendmicro.com" terraform plan -out=outputfile content=$(terraform show -json outputfile | jq '.' -MRs) payload="{\"type\":\"terraform-template\",\"content\":${content}}" echo Request: echo ${payload} | jq '.' -M echo Response: curl -s -X POST \ -H "Authorization: Bearer ${api_key}" \ -H "Content-Type: application/json" \ ${api_base_url}/beta/cloudPosture/scanTemplate \ --data-binary "${payload}" | jq '.' -M
範例範本掃描器 API 輸出
{ "scanResults": [ { "id": "ccc:OrganisationId:RG-001:ResourceGroup:us-east-1:aws_dynamodb_table.dynamodb003S1", "accountId": "", "ruleId": "RG-001", "provider": "aws", "ruleTitle": "Tags", "riskLevel": "LOW", "status": "FAILURE", "service": "ResourceGroup", "description": "dynamodb-table aws_dynamodb_table.dynamodb003S1 has [Role, Name] tags missing", "resource": "aws_dynamodb_table.dynamodb003S1", "resourceType": "dynamodb-table", "ignored": false, "categories": [ "security", "reliability", "performance-efficiency", "cost-optimisation", "operational-excellence", "sustainability" ], "compliances": [ "AWAF", "CIS-V8", "NIST4", "NIST5", "SOC2", "NIST-CSF", "ISO27001", "ISO27001-2022", "AGISM", "HITRUST", "ASAE-3150", "PCI-V4", "FEDRAMP", "MAS", "CSA" ], "region": "us-east-1", "notScored": false, "resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/ResourceGroup/tags.html" }, { "id": "ccc:OrganisationId:DynamoDB-003:DynamoDB:us-east-1:aws_dynamodb_table.dynamodb003S1", "accountId": "", "ruleId": "DynamoDB-003", "provider": "aws", "ruleTitle": "DynamoDB Continuous Backups", "riskLevel": "HIGH", "status": "SUCCESS", "service": "DynamoDB", "description": "Continuous Backups are enabled for [aws_dynamodb_table.dynamodb003S1]", "resource": "aws_dynamodb_table.dynamodb003S1", "resourceType": "dynamodb-table", "resourceId": "aws_dynamodb_table.dynamodb003S1", "ignored": false, "categories": ["reliability"], "compliances": [ "AWAF", "CIS-V8", "NIST4", "NIST5", "SOC2", "NIST-CSF", "ISO27001", "ISO27001-2022", "AGISM", "HIPAA", "HITRUST", "ASAE-3150", "PCI", "PCI-V4", "APRA", "FEDRAMP", "MAS", "CSA", "ENISA", "FISC-V9" ], "region": "us-east-1", "tags": ["Environment::test", "Owner::automated-tests"], "notScored": false, "resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/DynamoDB/continuous-backups.html" }, { "id": "ccc:OrganisationId:DynamoDB-004:DynamoDB:us-east-1:dynamodb003S1", "accountId": "", "ruleId": "DynamoDB-004", "provider": "aws", "ruleTitle": "Enable Encryption at Rest with Amazon KMS Keys", "riskLevel": "HIGH", "status": "SUCCESS", "service": "DynamoDB", "description": "Table [dynamodb003S1] is encrypted at rest using the AWS managed key or Customer managed key", "resource": "dynamodb003S1", "resourceType": "dynamodb-table", "resourceId": "aws_dynamodb_table.dynamodb003S1", "ignored": false, "categories": ["security"], "compliances": [ "GDPR", "AWAF", "CIS-V8", "NIST4", "NIST5", "SOC2", "NIST-CSF", "ISO27001", "ISO27001-2022", "AGISM", "HIPAA", "HITRUST", "ASAE-3150", "PCI", "PCI-V4", "APRA", "FEDRAMP", "MAS", "CSA", "ENISA", "FISC-V9", "LGPD" ], "region": "us-east-1", "tags": ["Environment::test", "Owner::automated-tests"], "notScored": false, "resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/DynamoDB/encrypted-with-cmk.html" } ], "missingParameters": [], "skippedRules": [] }