
Custom Conformance Packages

If you need to create a custom conformance package, you can write a package template based on the example template provided in this section. Then you can upload the template directly or through an OBS bucket to create a conformance package.

If you want to use a template stored in your OBS bucket to create a conformance package, configure an appropriate IAM policy and an OBS bucket policy so that the service can read the template object. For more details, see the Object Storage Service User Guide and the Resource Formation Service User Guide.

Template Description

resource: The most important section in a template. Currently, only the huaweicloud_rms_policy_assignment resource type is supported. You can add both predefined rules and custom rules in the resource section.

variable: The parameters of a template. By defining variables, you can change the related configuration values without editing the template body. If there are no parameters, this section does not need to be declared.

terraform: The service provider. For details, see Provider. The following example shows the format of this section:

"terraform": {
    "required_providers": {
        "huaweicloud": {
            "source": "huawei.com/provider/huaweicloud",
            "version": "1.66.2"
        }
    }
}

The version must be 1.66.2 or later. For details about the supported versions, see Supported Provider Versions.

Example file: example-conformance-pack.tf.json

{
  "resource": {
    "huaweicloud_rms_policy_assignment": {
      "AccessKeysRotated": {
        "name": "access-keys-rotated",
        "description": "An IAM user is noncompliant if its access keys have not been rotated for more than maxAccessKeyAge days.",
        "policy_definition_id": "2a2938894ae786dc306a647a",
        "period": "TwentyFour_Hours",
        "parameters": {
          "maxAccessKeyAge": "${jsonencode(var.maxAccessKeyAge)}"
        }
      },
      "IamGroupHasUsersCheck": {
        "name": "iam-group-has-users-check",
        "description": "An IAM group is noncompliant if it does not contain any IAM user.",
        "policy_definition_id": "f7dd9c02266297f6e8c8445e",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "groups"
        },
        "parameters": {}
      },
      "IamPasswordPolicy": {
        "name": "iam-password-policy",
        "description": "An IAM user is noncompliant if the password policy for IAM users matches the specified password strength.",
        "policy_definition_id": "2d8d3502539a623ba1907644",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {
          "pwdStrength": "${jsonencode(var.pwdStrength)}"
        }
      },
      "IamRootAccessKeyCheck": {
        "name": "iam-root-access-key-check",
        "description": "An account is noncompliant if the root IAM user has an active access key.",
        "policy_definition_id": "66cac2ddc17b6a25ad077253",
        "period": "TwentyFour_Hours",
        "parameters": {}
      },
      "IamUserConsoleAndApiAccessAtCreation": {
        "name": "iam-user-console-and-api-access-at-creation",
        "description": "An IAM user with console access is noncompliant if access keys are set up during the initial user setup.",
        "policy_definition_id": "a5f29eb45cddce8e6baa033d",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {}
      },
      "IamUserGroupMembershipCheck": {
        "name": "iam-user-group-membership-check",
        "description": "An IAM user is noncompliant if it does not belong to any IAM user group.",
        "policy_definition_id": "846f5708463c1490c4eebd60",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {
          "groupIds": "${jsonencode(var.groupIds)}"
        }
      },
      "IamUserLastLoginCheck": {
        "name": "iam-user-last-login-check",
        "description": "An IAM user is noncompliant if it has not signed in within the allowed number of days.",
        "policy_definition_id": "6e4bf7ee7053b683f28d7f57",
        "period": "TwentyFour_Hours",
        "parameters": {
          "allowedInactivePeriod": "${jsonencode(var.allowedInactivePeriod)}"
        }
      },
      "IamUserMfaEnabled": {
        "name": "iam-user-mfa-enabled",
        "description": "An IAM user is noncompliant if it does not have multi-factor authentication (MFA) enabled.",
        "policy_definition_id": "b92372b5eb51330306cec9c2",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {}
      },
      "IamUserSingleAccessKey": {
        "name": "iam-user-single-access-key",
        "description": "An IAM user with console access is noncompliant if it has multiple active access keys.",
        "policy_definition_id": "6deae3856c41b240b3c0bf8d",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {}
      },
      "MfaEnabledForIamConsoleAccess": {
        "name": "mfa-enabled-for-iam-console-access",
        "description": "An IAM user is noncompliant if it uses a console password and does not have multi-factor authentication (MFA) enabled.",
        "policy_definition_id": "63f8301e47b122062a68b868",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {}
      },
      "RootAccountMfaEnabled": {
        "name": "root-account-mfa-enabled",
        "description": "An account is noncompliant if the root IAM user does not have multi-factor authentication (MFA) enabled.",
        "policy_definition_id": "61d787a75cf7f5965da5d647",
        "period": "TwentyFour_Hours",
        "parameters": {}
      }
    }
  },
  "variable": {
    "maxAccessKeyAge": {
      "description": "The maximum number of days without rotation.",
      "type": "string",
      "default": "90"
    },
    "pwdStrength": {
      "description": "The requirements of password strength. The parameter value can only be 'Strong', 'Medium', or 'Low'.",
      "type": "string",
      "default": "Strong"
    },
    "groupIds": {
      "description": "The list of allowed IAM group IDs. If the list is empty, all values are allowed.",
      "type": "list(string)",
      "default": []
    },
    "allowedInactivePeriod": {
      "description": "Maximum number of days without login.",
      "type": "number",
      "default": 90
    }
  },
  "terraform": {
    "required_providers": {
      "huaweicloud": {
        "source": "huawei.com/provider/huaweicloud",
        "version": "1.66.2"
      }
    }
  }
}

Example file: example-conformance-pack-with-custom-policy.tf.json

{
    "resource": {
        "huaweicloud_rms_policy_assignment": {
            "CustomPolicyAssignment": {
                "name": "customPolicy${var.name_suffix}",
                "description": "Custom rules. All resources are non-compliant.",
                "policy_filter": {
                    "resource_provider": "obs",
                    "resource_type": "buckets"
                },
                "parameters": {},
                "custom_policy": {
                    "function_urn": "${var.function_urn}",
                    "auth_type": "agency",
                    "auth_value": {
                        "agency_name": "\"config_custom_policy_agency\""
                    }
                }
            }
        }
    },
    "variable": {
        "name_suffix": {
            "description": "",
            "type": "string"
        },
        "function_urn": {
            "description": "",
            "type": "string"
        }
    },
    "terraform": {
        "required_providers": {
            "huaweicloud": {
                "source": "huawei.com/provider/huaweicloud",
                "version": "1.66.2"
            }
        }
    }
}