Updated on 2024-05-16 GMT+08:00

Custom Conformance Packages

If you need to create a custom conformance package, you can write a package template based on the sample template provided in this section. Then you can upload the template directly or through an OBS bucket when creating a conformance package.

Template Sections

resource: the most important section of a template. Currently, only the huaweicloud_rms_policy_assignment resource (covering both predefined rules and custom rules) is supported. In this section, you specify the name and other information about each rule.

variable: Specifies the parameters included in a template. By defining parameters in the variable section, you can modify related configurations without altering the template source code. If there are no parameters, this section does not need to be declared.

terraform: Specifies the service providers. For details, see Provider. The following example shows the format of this section:

"terraform": {
    "required_providers": {
        "huaweicloud": {
            "source": "huawei.com/provider/huaweicloud",
            "version": "1.46.0"
        }
    }
}

The version must be 1.46.0 or later. For details about the supported versions, see Supported Provider Versions.

Conformance package sample file: example-conformance-pack.tf.json

{
  "resource": {
    "huaweicloud_rms_policy_assignment": {
      "AccessKeysRotated": {
        "name": "access-keys-rotated",
        "description": "An IAM user is noncompliant if its access keys have not been rotated for more than maxAccessKeyAge days.",
        "policy_definition_id": "2a2938894ae786dc306a647a",
        "period": "TwentyFour_Hours",
        "parameters": {
          "maxAccessKeyAge": "${jsonencode(var.maxAccessKeyAge)}"
        }
      },
      "IamGroupHasUsersCheck": {
        "name": "iam-group-has-users-check",
        "description": "An IAM group is noncompliant if it does not contain any IAM user.",
        "policy_definition_id": "f7dd9c02266297f6e8c8445e",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "groups"
        },
        "parameters": {}
      },
      "IamPasswordPolicy": {
        "name": "iam-password-policy",
        "description": "An IAM user is noncompliant if the password policy for IAM users matches the specified password strength.",
        "policy_definition_id": "2d8d3502539a623ba1907644",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {
          "pwdStrength": "${jsonencode(var.pwdStrength)}"
        }
      },
      "IamRootAccessKeyCheck": {
        "name": "iam-root-access-key-check",
        "description": "An account is noncompliant if the root IAM user has an active access key.",
        "policy_definition_id": "66cac2ddc17b6a25ad077253",
        "period": "TwentyFour_Hours",
        "parameters": {}
      },
      "IamUserConsoleAndApiAccessAtCreation": {
        "name": "iam-user-console-and-api-access-at-creation",
        "description": "An IAM user with console access is noncompliant if access keys are setup during the initial user setup.",
        "policy_definition_id": "a5f29eb45cddce8e6baa033d",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {}
      },
      "IamUserGroupMembershipCheck": {
        "name": "iam-user-group-membership-check",
        "description": "An IAM user is noncompliant if it does not belong to any IAM user group.",
        "policy_definition_id": "846f5708463c1490c4eebd60",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {
          "groupIds": "${jsonencode(var.groupIds)}"
        }
      },
      "IamUserLastLoginCheck": {
        "name": "iam-user-last-login-check",
        "description": "An IAM user is noncompliant if it has never signed in within the allowed number of days.",
        "policy_definition_id": "6e4bf7ee7053b683f28d7f57",
        "period": "TwentyFour_Hours",
        "parameters": {
          "allowedInactivePeriod": "${jsonencode(var.allowedInactivePeriod)}"
        }
      },
      "IamUserMfaEnabled": {
        "name": "iam-user-mfa-enabled",
        "description": "An IAM user is noncompliant if it does not have multi-factor authentication (MFA) enabled.",
        "policy_definition_id": "b92372b5eb51330306cec9c2",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {}
      },
      "IamUserSingleAccessKey": {
        "name": "iam-user-single-access-key",
        "description": "An IAM user with console access is noncompliant if it has multiple active access keys.",
        "policy_definition_id": "6deae3856c41b240b3c0bf8d",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {}
      },
      "MfaEnabledForIamConsoleAccess": {
        "name": "mfa-enabled-for-iam-console-access",
        "description": "An IAM user is noncompliant if it uses a console password and does not have multi-factor authentication (MFA) enabled.",
        "policy_definition_id": "63f8301e47b122062a68b868",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {}
      },
      "RootAccountMfaEnabled": {
        "name": "root-account-mfa-enabled",
        "description": "An account is noncompliant if the root IAM user does not have multi-factor authentication (MFA) enabled.",
        "policy_definition_id": "61d787a75cf7f5965da5d647",
        "period": "TwentyFour_Hours",
        "parameters": {}
      }
    }
  },
  "variable": {
    "maxAccessKeyAge": {
      "description": "The maximum number of days without rotation. ",
      "type": "string",
      "default": "90"
    },
    "pwdStrength": {
      "description": "The requirements of password strength. The parameter value can only be 'Strong', 'Medium', or 'Low'.",
      "type": "string",
      "default": "Strong"
    },
    "groupIds": {
      "description": "The list of allowed IAM group IDs. If the list is empty, all values are allowed.",
      "type": "list(string)",
      "default": []
    },
    "allowedInactivePeriod": {
      "description": "Maximum number of days without login.",
      "type": "number",
      "default": 90
    }
  },
  "terraform": {
    "required_providers": {
      "huaweicloud": {
        "source": "huawei.com/provider/huaweicloud",
        "version": "1.46.0"
      }
    }
  }
}

Conformance package sample file: example-conformance-pack-with-custom-policy.tf.json

{
    "resource": {
        "huaweicloud_rms_policy_assignment": {
            "CustomPolicyAssignment": {
                "name": "customPolicy${var.name_suffix}",
                "description": "Custom rules. All resources are non-compliant.",
                "policy_filter": {
                    "resource_provider": "obs",
                    "resource_type": "buckets"
                },
                "parameters": {},
                "custom_policy": {
                    "function_urn": "${var.function_urn}",
                    "auth_type": "agency",
                    "auth_value": {
                        "agency_name": "\"config_custom_policy_agency\""
                    }
                }
            }
        }
    },
    "variable": {
        "name_suffix": {
            "description": "",
            "type": "string"
        },
        "function_urn": {
            "description": "",
            "type": "string"
        }
    },
    "terraform": {
        "required_providers": {
            "huaweicloud": {
                "source": "huawei.com/provider/huaweicloud",
                "version": "1.46.0"
            }
        }
    }
}