Help Center/ Config/ User Guide/ Conformance Packages/ Custom Conformance Packages

Updated on 2024-07-29 GMT+08:00

View PDF

Custom Conformance Packages

If you need to create a custom conformance package, you can write a package template based on the example template provided in this section. Then you can upload the template directly or through an OBS bucket to create a conformance package.

Template Description

resource: The most important section in a template. Currently, only the huaweicloud_rms_policy_assignment resource type is supported. You can add both predefined rules and custom rules in the resource section.

variable: The parameters included of a template. By defining variable, you can flexibly modify related configurations without altering the source code. If there are no parameters, this section does not need to be declared.

terraform: The service provider. For details see Provider. The following example shows the format of a template:

"terraform": {
    "required_providers": {
        "huaweicloud": {
            "source": "huawei.com/provider/huaweicloud",
            "version": "1.46.0"
        }
    }
}

The version must be 1.46.0 or later. For details about the supported versions, see Supported Provider Versions.

Example file: example-conformance-pack.tf.json

{
  "resource": {
    "huaweicloud_rms_policy_assignment": {
      "AccessKeysRotated": {
        "name": "access-keys-rotated",
        "description": "An IAM users is noncompliant if the access keys have not been rotated for more than maxAccessKeyAge number of days.",
        "policy_definition_id": "2a2938894ae786dc306a647a",
        "period": "TwentyFour_Hours",
        "parameters": {
          "maxAccessKeyAge": "${jsonencode(var.maxAccessKeyAge)}"
        }
      },
      "IamGroupHasUsersCheck": {
        "name": "iam-group-has-users-check",
        "description": "An IAM groups is noncompliant if it does not add any IAM user.",
        "policy_definition_id": "f7dd9c02266297f6e8c8445e",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "groups"
        },
        "parameters": {}
      },
      "IamPasswordPolicy": {
        "name": "iam-password-policy",
        "description": "An IAM users is noncompliant if password policy for IAM users matches the specified password strength.",
        "policy_definition_id": "2d8d3502539a623ba1907644",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {
          "pwdStrength": "${jsonencode(var.pwdStrength)}"
        }
      },
      "IamRootAccessKeyCheck": {
        "name": "iam-root-access-key-check",
        "description": "An account is noncompliant if the the root iam user have active access key.",
        "policy_definition_id": "66cac2ddc17b6a25ad077253",
        "period": "TwentyFour_Hours",
        "parameters": {}
      },
      "IamUserConsoleAndApiAccessAtCreation": {
        "name": "iam-user-console-and-api-access-at-creation",
        "description": "An IAM user with console access is noncompliant if access keys are setup during the initial user setup.",
        "policy_definition_id": "a5f29eb45cddce8e6baa033d",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {}
      },
      "IamUserGroupMembershipCheck": {
        "name": "iam-user-group-membership-check",
        "description": "An IAM user is noncompliant if it does not belong to any IAM user group.",
        "policy_definition_id": "846f5708463c1490c4eebd60",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {
          "groupIds": "${jsonencode(var.groupIds)}"
        }
      },
      "IamUserLastLoginCheck": {
        "name": "iam-user-last-login-check",
        "description": "An IAM user is noncompliant if it has never signed in within the allowed number of days.",
        "policy_definition_id": "6e4bf7ee7053b683f28d7f57",
        "period": "TwentyFour_Hours",
        "parameters": {
          "allowedInactivePeriod": "${jsonencode(var.allowedInactivePeriod)}"
        }
      },
      "IamUserMfaEnabled": {
        "name": "iam-user-mfa-enabled",
        "description": "An IAM user is noncompliant if it does not have multi-factor authentication (MFA) enabled.",
        "policy_definition_id": "b92372b5eb51330306cec9c2",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {}
      },
      "IamUserSingleAccessKey": {
        "name": "iam-user-single-access-key",
        "description": "An IAM user with console access is noncompliant if iam user have multiple active access keys.",
        "policy_definition_id": "6deae3856c41b240b3c0bf8d",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {}
      },
      "MfaEnabledForIamConsoleAccess": {
        "name": "mfa-enabled-for-iam-console-access",
        "description": "An IAM user is noncompliant if it uses a console password and does not have multi-factor authentication (MFA) enabled.",
        "policy_definition_id": "63f8301e47b122062a68b868",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {}
      },
      "RootAccountMfaEnabled": {
        "name": "root-account-mfa-enabled",
        "description": "An account is noncompliant if the the root iam user does not have multi-factor authentication (MFA) enabled.",
        "policy_definition_id": "61d787a75cf7f5965da5d647",
        "period": "TwentyFour_Hours",
        "parameters": {}
      }
    }
  },
  "variable": {
    "maxAccessKeyAge": {
      "description": "The maximum number of days without rotation. ",
      "type": "string",
      "default": "90"
    },
    "pwdStrength": {
      "description": "The requirements of password strength. The parameter value can only be 'Strong', 'Medium', or 'Low'.",
      "type": "string",
      "default": "Strong"
    },
    "groupIds": {
      "description": "The list of allowed IAM group IDs. If the list is empty, all values are allowed.",
      "type": "list(string)",
      "default": []
    },
    "allowedInactivePeriod": {
      "description": "Maximum number of days without login.",
      "type": "number",
      "default": 90
    }
  },
  "terraform": {
    "required_providers": {
      "huaweicloud": {
        "source": "huawei.com/provider/huaweicloud",
        "version": "1.46.0"
      }
    }
  }
}

Example file: example-conformance-pack-with-custom-policy.tf.json

{
    "resource": {
        "huaweicloud_rms_policy_assignment": {
            "CustomPolicyAssignment": {
                "name": "customPolicy${var.name_suffix}",
"description": Custom rules. All resources are non-compliant.
                "policy_filter": {
                    "resource_provider": "obs",
                    "resource_type": "buckets"
                },
                "parameters": {},
                "custom_policy": {
                    "function_urn": "${var.function_urn}",
                    "auth_type": "agency",
                    "auth_value": {
                        "agency_name": "\"config_custom_policy_agency\""
                    }
                }
            }
        }
    },
    "variable": {
        "name_suffix": {
            "description": "",
            "type": "string"
        },
        "function_urn": {
            "description": "",
            "type": "string"
        }
    },
    "terraform": {
        "required_providers": {
            "huaweicloud": {
                "source": "huawei.com/provider/huaweicloud",
                "version": "1.46.0"
            }
        }
    }
}

Parent topic: Conformance Packages

Previous topic: Deleting an Organization Conformance Package

Next topic: Conformance Package Templates