更新时间:2023-10-30 GMT+08:00
自定义合规规则包
如果您需要根据自身的需求创建自定义合规规则包,可以参考本节中的示例模板编写合规规则包模板文件,通过在创建合规规则包时选择“上传模板”或“OBS存储桶”的方式上传并使用。
概念介绍
Resource:Resource是模板中最重要的元素,通过关键字 "resource" 进行声明。当前"resource"中只支持"huaweicloud_rms_policy_assignment"一种资源,在其中指定具体的合规规则(支持预定义合规规则与自定义合规规则)的名称等配置信息。
变量:输入变量可以理解为模板的参数,通过关键字 "variable" 进行声明。通过定义输入变量,我们可以无需变更模板的源代码就能灵活修改配置。当没有变量时,不需要声明关键字 "variable" 。
Provider: Provider代表服务提供商,通过关键字 "terraform" 进行声明,详细定义请参见Provider。自定义合规规则包的格式为:
"terraform": {
"required_providers": {
"huaweicloud": {
"source": "huawei.com/provider/huaweicloud",
"version": "1.46.0"
}
}
}
其中version必须选择1.46.0或者更高的版本,支持的版本见支持Provider版本列表。
合规规则包示例文件: example-conformance-pack.tf.json
{
"resource": {
"huaweicloud_rms_policy_assignment": {
"AccessKeysRotated": {
"name": "access-keys-rotated",
"description": "An IAM users is noncompliant if the access keys have not been rotated for more than maxAccessKeyAge number of days.",
"policy_definition_id": "2a2938894ae786dc306a647a",
"period": "TwentyFour_Hours",
"parameters": {
"maxAccessKeyAge": "${jsonencode(var.maxAccessKeyAge)}"
}
},
"IamGroupHasUsersCheck": {
"name": "iam-group-has-users-check",
"description": "An IAM groups is noncompliant if it does not add any IAM user.",
"policy_definition_id": "f7dd9c02266297f6e8c8445e",
"policy_filter": {
"resource_provider": "iam",
"resource_type": "groups"
},
"parameters": {}
},
"IamPasswordPolicy": {
"name": "iam-password-policy",
"description": "An IAM users is noncompliant if password policy for IAM users matches the specified password strength.",
"policy_definition_id": "2d8d3502539a623ba1907644",
"policy_filter": {
"resource_provider": "iam",
"resource_type": "users"
},
"parameters": {
"pwdStrength": "${jsonencode(var.pwdStrength)}"
}
},
"IamRootAccessKeyCheck": {
"name": "iam-root-access-key-check",
"description": "An account is noncompliant if the the root iam user have active access key.",
"policy_definition_id": "66cac2ddc17b6a25ad077253",
"period": "TwentyFour_Hours",
"parameters": {}
},
"IamUserConsoleAndApiAccessAtCreation": {
"name": "iam-user-console-and-api-access-at-creation",
"description": "An IAM user with console access is noncompliant if access keys are setup during the initial user setup.",
"policy_definition_id": "a5f29eb45cddce8e6baa033d",
"policy_filter": {
"resource_provider": "iam",
"resource_type": "users"
},
"parameters": {}
},
"IamUserGroupMembershipCheck": {
"name": "iam-user-group-membership-check",
"description": "An IAM user is noncompliant if it does not belong to any IAM user group.",
"policy_definition_id": "846f5708463c1490c4eebd60",
"policy_filter": {
"resource_provider": "iam",
"resource_type": "users"
},
"parameters": {
"groupIds": "${jsonencode(var.groupIds)}"
}
},
"IamUserLastLoginCheck": {
"name": "iam-user-last-login-check",
"description": "An IAM user is noncompliant if it has never signed in within the allowed number of days.",
"policy_definition_id": "6e4bf7ee7053b683f28d7f57",
"period": "TwentyFour_Hours",
"parameters": {
"allowedInactivePeriod": "${jsonencode(var.allowedInactivePeriod)}"
}
},
"IamUserMfaEnabled": {
"name": "iam-user-mfa-enabled",
"description": "An IAM user is noncompliant if it does not have multi-factor authentication (MFA) enabled.",
"policy_definition_id": "b92372b5eb51330306cec9c2",
"policy_filter": {
"resource_provider": "iam",
"resource_type": "users"
},
"parameters": {}
},
"IamUserSingleAccessKey": {
"name": "iam-user-single-access-key",
"description": "An IAM user with console access is noncompliant if iam user have multiple active access keys.",
"policy_definition_id": "6deae3856c41b240b3c0bf8d",
"policy_filter": {
"resource_provider": "iam",
"resource_type": "users"
},
"parameters": {}
},
"MfaEnabledForIamConsoleAccess": {
"name": "mfa-enabled-for-iam-console-access",
"description": "An IAM user is noncompliant if it uses a console password and does not have multi-factor authentication (MFA) enabled.",
"policy_definition_id": "63f8301e47b122062a68b868",
"policy_filter": {
"resource_provider": "iam",
"resource_type": "users"
},
"parameters": {}
},
"RootAccountMfaEnabled": {
"name": "root-account-mfa-enabled",
"description": "An account is noncompliant if the the root iam user does not have multi-factor authentication (MFA) enabled.",
"policy_definition_id": "61d787a75cf7f5965da5d647",
"period": "TwentyFour_Hours",
"parameters": {}
}
}
},
"variable": {
"maxAccessKeyAge": {
"description": "The maximum number of days without rotation. ",
"type": "string",
"default": "90"
},
"pwdStrength": {
"description": "The requirements of password strength. The parameter value can only be 'Strong', 'Medium', or 'Low'.",
"type": "string",
"default": "Strong"
},
"groupIds": {
"description": "The list of allowed IAM group IDs. If the list is empty, all values are allowed.",
"type": "list(string)",
"default": []
},
"allowedInactivePeriod": {
"description": "Maximum number of days without login.",
"type": "number",
"default": 90
}
},
"terraform": {
"required_providers": {
"huaweicloud": {
"source": "huawei.com/provider/huaweicloud",
"version": "1.46.0"
}
}
}
}
合规规则包示例文件: example-conformance-pack-with-custom-policy.tf.json
{
"resource": {
"huaweicloud_rms_policy_assignment": {
"CustomPolicyAssignment": {
"name": "customPolicy${var.name_suffix}",
"description": "合规包自定义合规规则,所有资源都是不合规的",
"policy_filter": {
"resource_provider": "obs",
"resource_type": "buckets"
},
"parameters": {},
"custom_policy": {
"function_urn": "${var.function_urn}",
"auth_type": "agency",
"auth_value": {
"agency_name": "\"config_custom_policy_agency\""
}
}
}
}
},
"variable": {
"name_suffix": {
"description": "",
"type": "string"
},
"function_urn": {
"description": "",
"type": "string"
}
},
"terraform": {
"required_providers": {
"huaweicloud": {
"source": "huawei.com/provider/huaweicloud",
"version": "1.46.0"
}
}
}
}
父主题: 合规规则包
