更新时间:2023-10-30 GMT+08:00

自定义合规规则包

如果您需要根据自身的需求创建自定义合规规则包,可以参考本节中的示例模板编写合规规则包模板文件,通过在创建合规规则包时选择“上传模板”或“OBS存储桶”的方式上传并使用。模板决定了账号中将部署哪些合规规则,以及自定义规则所调用的函数和委托,请将其视为特权配置:限制对存放模板的OBS存储桶的写权限,并在上传前审阅模板内容。

概念介绍

Resource:Resource是模板中最重要的元素,通过关键字 "resource" 进行声明。当前"resource"中只支持"huaweicloud_rms_policy_assignment"一种资源,在其中指定具体的合规规则(支持预定义合规规则与自定义合规规则)的名称等配置信息。

变量:输入变量可以理解为模板的参数,通过关键字 "variable" 进行声明。通过定义输入变量,我们可以无需变更模板的源代码就能灵活修改配置。未设置 "default" 的变量在创建合规规则包时必须显式提供取值。当没有变量时,不需要声明关键字 "variable" 。

Provider: Provider代表服务提供商,通过关键字 "terraform" 进行声明,详细定义请参见Provider。自定义合规规则包的格式为:

"terraform": {
    "required_providers": {
        "huaweicloud": {
            "source": "huawei.com/provider/huaweicloud",
            "version": "1.46.0"
        }
    }
}

其中version必须选择1.46.0或者更高且受支持的版本,支持的版本见支持Provider版本列表。注意示例中的 "1.46.0" 是精确版本号,将只使用该版本的Provider。

合规规则包示例文件: example-conformance-pack.tf.json

{
  "resource": {
    "huaweicloud_rms_policy_assignment": {
      "AccessKeysRotated": {
        "name": "access-keys-rotated",
        "description": "An IAM user is noncompliant if its access keys have not been rotated within the last maxAccessKeyAge days.",
        "policy_definition_id": "2a2938894ae786dc306a647a",
        "period": "TwentyFour_Hours",
        "parameters": {
          "maxAccessKeyAge": "${jsonencode(var.maxAccessKeyAge)}"
        }
      },
      "IamGroupHasUsersCheck": {
        "name": "iam-group-has-users-check",
        "description": "An IAM group is noncompliant if it does not contain any IAM user.",
        "policy_definition_id": "f7dd9c02266297f6e8c8445e",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "groups"
        },
        "parameters": {}
      },
      "IamPasswordPolicy": {
        "name": "iam-password-policy",
        "description": "An IAM user is noncompliant if the IAM user password policy does not meet the password strength specified by pwdStrength.",
        "policy_definition_id": "2d8d3502539a623ba1907644",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {
          "pwdStrength": "${jsonencode(var.pwdStrength)}"
        }
      },
      "IamRootAccessKeyCheck": {
        "name": "iam-root-access-key-check",
        "description": "An account is noncompliant if the root IAM user has an active access key.",
        "policy_definition_id": "66cac2ddc17b6a25ad077253",
        "period": "TwentyFour_Hours",
        "parameters": {}
      },
      "IamUserConsoleAndApiAccessAtCreation": {
        "name": "iam-user-console-and-api-access-at-creation",
        "description": "An IAM user with console access is noncompliant if access keys are created during the initial user setup.",
        "policy_definition_id": "a5f29eb45cddce8e6baa033d",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {}
      },
      "IamUserGroupMembershipCheck": {
        "name": "iam-user-group-membership-check",
        "description": "An IAM user is noncompliant if it does not belong to any IAM user group.",
        "policy_definition_id": "846f5708463c1490c4eebd60",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {
          "groupIds": "${jsonencode(var.groupIds)}"
        }
      },
      "IamUserLastLoginCheck": {
        "name": "iam-user-last-login-check",
        "description": "An IAM user is noncompliant if it has not signed in within the allowed number of days (allowedInactivePeriod).",
        "policy_definition_id": "6e4bf7ee7053b683f28d7f57",
        "period": "TwentyFour_Hours",
        "parameters": {
          "allowedInactivePeriod": "${jsonencode(var.allowedInactivePeriod)}"
        }
      },
      "IamUserMfaEnabled": {
        "name": "iam-user-mfa-enabled",
        "description": "An IAM user is noncompliant if it does not have multi-factor authentication (MFA) enabled.",
        "policy_definition_id": "b92372b5eb51330306cec9c2",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {}
      },
      "IamUserSingleAccessKey": {
        "name": "iam-user-single-access-key",
        "description": "An IAM user with console access is noncompliant if it has multiple active access keys.",
        "policy_definition_id": "6deae3856c41b240b3c0bf8d",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {}
      },
      "MfaEnabledForIamConsoleAccess": {
        "name": "mfa-enabled-for-iam-console-access",
        "description": "An IAM user is noncompliant if it uses a console password and does not have multi-factor authentication (MFA) enabled.",
        "policy_definition_id": "63f8301e47b122062a68b868",
        "policy_filter": {
          "resource_provider": "iam",
          "resource_type": "users"
        },
        "parameters": {}
      },
      "RootAccountMfaEnabled": {
        "name": "root-account-mfa-enabled",
        "description": "An account is noncompliant if the root IAM user does not have multi-factor authentication (MFA) enabled.",
        "policy_definition_id": "61d787a75cf7f5965da5d647",
        "period": "TwentyFour_Hours",
        "parameters": {}
      }
    }
  },
  "variable": {
    "maxAccessKeyAge": {
      "description": "The maximum number of days without rotation.",
      "type": "string",
      "default": "90"
    },
    "pwdStrength": {
      "description": "The requirements of password strength. The parameter value can only be 'Strong', 'Medium', or 'Low'.",
      "type": "string",
      "default": "Strong"
    },
    "groupIds": {
      "description": "The list of allowed IAM group IDs. If the list is empty, all values are allowed.",
      "type": "list(string)",
      "default": []
    },
    "allowedInactivePeriod": {
      "description": "Maximum number of days without login.",
      "type": "number",
      "default": 90
    }
  },
  "terraform": {
    "required_providers": {
      "huaweicloud": {
        "source": "huawei.com/provider/huaweicloud",
        "version": "1.46.0"
      }
    }
  }
}

合规规则包示例文件: example-conformance-pack-with-custom-policy.tf.json

该示例中的自定义规则通过 "custom_policy" 调用 "function_urn" 指定的函数,并以 "auth_type": "agency" 使用 "agency_name" 中的委托进行鉴权。请确保该委托仅被授予调用目标函数所需的最小权限,并核对委托名称与实际创建的委托一致。示例中 "agency_name" 的取值写作带转义引号的JSON字符串,与第一个示例中通过 "${jsonencode(...)}" 传入参数的格式一致,请保持该形式。

{
    "resource": {
        "huaweicloud_rms_policy_assignment": {
            "CustomPolicyAssignment": {
                "name": "customPolicy${var.name_suffix}",
                "description": "合规包自定义合规规则,所有资源都是不合规的",
                "policy_filter": {
                    "resource_provider": "obs",
                    "resource_type": "buckets"
                },
                "parameters": {},
                "custom_policy": {
                    "function_urn": "${var.function_urn}",
                    "auth_type": "agency",
                    "auth_value": {
                        "agency_name": "\"config_custom_policy_agency\""
                    }
                }
            }
        }
    },
    "variable": {
        "name_suffix": {
            "description": "Suffix appended to the policy assignment name customPolicy. No default; must be provided when the conformance pack is created.",
            "type": "string"
        },
        "function_urn": {
            "description": "URN of the function invoked by the custom policy. No default; must be provided when the conformance pack is created.",
            "type": "string"
        }
    },
    "terraform": {
        "required_providers": {
            "huaweicloud": {
                "source": "huawei.com/provider/huaweicloud",
                "version": "1.46.0"
            }
        }
    }
}