自定义合规规则包
如果您需要根据自身的需求创建自定义合规规则包,可以参考本节中的示例模板编写合规规则包模板文件,通过在创建合规规则包时选择“上传模板”或“OBS存储桶”的方式上传并使用。
概念介绍
Resource:Resource是模板中最重要的元素,通过关键字 "resource" 进行声明。当前"resource"中只支持"huaweicloud_rms_policy_assignment"一种资源,在其中指定具体的合规规则(支持预定义合规规则与自定义合规规则)的名称等配置信息。
变量:输入变量可以理解为模板的参数,通过关键字 "variable" 进行声明。通过定义输入变量,我们可以无需变更模板的源代码就能灵活修改配置。当没有变量时,不需要声明关键字 "variable" 。
Provider: Provider代表服务提供商,通过关键字 "terraform" 进行声明,详细定义请参见Provider。自定义合规规则包的格式为:
"terraform": { "required_providers": { "huaweicloud": { "source": "huawei.com/provider/huaweicloud", "version": "1.46.0" } } }
其中version必须选择1.46.0或者更高的版本,支持的版本见支持Provider版本列表。
合规规则包示例文件: example-conformance-pack.tf.json
{ "resource": { "huaweicloud_rms_policy_assignment": { "AccessKeysRotated": { "name": "access-keys-rotated", "description": "An IAM users is noncompliant if the access keys have not been rotated for more than maxAccessKeyAge number of days.", "policy_definition_id": "2a2938894ae786dc306a647a", "period": "TwentyFour_Hours", "parameters": { "maxAccessKeyAge": "${jsonencode(var.maxAccessKeyAge)}" } }, "IamGroupHasUsersCheck": { "name": "iam-group-has-users-check", "description": "An IAM groups is noncompliant if it does not add any IAM user.", "policy_definition_id": "f7dd9c02266297f6e8c8445e", "policy_filter": { "resource_provider": "iam", "resource_type": "groups" }, "parameters": {} }, "IamPasswordPolicy": { "name": "iam-password-policy", "description": "An IAM users is noncompliant if password policy for IAM users matches the specified password strength.", "policy_definition_id": "2d8d3502539a623ba1907644", "policy_filter": { "resource_provider": "iam", "resource_type": "users" }, "parameters": { "pwdStrength": "${jsonencode(var.pwdStrength)}" } }, "IamRootAccessKeyCheck": { "name": "iam-root-access-key-check", "description": "An account is noncompliant if the the root iam user have active access key.", "policy_definition_id": "66cac2ddc17b6a25ad077253", "period": "TwentyFour_Hours", "parameters": {} }, "IamUserConsoleAndApiAccessAtCreation": { "name": "iam-user-console-and-api-access-at-creation", "description": "An IAM user with console access is noncompliant if access keys are setup during the initial user setup.", "policy_definition_id": "a5f29eb45cddce8e6baa033d", "policy_filter": { "resource_provider": "iam", "resource_type": "users" }, "parameters": {} }, "IamUserGroupMembershipCheck": { "name": "iam-user-group-membership-check", "description": "An IAM user is noncompliant if it does not belong to any IAM user group.", "policy_definition_id": "846f5708463c1490c4eebd60", "policy_filter": { "resource_provider": "iam", "resource_type": "users" }, "parameters": { "groupIds": "${jsonencode(var.groupIds)}" } }, "IamUserLastLoginCheck": { "name": "iam-user-last-login-check", "description": "An IAM user is noncompliant if it has never signed in within the allowed number of days.", "policy_definition_id": "6e4bf7ee7053b683f28d7f57", "period": "TwentyFour_Hours", "parameters": { "allowedInactivePeriod": "${jsonencode(var.allowedInactivePeriod)}" } }, "IamUserMfaEnabled": { "name": "iam-user-mfa-enabled", "description": "An IAM user is noncompliant if it does not have multi-factor authentication (MFA) enabled.", "policy_definition_id": "b92372b5eb51330306cec9c2", "policy_filter": { "resource_provider": "iam", "resource_type": "users" }, "parameters": {} }, "IamUserSingleAccessKey": { "name": "iam-user-single-access-key", "description": "An IAM user with console access is noncompliant if iam user have multiple active access keys.", "policy_definition_id": "6deae3856c41b240b3c0bf8d", "policy_filter": { "resource_provider": "iam", "resource_type": "users" }, "parameters": {} }, "MfaEnabledForIamConsoleAccess": { "name": "mfa-enabled-for-iam-console-access", "description": "An IAM user is noncompliant if it uses a console password and does not have multi-factor authentication (MFA) enabled.", "policy_definition_id": "63f8301e47b122062a68b868", "policy_filter": { "resource_provider": "iam", "resource_type": "users" }, "parameters": {} }, "RootAccountMfaEnabled": { "name": "root-account-mfa-enabled", "description": "An account is noncompliant if the the root iam user does not have multi-factor authentication (MFA) enabled.", "policy_definition_id": "61d787a75cf7f5965da5d647", "period": "TwentyFour_Hours", "parameters": {} } } }, "variable": { "maxAccessKeyAge": { "description": "The maximum number of days without rotation. ", "type": "string", "default": "90" }, "pwdStrength": { "description": "The requirements of password strength. The parameter value can only be 'Strong', 'Medium', or 'Low'.", "type": "string", "default": "Strong" }, "groupIds": { "description": "The list of allowed IAM group IDs. If the list is empty, all values are allowed.", "type": "list(string)", "default": [] }, "allowedInactivePeriod": { "description": "Maximum number of days without login.", "type": "number", "default": 90 } }, "terraform": { "required_providers": { "huaweicloud": { "source": "huawei.com/provider/huaweicloud", "version": "1.46.0" } } } }
合规规则包示例文件: example-conformance-pack-with-custom-policy.tf.json
{ "resource": { "huaweicloud_rms_policy_assignment": { "CustomPolicyAssignment": { "name": "customPolicy${var.name_suffix}", "description": "合规包自定义合规规则,所有资源都是不合规的", "policy_filter": { "resource_provider": "obs", "resource_type": "buckets" }, "parameters": {}, "custom_policy": { "function_urn": "${var.function_urn}", "auth_type": "agency", "auth_value": { "agency_name": "\"config_custom_policy_agency\"" } } } } }, "variable": { "name_suffix": { "description": "", "type": "string" }, "function_urn": { "description": "", "type": "string" } }, "terraform": { "required_providers": { "huaweicloud": { "source": "huawei.com/provider/huaweicloud", "version": "1.46.0" } } } }