AWS Terraformの例
テンプレートの例
terraform {
  # Minimum Terraform CLI version this example was written against.
  required_version = ">= 0.14.9"

  # "~> 3.27" is the pessimistic constraint: any 3.x provider from 3.27 upward.
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }
}
# Single provider configuration; the only resource in this example has no
# provider override, so it is created in this region.
provider "aws" {
  region = "us-east-2"
}
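# Example DynamoDB table referenced by the plan and scan output on this page:
# on-demand billing, streams, KMS encryption and point-in-time recovery enabled.
resource "aws_dynamodb_table" "dynamodb003S1" {
  name         = "mydynamodbtable"
  hash_key     = "TestTableHashKey"
  billing_mode = "PAY_PER_REQUEST"

  # Streams carry both the old and the new item image.
  stream_enabled   = true
  stream_view_type = "NEW_AND_OLD_IMAGES"

  # Only the hash key attribute is declared; no range key or secondary indexes.
  attribute {
    name = "TestTableHashKey"
    type = "S"
  }

  # Encryption at rest with a customer-managed key; the account id and key id in
  # the ARN are sample placeholders. NOTE(review): KMS keys are regional -- this
  # ARN names us-east-1 while the provider above is configured for us-east-2, so
  # confirm the key's region matches the table's region before applying.
  server_side_encryption {
    enabled     = true
    kms_key_arn = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
  }

  # Continuous backups (PITR); this is what rule DynamoDB-003 in the scan output checks.
  point_in_time_recovery {
    enabled = true
  }

  # Tag values are lower-case to agree with the plan output and the scan result
  # ("Environment::test") further down this page. The RG-001 check reports the
  # Role and Name tags as missing.
  tags = {
    Owner       = "Sample Team"
    Environment = "test"
  }
}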
Terraform Planの出力例
Terraform Planの出力は、TerraformプロジェクトをTemplate Scanner APIで読み取り可能な単一のファイルにパッケージ化するための仲介として使用されます。
{
"format_version": "0.1",
"terraform_version": "0.15.3",
"planned_values": {
"root_module": {
"resources": [
{
"address": "aws_dynamodb_table.dynamodb003S1",
"mode": "managed",
"type": "aws_dynamodb_table",
"name": "dynamodb003S1",
"provider_name": "registry.terraform.io/hashicorp/aws",
"schema_version": 1,
"values": {
"attribute": [{ "name": "TestTableHashKey", "type": "S" }],
"billing_mode": "PAY_PER_REQUEST",
"global_secondary_index": [],
"hash_key": "TestTableHashKey",
"local_secondary_index": [],
"name": "mydynamodbtable",
"point_in_time_recovery": [{ "enabled": true }],
"range_key": null,
"read_capacity": null,
"replica": [],
"server_side_encryption": [
{
"enabled": true,
"kms_key_arn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
}
],
"stream_enabled": true,
"stream_view_type": "NEW_AND_OLD_IMAGES",
"tags": { "Environment": "test", "Owner": "Sample Team" },
"tags_all": { "Environment": "test", "Owner": "Sample Team" },
"timeouts": null,
"ttl": [],
"write_capacity": null
}
}
]
}
},
"resource_changes": [
{
"address": "aws_dynamodb_table.dynamodb003S1",
"mode": "managed",
"type": "aws_dynamodb_table",
"name": "dynamodb003S1",
"provider_name": "registry.terraform.io/hashicorp/aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"attribute": [{ "name": "TestTableHashKey", "type": "S" }],
"billing_mode": "PAY_PER_REQUEST",
"global_secondary_index": [],
"hash_key": "TestTableHashKey",
"local_secondary_index": [],
"name": "mydynamodbtable",
"point_in_time_recovery": [{ "enabled": true }],
"range_key": null,
"read_capacity": null,
"replica": [],
"server_side_encryption": [
{
"enabled": true,
"kms_key_arn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
}
],
"stream_enabled": true,
"stream_view_type": "NEW_AND_OLD_IMAGES",
"tags": { "Environment": "test", "Owner": "Sample Team" },
"tags_all": { "Environment": "test", "Owner": "Sample Team" },
"timeouts": null,
"ttl": [],
"write_capacity": null
},
"after_unknown": {
"arn": true,
"attribute": [{}],
"global_secondary_index": [],
"id": true,
"local_secondary_index": [],
"point_in_time_recovery": [{}],
"replica": [],
"server_side_encryption": [{}],
"stream_arn": true,
"stream_label": true,
"tags": {},
"tags_all": {},
"ttl": []
},
"before_sensitive": false,
"after_sensitive": {
"attribute": [{}],
"global_secondary_index": [],
"local_secondary_index": [],
"point_in_time_recovery": [{}],
"replica": [],
"server_side_encryption": [{}],
"tags": {},
"tags_all": {},
"ttl": []
}
}
}
],
"configuration": {
"provider_config": {
"aws": {
"name": "aws",
"version_constraint": "~\u003e 3.27",
"expressions": { "region": { "constant_value": "us-east-2" } }
}
},
"root_module": {
"resources": [
{
"address": "aws_dynamodb_table.dynamodb003S1",
"mode": "managed",
"type": "aws_dynamodb_table",
"name": "dynamodb003S1",
"provider_config_key": "aws",
"expressions": {
"attribute": [
{
"name": { "constant_value": "TestTableHashKey" },
"type": { "constant_value": "S" }
}
],
"billing_mode": { "constant_value": "PAY_PER_REQUEST" },
"hash_key": { "constant_value": "TestTableHashKey" },
"name": { "constant_value": "mydynamodbtable" },
"point_in_time_recovery": [
{ "enabled": { "constant_value": true } }
],
"server_side_encryption": [
{
"enabled": { "constant_value": true },
"kms_key_arn": {
"constant_value": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
}
}
],
"stream_enabled": { "constant_value": true },
"stream_view_type": { "constant_value": "NEW_AND_OLD_IMAGES" },
"tags": {
"constant_value": {
"Environment": "test",
"Owner": "Sample Team"
}
}
},
"schema_version": 1
}
]
}
}
}
スキャンコマンドの例
次のbashスクリプトは、Terraform Planファイルの作成とTemplate Scanner APIの呼び出しを処理します。Terraformプロジェクトと同じディレクトリでスクリプトを実行してください。
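#!/usr/bin/env bash
# Scans a template file
# Requires "jq" (https://stedolan.github.io/jq/) to be installed
# Run from the directory that holds the Terraform project.
#
# Stop on the first failing command (including a failing stage of a pipeline)
# so a broken plan is never sent to the API.
set -euo pipefail

# Read the key from the environment when it is set, so the script file itself
# does not have to carry it; the literal below is only a placeholder.
api_key="${API_KEY:-Your Trend API Key}"
api_base_url="https://conformity.us-1.cloudone.trendmicro.com/api"
plan_file="outputfile"

# Produce a binary plan, render it as JSON, then wrap that JSON as a single
# JSON string: -R -s reads the raw text whole and '.' re-emits it escaped,
# which is the form the "contents" attribute expects.
# The plan file stays on disk afterwards and can contain resource values.
terraform plan -out="${plan_file}"
contents=$(terraform show -json "${plan_file}" | jq '.' -MRs)
payload="{\"data\":{\"attributes\":{\"type\":\"terraform-template\",\"contents\":${contents}}}}"

echo Request:
# Quote the expansion: an unquoted ${payload} is word-split and glob-expanded,
# which can alter the encoded plan text before it reaches jq.
printf '%s\n' "${payload}" | jq '.' -M
echo Response:
# -S still reports transport errors while -s suppresses the progress meter.
curl -sS -X POST \
  -H "Authorization: ApiKey ${api_key}" \
  -H "Content-Type: application/vnd.api+json" \
  "${api_base_url}/template-scanner/scan" \
  --data-binary "${payload}" | jq '.' -M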
Template Scanner APIの出力例
{
"data": [
{
"type": "checks",
"id": "ccc:OrganisationId:RG-001:ResourceGroup:us-east-1:aws_dynamodb_table.dynamodb003S1",
"attributes": {
"region": "us-east-1",
"status": "FAILURE",
"risk-level": "LOW",
"pretty-risk-level": "Low",
"message": "dynamodb-table aws_dynamodb_table.dynamodb003S1 has [Role, Name] tags missing",
"resource": "aws_dynamodb_table.dynamodb003S1",
"descriptorType": "dynamodb-table",
"categories": [
"security",
"reliability",
"performance-efficiency",
"cost-optimisation",
"operational-excellence",
"sustainability"
],
"compliances": [
"AWAF",
"CIS-V8",
"NIST4",
"NIST5",
"SOC2",
"NIST-CSF",
"ISO27001",
"ISO27001-2022",
"AGISM",
"HITRUST",
"ASAE-3150",
"PCI-V4",
"FEDRAMP",
"MAS",
"CSA"
],
"extradata": [
{
"name": "DETAILED_STATUS",
"label": "Resource tags status for dynamodb-table aws_dynamodb_table.dynamodb003S1",
"value": "{\"service\":\"DynamoDB\",\"descriptorType\":\"dynamodb-table\",\"resourceName\":\"aws_dynamodb_table.dynamodb003S1\",\"tags\":[{\"key\":\"Environment\",\"hasValue\":true},{\"key\":\"Role\",\"hasValue\":false},{\"key\":\"Owner\",\"hasValue\":true},{\"key\":\"Name\",\"hasValue\":false}]}",
"type": "META",
"internal": true
}
],
"cost": 0,
"waste": 0,
"not-scored": false,
"ignored": false,
"rule-title": "Tags",
"provider": "aws",
"resolution-page-url": "https://www.cloudconformity.com/knowledge-base/aws/ResourceGroup/tags.html",
"service": "ResourceGroup"
},
"relationships": {
"rule": {
"data": {
"type": "rules",
"id": "RG-001"
}
},
"account": {
"data": null
}
}
},
{
"type": "checks",
"id": "ccc:OrganisationId:DynamoDB-003:DynamoDB:us-east-1:aws_dynamodb_table.dynamodb003S1",
"attributes": {
"region": "us-east-1",
"status": "SUCCESS",
"risk-level": "HIGH",
"pretty-risk-level": "High",
"message": "Continuous Backups are enabled for [aws_dynamodb_table.dynamodb003S1]",
"resource": "aws_dynamodb_table.dynamodb003S1",
"descriptorType": "dynamodb-table",
"categories": ["reliability"],
"compliances": [
"AWAF",
"CIS-V8",
"NIST4",
"NIST5",
"SOC2",
"NIST-CSF",
"ISO27001",
"ISO27001-2022",
"AGISM",
"HIPAA",
"HITRUST",
"ASAE-3150",
"PCI",
"PCI-V4",
"APRA",
"FEDRAMP",
"MAS",
"CSA",
"ENISA",
"FISC-V9"
],
"last-updated-date": null,
"extradata": [
{
"name": "EarliestRestorableDateTime",
"label": "Earliest Restorable DateTime",
"value": 1707793280148,
"type": "META"
},
{
"name": "LatestRestorableDateTime",
"label": "Latest Restorable DateTime",
"value": 1707793280148,
"type": "META"
}
],
"tags": ["Environment::test", "Owner::Sample Team"],
"cost": 0,
"waste": 0,
"not-scored": false,
"ignored": false,
"rule-title": "DynamoDB Continuous Backups",
"provider": "aws",
"resolution-page-url": "https://www.cloudconformity.com/knowledge-base/aws/DynamoDB/continuous-backups.html",
"service": "DynamoDB",
"logicalResourceId": "aws_dynamodb_table.dynamodb003S1"
},
"relationships": {
"rule": {
"data": {
"type": "rules",
"id": "DynamoDB-003"
}
},
"account": {
"data": null
}
}
},
{
"type": "checks",
"id": "ccc:OrganisationId:DynamoDB-004:DynamoDB:us-east-1:dynamodb003S1",
"attributes": {
"region": "us-east-1",
"status": "SUCCESS",
"risk-level": "HIGH",
"pretty-risk-level": "High",
"message": "Table [dynamodb003S1] is encrypted at rest using the AWS managed key or Customer managed key",
"resource": "dynamodb003S1",
"descriptorType": "dynamodb-table",
"categories": ["security"],
"compliances": [
"GDPR",
"AWAF",
"CIS-V8",
"NIST4",
"NIST5",
"SOC2",
"NIST-CSF",
"ISO27001",
"ISO27001-2022",
"AGISM",
"HIPAA",
"HITRUST",
"ASAE-3150",
"PCI",
"PCI-V4",
"APRA",
"FEDRAMP",
"MAS",
"CSA",
"ENISA",
"FISC-V9",
"LGPD"
],
"last-updated-date": null,
"tags": ["Environment::test", "Owner::Sample Team"],
"cost": 0,
"waste": 0,
"not-scored": false,
"ignored": false,
"rule-title": "Enable Encryption at Rest with Amazon KMS Keys",
"provider": "aws",
"resolution-page-url": "https://www.cloudconformity.com/knowledge-base/aws/DynamoDB/encrypted-with-cmk.html",
"service": "DynamoDB",
"logicalResourceId": "aws_dynamodb_table.dynamodb003S1"
},
"relationships": {
"rule": {
"data": {
"type": "rules",
"id": "DynamoDB-004"
}
},
"account": {
"data": null
}
}
}
],
"meta": {
"missingParameters": [],
"errors": []
}
}