目次

AWS Terraformの例

テンプレートの例

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }
  required_version = ">= 0.14.9"
}
provider "aws" {
  region = "us-east-2"
}
resource "aws_dynamodb_table" "dynamodb003S1" {
  name             = "mydynamodbtable"
  hash_key         = "TestTableHashKey"
  billing_mode     = "PAY_PER_REQUEST"
  stream_enabled   = true
  stream_view_type = "NEW_AND_OLD_IMAGES"
  attribute {
    name = "TestTableHashKey"
    type = "S"
  }
  server_side_encryption {
    enabled     = true
    kms_key_arn = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
  }
  point_in_time_recovery {
    enabled = true
  }
  tags = {
    Owner       = "Sample Team"
    Environment = "Test"
  }
}

Terraform Planの出力例

Terraform Planの出力は、TerraformプロジェクトをTemplate Scanner APIで読み取り可能な単一のファイルにパッケージ化するための仲介として使用されます。

{
  "format_version": "0.1",
  "terraform_version": "0.15.3",
  "planned_values": {
    "root_module": {
      "resources": [
        {
          "address": "aws_dynamodb_table.dynamodb003S1",
          "mode": "managed",
          "type": "aws_dynamodb_table",
          "name": "dynamodb003S1",
          "provider_name": "registry.terraform.io/hashicorp/aws",
          "schema_version": 1,
          "values": {
            "attribute": [{ "name": "TestTableHashKey", "type": "S" }],
            "billing_mode": "PAY_PER_REQUEST",
            "global_secondary_index": [],
            "hash_key": "TestTableHashKey",
            "local_secondary_index": [],
            "name": "mydynamodbtable",
            "point_in_time_recovery": [{ "enabled": true }],
            "range_key": null,
            "read_capacity": null,
            "replica": [],
            "server_side_encryption": [
              {
                "enabled": true,
                "kms_key_arn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
              }
            ],
            "stream_enabled": true,
            "stream_view_type": "NEW_AND_OLD_IMAGES",
            "tags": { "Environment": "test", "Owner": "Sample Team" },
            "tags_all": { "Environment": "test", "Owner": "Sample Team" },
            "timeouts": null,
            "ttl": [],
            "write_capacity": null
          }
        }
      ]
    }
  },
  "resource_changes": [
    {
      "address": "aws_dynamodb_table.dynamodb003S1",
      "mode": "managed",
      "type": "aws_dynamodb_table",
      "name": "dynamodb003S1",
      "provider_name": "registry.terraform.io/hashicorp/aws",
      "change": {
        "actions": ["create"],
        "before": null,
        "after": {
          "attribute": [{ "name": "TestTableHashKey", "type": "S" }],
          "billing_mode": "PAY_PER_REQUEST",
          "global_secondary_index": [],
          "hash_key": "TestTableHashKey",
          "local_secondary_index": [],
          "name": "mydynamodbtable",
          "point_in_time_recovery": [{ "enabled": true }],
          "range_key": null,
          "read_capacity": null,
          "replica": [],
          "server_side_encryption": [
            {
              "enabled": true,
              "kms_key_arn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
            }
          ],
          "stream_enabled": true,
          "stream_view_type": "NEW_AND_OLD_IMAGES",
          "tags": { "Environment": "test", "Owner": "Sample Team" },
          "tags_all": { "Environment": "test", "Owner": "Sample Team" },
          "timeouts": null,
          "ttl": [],
          "write_capacity": null
        },
        "after_unknown": {
          "arn": true,
          "attribute": [{}],
          "global_secondary_index": [],
          "id": true,
          "local_secondary_index": [],
          "point_in_time_recovery": [{}],
          "replica": [],
          "server_side_encryption": [{}],
          "stream_arn": true,
          "stream_label": true,
          "tags": {},
          "tags_all": {},
          "ttl": []
        },
        "before_sensitive": false,
        "after_sensitive": {
          "attribute": [{}],
          "global_secondary_index": [],
          "local_secondary_index": [],
          "point_in_time_recovery": [{}],
          "replica": [],
          "server_side_encryption": [{}],
          "tags": {},
          "tags_all": {},
          "ttl": []
        }
      }
    }
  ],
  "configuration": {
    "provider_config": {
      "aws": {
        "name": "aws",
        "version_constraint": "~\u003e 3.27",
        "expressions": { "region": { "constant_value": "us-east-2" } }
      }
    },
    "root_module": {
      "resources": [
        {
          "address": "aws_dynamodb_table.dynamodb003S1",
          "mode": "managed",
          "type": "aws_dynamodb_table",
          "name": "dynamodb003S1",
          "provider_config_key": "aws",
          "expressions": {
            "attribute": [
              {
                "name": { "constant_value": "TestTableHashKey" },
                "type": { "constant_value": "S" }
              }
            ],
            "billing_mode": { "constant_value": "PAY_PER_REQUEST" },
            "hash_key": { "constant_value": "TestTableHashKey" },
            "name": { "constant_value": "mydynamodbtable" },
            "point_in_time_recovery": [
              { "enabled": { "constant_value": true } }
            ],
            "server_side_encryption": [
              {
                "enabled": { "constant_value": true },
                "kms_key_arn": {
                  "constant_value": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
                }
              }
            ],
            "stream_enabled": { "constant_value": true },
            "stream_view_type": { "constant_value": "NEW_AND_OLD_IMAGES" },
            "tags": {
              "constant_value": {
                "Environment": "test",
                "Owner": "Sample Team"
              }
            }
          },
          "schema_version": 1
        }
      ]
    }
  }
}

検索コマンドの例

次のbashスクリプトは、テラフォームプランファイルの作成とテンプレートScannerAPIの呼び出しを処理します。 Terraformプロジェクトと同じディレクトリでスクリプトを実行してください。

#!/usr/bin/env bash
# Scans a template file
# Requires "jq" (https://stedolan.github.io/jq/) to be installed

api_key="Your Trend API Key"
api_base_url="https://conformity.us-1.cloudone.trendmicro.com/api"

terraform plan -out=outputfile

contents=$(terraform show -json outputfile | jq '.' -MRs)
payload="{\"data\":{\"attributes\":{\"type\":\"terraform-template\",\"contents\":${contents}}}}"

echo Request:
echo ${payload} | jq '.' -M

echo Response:
curl -s -X POST \
     -H "Authorization: ApiKey ${api_key}" \
     -H "Content-Type: application/vnd.api+json" \
     ${api_base_url}/template-scanner/scan \
     --data-binary "${payload}" | jq '.' -M

Template Scanner APIの出力例

{
  "data": [
    {
      "type": "checks",
      "id": "ccc:OrganisationId:RG-001:ResourceGroup:us-east-1:aws_dynamodb_table.dynamodb003S1",
      "attributes": {
        "region": "us-east-1",
        "status": "FAILURE",
        "risk-level": "LOW",
        "pretty-risk-level": "Low",
        "message": "dynamodb-table aws_dynamodb_table.dynamodb003S1 has [Role, Name] tags missing",
        "resource": "aws_dynamodb_table.dynamodb003S1",
        "descriptorType": "dynamodb-table",
        "categories": [
          "security",
          "reliability",
          "performance-efficiency",
          "cost-optimisation",
          "operational-excellence",
          "sustainability"
        ],
        "compliances": [
          "AWAF",
          "CIS-V8",
          "NIST4",
          "NIST5",
          "SOC2",
          "NIST-CSF",
          "ISO27001",
          "ISO27001-2022",
          "AGISM",
          "HITRUST",
          "ASAE-3150",
          "PCI-V4",
          "FEDRAMP",
          "MAS",
          "CSA"
        ],
        "extradata": [
          {
            "name": "DETAILED_STATUS",
            "label": "Resource tags status for dynamodb-table aws_dynamodb_table.dynamodb003S1",
            "value": "{\"service\":\"DynamoDB\",\"descriptorType\":\"dynamodb-table\",\"resourceName\":\"aws_dynamodb_table.dynamodb003S1\",\"tags\":[{\"key\":\"Environment\",\"hasValue\":true},{\"key\":\"Role\",\"hasValue\":false},{\"key\":\"Owner\",\"hasValue\":true},{\"key\":\"Name\",\"hasValue\":false}]}",
            "type": "META",
            "internal": true
          }
        ],
        "cost": 0,
        "waste": 0,
        "not-scored": false,
        "ignored": false,
        "rule-title": "Tags",
        "provider": "aws",
        "resolution-page-url": "https://wSample Team.cloudconformity.com/knowledge-base/aws/ResourceGroup/tags.html",
        "service": "ResourceGroup"
      },
      "relationships": {
        "rule": {
          "data": {
            "type": "rules",
            "id": "RG-001"
          }
        },
        "account": {
          "data": null
        }
      }
    },
    {
      "type": "checks",
      "id": "ccc:OrganisationId:DynamoDB-003:DynamoDB:us-east-1:aws_dynamodb_table.dynamodb003S1",
      "attributes": {
        "region": "us-east-1",
        "status": "SUCCESS",
        "risk-level": "HIGH",
        "pretty-risk-level": "High",
        "message": "Continuous Backups are enabled for [aws_dynamodb_table.dynamodb003S1]",
        "resource": "aws_dynamodb_table.dynamodb003S1",
        "descriptorType": "dynamodb-table",
        "categories": ["reliability"],
        "compliances": [
          "AWAF",
          "CIS-V8",
          "NIST4",
          "NIST5",
          "SOC2",
          "NIST-CSF",
          "ISO27001",
          "ISO27001-2022",
          "AGISM",
          "HIPAA",
          "HITRUST",
          "ASAE-3150",
          "PCI",
          "PCI-V4",
          "APRA",
          "FEDRAMP",
          "MAS",
          "CSA",
          "ENISA",
          "FISC-V9"
        ],
        "last-updated-date": null,
        "extradata": [
          {
            "name": "EarliestRestorableDateTime",
            "label": "Earliest Restorable DateTime",
            "value": 1707793280148,
            "type": "META"
          },
          {
            "name": "LatestRestorableDateTime",
            "label": "Latest Restorable DateTime",
            "value": 1707793280148,
            "type": "META"
          }
        ],
        "tags": ["Environment::test", "Owner::Sample Team"],
        "cost": 0,
        "waste": 0,
        "not-scored": false,
        "ignored": false,
        "rule-title": "DynamoDB Continuous Backups",
        "provider": "aws",
        "resolution-page-url": "https://wSample Team.cloudconformity.com/knowledge-base/aws/DynamoDB/continuous-backups.html",
        "service": "DynamoDB",
        "logicalResourceId": "aws_dynamodb_table.dynamodb003S1"
      },
      "relationships": {
        "rule": {
          "data": {
            "type": "rules",
            "id": "DynamoDB-003"
          }
        },
        "account": {
          "data": null
        }
      }
    },
    {
      "type": "checks",
      "id": "ccc:OrganisationId:DynamoDB-004:DynamoDB:us-east-1:dynamodb003S1",
      "attributes": {
        "region": "us-east-1",
        "status": "SUCCESS",
        "risk-level": "HIGH",
        "pretty-risk-level": "High",
        "message": "Table [dynamodb003S1] is encrypted at rest using the AWS managed key or Customer managed key",
        "resource": "dynamodb003S1",
        "descriptorType": "dynamodb-table",
        "categories": ["security"],
        "compliances": [
          "GDPR",
          "AWAF",
          "CIS-V8",
          "NIST4",
          "NIST5",
          "SOC2",
          "NIST-CSF",
          "ISO27001",
          "ISO27001-2022",
          "AGISM",
          "HIPAA",
          "HITRUST",
          "ASAE-3150",
          "PCI",
          "PCI-V4",
          "APRA",
          "FEDRAMP",
          "MAS",
          "CSA",
          "ENISA",
          "FISC-V9",
          "LGPD"
        ],
        "last-updated-date": null,
        "tags": ["Environment::test", "Owner::Sample Team"],
        "cost": 0,
        "waste": 0,
        "not-scored": false,
        "ignored": false,
        "rule-title": "Enable Encryption at Rest with Amazon KMS Keys",
        "provider": "aws",
        "resolution-page-url": "https://wSample Team.cloudconformity.com/knowledge-base/aws/DynamoDB/encrypted-with-cmk.html",
        "service": "DynamoDB",
        "logicalResourceId": "aws_dynamodb_table.dynamodb003S1"
      },
      "relationships": {
        "rule": {
          "data": {
            "type": "rules",
            "id": "DynamoDB-004"
          }
        },
        "account": {
          "data": null
        }
      }
    }
  ],
  "meta": {
    "missingParameters": [],
    "errors": []
  }
}