本教學課程說明如何驗證基礎架構即程式碼 (IaC) 是否違反機構政策或 Security Health Analytics 偵測器。
準備環境
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- 
      Install the Google Cloud CLI. 
- 
          如果您使用外部識別資訊提供者 (IdP),請先 使用聯合身分登入 gcloud CLI。 
- 
        如要初始化 gcloud CLI,請執行下列指令: gcloud init
- 
  
  
    Create or select a Google Cloud project. Roles required to select or create a project - Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
- 
      Create a project: To create a project, you need the Project Creator
      (roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
 - 
        Create a Google Cloud project: gcloud projects create PROJECT_ID Replace PROJECT_IDwith a name for the Google Cloud project you are creating.
- 
        Select the Google Cloud project that you created: gcloud config set project PROJECT_ID Replace PROJECT_IDwith your Google Cloud project name.
 
- 
  
    Verify that billing is enabled for your Google Cloud project. 
- 
  
  
    
      Enable the Security posture service and Security Command Center management APIs: Roles required to enable APIs To enable APIs, you need the Service Usage Admin IAM role ( roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission. Learn how to grant roles.gcloud services enable securityposture.googleapis.com securitycentermanagement.googleapis.com 
- 
      Install the Google Cloud CLI. 
- 
          如果您使用外部識別資訊提供者 (IdP),請先 使用聯合身分登入 gcloud CLI。 
- 
        如要初始化 gcloud CLI,請執行下列指令: gcloud init
- 
  
  
    Create or select a Google Cloud project. Roles required to select or create a project - Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
- 
      Create a project: To create a project, you need the Project Creator
      (roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
 - 
        Create a Google Cloud project: gcloud projects create PROJECT_ID Replace PROJECT_IDwith a name for the Google Cloud project you are creating.
- 
        Select the Google Cloud project that you created: gcloud config set project PROJECT_ID Replace PROJECT_IDwith your Google Cloud project name.
 
- 
  
    Verify that billing is enabled for your Google Cloud project. 
- 
  
  
    
      Enable the Security posture service and Security Command Center management APIs: Roles required to enable APIs To enable APIs, you need the Service Usage Admin IAM role ( roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission. Learn how to grant roles.gcloud services enable securityposture.googleapis.com securitycentermanagement.googleapis.com 
- 複製專案編號。部署安全狀況時,您需要專案編號才能設定目標資源。
  gcloud projects describe PROJECT_ID 
- 初始化 Terraform:
  terraform init 
- 在 Cloud Shell 中啟動 Cloud Shell 編輯器。如要啟動編輯器,請按一下 Cloud Shell 視窗工具列上的「Open Editor」  。 。
- 建立名為 - example-standard.yaml的 YAML 檔案。
- 將下列程式碼貼入檔案: 
- 在 Cloud Shell 中建立姿勢: - gcloud scc postures create organizations/ORGANIZATION_ID/locations/global/postures/example-standard --posture-from-file=example-standard.yaml 
- 複製指令產生的姿勢修訂版本 ID。 
- 將姿勢部署至專案: - gcloud scc posture-deployments create organizations/ORGANIZATION_ID/locations/global/postureDeployments/example-standard \ --posture-name=organizations/ORGANIZATION_ID/locations/global/postures/example-standard \ --posture-revision-id="POSTURE_REVISION_ID" \ --target-resource=projects/PROJECT_NUMBER - 更改下列內容: - ORGANIZATION_ID:您的機構 ID。
- POSTURE REVISION_ID:您複製的姿勢修訂 ID。
- PROJECT_NUMBER:您的專案編號。
 
- 在 Cloud Shell 中啟動 Cloud Shell 編輯器。 
- 建立名為 - main.tf的 Terraform 檔案。
- 將下列程式碼貼入檔案: - terraform { required_providers { google = { source = "hashicorp/google" } } } provider "google" { region = "us-central1" zone = "us-central1-c" } resource "google_compute_network" "example_network"{ name = "example-network-1" delete_default_routes_on_create = false auto_create_subnetworks = false routing_mode = "REGIONAL" mtu = 100 project = "PROJECT_ID" } resource "google_container_node_pool" "example_node_pool" { name = "example-node-pool-1" cluster = "example-cluster-1" project = "PROJECT_ID" initial_node_count = 2 node_config { preemptible = true machine_type = "e2-medium" } } resource "google_storage_bucket" "example_bucket" { name = "example-bucket-1" location = "EU" force_destroy = true project = "PROJECT_ID" uniform_bucket_level_access = false }- 將 - PROJECT_ID替換為您建立的專案 ID。
- 在 Cloud Shell 中建立 Terraform 方案檔案,並轉換為 JSON 格式: - terraform plan -out main.plan terraform show -json main.plan > mainplan.json 
- 為「 - mainplan.json」建立 IaC 驗證報告:- gcloud scc iac-validation-reports create organizations/ORGANIZATION_ID/locations/global --tf-plan-file=mainplan.json - 這項指令會傳回 IaC 驗證報告,說明下列違規事項: - example_network的- mtu不是 1000。
- example_node_pool的- initial_node_count不是 3。
- example_bucket未啟用統一值區層級存取權。
- example_bucket未啟用記錄功能。
 
- 在 Cloud Shell 中啟動 Cloud Shell 編輯器。 
- 更新 - main.tf檔案,進行下列變更:- terraform { required_providers { google = { source = "hashicorp/google" } } } provider "google" { region = "us-central1" zone = "us-central1-c" } resource "google_compute_network" "example_network"{ name = "example-network-1" delete_default_routes_on_create = false auto_create_subnetworks = false routing_mode = "REGIONAL" mtu = 1000 project = "PROJECT_ID" } resource "google_container_node_pool" "example_node_pool" { name = "example-node-pool-1" cluster = "example-cluster-1" project = "PROJECT_ID" initial_node_count = 3 node_config { preemptible = true machine_type = "e2-medium" } } resource "google_storage_bucket" "example_bucket" { name = "example-bucket-1" location = "EU" force_destroy = true project = "PROJECT_ID" uniform_bucket_level_access = true logging { log_bucket = "my-unique-logging-bucket" // Create a separate bucket for logs log_object_prefix = "tf-logs/" // Optional prefix for better structure } }- 將 - PROJECT_ID替換為您建立的專案 ID。
- 在 Cloud Shell 中建立 Terraform 方案檔案,並轉換為 JSON 格式: - terraform plan -out main.plan terraform show -json main.plan > mainplan.json 
- 為「 - mainplan.json」重新建立 IaC 驗證報告:- gcloud scc iac-validation-reports create organizations/ORGANIZATION_ID/locations/global --tf-plan-file=mainplan.json 
建立及部署防護機制
name: organizations/ORGANIZATION_ID/locations/global/postures/example-standard state: ACTIVE policySets: - policies: - constraint: orgPolicyConstraintCustom: customConstraint: actionType: ALLOW condition: "resource.initialNodeCount == 3" description: Set initial node count to be exactly 3. displayName: fixedNodeCount methodTypes: - CREATE name: organizations/ORGANIZATION_ID/customConstraints/custom.fixedNodeCount resourceTypes: - container.googleapis.com/NodePool policyRules: - enforce: true policyId: fixedNodeCount - constraint: securityHealthAnalyticsCustomModule: config: customOutput: {} description: Set MTU for a network to be exactly 1000. predicate: expression: "!(resource.mtu == 1000)" recommendation: Only create networks whose MTU is 1000. resourceSelector: resourceTypes: - compute.googleapis.com/Network severity: HIGH displayName: fixedMTU moduleEnablementState: ENABLED policyId: fixedMTU - constraint: securityHealthAnalyticsModule: moduleEnablementState: ENABLED moduleName: BUCKET_POLICY_ONLY_DISABLED policyId: bucket_policy_only_disabled - constraint: securityHealthAnalyticsModule: moduleEnablementState: ENABLED moduleName: BUCKET_LOGGING_DISABLED policyId: bucket_logging_disabled policySetId: policySet1
將 ORGANIZATION_ID 替換為機構 ID。