Terraform (AWS) Example
Example template
# Pins the AWS provider release line and the minimum Terraform CLI version used
# to produce the plan output shown later on this page.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }
  required_version = ">= 0.14.9"
}
# Region the example table is created in. The KMS key ARN on the table resource
# below names a different region (us-east-1); see the note there.
provider "aws" {
  region = "us-east-2"
}
# Example DynamoDB table; the plan output and scan results on this page were
# produced from this single resource.
resource "aws_dynamodb_table" "dynamodb003S1" {
  name     = "mydynamodbtable"
  hash_key = "TestTableHashKey"
  # No read_capacity / write_capacity is declared for this billing mode; the plan
  # output shows both as null.
  billing_mode = "PAY_PER_REQUEST"
  stream_enabled   = true
  stream_view_type = "NEW_AND_OLD_IMAGES"

  # Attribute definition for the hash key ("S" = string type).
  attribute {
    name = "TestTableHashKey"
    type = "S"
  }

  # Encryption at rest with a customer-managed KMS key; this is what scan rule
  # DynamoDB-004 on this page reports as passing.
  # NOTE(review): the key ARN is in us-east-1 while the provider region is
  # us-east-2 — confirm the key is usable from the table's region. The account id
  # and key id are sample values; replace them with your own.
  server_side_encryption {
    enabled     = true
    kms_key_arn = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
  }

  # Point-in-time recovery; reported by scan rule DynamoDB-003 on this page as
  # "Continuous Backups are enabled".
  point_in_time_recovery {
    enabled = true
  }

  # Scan rule RG-001 on this page flags the Role and Name tags as missing.
  # NOTE(review): the plan and scan output on this page show Environment as
  # "test" (lower case); the value here is "Test".
  tags = {
    Owner       = "Sample Team"
    Environment = "Test"
  }
}
Example Terraform Plan output
Terraform plan output is used as an intermediary to package your Terraform project into a single file that the Template Scanner API can read.
{
"format_version": "0.1",
"terraform_version": "0.15.3",
"planned_values": {
"root_module": {
"resources": [
{
"address": "aws_dynamodb_table.dynamodb003S1",
"mode": "managed",
"type": "aws_dynamodb_table",
"name": "dynamodb003S1",
"provider_name": "registry.terraform.io/hashicorp/aws",
"schema_version": 1,
"values": {
"attribute": [{ "name": "TestTableHashKey", "type": "S" }],
"billing_mode": "PAY_PER_REQUEST",
"global_secondary_index": [],
"hash_key": "TestTableHashKey",
"local_secondary_index": [],
"name": "mydynamodbtable",
"point_in_time_recovery": [{ "enabled": true }],
"range_key": null,
"read_capacity": null,
"replica": [],
"server_side_encryption": [
{
"enabled": true,
"kms_key_arn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
}
],
"stream_enabled": true,
"stream_view_type": "NEW_AND_OLD_IMAGES",
"tags": { "Environment": "test", "Owner": "Sample Team" },
"tags_all": { "Environment": "test", "Owner": "Sample Team" },
"timeouts": null,
"ttl": [],
"write_capacity": null
}
}
]
}
},
"resource_changes": [
{
"address": "aws_dynamodb_table.dynamodb003S1",
"mode": "managed",
"type": "aws_dynamodb_table",
"name": "dynamodb003S1",
"provider_name": "registry.terraform.io/hashicorp/aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"attribute": [{ "name": "TestTableHashKey", "type": "S" }],
"billing_mode": "PAY_PER_REQUEST",
"global_secondary_index": [],
"hash_key": "TestTableHashKey",
"local_secondary_index": [],
"name": "mydynamodbtable",
"point_in_time_recovery": [{ "enabled": true }],
"range_key": null,
"read_capacity": null,
"replica": [],
"server_side_encryption": [
{
"enabled": true,
"kms_key_arn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
}
],
"stream_enabled": true,
"stream_view_type": "NEW_AND_OLD_IMAGES",
"tags": { "Environment": "test", "Owner": "Sample Team" },
"tags_all": { "Environment": "test", "Owner": "Sample Team" },
"timeouts": null,
"ttl": [],
"write_capacity": null
},
"after_unknown": {
"arn": true,
"attribute": [{}],
"global_secondary_index": [],
"id": true,
"local_secondary_index": [],
"point_in_time_recovery": [{}],
"replica": [],
"server_side_encryption": [{}],
"stream_arn": true,
"stream_label": true,
"tags": {},
"tags_all": {},
"ttl": []
},
"before_sensitive": false,
"after_sensitive": {
"attribute": [{}],
"global_secondary_index": [],
"local_secondary_index": [],
"point_in_time_recovery": [{}],
"replica": [],
"server_side_encryption": [{}],
"tags": {},
"tags_all": {},
"ttl": []
}
}
}
],
"configuration": {
"provider_config": {
"aws": {
"name": "aws",
"version_constraint": "~\u003e 3.27",
"expressions": { "region": { "constant_value": "us-east-2" } }
}
},
"root_module": {
"resources": [
{
"address": "aws_dynamodb_table.dynamodb003S1",
"mode": "managed",
"type": "aws_dynamodb_table",
"name": "dynamodb003S1",
"provider_config_key": "aws",
"expressions": {
"attribute": [
{
"name": { "constant_value": "TestTableHashKey" },
"type": { "constant_value": "S" }
}
],
"billing_mode": { "constant_value": "PAY_PER_REQUEST" },
"hash_key": { "constant_value": "TestTableHashKey" },
"name": { "constant_value": "mydynamodbtable" },
"point_in_time_recovery": [
{ "enabled": { "constant_value": true } }
],
"server_side_encryption": [
{
"enabled": { "constant_value": true },
"kms_key_arn": {
"constant_value": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
}
}
],
"stream_enabled": { "constant_value": true },
"stream_view_type": { "constant_value": "NEW_AND_OLD_IMAGES" },
"tags": {
"constant_value": {
"Environment": "test",
"Owner": "Sample Team"
}
}
},
"schema_version": 1
}
]
}
}
}
Example scan command
The following bash script creates the Terraform plan file and calls the Template Scanner API. Run the script from the same directory as your Terraform project.
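#!/usr/bin/env bash
# Scans a Terraform project with the Template Scanner API.
# Requires "terraform", "curl" and "jq" (https://stedolan.github.io/jq/) to be installed.
# Run from the directory that holds your Terraform project.
#
# Abort on the first failing command, including a failure inside a pipeline, so a
# broken `terraform plan` is never posted to the API as if it were a valid plan.
set -euo pipefail

# Prefer an API key from the environment (CONFORMITY_API_KEY is a name chosen by
# this script) so the secret does not have to be written into the file; the
# literal below is only a placeholder.
api_key="${CONFORMITY_API_KEY:-Your Trend API Key}"
api_base_url="https://conformity.us-1.cloudone.trendmicro.com/api"

# The binary plan file holds the complete planned state, including any values
# Terraform marks as sensitive; keep it out of version control.
terraform plan -out=outputfile

# Build the JSON:API request body with jq instead of string interpolation, so the
# plan document is escaped correctly whatever it contains. With -R -s, `.` is the
# whole plan as one JSON string, which is the form the `contents` attribute takes.
payload=$(terraform show -json outputfile | jq -cRs '{data: {attributes: {type: "terraform-template", contents: .}}}')

echo Request:
# Quoted so the shell does not word-split or glob-expand the payload.
echo "${payload}" | jq '.' -M

echo Response:
# -S still reports transport errors on stderr while -s silences the progress meter;
# --fail-with-body (curl >= 7.76) makes an HTTP error exit non-zero but keeps the
# API's error body so it is still shown through jq.
curl -sS --fail-with-body -X POST \
  -H "Authorization: ApiKey ${api_key}" \
  -H "Content-Type: application/vnd.api+json" \
  "${api_base_url}/template-scanner/scan" \
  --data-binary "${payload}" | jq '.' -M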
Example Template Scanner API Output
{
"data": [
{
"type": "checks",
"id": "ccc:OrganisationId:RG-001:ResourceGroup:us-east-1:aws_dynamodb_table.dynamodb003S1",
"attributes": {
"region": "us-east-1",
"status": "FAILURE",
"risk-level": "LOW",
"pretty-risk-level": "Low",
"message": "dynamodb-table aws_dynamodb_table.dynamodb003S1 has [Role, Name] tags missing",
"resource": "aws_dynamodb_table.dynamodb003S1",
"descriptorType": "dynamodb-table",
"categories": [
"security",
"reliability",
"performance-efficiency",
"cost-optimisation",
"operational-excellence",
"sustainability"
],
"compliances": [
"AWAF",
"CIS-V8",
"NIST4",
"NIST5",
"SOC2",
"NIST-CSF",
"ISO27001",
"ISO27001-2022",
"AGISM",
"HITRUST",
"ASAE-3150",
"PCI-V4",
"FEDRAMP",
"MAS",
"CSA"
],
"extradata": [
{
"name": "DETAILED_STATUS",
"label": "Resource tags status for dynamodb-table aws_dynamodb_table.dynamodb003S1",
"value": "{\"service\":\"DynamoDB\",\"descriptorType\":\"dynamodb-table\",\"resourceName\":\"aws_dynamodb_table.dynamodb003S1\",\"tags\":[{\"key\":\"Environment\",\"hasValue\":true},{\"key\":\"Role\",\"hasValue\":false},{\"key\":\"Owner\",\"hasValue\":true},{\"key\":\"Name\",\"hasValue\":false}]}",
"type": "META",
"internal": true
}
],
"cost": 0,
"waste": 0,
"not-scored": false,
"ignored": false,
"rule-title": "Tags",
"provider": "aws",
"resolution-page-url": "https://www.cloudconformity.com/knowledge-base/aws/ResourceGroup/tags.html",
"service": "ResourceGroup"
},
"relationships": {
"rule": {
"data": {
"type": "rules",
"id": "RG-001"
}
},
"account": {
"data": null
}
}
},
{
"type": "checks",
"id": "ccc:OrganisationId:DynamoDB-003:DynamoDB:us-east-1:aws_dynamodb_table.dynamodb003S1",
"attributes": {
"region": "us-east-1",
"status": "SUCCESS",
"risk-level": "HIGH",
"pretty-risk-level": "High",
"message": "Continuous Backups are enabled for [aws_dynamodb_table.dynamodb003S1]",
"resource": "aws_dynamodb_table.dynamodb003S1",
"descriptorType": "dynamodb-table",
"categories": ["reliability"],
"compliances": [
"AWAF",
"CIS-V8",
"NIST4",
"NIST5",
"SOC2",
"NIST-CSF",
"ISO27001",
"ISO27001-2022",
"AGISM",
"HIPAA",
"HITRUST",
"ASAE-3150",
"PCI",
"PCI-V4",
"APRA",
"FEDRAMP",
"MAS",
"CSA",
"ENISA",
"FISC-V9"
],
"last-updated-date": null,
"extradata": [
{
"name": "EarliestRestorableDateTime",
"label": "Earliest Restorable DateTime",
"value": 1707793280148,
"type": "META"
},
{
"name": "LatestRestorableDateTime",
"label": "Latest Restorable DateTime",
"value": 1707793280148,
"type": "META"
}
],
"tags": ["Environment::test", "Owner::Sample Team"],
"cost": 0,
"waste": 0,
"not-scored": false,
"ignored": false,
"rule-title": "DynamoDB Continuous Backups",
"provider": "aws",
"resolution-page-url": "https://www.cloudconformity.com/knowledge-base/aws/DynamoDB/continuous-backups.html",
"service": "DynamoDB",
"logicalResourceId": "aws_dynamodb_table.dynamodb003S1"
},
"relationships": {
"rule": {
"data": {
"type": "rules",
"id": "DynamoDB-003"
}
},
"account": {
"data": null
}
}
},
{
"type": "checks",
"id": "ccc:OrganisationId:DynamoDB-004:DynamoDB:us-east-1:dynamodb003S1",
"attributes": {
"region": "us-east-1",
"status": "SUCCESS",
"risk-level": "HIGH",
"pretty-risk-level": "High",
"message": "Table [dynamodb003S1] is encrypted at rest using the AWS managed key or Customer managed key",
"resource": "dynamodb003S1",
"descriptorType": "dynamodb-table",
"categories": ["security"],
"compliances": [
"GDPR",
"AWAF",
"CIS-V8",
"NIST4",
"NIST5",
"SOC2",
"NIST-CSF",
"ISO27001",
"ISO27001-2022",
"AGISM",
"HIPAA",
"HITRUST",
"ASAE-3150",
"PCI",
"PCI-V4",
"APRA",
"FEDRAMP",
"MAS",
"CSA",
"ENISA",
"FISC-V9",
"LGPD"
],
"last-updated-date": null,
"tags": ["Environment::test", "Owner::Sample Team"],
"cost": 0,
"waste": 0,
"not-scored": false,
"ignored": false,
"rule-title": "Enable Encryption at Rest with Amazon KMS Keys",
"provider": "aws",
"resolution-page-url": "https://www.cloudconformity.com/knowledge-base/aws/DynamoDB/encrypted-with-cmk.html",
"service": "DynamoDB",
"logicalResourceId": "aws_dynamodb_table.dynamodb003S1"
},
"relationships": {
"rule": {
"data": {
"type": "rules",
"id": "DynamoDB-004"
}
},
"account": {
"data": null
}
}
}
],
"meta": {
"missingParameters": [],
"errors": []
}
}