Template Scanner enables you to run Trend Vision One™ – Cloud Posture Rules on your Terraform and AWS CloudFormation templates. You can add preventative security and governance controls to the workflow to identify and remediate issues prior to launching any services and resources.
Note: This document covers Template Scanner from within the Cloud Posture application. For documentation on the GitHub app to scan your infrastructure as code, please refer to Trend Vision One™ - Template Scanner.
What is Template Scanner?
Cloud Posture provides the Template Scanner capability as a preventative measure to ensure your AWS infrastructure remains compliant by detecting risks in template files before they are launched into AWS.
An API endpoint is available for CI/CD pipelines and automation.
You can use this service to scan a template file. Currently, we support Terraform plans and CloudFormation templates. You can configure rules through Cloud Posture Profiles.
Parameters can be used to customize input values to the template each time a stack is created. If a parameter is defined in a template, parameter values can be supplied using the arguments field.
How to use Template Scanner?
You can use the Template Scanner for:
- Scanning a CloudFormation Template or a Terraform plan
- Using the Template Scanner API
API Endpoints to Retrieve Rules
You can use the following API endpoints to retrieve a list of rules that can be
scanned for:
Scan via UI
- Select the type of rule settings you want to scan for:
- Default rule settings: upload and scan using rule settings from your organization.
- Profile rule settings: upload and scan using rule settings from a selected profile.
- Account rule settings: upload and scan using rule settings from a selected account.
Scanning a CloudFormation template
- CloudFormation templates can be uploaded in either JSON or YAML format.
- You can also use the `!Condition` short-form intrinsic function in YAML templates.
Scanning Terraform
- Terraform templates must be converted to a Terraform plan in JSON by following the steps below from your command-line tool:
  - In the same directory as the .tf template, export your provider's access key, secret key, and region (e.g. `export AWS_REGION=us-east-1`).
  - Run the command `terraform init`.
  - Run the command `terraform plan -out=your_file`.
  - Run the command `terraform show -json your_file > your_file.json`. Your Terraform JSON plan is ready to be uploaded to the Template Scanner from the same folder as your .tf file.
  - Follow the steps in the next section to Scan via UI or use the API endpoints.
- Click on Upload and scan to view scan results for your selected rule settings.
- You will get a message for missing parameters while scanning your template. Decide whether you want to Proceed or Cancel the scanning process.
Note: Resources with missing parameters will not be scanned, which results in partial scan results.
- Review Checks from scan results. Failed checks will display a Resolve button with a link to resolution steps. For more information on the anatomy of the rule, see Rules.
Note: Resolution steps provided with failed checks are for workflows via CLI or Console. You can also use these steps as a guide for resolution within CloudFormation.
Why do I not see any scan results?
You may receive an empty response or an error for any of the following reasons:
- Unsupported resource type or rules: Template Scanner only supports resource-level rules. Please refer to the APIs for a list of supported rules and resource types. We have plans to add support for more resource types over time. If there is a specific resource type you need as a priority, please log in to Cloud Posture and submit a ticket to our support team.
- Parameter(s) with no default value: CloudFormation templates with parameters that have no default values may fail to be processed.
- Unsupported intrinsic function: The following are not fully supported:
- Fn::ImportValue
- Fn::Cidr
- Fn::Transform
- Fn::ToJsonString
You may want to temporarily replace these functions with static values so your template can be correctly scanned.
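The two causes above that you can catch before uploading (parameters without a default, and the unsupported intrinsic functions) lend themselves to a pre-flight check in the CI/CD pipeline. The script below is an added example, not Trend Micro code; it reads a CloudFormation template in JSON form, lists parameters lacking a `Default`, and walks the whole document for the four intrinsic functions named above, reporting the path of each use. The sample template embedded at the bottom is constructed for illustration.

```python
"""Pre-flight check for a CloudFormation JSON template before it is sent to Template Scanner.
Added example (not Trend Micro code): flags parameters without a Default and any use of the
intrinsic functions the scanner does not fully support."""
from __future__ import annotations
import json

# Intrinsic functions listed as not fully supported by Template Scanner.
UNSUPPORTED_FUNCTIONS = {"Fn::ImportValue", "Fn::Cidr", "Fn::Transform", "Fn::ToJsonString"}


def parameters_without_default(template: dict) -> list[str]:
    """Parameters with no Default: resources that reference them may be skipped in the scan."""
    params = template.get("Parameters", {})
    return sorted(name for name, spec in params.items() if "Default" not in spec)


def unsupported_functions(node, path: str = "") -> list[tuple[str, str]]:
    """Recursively walk dicts/lists and return (dotted path, function name) for each hit."""
    found: list[tuple[str, str]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key in UNSUPPORTED_FUNCTIONS:
                found.append((path or "$", key))
            found.extend(unsupported_functions(value, f"{path}.{key}" if path else key))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(unsupported_functions(item, f"{path}[{i}]"))
    return found


def preflight(template_json: str) -> dict:
    """Parse the template text and return both findings; empty lists mean it is safe to upload."""
    template = json.loads(template_json)
    return {
        "missing_defaults": parameters_without_default(template),
        "unsupported": unsupported_functions(template),
    }


# Constructed sample (hypothetical, not a real workload): one parameter without a Default
# and one Fn::ImportValue nested inside a resource property.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {"BucketName": {"Type": "String"}, "Env": {"Type": "String", "Default": "dev"}},
    "Resources": {"Bucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketName": {"Ref": "BucketName"},
        "LoggingConfiguration": {"DestinationBucketName": {"Fn::ImportValue": "shared-log-bucket"}},
    }}},
})

if __name__ == "__main__":
    print(json.dumps(preflight(SAMPLE_TEMPLATE), indent=2))
```

Wire `preflight` in before the upload step so a template with findings is rewritten with static values (as suggested above) instead of producing a partial or empty scan.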