This section of the documentation outlines how to manage the IaC Security configurations used for scanning. Check out the IaC Overview for high-level details of the IaC feature. Configurations are a critical component of IaC Analyzer scans: they let users determine which “checks” to scan for, with regard to resources and Insights. In most scenarios, configurations are added after you have set up your desired scanning setup, so that the data you want to analyze is already coming in.
The Configurations section of the IaC Security interface is available under "Security → Infrastructure as Code → Configurations". Each Configuration is listed with: a link to its Insight Pack (Custom Packs or Compliance Packs), whether developer exceptions are enabled, the number of Terraform Cloud/Enterprise (TFC/E) Run Tasks associated with the configuration, various dates regarding usage and creation, and actions.
- Click "+ New Configuration" to begin creating a new IaC Configuration
- Click the "Insight Pack" name to open the Insights Library page for the pack
- Click the "Edit Configuration" icon (pencil) to open the Manage Configuration pane
- Click the "TFC/E Run Task Integrations" icon (gear) to open the Manage Run Task Integrations pane
- Click the "Delete" icon (trash can) to delete the configuration
Here are a few things to keep in mind when creating your configuration:
- There are currently no limitations on the number of configurations. However, only a single configuration can be used for scanning at one time.
- Configurations are limited to a maximum of 300 Insights.
- Configurations are only available to Domain Admins, Organization Admins, and Editor/Admin-entitled users. See the User Entitlements Matrix for more information.
First, navigate to "Security → Infrastructure as Code → Configurations", then click the “+ New Configuration” button in the top right corner. The “Create Configuration” form launches from the side of the page.
1. Provide a Name and optional Description for the new configuration.
2. Set whether the configuration requires Developer Exceptions using the toggle. Developer Exceptions provide a way for users to keep resources from being flagged as having Insight findings during the IaC analysis.
3. Under “Insight Settings”, select an Insight Pack to use for your IaC Security analysis.
   - InsightCloudSec provides support for both out-of-the-box Compliance Packs and for Custom Packs (based on user-specific configurations of Insights).
   - Selecting an Insight Pack (custom or otherwise) will expose a list of the Insights included in the specified pack, along with buttons to configure your desired Insight settings.
4. Select whether to fail, warn, or ignore the Insight upon verification during IaC Security analysis.
   - The level of support is specified under each Insight name in grey text. If no grey text is present, the Insight has full resource support.
     - Partial Support - Resources are not supported for certain CSPs; these will be specifically identified.
     - Unsupported - Resources specific to this Insight are not supported on any of the CSPs; these will be hidden by default. Click the "Show Unsupported Insights" button at the bottom of the "Insight Configuration" list to display them.
   - Alternatively, click "Set All" and select a status to use for all Insights.
5. Optionally, click "Notifications" to configure notifications upon scan.
   - Provide a Slack channel and/or email address(es) to notify once the scan is complete. Note: This requires a previously configured Slack Integration or SMTP (Email Notifications) integration.
6. When you are satisfied with your settings, click “Apply”. Your completed configuration will be available under the “Configurations” tab.
There are two ways to edit an existing configuration:
- Click the "Edit Configuration" icon (pencil) next to a finished configuration scan on the "Scan List" tab
- Click the "Edit Configuration" icon (pencil) next to a configuration on the "Configurations" tab
After clicking the "Edit Configuration" icon, the Manage Configuration window will appear, allowing you to edit the name, description, Insight Pack and settings, and notifications for the configuration. Click "Apply" once you have finished your edits.