Set Up Your Prisma Cloud Configuration File for IaC Scan

Describes the .prismaCloud/config.yml file for IaC Scan.
Prisma Cloud IaC Scan requires a Prisma Cloud configuration file in the repository where your templates are stored. This configuration file can include information about your IaC module structure, runtime variables, and tags that help refine your IaC Scan use. It enables Prisma Cloud IaC scan to support complex module structures and variable formats. This YAML file format is shared across all template types.
Make sure to use a syntax validation tool when you copy and paste content from this page.
Create this file as .prismaCloud/config.yml in the root directory of your repository branch.
# This is the configuration file for IaC Scan APIv2.
# Specify the template type. The valid values are TF, CFT, K8S
template_type: TF
# For Terraform, it is recommended to provide one of the following values: 0.11, 0.12 or 0.13.
# For CFT and K8S, this can be omitted.
template_version: 0.11
# For your template_type, fill in the details where applicable.
# variables: Specify any environment variables (TF) or parameters (CFT) as key: value pairs under this attribute.
# variable_files: Specify all the custom variable_files under here. It is an array of strings.
# variable_files: If the file uses the standard extension (.tfvars for Terraform), then this can be omitted.
# variable_files: For a custom extension, specify the variable file path from the root of the repo.
template_parameters:
  variables:
    key1: value1
    key2: value2
  variable_files:
    - ./filepath/filename1
    - ./filepath/filename2
# Define tags to identify your particular scan. You can use these tags to search the scan details in Prisma Cloud.
tags:
  org: Engineering
  team: Shift_Left
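The following is an added example, not Prisma Cloud code: a structural check for the APIv2 config.yml layout described above, run over the parsed YAML (the dict that yaml.safe_load returns, so it needs no PyYAML to run). It checks the template_type and template_version values, the shape of template_parameters and tags, and flags the common mistake of writing key1:value1 without a space, which YAML parses as a null-valued key rather than a variable. The sample configs are constructed.

```python
# Added example (not Prisma Cloud code): structural checks for the APIv2
# .prismaCloud/config.yml shown above. It validates the already-parsed YAML
# (the dict that yaml.safe_load returns), so it runs without PyYAML.
VALID_TEMPLATE_TYPES = {"TF", "CFT", "K8S"}
RECOMMENDED_TF_VERSIONS = {"0.11", "0.12", "0.13"}


def validate_config(cfg):
    """Return a list of problems found in the parsed config; an empty list means OK."""
    if not isinstance(cfg, dict):
        return ["top level must be a mapping"]
    problems = []
    ttype = cfg.get("template_type")
    if ttype not in VALID_TEMPLATE_TYPES:
        problems.append(f"template_type must be one of TF, CFT, K8S; got {ttype!r}")
    version = cfg.get("template_version")
    # YAML reads an unquoted 0.11 as a float, so compare the string form.
    if ttype == "TF" and str(version) not in RECOMMENDED_TF_VERSIONS:
        problems.append(f"template_version should be 0.11, 0.12 or 0.13 for TF; got {version!r}")
    params = cfg.get("template_parameters") or {}
    if not isinstance(params, dict):
        return problems + ["template_parameters must be a mapping"]
    variables = params.get("variables")
    if isinstance(variables, dict):
        for key, value in variables.items():
            # "key1:value1" with no space after the colon parses as a null-valued key.
            if ":" in str(key) or value is None:
                problems.append(f"variable {key!r}: missing space after ':'?")
    elif variables is not None:
        problems.append("template_parameters.variables must be key: value pairs")
    files = params.get("variable_files")
    if files is not None and not (isinstance(files, list) and all(isinstance(f, str) for f in files)):
        problems.append("template_parameters.variable_files must be an array of strings")
    if cfg.get("tags") is not None and not isinstance(cfg["tags"], dict):
        problems.append("tags must be key: value pairs")
    return problems


GOOD_CONFIG = {  # constructed: what yaml.safe_load returns for the config above
    "template_type": "TF", "template_version": 0.11,
    "template_parameters": {"variables": {"key1": "value1", "key2": "value2"},
                            "variable_files": ["./filepath/filename1"]},
    "tags": {"org": "Engineering", "team": "Shift_Left"},
}
# Constructed: a lowercase template type and "key1:value1" written without a space.
BAD_CONFIG = {"template_type": "tf",
              "template_parameters": {"variables": {"key1:value1": None}}}
```

Feed it the output of yaml.safe_load on your own .prismaCloud/config.yml before committing; an empty list means the file has the shape IaC Scan expects.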

IaC Scan Support for Version 1 (Deprecated)

The content of your Prisma Cloud configuration file depends on the IaC Scan support you need. The following sections show the configuration details.
Make sure to use a syntax validation tool when you copy and paste content from this page.

Configure IaC Scan to Support Terraform

The following shows the parameters in the Prisma Cloud configuration file that enable you to configure the IaC scan for a Terraform 0.11 module with a variable file and/or input variables.
# Specify the template type. Valid values are as follows.
# - For Terraform: TF
# - For AWS CloudFormation: CFT
# - For Kubernetes: K8S
template_type: TF
# The valid values for terraform_version are 0.11 or 0.12
terraform_version: 0.11
# If terraform_version is 0.11, then terraform_011_parameters is required.
# The value for variable_files is an array of custom variable file names. The path of each file is relative to your repository branch root directory.
# The value for variable_values is an array of name/value pairs that identify the input variables your template uses.
terraform_011_parameters:
  variable_files:
    - scan/rich-value-types/network/variables.tf
  variable_values:
    - name: check
      value: public-read-write
The following shows the parameters in the Prisma Cloud configuration file that enable you to configure the IaC scan for Terraform 0.12.
# Specify the template type. Valid values are as follows.
# - For Terraform: TF
# - For AWS CloudFormation: CFT
# - For Kubernetes: K8S
template_type: TF
# Valid values for terraform_version are 0.11 or 0.12.
terraform_version: 0.12
# If terraform_version is 0.12, then terraform_012_parameters is required.
# The value of terraform_012_parameters is an array of root_modules. The value for root_module is relative to your repository branch root directory.
# Each root module can have:
# - variable_files, which is an array of variable file names relative to your repository branch root directory
# - variables, which is an array of name/value pairs that identify the input variables for the module
terraform_012_parameters:
  - root_module: scan/rich-value-types/
    variables:
      - name: check
        value: public-read-write
      - name: varName2
        value: varValue2
  - root_module: scan/for-expressions/
    variable_files:
      - scan/rich-value-types/expressions/variables.tf

Configure IaC Scan to Support AWS CloudFormation

The following shows the parameters in the Prisma Cloud configuration file that enable you to configure the IaC scan for Amazon CloudFormation templates with variables.
# Specify the template type. Valid values are as follows.
# For Terraform: TF
# For AWS CloudFormation: CFT
# For Kubernetes: K8S
template_type: CFT
# If the template_type value is CFT, set cft_parameters (optional).
# variable_values is an array of name/value pairs, which identifies the
# template variables
cft_parameters:
  variable_values:
    - name: KeyName
      value: 10
    - name: AMI
      value: ami-45785

Configure IaC Scan to Support Kubernetes

The following shows the parameters in the Prisma Cloud configuration file that enable you to configure the IaC scan for Kubernetes.
# Specify the template type. Valid values are as follows.
# For Terraform: TF
# For AWS CloudFormation: CFT
# For Kubernetes: K8S
template_type: K8S

Configure Prisma Cloud Tags

The following shows the parameters in the Prisma Cloud configuration file that enable you to identify Prisma Cloud tags in your template. These tags offer a flexible way to identify and organize your resources in Prisma Cloud.
# Prisma Cloud Tags
# tags is an array of labels that enable you to organize your resources
# with these key/value pairs in Prisma Cloud
tags:
  - Org:Engineering
  - Team:Shift_Left
