Resource: awsConfigConfigRule
Provides an AWS Config Rule.
~> Note: Config Rule requires an existing Configuration Recorder to be present. Use of dependsOn
is recommended (as shown below) to avoid race conditions.
Example Usage
AWS Managed Rules
AWS managed rules can be used by setting the source owner to AWS
and the source identifier to the name of the managed rule. More information about AWS managed rules can be found in the AWS Config Developer Guide.
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";

// Trust policy: lets the AWS Config service assume the recorder role.
const dataAwsIamPolicyDocumentAssumeRole =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "assume_role", {
    statement: [
      {
        actions: ["sts:AssumeRole"],
        effect: "Allow",
        principals: [{ identifiers: ["config.amazonaws.com"], type: "Service" }],
      },
    ],
  });
// Permissions the recorder role needs to write configuration items.
const dataAwsIamPolicyDocumentP =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "p", {
    statement: [{ actions: ["config:Put*"], effect: "Allow", resources: ["*"] }],
  });
const awsIamRoleR = new aws.iamRole.IamRole(this, "r", {
  assumeRolePolicy: dataAwsIamPolicyDocumentAssumeRole.json,
  name: "my-awsconfig-role",
});
const awsIamRolePolicyP = new aws.iamRolePolicy.IamRolePolicy(this, "p_3", {
  name: "my-awsconfig-policy",
  policy: dataAwsIamPolicyDocumentP.json,
  role: awsIamRoleR.id,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamRolePolicyP.overrideLogicalId("p");
const awsConfigConfigurationRecorderFoo =
  new aws.configConfigurationRecorder.ConfigConfigurationRecorder(this, "foo", {
    name: "example",
    roleArn: awsIamRoleR.arn,
  });
// The explicit dependency on the recorder avoids the race condition noted above.
const awsConfigConfigRuleR = new aws.configConfigRule.ConfigConfigRule(this, "r_5", {
  dependsOn: [awsConfigConfigurationRecorderFoo],
  name: "example",
  source: {
    owner: "AWS",
    sourceIdentifier: "S3_BUCKET_VERSIONING_ENABLED",
  },
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsConfigConfigRuleR.overrideLogicalId("r");
Custom Rules
Custom rules can be used by setting the source owner to CUSTOM_LAMBDA
and the source identifier to the Amazon Resource Name (ARN) of the Lambda Function. The AWS Config service must have permissions to invoke the Lambda Function, e.g., via the awsLambdaPermission
resource. More information about custom rules can be found in the AWS Config Developer Guide.
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";

const awsConfigConfigurationRecorderExample =
  new aws.configConfigurationRecorder.ConfigConfigurationRecorder(this, "example", {});
const awsLambdaFunctionExample = new aws.lambdaFunction.LambdaFunction(this, "example_1", {});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsLambdaFunctionExample.overrideLogicalId("example");
// Resource-based policy that lets the AWS Config service invoke the rule's function.
const awsLambdaPermissionExample = new aws.lambdaPermission.LambdaPermission(this, "example_2", {
  action: "lambda:InvokeFunction",
  functionName: awsLambdaFunctionExample.arn,
  principal: "config.amazonaws.com",
  statementId: "AllowExecutionFromConfig",
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsLambdaPermissionExample.overrideLogicalId("example");
// The rule must wait for both the recorder and the invoke permission to exist.
const awsConfigConfigRuleExample = new aws.configConfigRule.ConfigConfigRule(this, "example_3", {
  dependsOn: [awsConfigConfigurationRecorderExample, awsLambdaPermissionExample],
  source: {
    owner: "CUSTOM_LAMBDA",
    sourceIdentifier: awsLambdaFunctionExample.arn,
  },
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsConfigConfigRuleExample.overrideLogicalId("example");
Custom Policies
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";

new aws.configConfigRule.ConfigConfigRule(this, "example", {
  name: "example",
  source: {
    customPolicyDetails: {
      policyRuntime: "guard-2.x.x",
      // Guard policy: an ACTIVE DynamoDB table must have point-in-time recovery enabled.
      policyText:
        '\t rule tableisactive when\n\t\t resourceType == "AWS::DynamoDB::Table" {\n\t\t configuration.tableStatus == [\'ACTIVE\']\n\t }\n\t \n\t rule checkcompliance when\n\t\t resourceType == "AWS::DynamoDB::Table"\n\t\t tableisactive {\n\t\t\t supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus == "ENABLED"\n\t }\n',
    },
    owner: "CUSTOM_POLICY",
    sourceDetail: [
      {
        messageType: "ConfigurationItemChangeNotification",
      },
    ],
  },
});
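Added example, not code from the provider docs: the evaluation logic a CUSTOM_LAMBDA rule (Custom Rules section) would run to enforce the same check as the Guard policy in the Custom Policies section above. The event shape is the payload AWS Config passes to a rule's Lambda function; the PutEvaluations call that reports results with event.resultToken is omitted so the block runs offline, and the sample event is constructed.

```typescript
// Added example (not the provider's code): a CUSTOM_LAMBDA evaluator mirroring the
// Guard policy above; the PutEvaluations call with event.resultToken is omitted.
type Compliance = "COMPLIANT" | "NON_COMPLIANT" | "NOT_APPLICABLE";
type ConfigurationItem = {
  resourceType: string; resourceId: string; configurationItemStatus: string;
  configurationItemCaptureTime: string; configuration: any;
  supplementaryConfiguration?: any;
};
type Evaluation = {
  ComplianceResourceType: string; ComplianceResourceId: string;
  ComplianceType: Compliance; OrderingTimestamp: string;
};
function evaluateTable(ci: ConfigurationItem): Compliance {
  // Non-table, deleted, or not-yet-ACTIVE items are out of scope, just as the
  // Guard rule's "when" guards leave them unevaluated.
  if (ci.resourceType !== "AWS::DynamoDB::Table") return "NOT_APPLICABLE";
  if (ci.configurationItemStatus === "ResourceDeleted") return "NOT_APPLICABLE";
  if (ci.configuration?.tableStatus !== "ACTIVE") return "NOT_APPLICABLE";
  const pitr = ci.supplementaryConfiguration?.ContinuousBackupsDescription
    ?.pointInTimeRecoveryDescription?.pointInTimeRecoveryStatus;
  return pitr === "ENABLED" ? "COMPLIANT" : "NON_COMPLIANT";
}
// invokingEvent is a JSON string. Only ConfigurationItemChangeNotification
// carries the item inline; oversized and scheduled notifications do not.
function evaluateConfigEvent(event: { invokingEvent: string; resultToken: string }): Evaluation[] {
  const invoking = JSON.parse(event.invokingEvent);
  if (invoking.messageType !== "ConfigurationItemChangeNotification") return [];
  const ci = invoking.configurationItem as ConfigurationItem;
  return [{
    ComplianceResourceType: ci.resourceType,
    ComplianceResourceId: ci.resourceId,
    ComplianceType: evaluateTable(ci),
    OrderingTimestamp: ci.configurationItemCaptureTime,
  }];
}
// Constructed sample event (not captured from a real account).
const sampleEvent = {
  resultToken: "placeholder-token",
  invokingEvent: JSON.stringify({
    messageType: "ConfigurationItemChangeNotification",
    configurationItem: {
      resourceType: "AWS::DynamoDB::Table", resourceId: "orders",
      configurationItemStatus: "OK", configuration: { tableStatus: "ACTIVE" },
      configurationItemCaptureTime: "2024-01-01T00:00:00.000Z",
      supplementaryConfiguration: { ContinuousBackupsDescription: {
        pointInTimeRecoveryDescription: { pointInTimeRecoveryStatus: "DISABLED" } } },
    },
  }),
};
```

A real handler would pass the returned array, together with event.resultToken, to the Config PutEvaluations API; for OversizedConfigurationItemChangeNotification the item has to be fetched with GetResourceConfigHistory first.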
Argument Reference
The following arguments are supported:
name - (Required) The name of the rule.
description - (Optional) Description of the rule.
inputParameters - (Optional) A string in JSON format that is passed to the AWS Config rule Lambda function.
maximumExecutionFrequency - (Optional) The maximum frequency with which AWS Config runs evaluations for a rule.
scope - (Optional) Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
source - (Required) Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
tags - (Optional) A map of tags to assign to the resource. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider level.
Scope
Defines which resources can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.
complianceResourceId - (Optional) The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for complianceResourceTypes.
complianceResourceTypes - (Optional) A list of resource types of only those AWS resources that you want to trigger an evaluation for the rule, e.g., AWS::EC2::Instance. You can only specify one type if you also specify a resource ID for complianceResourceId. See the relevant part of the AWS Docs for available types.
tagKey - (Optional, Required if tagValue is specified) The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.
tagValue - (Optional) The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule.
Source
Provides the rule owner (AWS or customer), the rule identifier, and the notifications that cause the function to evaluate your AWS resources.
owner - (Required) Indicates whether AWS or the customer owns and manages the AWS Config rule. Valid values are AWS, CUSTOM_LAMBDA or CUSTOM_POLICY. For more information about managed rules, see the AWS Config Managed Rules documentation. For more information about custom rules, see the AWS Config Custom Rules documentation. Custom Lambda Functions require permissions to allow the AWS Config service to invoke them, e.g., via the awsLambdaPermission resource.
sourceIdentifier - (Optional) For AWS Config managed rules, a predefined identifier, e.g., IAM_PASSWORD_POLICY. For custom Lambda rules, the identifier is the ARN of the Lambda Function, such as arn:aws:lambda:us-east-1:123456789012:function:custom_rule_name, or the arn attribute of the awsLambdaFunction resource.
sourceDetail - (Optional) Provides the source and type of the event that causes AWS Config to evaluate your AWS resources. Only valid if owner is CUSTOM_LAMBDA or CUSTOM_POLICY. See Source Detail Below.
customPolicyDetails - (Optional) Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to CUSTOM_POLICY. See Custom Policy Details Below.
Source Detail
eventSource - (Optional) The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWS resources. This defaults to aws.config and is the only valid value.
maximumExecutionFrequency - (Optional) The frequency that you want AWS Config to run evaluations for a rule that is triggered periodically. If specified, requires messageType to be ScheduledNotification.
messageType - (Optional) The type of notification that triggers AWS Config to run an evaluation for a rule. You can specify the following notification types:
  ConfigurationItemChangeNotification - Triggers an evaluation when AWS Config delivers a configuration item as a result of a resource change.
  OversizedConfigurationItemChangeNotification - Triggers an evaluation when AWS Config delivers an oversized configuration item. AWS Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.
  ScheduledNotification - Triggers a periodic evaluation at the frequency specified for maximumExecutionFrequency.
  ConfigurationSnapshotDeliveryCompleted - Triggers a periodic evaluation when AWS Config delivers a configuration snapshot.
Custom Policy Details
enableDebugLogDelivery - (Optional) The boolean expression for enabling debug logging for your Config Custom Policy rule. The default value is false.
policyRuntime - (Required) The runtime system for your Config Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by Config Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
policyText - (Required) The policy definition containing the logic for your Config Custom Policy rule.
Attributes Reference
In addition to all arguments above, the following attributes are exported:
arn - The ARN of the config rule.
ruleId - The ID of the config rule.
tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.
Import
Config Rule can be imported using the name, e.g.,