Resource: awsConfigConformancePack

Manages a Config Conformance Pack. More information about this collection of Config rules and remediation actions can be found in the Conformance Packs documentation. Sample Conformance Pack templates may be found in the AWS Config Rules Repository.

~> NOTE: The account must have a Configuration Recorder with proper IAM permissions before the Conformance Pack will successfully create or update. See also the awsConfigConfigurationRecorder resource.

Example Usage

Template Body

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.configConformancePack.ConfigConformancePack(this, "example", {
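  // dependsOn takes construct references. awsConfigConfigurationRecorderExample is
  // assumed to be a ConfigConfigurationRecorder defined elsewhere in this stack.
  dependsOn: [awsConfigConfigurationRecorderExample],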
  inputParameter: [
    {
      parameterName: "AccessKeysRotatedParameterMaxAccessKeyAge",
      parameterValue: "90",
    },
  ],
  name: "example",
  templateBody:
    "Parameters:\n  AccessKeysRotatedParameterMaxAccessKeyAge:\n    Type: String\nResources:\n  IAMPasswordPolicy:\n    Properties:\n      ConfigRuleName: IAMPasswordPolicy\n      Source:\n        Owner: AWS\n        SourceIdentifier: IAM_PASSWORD_POLICY\n    Type: AWS::Config::ConfigRule\n",
});

Template S3 URI

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsS3BucketExample = new aws.s3Bucket.S3Bucket(this, "example", {
  bucket: "example",
});
const awsS3ObjectExample = new aws.s3Object.S3Object(this, "example_1", {
  bucket: awsS3BucketExample.id,
  content:
    "Resources:\n  IAMPasswordPolicy:\n    Properties:\n      ConfigRuleName: IAMPasswordPolicy\n      Source:\n        Owner: AWS\n        SourceIdentifier: IAM_PASSWORD_POLICY\n    Type: AWS::Config::ConfigRule\n",
  key: "example-key",
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsS3ObjectExample.overrideLogicalId("example");
const awsConfigConformancePackExample =
  new aws.configConformancePack.ConfigConformancePack(this, "example_2", {
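    // dependsOn takes construct references. awsConfigConfigurationRecorderExample is
    // assumed to be a ConfigConfigurationRecorder defined elsewhere in this stack.
    dependsOn: [awsConfigConfigurationRecorderExample],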
    name: "example",
    templateS3Uri: `s3://${awsS3BucketExample.bucket}/${awsS3ObjectExample.key}`,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsConfigConformancePackExample.overrideLogicalId("example");

Argument Reference

~> Note: If both templateBody and templateS3Uri are specified, AWS Config uses the templateS3Uri and ignores the templateBody.

The following arguments are supported:

  • name - (Required, Forces new resource) The name of the conformance pack. Must begin with a letter and contain from 1 to 256 alphanumeric characters and hyphens.
  • deliveryS3Bucket - (Optional) Amazon S3 bucket where AWS Config stores conformance pack templates. Maximum length of 63.
  • deliveryS3KeyPrefix - (Optional) The prefix for the Amazon S3 bucket. Maximum length of 1024.
  • inputParameter - (Optional) Set of configuration blocks describing input parameters passed to the conformance pack template. Documented below. When configured, the parameters must also be included in the templateBody or in the template stored in Amazon S3 if using templateS3Uri.
  • templateBody - (Optional, required if templateS3Uri is not provided) A string containing full conformance pack template body. Maximum length of 51200. Drift detection is not possible with this argument.
  • templateS3Uri - (Optional, required if templateBody is not provided) Location of file, e.g., s3://bucketname/prefix, containing the template body. The URI must point to the conformance pack template that is located in an Amazon S3 bucket in the same region as the conformance pack. Maximum length of 1024. Drift detection is not possible with this argument.

inputParameter Argument Reference

The inputParameter configuration block supports the following arguments:

  • parameterName - (Required) The input key.
  • parameterValue - (Required) The input value.
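
The argument constraints above can be checked locally before synth or apply. The following is an added example, not part of the provider documentation or the generated bindings; PackConfig, declaredParameters, validatePack and the MaxPasswordAge parameter are hypothetical names, and the Parameters scan assumes block-style YAML with two-space indentation as in the templates on this page.

```typescript
// Added example: validates a conformance pack config against the documented limits.
interface PackConfig {
  name: string;
  templateBody?: string;
  templateS3Uri?: string;
  deliveryS3Bucket?: string;
  inputParameter?: { parameterName: string; parameterValue: string }[];
}

// Keys under the top-level "Parameters:" section. Assumption: block-style
// YAML with two-space indentation, as in the templates on this page.
function declaredParameters(template: string): Set<string> {
  const names = new Set<string>();
  let inParams = false;
  for (const line of template.split("\n")) {
    if (/^\s*(#|$)/.test(line)) continue; // skip blank lines and comments
    if (/^\S/.test(line)) { inParams = /^Parameters:\s*$/.test(line); continue; }
    const name = inParams ? line.match(/^ {2}([A-Za-z0-9]+):/)?.[1] : undefined;
    if (name) names.add(name);
  }
  return names;
}

function validatePack(cfg: PackConfig): string[] {
  const problems: string[] = [];
  if (!/^[A-Za-z][A-Za-z0-9-]{0,255}$/.test(cfg.name))
    problems.push("name: must begin with a letter, 1-256 alphanumerics/hyphens");
  if (!cfg.templateBody && !cfg.templateS3Uri)
    problems.push("template: templateBody or templateS3Uri is required");
  if (cfg.templateBody && cfg.templateS3Uri)
    problems.push("template: both set, templateBody will be ignored");
  if ((cfg.templateBody ?? "").length > 51200) problems.push("templateBody: over 51200");
  if ((cfg.templateS3Uri ?? "").length > 1024) problems.push("templateS3Uri: over 1024");
  if ((cfg.deliveryS3Bucket ?? "").length > 63) problems.push("deliveryS3Bucket: over 63");
  // Declarations can only be checked locally when the inline body is the one used.
  if (cfg.templateBody && !cfg.templateS3Uri) {
    const declared = declaredParameters(cfg.templateBody);
    for (const p of cfg.inputParameter ?? [])
      if (!declared.has(p.parameterName))
        problems.push(`inputParameter: ${p.parameterName} not declared in template`);
  }
  return problems;
}

// Constructed sample: a template like the page's, plus one undeclared parameter.
const sampleBody = "Parameters:\n  AccessKeysRotatedParameterMaxAccessKeyAge:\n    Type: String\nResources:\n  IAMPasswordPolicy:\n    Type: AWS::Config::ConfigRule\n";
const sampleProblems = validatePack({ name: "example", templateBody: sampleBody, inputParameter: [
  { parameterName: "AccessKeysRotatedParameterMaxAccessKeyAge", parameterValue: "90" },
  { parameterName: "MaxPasswordAge", parameterValue: "90" } ] });
```

When templateS3Uri is set, the parameter declarations live in the S3 object, so that check has to run against the uploaded template instead.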

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - Amazon Resource Name (ARN) of the conformance pack.

Import

Config Conformance Packs can be imported using the name, e.g.,

$ terraform import aws_config_conformance_pack.example example