Resource: awsConfigDeliveryChannel

Provides an AWS Config Delivery Channel.

~> Note: Delivery Channel requires a Configuration Recorder to be present. Use of dependsOn (as shown below) is recommended to avoid race conditions.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsS3BucketB = new aws.s3Bucket.S3Bucket(this, "b", {
  bucket: "example-awsconfig",
  forceDestroy: true,
});
const dataAwsIamPolicyDocumentAssumeRole =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "assume_role",
    {
      statement: [
        {
          actions: ["sts:AssumeRole"],
          effect: "Allow",
          principals: [
            {
              identifiers: ["config.amazonaws.com"],
              type: "Service",
            },
          ],
        },
      ],
    }
  );
const dataAwsIamPolicyDocumentP =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "p", {
    statement: [
      {
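        /*s3:* is broader than delivery to the bucket requires; narrow the actions for real deployments.*/
        actions: ["s3:*"],
        effect: "Allow",
        /*The bucket itself plus every object in it.*/
        resources: [awsS3BucketB.arn, `${awsS3BucketB.arn}/*`],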
      },
    ],
  });
const awsIamRoleR = new aws.iamRole.IamRole(this, "r", {
  assumeRolePolicy: dataAwsIamPolicyDocumentAssumeRole.json,
  name: "awsconfig-example",
});
const awsIamRolePolicyP = new aws.iamRolePolicy.IamRolePolicy(this, "p_4", {
  name: "awsconfig-example",
  policy: dataAwsIamPolicyDocumentP.json,
  role: awsIamRoleR.id,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamRolePolicyP.overrideLogicalId("p");
const awsConfigConfigurationRecorderFoo =
  new aws.configConfigurationRecorder.ConfigConfigurationRecorder(this, "foo", {
    name: "example",
    roleArn: awsIamRoleR.arn,
  });
const awsConfigDeliveryChannelFoo =
  new aws.configDeliveryChannel.ConfigDeliveryChannel(this, "foo_6", {
    /*Create the delivery channel only after the configuration recorder exists.*/
    dependsOn: [awsConfigConfigurationRecorderFoo],
    name: "example",
    s3BucketName: awsS3BucketB.bucket,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsConfigDeliveryChannelFoo.overrideLogicalId("foo");
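
The role policy in the example above grants s3:* on the bucket. The helper below is an added example, not part of the provider documentation: it builds a narrower policy document from the permissions AWS documents for the AWS Config delivery role, and rejects a KMS key outside the bucket's Region. The names configDeliveryPolicy and DeliveryTarget are hypothetical, and the account ID and ARNs are constructed sample values.

```typescript
// Added example: least-privilege policy document for the AWS Config delivery role.
// configDeliveryPolicy and DeliveryTarget are hypothetical names, not provider APIs.
interface Statement {
  Effect: "Allow";
  Action: string[];
  Resource: string[];
  Condition?: Record<string, Record<string, string>>;
}

interface DeliveryTarget {
  bucketArn: string;     // ARN of the delivery bucket (s3BucketName)
  bucketRegion: string;  // Region the bucket lives in
  accountId: string;     // account whose configuration is recorded
  s3KeyPrefix?: string;  // same value as the delivery channel's s3KeyPrefix
  s3KmsKeyArn?: string;  // same value as the delivery channel's s3KmsKeyArn
}

function configDeliveryPolicy(t: DeliveryTarget): { Version: string; Statement: Statement[] } {
  // AWS Config writes objects under [prefix/]AWSLogs/<account-id>/.
  const trimmed = (t.s3KeyPrefix ?? "").replace(/^\/+|\/+$/g, "");
  const prefix = trimmed ? `${trimmed}/` : "";
  const statements: Statement[] = [
    {
      Effect: "Allow",
      Action: ["s3:PutObject", "s3:PutObjectAcl"],
      Resource: [`${t.bucketArn}/${prefix}AWSLogs/${t.accountId}/*`],
      Condition: { StringLike: { "s3:x-amz-acl": "bucket-owner-full-control" } },
    },
    { Effect: "Allow", Action: ["s3:GetBucketAcl"], Resource: [t.bucketArn] },
  ];
  if (t.s3KmsKeyArn) {
    // KMS key ARN layout: arn:partition:kms:region:account:key/id
    const keyRegion = t.s3KmsKeyArn.split(":")[3];
    if (keyRegion !== t.bucketRegion) {
      throw new Error(`KMS key Region ${keyRegion} differs from bucket Region ${t.bucketRegion}`);
    }
    statements.push({ Effect: "Allow", Action: ["kms:Decrypt", "kms:GenerateDataKey"], Resource: [t.s3KmsKeyArn] });
  }
  return { Version: "2012-10-17", Statement: statements };
}

// Constructed sample input; the JSON string is the shape an IAM role policy expects.
const samplePolicyJson = JSON.stringify(configDeliveryPolicy({
  bucketArn: "arn:aws:s3:::example-awsconfig",
  bucketRegion: "us-east-1",
  accountId: "111122223333",
  s3KeyPrefix: "config",
}), null, 2);
```
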

Argument Reference

The following arguments are supported:

  • name - (Optional) The name of the delivery channel. Defaults to default. Changing it recreates the resource.
  • s3BucketName - (Required) The name of the S3 bucket used to store the configuration history.
  • s3KeyPrefix - (Optional) The prefix for the specified S3 bucket.
  • s3KmsKeyArn - (Optional) The ARN of the AWS KMS key used to encrypt objects delivered by AWS Config. Must belong to the same Region as the destination S3 bucket.
  • snsTopicArn - (Optional) The ARN of the SNS topic that AWS Config delivers notifications to.
  • snapshotDeliveryProperties - (Optional) Options for how AWS Config delivers configuration snapshots. See below.

snapshotDeliveryProperties

  • deliveryFrequency - (Optional) The frequency with which AWS Config recurringly delivers configuration snapshots, e.g., One_Hour or Three_Hours. Valid values are listed here.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The name of the delivery channel.

Import

Delivery Channel can be imported using the name, e.g.,

$ terraform import aws_config_delivery_channel.foo example