Resource: awsConfigOrganizationConformancePack

Manages a Config Organization Conformance Pack. More information can be found in the Managing Conformance Packs Across all Accounts in Your Organization and AWS Config Managed Rules documentation. Example conformance pack templates may be found in the AWS Config Rules Repository.

~> NOTE: This resource must be created in the Organization master account or a delegated administrator account, and the Organization must have all features enabled. Every Organization account except those configured in the excludedAccounts argument must have a Configuration Recorder with proper IAM permissions before the Organization Conformance Pack will successfully create or update. See also the awsConfigConfigurationRecorder resource.

Example Usage

Using Template Body

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.
This snippet is meant to run inside a TerraformStack constructor, which is what `this` refers to.*/
import * as aws from "./.gen/providers/aws";
const awsOrganizationsOrganizationExample =
  new aws.organizationsOrganization.OrganizationsOrganization(this, "example", {
    // Trusted access for the AWS Config multi-account setup service principal.
    awsServiceAccessPrincipals: ["config-multiaccountsetup.amazonaws.com"],
    featureSet: "ALL",
  });
const awsConfigOrganizationConformancePackExample =
  new aws.configOrganizationConformancePack.ConfigOrganizationConformancePack(
    this,
    "example_1",
    {
      // dependsOn takes construct references, not Terraform address strings.
      // The configuration recorder (aws_config_configuration_recorder.example in
      // the HCL original) is not declared in this snippet; add its construct to
      // this list once you define it.
      dependsOn: [awsOrganizationsOrganizationExample],
      // Every parameter passed here must be declared under Parameters in the template.
      inputParameter: [
        {
          parameterName: "AccessKeysRotatedParameterMaxAccessKeyAge",
          parameterValue: "90",
        },
      ],
      name: "example",
      templateBody:
        "Parameters:\n  AccessKeysRotatedParameterMaxAccessKeyAge:\n    Type: String\nResources:\n  IAMPasswordPolicy:\n    Properties:\n      ConfigRuleName: IAMPasswordPolicy\n      Source:\n        Owner: AWS\n        SourceIdentifier: IAM_PASSWORD_POLICY\n    Type: AWS::Config::ConfigRule\n",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsConfigOrganizationConformancePackExample.overrideLogicalId("example");

Using Template S3 URI

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.
This snippet is meant to run inside a TerraformStack constructor, which is what `this` refers to.*/
import * as aws from "./.gen/providers/aws";
const awsOrganizationsOrganizationExample =
  new aws.organizationsOrganization.OrganizationsOrganization(this, "example", {
    // Trusted access for the AWS Config multi-account setup service principal.
    awsServiceAccessPrincipals: ["config-multiaccountsetup.amazonaws.com"],
    featureSet: "ALL",
  });
const awsS3BucketExample = new aws.s3Bucket.S3Bucket(this, "example_1", {
  bucket: "example",
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsS3BucketExample.overrideLogicalId("example");
// The conformance pack template is uploaded as an S3 object and referenced by URI.
const awsS3ObjectExample = new aws.s3Object.S3Object(this, "example_2", {
  bucket: awsS3BucketExample.id,
  content:
    "Resources:\n  IAMPasswordPolicy:\n    Properties:\n      ConfigRuleName: IAMPasswordPolicy\n      Source:\n        Owner: AWS\n        SourceIdentifier: IAM_PASSWORD_POLICY\n    Type: AWS::Config::ConfigRule\n",
  key: "example-key",
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsS3ObjectExample.overrideLogicalId("example");
const awsConfigOrganizationConformancePackExample =
  new aws.configOrganizationConformancePack.ConfigOrganizationConformancePack(
    this,
    "example_3",
    {
      // dependsOn takes construct references, not Terraform address strings.
      // The configuration recorder (aws_config_configuration_recorder.example in
      // the HCL original) is not declared in this snippet; add its construct to
      // this list once you define it.
      dependsOn: [awsOrganizationsOrganizationExample],
      name: "example",
      // Attribute getters already return Terraform tokens, so they are
      // interpolated directly; wrapping them in a second ${...} is not needed.
      templateS3Uri: `s3://${awsS3BucketExample.bucket}/${awsS3ObjectExample.key}`,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsConfigOrganizationConformancePackExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • name - (Required, Forces new resource) The name of the organization conformance pack. Must begin with a letter and contain from 1 to 128 alphanumeric characters and hyphens.
  • deliveryS3Bucket - (Optional) Amazon S3 bucket where AWS Config stores conformance pack templates. Delivery bucket must begin with awsconfigconforms prefix. Maximum length of 63.
  • deliveryS3KeyPrefix - (Optional) The prefix for the Amazon S3 bucket. Maximum length of 1024.
  • excludedAccounts - (Optional) Set of AWS accounts to be excluded from an organization conformance pack while deploying a conformance pack. Maximum of 1000 accounts.
  • inputParameter - (Optional) Set of configuration blocks describing input parameters passed to the conformance pack template. Documented below. When configured, the parameters must also be included in the templateBody or in the template stored in Amazon S3 if using templateS3Uri.
  • templateBody - (Optional, Conflicts with templateS3Uri) A string containing full conformance pack template body. Maximum length of 51200. Drift detection is not possible with this argument.
  • templateS3Uri - (Optional, Conflicts with templateBody) Location of file, e.g., s3://bucketname/prefix, containing the template body. The uri must point to the conformance pack template that is located in an Amazon S3 bucket in the same region as the conformance pack. Maximum length of 1024. Drift detection is not possible with this argument.

inputParameter Argument Reference

The inputParameter configuration block supports the following arguments:

  • parameterName - (Required) The input key.
  • parameterValue - (Required) The input value.
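The constraints listed in the Argument Reference and the inputParameter block above are only enforced by the Config API at apply time. The following is an added example, not code from the Terraform AWS provider or its documentation: a small pre-plan validator for a CDKTF stack that checks those constraints locally (name format, the awsconfigconforms delivery-bucket prefix, the 1000-account exclusion cap, the templateBody/templateS3Uri conflict and length limits, and that every inputParameter is declared under Parameters in a local templateBody). The interface and function names (PackArgs, validatePackArgs, templateParameterNames) are hypothetical, the YAML walk is a minimal indentation-based scan that handles templates shaped like the ones on this page rather than a full YAML parser, and the 12-digit account-id check goes beyond the page's own text.

```typescript
// Added example (not part of the provider docs): validate
// awsConfigOrganizationConformancePack arguments before running a plan.

export interface InputParameter {
  parameterName: string;
  parameterValue: string;
}

// Hypothetical shape mirroring the documented arguments.
export interface PackArgs {
  name: string;
  deliveryS3Bucket?: string;
  deliveryS3KeyPrefix?: string;
  excludedAccounts?: string[];
  inputParameter?: InputParameter[];
  templateBody?: string;
  templateS3Uri?: string;
}

// Collect the keys declared under the top-level "Parameters:" block.
// Minimal indentation-based walk: a top-level key resets the section,
// and two-space-indented keys inside "Parameters:" are parameter names.
export function templateParameterNames(templateBody: string): Set<string> {
  const names = new Set<string>();
  let inParameters = false;
  for (const raw of templateBody.split("\n")) {
    if (raw.trim() === "") continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0) {
      inParameters = raw.trim() === "Parameters:";
      continue;
    }
    if (inParameters && indent === 2 && raw.trim().endsWith(":")) {
      names.add(raw.trim().slice(0, -1));
    }
  }
  return names;
}

// Returns a list of human-readable violations; empty means the arguments
// satisfy every documented constraint that can be checked offline.
export function validatePackArgs(args: PackArgs): string[] {
  const errors: string[] = [];
  // name: begins with a letter, 1-128 alphanumerics or hyphens, forces new resource.
  if (!/^[A-Za-z][A-Za-z0-9-]{0,127}$/.test(args.name)) {
    errors.push("name must start with a letter and be 1-128 alphanumeric characters or hyphens");
  }
  if (args.deliveryS3Bucket !== undefined) {
    if (!args.deliveryS3Bucket.startsWith("awsconfigconforms")) {
      errors.push("deliveryS3Bucket must begin with the awsconfigconforms prefix");
    }
    if (args.deliveryS3Bucket.length > 63) {
      errors.push("deliveryS3Bucket exceeds 63 characters");
    }
  }
  if (args.deliveryS3KeyPrefix !== undefined && args.deliveryS3KeyPrefix.length > 1024) {
    errors.push("deliveryS3KeyPrefix exceeds 1024 characters");
  }
  if (args.excludedAccounts !== undefined) {
    if (args.excludedAccounts.length > 1000) {
      errors.push("excludedAccounts lists more than 1000 accounts");
    }
    for (const account of args.excludedAccounts) {
      // AWS account ids are 12 digits; this check is not stated on the page.
      if (!/^\d{12}$/.test(account)) {
        errors.push(`excludedAccounts entry "${account}" is not a 12-digit account id`);
      }
    }
  }
  const hasBody = args.templateBody !== undefined;
  const hasUri = args.templateS3Uri !== undefined;
  // templateBody and templateS3Uri conflict, and one of them is needed.
  if (hasBody === hasUri) {
    errors.push("exactly one of templateBody or templateS3Uri must be set");
  }
  if (hasBody && args.templateBody!.length > 51200) {
    errors.push("templateBody exceeds 51200 characters");
  }
  if (hasUri) {
    if (!/^s3:\/\/[^/]+\/.+$/.test(args.templateS3Uri!)) {
      errors.push("templateS3Uri must look like s3://bucketname/prefix");
    }
    if (args.templateS3Uri!.length > 1024) {
      errors.push("templateS3Uri exceeds 1024 characters");
    }
  }
  // Parameter names can only be cross-checked when the template text is local.
  if (hasBody && args.inputParameter) {
    const declared = templateParameterNames(args.templateBody!);
    for (const p of args.inputParameter) {
      if (!declared.has(p.parameterName)) {
        errors.push(`inputParameter "${p.parameterName}" is not declared under Parameters in the template`);
      }
    }
  }
  return errors;
}
```

Call validatePackArgs on the same object you pass to the ConfigOrganizationConformancePack constructor and throw if the returned list is non-empty; with templateS3Uri the parameter cross-check is skipped because the template lives in S3, which is the same reason the page notes that drift detection is not possible for either template argument.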

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - Amazon Resource Name (ARN) of the organization conformance pack.
  • id - The name of the organization conformance pack.

Timeouts

Configuration options:

  • create - (Default 10M)
  • update - (Default 10M)
  • delete - (Default 20M)

Import

Config Organization Conformance Packs can be imported using the name, e.g.,

$ terraform import aws_config_organization_conformance_pack.example example