» Resource: aws_config_config_rule

Provides an AWS Config Rule.

» Example Usage

» AWS Managed Rules

AWS managed rules can be used by setting the source owner to AWS and the source identifier to the name of the managed rule. More information about AWS managed rules can be found in the AWS Config Developer Guide.

resource "aws_config_config_rule" "r" {
  name = "example"

  source {
    owner             = "AWS"
    source_identifier = "S3_BUCKET_VERSIONING_ENABLED"
  }

  depends_on = ["aws_config_configuration_recorder.foo"]
}

resource "aws_config_configuration_recorder" "foo" {
  name     = "example"
  role_arn = "${aws_iam_role.r.arn}"
}

resource "aws_iam_role" "r" {
  name = "my-awsconfig-role"

  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
POLICY
}

resource "aws_iam_role_policy" "p" {
  name = "my-awsconfig-policy"
  role = "${aws_iam_role.r.id}"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "config:Put*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
POLICY
}

» Custom Rules

Custom rules can be used by setting the source owner to CUSTOM_LAMBDA and the source identifier to the Amazon Resource Name (ARN) of the Lambda Function. The AWS Config service must have permissions to invoke the Lambda Function, e.g. via the aws_lambda_permission resource. More information about custom rules can be found in the AWS Config Developer Guide.

resource "aws_config_configuration_recorder" "example" {
  # ... other configuration ...
}

resource "aws_lambda_function" "example" {
  # ... other configuration ...
}

resource "aws_lambda_permission" "example" {
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.example.arn}"
  principal     = "config.amazonaws.com"
  statement_id  = "AllowExecutionFromConfig"
}

resource "aws_config_config_rule" "example" {
  # ... other configuration ...

  source {
    owner             = "CUSTOM_LAMBDA"
    source_identifier = "${aws_lambda_function.example.arn}"
  }

  depends_on = ["aws_config_configuration_recorder.example", "aws_lambda_permission.example"]
}

» Argument Reference

The following arguments are supported:

  • name - (Required) The name of the rule
  • description - (Optional) Description of the rule
  • input_parameters - (Optional) A string in JSON format that is passed to the AWS Config rule Lambda function.
  • maximum_execution_frequency - (Optional) The maximum frequency with which AWS Config runs evaluations for a rule.
  • scope - (Optional) Scope defines which resources can trigger an evaluation for the rule as documented below.
  • source - (Required) Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources as documented below.

» scope

Defines which resources can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.

  • compliance_resource_id - (Optional) The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify exactly one resource type in compliance_resource_types.
  • compliance_resource_types - (Optional) A list of resource types of only those AWS resources that you want to trigger an evaluation for the rule, e.g. AWS::EC2::Instance. You can only specify one type if you also specify a resource ID in compliance_resource_id. See the relevant part of the AWS docs for the available types.
  • tag_key - (Optional, Required if tag_value is specified) The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.
  • tag_value - (Optional) The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule.
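The following is an added example, not part of the provider documentation, showing how input_parameters, maximum_execution_frequency and scope combine on AWS managed rules. It assumes the aws_config_configuration_recorder.foo resource from the AWS Managed Rules section above; the rule names, descriptions and the Environment=production tag are made-up values. ACCESS_KEYS_ROTATED, INCOMING_SSH_DISABLED and ENCRYPTED_VOLUMES are real AWS managed rule identifiers, and maxAccessKeyAge is the parameter ACCESS_KEYS_ROTATED accepts.

```hcl
# Added example (not from the provider docs). Assumes
# aws_config_configuration_recorder.foo exists as in the managed rules example.

# Periodic managed rule: report IAM access keys older than maxAccessKeyAge days.
# A periodic rule has no scope; it is driven by maximum_execution_frequency.
resource "aws_config_config_rule" "access_keys_rotated" {
  name        = "access-keys-rotated"
  description = "IAM access keys must be rotated at least every 90 days"

  # JSON string handed to the rule; keys must match the managed rule's parameters.
  input_parameters = <<PARAMS
{
  "maxAccessKeyAge": "90"
}
PARAMS

  # Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, TwentyFour_Hours.
  maximum_execution_frequency = "TwentyFour_Hours"

  source {
    owner             = "AWS"
    source_identifier = "ACCESS_KEYS_ROTATED"
  }

  depends_on = ["aws_config_configuration_recorder.foo"]
}

# Change-triggered managed rule scoped by resource type: only security group
# changes cause an evaluation, so unrelated resource changes do not invoke it.
resource "aws_config_config_rule" "restricted_ssh" {
  name        = "restricted-ssh"
  description = "Security groups must not allow unrestricted inbound SSH"

  scope {
    compliance_resource_types = ["AWS::EC2::SecurityGroup"]
  }

  source {
    owner             = "AWS"
    source_identifier = "INCOMING_SSH_DISABLED"
  }

  depends_on = ["aws_config_configuration_recorder.foo"]
}

# Change-triggered managed rule scoped by tag: only resources carrying
# Environment=production (a made-up tag) are evaluated when they change.
resource "aws_config_config_rule" "encrypted_volumes_production" {
  name        = "encrypted-volumes-production"
  description = "Production EBS volumes must be encrypted"

  scope {
    tag_key   = "Environment"
    tag_value = "production"
  }

  source {
    owner             = "AWS"
    source_identifier = "ENCRYPTED_VOLUMES"
  }

  depends_on = ["aws_config_configuration_recorder.foo"]
}
```

The AWS Config scope is either a set of resource types (optionally narrowed to one resource ID) or a tag key/value pair, which is why the two change-triggered rules above use one form each rather than combining them.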

» source

Provides the rule owner (AWS or customer), the rule identifier, and the notifications that cause the function to evaluate your AWS resources.

  • owner - (Required) Indicates whether AWS or the customer owns and manages the AWS Config rule. Valid values are AWS or CUSTOM_LAMBDA. For more information about managed rules, see the AWS Config Managed Rules documentation. For more information about custom rules, see the AWS Config Custom Rules documentation. Custom Lambda Functions require permissions to allow the AWS Config service to invoke them, e.g. via the aws_lambda_permission resource.
  • source_identifier - (Required) For AWS Config managed rules, a predefined identifier, e.g. IAM_PASSWORD_POLICY. For custom Lambda rules, the identifier is the ARN of the Lambda Function, such as arn:aws:lambda:us-east-1:123456789012:function:custom_rule_name or the arn attribute of the aws_lambda_function resource.
  • source_detail - (Optional) Provides the source and type of the event that causes AWS Config to evaluate your AWS resources. Only valid if owner is CUSTOM_LAMBDA.
    • event_source - (Optional) The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWS resources. This defaults to aws.config and is the only valid value.
    • maximum_execution_frequency - (Optional) The frequency that you want AWS Config to run evaluations for a rule that is triggered periodically. If specified, requires message_type to be ScheduledNotification.
    • message_type - (Optional) The type of notification that triggers AWS Config to run an evaluation for a rule. You can specify the following notification types:
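The following is an added example, not part of the provider documentation, that completes the Custom Rules section above and shows the source_detail block in use. It assumes aws_lambda_function.example and aws_config_configuration_recorder.example are defined as in that section; the rule name, the requiredLogPrefix parameter and its value are made up. ScheduledNotification is the message type the page names for periodic evaluation; ConfigurationItemChangeNotification is the AWS Config message type for change-triggered evaluation.

```hcl
# Added example (not from the provider docs). Assumes
# aws_lambda_function.example and aws_config_configuration_recorder.example
# exist as in the Custom Rules section.

# AWS Config must be allowed to invoke the function; restricting the principal
# to config.amazonaws.com keeps the grant as narrow as the rule needs.
resource "aws_lambda_permission" "example" {
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.example.arn}"
  principal     = "config.amazonaws.com"
  statement_id  = "AllowExecutionFromConfig"
}

resource "aws_config_config_rule" "example" {
  name        = "s3-bucket-logging-custom"
  description = "Custom Lambda rule evaluated on bucket changes and every 24 hours"

  # Passed to the Lambda function as the ruleParameters JSON string in the
  # invoking event; requiredLogPrefix is a made-up parameter for this example.
  input_parameters = <<PARAMS
{
  "requiredLogPrefix": "s3-access-logs/"
}
PARAMS

  # Only S3 bucket changes trigger the change-based evaluation below.
  scope {
    compliance_resource_types = ["AWS::S3::Bucket"]
  }

  source {
    owner             = "CUSTOM_LAMBDA"
    source_identifier = "${aws_lambda_function.example.arn}"

    # Evaluate whenever an in-scope resource's configuration item changes.
    source_detail {
      event_source = "aws.config"
      message_type = "ConfigurationItemChangeNotification"
    }

    # Also evaluate on a schedule, so drift that produces no configuration
    # change event is still caught. maximum_execution_frequency here requires
    # message_type to be ScheduledNotification.
    source_detail {
      event_source                = "aws.config"
      message_type                = "ScheduledNotification"
      maximum_execution_frequency = "TwentyFour_Hours"
    }
  }

  depends_on = ["aws_config_configuration_recorder.example", "aws_lambda_permission.example"]
}
```

The two source_detail blocks are independent triggers: the first fires per changed bucket with that bucket's configuration item, the second fires once per period with no configuration item, so the Lambda function has to handle both invocation shapes.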

» Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - The ARN of the config rule
  • rule_id - The ID of the config rule

» Import

Config Rule can be imported using the name, e.g.

$ terraform import aws_config_config_rule.foo example