aws.cfg.Rule
Provides an AWS Config Rule.
Note: a Config Rule requires an existing Configuration Recorder to be present. Using depends_on (as shown below) is recommended to avoid race conditions.
Example Usage
AWS Managed Rules
AWS managed rules can be used by setting the source owner to AWS and the source identifier to the name of the managed rule. More information about AWS managed rules can be found in the AWS Config Developer Guide.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Trust policy: lets the AWS Config service assume the role declared below.
const configTrustStatement = {
    effect: "Allow",
    principals: [{
        type: "Service",
        identifiers: ["config.amazonaws.com"],
    }],
    actions: ["sts:AssumeRole"],
};
const assumeRole = aws.iam.getPolicyDocument({
    statements: [configTrustStatement],
});

// Service role the Configuration Recorder runs as.
const rRole = new aws.iam.Role("r", {
    name: "my-awsconfig-role",
    assumeRolePolicy: assumeRole.then((doc) => doc.json),
});

// A Config Rule needs an existing Configuration Recorder, hence dependsOn below.
const foo = new aws.cfg.Recorder("foo", {
    name: "example",
    roleArn: rRole.arn,
});

const r = new aws.cfg.Rule("r", {
    name: "example",
    source: {
        owner: "AWS",
        sourceIdentifier: "S3_BUCKET_VERSIONING_ENABLED",
    },
}, {
    dependsOn: [foo],
});

// Permissions the recorder role needs to write to AWS Config.
// NOTE(review): config:Put* on resources "*" is a wildcard grant; narrow it, or attach the
// AWS-managed policy intended for the Config service role, before reusing this outside an example.
const p = aws.iam.getPolicyDocument({
    statements: [{
        effect: "Allow",
        actions: ["config:Put*"],
        resources: ["*"],
    }],
});
const pRolePolicy = new aws.iam.RolePolicy("p", {
    name: "my-awsconfig-policy",
    role: rRole.id,
    policy: p.then((doc) => doc.json),
});
import pulumi
import pulumi_aws as aws
# Trust policy: lets the AWS Config service assume the role declared below.
config_trust_statement = {
    "effect": "Allow",
    "principals": [{
        "type": "Service",
        "identifiers": ["config.amazonaws.com"],
    }],
    "actions": ["sts:AssumeRole"],
}
assume_role = aws.iam.get_policy_document(statements=[config_trust_statement])

# Service role the Configuration Recorder runs as.
r_role = aws.iam.Role(
    "r",
    name="my-awsconfig-role",
    assume_role_policy=assume_role.json,
)

# A Config Rule needs an existing Configuration Recorder, hence depends_on below.
foo = aws.cfg.Recorder(
    "foo",
    name="example",
    role_arn=r_role.arn,
)
r = aws.cfg.Rule(
    "r",
    name="example",
    source={
        "owner": "AWS",
        "source_identifier": "S3_BUCKET_VERSIONING_ENABLED",
    },
    opts=pulumi.ResourceOptions(depends_on=[foo]),
)

# Permissions the recorder role needs to write to AWS Config.
# NOTE(review): config:Put* on resources "*" is a wildcard grant; narrow it, or attach the
# AWS-managed policy intended for the Config service role, before reusing this outside an example.
p = aws.iam.get_policy_document(statements=[{
    "effect": "Allow",
    "actions": ["config:Put*"],
    "resources": ["*"],
}])
p_role_policy = aws.iam.RolePolicy(
    "p",
    name="my-awsconfig-policy",
    role=r_role.id,
    policy=p.json,
)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cfg"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Trust policy: lets the AWS Config service assume the role declared below.
		assumeRole, err := configTrustPolicy(ctx)
		if err != nil {
			return err
		}
		// Service role the Configuration Recorder runs as.
		rRole, err := iam.NewRole(ctx, "r", &iam.RoleArgs{
			Name:             pulumi.String("my-awsconfig-role"),
			AssumeRolePolicy: pulumi.String(assumeRole.Json),
		})
		if err != nil {
			return err
		}
		// A Config Rule needs an existing Configuration Recorder, hence DependsOn below.
		foo, err := cfg.NewRecorder(ctx, "foo", &cfg.RecorderArgs{
			Name:    pulumi.String("example"),
			RoleArn: rRole.Arn,
		})
		if err != nil {
			return err
		}
		if _, err = cfg.NewRule(ctx, "r", &cfg.RuleArgs{
			Name: pulumi.String("example"),
			Source: &cfg.RuleSourceArgs{
				Owner:            pulumi.String("AWS"),
				SourceIdentifier: pulumi.String("S3_BUCKET_VERSIONING_ENABLED"),
			},
		}, pulumi.DependsOn([]pulumi.Resource{foo})); err != nil {
			return err
		}
		// Permissions the recorder role needs to write to AWS Config.
		// NOTE(review): config:Put* on resources "*" is a wildcard grant; narrow it, or attach the
		// AWS-managed policy intended for the Config service role, before reusing this outside an example.
		p, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{{
				Effect:    pulumi.StringRef("Allow"),
				Actions:   []string{"config:Put*"},
				Resources: []string{"*"},
			}},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iam.NewRolePolicy(ctx, "p", &iam.RolePolicyArgs{
			Name:   pulumi.String("my-awsconfig-policy"),
			Role:   rRole.ID(),
			Policy: pulumi.String(p.Json),
		})
		return err
	})
}

// configTrustPolicy renders the IAM trust policy that allows config.amazonaws.com
// to call sts:AssumeRole on the recorder's service role.
func configTrustPolicy(ctx *pulumi.Context) (*iam.GetPolicyDocumentResult, error) {
	return iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
		Statements: []iam.GetPolicyDocumentStatement{{
			Effect: pulumi.StringRef("Allow"),
			Principals: []iam.GetPolicyDocumentStatementPrincipal{{
				Type:        "Service",
				Identifiers: []string{"config.amazonaws.com"},
			}},
			Actions: []string{"sts:AssumeRole"},
		}},
	}, nil)
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // Trust policy: lets the AWS Config service assume the role declared below.
    var configTrustStatement = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Effect = "Allow",
        Principals = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
            {
                Type = "Service",
                Identifiers = new[] { "config.amazonaws.com" },
            },
        },
        Actions = new[] { "sts:AssumeRole" },
    };
    var assumeRole = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[] { configTrustStatement },
    });

    // Service role the Configuration Recorder runs as.
    var rRole = new Aws.Iam.Role("r", new()
    {
        Name = "my-awsconfig-role",
        AssumeRolePolicy = assumeRole.Apply(doc => doc.Json),
    });

    // A Config Rule needs an existing Configuration Recorder, hence DependsOn below.
    var foo = new Aws.Cfg.Recorder("foo", new()
    {
        Name = "example",
        RoleArn = rRole.Arn,
    });

    var r = new Aws.Cfg.Rule("r", new()
    {
        Name = "example",
        Source = new Aws.Cfg.Inputs.RuleSourceArgs
        {
            Owner = "AWS",
            SourceIdentifier = "S3_BUCKET_VERSIONING_ENABLED",
        },
    }, new CustomResourceOptions
    {
        DependsOn = { foo },
    });

    // Permissions the recorder role needs to write to AWS Config.
    // NOTE(review): config:Put* on resources "*" is a wildcard grant; narrow it, or attach the
    // AWS-managed policy intended for the Config service role, before reusing this outside an example.
    var p = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Effect = "Allow",
                Actions = new[] { "config:Put*" },
                Resources = new[] { "*" },
            },
        },
    });
    var pRolePolicy = new Aws.Iam.RolePolicy("p", new()
    {
        Name = "my-awsconfig-policy",
        Role = rRole.Id,
        Policy = p.Apply(doc => doc.Json),
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cfg.Recorder;
import com.pulumi.aws.cfg.RecorderArgs;
import com.pulumi.aws.cfg.Rule;
import com.pulumi.aws.cfg.RuleArgs;
import com.pulumi.aws.cfg.inputs.RuleSourceArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.iam.RolePolicy;
import com.pulumi.aws.iam.RolePolicyArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementPrincipalArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares a Configuration Recorder, its service role and an AWS-managed Config rule. */
    public static void stack(Context ctx) {
        // Trust policy: lets the AWS Config service assume the role declared below.
        final var configTrust = GetPolicyDocumentStatementArgs.builder()
            .effect("Allow")
            .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                .type("Service")
                .identifiers("config.amazonaws.com")
                .build())
            .actions("sts:AssumeRole")
            .build();
        final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(configTrust)
            .build());

        // Service role the Configuration Recorder runs as.
        var rRole = new Role("rRole", RoleArgs.builder()
            .name("my-awsconfig-role")
            .assumeRolePolicy(assumeRole.applyValue(doc -> doc.json()))
            .build());

        // A Config Rule needs an existing Configuration Recorder, hence dependsOn below.
        var foo = new Recorder("foo", RecorderArgs.builder()
            .name("example")
            .roleArn(rRole.arn())
            .build());

        var ruleSource = RuleSourceArgs.builder()
            .owner("AWS")
            .sourceIdentifier("S3_BUCKET_VERSIONING_ENABLED")
            .build();
        var r = new Rule("r",
            RuleArgs.builder().name("example").source(ruleSource).build(),
            CustomResourceOptions.builder().dependsOn(foo).build());

        // Permissions the recorder role needs to write to AWS Config.
        // NOTE(review): config:Put* on resources "*" is a wildcard grant; narrow it, or attach the
        // AWS-managed policy intended for the Config service role, before reusing this outside an example.
        final var p = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .actions("config:Put*")
                .resources("*")
                .build())
            .build());
        var pRolePolicy = new RolePolicy("pRolePolicy", RolePolicyArgs.builder()
            .name("my-awsconfig-policy")
            .role(rRole.id())
            .policy(p.applyValue(doc -> doc.json()))
            .build());
    }
}
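resources:
  # A Config Rule needs an existing Configuration Recorder, hence dependson below.
  r:
    type: aws:cfg:Rule
    properties:
      name: example
      source:
        owner: AWS
        sourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
    options:
      dependson:
        - ${foo}
  foo:
    type: aws:cfg:Recorder
    properties:
      name: example
      roleArn: ${rRole.arn}
  # Service role the Configuration Recorder runs as.
  rRole:
    type: aws:iam:Role
    name: r
    properties:
      name: my-awsconfig-role
      assumeRolePolicy: ${assumeRole.json}
  pRolePolicy:
    type: aws:iam:RolePolicy
    name: p
    properties:
      name: my-awsconfig-policy
      role: ${rRole.id}
      policy: ${p.json}
variables:
  # Trust policy: lets the AWS Config service assume rRole.
  assumeRole:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - effect: Allow
            principals:
              - type: Service
                identifiers:
                  - config.amazonaws.com
            actions:
              - sts:AssumeRole
  # Permissions the recorder role needs to write to AWS Config.
  # NOTE(review): config:Put* on resources '*' is a wildcard grant; narrow it, or attach the
  # AWS-managed policy intended for the Config service role, before reusing this outside an example.
  p:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - effect: Allow
            actions:
              - config:Put*
            resources:
              - '*'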
Custom Rules
Custom rules can be used by setting the source owner to CUSTOM_LAMBDA and the source identifier to the Amazon Resource Name (ARN) of the Lambda function. The AWS Config service must have permission to invoke the Lambda function, e.g., via the aws.lambda.Permission resource. More information about custom rules can be found in the AWS Config Developer Guide.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// The recorder and the evaluating Lambda must exist before the rule is created.
const example = new aws.cfg.Recorder("example", {});
const exampleFunction = new aws.lambda.Function("example", {});

// Resource policy letting the AWS Config service invoke the function.
// NOTE(review): this grant has no sourceAccount/sourceArn restriction, so the Config
// service principal acting for any AWS account could invoke the function (confused deputy);
// pin it to the owning account before using this outside an example.
const examplePermission = new aws.lambda.Permission("example", {
    action: "lambda:InvokeFunction",
    "function": exampleFunction.arn,
    principal: "config.amazonaws.com",
    statementId: "AllowExecutionFromConfig",
});

const exampleRule = new aws.cfg.Rule("example", {
    source: {
        owner: "CUSTOM_LAMBDA",
        sourceIdentifier: exampleFunction.arn,
    },
}, {
    dependsOn: [example, examplePermission],
});
import pulumi
import pulumi_aws as aws
# The recorder and the evaluating Lambda must exist before the rule is created.
example = aws.cfg.Recorder("example")
example_function = aws.lambda_.Function("example")

# Resource policy letting the AWS Config service invoke the function.
# NOTE(review): this grant has no source_account/source_arn restriction, so the Config
# service principal acting for any AWS account could invoke the function (confused deputy);
# pin it to the owning account before using this outside an example.
example_permission = aws.lambda_.Permission(
    "example",
    action="lambda:InvokeFunction",
    function=example_function.arn,
    principal="config.amazonaws.com",
    statement_id="AllowExecutionFromConfig",
)

example_rule = aws.cfg.Rule(
    "example",
    source={
        "owner": "CUSTOM_LAMBDA",
        "source_identifier": example_function.arn,
    },
    opts=pulumi.ResourceOptions(depends_on=[example, example_permission]),
)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cfg"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lambda"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The recorder and the evaluating Lambda must exist before the rule is created.
		example, err := cfg.NewRecorder(ctx, "example", nil)
		if err != nil {
			return err
		}
		exampleFunction, err := lambda.NewFunction(ctx, "example", nil)
		if err != nil {
			return err
		}
		// Resource policy letting the AWS Config service invoke the function.
		// NOTE(review): this grant has no SourceAccount/SourceArn restriction, so the Config
		// service principal acting for any AWS account could invoke the function (confused deputy);
		// pin it to the owning account before using this outside an example.
		examplePermission, err := lambda.NewPermission(ctx, "example", &lambda.PermissionArgs{
			Action:      pulumi.String("lambda:InvokeFunction"),
			Function:    exampleFunction.Arn,
			Principal:   pulumi.String("config.amazonaws.com"),
			StatementId: pulumi.String("AllowExecutionFromConfig"),
		})
		if err != nil {
			return err
		}
		_, err = cfg.NewRule(ctx, "example", &cfg.RuleArgs{
			Source: &cfg.RuleSourceArgs{
				Owner:            pulumi.String("CUSTOM_LAMBDA"),
				SourceIdentifier: exampleFunction.Arn,
			},
		}, pulumi.DependsOn([]pulumi.Resource{example, examplePermission}))
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // The recorder and the evaluating Lambda must exist before the rule is created.
    var example = new Aws.Cfg.Recorder("example");
    var exampleFunction = new Aws.Lambda.Function("example");

    // Resource policy letting the AWS Config service invoke the function.
    // NOTE(review): this grant has no SourceAccount/SourceArn restriction, so the Config
    // service principal acting for any AWS account could invoke the function (confused deputy);
    // pin it to the owning account before using this outside an example.
    var examplePermission = new Aws.Lambda.Permission("example", new()
    {
        Action = "lambda:InvokeFunction",
        Function = exampleFunction.Arn,
        Principal = "config.amazonaws.com",
        StatementId = "AllowExecutionFromConfig",
    });

    var exampleRule = new Aws.Cfg.Rule("example", new()
    {
        Source = new Aws.Cfg.Inputs.RuleSourceArgs
        {
            Owner = "CUSTOM_LAMBDA",
            SourceIdentifier = exampleFunction.Arn,
        },
    }, new CustomResourceOptions
    {
        DependsOn = { example, examplePermission },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cfg.Recorder;
import com.pulumi.aws.lambda.Function;
import com.pulumi.aws.lambda.Permission;
import com.pulumi.aws.lambda.PermissionArgs;
import com.pulumi.aws.cfg.Rule;
import com.pulumi.aws.cfg.RuleArgs;
import com.pulumi.aws.cfg.inputs.RuleSourceArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares a recorder, a Lambda-backed custom rule and the invoke permission it needs. */
    public static void stack(Context ctx) {
        // The recorder and the evaluating Lambda must exist before the rule is created.
        var example = new Recorder("example");
        var exampleFunction = new Function("exampleFunction");

        // Resource policy letting the AWS Config service invoke the function.
        // NOTE(review): this grant has no sourceAccount/sourceArn restriction, so the Config
        // service principal acting for any AWS account could invoke the function (confused deputy);
        // pin it to the owning account before using this outside an example.
        var examplePermission = new Permission("examplePermission", PermissionArgs.builder()
            .action("lambda:InvokeFunction")
            .function(exampleFunction.arn())
            .principal("config.amazonaws.com")
            .statementId("AllowExecutionFromConfig")
            .build());

        var ruleSource = RuleSourceArgs.builder()
            .owner("CUSTOM_LAMBDA")
            .sourceIdentifier(exampleFunction.arn())
            .build();
        var exampleRule = new Rule("exampleRule",
            RuleArgs.builder().source(ruleSource).build(),
            CustomResourceOptions.builder().dependsOn(example, examplePermission).build());
    }
}
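resources:
  # The recorder and the evaluating Lambda must exist before the rule is created.
  example:
    type: aws:cfg:Recorder
  exampleFunction:
    type: aws:lambda:Function
    name: example
  # Resource policy letting the AWS Config service invoke the function.
  # NOTE(review): this grant has no sourceAccount/sourceArn restriction, so the Config
  # service principal acting for any AWS account could invoke the function (confused deputy);
  # pin it to the owning account before using this outside an example.
  examplePermission:
    type: aws:lambda:Permission
    name: example
    properties:
      action: lambda:InvokeFunction
      function: ${exampleFunction.arn}
      principal: config.amazonaws.com
      statementId: AllowExecutionFromConfig
  exampleRule:
    type: aws:cfg:Rule
    name: example
    properties:
      source:
        owner: CUSTOM_LAMBDA
        sourceIdentifier: ${exampleFunction.arn}
    options:
      dependson:
        - ${example}
        - ${examplePermission}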
Custom Policies
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// AWS Config Guard rules (runtime guard-2.x.x). As written, ACTIVE DynamoDB tables are
// evaluated and point-in-time recovery must be ENABLED to be compliant.
// The \x09 escapes are literal tabs inside the policy text.
const guardPolicyText = `\x09 rule tableisactive when
\x09\x09 resourceType == "AWS::DynamoDB::Table" {
\x09\x09 configuration.tableStatus == ['ACTIVE']
\x09 }
\x09
\x09 rule checkcompliance when
\x09\x09 resourceType == "AWS::DynamoDB::Table"
\x09\x09 tableisactive {
\x09\x09\x09 supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus == "ENABLED"
\x09 }
`;

const example = new aws.cfg.Rule("example", {
    name: "example",
    source: {
        owner: "CUSTOM_POLICY",
        // Evaluate on configuration changes of the recorded resources.
        sourceDetails: [{
            messageType: "ConfigurationItemChangeNotification",
        }],
        customPolicyDetails: {
            policyRuntime: "guard-2.x.x",
            policyText: guardPolicyText,
        },
    },
});
import pulumi
import pulumi_aws as aws
# AWS Config Guard rules (runtime guard-2.x.x). As written, ACTIVE DynamoDB tables are
# evaluated and point-in-time recovery must be ENABLED to be compliant.
# The \x09 escapes are literal tabs inside the policy text.
guard_policy_text = """\x09 rule tableisactive when
\x09\x09 resourceType == "AWS::DynamoDB::Table" {
\x09\x09 configuration.tableStatus == ['ACTIVE']
\x09 }
\x09
\x09 rule checkcompliance when
\x09\x09 resourceType == "AWS::DynamoDB::Table"
\x09\x09 tableisactive {
\x09\x09\x09 supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus == "ENABLED"
\x09 }
"""

example = aws.cfg.Rule(
    "example",
    name="example",
    source={
        "owner": "CUSTOM_POLICY",
        # Evaluate on configuration changes of the recorded resources.
        "source_details": [{
            "message_type": "ConfigurationItemChangeNotification",
        }],
        "custom_policy_details": {
            "policy_runtime": "guard-2.x.x",
            "policy_text": guard_policy_text,
        },
    },
)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cfg"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// AWS Config Guard rules (runtime guard-2.x.x). As written, ACTIVE DynamoDB tables are
		// evaluated and point-in-time recovery must be ENABLED to be compliant.
		guardPolicyText := ` rule tableisactive when
resourceType == "AWS::DynamoDB::Table" {
configuration.tableStatus == ['ACTIVE']
}
rule checkcompliance when
resourceType == "AWS::DynamoDB::Table"
tableisactive {
supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus == "ENABLED"
}
`
		_, err := cfg.NewRule(ctx, "example", &cfg.RuleArgs{
			Name: pulumi.String("example"),
			Source: &cfg.RuleSourceArgs{
				Owner: pulumi.String("CUSTOM_POLICY"),
				// Evaluate on configuration changes of the recorded resources.
				SourceDetails: cfg.RuleSourceSourceDetailArray{
					&cfg.RuleSourceSourceDetailArgs{
						MessageType: pulumi.String("ConfigurationItemChangeNotification"),
					},
				},
				CustomPolicyDetails: &cfg.RuleSourceCustomPolicyDetailsArgs{
					PolicyRuntime: pulumi.String("guard-2.x.x"),
					PolicyText:    pulumi.String(guardPolicyText),
				},
			},
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // AWS Config Guard rules (runtime guard-2.x.x). As written, ACTIVE DynamoDB tables are
    // evaluated and point-in-time recovery must be ENABLED to be compliant.
    var guardPolicyText = @" rule tableisactive when
resourceType == ""AWS::DynamoDB::Table"" {
configuration.tableStatus == ['ACTIVE']
}
rule checkcompliance when
resourceType == ""AWS::DynamoDB::Table""
tableisactive {
supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus == ""ENABLED""
}
";

    var example = new Aws.Cfg.Rule("example", new()
    {
        Name = "example",
        Source = new Aws.Cfg.Inputs.RuleSourceArgs
        {
            Owner = "CUSTOM_POLICY",
            // Evaluate on configuration changes of the recorded resources.
            SourceDetails = new[]
            {
                new Aws.Cfg.Inputs.RuleSourceSourceDetailArgs
                {
                    MessageType = "ConfigurationItemChangeNotification",
                },
            },
            CustomPolicyDetails = new Aws.Cfg.Inputs.RuleSourceCustomPolicyDetailsArgs
            {
                PolicyRuntime = "guard-2.x.x",
                PolicyText = guardPolicyText,
            },
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cfg.Rule;
import com.pulumi.aws.cfg.RuleArgs;
import com.pulumi.aws.cfg.inputs.RuleSourceArgs;
import com.pulumi.aws.cfg.inputs.RuleSourceCustomPolicyDetailsArgs;
import com.pulumi.aws.cfg.inputs.RuleSourceSourceDetailArgs;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares a Config rule backed by an inline AWS Config Guard policy. */
    public static void stack(Context ctx) {
        // Guard rules (runtime guard-2.x.x). As written, ACTIVE DynamoDB tables are
        // evaluated and point-in-time recovery must be ENABLED to be compliant.
        // Text-block indentation is incidental and stripped, so the policy text is unchanged.
        final var guardPolicyText = """
            rule tableisactive when
            resourceType == "AWS::DynamoDB::Table" {
            configuration.tableStatus == ['ACTIVE']
            }
            rule checkcompliance when
            resourceType == "AWS::DynamoDB::Table"
            tableisactive {
            supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus == "ENABLED"
            }
            """;
        var customPolicy = RuleSourceCustomPolicyDetailsArgs.builder()
            .policyRuntime("guard-2.x.x")
            .policyText(guardPolicyText)
            .build();

        var example = new Rule("example", RuleArgs.builder()
            .name("example")
            .source(RuleSourceArgs.builder()
                .owner("CUSTOM_POLICY")
                // Evaluate on configuration changes of the recorded resources.
                .sourceDetails(RuleSourceSourceDetailArgs.builder()
                    .messageType("ConfigurationItemChangeNotification")
                    .build())
                .customPolicyDetails(customPolicy)
                .build())
            .build());
    }
}
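resources:
  example:
    type: aws:cfg:Rule
    properties:
      name: example
      source:
        owner: CUSTOM_POLICY
        # Evaluate on configuration changes of the recorded resources.
        sourceDetails:
          - messageType: ConfigurationItemChangeNotification
        # AWS Config Guard rules (runtime guard-2.x.x). As written, ACTIVE DynamoDB tables are
        # evaluated and point-in-time recovery must be ENABLED to be compliant.
        customPolicyDetails:
          policyRuntime: guard-2.x.x
          policyText: "\t rule tableisactive when\n\t\t resourceType == \"AWS::DynamoDB::Table\" {\n\t\t configuration.tableStatus == ['ACTIVE']\n\t }\n\t \n\t rule checkcompliance when\n\t\t resourceType == \"AWS::DynamoDB::Table\"\n\t\t tableisactive {\n\t\t\t supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus == \"ENABLED\"\n\t }\n"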
Create Rule Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Rule(name: string, args: RuleArgs, opts?: CustomResourceOptions);
@overload
def Rule(resource_name: str,
args: RuleArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Rule(resource_name: str,
opts: Optional[ResourceOptions] = None,
source: Optional[RuleSourceArgs] = None,
description: Optional[str] = None,
evaluation_modes: Optional[Sequence[RuleEvaluationModeArgs]] = None,
input_parameters: Optional[str] = None,
maximum_execution_frequency: Optional[str] = None,
name: Optional[str] = None,
scope: Optional[RuleScopeArgs] = None,
tags: Optional[Mapping[str, str]] = None)
func NewRule(ctx *Context, name string, args RuleArgs, opts ...ResourceOption) (*Rule, error)
public Rule(string name, RuleArgs args, CustomResourceOptions? opts = null)
type: aws:cfg:Rule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args RuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args RuleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args RuleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args RuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args RuleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference example: every input of aws.cfg.Rule shown with a placeholder value.
var ruleResource = new Aws.Cfg.Rule("ruleResource", new()
{
    Source = new Aws.Cfg.Inputs.RuleSourceArgs
    {
        Owner = "string",
        CustomPolicyDetails = new Aws.Cfg.Inputs.RuleSourceCustomPolicyDetailsArgs
        {
            PolicyRuntime = "string",
            PolicyText = "string",
            EnableDebugLogDelivery = false,
        },
        SourceDetails = new[]
        {
            new Aws.Cfg.Inputs.RuleSourceSourceDetailArgs
            {
                EventSource = "string",
                MaximumExecutionFrequency = "string",
                MessageType = "string",
            },
        },
        SourceIdentifier = "string",
    },
    Description = "string",
    EvaluationModes = new[]
    {
        new Aws.Cfg.Inputs.RuleEvaluationModeArgs
        {
            Mode = "string",
        },
    },
    InputParameters = "string",
    MaximumExecutionFrequency = "string",
    Name = "string",
    Scope = new Aws.Cfg.Inputs.RuleScopeArgs
    {
        ComplianceResourceId = "string",
        ComplianceResourceTypes = new[]
        {
            "string",
        },
        TagKey = "string",
        TagValue = "string",
    },
    Tags =
    {
        { "string", "string" },
    },
});
// Reference example: every input of cfg.Rule shown with a placeholder value.
example, err := cfg.NewRule(ctx, "ruleResource", &cfg.RuleArgs{
	Source: &cfg.RuleSourceArgs{
		Owner: pulumi.String("string"),
		CustomPolicyDetails: &cfg.RuleSourceCustomPolicyDetailsArgs{
			PolicyRuntime:          pulumi.String("string"),
			PolicyText:             pulumi.String("string"),
			EnableDebugLogDelivery: pulumi.Bool(false),
		},
		SourceDetails: cfg.RuleSourceSourceDetailArray{
			&cfg.RuleSourceSourceDetailArgs{
				EventSource:               pulumi.String("string"),
				MaximumExecutionFrequency: pulumi.String("string"),
				MessageType:               pulumi.String("string"),
			},
		},
		SourceIdentifier: pulumi.String("string"),
	},
	Description: pulumi.String("string"),
	EvaluationModes: cfg.RuleEvaluationModeArray{
		&cfg.RuleEvaluationModeArgs{
			Mode: pulumi.String("string"),
		},
	},
	InputParameters:           pulumi.String("string"),
	MaximumExecutionFrequency: pulumi.String("string"),
	Name:                      pulumi.String("string"),
	Scope: &cfg.RuleScopeArgs{
		ComplianceResourceId: pulumi.String("string"),
		ComplianceResourceTypes: pulumi.StringArray{
			pulumi.String("string"),
		},
		TagKey:   pulumi.String("string"),
		TagValue: pulumi.String("string"),
	},
	Tags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
})
// Reference example: every input of Rule shown with a placeholder value.
var ruleResource = new Rule("ruleResource", RuleArgs.builder()
    .source(RuleSourceArgs.builder()
        .owner("string")
        .customPolicyDetails(RuleSourceCustomPolicyDetailsArgs.builder()
            .policyRuntime("string")
            .policyText("string")
            .enableDebugLogDelivery(false)
            .build())
        .sourceDetails(RuleSourceSourceDetailArgs.builder()
            .eventSource("string")
            .maximumExecutionFrequency("string")
            .messageType("string")
            .build())
        .sourceIdentifier("string")
        .build())
    .description("string")
    .evaluationModes(RuleEvaluationModeArgs.builder()
        .mode("string")
        .build())
    .inputParameters("string")
    .maximumExecutionFrequency("string")
    .name("string")
    .scope(RuleScopeArgs.builder()
        .complianceResourceId("string")
        .complianceResourceTypes("string")
        .tagKey("string")
        .tagValue("string")
        .build())
    .tags(Map.of("string", "string"))
    .build());
# Reference example: every input of aws.cfg.Rule shown with a placeholder value.
rule_resource = aws.cfg.Rule("ruleResource",
    source={
        "owner": "string",
        "custom_policy_details": {
            "policy_runtime": "string",
            "policy_text": "string",
            "enable_debug_log_delivery": False,
        },
        "source_details": [{
            "event_source": "string",
            "maximum_execution_frequency": "string",
            "message_type": "string",
        }],
        "source_identifier": "string",
    },
    description="string",
    evaluation_modes=[{
        "mode": "string",
    }],
    input_parameters="string",
    maximum_execution_frequency="string",
    name="string",
    scope={
        "compliance_resource_id": "string",
        "compliance_resource_types": ["string"],
        "tag_key": "string",
        "tag_value": "string",
    },
    tags={
        "string": "string",
    })
// Reference example: every input of aws.cfg.Rule shown with a placeholder value.
const ruleResource = new aws.cfg.Rule("ruleResource", {
    source: {
        owner: "string",
        customPolicyDetails: {
            policyRuntime: "string",
            policyText: "string",
            enableDebugLogDelivery: false,
        },
        sourceDetails: [{
            eventSource: "string",
            maximumExecutionFrequency: "string",
            messageType: "string",
        }],
        sourceIdentifier: "string",
    },
    description: "string",
    evaluationModes: [{
        mode: "string",
    }],
    inputParameters: "string",
    maximumExecutionFrequency: "string",
    name: "string",
    scope: {
        complianceResourceId: "string",
        complianceResourceTypes: ["string"],
        tagKey: "string",
        tagValue: "string",
    },
    tags: {
        string: "string",
    },
});
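# Reference example: every input of aws:cfg:Rule shown with a placeholder value.
type: aws:cfg:Rule
properties:
  description: string
  evaluationModes:
    - mode: string
  inputParameters: string
  maximumExecutionFrequency: string
  name: string
  scope:
    complianceResourceId: string
    complianceResourceTypes:
      - string
    tagKey: string
    tagValue: string
  source:
    customPolicyDetails:
      enableDebugLogDelivery: false
      policyRuntime: string
      policyText: string
    owner: string
    sourceDetails:
      - eventSource: string
        maximumExecutionFrequency: string
        messageType: string
    sourceIdentifier: string
  tags:
    string: string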
Rule Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Rule resource accepts the following input properties:
- Source
Rule
Source - Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
- Description string
- Description of the rule
- EvaluationModes List<RuleEvaluationMode>
- The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
- InputParameters string
- A string in JSON format that is passed to the AWS Config rule Lambda function.
- MaximumExecutionFrequency string
- The maximum frequency with which AWS Config runs evaluations for a rule.
- Name string
- The name of the rule
- Scope
Rule
Scope - Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
- Tags Dictionary<string, string>
- A map of tags to assign to the resource. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- Source
Rule
Source Args - Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
- Description string
- Description of the rule
- EvaluationModes []RuleEvaluationModeArgs
- The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
- InputParameters string
- A string in JSON format that is passed to the AWS Config rule Lambda function.
- MaximumExecutionFrequency string
- The maximum frequency with which AWS Config runs evaluations for a rule.
- Name string
- The name of the rule
- Scope
Rule
Scope Args - Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
- Tags map[string]string
- A map of tags to assign to the resource. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- source
Rule
Source - Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
- description String
- Description of the rule
- evaluationModes List<RuleEvaluationMode>
- The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
- inputParameters String
- A string in JSON format that is passed to the AWS Config rule Lambda function.
- maximumExecutionFrequency String
- The maximum frequency with which AWS Config runs evaluations for a rule.
- name String
- The name of the rule
- scope
Rule
Scope - Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
- tags Map<String,String>
- A map of tags to assign to the resource. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- source
Rule
Source - Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
- description string
- Description of the rule
- evaluationModes RuleEvaluationMode[]
- The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
- inputParameters string
- A string in JSON format that is passed to the AWS Config rule Lambda function.
- maximumExecutionFrequency string
- The maximum frequency with which AWS Config runs evaluations for a rule.
- name string
- The name of the rule
- scope
Rule
Scope - Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
- tags {[key: string]: string}
- A map of tags to assign to the resource. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- source
Rule
Source Args - Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
- description str
- Description of the rule
- evaluation_modes Sequence[RuleEvaluationModeArgs]
- The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
- input_parameters str
- A string in JSON format that is passed to the AWS Config rule Lambda function.
- maximum_execution_frequency str
- The maximum frequency with which AWS Config runs evaluations for a rule.
- name str
- The name of the rule
- scope
Rule
Scope Args - Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
- tags Mapping[str, str]
- A map of tags to assign to the resource. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- source Property Map
- Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
- description String
- Description of the rule
- evaluationModes List<Property Map>
- The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
- inputParameters String
- A string in JSON format that is passed to the AWS Config rule Lambda function.
- maximumExecutionFrequency String
- The maximum frequency with which AWS Config runs evaluations for a rule.
- name String
- The name of the rule
- scope Property Map
- Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
- tags Map<String>
- A map of tags to assign to the resource. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.
Outputs
All input properties are implicitly available as output properties. Additionally, the Rule resource produces the following output properties:
Look up Existing Rule Resource
Get an existing Rule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: RuleState, opts?: CustomResourceOptions): Rule
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
arn: Optional[str] = None,
description: Optional[str] = None,
evaluation_modes: Optional[Sequence[RuleEvaluationModeArgs]] = None,
input_parameters: Optional[str] = None,
maximum_execution_frequency: Optional[str] = None,
name: Optional[str] = None,
rule_id: Optional[str] = None,
scope: Optional[RuleScopeArgs] = None,
source: Optional[RuleSourceArgs] = None,
tags: Optional[Mapping[str, str]] = None,
tags_all: Optional[Mapping[str, str]] = None) -> Rule
func GetRule(ctx *Context, name string, id IDInput, state *RuleState, opts ...ResourceOption) (*Rule, error)
public static Rule Get(string name, Input<string> id, RuleState? state, CustomResourceOptions? opts = null)
public static Rule get(String name, Output<String> id, RuleState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Arn string
- The ARN of the config rule
- Description string
- Description of the rule
- EvaluationModes List<RuleEvaluationMode>
- The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
- InputParameters string
- A string in JSON format that is passed to the AWS Config rule Lambda function.
- MaximumExecutionFrequency string
- The maximum frequency with which AWS Config runs evaluations for a rule.
- Name string
- The name of the rule
- RuleId string
- The ID of the config rule
- Scope RuleScope
- Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
- Source RuleSource
- Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
- Tags Dictionary<string, string>
- A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider level.
- TagsAll Dictionary<string, string>
- A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
- Arn string
- The ARN of the config rule
- Description string
- Description of the rule
- EvaluationModes []RuleEvaluationModeArgs
- The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
- InputParameters string
- A string in JSON format that is passed to the AWS Config rule Lambda function.
- MaximumExecutionFrequency string
- The maximum frequency with which AWS Config runs evaluations for a rule.
- Name string
- The name of the rule
- RuleId string
- The ID of the config rule
- Scope RuleScopeArgs
- Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
- Source RuleSourceArgs
- Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
- Tags map[string]string
- A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider level.
- TagsAll map[string]string
- A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
- arn String
- The ARN of the config rule
- description String
- Description of the rule
- evaluationModes List<RuleEvaluationMode>
- The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
- inputParameters String
- A string in JSON format that is passed to the AWS Config rule Lambda function.
- maximumExecutionFrequency String
- The maximum frequency with which AWS Config runs evaluations for a rule.
- name String
- The name of the rule
- ruleId String
- The ID of the config rule
- scope RuleScope
- Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
- source RuleSource
- Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
- tags Map<String,String>
- A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider level.
- tagsAll Map<String,String>
- A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
- arn string
- The ARN of the config rule
- description string
- Description of the rule
- evaluationModes RuleEvaluationMode[]
- The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
- inputParameters string
- A string in JSON format that is passed to the AWS Config rule Lambda function.
- maximumExecutionFrequency string
- The maximum frequency with which AWS Config runs evaluations for a rule.
- name string
- The name of the rule
- ruleId string
- The ID of the config rule
- scope RuleScope
- Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
- source RuleSource
- Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
- tags {[key: string]: string}
- A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider level.
- tagsAll {[key: string]: string}
- A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
- arn str
- The ARN of the config rule
- description str
- Description of the rule
- evaluation_modes Sequence[RuleEvaluationModeArgs]
- The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
- input_parameters str
- A string in JSON format that is passed to the AWS Config rule Lambda function.
- maximum_execution_frequency str
- The maximum frequency with which AWS Config runs evaluations for a rule.
- name str
- The name of the rule
- rule_id str
- The ID of the config rule
- scope RuleScopeArgs
- Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
- source RuleSourceArgs
- Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
- tags Mapping[str, str]
- A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider level.
- tags_all Mapping[str, str]
- A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
- arn String
- The ARN of the config rule
- description String
- Description of the rule
- evaluationModes List<Property Map>
- The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
- inputParameters String
- A string in JSON format that is passed to the AWS Config rule Lambda function.
- maximumExecutionFrequency String
- The maximum frequency with which AWS Config runs evaluations for a rule.
- name String
- The name of the rule
- ruleId String
- The ID of the config rule
- scope Property Map
- Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
- source Property Map
- Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
- tags Map<String>
- A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider level.
- tagsAll Map<String>
- A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Supporting Types
RuleEvaluationMode, RuleEvaluationModeArgs
- Mode string
- The mode of an evaluation.
- Mode string
- The mode of an evaluation.
- mode String
- The mode of an evaluation.
- mode string
- The mode of an evaluation.
- mode str
- The mode of an evaluation.
- mode String
- The mode of an evaluation.
RuleScope, RuleScopeArgs
- ComplianceResourceId string
- The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for compliance_resource_types.
- ComplianceResourceTypes List<string>
- A list of resource types of only those AWS resources that you want to trigger an evaluation for the rule, e.g., AWS::EC2::Instance. You can only specify one type if you also specify a resource ID for compliance_resource_id. See the relevant part of the AWS Docs for available types.
- TagKey string
- The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.
- TagValue string
- The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule.
- ComplianceResourceId string
- The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for compliance_resource_types.
- ComplianceResourceTypes []string
- A list of resource types of only those AWS resources that you want to trigger an evaluation for the rule, e.g., AWS::EC2::Instance. You can only specify one type if you also specify a resource ID for compliance_resource_id. See the relevant part of the AWS Docs for available types.
- TagKey string
- The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.
- TagValue string
- The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule.
- complianceResourceId String
- The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for compliance_resource_types.
- complianceResourceTypes List<String>
- A list of resource types of only those AWS resources that you want to trigger an evaluation for the rule, e.g., AWS::EC2::Instance. You can only specify one type if you also specify a resource ID for compliance_resource_id. See the relevant part of the AWS Docs for available types.
- tagKey String
- The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.
- tagValue String
- The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule.
- complianceResourceId string
- The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for compliance_resource_types.
- complianceResourceTypes string[]
- A list of resource types of only those AWS resources that you want to trigger an evaluation for the rule, e.g., AWS::EC2::Instance. You can only specify one type if you also specify a resource ID for compliance_resource_id. See the relevant part of the AWS Docs for available types.
- tagKey string
- The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.
- tagValue string
- The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule.
- compliance_resource_id str
- The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for compliance_resource_types.
- compliance_resource_types Sequence[str]
- A list of resource types of only those AWS resources that you want to trigger an evaluation for the rule, e.g., AWS::EC2::Instance. You can only specify one type if you also specify a resource ID for compliance_resource_id. See the relevant part of the AWS Docs for available types.
- tag_key str
- The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.
- tag_value str
- The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule.
- complianceResourceId String
- The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for compliance_resource_types.
- complianceResourceTypes List<String>
- A list of resource types of only those AWS resources that you want to trigger an evaluation for the rule, e.g., AWS::EC2::Instance. You can only specify one type if you also specify a resource ID for compliance_resource_id. See the relevant part of the AWS Docs for available types.
- tagKey String
- The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.
- tagValue String
- The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule.
RuleSource, RuleSourceArgs
- Owner string
- Indicates whether AWS or the customer owns and manages the AWS Config rule. Valid values are AWS, CUSTOM_LAMBDA or CUSTOM_POLICY. For more information about managed rules, see the AWS Config Managed Rules documentation. For more information about custom rules, see the AWS Config Custom Rules documentation. Custom Lambda Functions require permissions to allow the AWS Config service to invoke them, e.g., via the aws.lambda.Permission resource.
- CustomPolicyDetails RuleSourceCustomPolicyDetails
- Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to CUSTOM_POLICY. See Custom Policy Details Below.
- SourceDetails List<RuleSourceSourceDetail>
- Provides the source and type of the event that causes AWS Config to evaluate your AWS resources. Only valid if owner is CUSTOM_LAMBDA or CUSTOM_POLICY. See Source Detail Below.
- SourceIdentifier string
- For AWS Config managed rules, a predefined identifier, e.g. IAM_PASSWORD_POLICY. For custom Lambda rules, the identifier is the ARN of the Lambda Function, such as arn:aws:lambda:us-east-1:123456789012:function:custom_rule_name or the arn attribute of the aws.lambda.Function resource.
- Owner string
- Indicates whether AWS or the customer owns and manages the AWS Config rule. Valid values are AWS, CUSTOM_LAMBDA or CUSTOM_POLICY. For more information about managed rules, see the AWS Config Managed Rules documentation. For more information about custom rules, see the AWS Config Custom Rules documentation. Custom Lambda Functions require permissions to allow the AWS Config service to invoke them, e.g., via the aws.lambda.Permission resource.
- CustomPolicyDetails RuleSourceCustomPolicyDetails
- Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to CUSTOM_POLICY. See Custom Policy Details Below.
- SourceDetails []RuleSourceSourceDetail
- Provides the source and type of the event that causes AWS Config to evaluate your AWS resources. Only valid if owner is CUSTOM_LAMBDA or CUSTOM_POLICY. See Source Detail Below.
- SourceIdentifier string
- For AWS Config managed rules, a predefined identifier, e.g. IAM_PASSWORD_POLICY. For custom Lambda rules, the identifier is the ARN of the Lambda Function, such as arn:aws:lambda:us-east-1:123456789012:function:custom_rule_name or the arn attribute of the aws.lambda.Function resource.
- owner String
- Indicates whether AWS or the customer owns and manages the AWS Config rule. Valid values are AWS, CUSTOM_LAMBDA or CUSTOM_POLICY. For more information about managed rules, see the AWS Config Managed Rules documentation. For more information about custom rules, see the AWS Config Custom Rules documentation. Custom Lambda Functions require permissions to allow the AWS Config service to invoke them, e.g., via the aws.lambda.Permission resource.
- customPolicyDetails RuleSourceCustomPolicyDetails
- Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to CUSTOM_POLICY. See Custom Policy Details Below.
- sourceDetails List<RuleSourceSourceDetail>
- Provides the source and type of the event that causes AWS Config to evaluate your AWS resources. Only valid if owner is CUSTOM_LAMBDA or CUSTOM_POLICY. See Source Detail Below.
- sourceIdentifier String
- For AWS Config managed rules, a predefined identifier, e.g. IAM_PASSWORD_POLICY. For custom Lambda rules, the identifier is the ARN of the Lambda Function, such as arn:aws:lambda:us-east-1:123456789012:function:custom_rule_name or the arn attribute of the aws.lambda.Function resource.
- owner string
- Indicates whether AWS or the customer owns and manages the AWS Config rule. Valid values are AWS, CUSTOM_LAMBDA or CUSTOM_POLICY. For more information about managed rules, see the AWS Config Managed Rules documentation. For more information about custom rules, see the AWS Config Custom Rules documentation. Custom Lambda Functions require permissions to allow the AWS Config service to invoke them, e.g., via the aws.lambda.Permission resource.
- customPolicyDetails RuleSourceCustomPolicyDetails
- Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to CUSTOM_POLICY. See Custom Policy Details Below.
- sourceDetails RuleSourceSourceDetail[]
- Provides the source and type of the event that causes AWS Config to evaluate your AWS resources. Only valid if owner is CUSTOM_LAMBDA or CUSTOM_POLICY. See Source Detail Below.
- sourceIdentifier string
- For AWS Config managed rules, a predefined identifier, e.g. IAM_PASSWORD_POLICY. For custom Lambda rules, the identifier is the ARN of the Lambda Function, such as arn:aws:lambda:us-east-1:123456789012:function:custom_rule_name or the arn attribute of the aws.lambda.Function resource.
- owner str
- Indicates whether AWS or the customer owns and manages the AWS Config rule. Valid values are AWS, CUSTOM_LAMBDA or CUSTOM_POLICY. For more information about managed rules, see the AWS Config Managed Rules documentation. For more information about custom rules, see the AWS Config Custom Rules documentation. Custom Lambda Functions require permissions to allow the AWS Config service to invoke them, e.g., via the aws.lambda.Permission resource.
- custom_policy_details RuleSourceCustomPolicyDetails
- Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to CUSTOM_POLICY. See Custom Policy Details Below.
- source_details Sequence[RuleSourceSourceDetail]
- Provides the source and type of the event that causes AWS Config to evaluate your AWS resources. Only valid if owner is CUSTOM_LAMBDA or CUSTOM_POLICY. See Source Detail Below.
- source_identifier str
- For AWS Config managed rules, a predefined identifier, e.g. IAM_PASSWORD_POLICY. For custom Lambda rules, the identifier is the ARN of the Lambda Function, such as arn:aws:lambda:us-east-1:123456789012:function:custom_rule_name or the arn attribute of the aws.lambda.Function resource.
- owner String
- Indicates whether AWS or the customer owns and manages the AWS Config rule. Valid values are AWS, CUSTOM_LAMBDA or CUSTOM_POLICY. For more information about managed rules, see the AWS Config Managed Rules documentation. For more information about custom rules, see the AWS Config Custom Rules documentation. Custom Lambda Functions require permissions to allow the AWS Config service to invoke them, e.g., via the aws.lambda.Permission resource.
- customPolicyDetails Property Map
- Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to CUSTOM_POLICY. See Custom Policy Details Below.
- sourceDetails List<Property Map>
- Provides the source and type of the event that causes AWS Config to evaluate your AWS resources. Only valid if owner is CUSTOM_LAMBDA or CUSTOM_POLICY. See Source Detail Below.
- sourceIdentifier String
- For AWS Config managed rules, a predefined identifier, e.g. IAM_PASSWORD_POLICY. For custom Lambda rules, the identifier is the ARN of the Lambda Function, such as arn:aws:lambda:us-east-1:123456789012:function:custom_rule_name or the arn attribute of the aws.lambda.Function resource.
RuleSourceCustomPolicyDetails, RuleSourceCustomPolicyDetailsArgs
- PolicyRuntime string
- The runtime system for your Config Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by Config Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
- PolicyText string
- The policy definition containing the logic for your Config Custom Policy rule.
- EnableDebugLogDelivery bool
- The boolean expression for enabling debug logging for your Config Custom Policy rule. The default value is false.
- PolicyRuntime string
- The runtime system for your Config Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by Config Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
- PolicyText string
- The policy definition containing the logic for your Config Custom Policy rule.
- EnableDebugLogDelivery bool
- The boolean expression for enabling debug logging for your Config Custom Policy rule. The default value is false.
- policyRuntime String
- The runtime system for your Config Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by Config Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
- policyText String
- The policy definition containing the logic for your Config Custom Policy rule.
- enableDebugLogDelivery Boolean
- The boolean expression for enabling debug logging for your Config Custom Policy rule. The default value is false.
- policyRuntime string
- The runtime system for your Config Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by Config Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
- policyText string
- The policy definition containing the logic for your Config Custom Policy rule.
- enableDebugLogDelivery boolean
- The boolean expression for enabling debug logging for your Config Custom Policy rule. The default value is false.
- policy_runtime str
- The runtime system for your Config Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by Config Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
- policy_text str
- The policy definition containing the logic for your Config Custom Policy rule.
- enable_debug_log_delivery bool
- The boolean expression for enabling debug logging for your Config Custom Policy rule. The default value is false.
- policyRuntime String
- The runtime system for your Config Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by Config Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
- policyText String
- The policy definition containing the logic for your Config Custom Policy rule.
- enableDebugLogDelivery Boolean
- The boolean expression for enabling debug logging for your Config Custom Policy rule. The default value is false.
RuleSourceSourceDetail, RuleSourceSourceDetailArgs
- EventSource string
- The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWS resources. This defaults to aws.config and is the only valid value.
- MaximumExecutionFrequency string
- The frequency that you want AWS Config to run evaluations for a rule that is triggered periodically. If specified, requires message_type to be ScheduledNotification.
- MessageType string
- The type of notification that triggers AWS Config to run an evaluation for a rule. You can specify the following notification types: ConfigurationItemChangeNotification - Triggers an evaluation when AWS Config delivers a configuration item as a result of a resource change. OversizedConfigurationItemChangeNotification - Triggers an evaluation when AWS Config delivers an oversized configuration item. AWS Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS. ScheduledNotification - Triggers a periodic evaluation at the frequency specified for maximum_execution_frequency. ConfigurationSnapshotDeliveryCompleted - Triggers a periodic evaluation when AWS Config delivers a configuration snapshot.
- EventSource string
- The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWS resources. This defaults to aws.config and is the only valid value.
- MaximumExecutionFrequency string
- The frequency that you want AWS Config to run evaluations for a rule that is triggered periodically. If specified, requires message_type to be ScheduledNotification.
- MessageType string
- The type of notification that triggers AWS Config to run an evaluation for a rule. You can specify the following notification types: ConfigurationItemChangeNotification - Triggers an evaluation when AWS Config delivers a configuration item as a result of a resource change. OversizedConfigurationItemChangeNotification - Triggers an evaluation when AWS Config delivers an oversized configuration item. AWS Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS. ScheduledNotification - Triggers a periodic evaluation at the frequency specified for maximum_execution_frequency. ConfigurationSnapshotDeliveryCompleted - Triggers a periodic evaluation when AWS Config delivers a configuration snapshot.
- eventSource String
- The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWS resources. This defaults to aws.config and is the only valid value.
- maximumExecutionFrequency String
- The frequency that you want AWS Config to run evaluations for a rule that is triggered periodically. If specified, requires message_type to be ScheduledNotification.
- messageType String
- The type of notification that triggers AWS Config to run an evaluation for a rule. You can specify the following notification types: ConfigurationItemChangeNotification - Triggers an evaluation when AWS Config delivers a configuration item as a result of a resource change. OversizedConfigurationItemChangeNotification - Triggers an evaluation when AWS Config delivers an oversized configuration item. AWS Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS. ScheduledNotification - Triggers a periodic evaluation at the frequency specified for maximum_execution_frequency. ConfigurationSnapshotDeliveryCompleted - Triggers a periodic evaluation when AWS Config delivers a configuration snapshot.
- eventSource string
- The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWS resources. This defaults to aws.config and is the only valid value.
- maximumExecutionFrequency string
- The frequency that you want AWS Config to run evaluations for a rule that is triggered periodically. If specified, requires message_type to be ScheduledNotification.
- messageType string
- The type of notification that triggers AWS Config to run an evaluation for a rule. You can specify the following notification types: ConfigurationItemChangeNotification - Triggers an evaluation when AWS Config delivers a configuration item as a result of a resource change. OversizedConfigurationItemChangeNotification - Triggers an evaluation when AWS Config delivers an oversized configuration item. AWS Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS. ScheduledNotification - Triggers a periodic evaluation at the frequency specified for maximum_execution_frequency. ConfigurationSnapshotDeliveryCompleted - Triggers a periodic evaluation when AWS Config delivers a configuration snapshot.
- event_source str
- The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWS resources. This defaults to aws.config and is the only valid value.
- maximum_execution_frequency str
- The frequency that you want AWS Config to run evaluations for a rule that is triggered periodically. If specified, requires message_type to be ScheduledNotification.
- message_type str
- The type of notification that triggers AWS Config to run an evaluation for a rule. You can specify the following notification types: ConfigurationItemChangeNotification - Triggers an evaluation when AWS Config delivers a configuration item as a result of a resource change. OversizedConfigurationItemChangeNotification - Triggers an evaluation when AWS Config delivers an oversized configuration item. AWS Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS. ScheduledNotification - Triggers a periodic evaluation at the frequency specified for maximum_execution_frequency. ConfigurationSnapshotDeliveryCompleted - Triggers a periodic evaluation when AWS Config delivers a configuration snapshot.
- eventSource String
- The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWS resources. This defaults to aws.config and is the only valid value.
- maximumExecutionFrequency String
- The frequency that you want AWS Config to run evaluations for a rule that is triggered periodically. If specified, requires message_type to be ScheduledNotification.
- messageType String
- The type of notification that triggers AWS Config to run an evaluation for a rule. You can specify the following notification types: ConfigurationItemChangeNotification - Triggers an evaluation when AWS Config delivers a configuration item as a result of a resource change. OversizedConfigurationItemChangeNotification - Triggers an evaluation when AWS Config delivers an oversized configuration item. AWS Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS. ScheduledNotification - Triggers a periodic evaluation at the frequency specified for maximum_execution_frequency. ConfigurationSnapshotDeliveryCompleted - Triggers a periodic evaluation when AWS Config delivers a configuration snapshot.
Import
Using pulumi import, import a Config Rule using its name. For example:
$ pulumi import aws:cfg/rule:Rule foo example
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the aws Terraform Provider.