Organization
Manages a Config Organization Custom Policy Rule. More information about these rules can be found in the Enabling AWS Config Rules Across all Accounts in Your Organization and AWS Config Managed Rules documentation. For working with Organization Managed Rules (those invoking an AWS managed rule), see the aws_config_organization_managed__rule resource.
NOTE: This resource must be created in the Organization master account and rules will include the master account unless its ID is added to the
excluded_accountsargument.
Example Usage
Basic Usage
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cfg.OrganizationCustomPolicyRule;
import com.pulumi.aws.cfg.OrganizationCustomPolicyRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new OrganizationCustomPolicyRule("example", OrganizationCustomPolicyRuleArgs.builder()
.policyRuntime("guard-2.x.x")
.policyText("""
let status = ['ACTIVE']
rule tableisactive when
resourceType == "AWS::DynamoDB::Table" {
configuration.tableStatus == %status
}
rule checkcompliance when
resourceType == "AWS::DynamoDB::Table"
tableisactive {
let pitr = supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus
%pitr == "ENABLED"
}
""")
.resourceTypesScopes("AWS::DynamoDB::Table")
.build());
}
}Import
A Config Organization Custom Policy Rule can be imported using the name argument, e.g.,
$ pulumi import aws:cfg/organizationCustomPolicyRule:OrganizationCustomPolicyRule example example_rule_nameProperties
List of AWS account identifiers to exclude from the rule
Description of the rule
List of AWS account identifiers to exclude from the rule
A string in JSON format that is passed to the AWS Config Rule Lambda Function
Maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.
runtime system for your organization AWS Config Custom Policy rules
policy definition containing the logic for your organization AWS Config Custom Policy rule
Identifier of the AWS resource to evaluate
List of types of AWS resources to evaluate
Tag key of AWS resources to evaluate
Tag value of AWS resources to evaluate
List of notification types that trigger AWS Config to run an evaluation for the rule. Valid values: ConfigurationItemChangeNotification, OversizedConfigurationItemChangeNotification The following arguments are optional: