RuleArgs

/**
 * Arguments for an AWS Config `Rule`. Every property is optional and is forwarded as the
 * resource input of the same name when [toJava] converts this value.
 *
 * @property description description of the rule
 * @property inputParameters a string in JSON format passed to the rule's Lambda function
 * @property maximumExecutionFrequency maximum frequency with which AWS Config runs evaluations for the rule
 * @property name name of the rule
 * @property scope which resources can trigger an evaluation for the rule
 * @property source rule owner, rule identifier and the notifications that cause the function to evaluate resources
 * @property tags tags to assign to the resource; keys that also appear in the provider's `default_tags` override the provider-level value
 */
data class RuleArgs(val description: Output<String>? = null, val inputParameters: Output<String>? = null, val maximumExecutionFrequency: Output<String>? = null, val name: Output<String>? = null, val scope: Output<RuleScopeArgs>? = null, val source: Output<RuleSourceArgs>? = null, val tags: Output<Map<String, String>>? = null) : ConvertibleToJava<RuleArgs>

Provides an AWS Config Rule.

Note: a Config Rule requires an existing Configuration Recorder to be present. Declaring an explicit dependency on the recorder (`depends_on`, shown as `dependsOn` in the examples below) is recommended to avoid race conditions.

Example Usage

AWS Managed Rules

AWS managed rules can be used by setting the source owner to AWS and the source identifier to the name of the managed rule. More information about AWS managed rules can be found in the AWS Config Developer Guide.

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.cfg.Recorder;
import com.pulumi.aws.cfg.RecorderArgs;
import com.pulumi.aws.cfg.Rule;
import com.pulumi.aws.cfg.RuleArgs;
import com.pulumi.aws.cfg.inputs.RuleSourceArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.iam.RolePolicy;
import com.pulumi.aws.iam.RolePolicyArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementPrincipalArgs;
import com.pulumi.core.Output;
import com.pulumi.resources.CustomResourceOptions;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares an AWS-managed Config rule (S3_BUCKET_VERSIONING_ENABLED) together with the
     * IAM role and Configuration Recorder that AWS Config needs before the rule can evaluate.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        // Trust policy: only the AWS Config service principal may assume the recorder role.
        // NOTE(review): for service principals AWS recommends adding an aws:SourceAccount
        // condition so the role cannot be assumed on behalf of another account — not shown here.
        var configPrincipal = GetPolicyDocumentStatementPrincipalArgs.builder()
            .type("Service")
            .identifiers("config.amazonaws.com")
            .build();
        var trustStatement = GetPolicyDocumentStatementArgs.builder()
            .effect("Allow")
            .principals(configPrincipal)
            .actions("sts:AssumeRole")
            .build();
        final var trustPolicy = IamFunctions.getPolicyDocument(
            GetPolicyDocumentArgs.builder().statements(trustStatement).build());

        var configRole = new Role("role", RoleArgs.builder()
            .assumeRolePolicy(trustPolicy.applyValue(doc -> doc.json()))
            .build());

        // The recorder has to exist before the rule; the rule declares an explicit dependsOn below.
        var recorder = new Recorder("foo", RecorderArgs.builder()
            .roleArn(configRole.arn())
            .build());

        var managedSource = RuleSourceArgs.builder()
            .owner("AWS")
            .sourceIdentifier("S3_BUCKET_VERSIONING_ENABLED")
            .build();
        var versioningRule = new Rule("rule",
            RuleArgs.builder().source(managedSource).build(),
            CustomResourceOptions.builder().dependsOn(recorder).build());

        // Inline permissions for the recorder role. "config:Put*" on resource "*" is broad;
        // narrow it to the actions and resources your recorder actually needs.
        var putStatement = GetPolicyDocumentStatementArgs.builder()
            .effect("Allow")
            .actions("config:Put*")
            .resources("*")
            .build();
        final var putPolicy = IamFunctions.getPolicyDocument(
            GetPolicyDocumentArgs.builder().statements(putStatement).build());

        var inlinePolicy = new RolePolicy("rolePolicy", RolePolicyArgs.builder()
            .role(configRole.id())
            .policy(putPolicy.applyValue(doc -> doc.json()))
            .build());
    }
}

Custom Rules

Custom rules can be used by setting the source owner to CUSTOM_LAMBDA and the source identifier to the Amazon Resource Name (ARN) of the Lambda Function. The AWS Config service must have permissions to invoke the Lambda Function, e.g., via the aws.lambda.Permission resource. More information about custom rules can be found in the AWS Config Developer Guide.

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cfg.Recorder;
import com.pulumi.aws.lambda.Function;
import com.pulumi.aws.lambda.Permission;
import com.pulumi.aws.lambda.PermissionArgs;
import com.pulumi.aws.cfg.Rule;
import com.pulumi.aws.cfg.RuleArgs;
import com.pulumi.aws.cfg.inputs.RuleSourceArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a custom Config rule evaluated by a Lambda function, plus the invoke
     * permission AWS Config needs in order to call that function.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        var recorder = new Recorder("exampleRecorder");
        var evaluator = new Function("exampleFunction");

        // Allow the AWS Config service principal to invoke the evaluator.
        // NOTE(review): consider also setting sourceAccount on this permission so that a
        // Config service call originating from another account cannot invoke the function.
        var invokeGrant = new Permission("examplePermission", PermissionArgs.builder()
            .action("lambda:InvokeFunction")
            .function(evaluator.arn())
            .principal("config.amazonaws.com")
            .build());

        var lambdaSource = RuleSourceArgs.builder()
            .owner("CUSTOM_LAMBDA")
            .sourceIdentifier(evaluator.arn())
            .build();
        // The rule must wait for both the recorder and the invoke permission.
        var options = CustomResourceOptions.builder()
            .dependsOn(recorder, invokeGrant)
            .build();
        var customRule = new Rule("exampleRule",
            RuleArgs.builder().source(lambdaSource).build(),
            options);
    }
}

Custom Policies

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.cfg.Rule;
import com.pulumi.aws.cfg.RuleArgs;
import com.pulumi.aws.cfg.inputs.RuleSourceArgs;
import com.pulumi.aws.cfg.inputs.RuleSourceCustomPolicyDetailsArgs;
import com.pulumi.aws.cfg.inputs.RuleSourceSourceDetailArgs;
import com.pulumi.core.Output;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
public class App {
    /**
     * Guard policy evaluated by the rule: a DynamoDB table passes once it is ACTIVE and
     * point-in-time recovery is ENABLED. Indented uniformly so the text block yields the
     * same string as the original inline literal.
     */
    private static final String GUARD_POLICY = """
        rule tableisactive when
        resourceType == "AWS::DynamoDB::Table" {
        configuration.tableStatus == ['ACTIVE']
        }
        rule checkcompliance when
        resourceType == "AWS::DynamoDB::Table"
        tableisactive {
        supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus == "ENABLED"
        }
        """;

    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a Config rule whose source is a Custom Policy (Guard) rather than a Lambda.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        // Change-triggered evaluation: run when a configuration item changes.
        var trigger = RuleSourceSourceDetailArgs.builder()
            .messageType("ConfigurationItemChangeNotification")
            .build();
        var policy = RuleSourceCustomPolicyDetailsArgs.builder()
            .policyRuntime("guard-2.x.x")
            .policyText(GUARD_POLICY)
            .build();
        var customPolicySource = RuleSourceArgs.builder()
            .owner("CUSTOM_POLICY")
            .sourceDetails(trigger)
            .customPolicyDetails(policy)
            .build();
        // NOTE(review): unlike the other examples this declares no dependsOn a Recorder,
        // although the rule still requires one to exist.
        var guardRule = new Rule("example",
            RuleArgs.builder().source(customPolicySource).build());
    }
}

Import

A Config Rule can be imported using its name, e.g.:

$ pulumi import aws:cfg/rule:Rule foo example

Constructors

constructor(description: Output<String>? = null, inputParameters: Output<String>? = null, maximumExecutionFrequency: Output<String>? = null, name: Output<String>? = null, scope: Output<RuleScopeArgs>? = null, source: Output<RuleSourceArgs>? = null, tags: Output<Map<String, String>>? = null)

Properties

val description: Output<String>? = null

Description of the rule

val inputParameters: Output<String>? = null

A string in JSON format that is passed to the AWS Config rule Lambda function.

val maximumExecutionFrequency: Output<String>? = null

The maximum frequency with which AWS Config runs evaluations for a rule.

val name: Output<String>? = null

The name of the rule

val scope: Output<RuleScopeArgs>? = null

Scope defines which resources can trigger an evaluation for the rule. See Scope below.

val source: Output<RuleSourceArgs>? = null

Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source below.

val tags: Output<Map<String, String>>? = null

A map of tags to assign to the resource. If the provider is configured with a default_tags block, tags with matching keys overwrite the provider-level values.

Functions

open override fun toJava(): RuleArgs