Organization Conformance Pack Args
Manages a Config Organization Conformance Pack. More information can be found in the Managing Conformance Packs Across all Accounts in Your Organization and AWS Config Managed Rules documentation. Example conformance pack templates may be found in the AWS Config Rules Repository.
NOTE: This resource must be created in the Organization master account or a delegated administrator account, and the Organization must have all features enabled. Every Organization account except those configured in the
`excluded_accounts` argument must have a Configuration Recorder with proper IAM permissions before the Organization Conformance Pack will successfully create or update. See also the `aws.cfg.Recorder` resource.
Example Usage
Using Template Body
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
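// Trusted access for the AWS Config multi-account setup principal; the note on
// this page also requires the organization to have all features enabled.
const exampleOrganization = new aws.organizations.Organization("example", {
    awsServiceAccessPrincipals: ["config-multiaccountsetup.amazonaws.com"],
    featureSet: "ALL",
});
const example = new aws.cfg.OrganizationConformancePack("example", {
    name: "example",
    // NOTE(review): this parameter is declared in the template and supplied
    // here, but no rule in the template references it, so the 90-day value is
    // not enforced by anything this pack deploys.
    inputParameters: [{
        parameterName: "AccessKeysRotatedParameterMaxAccessKeyAge",
        parameterValue: "90",
    }],
    // The template is YAML: the nesting inside the literal is significant and
    // is restored here (Properties/Type sit under the rule's logical ID).
    templateBody: `Parameters:
  AccessKeysRotatedParameterMaxAccessKeyAge:
    Type: String
Resources:
  IAMPasswordPolicy:
    Properties:
      ConfigRuleName: IAMPasswordPolicy
      Source:
        Owner: AWS
        SourceIdentifier: IAM_PASSWORD_POLICY
    Type: AWS::Config::ConfigRule
`,
}, {
    // exampleAwsConfigConfigurationRecorder is not declared in this snippet;
    // presumably an aws.cfg.Recorder defined elsewhere in the program.
    dependsOn: [
        exampleAwsConfigConfigurationRecorder,
        exampleOrganization,
    ],
});
import pulumi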
import pulumi_aws as aws
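# Trusted access for the AWS Config multi-account setup principal; the note on
# this page also requires the organization to have all features enabled.
example_organization = aws.organizations.Organization("example",
    aws_service_access_principals=["config-multiaccountsetup.amazonaws.com"],
    feature_set="ALL")
example = aws.cfg.OrganizationConformancePack("example",
    name="example",
    # NOTE(review): this parameter is declared in the template and supplied
    # here, but no rule in the template references it, so the 90-day value is
    # not enforced by anything this pack deploys.
    input_parameters=[aws.cfg.OrganizationConformancePackInputParameterArgs(
        parameter_name="AccessKeysRotatedParameterMaxAccessKeyAge",
        parameter_value="90",
    )],
    # The template is YAML: the nesting inside the string is significant and is
    # restored here (Properties/Type sit under the rule's logical ID).
    template_body="""Parameters:
  AccessKeysRotatedParameterMaxAccessKeyAge:
    Type: String
Resources:
  IAMPasswordPolicy:
    Properties:
      ConfigRuleName: IAMPasswordPolicy
      Source:
        Owner: AWS
        SourceIdentifier: IAM_PASSWORD_POLICY
    Type: AWS::Config::ConfigRule
""",
    # example_aws_config_configuration_recorder is not declared in this snippet;
    # presumably an aws.cfg.Recorder defined elsewhere in the program.
    opts=pulumi.ResourceOptions(depends_on=[
        example_aws_config_configuration_recorder,
        example_organization,
    ]))
using System.Collections.Generic;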
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
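return await Deployment.RunAsync(() =>
{
    // Trusted access for the AWS Config multi-account setup principal; the note
    // on this page also requires the organization to have all features enabled.
    var exampleOrganization = new Aws.Organizations.Organization("example", new()
    {
        AwsServiceAccessPrincipals = new[]
        {
            "config-multiaccountsetup.amazonaws.com",
        },
        FeatureSet = "ALL",
    });
    var example = new Aws.Cfg.OrganizationConformancePack("example", new()
    {
        Name = "example",
        // NOTE(review): this parameter is declared in the template and supplied
        // here, but no rule in the template references it, so the 90-day value
        // is not enforced by anything this pack deploys.
        InputParameters = new[]
        {
            new Aws.Cfg.Inputs.OrganizationConformancePackInputParameterArgs
            {
                ParameterName = "AccessKeysRotatedParameterMaxAccessKeyAge",
                ParameterValue = "90",
            },
        },
        // The template is YAML: the nesting inside the verbatim string is
        // significant and is restored here.
        TemplateBody = @"Parameters:
  AccessKeysRotatedParameterMaxAccessKeyAge:
    Type: String
Resources:
  IAMPasswordPolicy:
    Properties:
      ConfigRuleName: IAMPasswordPolicy
      Source:
        Owner: AWS
        SourceIdentifier: IAM_PASSWORD_POLICY
    Type: AWS::Config::ConfigRule
",
    }, new CustomResourceOptions
    {
        // exampleAwsConfigConfigurationRecorder is not declared in this snippet;
        // presumably an Aws.Cfg.Recorder defined elsewhere in the program.
        DependsOn =
        {
            exampleAwsConfigConfigurationRecorder,
            exampleOrganization,
        },
    });
});
package main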
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cfg"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
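// main registers the organization and an organization-wide conformance pack
// whose template is passed inline.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Trusted access for the AWS Config multi-account setup principal; the
		// note on this page also requires all features to be enabled.
		exampleOrganization, err := organizations.NewOrganization(ctx, "example", &organizations.OrganizationArgs{
			AwsServiceAccessPrincipals: pulumi.StringArray{
				pulumi.String("config-multiaccountsetup.amazonaws.com"),
			},
			FeatureSet: pulumi.String("ALL"),
		})
		if err != nil {
			return err
		}
		_, err = cfg.NewOrganizationConformancePack(ctx, "example", &cfg.OrganizationConformancePackArgs{
			Name: pulumi.String("example"),
			// NOTE(review): this parameter is declared in the template and
			// supplied here, but no rule in the template references it, so the
			// 90-day value is not enforced by anything this pack deploys.
			InputParameters: cfg.OrganizationConformancePackInputParameterArray{
				&cfg.OrganizationConformancePackInputParameterArgs{
					ParameterName:  pulumi.String("AccessKeysRotatedParameterMaxAccessKeyAge"),
					ParameterValue: pulumi.String("90"),
				},
			},
			// The template is YAML: the nesting inside the raw string is
			// significant and is restored here.
			TemplateBody: pulumi.String(`Parameters:
  AccessKeysRotatedParameterMaxAccessKeyAge:
    Type: String
Resources:
  IAMPasswordPolicy:
    Properties:
      ConfigRuleName: IAMPasswordPolicy
      Source:
        Owner: AWS
        SourceIdentifier: IAM_PASSWORD_POLICY
    Type: AWS::Config::ConfigRule
`),
		}, pulumi.DependsOn([]pulumi.Resource{
			// exampleAwsConfigConfigurationRecorder is not declared in this
			// snippet; presumably a cfg.Recorder created elsewhere.
			exampleAwsConfigConfigurationRecorder,
			exampleOrganization,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;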
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.organizations.Organization;
import com.pulumi.aws.organizations.OrganizationArgs;
import com.pulumi.aws.cfg.OrganizationConformancePack;
import com.pulumi.aws.cfg.OrganizationConformancePackArgs;
import com.pulumi.aws.cfg.inputs.OrganizationConformancePackInputParameterArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
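/**
 * Example program: enables AWS Config trusted access on the organization and
 * deploys an organization conformance pack from an inline template.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the organization and the conformance pack.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        // Trusted access for the AWS Config multi-account setup principal; the
        // note on this page also requires all features to be enabled.
        var exampleOrganization = new Organization("exampleOrganization", OrganizationArgs.builder()
            .awsServiceAccessPrincipals("config-multiaccountsetup.amazonaws.com")
            .featureSet("ALL")
            .build());

        var example = new OrganizationConformancePack("example", OrganizationConformancePackArgs.builder()
            .name("example")
            // NOTE(review): this parameter is declared in the template and
            // supplied here, but no rule in the template references it, so the
            // 90-day value is not enforced by anything this pack deploys.
            .inputParameters(OrganizationConformancePackInputParameterArgs.builder()
                .parameterName("AccessKeysRotatedParameterMaxAccessKeyAge")
                .parameterValue("90")
                .build())
            // The template is YAML: nesting is significant. The closing
            // delimiter sets the margin, so only the relative indentation
            // below reaches AWS Config.
            .templateBody("""
                Parameters:
                  AccessKeysRotatedParameterMaxAccessKeyAge:
                    Type: String
                Resources:
                  IAMPasswordPolicy:
                    Properties:
                      ConfigRuleName: IAMPasswordPolicy
                      Source:
                        Owner: AWS
                        SourceIdentifier: IAM_PASSWORD_POLICY
                    Type: AWS::Config::ConfigRule
                """)
            .build(), CustomResourceOptions.builder()
                // exampleAwsConfigConfigurationRecorder is not declared in this
                // snippet; presumably a Recorder resource created elsewhere.
                .dependsOn(
                    exampleAwsConfigConfigurationRecorder,
                    exampleOrganization)
                .build());
    }
}
resources: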
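# The entries below are children of the `resources:` key that opens this program.
  example:
    type: aws:cfg:OrganizationConformancePack
    properties:
      name: example
      # NOTE(review): this parameter is declared in the template and supplied
      # here, but no rule in the template references it, so the 90-day value is
      # not enforced by anything this pack deploys.
      inputParameters:
        - parameterName: AccessKeysRotatedParameterMaxAccessKeyAge
          parameterValue: '90'
      # The embedded template is YAML too; its nesting is significant.
      templateBody: |
        Parameters:
          AccessKeysRotatedParameterMaxAccessKeyAge:
            Type: String
        Resources:
          IAMPasswordPolicy:
            Properties:
              ConfigRuleName: IAMPasswordPolicy
              Source:
                Owner: AWS
                SourceIdentifier: IAM_PASSWORD_POLICY
            Type: AWS::Config::ConfigRule
    options:
      # Pulumi YAML spells this resource option `dependsOn`.
      # exampleAwsConfigConfigurationRecorder is not declared in this snippet;
      # presumably an aws:cfg:Recorder defined elsewhere in the program.
      dependsOn:
        - ${exampleAwsConfigConfigurationRecorder}
        - ${exampleOrganization}
  exampleOrganization:
    type: aws:organizations:Organization
    name: example
    properties:
      # Trusted access for the AWS Config multi-account setup principal.
      awsServiceAccessPrincipals:
        - config-multiaccountsetup.amazonaws.com
      featureSet: ALL
Using Template S3 URI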
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
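// Trusted access for the AWS Config multi-account setup principal; the note on
// this page also requires the organization to have all features enabled.
const exampleOrganization = new aws.organizations.Organization("example", {
    awsServiceAccessPrincipals: ["config-multiaccountsetup.amazonaws.com"],
    featureSet: "ALL",
});
// "example" is a placeholder bucket name. Whoever can overwrite the template
// object decides which rules are evaluated in every member account, so write
// access to this bucket should be tightly restricted.
const exampleBucketV2 = new aws.s3.BucketV2("example", {bucket: "example"});
const exampleBucketObjectv2 = new aws.s3.BucketObjectv2("example", {
    bucket: exampleBucketV2.id,
    key: "example-key",
    // The template is YAML: the nesting inside the literal is significant and
    // is restored here (Properties/Type sit under the rule's logical ID).
    content: `Resources:
  IAMPasswordPolicy:
    Properties:
      ConfigRuleName: IAMPasswordPolicy
      Source:
        Owner: AWS
        SourceIdentifier: IAM_PASSWORD_POLICY
    Type: AWS::Config::ConfigRule
`,
});
const example = new aws.cfg.OrganizationConformancePack("example", {
    name: "example",
    templateS3Uri: pulumi.interpolate`s3://${exampleBucketV2.bucket}/${exampleBucketObjectv2.key}`,
}, {
    // exampleAwsConfigConfigurationRecorder is not declared in this snippet;
    // presumably an aws.cfg.Recorder defined elsewhere in the program.
    dependsOn: [
        exampleAwsConfigConfigurationRecorder,
        exampleOrganization,
    ],
});
import pulumi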
import pulumi_aws as aws
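# Trusted access for the AWS Config multi-account setup principal; the note on
# this page also requires the organization to have all features enabled.
example_organization = aws.organizations.Organization("example",
    aws_service_access_principals=["config-multiaccountsetup.amazonaws.com"],
    feature_set="ALL")
# "example" is a placeholder bucket name. Whoever can overwrite the template
# object decides which rules are evaluated in every member account, so write
# access to this bucket should be tightly restricted.
example_bucket_v2 = aws.s3.BucketV2("example", bucket="example")
example_bucket_objectv2 = aws.s3.BucketObjectv2("example",
    bucket=example_bucket_v2.id,
    key="example-key",
    # The template is YAML: the nesting inside the string is significant and is
    # restored here (Properties/Type sit under the rule's logical ID).
    content="""Resources:
  IAMPasswordPolicy:
    Properties:
      ConfigRuleName: IAMPasswordPolicy
      Source:
        Owner: AWS
        SourceIdentifier: IAM_PASSWORD_POLICY
    Type: AWS::Config::ConfigRule
""")
example = aws.cfg.OrganizationConformancePack("example",
    name="example",
    # Output.all resolves to a single list, so the callback takes one argument;
    # a two-parameter lambda would raise TypeError when the outputs resolve.
    template_s3_uri=pulumi.Output.all(example_bucket_v2.bucket, example_bucket_objectv2.key).apply(
        lambda resolved: f"s3://{resolved[0]}/{resolved[1]}"),
    # example_aws_config_configuration_recorder is not declared in this snippet;
    # presumably an aws.cfg.Recorder defined elsewhere in the program.
    opts=pulumi.ResourceOptions(depends_on=[
        example_aws_config_configuration_recorder,
        example_organization,
    ]))
using System.Collections.Generic;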
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
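return await Deployment.RunAsync(() =>
{
    // Trusted access for the AWS Config multi-account setup principal; the note
    // on this page also requires the organization to have all features enabled.
    var exampleOrganization = new Aws.Organizations.Organization("example", new()
    {
        AwsServiceAccessPrincipals = new[]
        {
            "config-multiaccountsetup.amazonaws.com",
        },
        FeatureSet = "ALL",
    });
    // "example" is a placeholder bucket name. Whoever can overwrite the template
    // object decides which rules are evaluated in every member account, so write
    // access to this bucket should be tightly restricted.
    var exampleBucketV2 = new Aws.S3.BucketV2("example", new()
    {
        Bucket = "example",
    });
    var exampleBucketObjectv2 = new Aws.S3.BucketObjectv2("example", new()
    {
        Bucket = exampleBucketV2.Id,
        Key = "example-key",
        // The template is YAML: the nesting inside the verbatim string is
        // significant and is restored here.
        Content = @"Resources:
  IAMPasswordPolicy:
    Properties:
      ConfigRuleName: IAMPasswordPolicy
      Source:
        Owner: AWS
        SourceIdentifier: IAM_PASSWORD_POLICY
    Type: AWS::Config::ConfigRule
",
    });
    var example = new Aws.Cfg.OrganizationConformancePack("example", new()
    {
        Name = "example",
        // Builds the s3:// URI once both the bucket name and object key are known.
        TemplateS3Uri = Output.Tuple(exampleBucketV2.Bucket, exampleBucketObjectv2.Key).Apply(values =>
        {
            var bucket = values.Item1;
            var key = values.Item2;
            return $"s3://{bucket}/{key}";
        }),
    }, new CustomResourceOptions
    {
        // exampleAwsConfigConfigurationRecorder is not declared in this snippet;
        // presumably an Aws.Cfg.Recorder defined elsewhere in the program.
        DependsOn =
        {
            exampleAwsConfigConfigurationRecorder,
            exampleOrganization,
        },
    });
});
package main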
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cfg"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/organizations"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/s3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
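// main registers the organization, uploads the conformance pack template to
// S3, and deploys the pack organization-wide from that S3 URI.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Trusted access for the AWS Config multi-account setup principal; the
		// note on this page also requires all features to be enabled.
		exampleOrganization, err := organizations.NewOrganization(ctx, "example", &organizations.OrganizationArgs{
			AwsServiceAccessPrincipals: pulumi.StringArray{
				pulumi.String("config-multiaccountsetup.amazonaws.com"),
			},
			FeatureSet: pulumi.String("ALL"),
		})
		if err != nil {
			return err
		}
		// "example" is a placeholder bucket name. Whoever can overwrite the
		// template object decides which rules are evaluated in every member
		// account, so write access to this bucket should be tightly restricted.
		exampleBucketV2, err := s3.NewBucketV2(ctx, "example", &s3.BucketV2Args{
			Bucket: pulumi.String("example"),
		})
		if err != nil {
			return err
		}
		exampleBucketObjectv2, err := s3.NewBucketObjectv2(ctx, "example", &s3.BucketObjectv2Args{
			Bucket: exampleBucketV2.ID(),
			Key:    pulumi.String("example-key"),
			// The template is YAML: the nesting inside the raw string is
			// significant and is restored here.
			Content: pulumi.String(`Resources:
  IAMPasswordPolicy:
    Properties:
      ConfigRuleName: IAMPasswordPolicy
      Source:
        Owner: AWS
        SourceIdentifier: IAM_PASSWORD_POLICY
    Type: AWS::Config::ConfigRule
`),
		})
		if err != nil {
			return err
		}
		_, err = cfg.NewOrganizationConformancePack(ctx, "example", &cfg.OrganizationConformancePackArgs{
			Name: pulumi.String("example"),
			// Builds the s3:// URI once both the bucket name and key resolve.
			TemplateS3Uri: pulumi.All(exampleBucketV2.Bucket, exampleBucketObjectv2.Key).ApplyT(func(_args []interface{}) (string, error) {
				bucket := _args[0].(string)
				key := _args[1].(string)
				return fmt.Sprintf("s3://%v/%v", bucket, key), nil
			}).(pulumi.StringOutput),
		}, pulumi.DependsOn([]pulumi.Resource{
			// exampleAwsConfigConfigurationRecorder is not declared in this
			// snippet; presumably a cfg.Recorder created elsewhere.
			exampleAwsConfigConfigurationRecorder,
			exampleOrganization,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;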
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.organizations.Organization;
import com.pulumi.aws.organizations.OrganizationArgs;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.s3.BucketObjectv2;
import com.pulumi.aws.s3.BucketObjectv2Args;
import com.pulumi.aws.cfg.OrganizationConformancePack;
import com.pulumi.aws.cfg.OrganizationConformancePackArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
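/**
 * Example program: enables AWS Config trusted access on the organization,
 * uploads a conformance pack template to S3, and deploys the pack from that
 * S3 URI.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the organization, the template bucket and object, and the
     * conformance pack.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        // Trusted access for the AWS Config multi-account setup principal; the
        // note on this page also requires all features to be enabled.
        var exampleOrganization = new Organization("exampleOrganization", OrganizationArgs.builder()
            .awsServiceAccessPrincipals("config-multiaccountsetup.amazonaws.com")
            .featureSet("ALL")
            .build());

        // "example" is a placeholder bucket name. Whoever can overwrite the
        // template object decides which rules are evaluated in every member
        // account, so write access to this bucket should be tightly restricted.
        var exampleBucketV2 = new BucketV2("exampleBucketV2", BucketV2Args.builder()
            .bucket("example")
            .build());

        var exampleBucketObjectv2 = new BucketObjectv2("exampleBucketObjectv2", BucketObjectv2Args.builder()
            .bucket(exampleBucketV2.id())
            .key("example-key")
            // The template is YAML: nesting is significant. The closing
            // delimiter sets the margin, so only the relative indentation
            // below is stored in the object.
            .content("""
                Resources:
                  IAMPasswordPolicy:
                    Properties:
                      ConfigRuleName: IAMPasswordPolicy
                      Source:
                        Owner: AWS
                        SourceIdentifier: IAM_PASSWORD_POLICY
                    Type: AWS::Config::ConfigRule
                """)
            .build());

        var example = new OrganizationConformancePack("example", OrganizationConformancePackArgs.builder()
            .name("example")
            // Builds the s3:// URI once both the bucket name and key resolve.
            .templateS3Uri(Output.tuple(exampleBucketV2.bucket(), exampleBucketObjectv2.key()).applyValue(values -> {
                var bucket = values.t1;
                var key = values.t2;
                return String.format("s3://%s/%s", bucket, key);
            }))
            .build(), CustomResourceOptions.builder()
                // exampleAwsConfigConfigurationRecorder is not declared in this
                // snippet; presumably a Recorder resource created elsewhere.
                .dependsOn(
                    exampleAwsConfigConfigurationRecorder,
                    exampleOrganization)
                .build());
    }
}
resources: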
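# The entries below are children of the `resources:` key that opens this program.
  example:
    type: aws:cfg:OrganizationConformancePack
    properties:
      name: example
      templateS3Uri: s3://${exampleBucketV2.bucket}/${exampleBucketObjectv2.key}
    options:
      # Pulumi YAML spells this resource option `dependsOn`.
      # exampleAwsConfigConfigurationRecorder is not declared in this snippet;
      # presumably an aws:cfg:Recorder defined elsewhere in the program.
      dependsOn:
        - ${exampleAwsConfigConfigurationRecorder}
        - ${exampleOrganization}
  exampleOrganization:
    type: aws:organizations:Organization
    name: example
    properties:
      # Trusted access for the AWS Config multi-account setup principal.
      awsServiceAccessPrincipals:
        - config-multiaccountsetup.amazonaws.com
      featureSet: ALL
  # "example" is a placeholder bucket name. Whoever can overwrite the template
  # object decides which rules are evaluated in every member account, so write
  # access to this bucket should be tightly restricted.
  exampleBucketV2:
    type: aws:s3:BucketV2
    name: example
    properties:
      bucket: example
  exampleBucketObjectv2:
    type: aws:s3:BucketObjectv2
    name: example
    properties:
      bucket: ${exampleBucketV2.id}
      key: example-key
      # The embedded template is YAML too; its nesting is significant.
      content: |
        Resources:
          IAMPasswordPolicy:
            Properties:
              ConfigRuleName: IAMPasswordPolicy
              Source:
                Owner: AWS
                SourceIdentifier: IAM_PASSWORD_POLICY
            Type: AWS::Config::ConfigRule
Import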
Using pulumi import, import Config Organization Conformance Packs using the name. For example:
$ pulumi import aws:cfg/organizationConformancePack:OrganizationConformancePack example example