AWS Config Organization Custom Rule
This page shows how to write Terraform and CloudFormation for AWS Config Organization Custom Rule and write them securely.
aws_config_organization_custom_rule (Terraform)
The Organization Custom Rule in AWS Config can be configured in Terraform with the resource name aws_config_organization_custom_rule. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_config_organization_custom_rule" "my_config_organization_custom_rule" {
  lambda_function_arn = "fake"
  name                = "example"
  trigger_types       = ["ConfigurationItemChangeNotification"]
}

resource "aws_config_organization_custom_rule" "my_config_organization_custom_rule" {
  lambda_function_arn = "fake"
  name                = "example"
  trigger_types       = ["ConfigurationItemChangeNotification"]
}
resource "aws_config_organization_custom_rule" "this" {
  description                 = var.description
  excluded_accounts           = var.excluded_accounts
  input_parameters            = var.input_parameters
  lambda_function_arn         = var.lambda_function_arn
  maximum_execution_frequency = var.maximum_execution_frequency
  # The source excerpt is cut off above this point. name and trigger_types are
  # required arguments; they are assumed here to follow the same var.<argument> pattern.
  name                        = var.name
  trigger_types               = var.trigger_types
}
resource "aws_config_organization_custom_rule" "this" {
  for_each = { for rule in var.custom_rules : rule.name => rule }

  lambda_function_arn = module.lambda[each.value.name].function_arn
  name                = each.value.name
  trigger_types       = each.value.trigger_types
}
Parameters
arn - optional, computed - string
description - optional - string
excluded_accounts - optional - set of string
id - optional, computed - string
input_parameters - optional - string
lambda_function_arn - required - string
maximum_execution_frequency - optional - string
name - required - string
resource_id_scope - optional - string
resource_types_scope - optional - set of string
tag_key_scope - optional - string
tag_value_scope - optional - string
trigger_types - required - set of string
timeouts - single block
Explanation in Terraform Registry
Manages a Config Organization Custom Rule. More information about these rules can be found in the Enabling AWS Config Rules Across all Accounts in Your Organization and AWS Config Managed Rules documentation. For working with Organization Managed Rules (those invoking an AWS managed rule), see the aws_config_organization_managed_rule resource.
NOTE: This resource must be created in the Organization master (management) account, and rules will include the master account unless its ID is added to the excluded_accounts argument.
NOTE: The proper Lambda permission to allow the AWS Config service to invoke the Lambda Function must be in place before the rule will successfully create or update. See also the aws_lambda_permission resource.
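The two NOTEs above are the parts that most often go wrong in practice, so here is a complete Terraform configuration that wires them together: the evaluator Lambda, the aws_lambda_permission granting the config.amazonaws.com service principal invoke rights, and the organization custom rule itself with change-based triggers, a resource-type scope, JSON input parameters and the management account excluded. This is an added example, not code from the page or from the repositories it cites. It assumes the handler is already packaged as ./evaluator.zip with a handler.lambda_handler entry point, that the ruleParameters key requireSseKms is something that handler reads (both hypothetical), and that the configuration is applied in the Organization management account.

```hcl
# Added example (not from the page or any cited repository). Assumes:
# - ./evaluator.zip already contains the evaluation handler (hypothetical)
# - this is applied in the Organization management account

data "aws_caller_identity" "current" {}

# Execution role for the evaluator Lambda: CloudWatch logging plus
# config:PutEvaluations so the handler can report compliance results.
# Any cross-account reporting the handler does for member accounts depends on
# the handler itself and is not covered here.
resource "aws_iam_role" "evaluator" {
  name = "config-org-custom-rule-evaluator"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "evaluator_logs" {
  role       = aws_iam_role.evaluator.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

resource "aws_iam_role_policy" "evaluator_put_evaluations" {
  name = "put-evaluations"
  role = aws_iam_role.evaluator.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["config:PutEvaluations"]
      Resource = "*"
    }]
  })
}

resource "aws_lambda_function" "evaluator" {
  function_name    = "config-org-custom-rule-evaluator"
  role             = aws_iam_role.evaluator.arn
  runtime          = "python3.12"
  handler          = "handler.lambda_handler" # hypothetical entry point
  filename         = "${path.module}/evaluator.zip"
  source_code_hash = filebase64sha256("${path.module}/evaluator.zip")
}

# The Lambda permission the registry NOTE refers to. Without it AWS Config
# cannot invoke the function and the organization rule fails to create.
resource "aws_lambda_permission" "allow_config" {
  statement_id  = "AllowExecutionFromAWSConfig"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.evaluator.function_name
  principal     = "config.amazonaws.com"
}

resource "aws_config_organization_custom_rule" "s3_bucket_check" {
  name                = "s3-bucket-custom-check"
  description         = "Evaluates S3 buckets in every member account with a custom Lambda"
  lambda_function_arn = aws_lambda_function.evaluator.arn

  # Change-triggered, plus the oversized variant so buckets whose configuration
  # item exceeds the SNS size limit are still evaluated rather than silently skipped.
  trigger_types = [
    "ConfigurationItemChangeNotification",
    "OversizedConfigurationItemChangeNotification",
  ]

  # Narrow the rule to the resource type the handler understands.
  resource_types_scope = ["AWS::S3::Bucket"]

  # Arbitrary JSON passed to the handler as ruleParameters (key name is hypothetical).
  input_parameters = jsonencode({ requireSseKms = "true" })

  # The management account is included by default; exclude it explicitly when
  # it should not be evaluated by this rule.
  excluded_accounts = [data.aws_caller_identity.current.account_id]

  # Make the ordering explicit so the permission exists before AWS Config
  # validates the rule on create or update.
  depends_on = [aws_lambda_permission.allow_config]
}
```

If the rule should also run on a schedule, add "ScheduledNotification" to trigger_types and set maximum_execution_frequency (for example "Six_Hours"); without the scheduled trigger the frequency setting has no effect. Leave excluded_accounts empty if the management account is meant to be evaluated like any other member.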
Tips: Best Practices for The Other AWS Config Resources
In addition to the organization custom rule, AWS Config has other resources that should be configured for security reasons. Please check the following examples of those resources and their precautions.
aws_config_configuration_aggregator
Ensure to enable AWS Config in all Regions
Enable AWS Config in every Region, not only the ones you actively use. A configuration aggregator can then collect configuration and compliance data from all Regions into a single view, which reduces the risk that resources created in an unmonitored Region go unevaluated.
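The organization-wide, all-Regions aggregator the tip describes looks like this in Terraform. This is an added example, not code from the page or from the repositories it cites; it assumes it is applied in the Organization management account, and the role and aggregator names are arbitrary.

```hcl
# Added example (not from the page). Assumes it is applied in the
# Organization management account.

# Role that AWS Config assumes to read the organization structure.
resource "aws_iam_role" "config_aggregator" {
  name = "config-organization-aggregator"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "config.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# AWS managed policy for organization aggregation.
resource "aws_iam_role_policy_attachment" "config_aggregator" {
  role       = aws_iam_role.config_aggregator.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
}

resource "aws_config_configuration_aggregator" "organization" {
  name = "organization-all-regions"

  organization_aggregation_source {
    # Collect from every Region in every member account, including Regions
    # enabled later, instead of maintaining a fixed list in `regions`.
    all_regions = true
    role_arn    = aws_iam_role.config_aggregator.arn
  }

  depends_on = [aws_iam_role_policy_attachment.config_aggregator]
}
```

An aggregator only collects what the source accounts and Regions already record: it does not turn on the configuration recorder anywhere. Check that a recorder and delivery channel exist in each Region of each account (for example through a StackSet or the Config recorder resources in Terraform), otherwise the aggregated view silently has gaps for exactly the Regions the tip warns about.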
AWS::Config::OrganizationConfigRule OrganizationCustomRuleMetadata (CloudFormation)
The OrganizationConfigRule OrganizationCustomRuleMetadata in Config can be configured in CloudFormation with the resource name AWS::Config::OrganizationConfigRule OrganizationCustomRuleMetadata. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
Description
The description that you provide for organization config rule.
Required: No
Type: String
Minimum: 0
Maximum: 256
Update requires: No interruption
InputParameters
A string, in JSON format, that is passed to organization config rule Lambda function.
Required: No
Type: String
Minimum: 1
Maximum: 2048
Update requires: No interruption
LambdaFunctionArn
The lambda function ARN.
Required: Yes
Type: String
Minimum: 1
Maximum: 256
Update requires: No interruption
MaximumExecutionFrequency
The maximum frequency with which AWS Config runs evaluations for a rule. Your custom rule is triggered when AWS Config delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties.
By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the MaximumExecutionFrequency parameter.
Required: No
Type: String
Allowed values: One_Hour | Six_Hours | Three_Hours | Twelve_Hours | TwentyFour_Hours
Update requires: No interruption
OrganizationConfigRuleTriggerTypes
The type of notification that triggers AWS Config to run an evaluation for a rule. You can specify the following notification types:
ConfigurationItemChangeNotification - Triggers an evaluation when AWS Config delivers a configuration item as a result of a resource change.
OversizedConfigurationItemChangeNotification - Triggers an evaluation when AWS Config delivers an oversized configuration item. AWS Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.
ScheduledNotification - Triggers a periodic evaluation at the frequency specified for MaximumExecutionFrequency.
Required: Yes
Type: List of String
Update requires: No interruption
ResourceIdScope
The ID of the AWS resource that was evaluated.
Required: No
Type: String
Minimum: 1
Maximum: 768
Update requires: No interruption
ResourceTypesScope
The type of the AWS resource that was evaluated.
Required: No
Type: List of String
Maximum: 100
Update requires: No interruption
TagKeyScope
One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values.
Required: No
Type: String
Minimum: 1
Maximum: 128
Update requires: No interruption
TagValueScope
The optional part of a key-value pair that makes up a tag. A value acts as a descriptor within a tag category (key).
Required: No
Type: String
Minimum: 1
Maximum: 256
Update requires: No interruption
Explanation in CloudFormation Registry
An object that specifies organization custom rule metadata such as resource type, resource ID of AWS resource, Lambda function ARN, and organization trigger types that trigger AWS Config to evaluate your AWS resources against a rule. It also provides the frequency with which you want AWS Config to run evaluations for the rule if the trigger type is periodic.
Frequently asked questions
What is AWS Config Organization Custom Rule?
AWS Config Organization Custom Rule is a resource for AWS Config in Amazon Web Services. Its settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Config Organization Custom Rule?
For Terraform, the gilyas/infracost, infracost/infracost and niveklabs/aws source code examples are useful. See the Terraform Example section for further details.