Manages a Config Organization Custom Rule. More information about these rules can be found in the Enabling AWS Config Rules Across all Accounts in Your Organization and AWS Config Managed Rules documentation. For working with Organization Managed Rules (those invoking an AWS managed rule), see the aws_config_organization_managed__rule
resource.
resource "aws_lambda_permission" "example" {
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.example.arn
principal = "config.amazonaws.com"
statement_id = "AllowExecutionFromConfig"
}
resource "aws_organizations_organization" "example" {
aws_service_access_principals = ["config-multiaccountsetup.amazonaws.com"]
feature_set = "ALL"
}
resource "aws_config_organization_custom_rule" "example" {
depends_on = [
aws_lambda_permission.example,
aws_organizations_organization.example,
]
lambda_function_arn = aws_lambda_function.example.arn
name = "example"
trigger_types = ["ConfigurationItemChangeNotification"]
}
This resource supports the following arguments:
lambda_function_arn
- (Required) Amazon Resource Name (ARN) of the rule Lambda Functionname
- (Required) The name of the ruletrigger_types
- (Required) List of notification types that trigger AWS Config to run an evaluation for the rule. Valid values: ConfigurationItemChangeNotification
, OversizedConfigurationItemChangeNotification
, and ScheduledNotification
description
- (Optional) Description of the ruleexcluded_accounts
- (Optional) List of AWS account identifiers to exclude from the ruleinput_parameters
- (Optional) A string in JSON format that is passed to the AWS Config Rule Lambda Functionmaximum_execution_frequency
- (Optional) The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours
for periodic frequency triggered rules. Valid values: One_Hour
, Three_Hours
, Six_Hours
, Twelve_Hours
, or TwentyFour_Hours
.resource_id_scope
- (Optional) Identifier of the AWS resource to evaluateresource_types_scope
- (Optional) List of types of AWS resources to evaluatetag_key_scope
- (Optional, Required if tag_value_scope
is configured) Tag key of AWS resources to evaluatetag_value_scope
- (Optional) Tag value of AWS resources to evaluateThis resource exports the following attributes in addition to the arguments above:
arn
- Amazon Resource Name (ARN) of the rulecreate
- (Default 5m
)delete
- (Default 5m
)update
- (Default 5m
)In Terraform v1.5.0 and later, use an import
block to import Config Organization Custom Rules using the name. For example:
import {
to = aws_config_organization_custom_rule.example
id = "example"
}
Using terraform import
, import Config Organization Custom Rules using the name. For example:
% terraform import aws_config_organization_custom_rule.example example