Manages a Config Organization Custom Policy Rule. More information about these rules can be found in the Enabling AWS Config Rules Across all Accounts in Your Organization and AWS Config Managed Rules documentation. For working with Organization Managed Rules (those invoking an AWS managed rule), see the aws_config_organization_managed__rule
resource.
resource "aws_config_organization_custom_policy_rule" "example" {
name = "example_rule_name"
policy_runtime = "guard-2.x.x"
policy_text = <<-EOF
let status = ['ACTIVE']
rule tableisactive when
resourceType == "AWS::DynamoDB::Table" {
configuration.tableStatus == %status
}
rule checkcompliance when
resourceType == "AWS::DynamoDB::Table"
tableisactive {
let pitr = supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus
%pitr == "ENABLED"
}
EOF
resource_types_scope = ["AWS::DynamoDB::Table"]
}
The following arguments are required:
name
- (Required) name of the rulepolicy_text
- (Required) policy definition containing the logic for your organization AWS Config Custom Policy rulepolicy_runtime
- (Required) runtime system for your organization AWS Config Custom Policy rulestrigger_types
- (Required) List of notification types that trigger AWS Config to run an evaluation for the rule. Valid values: ConfigurationItemChangeNotification
, OversizedConfigurationItemChangeNotification
The following arguments are optional:
description
- (Optional) Description of the ruledebug_log_delivery_accounts
- (Optional) List of AWS account identifiers to exclude from the ruleexcluded_accounts
- (Optional) List of AWS account identifiers to exclude from the ruleinput_parameters
- (Optional) A string in JSON format that is passed to the AWS Config Rule Lambda Functionmaximum_execution_frequency
- (Optional) Maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours
for periodic frequency triggered rules. Valid values: One_Hour
, Three_Hours
, Six_Hours
, Twelve_Hours
, or TwentyFour_Hours
.resource_id_scope
- (Optional) Identifier of the AWS resource to evaluateresource_types_scope
- (Optional) List of types of AWS resources to evaluatetag_key_scope
- (Optional, Required if tag_value_scope
is configured) Tag key of AWS resources to evaluatetag_value_scope
- (Optional) Tag value of AWS resources to evaluateThis resource exports the following attributes in addition to the arguments above:
arn
- Amazon Resource Name (ARN) of the rulecreate
- (Default 20m
)update
- (Default 20m
)delete
- (Default 20m
)In Terraform v1.5.0 and later, use an import
block to import a Config Organization Custom Policy Rule using the name
argument. For example:
import {
to = aws_config_organization_custom_policy_rule.example
id = "example_rule_name"
}
Using terraform import
, import a Config Organization Custom Policy Rule using the name
argument. For example:
% terraform import aws_config_organization_custom_policy_rule.example example_rule_name