Package com.pulumi.aws.cfg
Class Rule
- java.lang.Object
-
- com.pulumi.resources.Resource
-
- com.pulumi.resources.CustomResource
-
- com.pulumi.aws.cfg.Rule
-
public class Rule extends com.pulumi.resources.CustomResource
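Provides an AWS Config Rule.

> **Note:** Config Rule requires an existing Configuration Recorder to be present. Use of `depends_on` is recommended (as shown below) to avoid race conditions.

## Example Usage

### AWS Managed Rules

AWS managed rules can be used by setting the source owner to `AWS` and the source identifier to the name of the managed rule. More information about AWS managed rules can be found in the [AWS Config Developer Guide](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html).

<!--Start PulumiCodeChooser -->
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementPrincipalArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.cfg.Recorder;
import com.pulumi.aws.cfg.RecorderArgs;
import com.pulumi.aws.cfg.Rule;
import com.pulumi.aws.cfg.RuleArgs;
import com.pulumi.aws.cfg.inputs.RuleSourceArgs;
import com.pulumi.aws.iam.RolePolicy;
import com.pulumi.aws.iam.RolePolicyArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Example program: an AWS managed Config rule backed by a configuration recorder
 * and the IAM role the recorder runs as.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the role, recorder, managed rule and role policy for the stack.
     *
     * @param ctx the Pulumi program context (not read by this example)
     */
    public static void stack(Context ctx) {
        // Trust policy: only the AWS Config service principal may assume the role.
        final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                    .type("Service")
                    .identifiers("config.amazonaws.com")
                    .build())
                .actions("sts:AssumeRole")
                .build())
            .build());

        var rRole = new Role("rRole", RoleArgs.builder()
            .name("my-awsconfig-role")
            .assumeRolePolicy(assumeRole.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());

        var foo = new Recorder("foo", RecorderArgs.builder()
            .name("example")
            .roleArn(rRole.arn())
            .build());

        // dependsOn(foo) orders the rule after the recorder, which the note above
        // recommends to avoid a race with recorder creation.
        var r = new Rule("r", RuleArgs.builder()
            .name("example")
            .source(RuleSourceArgs.builder()
                .owner("AWS")
                .sourceIdentifier("S3_BUCKET_VERSIONING_ENABLED")
                .build())
            .build(), CustomResourceOptions.builder()
                .dependsOn(foo)
                .build());

        // NOTE(review): "config:Put*" on resource "*" grants every Config write action
        // (recorder, delivery channel, rule and evaluation writes) across the account.
        // For anything beyond a demo, list only the actions this role needs, or attach
        // the AWS-managed AWS_ConfigRole service-role policy instead of a wildcard.
        final var p = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .actions("config:Put*")
                .resources("*")
                .build())
            .build());

        var pRolePolicy = new RolePolicy("pRolePolicy", RolePolicyArgs.builder()
            .name("my-awsconfig-policy")
            .role(rRole.id())
            .policy(p.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());
    }
}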
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cfg.Recorder;
import com.pulumi.aws.lambda.Function;
import com.pulumi.aws.lambda.Permission;
import com.pulumi.aws.lambda.PermissionArgs;
import com.pulumi.aws.cfg.Rule;
import com.pulumi.aws.cfg.RuleArgs;
import com.pulumi.aws.cfg.inputs.RuleSourceArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Example program: a custom AWS Config rule evaluated by a Lambda function.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the recorder, the evaluating function, its invoke permission and the rule.
     *
     * @param ctx the Pulumi program context (not read by this example)
     */
    public static void stack(Context ctx) {
        // The page constructs these two with a name only; presumably their real
        // configuration is elided, so fill it in before using this as a template.
        var recorder = new Recorder("example");
        var ruleFunction = new Function("exampleFunction");

        // Lets the AWS Config service invoke the evaluating function.
        // NOTE(review): the grant names only the service principal. PermissionArgs also
        // accepts sourceAccount; setting it to your own account ID restricts invocation
        // to Config rules in that account (confused-deputy guard).
        var permissionArgs = PermissionArgs.builder()
            .action("lambda:InvokeFunction")
            .function(ruleFunction.arn())
            .principal("config.amazonaws.com")
            .statementId("AllowExecutionFromConfig")
            .build();
        var invokePermission = new Permission("examplePermission", permissionArgs);

        var ruleSource = RuleSourceArgs.builder()
            .owner("CUSTOM_LAMBDA")
            .sourceIdentifier(ruleFunction.arn())
            .build();

        // The rule is ordered after both the recorder and the invoke permission.
        var ruleOptions = CustomResourceOptions.builder()
            .dependsOn(recorder, invokePermission)
            .build();

        var customRule = new Rule("exampleRule", RuleArgs.builder()
            .source(ruleSource)
            .build(), ruleOptions);
    }
}
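package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cfg.Rule;
import com.pulumi.aws.cfg.RuleArgs;
import com.pulumi.aws.cfg.inputs.RuleSourceArgs;
import com.pulumi.aws.cfg.inputs.RuleSourceCustomPolicyDetailsArgs;
import com.pulumi.aws.cfg.inputs.RuleSourceSourceDetailArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Example program: a custom-policy AWS Config rule whose logic is an inline Guard policy.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a CUSTOM_POLICY rule evaluated on configuration item changes.
     *
     * @param ctx the Pulumi program context (not read by this example)
     */
    public static void stack(Context ctx) {
        var example = new Rule("example", RuleArgs.builder()
            .name("example")
            .source(RuleSourceArgs.builder()
                .owner("CUSTOM_POLICY")
                .sourceDetails(RuleSourceSourceDetailArgs.builder()
                    .messageType("ConfigurationItemChangeNotification")
                    .build())
                .customPolicyDetails(RuleSourceCustomPolicyDetailsArgs.builder()
                    .policyRuntime("guard-2.x.x")
                    // The page collapsed this text block onto one line; the line breaks
                    // below are restored so that it is a valid Java text block.
                    // The policy checks that a DynamoDB table is ACTIVE and, when it is,
                    // that point-in-time recovery is ENABLED.
                    .policyText("""
                        rule tableisactive when
                            resourceType == "AWS::DynamoDB::Table" {
                            configuration.tableStatus == ['ACTIVE']
                        }

                        rule checkcompliance when
                            resourceType == "AWS::DynamoDB::Table"
                            tableisactive {
                                supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus == "ENABLED"
                        }
                        """)
                    .build())
                .build())
            .build());
    }
}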
-
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description com.pulumi.core.Output<java.lang.String>
arn()
com.pulumi.core.Output<java.util.Optional<java.lang.String>>
description()
com.pulumi.core.Output<java.util.List<RuleEvaluationMode>>
evaluationModes()
static Rule
get(java.lang.String name, com.pulumi.core.Output<java.lang.String> id, RuleState state, com.pulumi.resources.CustomResourceOptions options)
Get an existing Rule resource's state with the given name, ID, and optional extra properties used to qualify the lookup.
com.pulumi.core.Output<java.util.Optional<java.lang.String>>
inputParameters()
com.pulumi.core.Output<java.util.Optional<java.lang.String>>
maximumExecutionFrequency()
com.pulumi.core.Output<java.lang.String>
name()
com.pulumi.core.Output<java.lang.String>
ruleId()
com.pulumi.core.Output<java.util.Optional<RuleScope>>
scope()
com.pulumi.core.Output<RuleSource>
source()
com.pulumi.core.Output<java.util.Optional<java.util.Map<java.lang.String,java.lang.String>>>
tags()
com.pulumi.core.Output<java.util.Map<java.lang.String,java.lang.String>>
tagsAll()
-
-
-
Constructor Detail
-
Rule
public Rule(java.lang.String name)
- Parameters:
name
- The _unique_ name of the resulting resource.
-
Rule
public Rule(java.lang.String name, RuleArgs args)
- Parameters:
name
- The _unique_ name of the resulting resource.
args
- The arguments to use to populate this resource's properties.
-
Rule
public Rule(java.lang.String name, RuleArgs args, @Nullable com.pulumi.resources.CustomResourceOptions options)
- Parameters:
name
- The _unique_ name of the resulting resource.
args
- The arguments to use to populate this resource's properties.
options
- A bag of options that control this resource's behavior.
-
-
Method Detail
-
arn
public com.pulumi.core.Output<java.lang.String> arn()
- Returns:
- The ARN of the config rule
-
description
public com.pulumi.core.Output<java.util.Optional<java.lang.String>> description()
- Returns:
- Description of the rule
-
evaluationModes
public com.pulumi.core.Output<java.util.List<RuleEvaluationMode>> evaluationModes()
- Returns:
- The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
-
inputParameters
public com.pulumi.core.Output<java.util.Optional<java.lang.String>> inputParameters()
- Returns:
- A string in JSON format that is passed to the AWS Config rule Lambda function.
-
maximumExecutionFrequency
public com.pulumi.core.Output<java.util.Optional<java.lang.String>> maximumExecutionFrequency()
- Returns:
- The maximum frequency with which AWS Config runs evaluations for a rule.
-
name
public com.pulumi.core.Output<java.lang.String> name()
- Returns:
- The name of the rule
-
ruleId
public com.pulumi.core.Output<java.lang.String> ruleId()
- Returns:
- The ID of the config rule
-
scope
public com.pulumi.core.Output<java.util.Optional<RuleScope>> scope()
- Returns:
- Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
-
source
public com.pulumi.core.Output<RuleSource> source()
- Returns:
- Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
-
tags
public com.pulumi.core.Output<java.util.Optional<java.util.Map<java.lang.String,java.lang.String>>> tags()
- Returns:
- A map of tags to assign to the resource. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
-
tagsAll
public com.pulumi.core.Output<java.util.Map<java.lang.String,java.lang.String>> tagsAll()
- Returns:
- A map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
-
get
public static Rule get(java.lang.String name, com.pulumi.core.Output<java.lang.String> id, @Nullable RuleState state, @Nullable com.pulumi.resources.CustomResourceOptions options)
Get an existing Rule resource's state with the given name, ID, and optional extra properties used to qualify the lookup.
- Parameters:
name
- The _unique_ name of the resulting resource.
id
- The _unique_ provider ID of the resource to look up.
state
-
options
- Optional settings to control the behavior of the CustomResource.
-
-