1. Packages
  2. AWS Classic
  3. API Docs
  4. cfg
  5. Rule

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.27.0 published on Monday, Mar 18, 2024 by Pulumi

aws.cfg.Rule

Explore with Pulumi AI

aws logo

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.27.0 published on Monday, Mar 18, 2024 by Pulumi

    Provides an AWS Config Rule.

    Note: Config Rule requires an existing Configuration Recorder to be present. Use of depends_on is recommended (as shown below) to avoid race conditions.

    Example Usage

    AWS Managed Rules

    AWS managed rules can be used by setting the source owner to AWS and the source identifier to the name of the managed rule. More information about AWS managed rules can be found in the AWS Config Developer Guide.

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const r = new aws.cfg.Rule("r", {
        name: "example",
        source: {
            owner: "AWS",
            sourceIdentifier: "S3_BUCKET_VERSIONING_ENABLED",
        },
    });
    const assumeRole = aws.iam.getPolicyDocument({
        statements: [{
            effect: "Allow",
            principals: [{
                type: "Service",
                identifiers: ["config.amazonaws.com"],
            }],
            actions: ["sts:AssumeRole"],
        }],
    });
    const rRole = new aws.iam.Role("r", {
        name: "my-awsconfig-role",
        assumeRolePolicy: assumeRole.then(assumeRole => assumeRole.json),
    });
    const foo = new aws.cfg.Recorder("foo", {
        name: "example",
        roleArn: rRole.arn,
    });
    const p = aws.iam.getPolicyDocument({
        statements: [{
            effect: "Allow",
            actions: ["config:Put*"],
            resources: ["*"],
        }],
    });
    const pRolePolicy = new aws.iam.RolePolicy("p", {
        name: "my-awsconfig-policy",
        role: rRole.id,
        policy: p.then(p => p.json),
    });
    
    import pulumi
    import pulumi_aws as aws
    
    r = aws.cfg.Rule("r",
        name="example",
        source=aws.cfg.RuleSourceArgs(
            owner="AWS",
            source_identifier="S3_BUCKET_VERSIONING_ENABLED",
        ))
    assume_role = aws.iam.get_policy_document(statements=[aws.iam.GetPolicyDocumentStatementArgs(
        effect="Allow",
        principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
            type="Service",
            identifiers=["config.amazonaws.com"],
        )],
        actions=["sts:AssumeRole"],
    )])
    r_role = aws.iam.Role("r",
        name="my-awsconfig-role",
        assume_role_policy=assume_role.json)
    foo = aws.cfg.Recorder("foo",
        name="example",
        role_arn=r_role.arn)
    p = aws.iam.get_policy_document(statements=[aws.iam.GetPolicyDocumentStatementArgs(
        effect="Allow",
        actions=["config:Put*"],
        resources=["*"],
    )])
    p_role_policy = aws.iam.RolePolicy("p",
        name="my-awsconfig-policy",
        role=r_role.id,
        policy=p.json)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cfg"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := cfg.NewRule(ctx, "r", &cfg.RuleArgs{
    			Name: pulumi.String("example"),
    			Source: &cfg.RuleSourceArgs{
    				Owner:            pulumi.String("AWS"),
    				SourceIdentifier: pulumi.String("S3_BUCKET_VERSIONING_ENABLED"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		assumeRole, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Effect: pulumi.StringRef("Allow"),
    					Principals: []iam.GetPolicyDocumentStatementPrincipal{
    						{
    							Type: "Service",
    							Identifiers: []string{
    								"config.amazonaws.com",
    							},
    						},
    					},
    					Actions: []string{
    						"sts:AssumeRole",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		rRole, err := iam.NewRole(ctx, "r", &iam.RoleArgs{
    			Name:             pulumi.String("my-awsconfig-role"),
    			AssumeRolePolicy: *pulumi.String(assumeRole.Json),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = cfg.NewRecorder(ctx, "foo", &cfg.RecorderArgs{
    			Name:    pulumi.String("example"),
    			RoleArn: rRole.Arn,
    		})
    		if err != nil {
    			return err
    		}
    		p, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Effect: pulumi.StringRef("Allow"),
    					Actions: []string{
    						"config:Put*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewRolePolicy(ctx, "p", &iam.RolePolicyArgs{
    			Name:   pulumi.String("my-awsconfig-policy"),
    			Role:   rRole.ID(),
    			Policy: *pulumi.String(p.Json),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var r = new Aws.Cfg.Rule("r", new()
        {
            Name = "example",
            Source = new Aws.Cfg.Inputs.RuleSourceArgs
            {
                Owner = "AWS",
                SourceIdentifier = "S3_BUCKET_VERSIONING_ENABLED",
            },
        });
    
        var assumeRole = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Effect = "Allow",
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "Service",
                            Identifiers = new[]
                            {
                                "config.amazonaws.com",
                            },
                        },
                    },
                    Actions = new[]
                    {
                        "sts:AssumeRole",
                    },
                },
            },
        });
    
        var rRole = new Aws.Iam.Role("r", new()
        {
            Name = "my-awsconfig-role",
            AssumeRolePolicy = assumeRole.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
        });
    
        var foo = new Aws.Cfg.Recorder("foo", new()
        {
            Name = "example",
            RoleArn = rRole.Arn,
        });
    
        var p = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Effect = "Allow",
                    Actions = new[]
                    {
                        "config:Put*",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                },
            },
        });
    
        var pRolePolicy = new Aws.Iam.RolePolicy("p", new()
        {
            Name = "my-awsconfig-policy",
            Role = rRole.Id,
            Policy = p.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.cfg.Rule;
    import com.pulumi.aws.cfg.RuleArgs;
    import com.pulumi.aws.cfg.inputs.RuleSourceArgs;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import com.pulumi.aws.iam.Role;
    import com.pulumi.aws.iam.RoleArgs;
    import com.pulumi.aws.cfg.Recorder;
    import com.pulumi.aws.cfg.RecorderArgs;
    import com.pulumi.aws.iam.RolePolicy;
    import com.pulumi.aws.iam.RolePolicyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var r = new Rule("r", RuleArgs.builder()        
                .name("example")
                .source(RuleSourceArgs.builder()
                    .owner("AWS")
                    .sourceIdentifier("S3_BUCKET_VERSIONING_ENABLED")
                    .build())
                .build());
    
            final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(GetPolicyDocumentStatementArgs.builder()
                    .effect("Allow")
                    .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                        .type("Service")
                        .identifiers("config.amazonaws.com")
                        .build())
                    .actions("sts:AssumeRole")
                    .build())
                .build());
    
            var rRole = new Role("rRole", RoleArgs.builder()        
                .name("my-awsconfig-role")
                .assumeRolePolicy(assumeRole.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                .build());
    
            var foo = new Recorder("foo", RecorderArgs.builder()        
                .name("example")
                .roleArn(rRole.arn())
                .build());
    
            final var p = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(GetPolicyDocumentStatementArgs.builder()
                    .effect("Allow")
                    .actions("config:Put*")
                    .resources("*")
                    .build())
                .build());
    
            var pRolePolicy = new RolePolicy("pRolePolicy", RolePolicyArgs.builder()        
                .name("my-awsconfig-policy")
                .role(rRole.id())
                .policy(p.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                .build());
    
        }
    }
    
    resources:
      r:
        type: aws:cfg:Rule
        properties:
          name: example
          source:
            owner: AWS
            sourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
      foo:
        type: aws:cfg:Recorder
        properties:
          name: example
          roleArn: ${rRole.arn}
      rRole:
        type: aws:iam:Role
        name: r
        properties:
          name: my-awsconfig-role
          assumeRolePolicy: ${assumeRole.json}
      pRolePolicy:
        type: aws:iam:RolePolicy
        name: p
        properties:
          name: my-awsconfig-policy
          role: ${rRole.id}
          policy: ${p.json}
    variables:
      assumeRole:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - effect: Allow
                principals:
                  - type: Service
                    identifiers:
                      - config.amazonaws.com
                actions:
                  - sts:AssumeRole
      p:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - effect: Allow
                actions:
                  - config:Put*
                resources:
                  - '*'
    

    Custom Rules

    Custom rules can be used by setting the source owner to CUSTOM_LAMBDA and the source identifier to the Amazon Resource Name (ARN) of the Lambda Function. The AWS Config service must have permissions to invoke the Lambda Function, e.g., via the aws.lambda.Permission resource. More information about custom rules can be found in the AWS Config Developer Guide.

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.cfg.Recorder("example", {});
    const exampleFunction = new aws.lambda.Function("example", {});
    const examplePermission = new aws.lambda.Permission("example", {
        action: "lambda:InvokeFunction",
        "function": exampleFunction.arn,
        principal: "config.amazonaws.com",
        statementId: "AllowExecutionFromConfig",
    });
    const exampleRule = new aws.cfg.Rule("example", {source: {
        owner: "CUSTOM_LAMBDA",
        sourceIdentifier: exampleFunction.arn,
    }});
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.cfg.Recorder("example")
    example_function = aws.lambda_.Function("example")
    example_permission = aws.lambda_.Permission("example",
        action="lambda:InvokeFunction",
        function=example_function.arn,
        principal="config.amazonaws.com",
        statement_id="AllowExecutionFromConfig")
    example_rule = aws.cfg.Rule("example", source=aws.cfg.RuleSourceArgs(
        owner="CUSTOM_LAMBDA",
        source_identifier=example_function.arn,
    ))
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cfg"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lambda"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := cfg.NewRecorder(ctx, "example", nil)
    		if err != nil {
    			return err
    		}
    		exampleFunction, err := lambda.NewFunction(ctx, "example", nil)
    		if err != nil {
    			return err
    		}
    		_, err = lambda.NewPermission(ctx, "example", &lambda.PermissionArgs{
    			Action:      pulumi.String("lambda:InvokeFunction"),
    			Function:    exampleFunction.Arn,
    			Principal:   pulumi.String("config.amazonaws.com"),
    			StatementId: pulumi.String("AllowExecutionFromConfig"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = cfg.NewRule(ctx, "example", &cfg.RuleArgs{
    			Source: &cfg.RuleSourceArgs{
    				Owner:            pulumi.String("CUSTOM_LAMBDA"),
    				SourceIdentifier: exampleFunction.Arn,
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.Cfg.Recorder("example");
    
        var exampleFunction = new Aws.Lambda.Function("example");
    
        var examplePermission = new Aws.Lambda.Permission("example", new()
        {
            Action = "lambda:InvokeFunction",
            Function = exampleFunction.Arn,
            Principal = "config.amazonaws.com",
            StatementId = "AllowExecutionFromConfig",
        });
    
        var exampleRule = new Aws.Cfg.Rule("example", new()
        {
            Source = new Aws.Cfg.Inputs.RuleSourceArgs
            {
                Owner = "CUSTOM_LAMBDA",
                SourceIdentifier = exampleFunction.Arn,
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.cfg.Recorder;
    import com.pulumi.aws.lambda.Function;
    import com.pulumi.aws.lambda.Permission;
    import com.pulumi.aws.lambda.PermissionArgs;
    import com.pulumi.aws.cfg.Rule;
    import com.pulumi.aws.cfg.RuleArgs;
    import com.pulumi.aws.cfg.inputs.RuleSourceArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new Recorder("example");
    
            var exampleFunction = new Function("exampleFunction");
    
            var examplePermission = new Permission("examplePermission", PermissionArgs.builder()        
                .action("lambda:InvokeFunction")
                .function(exampleFunction.arn())
                .principal("config.amazonaws.com")
                .statementId("AllowExecutionFromConfig")
                .build());
    
            var exampleRule = new Rule("exampleRule", RuleArgs.builder()        
                .source(RuleSourceArgs.builder()
                    .owner("CUSTOM_LAMBDA")
                    .sourceIdentifier(exampleFunction.arn())
                    .build())
                .build());
    
        }
    }
    
    resources:
      example:
        type: aws:cfg:Recorder
      exampleFunction:
        type: aws:lambda:Function
        name: example
      examplePermission:
        type: aws:lambda:Permission
        name: example
        properties:
          action: lambda:InvokeFunction
          function: ${exampleFunction.arn}
          principal: config.amazonaws.com
          statementId: AllowExecutionFromConfig
      exampleRule:
        type: aws:cfg:Rule
        name: example
        properties:
          source:
            owner: CUSTOM_LAMBDA
            sourceIdentifier: ${exampleFunction.arn}
    

    Custom Policies

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.cfg.Rule("example", {
        name: "example",
        source: {
            owner: "CUSTOM_POLICY",
            sourceDetails: [{
                messageType: "ConfigurationItemChangeNotification",
            }],
            customPolicyDetails: {
                policyRuntime: "guard-2.x.x",
                policyText: `	  rule tableisactive when
    		  resourceType == "AWS::DynamoDB::Table" {
    		  configuration.tableStatus == ['ACTIVE']
    	  }
    	  
    	  rule checkcompliance when
    		  resourceType == "AWS::DynamoDB::Table"
    		  tableisactive {
    			  supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus == "ENABLED"
    	  }
    `,
            },
        },
    });
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.cfg.Rule("example",
        name="example",
        source=aws.cfg.RuleSourceArgs(
            owner="CUSTOM_POLICY",
            source_details=[aws.cfg.RuleSourceSourceDetailArgs(
                message_type="ConfigurationItemChangeNotification",
            )],
            custom_policy_details=aws.cfg.RuleSourceCustomPolicyDetailsArgs(
                policy_runtime="guard-2.x.x",
                policy_text="""	  rule tableisactive when
    		  resourceType == "AWS::DynamoDB::Table" {
    		  configuration.tableStatus == ['ACTIVE']
    	  }
    	  
    	  rule checkcompliance when
    		  resourceType == "AWS::DynamoDB::Table"
    		  tableisactive {
    			  supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus == "ENABLED"
    	  }
    """,
            ),
        ))
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cfg"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := cfg.NewRule(ctx, "example", &cfg.RuleArgs{
    			Name: pulumi.String("example"),
    			Source: &cfg.RuleSourceArgs{
    				Owner: pulumi.String("CUSTOM_POLICY"),
    				SourceDetails: cfg.RuleSourceSourceDetailArray{
    					&cfg.RuleSourceSourceDetailArgs{
    						MessageType: pulumi.String("ConfigurationItemChangeNotification"),
    					},
    				},
    				CustomPolicyDetails: &cfg.RuleSourceCustomPolicyDetailsArgs{
    					PolicyRuntime: pulumi.String("guard-2.x.x"),
    					PolicyText: pulumi.String(`	  rule tableisactive when
    		  resourceType == "AWS::DynamoDB::Table" {
    		  configuration.tableStatus == ['ACTIVE']
    	  }
    	  
    	  rule checkcompliance when
    		  resourceType == "AWS::DynamoDB::Table"
    		  tableisactive {
    			  supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus == "ENABLED"
    	  }
    `),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.Cfg.Rule("example", new()
        {
            Name = "example",
            Source = new Aws.Cfg.Inputs.RuleSourceArgs
            {
                Owner = "CUSTOM_POLICY",
                SourceDetails = new[]
                {
                    new Aws.Cfg.Inputs.RuleSourceSourceDetailArgs
                    {
                        MessageType = "ConfigurationItemChangeNotification",
                    },
                },
                CustomPolicyDetails = new Aws.Cfg.Inputs.RuleSourceCustomPolicyDetailsArgs
                {
                    PolicyRuntime = "guard-2.x.x",
                    PolicyText = @"	  rule tableisactive when
    		  resourceType == ""AWS::DynamoDB::Table"" {
    		  configuration.tableStatus == ['ACTIVE']
    	  }
    	  
    	  rule checkcompliance when
    		  resourceType == ""AWS::DynamoDB::Table""
    		  tableisactive {
    			  supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus == ""ENABLED""
    	  }
    ",
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.cfg.Rule;
    import com.pulumi.aws.cfg.RuleArgs;
    import com.pulumi.aws.cfg.inputs.RuleSourceArgs;
    import com.pulumi.aws.cfg.inputs.RuleSourceCustomPolicyDetailsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new Rule("example", RuleArgs.builder()        
                .name("example")
                .source(RuleSourceArgs.builder()
                    .owner("CUSTOM_POLICY")
                    .sourceDetails(RuleSourceSourceDetailArgs.builder()
                        .messageType("ConfigurationItemChangeNotification")
                        .build())
                    .customPolicyDetails(RuleSourceCustomPolicyDetailsArgs.builder()
                        .policyRuntime("guard-2.x.x")
                        .policyText("""
    	  rule tableisactive when
    		  resourceType == "AWS::DynamoDB::Table" {
    		  configuration.tableStatus == ['ACTIVE']
    	  }
    	  
    	  rule checkcompliance when
    		  resourceType == "AWS::DynamoDB::Table"
    		  tableisactive {
    			  supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus == "ENABLED"
    	  }
                        """)
                        .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      example:
        type: aws:cfg:Rule
        properties:
          name: example
          source:
            owner: CUSTOM_POLICY
            sourceDetails:
              - messageType: ConfigurationItemChangeNotification
            customPolicyDetails:
              policyRuntime: guard-2.x.x
              policyText: "\t  rule tableisactive when\n\t\t  resourceType == \"AWS::DynamoDB::Table\" {\n\t\t  configuration.tableStatus == ['ACTIVE']\n\t  }\n\t  \n\t  rule checkcompliance when\n\t\t  resourceType == \"AWS::DynamoDB::Table\"\n\t\t  tableisactive {\n\t\t\t  supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus == \"ENABLED\"\n\t  }\n"
    

    Create Rule Resource

    new Rule(name: string, args: RuleArgs, opts?: CustomResourceOptions);
    @overload
    def Rule(resource_name: str,
             opts: Optional[ResourceOptions] = None,
             description: Optional[str] = None,
             evaluation_modes: Optional[Sequence[RuleEvaluationModeArgs]] = None,
             input_parameters: Optional[str] = None,
             maximum_execution_frequency: Optional[str] = None,
             name: Optional[str] = None,
             scope: Optional[RuleScopeArgs] = None,
             source: Optional[RuleSourceArgs] = None,
             tags: Optional[Mapping[str, str]] = None)
    @overload
    def Rule(resource_name: str,
             args: RuleArgs,
             opts: Optional[ResourceOptions] = None)
    func NewRule(ctx *Context, name string, args RuleArgs, opts ...ResourceOption) (*Rule, error)
    public Rule(string name, RuleArgs args, CustomResourceOptions? opts = null)
    public Rule(String name, RuleArgs args)
    public Rule(String name, RuleArgs args, CustomResourceOptions options)
    
    type: aws:cfg:Rule
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args RuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args RuleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args RuleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args RuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args RuleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Rule Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Rule resource accepts the following input properties:

    Source RuleSource
    Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
    Description string
    Description of the rule
    EvaluationModes List<RuleEvaluationMode>
    The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
    InputParameters string
    A string in JSON format that is passed to the AWS Config rule Lambda function.
    MaximumExecutionFrequency string
    The maximum frequency with which AWS Config runs evaluations for a rule.
    Name string
    The name of the rule
    Scope RuleScope
    Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
    Tags Dictionary<string, string>
    A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    Source RuleSourceArgs
    Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
    Description string
    Description of the rule
    EvaluationModes []RuleEvaluationModeArgs
    The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
    InputParameters string
    A string in JSON format that is passed to the AWS Config rule Lambda function.
    MaximumExecutionFrequency string
    The maximum frequency with which AWS Config runs evaluations for a rule.
    Name string
    The name of the rule
    Scope RuleScopeArgs
    Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
    Tags map[string]string
    A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    source RuleSource
    Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
    description String
    Description of the rule
    evaluationModes List<RuleEvaluationMode>
    The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
    inputParameters String
    A string in JSON format that is passed to the AWS Config rule Lambda function.
    maximumExecutionFrequency String
    The maximum frequency with which AWS Config runs evaluations for a rule.
    name String
    The name of the rule
    scope RuleScope
    Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
    tags Map<String,String>
    A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    source RuleSource
    Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
    description string
    Description of the rule
    evaluationModes RuleEvaluationMode[]
    The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
    inputParameters string
    A string in JSON format that is passed to the AWS Config rule Lambda function.
    maximumExecutionFrequency string
    The maximum frequency with which AWS Config runs evaluations for a rule.
    name string
    The name of the rule
    scope RuleScope
    Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
    tags {[key: string]: string}
    A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    source RuleSourceArgs
    Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
    description str
    Description of the rule
    evaluation_modes Sequence[RuleEvaluationModeArgs]
    The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
    input_parameters str
    A string in JSON format that is passed to the AWS Config rule Lambda function.
    maximum_execution_frequency str
    The maximum frequency with which AWS Config runs evaluations for a rule.
    name str
    The name of the rule
    scope RuleScopeArgs
    Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
    tags Mapping[str, str]
    A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    source Property Map
    Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
    description String
    Description of the rule
    evaluationModes List<Property Map>
    The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
    inputParameters String
    A string in JSON format that is passed to the AWS Config rule Lambda function.
    maximumExecutionFrequency String
    The maximum frequency with which AWS Config runs evaluations for a rule.
    name String
    The name of the rule
    scope Property Map
    Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
    tags Map<String>
    A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Rule resource produces the following output properties:

    Arn string
    The ARN of the config rule
    Id string
    The provider-assigned unique ID for this managed resource.
    RuleId string
    The ID of the config rule
    TagsAll Dictionary<string, string>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    Arn string
    The ARN of the config rule
    Id string
    The provider-assigned unique ID for this managed resource.
    RuleId string
    The ID of the config rule
    TagsAll map[string]string
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    arn String
    The ARN of the config rule
    id String
    The provider-assigned unique ID for this managed resource.
    ruleId String
    The ID of the config rule
    tagsAll Map<String,String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    arn string
    The ARN of the config rule
    id string
    The provider-assigned unique ID for this managed resource.
    ruleId string
    The ID of the config rule
    tagsAll {[key: string]: string}
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    arn str
    The ARN of the config rule
    id str
    The provider-assigned unique ID for this managed resource.
    rule_id str
    The ID of the config rule
    tags_all Mapping[str, str]
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    arn String
    The ARN of the config rule
    id String
    The provider-assigned unique ID for this managed resource.
    ruleId String
    The ID of the config rule
    tagsAll Map<String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    Look up Existing Rule Resource

    Get an existing Rule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: RuleState, opts?: CustomResourceOptions): Rule
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            arn: Optional[str] = None,
            description: Optional[str] = None,
            evaluation_modes: Optional[Sequence[RuleEvaluationModeArgs]] = None,
            input_parameters: Optional[str] = None,
            maximum_execution_frequency: Optional[str] = None,
            name: Optional[str] = None,
            rule_id: Optional[str] = None,
            scope: Optional[RuleScopeArgs] = None,
            source: Optional[RuleSourceArgs] = None,
            tags: Optional[Mapping[str, str]] = None,
            tags_all: Optional[Mapping[str, str]] = None) -> Rule
    func GetRule(ctx *Context, name string, id IDInput, state *RuleState, opts ...ResourceOption) (*Rule, error)
    public static Rule Get(string name, Input<string> id, RuleState? state, CustomResourceOptions? opts = null)
    public static Rule get(String name, Output<String> id, RuleState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Arn string
    The ARN of the config rule
    Description string
    Description of the rule
    EvaluationModes List<RuleEvaluationMode>
    The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
    InputParameters string
    A string in JSON format that is passed to the AWS Config rule Lambda function.
    MaximumExecutionFrequency string
    The maximum frequency with which AWS Config runs evaluations for a rule.
    Name string
    The name of the rule
    RuleId string
    The ID of the config rule
    Scope RuleScope
    Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
    Source RuleSource
    Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
    Tags Dictionary<string, string>
    A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    TagsAll Dictionary<string, string>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    Arn string
    The ARN of the config rule
    Description string
    Description of the rule
    EvaluationModes []RuleEvaluationModeArgs
    The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
    InputParameters string
    A string in JSON format that is passed to the AWS Config rule Lambda function.
    MaximumExecutionFrequency string
    The maximum frequency with which AWS Config runs evaluations for a rule.
    Name string
    The name of the rule
    RuleId string
    The ID of the config rule
    Scope RuleScopeArgs
    Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
    Source RuleSourceArgs
    Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
    Tags map[string]string
    A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    TagsAll map[string]string
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    arn String
    The ARN of the config rule
    description String
    Description of the rule
    evaluationModes List<RuleEvaluationMode>
    The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
    inputParameters String
    A string in JSON format that is passed to the AWS Config rule Lambda function.
    maximumExecutionFrequency String
    The maximum frequency with which AWS Config runs evaluations for a rule.
    name String
    The name of the rule
    ruleId String
    The ID of the config rule
    scope RuleScope
    Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
    source RuleSource
    Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
    tags Map<String,String>
    A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll Map<String,String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    arn string
    The ARN of the config rule
    description string
    Description of the rule
    evaluationModes RuleEvaluationMode[]
    The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
    inputParameters string
    A string in JSON format that is passed to the AWS Config rule Lambda function.
    maximumExecutionFrequency string
    The maximum frequency with which AWS Config runs evaluations for a rule.
    name string
    The name of the rule
    ruleId string
    The ID of the config rule
    scope RuleScope
    Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
    source RuleSource
    Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
    tags {[key: string]: string}
    A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll {[key: string]: string}
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    arn str
    The ARN of the config rule
    description str
    Description of the rule
    evaluation_modes Sequence[RuleEvaluationModeArgs]
    The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
    input_parameters str
    A string in JSON format that is passed to the AWS Config rule Lambda function.
    maximum_execution_frequency str
    The maximum frequency with which AWS Config runs evaluations for a rule.
    name str
    The name of the rule
    rule_id str
    The ID of the config rule
    scope RuleScopeArgs
    Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
    source RuleSourceArgs
    Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
    tags Mapping[str, str]
    A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tags_all Mapping[str, str]
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    arn String
    The ARN of the config rule
    description String
    Description of the rule
    evaluationModes List<Property Map>
    The modes the Config rule can be evaluated in. See Evaluation Mode for more details.
    inputParameters String
    A string in JSON format that is passed to the AWS Config rule Lambda function.
    maximumExecutionFrequency String
    The maximum frequency with which AWS Config runs evaluations for a rule.
    name String
    The name of the rule
    ruleId String
    The ID of the config rule
    scope Property Map
    Scope defines which resources can trigger an evaluation for the rule. See Scope Below.
    source Property Map
    Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Source Below.
    tags Map<String>
    A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll Map<String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    Supporting Types

    RuleEvaluationMode, RuleEvaluationModeArgs

    Mode string
    The mode of an evaluation.
    Mode string
    The mode of an evaluation.
    mode String
    The mode of an evaluation.
    mode string
    The mode of an evaluation.
    mode str
    The mode of an evaluation.
    mode String
    The mode of an evaluation.

    RuleScope, RuleScopeArgs

    ComplianceResourceId string
    The IDs of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for compliance_resource_types.
    ComplianceResourceTypes List<string>
    A list of resource types of only those AWS resources that you want to trigger an evaluation for the ruleE.g., AWS::EC2::Instance. You can only specify one type if you also specify a resource ID for compliance_resource_id. See relevant part of AWS Docs for available types.
    TagKey string
    The tag key that is applied to only those AWS resources that you want you want to trigger an evaluation for the rule.
    TagValue string
    The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule.
    ComplianceResourceId string
    The IDs of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for compliance_resource_types.
    ComplianceResourceTypes []string
    A list of resource types of only those AWS resources that you want to trigger an evaluation for the ruleE.g., AWS::EC2::Instance. You can only specify one type if you also specify a resource ID for compliance_resource_id. See relevant part of AWS Docs for available types.
    TagKey string
    The tag key that is applied to only those AWS resources that you want you want to trigger an evaluation for the rule.
    TagValue string
    The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule.
    complianceResourceId String
    The IDs of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for compliance_resource_types.
    complianceResourceTypes List<String>
    A list of resource types of only those AWS resources that you want to trigger an evaluation for the ruleE.g., AWS::EC2::Instance. You can only specify one type if you also specify a resource ID for compliance_resource_id. See relevant part of AWS Docs for available types.
    tagKey String
    The tag key that is applied to only those AWS resources that you want you want to trigger an evaluation for the rule.
    tagValue String
    The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule.
    complianceResourceId string
    The IDs of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for compliance_resource_types.
    complianceResourceTypes string[]
    A list of resource types of only those AWS resources that you want to trigger an evaluation for the ruleE.g., AWS::EC2::Instance. You can only specify one type if you also specify a resource ID for compliance_resource_id. See relevant part of AWS Docs for available types.
    tagKey string
    The tag key that is applied to only those AWS resources that you want you want to trigger an evaluation for the rule.
    tagValue string
    The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule.
    compliance_resource_id str
    The IDs of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for compliance_resource_types.
    compliance_resource_types Sequence[str]
    A list of resource types of only those AWS resources that you want to trigger an evaluation for the ruleE.g., AWS::EC2::Instance. You can only specify one type if you also specify a resource ID for compliance_resource_id. See relevant part of AWS Docs for available types.
    tag_key str
    The tag key that is applied to only those AWS resources that you want you want to trigger an evaluation for the rule.
    tag_value str
    The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule.
    complianceResourceId String
    The IDs of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for compliance_resource_types.
    complianceResourceTypes List<String>
    A list of resource types of only those AWS resources that you want to trigger an evaluation for the ruleE.g., AWS::EC2::Instance. You can only specify one type if you also specify a resource ID for compliance_resource_id. See relevant part of AWS Docs for available types.
    tagKey String
    The tag key that is applied to only those AWS resources that you want you want to trigger an evaluation for the rule.
    tagValue String
    The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule.

    RuleSource, RuleSourceArgs

    Owner string
    Indicates whether AWS or the customer owns and manages the AWS Config rule. Valid values are AWS, CUSTOM_LAMBDA or CUSTOM_POLICY. For more information about managed rules, see the AWS Config Managed Rules documentation. For more information about custom rules, see the AWS Config Custom Rules documentation. Custom Lambda Functions require permissions to allow the AWS Config service to invoke them, e.g., via the aws.lambda.Permission resource.
    CustomPolicyDetails RuleSourceCustomPolicyDetails
    Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to CUSTOM_POLICY. See Custom Policy Details Below.
    SourceDetails List<RuleSourceSourceDetail>
    Provides the source and type of the event that causes AWS Config to evaluate your AWS resources. Only valid if owner is CUSTOM_LAMBDA or CUSTOM_POLICY. See Source Detail Below.
    SourceIdentifier string
    For AWS Config managed rules, a predefined identifier, e.g IAM_PASSWORD_POLICY. For custom Lambda rules, the identifier is the ARN of the Lambda Function, such as arn:aws:lambda:us-east-1:123456789012:function:custom_rule_name or the arn attribute of the aws.lambda.Function resource.
    Owner string
    Indicates whether AWS or the customer owns and manages the AWS Config rule. Valid values are AWS, CUSTOM_LAMBDA or CUSTOM_POLICY. For more information about managed rules, see the AWS Config Managed Rules documentation. For more information about custom rules, see the AWS Config Custom Rules documentation. Custom Lambda Functions require permissions to allow the AWS Config service to invoke them, e.g., via the aws.lambda.Permission resource.
    CustomPolicyDetails RuleSourceCustomPolicyDetails
    Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to CUSTOM_POLICY. See Custom Policy Details Below.
    SourceDetails []RuleSourceSourceDetail
    Provides the source and type of the event that causes AWS Config to evaluate your AWS resources. Only valid if owner is CUSTOM_LAMBDA or CUSTOM_POLICY. See Source Detail Below.
    SourceIdentifier string
    For AWS Config managed rules, a predefined identifier, e.g IAM_PASSWORD_POLICY. For custom Lambda rules, the identifier is the ARN of the Lambda Function, such as arn:aws:lambda:us-east-1:123456789012:function:custom_rule_name or the arn attribute of the aws.lambda.Function resource.
    owner String
    Indicates whether AWS or the customer owns and manages the AWS Config rule. Valid values are AWS, CUSTOM_LAMBDA or CUSTOM_POLICY. For more information about managed rules, see the AWS Config Managed Rules documentation. For more information about custom rules, see the AWS Config Custom Rules documentation. Custom Lambda Functions require permissions to allow the AWS Config service to invoke them, e.g., via the aws.lambda.Permission resource.
    customPolicyDetails RuleSourceCustomPolicyDetails
    Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to CUSTOM_POLICY. See Custom Policy Details Below.
    sourceDetails List<RuleSourceSourceDetail>
    Provides the source and type of the event that causes AWS Config to evaluate your AWS resources. Only valid if owner is CUSTOM_LAMBDA or CUSTOM_POLICY. See Source Detail Below.
    sourceIdentifier String
    For AWS Config managed rules, a predefined identifier, e.g IAM_PASSWORD_POLICY. For custom Lambda rules, the identifier is the ARN of the Lambda Function, such as arn:aws:lambda:us-east-1:123456789012:function:custom_rule_name or the arn attribute of the aws.lambda.Function resource.
    owner string
    Indicates whether AWS or the customer owns and manages the AWS Config rule. Valid values are AWS, CUSTOM_LAMBDA or CUSTOM_POLICY. For more information about managed rules, see the AWS Config Managed Rules documentation. For more information about custom rules, see the AWS Config Custom Rules documentation. Custom Lambda Functions require permissions to allow the AWS Config service to invoke them, e.g., via the aws.lambda.Permission resource.
    customPolicyDetails RuleSourceCustomPolicyDetails
    Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to CUSTOM_POLICY. See Custom Policy Details Below.
    sourceDetails RuleSourceSourceDetail[]
    Provides the source and type of the event that causes AWS Config to evaluate your AWS resources. Only valid if owner is CUSTOM_LAMBDA or CUSTOM_POLICY. See Source Detail Below.
    sourceIdentifier string
    For AWS Config managed rules, a predefined identifier, e.g IAM_PASSWORD_POLICY. For custom Lambda rules, the identifier is the ARN of the Lambda Function, such as arn:aws:lambda:us-east-1:123456789012:function:custom_rule_name or the arn attribute of the aws.lambda.Function resource.
    owner str
    Indicates whether AWS or the customer owns and manages the AWS Config rule. Valid values are AWS, CUSTOM_LAMBDA or CUSTOM_POLICY. For more information about managed rules, see the AWS Config Managed Rules documentation. For more information about custom rules, see the AWS Config Custom Rules documentation. Custom Lambda Functions require permissions to allow the AWS Config service to invoke them, e.g., via the aws.lambda.Permission resource.
    custom_policy_details RuleSourceCustomPolicyDetails
    Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to CUSTOM_POLICY. See Custom Policy Details Below.
    source_details Sequence[RuleSourceSourceDetail]
    Provides the source and type of the event that causes AWS Config to evaluate your AWS resources. Only valid if owner is CUSTOM_LAMBDA or CUSTOM_POLICY. See Source Detail Below.
    source_identifier str
    For AWS Config managed rules, a predefined identifier, e.g IAM_PASSWORD_POLICY. For custom Lambda rules, the identifier is the ARN of the Lambda Function, such as arn:aws:lambda:us-east-1:123456789012:function:custom_rule_name or the arn attribute of the aws.lambda.Function resource.
    owner String
    Indicates whether AWS or the customer owns and manages the AWS Config rule. Valid values are AWS, CUSTOM_LAMBDA or CUSTOM_POLICY. For more information about managed rules, see the AWS Config Managed Rules documentation. For more information about custom rules, see the AWS Config Custom Rules documentation. Custom Lambda Functions require permissions to allow the AWS Config service to invoke them, e.g., via the aws.lambda.Permission resource.
    customPolicyDetails Property Map
    Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to CUSTOM_POLICY. See Custom Policy Details Below.
    sourceDetails List<Property Map>
    Provides the source and type of the event that causes AWS Config to evaluate your AWS resources. Only valid if owner is CUSTOM_LAMBDA or CUSTOM_POLICY. See Source Detail Below.
    sourceIdentifier String
    For AWS Config managed rules, a predefined identifier, e.g IAM_PASSWORD_POLICY. For custom Lambda rules, the identifier is the ARN of the Lambda Function, such as arn:aws:lambda:us-east-1:123456789012:function:custom_rule_name or the arn attribute of the aws.lambda.Function resource.

    RuleSourceCustomPolicyDetails, RuleSourceCustomPolicyDetailsArgs

    PolicyRuntime string
    The runtime system for your Config Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by Config Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
    PolicyText string
    The policy definition containing the logic for your Config Custom Policy rule.
    EnableDebugLogDelivery bool
    The boolean expression for enabling debug logging for your Config Custom Policy rule. The default value is false.
    PolicyRuntime string
    The runtime system for your Config Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by Config Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
    PolicyText string
    The policy definition containing the logic for your Config Custom Policy rule.
    EnableDebugLogDelivery bool
    The boolean expression for enabling debug logging for your Config Custom Policy rule. The default value is false.
    policyRuntime String
    The runtime system for your Config Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by Config Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
    policyText String
    The policy definition containing the logic for your Config Custom Policy rule.
    enableDebugLogDelivery Boolean
    The boolean expression for enabling debug logging for your Config Custom Policy rule. The default value is false.
    policyRuntime string
    The runtime system for your Config Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by Config Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
    policyText string
    The policy definition containing the logic for your Config Custom Policy rule.
    enableDebugLogDelivery boolean
    The boolean expression for enabling debug logging for your Config Custom Policy rule. The default value is false.
    policy_runtime str
    The runtime system for your Config Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by Config Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
    policy_text str
    The policy definition containing the logic for your Config Custom Policy rule.
    enable_debug_log_delivery bool
    The boolean expression for enabling debug logging for your Config Custom Policy rule. The default value is false.
    policyRuntime String
    The runtime system for your Config Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by Config Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
    policyText String
    The policy definition containing the logic for your Config Custom Policy rule.
    enableDebugLogDelivery Boolean
    The boolean expression for enabling debug logging for your Config Custom Policy rule. The default value is false.

    RuleSourceSourceDetail, RuleSourceSourceDetailArgs

    EventSource string
    The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWSresources. This defaults to aws.config and is the only valid value.
    MaximumExecutionFrequency string
    The frequency that you want AWS Config to run evaluations for a rule that istriggered periodically. If specified, requires message_type to be ScheduledNotification.
    MessageType string
    The type of notification that triggers AWS Config to run an evaluation for a rule. You canspecify the following notification types:
    EventSource string
    The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWSresources. This defaults to aws.config and is the only valid value.
    MaximumExecutionFrequency string
    The frequency that you want AWS Config to run evaluations for a rule that istriggered periodically. If specified, requires message_type to be ScheduledNotification.
    MessageType string
    The type of notification that triggers AWS Config to run an evaluation for a rule. You canspecify the following notification types:
    eventSource String
    The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWSresources. This defaults to aws.config and is the only valid value.
    maximumExecutionFrequency String
    The frequency that you want AWS Config to run evaluations for a rule that istriggered periodically. If specified, requires message_type to be ScheduledNotification.
    messageType String
    The type of notification that triggers AWS Config to run an evaluation for a rule. You canspecify the following notification types:
    eventSource string
    The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWSresources. This defaults to aws.config and is the only valid value.
    maximumExecutionFrequency string
    The frequency that you want AWS Config to run evaluations for a rule that istriggered periodically. If specified, requires message_type to be ScheduledNotification.
    messageType string
    The type of notification that triggers AWS Config to run an evaluation for a rule. You canspecify the following notification types:
    event_source str
    The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWSresources. This defaults to aws.config and is the only valid value.
    maximum_execution_frequency str
    The frequency that you want AWS Config to run evaluations for a rule that istriggered periodically. If specified, requires message_type to be ScheduledNotification.
    message_type str
    The type of notification that triggers AWS Config to run an evaluation for a rule. You canspecify the following notification types:
    eventSource String
    The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWSresources. This defaults to aws.config and is the only valid value.
    maximumExecutionFrequency String
    The frequency that you want AWS Config to run evaluations for a rule that istriggered periodically. If specified, requires message_type to be ScheduledNotification.
    messageType String
    The type of notification that triggers AWS Config to run an evaluation for a rule. You canspecify the following notification types:

    Import

    Using pulumi import, import Config Rule using the name. For example:

    $ pulumi import aws:cfg/rule:Rule foo example
    

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.
    aws logo

    Try AWS Native preview for resources not in the classic version.

    AWS Classic v6.27.0 published on Monday, Mar 18, 2024 by Pulumi