OrganizationCustomRule

Manages a Config Organization Custom Rule. More information about these rules can be found in the Enabling AWS Config Rules Across all Accounts in Your Organization and AWS Config Managed Rules documentation. For working with Organization Managed Rules (those invoking an AWS managed rule), see the aws_config_organization_managed__rule resource.

NOTE: This resource must be created in the Organization master account and rules will include the master account unless its ID is added to the excluded_accounts argument.
NOTE: The proper Lambda permission to allow the AWS Config service invoke the Lambda Function must be in place before the rule will successfully create or update. See also the aws.lambda.Permission resource.

Example Usage

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var examplePermission = new Aws.Lambda.Permission("examplePermission", new Aws.Lambda.PermissionArgs
        {
            Action = "lambda:InvokeFunction",
            Function = aws_lambda_function.Example.Arn,
            Principal = "config.amazonaws.com",
        });
        var exampleOrganization = new Aws.Organizations.Organization("exampleOrganization", new Aws.Organizations.OrganizationArgs
        {
            AwsServiceAccessPrincipals = 
            {
                "config-multiaccountsetup.amazonaws.com",
            },
            FeatureSet = "ALL",
        });
        var exampleOrganizationCustomRule = new Aws.Cfg.OrganizationCustomRule("exampleOrganizationCustomRule", new Aws.Cfg.OrganizationCustomRuleArgs
        {
            LambdaFunctionArn = aws_lambda_function.Example.Arn,
            TriggerTypes = 
            {
                "ConfigurationItemChangeNotification",
            },
        }, new CustomResourceOptions
        {
            DependsOn = 
            {
                "aws_lambda_permission.example",
                "aws_organizations_organization.example",
            },
        });
    }

}

package main

import (
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/cfg"
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/lambda"
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/organizations"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        _, err := lambda.NewPermission(ctx, "examplePermission", &lambda.PermissionArgs{
            Action:    pulumi.String("lambda:InvokeFunction"),
            Function:  pulumi.String(aws_lambda_function.Example.Arn),
            Principal: pulumi.String("config.amazonaws.com"),
        })
        if err != nil {
            return err
        }
        _, err = organizations.NewOrganization(ctx, "exampleOrganization", &organizations.OrganizationArgs{
            AwsServiceAccessPrincipals: pulumi.StringArray{
                pulumi.String("config-multiaccountsetup.amazonaws.com"),
            },
            FeatureSet: pulumi.String("ALL"),
        })
        if err != nil {
            return err
        }
        _, err = cfg.NewOrganizationCustomRule(ctx, "exampleOrganizationCustomRule", &cfg.OrganizationCustomRuleArgs{
            LambdaFunctionArn: pulumi.String(aws_lambda_function.Example.Arn),
            TriggerTypes: pulumi.StringArray{
                pulumi.String("ConfigurationItemChangeNotification"),
            },
        }, pulumi.DependsOn([]pulumi.Resource{
            "aws_lambda_permission.example",
            "aws_organizations_organization.example",
        }))
        if err != nil {
            return err
        }
        return nil
    })
}

import pulumi
import pulumi_aws as aws

example_permission = aws.lambda_.Permission("examplePermission",
    action="lambda:InvokeFunction",
    function=aws_lambda_function["example"]["arn"],
    principal="config.amazonaws.com")
example_organization = aws.organizations.Organization("exampleOrganization",
    aws_service_access_principals=["config-multiaccountsetup.amazonaws.com"],
    feature_set="ALL")
example_organization_custom_rule = aws.cfg.OrganizationCustomRule("exampleOrganizationCustomRule",
    lambda_function_arn=aws_lambda_function["example"]["arn"],
    trigger_types=["ConfigurationItemChangeNotification"],
    opts=ResourceOptions(depends_on=[
            "aws_lambda_permission.example",
            "aws_organizations_organization.example",
        ]))

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const examplePermission = new aws.lambda.Permission("example", {
    action: "lambda:InvokeFunction",
    function: aws_lambda_function_example.arn,
    principal: "config.amazonaws.com",
});
const exampleOrganization = new aws.organizations.Organization("example", {
    awsServiceAccessPrincipals: ["config-multiaccountsetup.amazonaws.com"],
    featureSet: "ALL",
});
const exampleOrganizationCustomRule = new aws.cfg.OrganizationCustomRule("example", {
    lambdaFunctionArn: aws_lambda_function_example.arn,
    triggerTypes: ["ConfigurationItemChangeNotification"],
}, { dependsOn: [examplePermission, exampleOrganization] });

Create a OrganizationCustomRule Resource

new OrganizationCustomRule(name: string, args: OrganizationCustomRuleArgs, opts?: CustomResourceOptions);

def OrganizationCustomRule(resource_name, opts=None, description=None, excluded_accounts=None, input_parameters=None, lambda_function_arn=None, maximum_execution_frequency=None, name=None, resource_id_scope=None, resource_types_scopes=None, tag_key_scope=None, tag_value_scope=None, trigger_types=None, __props__=None);

func NewOrganizationCustomRule(ctx *Context, name string, args OrganizationCustomRuleArgs, opts ...ResourceOption) (*OrganizationCustomRule, error)

public OrganizationCustomRule(string name, OrganizationCustomRuleArgs args, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args OrganizationCustomRuleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args OrganizationCustomRuleArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args OrganizationCustomRuleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

OrganizationCustomRule Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The OrganizationCustomRule resource accepts the following input properties:

LambdaFunctionArn string: Amazon Resource Name (ARN) of the rule Lambda Function
TriggerTypes List<string>: List of notification types that trigger AWS Config to run an evaluation for the rule. Valid values: ConfigurationItemChangeNotification, OversizedConfigurationItemChangeNotification, and ScheduledNotification
Description string: Description of the rule
ExcludedAccounts List<string>: List of AWS account identifiers to exclude from the rule
InputParameters string: A string in JSON format that is passed to the AWS Config Rule Lambda Function
MaximumExecutionFrequency string: The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.
Name string: The name of the rule
ResourceIdScope string: Identifier of the AWS resource to evaluate
ResourceTypesScopes List<string>: List of types of AWS resources to evaluate
TagKeyScope string: Tag key of AWS resources to evaluate
TagValueScope string: Tag value of AWS resources to evaluate

LambdaFunctionArn string: Amazon Resource Name (ARN) of the rule Lambda Function
TriggerTypes []string: List of notification types that trigger AWS Config to run an evaluation for the rule. Valid values: ConfigurationItemChangeNotification, OversizedConfigurationItemChangeNotification, and ScheduledNotification
Description string: Description of the rule
ExcludedAccounts []string: List of AWS account identifiers to exclude from the rule
InputParameters string: A string in JSON format that is passed to the AWS Config Rule Lambda Function
MaximumExecutionFrequency string: The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.
Name string: The name of the rule
ResourceIdScope string: Identifier of the AWS resource to evaluate
ResourceTypesScopes []string: List of types of AWS resources to evaluate
TagKeyScope string: Tag key of AWS resources to evaluate
TagValueScope string: Tag value of AWS resources to evaluate

lambdaFunctionArn string: Amazon Resource Name (ARN) of the rule Lambda Function
triggerTypes string[]: List of notification types that trigger AWS Config to run an evaluation for the rule. Valid values: ConfigurationItemChangeNotification, OversizedConfigurationItemChangeNotification, and ScheduledNotification
description string: Description of the rule
excludedAccounts string[]: List of AWS account identifiers to exclude from the rule
inputParameters string: A string in JSON format that is passed to the AWS Config Rule Lambda Function
maximumExecutionFrequency string: The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.
name string: The name of the rule
resourceIdScope string: Identifier of the AWS resource to evaluate
resourceTypesScopes string[]: List of types of AWS resources to evaluate
tagKeyScope string: Tag key of AWS resources to evaluate
tagValueScope string: Tag value of AWS resources to evaluate

lambda_function_arn str: Amazon Resource Name (ARN) of the rule Lambda Function
trigger_types List[str]: List of notification types that trigger AWS Config to run an evaluation for the rule. Valid values: ConfigurationItemChangeNotification, OversizedConfigurationItemChangeNotification, and ScheduledNotification
description str: Description of the rule
excluded_accounts List[str]: List of AWS account identifiers to exclude from the rule
input_parameters str: A string in JSON format that is passed to the AWS Config Rule Lambda Function
maximum_execution_frequency str: The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.
name str: The name of the rule
resource_id_scope str: Identifier of the AWS resource to evaluate
resource_types_scopes List[str]: List of types of AWS resources to evaluate
tag_key_scope str: Tag key of AWS resources to evaluate
tag_value_scope str: Tag value of AWS resources to evaluate

Outputs

All input properties are implicitly available as output properties. Additionally, the OrganizationCustomRule resource produces the following output properties:

Arn string: Amazon Resource Name (ARN) of the rule
Id string: The provider-assigned unique ID for this managed resource.

Arn string: Amazon Resource Name (ARN) of the rule
Id string: The provider-assigned unique ID for this managed resource.

arn string: Amazon Resource Name (ARN) of the rule
id string: The provider-assigned unique ID for this managed resource.

arn str: Amazon Resource Name (ARN) of the rule
id str: The provider-assigned unique ID for this managed resource.

Look up an Existing OrganizationCustomRule Resource

Get an existing OrganizationCustomRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: OrganizationCustomRuleState, opts?: CustomResourceOptions): OrganizationCustomRule

static get(resource_name, id, opts=None, arn=None, description=None, excluded_accounts=None, input_parameters=None, lambda_function_arn=None, maximum_execution_frequency=None, name=None, resource_id_scope=None, resource_types_scopes=None, tag_key_scope=None, tag_value_scope=None, trigger_types=None, __props__=None);

func GetOrganizationCustomRule(ctx *Context, name string, id IDInput, state *OrganizationCustomRuleState, opts ...ResourceOption) (*OrganizationCustomRule, error)

public static OrganizationCustomRule Get(string name, Input<string> id, OrganizationCustomRuleState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Arn string: Amazon Resource Name (ARN) of the rule
Description string: Description of the rule
ExcludedAccounts List<string>: List of AWS account identifiers to exclude from the rule
InputParameters string: A string in JSON format that is passed to the AWS Config Rule Lambda Function
LambdaFunctionArn string: Amazon Resource Name (ARN) of the rule Lambda Function
MaximumExecutionFrequency string: The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.
Name string: The name of the rule
ResourceIdScope string: Identifier of the AWS resource to evaluate
ResourceTypesScopes List<string>: List of types of AWS resources to evaluate
TagKeyScope string: Tag key of AWS resources to evaluate
TagValueScope string: Tag value of AWS resources to evaluate
TriggerTypes List<string>: List of notification types that trigger AWS Config to run an evaluation for the rule. Valid values: ConfigurationItemChangeNotification, OversizedConfigurationItemChangeNotification, and ScheduledNotification

Arn string: Amazon Resource Name (ARN) of the rule
Description string: Description of the rule
ExcludedAccounts []string: List of AWS account identifiers to exclude from the rule
InputParameters string: A string in JSON format that is passed to the AWS Config Rule Lambda Function
LambdaFunctionArn string: Amazon Resource Name (ARN) of the rule Lambda Function
MaximumExecutionFrequency string: The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.
Name string: The name of the rule
ResourceIdScope string: Identifier of the AWS resource to evaluate
ResourceTypesScopes []string: List of types of AWS resources to evaluate
TagKeyScope string: Tag key of AWS resources to evaluate
TagValueScope string: Tag value of AWS resources to evaluate
TriggerTypes []string: List of notification types that trigger AWS Config to run an evaluation for the rule. Valid values: ConfigurationItemChangeNotification, OversizedConfigurationItemChangeNotification, and ScheduledNotification

arn string: Amazon Resource Name (ARN) of the rule
description string: Description of the rule
excludedAccounts string[]: List of AWS account identifiers to exclude from the rule
inputParameters string: A string in JSON format that is passed to the AWS Config Rule Lambda Function
lambdaFunctionArn string: Amazon Resource Name (ARN) of the rule Lambda Function
maximumExecutionFrequency string: The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.
name string: The name of the rule
resourceIdScope string: Identifier of the AWS resource to evaluate
resourceTypesScopes string[]: List of types of AWS resources to evaluate
tagKeyScope string: Tag key of AWS resources to evaluate
tagValueScope string: Tag value of AWS resources to evaluate
triggerTypes string[]: List of notification types that trigger AWS Config to run an evaluation for the rule. Valid values: ConfigurationItemChangeNotification, OversizedConfigurationItemChangeNotification, and ScheduledNotification

arn str: Amazon Resource Name (ARN) of the rule
description str: Description of the rule
excluded_accounts List[str]: List of AWS account identifiers to exclude from the rule
input_parameters str: A string in JSON format that is passed to the AWS Config Rule Lambda Function
lambda_function_arn str: Amazon Resource Name (ARN) of the rule Lambda Function
maximum_execution_frequency str: The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.
name str: The name of the rule
resource_id_scope str: Identifier of the AWS resource to evaluate
resource_types_scopes List[str]: List of types of AWS resources to evaluate
tag_key_scope str: Tag key of AWS resources to evaluate
tag_value_scope str: Tag value of AWS resources to evaluate
trigger_types List[str]: List of notification types that trigger AWS Config to run an evaluation for the rule. Valid values: ConfigurationItemChangeNotification, OversizedConfigurationItemChangeNotification, and ScheduledNotification

Package Details

Repository: https://github.com/pulumi/pulumi-aws
License: Apache-2.0
Notes: This Pulumi package is based on the aws Terraform Provider.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud