OrganizationManagedRule

Manages a Config Organization Managed Rule. More information about these rules can be found in the Enabling AWS Config Rules Across all Accounts in Your Organization and AWS Config Managed Rules documentation. For working with Organization Custom Rules (those invoking a custom Lambda Function), see the aws.cfg.OrganizationCustomRule resource.

NOTE: This resource must be created in the Organization master account and rules will include the master account unless its ID is added to the excluded_accounts argument.
NOTE: Every Organization account except those configured in the excluded_accounts argument must have a Configuration Recorder with proper IAM permissions before the rule will successfully create or update. See also the aws.cfg.Recorder resource.

Example Usage

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var exampleOrganization = new Aws.Organizations.Organization("exampleOrganization", new Aws.Organizations.OrganizationArgs
        {
            AwsServiceAccessPrincipals = 
            {
                "config-multiaccountsetup.amazonaws.com",
            },
            FeatureSet = "ALL",
        });
        var exampleOrganizationManagedRule = new Aws.Cfg.OrganizationManagedRule("exampleOrganizationManagedRule", new Aws.Cfg.OrganizationManagedRuleArgs
        {
            RuleIdentifier = "IAM_PASSWORD_POLICY",
        }, new CustomResourceOptions
        {
            DependsOn = 
            {
                "aws_organizations_organization.example",
            },
        });
    }

}

package main

import (
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/cfg"
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/organizations"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        _, err := organizations.NewOrganization(ctx, "exampleOrganization", &organizations.OrganizationArgs{
            AwsServiceAccessPrincipals: pulumi.StringArray{
                pulumi.String("config-multiaccountsetup.amazonaws.com"),
            },
            FeatureSet: pulumi.String("ALL"),
        })
        if err != nil {
            return err
        }
        _, err = cfg.NewOrganizationManagedRule(ctx, "exampleOrganizationManagedRule", &cfg.OrganizationManagedRuleArgs{
            RuleIdentifier: pulumi.String("IAM_PASSWORD_POLICY"),
        }, pulumi.DependsOn([]pulumi.Resource{
            "aws_organizations_organization.example",
        }))
        if err != nil {
            return err
        }
        return nil
    })
}

import pulumi
import pulumi_aws as aws

example_organization = aws.organizations.Organization("exampleOrganization",
    aws_service_access_principals=["config-multiaccountsetup.amazonaws.com"],
    feature_set="ALL")
example_organization_managed_rule = aws.cfg.OrganizationManagedRule("exampleOrganizationManagedRule", rule_identifier="IAM_PASSWORD_POLICY",
opts=ResourceOptions(depends_on=["aws_organizations_organization.example"]))

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const exampleOrganization = new aws.organizations.Organization("example", {
    awsServiceAccessPrincipals: ["config-multiaccountsetup.amazonaws.com"],
    featureSet: "ALL",
});
const exampleOrganizationManagedRule = new aws.cfg.OrganizationManagedRule("example", {
    ruleIdentifier: "IAM_PASSWORD_POLICY",
}, { dependsOn: [exampleOrganization] });

Create a OrganizationManagedRule Resource

new OrganizationManagedRule(name: string, args: OrganizationManagedRuleArgs, opts?: CustomResourceOptions);

def OrganizationManagedRule(resource_name, opts=None, description=None, excluded_accounts=None, input_parameters=None, maximum_execution_frequency=None, name=None, resource_id_scope=None, resource_types_scopes=None, rule_identifier=None, tag_key_scope=None, tag_value_scope=None, __props__=None);

func NewOrganizationManagedRule(ctx *Context, name string, args OrganizationManagedRuleArgs, opts ...ResourceOption) (*OrganizationManagedRule, error)

public OrganizationManagedRule(string name, OrganizationManagedRuleArgs args, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args OrganizationManagedRuleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args OrganizationManagedRuleArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args OrganizationManagedRuleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

OrganizationManagedRule Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The OrganizationManagedRule resource accepts the following input properties:

RuleIdentifier string: Identifier of an available AWS Config Managed Rule to call. For available values, see the List of AWS Config Managed Rules documentation
Description string: Description of the rule
ExcludedAccounts List<string>: List of AWS account identifiers to exclude from the rule
InputParameters string: A string in JSON format that is passed to the AWS Config Rule Lambda Function
MaximumExecutionFrequency string: The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.
Name string: The name of the rule
ResourceIdScope string: Identifier of the AWS resource to evaluate
ResourceTypesScopes List<string>: List of types of AWS resources to evaluate
TagKeyScope string: Tag key of AWS resources to evaluate
TagValueScope string: Tag value of AWS resources to evaluate

RuleIdentifier string: Identifier of an available AWS Config Managed Rule to call. For available values, see the List of AWS Config Managed Rules documentation
Description string: Description of the rule
ExcludedAccounts []string: List of AWS account identifiers to exclude from the rule
InputParameters string: A string in JSON format that is passed to the AWS Config Rule Lambda Function
MaximumExecutionFrequency string: The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.
Name string: The name of the rule
ResourceIdScope string: Identifier of the AWS resource to evaluate
ResourceTypesScopes []string: List of types of AWS resources to evaluate
TagKeyScope string: Tag key of AWS resources to evaluate
TagValueScope string: Tag value of AWS resources to evaluate

ruleIdentifier string: Identifier of an available AWS Config Managed Rule to call. For available values, see the List of AWS Config Managed Rules documentation
description string: Description of the rule
excludedAccounts string[]: List of AWS account identifiers to exclude from the rule
inputParameters string: A string in JSON format that is passed to the AWS Config Rule Lambda Function
maximumExecutionFrequency string: The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.
name string: The name of the rule
resourceIdScope string: Identifier of the AWS resource to evaluate
resourceTypesScopes string[]: List of types of AWS resources to evaluate
tagKeyScope string: Tag key of AWS resources to evaluate
tagValueScope string: Tag value of AWS resources to evaluate

rule_identifier str: Identifier of an available AWS Config Managed Rule to call. For available values, see the List of AWS Config Managed Rules documentation
description str: Description of the rule
excluded_accounts List[str]: List of AWS account identifiers to exclude from the rule
input_parameters str: A string in JSON format that is passed to the AWS Config Rule Lambda Function
maximum_execution_frequency str: The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.
name str: The name of the rule
resource_id_scope str: Identifier of the AWS resource to evaluate
resource_types_scopes List[str]: List of types of AWS resources to evaluate
tag_key_scope str: Tag key of AWS resources to evaluate
tag_value_scope str: Tag value of AWS resources to evaluate

Outputs

All input properties are implicitly available as output properties. Additionally, the OrganizationManagedRule resource produces the following output properties:

Arn string: Amazon Resource Name (ARN) of the rule
Id string: The provider-assigned unique ID for this managed resource.

Arn string: Amazon Resource Name (ARN) of the rule
Id string: The provider-assigned unique ID for this managed resource.

arn string: Amazon Resource Name (ARN) of the rule
id string: The provider-assigned unique ID for this managed resource.

arn str: Amazon Resource Name (ARN) of the rule
id str: The provider-assigned unique ID for this managed resource.

Look up an Existing OrganizationManagedRule Resource

Get an existing OrganizationManagedRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: OrganizationManagedRuleState, opts?: CustomResourceOptions): OrganizationManagedRule

static get(resource_name, id, opts=None, arn=None, description=None, excluded_accounts=None, input_parameters=None, maximum_execution_frequency=None, name=None, resource_id_scope=None, resource_types_scopes=None, rule_identifier=None, tag_key_scope=None, tag_value_scope=None, __props__=None);

func GetOrganizationManagedRule(ctx *Context, name string, id IDInput, state *OrganizationManagedRuleState, opts ...ResourceOption) (*OrganizationManagedRule, error)

public static OrganizationManagedRule Get(string name, Input<string> id, OrganizationManagedRuleState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Arn string: Amazon Resource Name (ARN) of the rule
Description string: Description of the rule
ExcludedAccounts List<string>: List of AWS account identifiers to exclude from the rule
InputParameters string: A string in JSON format that is passed to the AWS Config Rule Lambda Function
MaximumExecutionFrequency string: The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.
Name string: The name of the rule
ResourceIdScope string: Identifier of the AWS resource to evaluate
ResourceTypesScopes List<string>: List of types of AWS resources to evaluate
RuleIdentifier string: Identifier of an available AWS Config Managed Rule to call. For available values, see the List of AWS Config Managed Rules documentation
TagKeyScope string: Tag key of AWS resources to evaluate
TagValueScope string: Tag value of AWS resources to evaluate

Arn string: Amazon Resource Name (ARN) of the rule
Description string: Description of the rule
ExcludedAccounts []string: List of AWS account identifiers to exclude from the rule
InputParameters string: A string in JSON format that is passed to the AWS Config Rule Lambda Function
MaximumExecutionFrequency string: The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.
Name string: The name of the rule
ResourceIdScope string: Identifier of the AWS resource to evaluate
ResourceTypesScopes []string: List of types of AWS resources to evaluate
RuleIdentifier string: Identifier of an available AWS Config Managed Rule to call. For available values, see the List of AWS Config Managed Rules documentation
TagKeyScope string: Tag key of AWS resources to evaluate
TagValueScope string: Tag value of AWS resources to evaluate

arn string: Amazon Resource Name (ARN) of the rule
description string: Description of the rule
excludedAccounts string[]: List of AWS account identifiers to exclude from the rule
inputParameters string: A string in JSON format that is passed to the AWS Config Rule Lambda Function
maximumExecutionFrequency string: The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.
name string: The name of the rule
resourceIdScope string: Identifier of the AWS resource to evaluate
resourceTypesScopes string[]: List of types of AWS resources to evaluate
ruleIdentifier string: Identifier of an available AWS Config Managed Rule to call. For available values, see the List of AWS Config Managed Rules documentation
tagKeyScope string: Tag key of AWS resources to evaluate
tagValueScope string: Tag value of AWS resources to evaluate

arn str: Amazon Resource Name (ARN) of the rule
description str: Description of the rule
excluded_accounts List[str]: List of AWS account identifiers to exclude from the rule
input_parameters str: A string in JSON format that is passed to the AWS Config Rule Lambda Function
maximum_execution_frequency str: The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.
name str: The name of the rule
resource_id_scope str: Identifier of the AWS resource to evaluate
resource_types_scopes List[str]: List of types of AWS resources to evaluate
rule_identifier str: Identifier of an available AWS Config Managed Rule to call. For available values, see the List of AWS Config Managed Rules documentation
tag_key_scope str: Tag key of AWS resources to evaluate
tag_value_scope str: Tag value of AWS resources to evaluate

Package Details

Repository: https://github.com/pulumi/pulumi-aws
License: Apache-2.0
Notes: This Pulumi package is based on the aws Terraform Provider.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud