
Namespace Pulumi.Aws.Cfg

Classes

AggregateAuthorization

Manages an AWS Config Aggregate Authorization

Example Usage

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    /// <summary>
    /// Authorizes another account/region pair to aggregate this account's AWS Config data.
    /// The values below are placeholders for the aggregating account and the region it
    /// aggregates in; deploy this stack in the account whose data is being shared.
    /// </summary>
    public MyStack()
    {
        // Placeholder account ID — replace with the real aggregator account.
        var aggregatorAccountId = "123456789012";
        var aggregatorRegion = "eu-west-2";

        var authorization = new Aws.Cfg.AggregateAuthorization("example", new Aws.Cfg.AggregateAuthorizationArgs
        {
            AccountId = aggregatorAccountId,
            Region = aggregatorRegion,
        });
    }
}

AggregateAuthorizationArgs

AggregateAuthorizationState

ConfigurationAggregator

Manages an AWS Config Configuration Aggregator

Example Usage

Account Based Aggregation

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    /// <summary>
    /// Creates a Config aggregator that collects configuration data from an explicit list of
    /// accounts and regions ("account based" aggregation).
    /// </summary>
    public MyStack()
    {
        // Source accounts/regions to collect from. For any account other than the one this
        // stack runs in, that account must first grant an AggregateAuthorization to this one.
        var accountSource = new Aws.Cfg.Inputs.ConfigurationAggregatorAccountAggregationSourceArgs
        {
            AccountIds = { "123456789012" }, // placeholder account ID
            Regions = { "us-west-2" },
        };

        var accountAggregator = new Aws.Cfg.ConfigurationAggregator("account", new Aws.Cfg.ConfigurationAggregatorArgs
        {
            AccountAggregationSource = accountSource,
        });
    }
}

Organization Based Aggregation

using Pulumi;
using Aws = Pulumi.Aws;

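class MyStack : Stack
{
    /// <summary>
    /// Aggregates AWS Config data from every account and region of the AWS Organization.
    /// The aggregator assumes <c>organizationRole</c>; that role is only useful once the
    /// AWS-managed AWSConfigRoleForOrganizations policy is attached, so the aggregator is
    /// made to depend on the attachment explicitly (its inputs only reference the role ARN).
    /// </summary>
    public MyStack()
    {
        // Trust policy: only the AWS Config service principal may assume this role.
        // NOTE(review): consider aws:SourceAccount / aws:SourceArn conditions on the trust
        // policy to rule out confused-deputy assumption from other accounts — confirm with
        // the Config service documentation for your account setup.
        var organizationRole = new Aws.Iam.Role("organizationRole", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = @"{
""Version"": ""2012-10-17"",
""Statement"": [
{
  ""Sid"": """",
  ""Effect"": ""Allow"",
  ""Principal"": {
    ""Service"": ""config.amazonaws.com""
  },
  ""Action"": ""sts:AssumeRole""
}
]
}

",
        });

        // AWS-managed policy for organization-wide aggregation.
        var organizationRolePolicyAttachment = new Aws.Iam.RolePolicyAttachment("organizationRolePolicyAttachment", new Aws.Iam.RolePolicyAttachmentArgs
        {
            PolicyArn = "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations",
            Role = organizationRole.Name,
        });

        var organizationConfigurationAggregator = new Aws.Cfg.ConfigurationAggregator("organizationConfigurationAggregator", new Aws.Cfg.ConfigurationAggregatorArgs
        {
            OrganizationAggregationSource = new Aws.Cfg.Inputs.ConfigurationAggregatorOrganizationAggregationSourceArgs
            {
                AllRegions = true,
                RoleArn = organizationRole.Arn,
            },
        }, new CustomResourceOptions
        {
            // Without this the aggregator can be created while the role still has no
            // permissions, because nothing in its inputs references the attachment.
            DependsOn = { organizationRolePolicyAttachment },
        });
    }
}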

ConfigurationAggregatorArgs

ConfigurationAggregatorState

DeliveryChannel

Provides an AWS Config Delivery Channel.

Note: A Delivery Channel requires a Configuration Recorder to already exist. Because the channel's inputs do not reference the recorder, declare the ordering explicitly — in C# via `new CustomResourceOptions { DependsOn = { recorder } }`, Pulumi's equivalent of Terraform's `depends_on` — to avoid a race condition at creation time.

Example Usage

using Pulumi;
using Aws = Pulumi.Aws;

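class MyStack : Stack
{
    /// <summary>
    /// Creates an AWS Config delivery channel that writes configuration snapshots and history
    /// to an S3 bucket. The recorder and the role's bucket permissions must exist before the
    /// channel, so the channel declares an explicit dependency on both. The role's bucket
    /// grant is limited to what delivery needs rather than the original <c>s3:*</c>.
    /// </summary>
    public MyStack()
    {
        // Bucket that receives the Config history.
        // NOTE(review): ForceDestroy = true lets `pulumi destroy` delete the bucket together
        // with the audit history in it; drop it outside of throwaway examples, and consider
        // versioning plus a public-access block for this bucket.
        var bucket = new Aws.S3.Bucket("bucket", new Aws.S3.BucketArgs
        {
            ForceDestroy = true,
        });

        // Role the recorder runs as; only the AWS Config service principal may assume it.
        var role = new Aws.Iam.Role("role", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = @"{
""Version"": ""2012-10-17"",
""Statement"": [
{
  ""Action"": ""sts:AssumeRole"",
  ""Principal"": {
    ""Service"": ""config.amazonaws.com""
  },
  ""Effect"": ""Allow"",
  ""Sid"": """"
}
]
}

",
        });

        var fooRecorder = new Aws.Cfg.Recorder("fooRecorder", new Aws.Cfg.RecorderArgs
        {
            RoleArn = role.Arn,
        });

        // Least-privilege bucket access for delivery: Config reads the bucket ACL and writes
        // objects with the bucket-owner-full-control ACL. Nothing else on the bucket.
        var rolePolicy = new Aws.Iam.RolePolicy("rolePolicy", new Aws.Iam.RolePolicyArgs
        {
            Role = role.Id,
            Policy = bucket.Arn.Apply(bucketArn => @$"{{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {{
      ""Sid"": ""ReadBucketAcl"",
      ""Effect"": ""Allow"",
      ""Action"": ""s3:GetBucketAcl"",
      ""Resource"": ""{bucketArn}""
    }},
    {{
      ""Sid"": ""WriteConfigObjects"",
      ""Effect"": ""Allow"",
      ""Action"": [""s3:PutObject"", ""s3:PutObjectAcl""],
      ""Resource"": ""{bucketArn}/*"",
      ""Condition"": {{
        ""StringLike"": {{ ""s3:x-amz-acl"": ""bucket-owner-full-control"" }}
      }}
    }}
  ]
}}
"),
        });

        var fooDeliveryChannel = new Aws.Cfg.DeliveryChannel("fooDeliveryChannel", new Aws.Cfg.DeliveryChannelArgs
        {
            S3BucketName = bucket.BucketName,
        }, new CustomResourceOptions
        {
            // The channel only references the bucket name; without this it can be created
            // before the recorder exists or before the role is allowed to write to the bucket.
            DependsOn = { fooRecorder, rolePolicy },
        });
    }
}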

DeliveryChannelArgs

DeliveryChannelState

OrganizationCustomRule

Manages a Config Organization Custom Rule. More information about these rules can be found in the Enabling AWS Config Rules Across all Accounts in Your Organization and AWS Config Managed Rules documentation. For working with Organization Managed Rules (those invoking an AWS managed rule), see the aws.cfg.OrganizationManagedRule resource.

NOTE: This resource must be created in the Organization management (master) account, and the resulting rules also apply to that account unless its ID is listed in the `ExcludedAccounts` argument.

NOTE: The proper Lambda permission to allow the AWS Config service invoke the Lambda Function must be in place before the rule will successfully create or update. See also the aws.lambda.Permission resource.

Example Usage

using Pulumi;
using Aws = Pulumi.Aws;

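class MyStack : Stack
{
    /// <summary>
    /// Deploys an organization-wide custom Config rule backed by a Lambda function. Runs in
    /// the Organization management (master) account. The original snippet referenced
    /// <c>aws_lambda_function.Example</c>, a Terraform identifier that is not valid C#; the
    /// function is declared as a resource here instead.
    /// </summary>
    public MyStack()
    {
        // Evaluation function; Code/Runtime/Handler/Role are left out of this example.
        var exampleFunction = new Aws.Lambda.Function("exampleFunction", new Aws.Lambda.FunctionArgs
        {
        });

        // Lets the Config service invoke the function; the rule fails to create without it.
        // NOTE(review): this grants invoke to the Config service principal from *any* account
        // (confused deputy). Scope it with the permission's source-account argument if your
        // provider version supports it — confirm against the Permission resource docs.
        var examplePermission = new Aws.Lambda.Permission("examplePermission", new Aws.Lambda.PermissionArgs
        {
            Action = "lambda:InvokeFunction",
            Function = exampleFunction.Arn,
            Principal = "config.amazonaws.com",
        });

        // Organization with trusted access enabled for the Config multi-account setup principal.
        var exampleOrganization = new Aws.Organizations.Organization("exampleOrganization", new Aws.Organizations.OrganizationArgs
        {
            AwsServiceAccessPrincipals =
            {
                "config-multiaccountsetup.amazonaws.com",
            },
            FeatureSet = "ALL",
        });

        var exampleOrganizationCustomRule = new Aws.Cfg.OrganizationCustomRule("exampleOrganizationCustomRule", new Aws.Cfg.OrganizationCustomRuleArgs
        {
            LambdaFunctionArn = exampleFunction.Arn,
            TriggerTypes =
            {
                "ConfigurationItemChangeNotification",
            },
        }, new CustomResourceOptions
        {
            // Neither the permission nor the organization appears in the rule's inputs, so
            // the ordering must be explicit or the rule can be created before either exists.
            DependsOn = { examplePermission, exampleOrganization },
        });
    }
}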

OrganizationCustomRuleArgs

OrganizationCustomRuleState

OrganizationManagedRule

Manages a Config Organization Managed Rule. More information about these rules can be found in the Enabling AWS Config Rules Across all Accounts in Your Organization and AWS Config Managed Rules documentation. For working with Organization Custom Rules (those invoking a custom Lambda Function), see the aws.cfg.OrganizationCustomRule resource.

NOTE: This resource must be created in the Organization management (master) account, and the resulting rules also apply to that account unless its ID is listed in the `ExcludedAccounts` argument.

NOTE: Every Organization account except those configured in the excluded_accounts argument must have a Configuration Recorder with proper IAM permissions before the rule will successfully create or update. See also the aws.cfg.Recorder resource.

Example Usage

using Pulumi;
using Aws = Pulumi.Aws;

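class MyStack : Stack
{
    /// <summary>
    /// Deploys the AWS-managed IAM_PASSWORD_POLICY rule to every account in the Organization.
    /// Must run in the management (master) account, and every non-excluded member account
    /// needs a Configuration Recorder already, or creation fails.
    /// </summary>
    public MyStack()
    {
        // Organization with trusted access enabled for the Config multi-account setup principal.
        var exampleOrganization = new Aws.Organizations.Organization("exampleOrganization", new Aws.Organizations.OrganizationArgs
        {
            AwsServiceAccessPrincipals =
            {
                "config-multiaccountsetup.amazonaws.com",
            },
            FeatureSet = "ALL",
        });

        var exampleOrganizationManagedRule = new Aws.Cfg.OrganizationManagedRule("exampleOrganizationManagedRule", new Aws.Cfg.OrganizationManagedRuleArgs
        {
            RuleIdentifier = "IAM_PASSWORD_POLICY",
        }, new CustomResourceOptions
        {
            // The rule's inputs do not reference the organization; without this it can be
            // created before trusted access is enabled and fail.
            DependsOn = { exampleOrganization },
        });
    }
}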

OrganizationManagedRuleArgs

OrganizationManagedRuleState

Recorder

Provides an AWS Config Configuration Recorder. Please note that this resource does not start the created recorder automatically.

Note: Starting the Configuration Recorder requires a delivery channel (while delivery channel creation requires Configuration Recorder). This is why aws.cfg.RecorderStatus is a separate resource.

Example Usage

using Pulumi;
using Aws = Pulumi.Aws;

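class MyStack : Stack
{
    /// <summary>
    /// Creates a Config recorder and the IAM role it records with. The recorder is not started
    /// here (that is what RecorderStatus does). The original example left the role with no
    /// permissions at all; the same AWS-managed AWSConfigRole policy the RecorderStatus
    /// example on this page uses is attached so the recorder can read resource configuration.
    /// </summary>
    public MyStack()
    {
        // Only the AWS Config service principal may assume this role.
        var role = new Aws.Iam.Role("role", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = @"{
""Version"": ""2012-10-17"",
""Statement"": [
{
  ""Action"": ""sts:AssumeRole"",
  ""Principal"": {
    ""Service"": ""config.amazonaws.com""
  },
  ""Effect"": ""Allow"",
  ""Sid"": """"
}
]
}

",
        });

        var rolePolicyAttachment = new Aws.Iam.RolePolicyAttachment("rolePolicyAttachment", new Aws.Iam.RolePolicyAttachmentArgs
        {
            PolicyArn = "arn:aws:iam::aws:policy/service-role/AWSConfigRole",
            Role = role.Name,
        });

        var foo = new Aws.Cfg.Recorder("foo", new Aws.Cfg.RecorderArgs
        {
            RoleArn = role.Arn,
        }, new CustomResourceOptions
        {
            // The recorder only references the role ARN; make sure the policy is attached first.
            DependsOn = { rolePolicyAttachment },
        });
    }
}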

RecorderArgs

RecorderState

RecorderStatus

Manages status (recording / stopped) of an AWS Config Configuration Recorder.

Note: Starting the Configuration Recorder requires a Delivery Channel to already exist. The status resource's inputs do not reference the channel, so declare the ordering explicitly — in C# via `new CustomResourceOptions { DependsOn = { deliveryChannel } }`, Pulumi's equivalent of Terraform's `depends_on` — to avoid a race condition.

Example Usage

using Pulumi;
using Aws = Pulumi.Aws;

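class MyStack : Stack
{
    /// <summary>
    /// Brings up a running AWS Config setup: IAM role, S3 delivery bucket, recorder, delivery
    /// channel and finally the RecorderStatus that starts recording. Resources are created in
    /// that order, with explicit DependsOn wherever the inputs alone would not enforce it, and
    /// the role's bucket grant is limited to what delivery needs rather than <c>s3:*</c>.
    /// </summary>
    public MyStack()
    {
        // Only the AWS Config service principal may assume this role.
        var role = new Aws.Iam.Role("role", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = @"{
""Version"": ""2012-10-17"",
""Statement"": [
{
  ""Action"": ""sts:AssumeRole"",
  ""Principal"": {
    ""Service"": ""config.amazonaws.com""
  },
  ""Effect"": ""Allow"",
  ""Sid"": """"
}
]
}

",
        });

        // AWS-managed permissions for reading resource configuration.
        var rolePolicyAttachment = new Aws.Iam.RolePolicyAttachment("rolePolicyAttachment", new Aws.Iam.RolePolicyAttachmentArgs
        {
            PolicyArn = "arn:aws:iam::aws:policy/service-role/AWSConfigRole",
            Role = role.Name,
        });

        // Bucket that receives the Config history.
        // NOTE(review): this bucket holds the audit trail — consider versioning, a public-access
        // block and a bucket policy restricted to the Config service.
        var bucket = new Aws.S3.Bucket("bucket", new Aws.S3.BucketArgs
        {
        });

        var fooRecorder = new Aws.Cfg.Recorder("fooRecorder", new Aws.Cfg.RecorderArgs
        {
            RoleArn = role.Arn,
        }, new CustomResourceOptions
        {
            DependsOn = { rolePolicyAttachment },
        });

        // Least-privilege bucket access for delivery: Config reads the bucket ACL and writes
        // objects with the bucket-owner-full-control ACL. Nothing else on the bucket.
        var rolePolicy = new Aws.Iam.RolePolicy("rolePolicy", new Aws.Iam.RolePolicyArgs
        {
            Role = role.Id,
            Policy = bucket.Arn.Apply(bucketArn => @$"{{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {{
      ""Sid"": ""ReadBucketAcl"",
      ""Effect"": ""Allow"",
      ""Action"": ""s3:GetBucketAcl"",
      ""Resource"": ""{bucketArn}""
    }},
    {{
      ""Sid"": ""WriteConfigObjects"",
      ""Effect"": ""Allow"",
      ""Action"": [""s3:PutObject"", ""s3:PutObjectAcl""],
      ""Resource"": ""{bucketArn}/*"",
      ""Condition"": {{
        ""StringLike"": {{ ""s3:x-amz-acl"": ""bucket-owner-full-control"" }}
      }}
    }}
  ]
}}
"),
        });

        var fooDeliveryChannel = new Aws.Cfg.DeliveryChannel("fooDeliveryChannel", new Aws.Cfg.DeliveryChannelArgs
        {
            S3BucketName = bucket.BucketName,
        }, new CustomResourceOptions
        {
            // A delivery channel needs the recorder present and the role able to write.
            DependsOn = { fooRecorder, rolePolicy },
        });

        var fooRecorderStatus = new Aws.Cfg.RecorderStatus("fooRecorderStatus", new Aws.Cfg.RecorderStatusArgs
        {
            // Ties the status to the recorder created above.
            Name = fooRecorder.Name,
            IsEnabled = true,
        }, new CustomResourceOptions
        {
            // Starting the recorder fails without a delivery channel; the name alone does not
            // order these, so the dependency is explicit.
            DependsOn = { fooDeliveryChannel },
        });
    }
}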

RecorderStatusArgs

RecorderStatusState

Rule

Provides an AWS Config Rule.

Note: A Config Rule requires an existing Configuration Recorder. The rule's inputs do not reference the recorder, so declare the ordering explicitly — in C# via `new CustomResourceOptions { DependsOn = { recorder } }`, Pulumi's equivalent of Terraform's `depends_on` — to avoid a race condition.

Example Usage

AWS Managed Rules

using Pulumi;
using Aws = Pulumi.Aws;

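class MyStack : Stack
{
    /// <summary>
    /// Creates a recorder plus the AWS-managed S3_BUCKET_VERSIONING_ENABLED rule. The rule is
    /// created last with an explicit dependency on the recorder, which the original example
    /// (rule first, no dependency) did not guarantee.
    /// </summary>
    public MyStack()
    {
        // Only the AWS Config service principal may assume this role.
        var role = new Aws.Iam.Role("role", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = @"{
""Version"": ""2012-10-17"",
""Statement"": [
{
  ""Action"": ""sts:AssumeRole"",
  ""Principal"": {
    ""Service"": ""config.amazonaws.com""
  },
  ""Effect"": ""Allow"",
  ""Sid"": """"
}
]
}

",
        });

        // Inline grant kept from the original example. config:* actions are not resource-scoped,
        // hence Resource "*"; on its own this does not let the recorder read resource
        // configuration — the RecorderStatus example on this page attaches AWSConfigRole for that.
        var rolePolicy = new Aws.Iam.RolePolicy("rolePolicy", new Aws.Iam.RolePolicyArgs
        {
            Role = role.Id,
            Policy = @"{
""Version"": ""2012-10-17"",
""Statement"": [
{
""Action"": ""config:Put*"",
""Effect"": ""Allow"",
""Resource"": ""*""

}
]
}

",
        });

        var foo = new Aws.Cfg.Recorder("foo", new Aws.Cfg.RecorderArgs
        {
            RoleArn = role.Arn,
        }, new CustomResourceOptions
        {
            DependsOn = { rolePolicy },
        });

        var rule = new Aws.Cfg.Rule("rule", new Aws.Cfg.RuleArgs
        {
            Source = new Aws.Cfg.Inputs.RuleSourceArgs
            {
                Owner = "AWS",
                SourceIdentifier = "S3_BUCKET_VERSIONING_ENABLED",
            },
        }, new CustomResourceOptions
        {
            // The rule's inputs do not mention the recorder, so the ordering must be explicit.
            DependsOn = { foo },
        });
    }
}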

Custom Rules

using Pulumi;
using Aws = Pulumi.Aws;

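class MyStack : Stack
{
    /// <summary>
    /// Creates a custom Config rule that evaluates resources with a Lambda function. The rule
    /// is created after the recorder and after Config has been granted invoke permission on the
    /// function; neither appears in the rule's inputs, so the dependency is declared explicitly.
    /// </summary>
    public MyStack()
    {
        // RoleArn is omitted in this example; see the Recorder example on this page.
        var exampleRecorder = new Aws.Cfg.Recorder("exampleRecorder", new Aws.Cfg.RecorderArgs
        {
        });

        // Evaluation function; Code/Runtime/Handler/Role are left out of this example.
        var exampleFunction = new Aws.Lambda.Function("exampleFunction", new Aws.Lambda.FunctionArgs
        {
        });

        // Lets the Config service invoke the function.
        // NOTE(review): this grants invoke to the Config service principal from *any* account
        // (confused deputy). Scope it with the permission's source-account argument if your
        // provider version supports it — confirm against the Permission resource docs.
        var examplePermission = new Aws.Lambda.Permission("examplePermission", new Aws.Lambda.PermissionArgs
        {
            Action = "lambda:InvokeFunction",
            Function = exampleFunction.Arn,
            Principal = "config.amazonaws.com",
        });

        var exampleRule = new Aws.Cfg.Rule("exampleRule", new Aws.Cfg.RuleArgs
        {
            Source = new Aws.Cfg.Inputs.RuleSourceArgs
            {
                Owner = "CUSTOM_LAMBDA",
                SourceIdentifier = exampleFunction.Arn,
            },
        }, new CustomResourceOptions
        {
            // The function ARN orders the rule after the function only; the recorder and the
            // invoke permission must be forced ahead of it explicitly.
            DependsOn = { examplePermission, exampleRecorder },
        });
    }
}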

RuleArgs

RuleState
