1. Docs
  2. Reference
  3. API
  4. pulumi_aws
  5. cfg

This page documents the language specification for the aws package. If you're looking for help working with the inputs, outputs, or functions of aws resources in a Pulumi program, please see the resource documentation for examples and API reference.

cfg

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-aws repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-aws repo.

class pulumi_aws.cfg.AggregateAuthorization(resource_name, opts=None, account_id=None, region=None, tags=None, __props__=None, __name__=None, __opts__=None)

Manages an AWS Config Aggregate Authorization

import pulumi
import pulumi_aws as aws

example = aws.cfg.AggregateAuthorization("example",
    account_id="123456789012",
    region="eu-west-2")
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • account_id (pulumi.Input[str]) – Account ID

  • region (pulumi.Input[str]) – Region

  • tags (pulumi.Input[dict]) – A map of tags to assign to the resource.

account_id: pulumi.Output[str] = None

Account ID

arn: pulumi.Output[str] = None

The ARN of the authorization

region: pulumi.Output[str] = None

Region

tags: pulumi.Output[dict] = None

A map of tags to assign to the resource.

static get(resource_name, id, opts=None, account_id=None, arn=None, region=None, tags=None)

Get an existing AggregateAuthorization resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • account_id (pulumi.Input[str]) – Account ID

  • arn (pulumi.Input[str]) – The ARN of the authorization

  • region (pulumi.Input[str]) – Region

  • tags (pulumi.Input[dict]) – A map of tags to assign to the resource.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.cfg.ConfigurationAggregator(resource_name, opts=None, account_aggregation_source=None, name=None, organization_aggregation_source=None, tags=None, __props__=None, __name__=None, __opts__=None)

Manages an AWS Config Configuration Aggregator

import pulumi
import pulumi_aws as aws

account = aws.cfg.ConfigurationAggregator("account", account_aggregation_source={
    "accountIds": ["123456789012"],
    "regions": ["us-west-2"],
})

import pulumi
import pulumi_aws as aws

organization_role = aws.iam.Role("organizationRole", assume_role_policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

""")
organization_configuration_aggregator = aws.cfg.ConfigurationAggregator("organizationConfigurationAggregator", organization_aggregation_source={
    "allRegions": True,
    "role_arn": organization_role.arn,
})
organization_role_policy_attachment = aws.iam.RolePolicyAttachment("organizationRolePolicyAttachment",
    policy_arn="arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations",
    role=organization_role.name)
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • account_aggregation_source (pulumi.Input[dict]) – The account(s) to aggregate config data from as documented below.

  • name (pulumi.Input[str]) – The name of the configuration aggregator.

  • organization_aggregation_source (pulumi.Input[dict]) – The organization to aggregate config data from as documented below.

  • tags (pulumi.Input[dict]) – A map of tags to assign to the resource.

The account_aggregation_source object supports the following:

  • accountIds (pulumi.Input[list]) - List of 12-digit account IDs of the account(s) being aggregated.

  • allRegions (pulumi.Input[bool]) - If true, aggregate existing AWS Config regions and future regions.

  • regions (pulumi.Input[list]) - List of source regions being aggregated.

The organization_aggregation_source object supports the following:

  • allRegions (pulumi.Input[bool]) - If true, aggregate existing AWS Config regions and future regions.

  • regions (pulumi.Input[list]) - List of source regions being aggregated.

  • role_arn (pulumi.Input[str]) - ARN of the IAM role used to retrieve AWS Organization details associated with the aggregator account.

account_aggregation_source: pulumi.Output[dict] = None

The account(s) to aggregate config data from as documented below.

  • accountIds (list) - List of 12-digit account IDs of the account(s) being aggregated.

  • allRegions (bool) - If true, aggregate existing AWS Config regions and future regions.

  • regions (list) - List of source regions being aggregated.

arn: pulumi.Output[str] = None

The ARN of the aggregator

name: pulumi.Output[str] = None

The name of the configuration aggregator.

organization_aggregation_source: pulumi.Output[dict] = None

The organization to aggregate config data from as documented below.

  • allRegions (bool) - If true, aggregate existing AWS Config regions and future regions.

  • regions (list) - List of source regions being aggregated.

  • role_arn (str) - ARN of the IAM role used to retrieve AWS Organization details associated with the aggregator account.

tags: pulumi.Output[dict] = None

A map of tags to assign to the resource.

static get(resource_name, id, opts=None, account_aggregation_source=None, arn=None, name=None, organization_aggregation_source=None, tags=None)

Get an existing ConfigurationAggregator resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • account_aggregation_source (pulumi.Input[dict]) – The account(s) to aggregate config data from as documented below.

  • arn (pulumi.Input[str]) – The ARN of the aggregator

  • name (pulumi.Input[str]) – The name of the configuration aggregator.

  • organization_aggregation_source (pulumi.Input[dict]) – The organization to aggregate config data from as documented below.

  • tags (pulumi.Input[dict]) – A map of tags to assign to the resource.

The account_aggregation_source object supports the following:

  • accountIds (pulumi.Input[list]) - List of 12-digit account IDs of the account(s) being aggregated.

  • allRegions (pulumi.Input[bool]) - If true, aggregate existing AWS Config regions and future regions.

  • regions (pulumi.Input[list]) - List of source regions being aggregated.

The organization_aggregation_source object supports the following:

  • allRegions (pulumi.Input[bool]) - If true, aggregate existing AWS Config regions and future regions.

  • regions (pulumi.Input[list]) - List of source regions being aggregated.

  • role_arn (pulumi.Input[str]) - ARN of the IAM role used to retrieve AWS Organization details associated with the aggregator account.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.cfg.DeliveryChannel(resource_name, opts=None, name=None, s3_bucket_name=None, s3_key_prefix=None, snapshot_delivery_properties=None, sns_topic_arn=None, __props__=None, __name__=None, __opts__=None)

Provides an AWS Config Delivery Channel.

Note: Delivery Channel requires a Configuration Recorder to be present. Use of depends_on (as shown below) is recommended to avoid race conditions.

import pulumi
import pulumi_aws as aws

bucket = aws.s3.Bucket("bucket", force_destroy=True)
foo_delivery_channel = aws.cfg.DeliveryChannel("fooDeliveryChannel", s3_bucket_name=bucket.bucket)
role = aws.iam.Role("role", assume_role_policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}

""")
foo_recorder = aws.cfg.Recorder("fooRecorder", role_arn=role.arn)
role_policy = aws.iam.RolePolicy("rolePolicy",
    policy=pulumi.Output.all(bucket.arn, bucket.arn).apply(lambda bucketArn, bucketArn1: f"""{{
  "Version": "2012-10-17",
  "Statement": [
    {{
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "{bucket_arn}",
        "{bucket_arn1}/*"
      ]
    }}
  ]
}}

"""),
    role=role.id)
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • name (pulumi.Input[str]) – The name of the delivery channel. Defaults to default. Changing it recreates the resource.

  • s3_bucket_name (pulumi.Input[str]) – The name of the S3 bucket used to store the configuration history.

  • s3_key_prefix (pulumi.Input[str]) – The prefix for the specified S3 bucket.

  • snapshot_delivery_properties (pulumi.Input[dict]) – Options for how AWS Config delivers configuration snapshots. See below

  • sns_topic_arn (pulumi.Input[str]) – The ARN of the SNS topic that AWS Config delivers notifications to.

The snapshot_delivery_properties object supports the following:

  • deliveryFrequency (pulumi.Input[str]) - - The frequency with which AWS Config recurringly delivers configuration snapshots. e.g. One_Hour or Three_Hours. Valid values are listed here.

name: pulumi.Output[str] = None

The name of the delivery channel. Defaults to default. Changing it recreates the resource.

s3_bucket_name: pulumi.Output[str] = None

The name of the S3 bucket used to store the configuration history.

s3_key_prefix: pulumi.Output[str] = None

The prefix for the specified S3 bucket.

snapshot_delivery_properties: pulumi.Output[dict] = None

Options for how AWS Config delivers configuration snapshots. See below

  • deliveryFrequency (str) - - The frequency with which AWS Config recurringly delivers configuration snapshots. e.g. One_Hour or Three_Hours. Valid values are listed here.

sns_topic_arn: pulumi.Output[str] = None

The ARN of the SNS topic that AWS Config delivers notifications to.

static get(resource_name, id, opts=None, name=None, s3_bucket_name=None, s3_key_prefix=None, snapshot_delivery_properties=None, sns_topic_arn=None)

Get an existing DeliveryChannel resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • name (pulumi.Input[str]) – The name of the delivery channel. Defaults to default. Changing it recreates the resource.

  • s3_bucket_name (pulumi.Input[str]) – The name of the S3 bucket used to store the configuration history.

  • s3_key_prefix (pulumi.Input[str]) – The prefix for the specified S3 bucket.

  • snapshot_delivery_properties (pulumi.Input[dict]) – Options for how AWS Config delivers configuration snapshots. See below

  • sns_topic_arn (pulumi.Input[str]) – The ARN of the SNS topic that AWS Config delivers notifications to.

The snapshot_delivery_properties object supports the following:

  • deliveryFrequency (pulumi.Input[str]) - - The frequency with which AWS Config recurringly delivers configuration snapshots. e.g. One_Hour or Three_Hours. Valid values are listed here.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.cfg.OrganizationCustomRule(resource_name, opts=None, description=None, excluded_accounts=None, input_parameters=None, lambda_function_arn=None, maximum_execution_frequency=None, name=None, resource_id_scope=None, resource_types_scopes=None, tag_key_scope=None, tag_value_scope=None, trigger_types=None, __props__=None, __name__=None, __opts__=None)

Manages a Config Organization Custom Rule. More information about these rules can be found in the Enabling AWS Config Rules Across all Accounts in Your Organization and AWS Config Managed Rules documentation. For working with Organization Managed Rules (those invoking an AWS managed rule), see the aws_config_organization_managed__rule resource.

NOTE: This resource must be created in the Organization master account and rules will include the master account unless its ID is added to the excluded_accounts argument.

NOTE: The proper Lambda permission to allow the AWS Config service invoke the Lambda Function must be in place before the rule will successfully create or update. See also the lambda.Permission resource.

import pulumi
import pulumi_aws as aws

example_permission = aws.lambda_.Permission("examplePermission",
    action="lambda:InvokeFunction",
    function=aws_lambda_function["example"]["arn"],
    principal="config.amazonaws.com")
example_organization = aws.organizations.Organization("exampleOrganization",
    aws_service_access_principals=["config-multiaccountsetup.amazonaws.com"],
    feature_set="ALL")
example_organization_custom_rule = aws.cfg.OrganizationCustomRule("exampleOrganizationCustomRule",
    lambda_function_arn=aws_lambda_function["example"]["arn"],
    trigger_types=["ConfigurationItemChangeNotification"])
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • description (pulumi.Input[str]) – Description of the rule

  • excluded_accounts (pulumi.Input[list]) – List of AWS account identifiers to exclude from the rule

  • input_parameters (pulumi.Input[str]) – A string in JSON format that is passed to the AWS Config Rule Lambda Function

  • lambda_function_arn (pulumi.Input[str]) – Amazon Resource Name (ARN) of the rule Lambda Function

  • maximum_execution_frequency (pulumi.Input[str]) – The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.

  • name (pulumi.Input[str]) – The name of the rule

  • resource_id_scope (pulumi.Input[str]) – Identifier of the AWS resource to evaluate

  • resource_types_scopes (pulumi.Input[list]) – List of types of AWS resources to evaluate

  • tag_key_scope (pulumi.Input[str]) – Tag key of AWS resources to evaluate

  • tag_value_scope (pulumi.Input[str]) – Tag value of AWS resources to evaluate

  • trigger_types (pulumi.Input[list]) – List of notification types that trigger AWS Config to run an evaluation for the rule. Valid values: ConfigurationItemChangeNotification, OversizedConfigurationItemChangeNotification, and ScheduledNotification

arn: pulumi.Output[str] = None

Amazon Resource Name (ARN) of the rule

description: pulumi.Output[str] = None

Description of the rule

excluded_accounts: pulumi.Output[list] = None

List of AWS account identifiers to exclude from the rule

input_parameters: pulumi.Output[str] = None

A string in JSON format that is passed to the AWS Config Rule Lambda Function

lambda_function_arn: pulumi.Output[str] = None

Amazon Resource Name (ARN) of the rule Lambda Function

maximum_execution_frequency: pulumi.Output[str] = None

The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.

name: pulumi.Output[str] = None

The name of the rule

resource_id_scope: pulumi.Output[str] = None

Identifier of the AWS resource to evaluate

resource_types_scopes: pulumi.Output[list] = None

List of types of AWS resources to evaluate

tag_key_scope: pulumi.Output[str] = None

Tag key of AWS resources to evaluate

tag_value_scope: pulumi.Output[str] = None

Tag value of AWS resources to evaluate

trigger_types: pulumi.Output[list] = None

List of notification types that trigger AWS Config to run an evaluation for the rule. Valid values: ConfigurationItemChangeNotification, OversizedConfigurationItemChangeNotification, and ScheduledNotification

static get(resource_name, id, opts=None, arn=None, description=None, excluded_accounts=None, input_parameters=None, lambda_function_arn=None, maximum_execution_frequency=None, name=None, resource_id_scope=None, resource_types_scopes=None, tag_key_scope=None, tag_value_scope=None, trigger_types=None)

Get an existing OrganizationCustomRule resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – Amazon Resource Name (ARN) of the rule

  • description (pulumi.Input[str]) – Description of the rule

  • excluded_accounts (pulumi.Input[list]) – List of AWS account identifiers to exclude from the rule

  • input_parameters (pulumi.Input[str]) – A string in JSON format that is passed to the AWS Config Rule Lambda Function

  • lambda_function_arn (pulumi.Input[str]) – Amazon Resource Name (ARN) of the rule Lambda Function

  • maximum_execution_frequency (pulumi.Input[str]) – The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.

  • name (pulumi.Input[str]) – The name of the rule

  • resource_id_scope (pulumi.Input[str]) – Identifier of the AWS resource to evaluate

  • resource_types_scopes (pulumi.Input[list]) – List of types of AWS resources to evaluate

  • tag_key_scope (pulumi.Input[str]) – Tag key of AWS resources to evaluate

  • tag_value_scope (pulumi.Input[str]) – Tag value of AWS resources to evaluate

  • trigger_types (pulumi.Input[list]) – List of notification types that trigger AWS Config to run an evaluation for the rule. Valid values: ConfigurationItemChangeNotification, OversizedConfigurationItemChangeNotification, and ScheduledNotification

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.cfg.OrganizationManagedRule(resource_name, opts=None, description=None, excluded_accounts=None, input_parameters=None, maximum_execution_frequency=None, name=None, resource_id_scope=None, resource_types_scopes=None, rule_identifier=None, tag_key_scope=None, tag_value_scope=None, __props__=None, __name__=None, __opts__=None)

Manages a Config Organization Managed Rule. More information about these rules can be found in the Enabling AWS Config Rules Across all Accounts in Your Organization and AWS Config Managed Rules documentation. For working with Organization Custom Rules (those invoking a custom Lambda Function), see the cfg.OrganizationCustomRule resource.

NOTE: This resource must be created in the Organization master account and rules will include the master account unless its ID is added to the excluded_accounts argument.

NOTE: Every Organization account except those configured in the excluded_accounts argument must have a Configuration Recorder with proper IAM permissions before the rule will successfully create or update. See also the cfg.Recorder resource.

import pulumi
import pulumi_aws as aws

example_organization = aws.organizations.Organization("exampleOrganization",
    aws_service_access_principals=["config-multiaccountsetup.amazonaws.com"],
    feature_set="ALL")
example_organization_managed_rule = aws.cfg.OrganizationManagedRule("exampleOrganizationManagedRule", rule_identifier="IAM_PASSWORD_POLICY")
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • description (pulumi.Input[str]) – Description of the rule

  • excluded_accounts (pulumi.Input[list]) – List of AWS account identifiers to exclude from the rule

  • input_parameters (pulumi.Input[str]) – A string in JSON format that is passed to the AWS Config Rule Lambda Function

  • maximum_execution_frequency (pulumi.Input[str]) – The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.

  • name (pulumi.Input[str]) – The name of the rule

  • resource_id_scope (pulumi.Input[str]) – Identifier of the AWS resource to evaluate

  • resource_types_scopes (pulumi.Input[list]) – List of types of AWS resources to evaluate

  • rule_identifier (pulumi.Input[str]) – Identifier of an available AWS Config Managed Rule to call. For available values, see the List of AWS Config Managed Rules documentation

  • tag_key_scope (pulumi.Input[str]) – Tag key of AWS resources to evaluate

  • tag_value_scope (pulumi.Input[str]) – Tag value of AWS resources to evaluate

arn: pulumi.Output[str] = None

Amazon Resource Name (ARN) of the rule

description: pulumi.Output[str] = None

Description of the rule

excluded_accounts: pulumi.Output[list] = None

List of AWS account identifiers to exclude from the rule

input_parameters: pulumi.Output[str] = None

A string in JSON format that is passed to the AWS Config Rule Lambda Function

maximum_execution_frequency: pulumi.Output[str] = None

The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.

name: pulumi.Output[str] = None

The name of the rule

resource_id_scope: pulumi.Output[str] = None

Identifier of the AWS resource to evaluate

resource_types_scopes: pulumi.Output[list] = None

List of types of AWS resources to evaluate

rule_identifier: pulumi.Output[str] = None

Identifier of an available AWS Config Managed Rule to call. For available values, see the List of AWS Config Managed Rules documentation

tag_key_scope: pulumi.Output[str] = None

Tag key of AWS resources to evaluate

tag_value_scope: pulumi.Output[str] = None

Tag value of AWS resources to evaluate

static get(resource_name, id, opts=None, arn=None, description=None, excluded_accounts=None, input_parameters=None, maximum_execution_frequency=None, name=None, resource_id_scope=None, resource_types_scopes=None, rule_identifier=None, tag_key_scope=None, tag_value_scope=None)

Get an existing OrganizationManagedRule resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – Amazon Resource Name (ARN) of the rule

  • description (pulumi.Input[str]) – Description of the rule

  • excluded_accounts (pulumi.Input[list]) – List of AWS account identifiers to exclude from the rule

  • input_parameters (pulumi.Input[str]) – A string in JSON format that is passed to the AWS Config Rule Lambda Function

  • maximum_execution_frequency (pulumi.Input[str]) – The maximum frequency with which AWS Config runs evaluations for a rule, if the rule is triggered at a periodic frequency. Defaults to TwentyFour_Hours for periodic frequency triggered rules. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.

  • name (pulumi.Input[str]) – The name of the rule

  • resource_id_scope (pulumi.Input[str]) – Identifier of the AWS resource to evaluate

  • resource_types_scopes (pulumi.Input[list]) – List of types of AWS resources to evaluate

  • rule_identifier (pulumi.Input[str]) –

    Identifier of an available AWS Config Managed Rule to call. For available values, see the List of AWS Config Managed Rules documentation

  • tag_key_scope (pulumi.Input[str]) – Tag key of AWS resources to evaluate

  • tag_value_scope (pulumi.Input[str]) – Tag value of AWS resources to evaluate

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.cfg.Recorder(resource_name, opts=None, name=None, recording_group=None, role_arn=None, __props__=None, __name__=None, __opts__=None)

Provides an AWS Config Configuration Recorder. Please note that this resource does not start the created recorder automatically.

Note: Starting the Configuration Recorder requires a delivery channel (while delivery channel creation requires Configuration Recorder). This is why cfg.RecorderStatus is a separate resource.

import pulumi
import pulumi_aws as aws

role = aws.iam.Role("role", assume_role_policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}

""")
foo = aws.cfg.Recorder("foo", role_arn=role.arn)
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • name (pulumi.Input[str]) – The name of the recorder. Defaults to default. Changing it recreates the resource.

  • recording_group (pulumi.Input[dict]) – Recording group - see below.

  • role_arn (pulumi.Input[str]) – Amazon Resource Name (ARN) of the IAM role. used to make read or write requests to the delivery channel and to describe the AWS resources associated with the account. See AWS Docs for more details.

The recording_group object supports the following:

  • allSupported (pulumi.Input[bool]) - Specifies whether AWS Config records configuration changes for every supported type of regional resource (which includes any new type that will become supported in the future). Conflicts with resource_types. Defaults to true.

  • includeGlobalResourceTypes (pulumi.Input[bool]) - Specifies whether AWS Config includes all supported types of global resources with the resources that it records. Requires all_supported = true. Conflicts with resource_types.

  • resourceTypes (pulumi.Input[list]) - A list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail). See relevant part of AWS Docs for available types.

name: pulumi.Output[str] = None

The name of the recorder. Defaults to default. Changing it recreates the resource.

recording_group: pulumi.Output[dict] = None

Recording group - see below.

  • allSupported (bool) - Specifies whether AWS Config records configuration changes for every supported type of regional resource (which includes any new type that will become supported in the future). Conflicts with resource_types. Defaults to true.

  • includeGlobalResourceTypes (bool) - Specifies whether AWS Config includes all supported types of global resources with the resources that it records. Requires all_supported = true. Conflicts with resource_types.

  • resourceTypes (list) - A list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail). See relevant part of AWS Docs for available types.

role_arn: pulumi.Output[str] = None

Amazon Resource Name (ARN) of the IAM role. used to make read or write requests to the delivery channel and to describe the AWS resources associated with the account. See AWS Docs for more details.

static get(resource_name, id, opts=None, name=None, recording_group=None, role_arn=None)

Get an existing Recorder resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • name (pulumi.Input[str]) – The name of the recorder. Defaults to default. Changing it recreates the resource.

  • recording_group (pulumi.Input[dict]) – Recording group - see below.

  • role_arn (pulumi.Input[str]) –

    Amazon Resource Name (ARN) of the IAM role. used to make read or write requests to the delivery channel and to describe the AWS resources associated with the account. See AWS Docs for more details.

The recording_group object supports the following:

  • allSupported (pulumi.Input[bool]) - Specifies whether AWS Config records configuration changes for every supported type of regional resource (which includes any new type that will become supported in the future). Conflicts with resource_types. Defaults to true.

  • includeGlobalResourceTypes (pulumi.Input[bool]) - Specifies whether AWS Config includes all supported types of global resources with the resources that it records. Requires all_supported = true. Conflicts with resource_types.

  • resourceTypes (pulumi.Input[list]) - A list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail). See relevant part of AWS Docs for available types.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.cfg.RecorderStatus(resource_name, opts=None, is_enabled=None, name=None, __props__=None, __name__=None, __opts__=None)

Manages status (recording / stopped) of an AWS Config Configuration Recorder.

Note: Starting Configuration Recorder requires a Delivery Channel to be present. Use of depends_on (as shown below) is recommended to avoid race conditions.

import pulumi
import pulumi_aws as aws

foo_recorder_status = aws.cfg.RecorderStatus("fooRecorderStatus", is_enabled=True)
role = aws.iam.Role("role", assume_role_policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}

""")
role_policy_attachment = aws.iam.RolePolicyAttachment("rolePolicyAttachment",
    policy_arn="arn:aws:iam::aws:policy/service-role/AWSConfigRole",
    role=role.name)
bucket = aws.s3.Bucket("bucket")
foo_delivery_channel = aws.cfg.DeliveryChannel("fooDeliveryChannel", s3_bucket_name=bucket.bucket)
foo_recorder = aws.cfg.Recorder("fooRecorder", role_arn=role.arn)
role_policy = aws.iam.RolePolicy("rolePolicy",
    policy=pulumi.Output.all(bucket.arn, bucket.arn).apply(lambda bucketArn, bucketArn1: f"""{{
  "Version": "2012-10-17",
  "Statement": [
    {{
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "{bucket_arn}",
        "{bucket_arn1}/*"
      ]
    }}
  ]
}}

"""),
    role=role.id)
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • is_enabled (pulumi.Input[bool]) – Whether the configuration recorder should be enabled or disabled.

  • name (pulumi.Input[str]) – The name of the recorder

is_enabled: pulumi.Output[bool] = None

Whether the configuration recorder should be enabled or disabled.

name: pulumi.Output[str] = None

The name of the recorder

static get(resource_name, id, opts=None, is_enabled=None, name=None)

Get an existing RecorderStatus resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • is_enabled (pulumi.Input[bool]) – Whether the configuration recorder should be enabled or disabled.

  • name (pulumi.Input[str]) – The name of the recorder

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.cfg.Rule(resource_name, opts=None, description=None, input_parameters=None, maximum_execution_frequency=None, name=None, scope=None, source=None, tags=None, __props__=None, __name__=None, __opts__=None)

Provides an AWS Config Rule.

Note: Config Rule requires an existing Configuration Recorder to be present. Use of depends_on is recommended (as shown below) to avoid race conditions.

import pulumi
import pulumi_aws as aws

rule = aws.cfg.Rule("rule", source={
    "owner": "AWS",
    "sourceIdentifier": "S3_BUCKET_VERSIONING_ENABLED",
})
role = aws.iam.Role("role", assume_role_policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}

""")
foo = aws.cfg.Recorder("foo", role_arn=role.arn)
role_policy = aws.iam.RolePolicy("rolePolicy",
    policy="""{
  "Version": "2012-10-17",
  "Statement": [
        {
                "Action": "config:Put*",
                "Effect": "Allow",
                "Resource": "*"

        }
  ]
}

""",
    role=role.id)

import pulumi
import pulumi_aws as aws

example_recorder = aws.cfg.Recorder("exampleRecorder")
example_function = aws.lambda_.Function("exampleFunction")
example_permission = aws.lambda_.Permission("examplePermission",
    action="lambda:InvokeFunction",
    function=example_function.arn,
    principal="config.amazonaws.com")
example_rule = aws.cfg.Rule("exampleRule", source={
    "owner": "CUSTOM_LAMBDA",
    "sourceIdentifier": example_function.arn,
})
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • description (pulumi.Input[str]) – Description of the rule

  • input_parameters (pulumi.Input[str]) – A string in JSON format that is passed to the AWS Config rule Lambda function.

  • maximum_execution_frequency (pulumi.Input[str]) – The frequency that you want AWS Config to run evaluations for a rule that is triggered periodically. If specified, requires message_type to be ScheduledNotification.

  • name (pulumi.Input[str]) – The name of the rule

  • scope (pulumi.Input[dict]) – Scope defines which resources can trigger an evaluation for the rule as documented below.

  • source (pulumi.Input[dict]) – Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources as documented below.

  • tags (pulumi.Input[dict]) – A map of tags to assign to the resource.

The scope object supports the following:

  • complianceResourceId (pulumi.Input[str]) - The IDs of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for compliance_resource_types.

  • complianceResourceTypes (pulumi.Input[list]) - A list of resource types of only those AWS resources that you want to trigger an evaluation for the rule. e.g. AWS::EC2::Instance. You can only specify one type if you also specify a resource ID for compliance_resource_id. See relevant part of AWS Docs for available types.

  • tagKey (pulumi.Input[str]) - The tag key that is applied to only those AWS resources that you want you want to trigger an evaluation for the rule.

  • tagValue (pulumi.Input[str]) - The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule.

The source object supports the following:

  • owner (pulumi.Input[str]) - Indicates whether AWS or the customer owns and manages the AWS Config rule. Valid values are AWS or CUSTOM_LAMBDA. For more information about managed rules, see the AWS Config Managed Rules documentation. For more information about custom rules, see the AWS Config Custom Rules documentation. Custom Lambda Functions require permissions to allow the AWS Config service to invoke them, e.g. via the lambda.Permission resource.

  • sourceDetails (pulumi.Input[list]) - Provides the source and type of the event that causes AWS Config to evaluate your AWS resources. Only valid if owner is CUSTOM_LAMBDA.

    • eventSource (pulumi.Input[str]) - The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWS resources. This defaults to aws.config and is the only valid value.

    • maximum_execution_frequency (pulumi.Input[str]) - The frequency that you want AWS Config to run evaluations for a rule that is triggered periodically. If specified, requires message_type to be ScheduledNotification.

    • messageType (pulumi.Input[str]) - The type of notification that triggers AWS Config to run an evaluation for a rule. You can specify the following notification types:

  • sourceIdentifier (pulumi.Input[str]) - For AWS Config managed rules, a predefined identifier, e.g IAM_PASSWORD_POLICY. For custom Lambda rules, the identifier is the ARN of the Lambda Function, such as arn:aws:lambda:us-east-1:123456789012:function:custom_rule_name or the arn attribute of the lambda.Function resource.

arn: pulumi.Output[str] = None

The ARN of the config rule

description: pulumi.Output[str] = None

Description of the rule

input_parameters: pulumi.Output[str] = None

A string in JSON format that is passed to the AWS Config rule Lambda function.

maximum_execution_frequency: pulumi.Output[str] = None

The frequency that you want AWS Config to run evaluations for a rule that is triggered periodically. If specified, requires message_type to be ScheduledNotification.

name: pulumi.Output[str] = None

The name of the rule

rule_id: pulumi.Output[str] = None

The ID of the config rule

scope: pulumi.Output[dict] = None

Scope defines which resources can trigger an evaluation for the rule as documented below.

  • complianceResourceId (str) - The IDs of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for compliance_resource_types.

  • complianceResourceTypes (list) - A list of resource types of only those AWS resources that you want to trigger an evaluation for the rule. e.g. AWS::EC2::Instance. You can only specify one type if you also specify a resource ID for compliance_resource_id. See relevant part of AWS Docs for available types.

  • tagKey (str) - The tag key that is applied to only those AWS resources that you want you want to trigger an evaluation for the rule.

  • tagValue (str) - The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule.

source: pulumi.Output[dict] = None

Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources as documented below.

  • owner (str) - Indicates whether AWS or the customer owns and manages the AWS Config rule. Valid values are AWS or CUSTOM_LAMBDA. For more information about managed rules, see the AWS Config Managed Rules documentation. For more information about custom rules, see the AWS Config Custom Rules documentation. Custom Lambda Functions require permissions to allow the AWS Config service to invoke them, e.g. via the lambda.Permission resource.

  • sourceDetails (list) - Provides the source and type of the event that causes AWS Config to evaluate your AWS resources. Only valid if owner is CUSTOM_LAMBDA.

    • eventSource (str) - The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWS resources. This defaults to aws.config and is the only valid value.

    • maximum_execution_frequency (str) - The frequency that you want AWS Config to run evaluations for a rule that is triggered periodically. If specified, requires message_type to be ScheduledNotification.

    • messageType (str) - The type of notification that triggers AWS Config to run an evaluation for a rule. You can specify the following notification types:

  • sourceIdentifier (str) - For AWS Config managed rules, a predefined identifier, e.g IAM_PASSWORD_POLICY. For custom Lambda rules, the identifier is the ARN of the Lambda Function, such as arn:aws:lambda:us-east-1:123456789012:function:custom_rule_name or the arn attribute of the lambda.Function resource.

tags: pulumi.Output[dict] = None

A map of tags to assign to the resource.

static get(resource_name, id, opts=None, arn=None, description=None, input_parameters=None, maximum_execution_frequency=None, name=None, rule_id=None, scope=None, source=None, tags=None)

Get an existing Rule resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – The ARN of the config rule

  • description (pulumi.Input[str]) – Description of the rule

  • input_parameters (pulumi.Input[str]) – A string in JSON format that is passed to the AWS Config rule Lambda function.

  • maximum_execution_frequency (pulumi.Input[str]) – The frequency that you want AWS Config to run evaluations for a rule that is triggered periodically. If specified, requires message_type to be ScheduledNotification.

  • name (pulumi.Input[str]) – The name of the rule

  • rule_id (pulumi.Input[str]) – The ID of the config rule

  • scope (pulumi.Input[dict]) – Scope defines which resources can trigger an evaluation for the rule as documented below.

  • source (pulumi.Input[dict]) – Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources as documented below.

  • tags (pulumi.Input[dict]) – A map of tags to assign to the resource.

The scope object supports the following:

  • complianceResourceId (pulumi.Input[str]) - The IDs of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for compliance_resource_types.

  • complianceResourceTypes (pulumi.Input[list]) - A list of resource types of only those AWS resources that you want to trigger an evaluation for the rule. e.g. AWS::EC2::Instance. You can only specify one type if you also specify a resource ID for compliance_resource_id. See relevant part of AWS Docs for available types.

  • tagKey (pulumi.Input[str]) - The tag key that is applied to only those AWS resources that you want you want to trigger an evaluation for the rule.

  • tagValue (pulumi.Input[str]) - The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule.

The source object supports the following:

  • owner (pulumi.Input[str]) - Indicates whether AWS or the customer owns and manages the AWS Config rule. Valid values are AWS or CUSTOM_LAMBDA. For more information about managed rules, see the AWS Config Managed Rules documentation. For more information about custom rules, see the AWS Config Custom Rules documentation. Custom Lambda Functions require permissions to allow the AWS Config service to invoke them, e.g. via the lambda.Permission resource.

  • sourceDetails (pulumi.Input[list]) - Provides the source and type of the event that causes AWS Config to evaluate your AWS resources. Only valid if owner is CUSTOM_LAMBDA.

    • eventSource (pulumi.Input[str]) - The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWS resources. This defaults to aws.config and is the only valid value.

    • maximum_execution_frequency (pulumi.Input[str]) - The frequency that you want AWS Config to run evaluations for a rule that is triggered periodically. If specified, requires message_type to be ScheduledNotification.

    • messageType (pulumi.Input[str]) - The type of notification that triggers AWS Config to run an evaluation for a rule. You can specify the following notification types:

  • sourceIdentifier (pulumi.Input[str]) - For AWS Config managed rules, a predefined identifier, e.g IAM_PASSWORD_POLICY. For custom Lambda rules, the identifier is the ARN of the Lambda Function, such as arn:aws:lambda:us-east-1:123456789012:function:custom_rule_name or the arn attribute of the lambda.Function resource.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str