Support evaluation mode for config-managed-rule
posquit0 committed Apr 23, 2024
1 parent 18c6860 commit 454b409
Showing 5 changed files with 34 additions and 4 deletions.
8 changes: 5 additions & 3 deletions modules/config-managed-rule/README.md
Expand Up @@ -15,14 +15,14 @@ This module creates following resources.

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.14 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.23 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.19.0 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.46.0 |

## Modules

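Review bot: the `terraform` requirement in this table moves from `>= 1.5` to `>= 1.6`, but the versions.tf hunk in this commit only touches the `aws` provider line, so either `required_version` was already `>= 1.6` before this change or the README and versions.tf now disagree; please confirm which. The `aws` floor also jumps from `>= 4.14` here while versions.tf was already at `>= 5.5`, which means the generated README had drifted from the module before this commit; a terraform-docs check in CI would keep the two in sync. The `5.46.0` under Providers is the version terraform-docs saw at generation time, not a constraint, so it is fine for it to differ from `>= 5.23`.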
Expand All @@ -43,6 +43,7 @@ This module creates following resources.
|------|-------------|------|---------|:--------:|
| <a name="input_source_rule"></a> [source\_rule](#input\_source\_rule) | (Required) The identifier for AWS Config managed rule. Use the format like `root-account-mfa-enabled` instead of predefiend format like `ROOT_ACCOUNT_MFA_ENABLED`. | `string` | n/a | yes |
| <a name="input_description"></a> [description](#input\_description) | (Optional) The description of the rule. Use default description if not provided. | `string` | `null` | no |
| <a name="input_evaluation_modes"></a> [evaluation\_modes](#input\_evaluation\_modes) | (Optional) A set of evaluation modes to enable for the Config rule. Valid values are `DETECTIVE`, `PROACTIVE`. Default value contains only `DETECTIVE`. | `set(string)` | <pre>[<br> "DETECTIVE"<br>]</pre> | no |
| <a name="input_excluded_accounts"></a> [excluded\_accounts](#input\_excluded\_accounts) | (Optional) A list of AWS account identifiers to exclude from the rule. Only need when `level` is configured with value `ORGANIZATION`. | `list(string)` | `[]` | no |
| <a name="input_level"></a> [level](#input\_level) | (Optional) Choose to create a rule across all accounts in your Organization. Valid values are `ACCOUNT` and `ORGANIZATION`. Use `ORGANIZATION` level in Organization master account or delegated administrator accounts. | `string` | `"ACCOUNT"` | no |
| <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
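Review bot: the `evaluation_modes` row should say when `PROACTIVE` is usable. Only a subset of managed rules support proactive evaluation, and a rule that does not is rejected by the service at apply time rather than at plan time, so the description should warn that `PROACTIVE` is valid only for managed rules that support it and that enabling it does not evaluate anything before deployment on its own; the deployment pipeline still has to submit resources through the Config `StartResourceEvaluation` API. Also, this table still documents `level = "ORGANIZATION"`, while the main.tf change only wires the modes into `aws_config_config_rule`; if the organization path uses a different resource, say here whether `evaluation_modes` is ignored in that case. Unrelated but visible in context: `predefiend` in the `source_rule` row; since this README is generated, fix the typo in variables.tf.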
Expand All @@ -64,6 +65,7 @@ This module creates following resources.
|------|-------------|
| <a name="output_arn"></a> [arn](#output\_arn) | The Amazon Resource Name (ARN) of the rule. |
| <a name="output_description"></a> [description](#output\_description) | The description of the rule. |
| <a name="output_evaluation_modes"></a> [evaluation\_modes](#output\_evaluation\_modes) | A set of evaluation modes to enable for the Config rule. |
| <a name="output_excluded_accounts"></a> [excluded\_accounts](#output\_excluded\_accounts) | A list of AWS account identifiers excluded from the rule. |
| <a name="output_id"></a> [id](#output\_id) | The ID of the rule. |
| <a name="output_level"></a> [level](#output\_level) | The level of the rule. `ACOUNT` or `ORGANIZATION`. The rule is for accounts in your Organization if the value is configured with `ORGANIZATION`. |
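Review bot: the `evaluation_modes` output description copies the input's wording (`to enable for the Config rule`); an output reports state, so `A set of evaluation modes enabled for the Config rule.` reads better, and because this table is generated the fix belongs in outputs.tf. While here, `ACOUNT` in the `level` output description in the context line below is a typo for `ACCOUNT`.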
8 changes: 8 additions & 0 deletions modules/config-managed-rule/main.tf
Expand Up @@ -67,6 +67,14 @@ resource "aws_config_config_rule" "this" {
input_parameters = jsonencode(var.parameters)

### Trigger by configuration change
dynamic "evaluation_mode" {
for_each = var.evaluation_modes

content {
mode = evaluation_mode.value
}
}

## Scope: ALL_CHANGES
dynamic "scope" {
for_each = local.rule.trigger_by_change.enabled && var.scope == "ALL_CHANGES" ? ["go"] : []
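Review bot: the new `dynamic "evaluation_mode"` block is inserted between the `### Trigger by configuration change` comment and the `## Scope: ALL_CHANGES` block that comment introduces, so the section heading is now detached from the scope blocks it describes. Move the dynamic block above that comment, next to `input_parameters`, or give it its own `### Evaluation modes` comment. The block itself is fine: iterating the `set(string)` emits one `evaluation_mode { mode = ... }` per entry, and Terraform orders string sets deterministically, so plans stay stable across runs.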
5 changes: 5 additions & 0 deletions modules/config-managed-rule/outputs.tf
Expand Up @@ -53,6 +53,11 @@ output "level" {
value = var.level
}

output "evaluation_modes" {
description = "A set of evaluation modes to enable for the Config rule."
value = var.evaluation_modes
}

output "trigger_by_change" {
description = "The information of trigger by configuration changes."
value = {
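Review bot: `output "evaluation_modes"` echoes `var.evaluation_modes` rather than the applied state; that is consistent with `output "level"` just above it, so it is acceptable, but the description should read `enabled for the Config rule` instead of `to enable for the Config rule`, since this is an output. If the `aws_config_config_rule.this` resource is created unconditionally at this level, `aws_config_config_rule.this.evaluation_mode[*].mode` would report what the provider actually applied.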
15 changes: 15 additions & 0 deletions modules/config-managed-rule/variables.tf
Expand Up @@ -37,6 +37,21 @@ variable "level" {
}
}

variable "evaluation_modes" {
description = "(Optional) A set of evaluation modes to enable for the Config rule. Valid values are `DETECTIVE`, `PROACTIVE`. Default value contains only `DETECTIVE`."
type = set(string)
default = ["DETECTIVE"]
nullable = false

validation {
condition = alltrue([
for mode in var.evaluation_modes :
contains(["DETECTIVE", "PROACTIVE"], mode)
])
error_message = "Valid values for `evaluation_modes` should be one of `DETECTIVE`, `PROACTIVE`."
}
}

variable "scope" {
description = "(Optional) Choose when evaluations will occur. Valid values are `ALL_CHANGES`, `RESOURCES`, or `TAGS`."
type = string
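Review bot: the validation on `evaluation_modes` checks each element but not the set's size, so `evaluation_modes = []` passes and produces zero `evaluation_mode` blocks in main.tf; if an empty set is not a supported configuration, add `length(var.evaluation_modes) > 0` to the condition. The error message also reads as if the variable were a single value (`should be one of`); for a set, `Each element of evaluation_modes must be one of DETECTIVE, PROACTIVE.` states the rule accurately. `nullable = false` together with the `["DETECTIVE"]` default is the right choice here, since a null would break the `for_each` in the dynamic block.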
2 changes: 1 addition & 1 deletion modules/config-managed-rule/versions.tf
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.5"
version = ">= 5.23"
}
}
}
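Review bot: raising the `aws` floor from `>= 5.5` to `>= 5.23` is a breaking change for consumers pinned below 5.23 and should be called out in the changelog or release notes. Presumably 5.23 is the first provider release that accepts the `evaluation_mode` block on `aws_config_config_rule`; a one-line comment next to the constraint saying so would spare the next reader a search through the provider changelog. The README in this same commit now lists `terraform >= 1.6`, but `required_version` sits just outside this hunk and is not changed here; confirm it already matches.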

0 comments on commit 454b409
