
A Terraform Module for Controlling AWS Config (via CloudFormation)


aws-config-custom-rules-terraform

Deprecated

A recent release of Terraform means you can now manage your AWS Config configuration through Terraform directly, so this module is no longer maintained.
Please see the Terraform AWS provider documentation for details.

Description

This Terraform module allows you to automatically set up custom AWS Config rules.
Because Terraform had no support for AWS Config at the time of writing, the module uses CloudFormation and Lambda in the back end to create and control the AWS Config components (recorder, delivery channel and custom rules).

Requirements

  • Each custom rule's runtime (entry point) function must be named lambda_handler for Python scripts and handler for NodeJS scripts

Setup

  1. Create an S3 bucket in which to place your config snapshots.
  2. Write each rule as a .py or .js file named after the rule, then package each file into a zip file with the same name bar the file extension (use package-rule-lambda-functions.ps1 if on Windows).
  3. Place the zip files in temp/ within the repository directory (or set the zip_folder parameter to another path).
  4. Run the module as shown in the Example Usage section below.

Variables

  • region AWS region name. This does not set the provider's region; it is only used to name roles and other resources (required)
  • delivery_channel_s3_bucket_name name of the bucket in which you wish to store your config snapshots (required)
  • delivery_channel_s3_bucket_prefix key prefix to use inside the bucket (defaults to blank)
  • delivery_channel_delivery_frequency how often periodic config rules are evaluated (defaults to TwentyFour_Hours)
  • num_custom_rules number of custom rules; used to enumerate the semicolon-separated lists below (required)
  • custom_rules semicolon-separated list of custom rule zip file names (required)
  • custom_rule_languages semicolon-separated list of custom rule languages; this determines the runtime function name expected (required)
  • custom_rule_input_parameters semicolon-separated list of each rule's input parameters as JSON (use {} for no parameters) (required)
  • custom_rule_message_types semicolon-separated list of the trigger type for each custom rule. Valid values: ConfigurationSnapshotDeliveryCompleted (periodic) and ConfigurationItemChangeNotification (on resource change) (required)
  • custom_rule_scope semicolon-separated list of rule scopes as JSON (see AWS Config ConfigRule Scope) (required)
  • zip_folder relative or absolute path to the zips of the custom rules' Lambda functions (defaults to temp/)

Example Usage

variable "region" {
  type = "string"
  default = "eu-west-1"
}

provider "aws" {
  region = "${var.region}"
}

module "aws_config_rules" {
  source = "github.com/Sam-Martin/terraform-aws-config-module/module"
  region = "${var.region}"
  num_custom_rules = 4
  custom_rule_languages = "nodejs;nodejs;nodejs;python2.7"
  delivery_channel_s3_bucket_name = "awsconfigtestbucket"
  delivery_channel_s3_bucket_prefix = "logs"

  custom_rules = <<EOF
cloudtrail_enabled_all_regions-periodic;
iam_mfa_require_root-periodic;
iam_password_minimum_length-periodic;
ec2-exposed-instance
EOF

  custom_rule_input_parameters = <<EOF
{};
{};
{
  "MinimumPasswordLength": "8"
};
{
  "RDP": "3389",
  "SSH": "22"
}
EOF

  custom_rule_message_types = <<EOF
ConfigurationSnapshotDeliveryCompleted;
ConfigurationSnapshotDeliveryCompleted;
ConfigurationSnapshotDeliveryCompleted;
ConfigurationItemChangeNotification
EOF

  custom_rule_scope = <<EOF
{};
{};
{};
{
  "ComplianceResourceTypes": [
    "AWS::EC2::Instance"
  ]
}
EOF
}
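As an added example (not part of this module), a Python rule matching the third entry in the example above, iam_password_minimum_length-periodic: it uses the lambda_handler entry point the module requires, reads the MinimumPasswordLength input parameter, and reports one account-level evaluation back to AWS Config. The sample event, account id and result token are constructed placeholders; boto3 is imported only inside lambda_handler so the evaluation logic can be exercised offline.

```python
"""Custom AWS Config rule iam_password_minimum_length-periodic (Python, lambda_handler)."""
import json
# Constructed sample of the event AWS Config passes to a periodic custom rule
# (ConfigurationSnapshotDeliveryCompleted); account id and token are placeholders.
SAMPLE_EVENT = {
    "accountId": "123456789012",
    "resultToken": "placeholder-result-token",
    "invokingEvent": json.dumps({"messageType": "ConfigurationSnapshotDeliveryCompleted",
                                 "notificationCreationTime": "2016-01-01T00:00:00.000Z"}),
    "ruleParameters": json.dumps({"MinimumPasswordLength": "8"}),
}

def evaluate_password_policy(policy, rule_parameters):
    """policy: the PasswordPolicy dict from iam.get_account_password_policy(), or
    None when the account has no policy. Returns (compliance_type, annotation)."""
    required = int(rule_parameters.get("MinimumPasswordLength", "8"))
    if policy is None:
        return "NON_COMPLIANT", "No account password policy is configured"
    actual = int(policy.get("MinimumPasswordLength", 0))
    if actual >= required:
        return "COMPLIANT", "Minimum length %d meets required %d" % (actual, required)
    return "NON_COMPLIANT", "Minimum length %d is below required %d" % (actual, required)

def build_evaluation(event, policy):
    """Build the single account-level evaluation that PutEvaluations expects."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate_password_policy(policy, rule_parameters)
    return {
        "ComplianceResourceType": "AWS::::Account",
        "ComplianceResourceId": event["accountId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": invoking_event["notificationCreationTime"],
    }

def lambda_handler(event, context):
    """Runtime function name the module requires for Python rules."""
    import boto3  # imported here so the evaluation logic above runs offline
    from botocore.exceptions import ClientError
    try:
        policy = boto3.client("iam").get_account_password_policy()["PasswordPolicy"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchEntity":
            raise
        policy = None  # no policy at all: reported as NON_COMPLIANT above
    evaluation = build_evaluation(event, policy)
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation
```

Package this file as iam_password_minimum_length-periodic.py into iam_password_minimum_length-periodic.zip in zip_folder; the Lambda role then needs iam:GetAccountPasswordPolicy and config:PutEvaluations.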