tessl/npm-pulumi--aws

A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources with infrastructure-as-code.

docs/services/config.md

Config - Configuration Management

AWS Config records AWS resource configurations and evaluates compliance.

Common Tasks

import { cfg } from "@pulumi/aws";

// configRole (an IAM role trusted by config.amazonaws.com), configBucket (an S3 bucket)
// and configTopic (an SNS topic) are assumed to be defined earlier in the program.

// Create a configuration recorder
const recorder = new cfg.Recorder("config-recorder", {
    roleArn: configRole.arn,
    recordingGroup: {
        allSupported: true,
        includeGlobalResourceTypes: true,
    },
});

// Create a delivery channel to S3. AWS requires a recorder to exist before a
// delivery channel can be created, so the dependency is made explicit.
const deliveryChannel = new cfg.DeliveryChannel("config-delivery", {
    s3BucketName: configBucket.id,
    snsTopicArn: configTopic.arn,
}, { dependsOn: [recorder] });

// Create a managed rule for checking encryption
const s3EncryptionRule = new cfg.Rule("s3-encryption", {
    source: {
        owner: "AWS",
        sourceIdentifier: "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
    },
});

Core Resources

Recorder

Configuration recorders capture resource configuration changes.

class Recorder extends pulumi.CustomResource {
    constructor(name: string, args: RecorderArgs, opts?: pulumi.CustomResourceOptions);

    readonly id: pulumi.Output<string>;
    readonly name: pulumi.Output<string>;
}

interface RecorderArgs {
    roleArn: pulumi.Input<string>;
    name?: pulumi.Input<string>;
    recordingGroup?: pulumi.Input<RecordingGroup>;
}

interface RecordingGroup {
    allSupported?: pulumi.Input<boolean>;
    includeGlobalResourceTypes?: pulumi.Input<boolean>;
    resourceTypes?: pulumi.Input<pulumi.Input<string>[]>;
}

Example - Record all supported resources

import * as aws from "@pulumi/aws";
import { cfg } from "@pulumi/aws";

// Service role that AWS Config assumes to read resource configurations
const configRole = new aws.iam.Role("config-role", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: "sts:AssumeRole",
            Principal: {
                Service: "config.amazonaws.com",
            },
            Effect: "Allow",
        }],
    }),
});

// AWS_ConfigRole is the current AWS managed policy for the Config service role
// (the older ConfigRole managed policy is deprecated).
new aws.iam.RolePolicyAttachment("config-policy", {
    role: configRole.name,
    policyArn: "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole",
});

const recorder = new cfg.Recorder("main", {
    roleArn: configRole.arn,
    recordingGroup: {
        allSupported: true,
        includeGlobalResourceTypes: true,
    },
});

// Enabling the recorder fails unless a cfg.DeliveryChannel already exists in the
// region; create one and list it in dependsOn before turning recording on.
new cfg.RecorderStatus("main", {
    isEnabled: true,
    name: recorder.name,
});

DeliveryChannel

Delivery channels specify where Config sends configuration snapshots and history.

class DeliveryChannel extends pulumi.CustomResource {
    constructor(name: string, args: DeliveryChannelArgs, opts?: pulumi.CustomResourceOptions);
}

interface DeliveryChannelArgs {
    s3BucketName: pulumi.Input<string>;
    name?: pulumi.Input<string>;
    s3KeyPrefix?: pulumi.Input<string>;
    snsTopicArn?: pulumi.Input<string>;
    snapshotDeliveryProperties?: pulumi.Input<SnapshotDeliveryProperties>;
}

Rule

Config rules evaluate resource compliance against desired configurations.

class Rule extends pulumi.CustomResource {
    constructor(name: string, args: RuleArgs, opts?: pulumi.CustomResourceOptions);

    readonly arn: pulumi.Output<string>;
}

interface RuleArgs {
    source: pulumi.Input<RuleSource>;
    name?: pulumi.Input<string>;
    description?: pulumi.Input<string>;
    inputParameters?: pulumi.Input<string>;
    maximumExecutionFrequency?: pulumi.Input<string>;
    scope?: pulumi.Input<RuleScope>;
}

Example - Create managed and custom rules

import * as aws from "@pulumi/aws";
import { cfg } from "@pulumi/aws";

// Config rules can only be created once a configuration recorder exists in the region.

// Managed rule from AWS
const encryptionRule = new cfg.Rule("require-encryption", {
    description: "Ensure S3 buckets have encryption enabled",
    source: {
        owner: "AWS",
        sourceIdentifier: "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
    },
});

// customRuleLambda is an aws.lambda.Function defined elsewhere that returns compliance
// evaluations. Config verifies it can invoke the function when the rule is created, so
// the invoke permission is granted first and the rule depends on it.
const invokePermission = new aws.lambda.Permission("config-invoke", {
    action: "lambda:InvokeFunction",
    function: customRuleLambda.name,
    principal: "config.amazonaws.com",
});

// Custom Lambda-based rule, triggered on every configuration change of the scoped types
const customRule = new cfg.Rule("custom-tagging", {
    description: "Ensure resources have required tags",
    source: {
        owner: "CUSTOM_LAMBDA",
        sourceIdentifier: customRuleLambda.arn,
        sourceDetails: [{
            eventSource: "aws.config",
            messageType: "ConfigurationItemChangeNotification",
        }],
    },
    scope: {
        complianceResourceTypes: ["AWS::EC2::Instance", "AWS::S3::Bucket"],
    },
}, { dependsOn: [invokePermission] });
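The page does not show the function behind the CUSTOM_LAMBDA rule, so the following is an added example (not part of the @pulumi/aws documentation) of a handler that evaluates the `configurationItem` delivered with a ConfigurationItemChangeNotification for required tags and reports COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE. It assumes the rule's `inputParameters` carry a `requiredTags` key (a convention chosen here), and the PutEvaluations call is injected so the logic runs without the AWS SDK.

```typescript
// Shapes of the event AWS Config delivers to a CUSTOM_LAMBDA rule (only the fields used here).
interface ConfigurationItem {
    resourceType: string;
    resourceId: string;
    configurationItemCaptureTime: string;
    configurationItemStatus: string;  // "OK", "ResourceDiscovered", "ResourceDeleted", ...
    tags?: Record<string, string>;
}
interface ConfigRuleEvent {
    invokingEvent: string;    // JSON string: { configurationItem, messageType }
    ruleParameters?: string;  // JSON string taken from Rule.inputParameters
    resultToken: string;
    eventLeftScope: boolean;  // true when the resource no longer matches the rule scope
}
export interface Evaluation {
    ComplianceResourceType: string;
    ComplianceResourceId: string;
    ComplianceType: "COMPLIANT" | "NON_COMPLIANT" | "NOT_APPLICABLE";
    Annotation?: string;
    OrderingTimestamp: string;
}
// Assumed inputParameters convention for this example: {"requiredTags":"Owner,Environment"}.
export function parseRequiredTags(ruleParameters?: string): string[] {
    if (!ruleParameters) return [];
    const { requiredTags = "" } = JSON.parse(ruleParameters) as { requiredTags?: string };
    return requiredTags.split(",").map((t) => t.trim()).filter((t) => t.length > 0);
}
// Pure compliance decision, separated from the SDK call so it can be unit-tested.
export function evaluateTags(item: ConfigurationItem, required: string[], leftScope = false): Evaluation {
    const base = {
        ComplianceResourceType: item.resourceType,
        ComplianceResourceId: item.resourceId,
        OrderingTimestamp: item.configurationItemCaptureTime,
    };
    // Deleted or out-of-scope resources must not stay NON_COMPLIANT; NOT_APPLICABLE clears the old result.
    if (leftScope || item.configurationItemStatus === "ResourceDeleted") return { ...base, ComplianceType: "NOT_APPLICABLE" };
    // A tag counts as missing when absent or set to an empty/whitespace value.
    const missing = required.filter((t) => !item.tags?.[t]?.trim());
    if (missing.length === 0) return { ...base, ComplianceType: "COMPLIANT" };
    // PutEvaluations rejects annotations longer than 256 characters.
    return { ...base, ComplianceType: "NON_COMPLIANT", Annotation: `Missing required tags: ${missing.join(", ")}`.slice(0, 256) };
}
// Lambda entry point factory. putEvaluations wraps the ConfigService PutEvaluations API; it is injected here
// so the handler runs (and is testable) without the AWS SDK installed.
export function makeHandler(putEvaluations: (evals: Evaluation[], token: string) => Promise<void>) {
    return async (event: ConfigRuleEvent): Promise<Evaluation> => {
        const { configurationItem } = JSON.parse(event.invokingEvent) as { configurationItem: ConfigurationItem };
        const result = evaluateTags(configurationItem, parseRequiredTags(event.ruleParameters), event.eventLeftScope);
        await putEvaluations([result], event.resultToken);
        return result;
    };
}
```

In the deployed function, `export const handler = makeHandler(...)` with a wrapper around the SDK's PutEvaluations, and a matching `inputParameters: JSON.stringify({ requiredTags: "Owner,Environment" })` on the `cfg.Rule`.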

ConformancePack

Conformance packs bundle Config rules and remediation actions.

class ConformancePack extends pulumi.CustomResource {
    constructor(name: string, args: ConformancePackArgs, opts?: pulumi.CustomResourceOptions);

    readonly arn: pulumi.Output<string>;
}

interface ConformancePackArgs {
    name: pulumi.Input<string>;
    templateBody?: pulumi.Input<string>;
    templateS3Uri?: pulumi.Input<string>;
    deliveryS3Bucket?: pulumi.Input<string>;
    inputParameters?: pulumi.Input<pulumi.Input<ConformancePackInputParameter>[]>;
}

Additional Resources

The Config module provides 13 resources in total, including:

  • RemediationConfiguration - Automatic remediation for non-compliant resources
  • AggregateAuthorization - Multi-account/region aggregation
  • ConfigurationAggregator - Aggregate configuration data
  • OrganizationManagedRule - Organization-wide managed rules
  • OrganizationConformancePack - Organization-wide conformance packs
  • RetentionConfiguration - Configure retention for configuration items

See All Services for the complete Config API.

Install with Tessl CLI

npx tessl i tessl/npm-pulumi--aws@7.16.0