AWS Config Organizational Custom Rules using Guard Custom policy
Name of the resource
AWS::Config::OrganizationConfigRule
Resource name
No response
Description
We can create an organizational config rule (organization-custom-policy-rule-metadata) using the CLI:

```shell
aws configservice put-organization-config-rule \
  --organization-config-rule-name test-1 \
  --organization-custom-policy-rule-metadata PolicyRuntime="guard-2.x.x",PolicyText="let var=5",OrganizationConfigRuleTriggerTypes=ConfigurationItemChangeNotification
```
It's also possible with some SDKs like boto3:

```python
import boto3

client = boto3.client("config")

response = client.put_organization_config_rule(
    OrganizationConfigRuleName='test-rule-2',
    OrganizationCustomPolicyRuleMetadata={
        'OrganizationConfigRuleTriggerTypes': ['ConfigurationItemChangeNotification'],
        'PolicyRuntime': 'guard-2.x.x',
        'PolicyText': 'let test = 123'
    }
)
```
Unfortunately it's not supported by CloudFormation.
Other Details
No response
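The CLI and boto3 calls in the issue use placeholder policy text. As an added example (not code from the issue or from AWS), the following boto3 helper keeps the Guard policy in a file that can still be checked with the Guard test framework before deployment, validates the request (name length, non-empty policy, change-triggered trigger types only), and only then calls put_organization_config_rule. The rule name, the sample Guard rule, the helper names and the allowed-trigger set are assumptions for illustration.

```python
"""Create an AWS Config organization custom policy (Guard) rule with boto3.

Added example, not from the issue: the rule name, the sample Guard policy and
the helper names below are constructed for illustration.
"""
from typing import Dict, Iterable

# Assumption: change-triggered values are the ones accepted for policy rules;
# periodic (ScheduledNotification) triggers are rejected by this helper.
ALLOWED_TRIGGERS = {
    "ConfigurationItemChangeNotification",
    "OversizedConfigurationItemChangeNotification",
}
GUARD_RUNTIME = "guard-2.x.x"  # runtime string used in the issue's CLI/boto3 calls

# Constructed sample Guard policy: EC2 instances must use an allowed size.
SAMPLE_GUARD_POLICY = """\
rule ec2_instance_type_allowed when resourceType == "AWS::EC2::Instance" {
    configuration.instanceType IN ["t3.micro", "t3.small"]
}
"""


def load_policy_text(path: str) -> str:
    """Read a .guard file so the same file can be unit-tested with `cfn-guard test`."""
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def build_put_request(
    rule_name: str,
    policy_text: str,
    trigger_types: Iterable[str] = ("ConfigurationItemChangeNotification",),
    excluded_accounts: Iterable[str] = (),
) -> Dict:
    """Return validated keyword arguments for put_organization_config_rule."""
    if not rule_name or len(rule_name) > 64:
        raise ValueError("rule name must be 1-64 characters")
    if not policy_text.strip():
        raise ValueError("Guard policy text is empty; an empty policy checks nothing")
    triggers = list(trigger_types)
    bad = [t for t in triggers if t not in ALLOWED_TRIGGERS]
    if bad:
        raise ValueError(f"unsupported trigger type(s): {bad}")
    request = {
        "OrganizationConfigRuleName": rule_name,
        "OrganizationCustomPolicyRuleMetadata": {
            "OrganizationConfigRuleTriggerTypes": triggers,
            "PolicyRuntime": GUARD_RUNTIME,
            "PolicyText": policy_text,
        },
    }
    excluded = list(excluded_accounts)
    if excluded:
        # Optional account exclusion list supported by the API.
        request["ExcludedAccounts"] = excluded
    return request


def deploy(request: Dict, region_name: str = "us-east-1") -> Dict:
    """Send the request to AWS Config (needs credentials in the management or delegated admin account)."""
    import boto3  # imported here so building/validating a request needs no SDK or credentials

    client = boto3.client("config", region_name=region_name)
    return client.put_organization_config_rule(**request)


if __name__ == "__main__":
    req = build_put_request("ec2-instance-type-allowed", SAMPLE_GUARD_POLICY)
    print(req["OrganizationCustomPolicyRuleMetadata"]["PolicyRuntime"])
    # deploy(req)  # uncomment to actually create the rule in your organization
```

In practice, replace SAMPLE_GUARD_POLICY with load_policy_text("rules/my_rule.guard") after the file has passed `cfn-guard test`, so the deployed policy is exactly the one that was tested.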
The AWS Service team which owns the AWS::Config::OrganizationConfigRule resource is working on the fix for this issue.
It would be great if this resource would also accept an S3 URL as an alternative to inlining it in the template. CloudFormation Guard has a built-in testing framework, and it is inconvenient to have to take the Guard files and pass them into the template somehow.
It's kind of almost there? When trying to define it via an OrganizationCustomCodeRuleMetadata block as per the spec, it throws InvalidParameterException with

```
Specify either OrganizationCustomRuleMetadata, OrganizationManagedRuleMetadata, or OrganizationCustomPolicyRuleMetadata in the input. (Service: AmazonConfig; Status Code: 400; Error Code: InvalidParameterValueException
```

So you try OrganizationCustomPolicyRuleMetadata as instructed and it circles back to

```
Property validation failure: [Encountered unsupported properties in {/}: [OrganizationCustomPolicyRuleMetadata]]
```
ap-southeast-2
@jtobin321 any update? Seems a while ago and I don't see the possibility to create a custom config rule backed by guard in the CF docs.