AWS DevOps Blog
Deploying custom AWS Config rules developed for Terraform using AWS Config RDK
To help customers who use Terraform for multi-cloud infrastructure deployment, we have added a feature to the AWS Config Rule Development Kit (RDK) that exports custom AWS Config rules as Terraform files, so that rules developed with the RDK can be deployed with Terraform.
This blog post complements the previous post, How to develop custom AWS Config rules using the Rule Development Kit, which shows how to prototype, develop, and deploy custom AWS Config rules. The prototyping and development steps are identical; only the deployment step differs, and that is what I walk through here in detail.
In this post, you will learn how to export a custom AWS Config rule to Terraform files and deploy it to AWS using Terraform.
Background
Until now, the RDK deployed rules only through its own deploy command, which uses AWS CloudFormation. That left customers who standardize on Terraform ("infrastructure as code") for provisioning AWS infrastructure without a native path, so we have added Terraform as a second deployment option.
Getting Started
The first step is to make sure you have installed the latest RDK version. After you have defined an AWS Config rule and prototyped it with the RDK as described in the previous blog post, follow the steps below to deploy the AWS Config components across the compliance and satellite accounts.
Prerequisites
Validate that the installed RDK supports "export" by running "rdk export -h"; you should see the output below. If the installed RDK does not recognize the export command, upgrade it with "pip install --upgrade rdk" (a plain "pip install rdk" leaves an already installed version untouched).
(venv) 8c85902e4110:7RDK test$ rdk export -h
usage: rdk export [-h] [-s RULESETS] [--all] [--lambda-layers LAMBDA_LAYERS]
[--lambda-subnets LAMBDA_SUBNETS]
[--lambda-security-groups LAMBDA_SECURITY_GROUPS]
[--lambda-role-arn LAMBDA_ROLE_ARN]
[--rdklib-layer-arn RDKLIB_LAYER_ARN] -v {0.11,0.12} -f
{terraform}
[<rulename> [<rulename> ...]]
Used to export the Config Rule to terraform file.
positional arguments:
<rulename> Rule name(s) to export to a file.
optional arguments:
-h, --help show this help message and exit
-s RULESETS, --rulesets RULESETS
comma-delimited list of RuleSet names
--all, -a All rules in the working directory will be deployed.
--lambda-layers LAMBDA_LAYERS
[optional] Comma-separated list of Lambda Layer ARNs
to deploy with your Lambda function(s).
--lambda-subnets LAMBDA_SUBNETS
[optional] Comma-separated list of Subnets to deploy
your Lambda function(s).
--lambda-security-groups LAMBDA_SECURITY_GROUPS
[optional] Comma-separated list of Security Groups to
deploy with your Lambda function(s).
--lambda-role-arn LAMBDA_ROLE_ARN
[optional] Assign existing iam role to lambda
functions. If omitted, new lambda role will be
created.
--rdklib-layer-arn RDKLIB_LAYER_ARN
[optional] Lambda Layer ARN that contains the desired
rdklib. Note that Lambda Layers are region-specific.
-v {0.11,0.12}, --version {0.11,0.12}
Terraform version
-f {terraform}, --format {terraform}
Export Format
Create your rule
Create the rule with the command below, which scaffolds a rule named MY_FIRST_RULE that is triggered by configuration changes to AWS::EC2::SecurityGroup resources.
7RDK test$ rdk create MY_FIRST_RULE --runtime python3.6 --resource-types AWS::EC2::SecurityGroup
Running create!
Local Rule files created.
This creates the three files listed below. Edit "MY_FIRST_RULE.py" to implement your compliance logic, as described in the "Edit" section of the previous blog post.
7RDK test$ cd MY_FIRST_RULE/
(venv) 8c85902e4110:MY_FIRST_RULE test$ ls
MY_FIRST_RULE.py MY_FIRST_RULE_test.py parameters.json
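The generated MY_FIRST_RULE.py contains a stub evaluate_compliance function that you fill in. As an added example (not code from the original post or from the RDK project), here is compliance logic for the AWS::EC2::SecurityGroup resource type that marks a security group NON_COMPLIANT when an inbound rule exposes an administrative port (SSH or RDP by default) to the whole internet. The function signature follows the RDK template (event, configuration_item, valid_rule_parameters); the adminPorts rule parameter, the sample configuration items, and the field layout assumed for the configuration item (ipRanges, ipv4Ranges, ipv6Ranges) are assumptions made for this example. It uses no boto3 or rdklib calls, so it runs offline and can be exercised from the generated MY_FIRST_RULE_test.py.

```python
"""Compliance logic for a custom AWS Config rule on AWS::EC2::SecurityGroup.

Added example, not the RDK's own code. Pure logic: no boto3, no rdklib.
"""

# Ports treated as administrative by default. The optional rule parameter
# `adminPorts` (assumed name, comma-separated) overrides this set.
DEFAULT_ADMIN_PORTS = {22, 3389}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _ports_covered(permission):
    """Return the (low, high) port range an ipPermission entry covers.

    Protocol -1 means all traffic, which covers every port.
    """
    if str(permission.get("ipProtocol", "-1")) == "-1":
        return 0, 65535
    from_port = permission.get("fromPort")
    if from_port is None:
        return 0, 65535
    return int(from_port), int(permission.get("toPort", from_port))


def _world_open_cidrs(permission):
    """Collect the CIDRs in an ipPermission entry that mean 'anywhere'.

    Assumption: the configuration item records IPv4 ranges both as plain
    strings (ipRanges) and as objects (ipv4Ranges with cidrIp), and IPv6
    ranges as objects (ipv6Ranges with cidrIpv6). Both shapes are handled.
    """
    cidrs = []
    for r in permission.get("ipRanges", []):
        cidrs.append(r if isinstance(r, str) else r.get("cidrIp"))
    for r in permission.get("ipv4Ranges", []):
        cidrs.append(r.get("cidrIp"))
    for r in permission.get("ipv6Ranges", []):
        cidrs.append(r.get("cidrIpv6"))
    return sorted({c for c in cidrs if c in WORLD_CIDRS})


def find_world_open_admin_ports(configuration, admin_ports=DEFAULT_ADMIN_PORTS):
    """Return [(port, [cidr, ...]), ...] for admin ports reachable from anywhere."""
    findings = []
    for perm in configuration.get("ipPermissions", []):
        open_cidrs = _world_open_cidrs(perm)
        if not open_cidrs:
            continue
        low, high = _ports_covered(perm)
        for port in sorted(admin_ports):
            if low <= port <= high:
                findings.append((port, open_cidrs))
    return findings


def parse_admin_ports(valid_rule_parameters):
    """Read the assumed `adminPorts` parameter, falling back to the default set."""
    raw = (valid_rule_parameters or {}).get("adminPorts")
    if not raw:
        return set(DEFAULT_ADMIN_PORTS)
    return {int(p) for p in str(raw).split(",") if p.strip()}


def evaluate_compliance(event, configuration_item, valid_rule_parameters):
    """RDK-style evaluator: returns COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE."""
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    # A deleted resource has no configuration left to judge.
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"
    findings = find_world_open_admin_ports(
        configuration_item.get("configuration", {}),
        parse_admin_ports(valid_rule_parameters),
    )
    return "NON_COMPLIANT" if findings else "COMPLIANT"


# Constructed sample configuration items (not real AWS data).
SAMPLE_OPEN_SG = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "configurationItemStatus": "OK",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
    ]},
}
SAMPLE_RESTRICTED_SG = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "configurationItemStatus": "OK",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]},
    ]},
}

if __name__ == "__main__":
    print(evaluate_compliance({}, SAMPLE_OPEN_SG, {}))        # NON_COMPLIANT
    print(evaluate_compliance({}, SAMPLE_RESTRICTED_SG, {}))  # COMPLIANT
```

HTTPS open to the world is deliberately not flagged: the rule is scoped to administrative ports, and widening it is a one-line change to DEFAULT_ADMIN_PORTS or the rule parameter rather than a rewrite. Treating protocol -1 as covering every port matters in practice, since an "all traffic" rule is the most common way an administrative port ends up world-reachable without the port number appearing anywhere in the rule.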
Export your rule to Terraform
Use the command below to export your rule to Terraform files. Both Terraform 0.11 and 0.12 are supported; choose one with the "-v" argument so the generated syntax matches the Terraform binary you deploy with.
test$ cd ..
7RDK test$ rdk export MY_FIRST_RULE -f terraform -v 0.12
Running export
Found Custom Rule.
Zipping MY_FIRST_RULE
Zipping complete.
terraform version: 0.12
Export completed. This will generate three .tf files.
7RDK test$
This creates the following four files:
- << rule-name >>_rule.tf: the Terraform script. It uploads the zipped rule code to your Amazon S3 bucket, deploys the Lambda function, and creates the AWS Config rule together with the IAM role and policies the function needs.
- << rule-name >>_variables.tf: Terraform variable definitions.
- << rule-name >>.tfvars.json: Terraform variable values.
- << rule-name >>.zip: the packaged rule code.
7RDK test$ cd MY_FIRST_RULE/
(venv) 8c85902e4110:MY_FIRST_RULE test$ ls -1
MY_FIRST_RULE.py
MY_FIRST_RULE.zip
MY_FIRST_RULE_test.py
my_first_rule.tfvars.json
my_first_rule_rule.tf
my_first_rule_variables.tf
parameters.json
Deploy your rule using Terraform
From the rule directory, where the exported .tf files live, initialize Terraform with "terraform init" to download the AWS provider plug-in.
MY_FIRST_RULE test$ terraform init
Initializing the backend...
Initializing provider plugins...
- Checking for available provider plugins...
- Downloading plugin for provider "aws" (hashicorp/aws) 2.70.0...
The following providers do not have any version constraints in configuration,
so the latest version was installed.
To prevent automatic upgrades to new major versions that may contain breaking
changes, it is recommended to add version = "..." constraints to the
corresponding provider blocks in configuration, with the constraint strings
suggested below.
* provider.aws: version = "~> 2.70"
Terraform has been successfully initialized!
The credentials Terraform runs with need permission to create the IAM role and policy, the Lambda function, the S3 object and the AWS Config rule shown in the apply output below. If you passed --lambda-role-arn at export time, the exported script uses that existing role for the function instead of creating one; the ARN is carried in my_first_rule.tfvars.json.
Applying the configuration requires two inputs:
- var-file: the Terraform variable file that rdk export generated (my_first_rule.tfvars.json).
- source_bucket: the name of an Amazon S3 bucket you already own, into which the zipped Lambda code is uploaded. Terraform manages only the object, not the bucket.
Make sure the AWS provider is configured for your Terraform environment (region and credentials) as described in the provider docs. Running "terraform plan" with the same arguments first lets you review exactly which resources will be created before anything changes in the account.
MY_FIRST_RULE test$ terraform apply -var-file=my_first_rule.tfvars.json --var source_bucket=config-bucket-xxxxx
aws_iam_policy.awsconfig_policy[0]: Creating...
aws_iam_role.awsconfig[0]: Creating...
aws_s3_bucket_object.rule_code: Creating...
aws_iam_role.awsconfig[0]: Creation complete after 3s [id=my_first_rule-awsconfig-role]
aws_iam_role_policy_attachment.readonly-role-policy-attach[0]: Creating...
aws_iam_policy.awsconfig_policy[0]: Creation complete after 4s [id=arn:aws:iam::xxxxxxxxxxxx:policy/my_first_rule-awsconfig-policy]
aws_iam_role_policy_attachment.awsconfig_policy_attach[0]: Creating...
aws_s3_bucket_object.rule_code: Creation complete after 5s [id=MY_FIRST_RULE.zip]
aws_lambda_function.rdk_rule: Creating...
aws_iam_role_policy_attachment.readonly-role-policy-attach[0]: Creation complete after 2s [id=my_first_rule-awsconfig-role-20200726023315892200000001]
aws_iam_role_policy_attachment.awsconfig_policy_attach[0]: Creation complete after 3s [id=my_first_rule-awsconfig-role-20200726023317242000000002]
aws_lambda_function.rdk_rule: Still creating... [10s elapsed]
aws_lambda_function.rdk_rule: Creation complete after 18s [id=RDK-Rule-Function-MY_FIRST_RULE]
aws_lambda_permission.lambda_invoke: Creating...
aws_config_config_rule.event_triggered[0]: Creating...
aws_lambda_permission.lambda_invoke: Creation complete after 2s [id=AllowExecutionFromConfig]
aws_config_config_rule.event_triggered[0]: Creation complete after 4s [id=MY_FIRST_RULE]
Apply complete! Resources: 8 added, 0 changed, 0 destroyed.
Log in to the AWS Management Console, open AWS Config, and confirm that the MY_FIRST_RULE rule exists and is evaluating your security groups.
Clean up
Once your tests are complete, run the following command to remove everything Terraform created: the rule, the Lambda function, its IAM role and policy, and the uploaded zip object. The S3 bucket itself is not managed by this configuration and remains in place.
MY_FIRST_RULE test$ terraform destroy
Conclusion
With this new feature, you can export AWS Config rules developed with the RDK to Terraform and integrate the generated files into your Terraform CI/CD pipeline, provisioning the rules in AWS without running the RDK at deployment time.