AWS DevOps & Developer Productivity Blog
Deploying custom AWS Config rules developed for Terraform using AWS Config RDK
To help customers using Terraform for multi-cloud infrastructure deployment, we have introduced a new feature in the AWS Config Rule Development Kit (RDK) that allows you to export custom AWS Config rules to Terraform files so that you can deploy the RDK rules with Terraform.
This blog post is a complement to the previous post – How to develop custom AWS Config rules using the Rule Development Kit. Here I will show you how to prototype, develop, and deploy custom AWS Config rules. The steps for prototyping and developing the custom AWS Config rules remain identical, while a variation exists in the deployment step, which I’ll walk you through in detail.
In this post, you will learn how to export the custom AWS Config rule to Terraform files and deploy to AWS using Terraform.
Background
Until now, RDK has not supported Terraform for rule deployment, which affected customers who use Terraform (“Infrastructure as Code”) to provision their AWS infrastructure. We have therefore added one more way to deploy the rules: through Terraform.
Getting Started
The first step is to make sure that you have installed the latest RDK version. After you have defined an AWS Config rule and prototyped it using the AWS Config RDK as described in the previous blog post, follow the steps below to deploy the various AWS Config components across the compliance and satellite accounts.
Prerequisites
Validate that the RDK you downloaded supports “export” by running “rdk export -h”; you should see the output below. If the installed RDK doesn’t support the export feature, update it with the command “pip install rdk”.
Create your rule
Create your rule with the command below, which creates a rule named MY_FIRST_RULE.
This creates the three files below. Edit “MY_FIRST_RULE.py” to implement your business requirement, as described in the “Edit” section of this blog.
Export your rule to Terraform
Use the command below to export your rule to Terraform files. Export supports two Terraform versions (0.11 and 0.12); use the “-v” argument to specify which one.
This creates the following four files:
- << rule-name >>_rule.tf: Terraform script that uploads the rule to the Amazon S3 bucket, deploys the Lambda function, and creates the AWS Config rule and the required IAM roles and policies.
- << rule-name >>_variables.tf: Terraform variable definitions.
- << rule-name >>.tfvars.json: Terraform variable values.
- << rule-name >>.zip: Compiled rule code.
Deploy your rule using Terraform
Initialize Terraform with “terraform init” to download the AWS provider plug-in.
To deploy the Config rules, the role you use must have the required permissions, and you must provide its ARN in my_rule.tfvars.json.
Applying the Terraform configuration requires two arguments:
- var-file: the Terraform variable file created when you exported the rule with RDK.
- source_bucket: the name of your Amazon S3 bucket, to which the Config rule Lambda code is uploaded.
Make sure that the AWS provider is configured for your Terraform environment as described in the docs.
Log in to your AWS console to validate the deployed Config rule.
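The export and deploy steps above, as an added example script that is not part of this post or of the RDK project. It assumes rdk and terraform are on PATH, AWS credentials are configured for the provider, that rdk export writes its files into the rule’s own directory (RULE_NAME/), and that rdk export takes “-f terraform” alongside the “-v” version flag shown in the post; the bucket name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the AWS post or the RDK project): export an RDK rule to
# Terraform files, verify the export, then deploy with terraform. Assumptions:
# rdk/terraform on PATH, provider credentials configured, rdk export writes into
# RULE_NAME/, and rdk export accepts "-f terraform". Bucket name is a placeholder.
set -eu

# Prerequisite check: the installed RDK must have the export subcommand.
rdk_supports_export() {
  rdk export -h >/dev/null 2>&1
}

# Succeed only when the four files rdk export produces exist and are non-empty.
# Arguments: rule name, directory holding the exported files.
verify_export() {
  rule="$1"; dir="$2"
  for f in "${rule}_rule.tf" "${rule}_variables.tf" "${rule}.tfvars.json" "${rule}.zip"; do
    [ -s "$dir/$f" ] || { echo "missing or empty export file: $dir/$f" >&2; return 1; }
  done
}

# The tfvars file must carry the IAM role ARN the rule deploys with; without it
# terraform apply fails late, so check up front (the key name is whatever rdk wrote).
tfvars_has_role_arn() {
  grep -q 'arn:aws:iam::' "$1"
}

# Full flow: export, verify, then init/plan/apply with the two required arguments.
deploy_rule() {
  rule="$1"; tf_version="$2"; bucket="$3"
  rdk_supports_export || { echo "RDK lacks export; run: pip install --upgrade rdk" >&2; return 1; }
  rdk export -f terraform -v "$tf_version" "$rule"
  verify_export "$rule" "$rule"
  tfvars_has_role_arn "$rule/${rule}.tfvars.json" || { echo "set the role ARN in ${rule}.tfvars.json" >&2; return 1; }
  (
    cd "$rule"
    terraform init -input=false
    # Plan to a file first so the plan you review is exactly what gets applied.
    terraform plan -input=false -out=tfplan \
      -var-file="${rule}.tfvars.json" -var "source_bucket=${bucket}"
    terraform apply -input=false tfplan
  )
}

# Deploy only when invoked as: sh deploy_rule.sh deploy [rule] [tf-version] [bucket]
if [ "${1:-}" = "deploy" ]; then
  deploy_rule "${2:-MY_FIRST_RULE}" "${3:-0.12}" "${4:-my-config-rule-artifacts-bucket}"
fi
```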
Clean up
Once all your tests are completed, enter the following command to remove all the resources.
MY_FIRST_RULE test$ terraform destroy
Conclusion
With this new feature, you can export the AWS Config rules you developed with RDK to Terraform files and integrate them into your Terraform CI/CD pipeline, provisioning the Config rules in AWS without using the RDK.