AWS Config RDK: Deploying the Custom Rules using the Terraform

To help customers who use Terraform for multi-cloud infrastructure deployment, we have introduced a new feature in the AWS Config Rule Development Kit (RDK) that allows you to export custom AWS Config rules to Terraform files, so that you can deploy the RDK rules with Terraform.

This blog post is a complement to the previous post – How to develop custom AWS Config rules using the Rule Development Kit. Here I will show you how to prototype, develop, and deploy custom AWS Config rules. The steps for prototyping and developing the custom AWS Config rules remain identical, while a variation exists in the deployment step, which I’ll walk you through in detail.

In this post, you will learn how to export a custom AWS Config rule to Terraform files and deploy it to AWS using Terraform.

Background

Until now, RDK did not support deploying rules with Terraform, which affected customers who use Terraform (“Infrastructure as Code”) to provision their AWS infrastructure. We have therefore added one more option for deploying the rules: Terraform.

Getting Started

The first step is to make sure that you have installed the latest RDK version. After you have defined an AWS Config rule and prototyped it using the AWS Config RDK as described in the previous blog post, follow the steps below to deploy the various AWS Config components across the compliance and satellite accounts.

Prerequisites

Validate that the RDK you downloaded supports “export” by running the command “rdk export -h”; you should see the output below. If the installed RDK doesn’t support the export feature, update it by using the command “pip install rdk”.

(venv) 8c85902e4110:7RDK test$ rdk export -h
usage: rdk export [-h] [-s RULESETS] [--all] [--lambda-layers LAMBDA_LAYERS]
                  [--lambda-subnets LAMBDA_SUBNETS]
                  [--lambda-security-groups LAMBDA_SECURITY_GROUPS]
                  [--lambda-role-arn LAMBDA_ROLE_ARN]
                  [--rdklib-layer-arn RDKLIB_LAYER_ARN] -v {0.11,0.12}
                  -f {terraform} [<rulename> [<rulename> ...]]

Used to export the Config Rule to terraform file.

positional arguments:
  <rulename>            Rule name(s) to export to a file.

optional arguments:
  -h, --help            show this help message and exit
  -s RULESETS, --rulesets RULESETS
                        comma-delimited list of RuleSet names
  --all, -a             All rules in the working directory will be deployed.
  --lambda-layers LAMBDA_LAYERS
                        [optional] Comma-separated list of Lambda Layer ARNs to deploy with your Lambda function(s).
  --lambda-subnets LAMBDA_SUBNETS
                        [optional] Comma-separated list of Subnets to deploy your Lambda function(s).
  --lambda-security-groups LAMBDA_SECURITY_GROUPS
                        [optional] Comma-separated list of Security Groups to deploy with your Lambda function(s).
  --lambda-role-arn LAMBDA_ROLE_ARN
                        [optional] Assign existing iam role to lambda functions. If omitted, new lambda role will be created.
  --rdklib-layer-arn RDKLIB_LAYER_ARN
                        [optional] Lambda Layer ARN that contains the desired rdklib. Note that Lambda Layers are region-specific.
  -v {0.11,0.12}, --version {0.11,0.12}
                        Terraform version
  -f {terraform}, --format {terraform}
                        Export Format

Create your rule

Create your rule by using the command below, which creates the MY_FIRST_RULE rule.

7RDK test$ rdk create MY_FIRST_RULE --runtime python3.6 --resource-types AWS::EC2::SecurityGroup
Running create!
Local Rule files created.

This creates the three files below. Edit “MY_FIRST_RULE.py” according to your business requirement, as described in the “Edit” section of the previous blog post.

7RDK test$ cd MY_FIRST_RULE/
(venv) 8c85902e4110:MY_FIRST_RULE test$ ls
MY_FIRST_RULE.py        MY_FIRST_RULE_test.py   parameters.json

Export your rule to Terraform

Use the command below to export your rule to Terraform files. The export supports two versions of Terraform (0.11 and 0.12); use the “-v” argument to specify the version.

test$ cd ..
7RDK test$ rdk export MY_FIRST_RULE -f terraform -v 0.12
Running export
Found Custom Rule.
Zipping MY_FIRST_RULE
Zipping complete.
terraform version: 0.12
Export completed.This will generate three .tf files.
7RDK test$

This creates the four files below.

  • << rule-name >>_rule.tf: This script uploads the rule to the Amazon S3 bucket, deploys the Lambda function, and creates the AWS Config rule and the required IAM roles/policies.
  • << rule-name >>_variables.tf: Terraform variable definitions.
  • << rule-name >>.tfvars.json: Terraform variable values.
  • << rule-name >>.zip: Compiled rule code.

7RDK test$ cd MY_FIRST_RULE/
(venv) 8c85902e4110:MY_FIRST_RULE test$ ls -1
MY_FIRST_RULE.py
MY_FIRST_RULE.zip
MY_FIRST_RULE_test.py
my_first_rule.tfvars.json
my_first_rule_rule.tf
my_first_rule_variables.tf
parameters.json

Deploy your rule using Terraform

Initialize Terraform by running “terraform init”, which downloads the AWS provider plugin.

MY_FIRST_RULE test$ terraform init

Initializing the backend...

Initializing provider plugins...
- Checking for available provider plugins...
- Downloading plugin for provider "aws" (hashicorp/aws) 2.70.0...

The following providers do not have any version constraints in configuration,
so the latest version was installed.

To prevent automatic upgrades to new major versions that may contain breaking
changes, it is recommended to add version = "..." constraints to the
corresponding provider blocks in configuration, with the constraint strings
suggested below.

* provider.aws: version = "~> 2.70"

Terraform has been successfully initialized!

To deploy the Config rules, the role must have the required permissions, and its role ARN must be specified in my_rule.tfvars.json.

Applying the Terraform configuration requires two arguments:

  • var-file: the Terraform variable file created while exporting the rule with RDK.
  • source_bucket: the name of your Amazon S3 bucket, to which the Config rule Lambda code is uploaded.

Make sure that the AWS provider is configured for your Terraform environment as described in the docs.

MY_FIRST_RULE test$ terraform apply -var-file=my_first_rule.tfvars.json --var source_bucket=config-bucket-xxxxx
aws_iam_policy.awsconfig_policy[0]: Creating...
aws_iam_role.awsconfig[0]: Creating...
aws_s3_bucket_object.rule_code: Creating...
aws_iam_role.awsconfig[0]: Creation complete after 3s [id=my_first_rule-awsconfig-role]
aws_iam_role_policy_attachment.readonly-role-policy-attach[0]: Creating...
aws_iam_policy.awsconfig_policy[0]: Creation complete after 4s [id=arn:aws:iam::xxxxxxxxxxxx:policy/my_first_rule-awsconfig-policy]
aws_iam_role_policy_attachment.awsconfig_policy_attach[0]: Creating...
aws_s3_bucket_object.rule_code: Creation complete after 5s [id=MY_FIRST_RULE.zip]
aws_lambda_function.rdk_rule: Creating...
aws_iam_role_policy_attachment.readonly-role-policy-attach[0]: Creation complete after 2s [id=my_first_rule-awsconfig-role-20200726023315892200000001]
aws_iam_role_policy_attachment.awsconfig_policy_attach[0]: Creation complete after 3s [id=my_first_rule-awsconfig-role-20200726023317242000000002]
aws_lambda_function.rdk_rule: Still creating... [10s elapsed]
aws_lambda_function.rdk_rule: Creation complete after 18s [id=RDK-Rule-Function-MY_FIRST_RULE]
aws_lambda_permission.lambda_invoke: Creating...
aws_config_config_rule.event_triggered[0]: Creating...
aws_lambda_permission.lambda_invoke: Creation complete after 2s [id=AllowExecutionFromConfig]
aws_config_config_rule.event_triggered[0]: Creation complete after 4s [id=MY_FIRST_RULE]

Apply complete! Resources: 8 added, 0 changed, 0 destroyed.

Log in to the AWS console to validate the deployed Config rule.
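As an added example (not code from this post or from the RDK project), here is a small Python pre-flight wrapper for the export-and-deploy steps above. It assumes the file naming shown in the ls output (lower-cased rule name for the .tf and .tfvars.json files, original case for the .zip), uses the S3 bucket naming rules to reject a bad source_bucket before Terraform runs, and treats the bucket name as a constructed placeholder.

```python
"""Pre-flight checks before deploying an RDK-exported rule with Terraform.

Added example, not part of RDK. Assumption: rdk export writes <rule>_rule.tf,
<rule>_variables.tf and <rule>.tfvars.json with the rule name lower-cased,
plus <RULE>.zip keeping the original case, as the post's ls output shows.
"""
import os
import re
import subprocess
from typing import List

# S3 bucket names: 3-63 chars of lowercase letters, digits, dots, hyphens,
# starting and ending with a letter or digit, and not shaped like an IP.
_BUCKET_RE = re.compile(r"^(?!\d+\.\d+\.\d+\.\d+$)[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def rdk_supports_export(help_text: str) -> bool:
    """True when the `rdk export -h` output advertises the Terraform exporter."""
    return "-f {terraform}" in help_text and "-v {0.11,0.12}" in help_text


def expected_export_files(rule_name: str) -> List[str]:
    """Files rdk export produces for a rule, following the post's naming."""
    lower = rule_name.lower()
    return [f"{lower}_rule.tf", f"{lower}_variables.tf",
            f"{lower}.tfvars.json", f"{rule_name}.zip"]


def missing_export_files(rule_dir: str, rule_name: str) -> List[str]:
    """Expected export files that are absent from rule_dir."""
    return [f for f in expected_export_files(rule_name)
            if not os.path.isfile(os.path.join(rule_dir, f))]


def terraform_apply_argv(rule_name: str, source_bucket: str) -> List[str]:
    """Build the apply command used in the post, validating the bucket name."""
    if not _BUCKET_RE.match(source_bucket):
        raise ValueError(f"invalid S3 bucket name: {source_bucket!r}")
    return ["terraform", "apply",
            f"-var-file={rule_name.lower()}.tfvars.json",
            "-var", f"source_bucket={source_bucket}"]


def deploy(rule_dir: str, rule_name: str, source_bucket: str) -> None:
    """Run terraform init and apply in rule_dir, refusing if exports are missing."""
    missing = missing_export_files(rule_dir, rule_name)
    if missing:
        raise FileNotFoundError(
            f"run `rdk export {rule_name} -f terraform -v 0.12` first; missing {missing}")
    subprocess.run(["terraform", "init"], cwd=rule_dir, check=True)
    subprocess.run(terraform_apply_argv(rule_name, source_bucket), cwd=rule_dir, check=True)
```

Running deploy("MY_FIRST_RULE", "MY_FIRST_RULE", "config-bucket-xxxxx") from the 7RDK directory reproduces the init and apply steps shown above, with the bucket name replaced by your own.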

Clean up

Once all your tests are complete, run the following command to remove all the resources.

MY_FIRST_RULE test$ terraform destroy

Conclusion

With this new feature, you can export AWS Config rules developed with RDK to Terraform files and integrate them into your Terraform CI/CD pipeline to provision the Config rules in AWS without using the RDK.