0

I am trying to apply aws conformance pack to my aws account using terraform. I am using the sample aws config rules in cloudformation syntax provided in the awslabs repository.

Now from an example conformance pack provided on AWS documentation we have this:

resource "aws_config_conformance_pack" "s3conformancepack" { name = "s3conformancepack" template_body = <<EOT Resources: S3BucketPublicReadProhibited: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: S3BucketPublicReadProhibited Description: >- Checks that your Amazon S3 buckets do not allow public read access. The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL). Scope: ComplianceResourceTypes: - "AWS::S3::Bucket" Source: Owner: AWS SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED MaximumExecutionFrequency: Six_Hours S3BucketPublicWriteProhibited: Type: "AWS::Config::ConfigRule" Properties: ConfigRuleName: S3BucketPublicWriteProhibited Description: "Checks that your Amazon S3 buckets do not allow public write access. The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL)." Scope: ComplianceResourceTypes: - "AWS::S3::Bucket" Source: Owner: AWS SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED MaximumExecutionFrequency: Six_Hours S3BucketReplicationEnabled: Type: "AWS::Config::ConfigRule" Properties: ConfigRuleName: S3BucketReplicationEnabled Description: "Checks whether the Amazon S3 buckets have cross-region replication enabled." Scope: ComplianceResourceTypes: - "AWS::S3::Bucket" Source: Owner: AWS SourceIdentifier: S3_BUCKET_REPLICATION_ENABLED S3BucketSSLRequestsOnly: Type: "AWS::Config::ConfigRule" Properties: ConfigRuleName: S3BucketSSLRequestsOnly Description: "Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL)." Scope: ComplianceResourceTypes: - "AWS::S3::Bucket" Source: Owner: AWS SourceIdentifier: S3_BUCKET_SSL_REQUESTS_ONLY ServerSideEncryptionEnabled: Type: "AWS::Config::ConfigRule" Properties: ConfigRuleName: ServerSideEncryptionEnabled Description: "Checks that your Amazon S3 bucket either has S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption." Scope: ComplianceResourceTypes: - "AWS::S3::Bucket" Source: Owner: AWS SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED S3BucketLoggingEnabled: Type: "AWS::Config::ConfigRule" Properties: ConfigRuleName: S3BucketLoggingEnabled Description: "Checks whether logging is enabled for your S3 buckets." Scope: ComplianceResourceTypes: - "AWS::S3::Bucket" Source: Owner: AWS SourceIdentifier: S3_BUCKET_LOGGING_ENABLED EOT }

Now in my terraform code I will pick one of the config rules in the example provided in the awslabs repo, which is this

AcmCertificateExpirationCheck: Properties: ConfigRuleName: acm-certificate-expiration-check InputParameters: daysToExpiration: Fn::If: - acmCertificateExpirationCheckParamDaysToExpiration - Ref: AcmCertificateExpirationCheckParamDaysToExpiration - Ref: AWS::NoValue Scope: ComplianceResourceTypes: - AWS::ACM::Certificate Source: Owner: AWS SourceIdentifier: ACM_CERTIFICATE_EXPIRATION_CHECK Type: AWS::Config::ConfigRule

Now I have a section in the above snippet where we have an if statement that checks for the variable acmCertificateExpirationCheckParamDaysToExpiration, then is passed the value Ref: AcmCertificateExpirationCheckParamDaysToExpiration that references a parameter:

AcmCertificateExpirationCheckParamDaysToExpiration: Default: '90' Type: String

Now in my terraform code this parameter would be set like this:

locals { AcmCertificateExpirationCheckParamDaysToExpiration = var.acm_certificate_expiration_check_param_days_to_expiration != "" } variable acm_certificate_expiration_check_param_days_to_expiration { type = string default = "90" }

Now I want to use this in the conformance pack resource in terraform. So how do I use the if section in a terraform way:

resource "aws_config_conformance_pack" "s3conformancepack" { name = "s3conformancepack" template_body = <<EOT Resources: AcmCertificateExpirationCheck: Properties: ConfigRuleName: acm-certificate-expiration-check InputParameters: daysToExpiration: Fn::If: - acmCertificateExpirationCheckParamDaysToExpiration - Ref: AcmCertificateExpirationCheckParamDaysToExpiration <======[ How to pass the locals variable into this as done on cloudformation or is this ${local.AcmCertificateExpirationCheckParamDaysToExpiration} sufficient ] - Ref: AWS::NoValue Scope: ComplianceResourceTypes: - AWS::ACM::Certificate Source: Owner: AWS SourceIdentifier: ACM_CERTIFICATE_EXPIRATION_CHECK Type: AWS::Config::ConfigRule
Improve this question

1 Answer 1

Reset to default
0

In my question I have this code snipet:

AcmCertificateExpirationCheck: Properties: ConfigRuleName: acm-certificate-expiration-check InputParameters: daysToExpiration: Fn::If: - acmCertificateExpirationCheckParamDaysToExpiration - Ref: AcmCertificateExpirationCheckParamDaysToExpiration - Ref: AWS::NoValue Scope: ComplianceResourceTypes: - AWS::ACM::Certificate Source: Owner: AWS SourceIdentifier: ACM_CERTIFICATE_EXPIRATION_CHECK Type: AWS::Config::ConfigRule

This section:

InputParameters: daysToExpiration: Fn::If: - acmCertificateExpirationCheckParamDaysToExpiration - Ref: AcmCertificateExpirationCheckParamDaysToExpiration - Ref: AWS::NoValue

can be written as:

InputParameters: daysToExpiration: ${local.AcmCertificateExpirationCheckParamDaysToExpiration ? var.acm_certificate_expiration_check_param_days_to_expiration : null}

I tested this on AWS and it deployed successfully

Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.