Try SpotterManage AWS Config rule resources
| "added in version" 1.0.0 of community.aws"
Authors: Aaron Smith (@slapula)
Install with ansible-galaxy collection install community.aws:==5.1.0
collections:
- name: community.aws
version: 5.1.0Module manages AWS Config rules.
Prior to release 5.0.0 this module was called C(community.aws.aws_config_rule). The usage did not change.
- name: Create Config Rule for AWS Config
community.aws.config_rule:
name: test_config_rule
state: present
description: 'This AWS Config rule checks for public write access on S3 buckets'
scope:
compliance_types:
- 'AWS::S3::Bucket'
source:
owner: AWS
identifier: 'S3_BUCKET_PUBLIC_WRITE_PROHIBITED'
name:
description:
- The name of the AWS Config resource.
required: true
type: str
scope:
description:
- Defines which resources can trigger an evaluation for the rule.
suboptions:
compliance_id:
description:
- The ID of the only AWS resource that you want to trigger an evaluation for the
rule. If you specify a resource ID, you must specify one resource type for I(compliance_types).
compliance_types:
description:
- The resource types of only those AWS resources that you want to trigger an evaluation
for the rule. You can only specify one type if you also specify a resource ID
for I(compliance_id).
tag_key:
description:
- The tag key that is applied to only those AWS resources that you want to trigger
an evaluation for the rule.
tag_value:
description:
- The tag value applied to only those AWS resources that you want to trigger an
evaluation for the rule. If you specify a value for I(tag_value), you must also
specify a value for I(tag_key).
type: dict
state:
choices:
- present
- absent
default: present
description:
- Whether the Config rule should be present or absent.
type: str
region:
aliases:
- aws_region
- ec2_region
description:
- The AWS region to use.
- For global services such as IAM, Route53 and CloudFront, I(region) is ignored.
- The C(AWS_REGION) or C(EC2_REGION) environment variables may also be used.
- See the Amazon AWS documentation for more information U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region).
- The C(ec2_region) alias has been deprecated and will be removed in a release after
2024-12-01
- Support for the C(EC2_REGION) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
source:
description:
- Provides the rule owner (AWS or customer), the rule identifier, and the notifications
that cause the function to evaluate your AWS resources.
required: true
suboptions:
details:
description:
- Provides the source and type of the event that causes AWS Config to evaluate
your AWS resources.
- This parameter expects a list of dictionaries. Each dictionary expects the
following key/value pairs.
- Key C(EventSource) The source of the event, such as an AWS service, that triggers
AWS Config to evaluate your AWS resources.
- Key C(MessageType) The type of notification that triggers AWS Config to run
an evaluation for a rule.
- Key C(MaximumExecutionFrequency) The frequency at which you want AWS Config
to run evaluations for a custom rule with a periodic trigger.
identifier:
description:
- The ID of the only AWS resource that you want to trigger an evaluation for the
rule. If you specify a resource ID, you must specify one resource type for I(compliance_types).
owner:
description:
- The resource types of only those AWS resources that you want to trigger an evaluation
for the rule. You can only specify one type if you also specify a resource ID
for I(compliance_id).
type: dict
profile:
aliases:
- aws_profile
description:
- A named AWS profile to use for authentication.
- See the AWS documentation for more information about named profiles U(https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html).
- The C(AWS_PROFILE) environment variable may also be used.
- The I(profile) option is mutually exclusive with the I(aws_access_key), I(aws_secret_key)
and I(security_token) options.
type: str
access_key:
aliases:
- aws_access_key_id
- aws_access_key
- ec2_access_key
description:
- AWS access key ID.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY) or C(EC2_ACCESS_KEY) environment variables
may also be used in decreasing order of preference.
- The I(aws_access_key) and I(profile) options are mutually exclusive.
- The I(aws_access_key_id) alias was added in release 5.1.0 for consistency with the
AWS botocore SDK.
- The I(ec2_access_key) alias has been deprecated and will be removed in a release
after 2024-12-01.
- Support for the C(EC2_ACCESS_KEY) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
aws_config:
description:
- A dictionary to modify the botocore configuration.
- Parameters can be found in the AWS documentation U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config).
type: dict
secret_key:
aliases:
- aws_secret_access_key
- aws_secret_key
- ec2_secret_key
description:
- AWS secret access key.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY), or C(EC2_SECRET_KEY) environment
variables may also be used in decreasing order of preference.
- The I(secret_key) and I(profile) options are mutually exclusive.
- The I(aws_secret_access_key) alias was added in release 5.1.0 for consistency with
the AWS botocore SDK.
- The I(ec2_secret_key) alias has been deprecated and will be removed in a release
after 2024-12-01.
- Support for the C(EC2_SECRET_KEY) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
description:
description:
- The description that you provide for the AWS Config rule.
type: str
endpoint_url:
aliases:
- ec2_url
- aws_endpoint_url
- s3_url
description:
- URL to connect to instead of the default AWS endpoints. While this can be used
to connection to other AWS-compatible services the amazon.aws and community.aws
collections are only tested against AWS.
- The C(AWS_URL) or C(EC2_URL) environment variables may also be used, in decreasing
order of preference.
- The I(ec2_url) and I(s3_url) aliases have been deprecated and will be removed in
a release after 2024-12-01.
- Support for the C(EC2_URL) environment variable has been deprecated and will be
removed in a release after 2024-12-01.
type: str
aws_ca_bundle:
description:
- The location of a CA Bundle to use when validating SSL certificates.
- The C(AWS_CA_BUNDLE) environment variable may also be used.
type: path
session_token:
aliases:
- aws_session_token
- security_token
- aws_security_token
- access_token
description:
- AWS STS session token for use with temporary credentials.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_SESSION_TOKEN), C(AWS_SECURITY_TOKEN) or C(EC2_SECURITY_TOKEN) environment
variables may also be used in decreasing order of preference.
- The I(security_token) and I(profile) options are mutually exclusive.
- Aliases I(aws_session_token) and I(session_token) were added in release 3.2.0, with
the parameter being renamed from I(security_token) to I(session_token) in release
6.0.0.
- The I(security_token), I(aws_security_token), and I(access_token) aliases have been
deprecated and will be removed in a release after 2024-12-01.
- Support for the C(EC2_SECRET_KEY) and C(AWS_SECURITY_TOKEN) environment variables
has been deprecated and will be removed in a release after 2024-12-01.
type: str
validate_certs:
default: true
description:
- When set to C(false), SSL certificates will not be validated for communication with
the AWS APIs.
- Setting I(validate_certs=false) is strongly discouraged, as an alternative, consider
setting I(aws_ca_bundle) instead.
type: bool
input_parameters:
description:
- A string, in JSON format, that is passed to the AWS Config rule Lambda function.
type: str
execution_frequency:
choices:
- One_Hour
- Three_Hours
- Six_Hours
- Twelve_Hours
- TwentyFour_Hours
description:
- The maximum frequency with which AWS Config runs evaluations for a rule.
type: str
debug_botocore_endpoint_logs:
default: false
description:
- Use a C(botocore.endpoint) logger to parse the unique (rather than total) C("resource:action")
API calls made during a task, outputing the set to the resource_actions key in the
task results. Use the C(aws_resource_action) callback to output to total list made
during a playbook.
- The C(ANSIBLE_DEBUG_BOTOCORE_LOGS) environment variable may also be used.
type: bool