Support evaluation mode for config-managed-rule

posquit0 · posquit0 · commit a491ed99094b · 2024-04-24T03:23:29.000+09:00
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.8.0
+0.8.1
diff --git a/modules/config-managed-rule/README.md b/modules/config-managed-rule/README.md
@@ -15,14 +15,14 @@ This module creates following resources.
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.14 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.23 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.19.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.46.0 |
 
 ## Modules
 
@@ -43,6 +43,7 @@ This module creates following resources.
 |------|-------------|------|---------|:--------:|
 | <a name="input_source_rule"></a> [source\_rule](#input\_source\_rule) | (Required) The identifier for AWS Config managed rule. Use the format like `root-account-mfa-enabled` instead of predefiend format like `ROOT_ACCOUNT_MFA_ENABLED`. | `string` | n/a | yes |
 | <a name="input_description"></a> [description](#input\_description) | (Optional) The description of the rule. Use default description if not provided. | `string` | `null` | no |
+| <a name="input_evaluation_modes"></a> [evaluation\_modes](#input\_evaluation\_modes) | (Optional) A set of evaluation modes to enable for the Config rule. Valid values are `DETECTIVE`, `PROACTIVE`. Default value contains only `DETECTIVE`. | `set(string)` | <pre>[<br>  "DETECTIVE"<br>]</pre> | no |
 | <a name="input_excluded_accounts"></a> [excluded\_accounts](#input\_excluded\_accounts) | (Optional) A list of AWS account identifiers to exclude from the rule. Only need when `level` is configured with value `ORGANIZATION`. | `list(string)` | `[]` | no |
 | <a name="input_level"></a> [level](#input\_level) | (Optional) Choose to create a rule across all accounts in your Organization. Valid values are `ACCOUNT` and `ORGANIZATION`. Use `ORGANIZATION` level in Organization master account or delegated administrator accounts. | `string` | `"ACCOUNT"` | no |
 | <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
@@ -64,6 +65,7 @@ This module creates following resources.
 |------|-------------|
 | <a name="output_arn"></a> [arn](#output\_arn) | The Amazon Resource Name (ARN) of the rule. |
 | <a name="output_description"></a> [description](#output\_description) | The description of the rule. |
+| <a name="output_evaluation_modes"></a> [evaluation\_modes](#output\_evaluation\_modes) | A set of evaluation modes to enable for the Config rule. |
 | <a name="output_excluded_accounts"></a> [excluded\_accounts](#output\_excluded\_accounts) | A list of AWS account identifiers excluded from the rule. |
 | <a name="output_id"></a> [id](#output\_id) | The ID of the rule. |
 | <a name="output_level"></a> [level](#output\_level) | The level of the rule. `ACOUNT` or `ORGANIZATION`. The rule is for accounts in your Organization if the value is configured with `ORGANIZATION`. |
diff --git a/modules/config-managed-rule/main.tf b/modules/config-managed-rule/main.tf
@@ -67,6 +67,14 @@ resource "aws_config_config_rule" "this" {
   input_parameters = jsonencode(var.parameters)
 
   ### Trigger by configuration change
+  dynamic "evaluation_mode" {
+    for_each = var.evaluation_modes
+
+    content {
+      mode = evaluation_mode.value
+    }
+  }
+
   ## Scope: ALL_CHANGES
   dynamic "scope" {
     for_each = local.rule.trigger_by_change.enabled && var.scope == "ALL_CHANGES" ? ["go"] : []
diff --git a/modules/config-managed-rule/outputs.tf b/modules/config-managed-rule/outputs.tf
@@ -53,6 +53,11 @@ output "level" {
   value       = var.level
 }
 
+output "evaluation_modes" {
+  description = "A set of evaluation modes to enable for the Config rule."
+  value       = var.evaluation_modes
+}
+
 output "trigger_by_change" {
   description = "The information of trigger by configuration changes."
   value = {
diff --git a/modules/config-managed-rule/variables.tf b/modules/config-managed-rule/variables.tf
@@ -37,6 +37,21 @@ variable "level" {
   }
 }
 
+variable "evaluation_modes" {
+  description = "(Optional) A set of evaluation modes to enable for the Config rule. Valid values are `DETECTIVE`, `PROACTIVE`. Default value contains only `DETECTIVE`."
+  type        = set(string)
+  default     = ["DETECTIVE"]
+  nullable    = false
+
+  validation {
+    condition = alltrue([
+      for mode in var.evaluation_modes :
+      contains(["DETECTIVE", "PROACTIVE"], mode)
+    ])
+    error_message = "Valid values for `evaluation_modes` should be one of `DETECTIVE`, `PROACTIVE`."
+  }
+}
+
 variable "scope" {
   description = "(Optional) Choose when evaluations will occur. Valid values are `ALL_CHANGES`, `RESOURCES`, or `TAGS`."
   type        = string
diff --git a/modules/config-managed-rule/versions.tf b/modules/config-managed-rule/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.5"
+      version = ">= 5.23"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ terraform {`
`4`	`4`	`required_providers {`
`5`	`5`	`aws = {`
`6`	`6`	`source = "hashicorp/aws"`
`7`		`- version = ">= 5.5"`
	`7`	`+ version = ">= 5.23"`
`8`	`8`	`}`
`9`	`9`	`}`
`10`	`10`	`}`