Skip to main content
Latest Documentation
This is the latest documentation for the Cloud Posse Reference Architecture. To determine which version you're currently using, please see Version Identification.
Version: Latest
Sponsor @cloudposse

aws-config

This component provisions AWS Config across all accounts in an AWS Organization. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It continuously monitors and records configuration changes to your AWS resources and provides a detailed view of the relationships between those resources.

Component Features

This component is responsible for:

  • Configuration Recording: Deploys Configuration Recorders in each account and region to track resource configurations
  • Centralized Aggregation: Configures a designated account (typically security) as the central aggregation point for all AWS Config data
  • Compliance Monitoring: Deploys conformance packs to monitor resources for compliance with best practices and industry standards (e.g., CMMC, CIS, HIPAA)
  • Configuration Storage: Delivers configuration snapshots and history to a centralized S3 bucket (typically in the audit account)
  • Organization-wide Conformance Packs: Deploys organization conformance packs from the management account that automatically apply to all member accounts
  • SNS Topic Encryption: Creates encrypted SNS topics for AWS Config notifications (required for CMMC compliance)
  • Account Verification: Optional safety check that validates Terraform is running in the correct AWS account
  • Flexible Account Map: Supports both remote-state account-map lookups and static account map variables (default)

New Features

This version includes several enhancements:

  • Local Conformance Pack Support: Load conformance packs from local files in addition to remote URLs. This enables custom packs, air-gapped deployments, and version-controlled compliance rules.
  • Organization Conformance Packs: Deploy conformance packs organization-wide from the management account using the scope: organization setting.
  • SNS Topic Encryption: Built-in support for KMS encryption of AWS Config SNS topics (sns_encryption_key_id variable) for CMMC compliance.
  • Flexible Component Naming: The global_collector_component_name_pattern variable allows customization of how the component looks up the global collector region's remote state.
  • GovCloud Support: Full support for AWS GovCloud regions and partitions.

Key AWS Config Capabilities

  • Configuration History: Maintains a detailed history of changes to AWS resources, showing when changes were made, who made them, and what the changes were
  • Configuration Snapshots: Takes periodic snapshots of resource configurations for point-in-time views
  • Compliance Monitoring: Provides pre-built rules and checks for compliance with best practices and industry standards
  • Relationship Mapping: Maps relationships between AWS resources to understand change impacts
  • Notifications and Alerts: Sends notifications when configuration changes impact compliance or security posture

Architecture

The component deploys a multi-account, multi-region architecture:

┌─────────────────────────────────────────────────────────────────────────────┐
│                           AWS Organization                                   │
│                                                                              │
│  ┌────────────────────────────────────────────────────────────────────────┐ │
│  │ Management Account (Organization Conformance Packs)                    │ │
│  │  - Deploys organization-wide conformance packs                         │ │
│  │  - Packs automatically apply to all member accounts                    │ │
│  └────────────────────────────────────────────────────────────────────────┘ │
│                                                                              │
│  ┌────────────────────────────────────────────────────────────────────────┐ │
│  │ Security Account (Central Aggregator)                                  │ │
│  │  - AWS Config Aggregator (collects from ALL accounts)                  │ │
│  │  - Centralized compliance dashboard                                    │ │
│  └────────────────────────────────────────────────────────────────────────┘ │
│                              ▲ ▲ ▲                                          │
│                              │ │ │ Aggregate Authorizations                 │
│                              │ │ │                                          │
│  ┌────────────────────────────────────────────────────────────────────────┐ │
│  │ Audit Account                                                          │ │
│  │  - S3 Bucket (aws-config-bucket)                                       │ │
│  │  - Stores ALL Config data from all accounts ◄───────────────┐          │ │
│  └──────────────────────────────────────────────────────────────│──────────┘ │
│                                                                  │           │
│  ┌────────────────────────────────────────────────────────────┐ │           │
│  │ Each Member Account                                        │ │           │
│  │                                                            │ │           │
│  │  Global Collector Region (e.g., us-east-1):               │ │           │
│  │    ✓ Configuration Recorder                               │ │           │
│  │    ✓ IAM Role (created once per account)                  │ │           │
│  │    ✓ Tracks global resources (IAM, Route53, etc.)         │ │           │
│  │    ✓ Aggregate Authorization → Security Account           │─┘           │
│  │    ✓ Delivery Channel → S3 Bucket (audit) ────────────────────────────────┘
│  │                                                            │              │
│  │  Additional Regions (e.g., us-west-2):                    │              │
│  │    ✓ Configuration Recorder                               │              │
│  │    ✓ References IAM Role from global collector region     │              │
│  │    ✓ Tracks regional resources (EC2, VPC, RDS, etc.)      │              │
│  │    ✓ Delivery Channel → S3 Bucket (audit) ────────────────────────────────┘
│  └────────────────────────────────────────────────────────────┘              │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘

Architecture Benefits

  • Centralized Compliance: Security team can view all resource configurations from one account
  • Cost Efficiency: Single S3 bucket for all AWS Config data (in audit account)
  • Security Best Practices: Aggregation in security account aligns with AWS Well-Architected Framework
  • Scalability: Easy to add new accounts and regions without changing the aggregation setup
  • GovCloud Compatible: Supports AWS GovCloud regions and partitions
warning

AWS Config Limitations

Be aware of these AWS Config limitations:

  • Maximum 1000 AWS Config rules per account can be evaluated
  • Mitigate by removing duplicate rules across packs
  • Remove rules that don't apply to any resources
  • Consider scheduling pack deployment with Lambda for more than 1000 rules
  • See the Audit Manager docs for converting conformance packs to custom Audit Manager assessments
  • Maximum 50 conformance packs per account

Usage

Prerequisites

Before deploying this AWS Config component:

  1. AWS Config Bucket: The aws-config-bucket component must be provisioned first in the audit account:

    atmos terraform apply aws-config-bucket -s core-use1-audit

  2. Support IAM Role (CIS AWS Foundations 1.20): A designated support IAM role should be deployed to every account:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowSupport",
          "Effect": "Allow",
          "Action": ["support:*"],
          "Resource": "*"
        },
        {
          "Sid": "AllowTrustedAdvisor",
          "Effect": "Allow",
          "Action": "trustedadvisor:Describe*",
          "Resource": "*"
        }
      ]
    }

  3. Service Access Principals (for organization-level conformance packs): Enable trusted access for AWS Config in your organization:

    How to Verify:

    aws organizations list-aws-service-access-for-organization | grep config

    Enable if Disabled:

    aws organizations enable-aws-service-access --service-principal config.amazonaws.com
    aws organizations enable-aws-service-access --service-principal config-multiaccountsetup.amazonaws.com

    Or if using our account component, add these principals to aws_service_access_principals.

Usage

Stack Level: Regional

AWS Config is a regional service. The component must be deployed to each region where you want to track resources.

Scope Configuration

The default_scope variable controls how conformance packs are deployed:

ScopeDescriptionUse Case
accountConformance packs deployed per-accountMember accounts
organizationConformance packs deployed organization-wideManagement account only
tip

Using Account Scope (Member Accounts)

For member accounts, use default_scope: account. The component will:

  • Create a Configuration Recorder in each region
  • Create an IAM role only in the global collector region
  • Authorize the central aggregator account to collect data
  • Deploy account-level conformance packs
tip

Using Organization Scope (Management Account)

For the management account, use default_scope: organization. The component will:

  • Deploy organization-wide conformance packs that apply to ALL member accounts
  • Require the config-multiaccountsetup.amazonaws.com service access principal

Key Configuration Variables

VariableDescriptionExample
global_resource_collector_regionRegion that tracks global resources (IAM, Route53)us-east-1
central_resource_collector_accountAccount that aggregates all Config datasecurity
create_iam_roleSet to true - component auto-detects global collector regiontrue
config_bucket_*References the S3 bucket in audit accountSee example below
sns_encryption_key_idKMS key for SNS topic encryption (CMMC compliance)alias/aws/sns

Catalog Configuration

Default Configuration (stacks/catalog/aws-config/defaults.yaml)

components:
  terraform:
    aws-config/defaults:
      metadata:
        type: abstract
        component: "aws-config"
      vars:
        enabled: true
        default_scope: account
        create_iam_role: true
        az_abbreviation_type: fixed
        account_map_component_name: "account-map"
        account_map_tenant: core
        root_account_stage: root
        global_environment: gbl
        global_resource_collector_region: "us-east-1"
        central_resource_collector_account: security
        config_bucket_component_name: "aws-config-bucket"
        config_bucket_tenant: core
        config_bucket_env: ue1
        config_bucket_stage: audit
        sns_encryption_key_id: "alias/aws/sns"
        conformance_packs: []

Member Account Configuration (stacks/catalog/aws-config/member-account.yaml)

import:
  - catalog/aws-config/defaults

components:
  terraform:
    aws-config:
      metadata:
        component: "aws-config"
        inherits:
          - "aws-config/defaults"

Organization Account Configuration (stacks/catalog/aws-config/organization.yaml)

import:
  - catalog/aws-config/defaults

components:
  terraform:
    aws-config:
      metadata:
        component: "aws-config"
        inherits:
          - "aws-config/defaults"
      vars:
        default_scope: organization
        conformance_packs:
          - name: "Operational-Best-Practices-for-CIS-AWS-v1.4-Level2"
            conformance_pack: "https://raw.githubusercontent.com/awslabs/aws-config-rules/master/aws-config-conformance-packs/Operational-Best-Practices-for-CIS-AWS-v1.4-Level2.yaml"
            parameter_overrides: {}

Conformance Packs

Conformance packs define a collection of AWS Config rules for compliance monitoring. This component supports loading conformance packs from both remote URLs and local files.

Local File Support (New Feature)

The component now supports loading conformance packs from the local filesystem in addition to remote URLs. This enables:

  • Custom conformance packs: Create organization-specific compliance rules
  • Modified AWS packs: Customize AWS-provided packs for your requirements
  • Air-gapped environments: Deploy in environments without internet access
  • Version control: Track conformance pack changes alongside infrastructure code

The component automatically detects whether the conformance_pack value is a URL (starts with http:// or https://) or a local file path. Local paths are resolved relative to the component's root directory.

Conformance Pack Examples

conformance_packs:
  # Remote URL (AWS Labs managed packs)
  - name: "CIS-AWS-v1.4-Level2"
    conformance_pack: "https://raw.githubusercontent.com/awslabs/aws-config-rules/master/aws-config-conformance-packs/Operational-Best-Practices-for-CIS-AWS-v1.4-Level2.yaml"
    parameter_overrides:
      AccessKeysRotatedParamMaxAccessKeyAge: "45"

  # Local file (relative to component directory)
  - name: "Custom-CMMC-Pack"
    conformance_pack: "conformance-packs/custom-cmmc-pack.yaml"
    parameter_overrides: {}

  # Another local file example
  - name: "CMMC-Level2-Best-Practices"
    conformance_pack: "conformance-packs/cmmc-l2-v2-AWS-Best-Practices.yaml"
    parameter_overrides:
      IamPasswordPolicyParamMaxPasswordAge: "60"

  # Override scope for specific pack
  - name: "Org-Wide-Security-Pack"
    conformance_pack: "https://example.com/pack.yaml"
    scope: "organization"  # Override default_scope
    parameter_overrides: {}

Creating Custom Conformance Packs

To create a custom conformance pack:

  1. Create a conformance-packs/ directory in your component:

    components/terraform/aws-config/
    ├── conformance-packs/
    │   ├── custom-security-rules.yaml
    │   └── cmmc-l2-v2-customized.yaml
    ├── main.tf
    ├── variables.tf
    └── ...

  2. Define rules in CloudFormation format:

    # conformance-packs/custom-security-rules.yaml
    Parameters:
      MaxAccessKeyAge:
        Default: '90'
        Type: String
    Resources:
      AccessKeysRotated:
        Type: AWS::Config::ConfigRule
        Properties:
          ConfigRuleName: custom-access-keys-rotated
          InputParameters:
            maxAccessKeyAge:
              Ref: MaxAccessKeyAge
          Source:
            Owner: AWS
            SourceIdentifier: ACCESS_KEYS_ROTATED

  3. Reference the local file in your configuration:

    conformance_packs:
      - name: "Custom-Security-Rules"
        conformance_pack: "conformance-packs/custom-security-rules.yaml"
        parameter_overrides:
          MaxAccessKeyAge: "45"

SNS Topic Encryption

AWS Config creates an SNS topic for notifications. For CMMC compliance, this topic must be encrypted:

# Option 1: AWS Managed Key (Recommended)
sns_encryption_key_id: "alias/aws/sns"

# Option 2: Customer Managed KMS Key
sns_encryption_key_id: "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"

Deployment

Provisioning Order

important

Critical: Deploy Member Accounts BEFORE Organization Account

Organization conformance packs require all member accounts to have configuration recorders already set up. Always deploy member accounts first, then the organization/management account last.

Step 1: Deploy to Member Accounts (Global Collector Region First)

All member accounts can be deployed in parallel:

# Core tenant accounts
atmos terraform apply aws-config -s core-use1-audit
atmos terraform apply aws-config -s core-use1-security
atmos terraform apply aws-config -s core-use1-network
atmos terraform apply aws-config -s core-use1-identity
atmos terraform apply aws-config -s core-use1-dns
atmos terraform apply aws-config -s core-use1-automation

# Platform tenant accounts (if applicable)
atmos terraform apply aws-config -s plat-use1-dev
atmos terraform apply aws-config -s plat-use1-staging
atmos terraform apply aws-config -s plat-use1-prod

Step 2: Deploy to Organization/Management Account (LAST)

atmos terraform apply aws-config -s core-use1-root

Multi-Region Deployment

AWS Config is regional. For multi-region coverage, deploy to each region:

How Multi-Region Works

  • Global Collector Region (e.g., us-east-1): Creates the IAM role, tracks global resources
  • Additional Regions (e.g., us-west-2): References IAM role via remote state, tracks regional resources only

Prerequisites for Additional Regions

Add the aws-config import to regional baseline files:

# stacks/orgs/acme/core/security/us-west-2/baseline.yaml
import:
  - orgs/acme/core/security/_defaults
  - mixins/region/us-west-2
  - catalog/aws-config/member-account  # Add this

Deploy Additional Regions

Follow the same order: member accounts first, then organization account.

# Step 1: Member accounts in us-west-2
atmos terraform apply aws-config -s core-usw2-audit
atmos terraform apply aws-config -s core-usw2-security
# ... all other member accounts

# Step 2: Organization account in us-west-2 (LAST)
atmos terraform apply aws-config -s core-usw2-root

Known Issues and False Positives

IAM Inline Policy Check - Service-Linked Roles

The IAM_NO_INLINE_POLICY_CHECK rule flags AWS Service-Linked Roles (SLRs) as NON_COMPLIANT. This is a known false positive.

Why This Happens:

  • AWS Service-Linked Roles are automatically created and managed by AWS services
  • These roles must have inline policies by AWS design
  • The rule cannot distinguish between user-created roles and AWS-managed SLRs

Common SLRs That Trigger This Finding:

Service-Linked RoleService
AWSServiceRoleForAmazonGuardDutyGuardDuty
AWSServiceRoleForConfigAWS Config
AWSServiceRoleForSecurityHubSecurity Hub
AWSServiceRoleForAccessAnalyzerIAM Access Analyzer
AWSServiceRoleForAmazonMacieMacie
AWSServiceRoleForInspector2Inspector

Recommended Action:

  • Document these as accepted false positives
  • Focus remediation on NON_COMPLIANT findings for user-created roles (not starting with AWSServiceRole)
  • Validate findings with: aws iam get-role --role-name <role> --query 'Role.Path'
    • Service-linked roles have path: /aws-service-role/<service>/

For CMMC/Compliance Auditors:

  • Service-linked roles are AWS-managed and out of customer control
  • CMMC framework recognizes AWS-managed resources as acceptable exceptions
  • Document the exception with proper justification

Verification Commands

# Verify SNS topic encryption
aws sns get-topic-attributes \
  --topic-arn arn:aws:sns:us-east-1:123456789012:config-topic \
  --query 'Attributes.KmsMasterKeyId'

# List service-linked roles
aws iam list-roles --query 'Roles[?starts_with(RoleName, `AWSServiceRole`)].RoleName'

# Check if role is service-linked
aws iam get-role --role-name AWSServiceRoleForAmazonGuardDuty --query 'Role.Path'

Variables

Required Variables

central_resource_collector_account (string) required

The name of the account that is the centralized aggregation account.

config_bucket_env (string) required

The environment of the AWS Config S3 Bucket

config_bucket_stage (string) required

The stage of the AWS Config S3 Bucket

global_resource_collector_region (string) required

The region that collects AWS Config data for global resources such as IAM

region (string) required

AWS Region

Optional Variables

account_map optional

Static account map configuration. Only used when account_map_enabled is false.
Map keys use tenant-stage format (e.g., core-security, core-audit, plat-prod).



Type:

object({
full_account_map              = map(string)
audit_account_account_name    = optional(string, "")
root_account_account_name     = optional(string, "")
identity_account_account_name = optional(string, "")
aws_partition                 = optional(string, "aws")
iam_role_arn_templates        = optional(map(string), {})
})

Default value:

{
  "audit_account_account_name": "",
  "aws_partition": "aws",
  "full_account_map": {},
  "iam_role_arn_templates": {},
  "identity_account_account_name": "",
  "root_account_account_name": ""
}
account_map_component_name (string) optional

The name of the account-map component


Default value: "account-map"

account_map_enabled (bool) optional

Enable the account map component. When true, the component fetches account mappings from the
account-map component via remote state. When false (default), the component uses the static account_map variable instead.



Default value: false

account_map_tenant (string) optional

The tenant where the account_map component required by remote-state is deployed


Default value: "core"

account_verification_enabled (bool) optional

Enable account verification. When true (default), the component verifies that Terraform is executing
in the correct AWS account by comparing the current account ID against the expected account from the
account_map based on the component's tenant-stage context.



Default value: true

az_abbreviation_type (string) optional

AZ abbreviation type, fixed or short


Default value: "fixed"

config_bucket_component_name (string) optional

The name of the config-bucket component


Default value: "config-bucket"

config_bucket_tenant (string) optional

(Optional) The tenant of the AWS Config S3 Bucket


Default value: ""

config_component_name (string) optional

The name of the aws config component (i.e., this component)


Default value: "aws-config"

conformance_packs optional

List of conformance packs. Each conformance pack is a map with the following keys: name, conformance_pack, parameter_overrides.


For example:
conformance_packs = [
{
name = "Operational-Best-Practices-for-CIS-AWS-v1.4-Level1"
conformance_pack = "https://raw.githubusercontent.com/awslabs/aws-config-rules/master/aws-config-conformance-packs/Operational-Best-Practices-for-CIS-AWS-v1.4-Level1.yaml"
parameter_overrides = {
"AccessKeysRotatedParamMaxAccessKeyAge" = "45"
}
},
{
name = "Operational-Best-Practices-for-CIS-AWS-v1.4-Level2"
conformance_pack = "https://raw.githubusercontent.com/awslabs/aws-config-rules/master/aws-config-conformance-packs/Operational-Best-Practices-for-CIS-AWS-v1.4-Level2.yaml"
parameter_overrides = {
"IamPasswordPolicyParamMaxPasswordAge" = "45"
}
}
]


Complete list of AWS Conformance Packs managed by AWSLabs can be found here:
https://github.com/awslabs/aws-config-rules/tree/master/aws-config-conformance-packs



Type:

list(object({
name                = string
conformance_pack    = string
parameter_overrides = map(any)
scope               = optional(string, null)
}))

Default value: [ ]

create_iam_role (bool) optional

Flag to indicate whether an IAM Role should be created to grant the proper permissions for AWS Config


Default value: false

default_scope (string) optional

The default scope of the conformance pack. Valid values are account and organization.


Default value: "account"

delegated_accounts (set(string)) optional

The account IDs of other accounts that will send their AWS Configuration or Security Hub data to this account


Default value: null

global_collector_component_name_pattern (string) optional

A string formatting pattern used to construct or look up the name of the
global AWS Config collector region component.


This pattern should align with the regional naming convention of the
aws-config component. For example, if the pattern is "%s-%s" and you pass
("aws-config", "use1"), the resulting component name will be "aws-config-use1".


Adjust this pattern if your environment uses a different naming convention
for regional AWS Config components.



Default value: "%s-%s"

global_environment (string) optional

Global environment name


Default value: "gbl"

iam_role_arn (string) optional

The ARN for an IAM Role AWS Config uses to make read or write requests to the delivery channel and to describe the
AWS resources associated with the account. This is only used if create_iam_role is false.


If you want to use an existing IAM Role, set the variable to the ARN of the existing role and set create_iam_role to false.


See the AWS Docs for further information:
http://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html



Default value: null

managed_rules optional

A list of AWS Managed Rules that should be enabled on the account.


See the following for a list of possible rules to enable:
https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html


Example:

managed_rules = {<br/>
  access-keys-rotated = {<br/>
    identifier  = &#34;ACCESS_KEYS_ROTATED&#34;<br/>
    description = &#34;Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if the access keys have not been rotated for more than maxAccessKeyAge number of days.&#34;<br/>
    input_parameters = {<br/>
      maxAccessKeyAge : &#34;90&#34;<br/>
    }<br/>
    enabled = true<br/>
    tags = {}<br/>
  }<br/>
}<br/>
```<br/>
<br/>
<br/>

**Type:**
```hcl
map(object({
description      = string
identifier       = string
input_parameters = any
tags             = map(string)
enabled          = bool
}))

Default value: { }

privileged (bool) optional

True if the default provider already has access to the backend


Default value: false

root_account_stage (string) optional

The stage name for the Organization root (master) account


Default value: "root"

sns_encryption_key_id (string) optional

The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a custom CMK.


Use "alias/aws/sns" for AWS managed key (recommended for compliance).
Use a custom KMS key ARN or alias for organization-specific encryption requirements.


IMPORTANT: This is required for CMMC compliance (cmmc-2-v2-sns-encrypted-kms rule).
The SNS topic created by AWS Config must be encrypted with KMS.



Default value: "alias/aws/sns"

Context Variables

The following variables are defined in the context.tf file of this module and part of the terraform-null-label pattern.

additional_tag_map (map(string)) optional

Additional key-value pairs to add to each map in tags_as_list_of_maps. Not added to tags or id.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration.


Required: No

Default value: { }

attributes (list(string)) optional

ID element. Additional attributes (e.g. workers or cluster) to add to id,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the delimiter
and treated as a single ID element.


Required: No

Default value: [ ]

context (any) optional

Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as null to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged.


Required: No

Default value:

{
  "additional_tag_map": {},
  "attributes": [],
  "delimiter": null,
  "descriptor_formats": {},
  "enabled": true,
  "environment": null,
  "id_length_limit": null,
  "label_key_case": null,
  "label_order": [],
  "label_value_case": null,
  "labels_as_tags": [
    "unset"
  ],
  "name": null,
  "namespace": null,
  "regex_replace_chars": null,
  "stage": null,
  "tags": {},
  "tenant": null
}
delimiter (string) optional

Delimiter to be used between ID elements.
Defaults to - (hyphen). Set to &#34;&#34; to use no delimiter at all.


Required: No

Default value: null

descriptor_formats (any) optional

Describe additional descriptors to be output in the descriptors output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
\{<br/> format = string<br/> labels = list(string)<br/> \}
(Type is any so the map values can later be enhanced to provide additional options.)
format is a Terraform format string to be passed to the format() function.
labels is a list of labels, in order, to pass to format() function.
Label values will be normalized before being passed to format() so they will be
identical to how they appear in id.
Default is {} (descriptors output will be empty).


Required: No

Default value: { }

enabled (bool) optional

Set to false to prevent the module from creating any resources
Required: No

Default value: null

environment (string) optional

ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'
Required: No

Default value: null

id_length_limit (number) optional

Limit id to this many characters (minimum 6).
Set to 0 for unlimited length.
Set to null for keep the existing setting, which defaults to 0.
Does not affect id_full.


Required: No

Default value: null

label_key_case (string) optional

Controls the letter case of the tags keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the tags input.
Possible values: lower, title, upper.
Default value: title.


Required: No

Default value: null

label_order (list(string)) optional

The order in which the labels (ID elements) appear in the id.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.


Required: No

Default value: null

label_value_case (string) optional

Controls the letter case of ID elements (labels) as included in id,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the tags input.
Possible values: lower, title, upper and none (no transformation).
Set this to title and set delimiter to &#34;&#34; to yield Pascal Case IDs.
Default value: lower.


Required: No

Default value: null

labels_as_tags (set(string)) optional

Set of labels (ID elements) to include as tags in the tags output.
Default is to include all labels.
Tags with empty values will not be included in the tags output.
Set to [] to suppress all generated tags.
Notes:
The value of the name tag, if included, will be the id, not the name.
Unlike other null-label inputs, the initial setting of labels_as_tags cannot be
changed in later chained modules. Attempts to change it will be silently ignored.


Required: No

Default value:

[
  "default"
]
name (string) optional

ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a tag.
The "name" tag is set to the full id string. There is no tag with the value of the name input.


Required: No

Default value: null

namespace (string) optional

ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique
Required: No

Default value: null

regex_replace_chars (string) optional

Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, &#34;/[^a-zA-Z0-9-]/&#34; is used to remove all characters other than hyphens, letters and digits.


Required: No

Default value: null

stage (string) optional

ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'
Required: No

Default value: null

tags (map(string)) optional

Additional tags (e.g. {&#39;BusinessUnit&#39;: &#39;XYZ&#39;}).
Neither the tag keys nor the tag values will be modified by this module.


Required: No

Default value: { }

tenant (string) optional

ID element (Rarely used, not included by default). A customer identifier, indicating who this instance of a resource is for
Required: No

Default value: null

Outputs

aws_config_configuration_recorder_id

The ID of the AWS Config Recorder

aws_config_iam_role

The ARN of the IAM Role used for AWS Config

storage_bucket_arn

Storage Config bucket ARN

storage_bucket_id

Storage Config bucket ID

Dependencies

Requirements

  • terraform, version: >= 1.4.0
  • aws, version: >= 4.0.0
  • awsutils, version: >= 0.16.0

Providers

  • aws, version: >= 4.0.0
  • terraform

Modules

NameVersionSourceDescription
account_map1.8.0cloudposse/stack-config/yaml//modules/remote-staten/a
aws_config1.5.3cloudposse/config/awsn/a
aws_config_label0.25.0cloudposse/label/nulln/a
config_bucket1.8.0cloudposse/stack-config/yaml//modules/remote-staten/a
conformance_pack1.5.3cloudposse/config/aws//modules/conformance-packn/a
global_collector_region1.8.0cloudposse/stack-config/yaml//modules/remote-staten/a
org_conformance_packlatest./modules/org-conformance-packn/a
this0.25.0cloudposse/label/nulln/a
utils1.4.0cloudposse/utils/awsn/a

Resources

The following resources are used by this module:

Data Sources

The following data sources are used by this module: