r/aws_config_organization_custom_policy_rule: New resource

[georgealton]

Description

This adds a new resource aws_config_organization_custom_policy_rule

AWS Config Rules added the capability to use a CloudFormation Guard Policy as a declarative way of performing assertions against resource configuration, without having to manage a Lambda Function.

The Provider gained the capability to manage Account Level CFN Guard Policy backed Rules, but not learn this for Organization Config Rules.

This PR adds the Organization Rule Resource, allowing a team to easily apply a policy to an entire organization, without having to manage and deploy Lambda functions to many accounts.

This feature is really useful for central enabling teams looking to validate best practice compliance in a multi AWS account, high autonomy, organization.

Relations

Closes #27987
Closes #26989

References

API Docs: https://docs.aws.amazon.com/config/latest/APIReference/API_PutOrganizationConfigRule.html
Related Config Rule Resource: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule#custom-policy-details

Output from Acceptance Testing

It was tricky to get all the Acceptance tests to pass together, there is some eventual consistency between organizations and config that sometimes in resulted in AWS Config reporting that the account wasn't a member of an Organization. This might be addressable with more thought on #11582

make testacc TESTS='TestAccConfigServiceOrganizationCustomPolicyRule' PKG=configservice
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/configservice/... -v -count 1 -parallel 20 -run='TestAccConfigServiceOrganizationCustomPolicyRule'  -timeout 180m
=== RUN   TestAccConfigServiceOrganizationCustomPolicyRule_basic
--- PASS: TestAccConfigServiceOrganizationCustomPolicyRule_basic (267.03s)
=== RUN   TestAccConfigServiceOrganizationCustomPolicyRule_disappears
--- PASS: TestAccConfigServiceOrganizationCustomPolicyRule_disappears (246.83s)
=== RUN   TestAccConfigServiceOrganizationCustomPolicyRule_PolicyText
--- PASS: TestAccConfigServiceOrganizationCustomPolicyRule_PolicyText (386.49s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/configservice	905.497s

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

• Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
• For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
• Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

[glenthomas]

Looks good to me!

[gpetrovgeorgi]

Hello guys, when we could expect this PR to be merged ? My organization is looking for this exact solution at the moment. Thank you in advance.

[georgealton]

Hello guys, when we could expect this PR to be merged ? My organization is looking for this exact solution at the moment. Thank you in advance.

@gpetrovgeorgi You've encouraged me to get the tests passing again :)

[ewbankkit]

LGTM 🚀.

[ewbankkit]

@georgealton Thanks for the contribution 🎉 👏.

[github-actions]

This functionality has been released in v4.65.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[valscion]

Looks like the changelog accidentally referred to PR #21373 rather than this PR :)

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.