Description
AWS has recently released a new feature that supports checking resources against compliance rules by means of so-called proactive controls. The feature is detailed here: https://aws.amazon.com/blogs/aws/new-aws-config-rules-now-support-proactive-compliance/
From the way the feature is designed, it primarily targets CloudFormation deployments and is probably based on/integrated with CloudFormation Guard. With the new APIs released, however, the feature could potentially also be used in other IaC tools.
It would be great if the Terraform AWS provider could take advantage of proactive controls and support their evaluation when doing changes to AWS infrastructure.
The biggest hurdle to implementing this currently is the fact that the StartResourceEvaluation API call only supports a CloudFormation template-like data structure as input, which means that the change plan prepared by Terraform needs to be transformed into this format.
Affected Resource(s) and/or Data Source(s)
The provider block as well as all resources currently supported by CloudFormation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html
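To make the transformation described above concrete, here is an added sketch (not provider code) that reads the JSON emitted by `terraform show -json tfplan`, keeps resources that will be created or updated, and maps their attributes onto the CloudFormation resource schema that StartResourceEvaluation consumes. The `ResourceDetails` field names follow the AWS Config request shape as assumed here, and the single `aws_s3_bucket` attribute map is a constructed example; a real implementation would need one map per supported resource type.

```python
"""Build StartResourceEvaluation ResourceDetails from a Terraform plan JSON.

Added illustration. Assumptions: the ResourceDetails field names below and
the Terraform -> CloudFormation attribute map, which covers aws_s3_bucket only.
"""
import json

# Terraform type -> (CloudFormation type, Terraform attr -> CFN property).
RESOURCE_MAP = {
    "aws_s3_bucket": ("AWS::S3::Bucket", {"bucket": "BucketName"}),
}


def to_cfn_tags(tags):
    """Terraform tag maps become CloudFormation's list of Key/Value pairs."""
    return [{"Key": k, "Value": v} for k, v in sorted((tags or {}).items())]


def plan_to_resource_details(plan_json):
    """Return one ResourceDetails dict per created or updated mapped resource."""
    details = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        actions = set(rc["change"]["actions"])
        if not actions & {"create", "update"} or rc["type"] not in RESOURCE_MAP:
            continue  # deletions, no-ops and unmapped types are skipped
        cfn_type, attr_map = RESOURCE_MAP[rc["type"]]
        after = rc["change"]["after"] or {}  # planned post-apply state
        props = {cfn: after[tf] for tf, cfn in attr_map.items()
                 if after.get(tf) is not None}
        if after.get("tags"):
            props["Tags"] = to_cfn_tags(after["tags"])
        details.append({
            "ResourceId": rc["address"],  # plan address as a stable identifier
            "ResourceType": cfn_type,
            "ResourceConfiguration": json.dumps(props),
            "ResourceConfigurationSchemaType": "CFN_RESOURCE_SCHEMA",
        })
    return details


# Constructed sample, trimmed to the fields terraform show -json emits.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "before": None,
                "after": {"bucket": "example-logs", "tags": {"env": "prod"}}}},
    {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
     "change": {"actions": ["delete"], "before": {"bucket": "old"}, "after": None}},
]})
```

Each returned dict is what would be passed as `ResourceDetails` to the Config API, with `EvaluationMode` set to proactive; the deleted bucket is dropped because there is no post-apply configuration to evaluate.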
Potential Terraform Configuration
References
Would you like to implement a fix?
None