Integration Test Strategy/tool/library for AWS config rules
Hi, we are using the RDK to build/test/deploy our config rules using a multi-account architecture. We would like to perform integration tests for our config rules deployed in the accounts, hence I am looking for suggestions for any library or approach that can help me test my rules (the idea is to deploy dummy resources in the test account and run the rules against the resources, then collect the test results of all the rules and send them back to the pipeline).
Hello,
Firstly, from the standpoint of AWS services, one can leverage CloudFormation [1] stack templates to deploy resources and automate the integration testing, in comparison to manual creation of dummy resources for testing Config rule compliance.
With CloudFormation, you can write your own templates which can then help you to spin up the resources in the test account.
Secondly, moving on to the scenario for a multi-account architecture, AWS CloudFormation StackSets extends the capability of stacks by enabling you to create, update, or delete stacks across multiple accounts and AWS Regions with a single operation.
Please feel free to refer to our AWS Documentation on the same here [2] for more details.
Finally, in regards to the collection/exporting of results, one can leverage any of the below methods:
- If you want the information related to the current Configuration Items, you can use the "Advanced Query" option on the AWS Config dashboard and then download that information in CSV format [3].
- In addition to Advanced Query, we can also use the API GetResourceConfigHistory [4]. For example:

  $ aws configservice get-resource-config-history --resource-type AWS::Config::ResourceCompliance --resource-id <resource_id>

  Basically, this command returns a list of ConfigurationItems for the specified resource.
- You can also leverage Config snapshots; however, in such a case the use of Amazon Athena would be recommended to query the data, as a Config snapshot collects CIs of all supported resources that exist in an account.
I would highly recommend checking our AWS Blogpost [5] which provides detailed information on the difference between configuration history and configuration snapshot files in AWS Config.
I hope the above shared information is able to shed light on some of the options available for your use case. Please feel free to reach out if you have any questions.
References:
[1] https://aws.amazon.com/cloudformation/
[2] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html
[3] https://docs.aws.amazon.com/config/latest/developerguide/querying-AWS-resources.html
[4] https://docs.aws.amazon.com/config/latest/APIReference/API_GetResourceConfigHistory.html
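As an added example (not part of the original answer or the RDK project), here is how the GetResourceConfigHistory output for an AWS::Config::ResourceCompliance item could be turned into a pass/fail verdict for the pipeline: the test fixture is deliberately misconfigured, so the check is that every rule under test reports the verdict the fixture should trigger. The resource id, rule names, the sample response and the layout of its configuration field are constructed assumptions; the live call at the end mirrors the CLI command above.

```python
import json
from typing import Dict, List, Tuple

# Constructed stand-in for a GetResourceConfigHistory response for resource type
# AWS::Config::ResourceCompliance: items newest first, 'configuration' is a JSON
# string carrying the per-rule verdicts in configRuleList (shape assumed).
SAMPLE_HISTORY = {"configurationItems": [
    {"resourceType": "AWS::Config::ResourceCompliance",
     "resourceId": "AWS::S3::Bucket/test-bucket-public",
     "configurationItemCaptureTime": "2024-01-01T00:05:00Z",
     "configuration": json.dumps({"complianceType": "NON_COMPLIANT", "configRuleList": [
         {"configRuleName": "s3-bucket-public-read-prohibited", "complianceType": "NON_COMPLIANT"},
         {"configRuleName": "s3-bucket-versioning-enabled", "complianceType": "COMPLIANT"}]})},
    {"resourceType": "AWS::Config::ResourceCompliance",  # older item, before the fixture was made public
     "resourceId": "AWS::S3::Bucket/test-bucket-public",
     "configurationItemCaptureTime": "2024-01-01T00:00:00Z",
     "configuration": json.dumps({"complianceType": "COMPLIANT", "configRuleList": [
         {"configRuleName": "s3-bucket-public-read-prohibited", "complianceType": "COMPLIANT"}]})}]}

# What the deliberately misconfigured fixture should make each rule under test report.
EXPECTED = {"s3-bucket-public-read-prohibited": "NON_COMPLIANT",
            "s3-bucket-versioning-enabled": "COMPLIANT",
            "s3-bucket-logging-enabled": "NON_COMPLIANT"}  # never evaluated: must fail the run

def latest_rule_results(history: dict) -> Dict[str, str]:
    """configRuleName -> complianceType taken from the newest configuration item only."""
    items = history.get("configurationItems", [])
    if not items:
        return {}
    cfg = json.loads(items[0]["configuration"])
    return {r["configRuleName"]: r["complianceType"] for r in cfg.get("configRuleList", [])}

def check_expectations(history: dict, expected: Dict[str, str]) -> List[Tuple[str, str, str, bool]]:
    """One (rule, expected, actual, passed) row per rule; a rule that never evaluated fails."""
    actual = latest_rule_results(history)
    return [(rule, want, actual.get(rule, "NOT_EVALUATED"), actual.get(rule) == want)
            for rule, want in sorted(expected.items())]

def pipeline_exit_code(results: List[Tuple[str, str, str, bool]]) -> int:
    """0 when every rule behaved as expected, otherwise 1 for the CI stage."""
    return 0 if all(passed for *_, passed in results) else 1

def fetch_history(resource_id: str, region: str = None) -> dict:
    """Live counterpart of the CLI call (boto3 imported lazily so the offline part runs without it)."""
    import boto3
    return boto3.client("config", region_name=region).get_resource_config_history(
        resourceType="AWS::Config::ResourceCompliance", resourceId=resource_id, limit=1)

if __name__ == "__main__":
    rows = check_expectations(SAMPLE_HISTORY, EXPECTED)
    print(*rows, sep="\n")
    raise SystemExit(pipeline_exit_code(rows))  # exits 1: the logging rule was never evaluated
```

In a real run, replace SAMPLE_HISTORY with fetch_history("<resource_id>") for each fixture resource after the rules have evaluated the test stack.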