Integration Test Strategy/tool/library for AWS config rules

0

Hi, We are using the RDK to build/test/deploy our config rules using a multi-account architecture. We would like to perform integration tests for our config rules deployed in the accounts, hence I am looking for suggestions for any library or approach that can help me test my rules (the idea is to deploy dummy resources in the test account and run the rule against the resources, then collect the test results of all the rules and send them back to the pipeline).

1 Answer
0

Hello,

Firstly, from the standpoint of AWS services, one can leverage CloudFormation [1] stack templates to deploy resources to automate the integration testing, in comparison to a manual creation of dummy resources for testing Config rule compliance.

With CloudFormation, you can write your own templates which can then help you to spin up the resources in the test account.

Secondly, moving on to the scenario for a multi-account architecture, AWS CloudFormation StackSets extends the capability of stacks by enabling you to create, update, or delete stacks across multiple accounts and AWS Regions with a single operation.

Please feel free to refer to our AWS Documentation on the same here [2] for more details.

Finally, in regards to the collection/exporting of results, one can leverage any of the below methods:

  1. If you want the information related to the current Configuration Items, you can use the "Advanced Query" option on the AWS Config dashboard and you can then download that information in CSV format [3].

  2. In addition to Advanced Query, we can also use the API - GetResourceConfigHistory [4]

     For example -

     $ aws configservice get-resource-config-history --resource-type AWS::Config::ResourceCompliance --resource-id <resource_id>

     Basically, this command will return a list of ConfigurationItems for the specified resource.

  3. You can also leverage the usage of a Config snapshot; however, in such a case the use of Amazon Athena would be recommended to query the data, as a Config snapshot collects CIs of all supported resources that exist in an account.

I would highly recommend checking our AWS blog post [5], which provides detailed information on the difference between configuration history and configuration snapshot files in AWS Config.

I hope the above shared information is able to shed light on some of the options available for your use case. Please feel free to reach out if you have any questions.

References:

[1] https://aws.amazon.com/cloudformation/

[2] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html

[3] https://docs.aws.amazon.com/config/latest/developerguide/querying-AWS-resources.html

[4] https://docs.aws.amazon.com/config/latest/APIReference/API_GetResourceConfigHistory.html

AWS
SUPPORT ENGINEER
Yash_C
answered 2 years ago
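An added example, not from the question or the answer above, of the last step the question describes: taking the ConfigurationItems that the GetResourceConfigHistory call in point 2 returns for AWS::Config::ResourceCompliance and turning them into a pass/fail verdict the pipeline can act on. The sample items, the rule name, the bucket names and the layout of the `configuration` JSON string (targetResourceId, complianceType, configRuleList) are constructed assumptions about the real payload; a deliberately misconfigured dummy resource is expected to be NON_COMPLIANT, so that verdict counts as the rule passing its test.

```python
import json

# Constructed sample shaped like ConfigurationItems returned by
# `aws configservice get-resource-config-history --resource-type
# AWS::Config::ResourceCompliance`, newest first (the API default). The layout
# of the 'configuration' JSON string is an assumption about the real payload.
def _item(target, verdict):
    return {
        "resourceType": "AWS::Config::ResourceCompliance",
        "resourceId": f"AWS::S3::Bucket/{target}",
        "configuration": json.dumps({
            "targetResourceId": target,
            "targetResourceType": "AWS::S3::Bucket",
            "complianceType": verdict,
            "configRuleList": [{"configRuleName": "s3-bucket-public-read-prohibited",
                                "complianceType": verdict}],
        }),
    }

SAMPLE_ITEMS = [
    _item("test-bucket-public", "NON_COMPLIANT"),   # newest evaluation
    _item("test-bucket-private", "COMPLIANT"),
    _item("test-bucket-public", "COMPLIANT"),       # stale, older evaluation
]

# Expected verdicts for the dummy resources the test stack deploys: the
# deliberately misconfigured one must be flagged NON_COMPLIANT for the rule to pass.
EXPECTED = {
    ("s3-bucket-public-read-prohibited", "test-bucket-public"): "NON_COMPLIANT",
    ("s3-bucket-public-read-prohibited", "test-bucket-private"): "COMPLIANT",
}

def latest_verdicts(items):
    """Map (rule name, target id) -> complianceType, keeping only the newest."""
    verdicts = {}
    for item in items:
        conf = json.loads(item["configuration"])
        for rule in conf.get("configRuleList", []):
            key = (rule["configRuleName"], conf["targetResourceId"])
            verdicts.setdefault(key, rule["complianceType"])  # first seen = newest
    return verdicts

def evaluate(items, expected):
    """Compare verdicts with expectations; returns (passed, failure messages)."""
    actual = latest_verdicts(items)
    failures = [f"{rule} on {target}: expected {want}, got {actual.get((rule, target), 'MISSING')}"
                for (rule, target), want in expected.items()
                if actual.get((rule, target), "MISSING") != want]
    return (not failures, failures)
```

In a pipeline, replace SAMPLE_ITEMS with the `configurationItems` list from the API response and fail the job when `evaluate(...)` returns a non-empty failure list; a rule that never evaluated a dummy resource shows up as MISSING rather than silently passing.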
