Compliance as code means defining the compliance requirements of your enterprise as rule code. Rule code is essentially the logic for determining whether the configuration of a resource is compliant. Cloud Config uses functions of Function Compute to run rule code. Such functions are called rule functions. A rule is created in Cloud Config after you reference the related rule function and configure information such as the linked resources and trigger type in Cloud Config.

During compliance monitoring, when Cloud Config detects a configuration change of a resource in real time, it triggers the related rule function to determine whether the new resource configuration is compliant. A combination of rules can be used to monitor the compliance of all configuration items of a resource.

Rule definition

A rule is the logic that determines whether a configuration item of a resource is compliant. It has the following features:

  • The input parameters of a rule function are configuration items whose values can be obtained by calling a resource query operation. Such configuration items can be the resource specifications, the region where the resource resides, the resource name, the resource status, and the port or network interface status. The names of the input parameters must be the same as those of the configuration items.
  • A rule function uses the logic determined by your code to check whether the value of an input parameter is compliant. For example, a rule function considers a Server Load Balancer (SLB) instance compliant if an HTTPS listener is enabled for the SLB instance. For this rule function, the input parameter is the configuration item that specifies the HTTPS listener status of the SLB instance. If the value of the configuration item specifies that the HTTPS listener is disabled, the rule function determines that the SLB instance is non-compliant.
  • The output parameters of a rule function indicate the compliance evaluation result.

Targeted resource types of a rule

The rule functions you create in Function Compute do not target any specific resource types. In addition, the names of input parameters for different resources may be the same. Therefore, Cloud Config cannot accurately evaluate the compliance merely based on the input parameters of rule functions.

In this case, you need to link the created rule functions to specified types of resources in Cloud Config. When you change the configuration of a resource of a specified type, Cloud Config first locates the rules linked to the resource, and then determines the rule to be triggered based on the changed configuration item.


When you change the configuration of a resource, Cloud Config detects exactly which configuration item changed. It then triggers the rule function that uses that configuration item as its input parameter to determine whether the new configuration is compliant. Therefore, the name of the input parameter of a rule function must be the same as that of the actual configuration item of a resource.

Cloud Config can also trigger a rule function at the frequency you specify to periodically evaluate the compliance of a resource.
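The change-triggered selection described in this section can be modeled locally. The following is an added example, not Cloud Config or Function Compute code: the rule names, resource type labels, configuration item names (HttpsListenerStatus, Status), values, and result strings are all assumptions chosen for illustration. It also shows that a rule whose input parameter name does not match the changed configuration item is never triggered.

```python
# Local model of change-triggered rule dispatch; every name here is hypothetical,
# not a Cloud Config or Function Compute identifier.
from dataclasses import dataclass
from typing import Callable

COMPLIANT, NON_COMPLIANT = "COMPLIANT", "NON_COMPLIANT"  # assumed result labels


@dataclass(frozen=True)
class Rule:
    name: str
    resource_type: str      # resource type the rule is linked to
    input_parameter: str    # must equal the configuration item name
    function: Callable[[object], str]


def slb_https_enabled(value) -> str:
    # Fail closed: anything other than an explicit "on" is non-compliant.
    return COMPLIANT if value == "on" else NON_COMPLIANT


def ecs_instance_running(value) -> str:
    return COMPLIANT if value == "Running" else NON_COMPLIANT


RULES = [
    Rule("slb-https-listener", "SLB", "HttpsListenerStatus", slb_https_enabled),
    # "Status" exists on two resource types; the link to a type disambiguates.
    Rule("ecs-running", "ECS", "Status", ecs_instance_running),
    Rule("slb-active", "SLB", "Status",
         lambda v: COMPLIANT if v == "active" else NON_COMPLIANT),
]


def evaluate_change(resource_type: str, changed_item: str, new_value) -> dict:
    """Return {rule name: result} for the rules one configuration change triggers."""
    results = {}
    for rule in RULES:
        # Step 1: keep only rules linked to this resource type.
        # Step 2: keep only rules whose input parameter is the changed item.
        if rule.resource_type == resource_type and rule.input_parameter == changed_item:
            results[rule.name] = rule.function(new_value)
    return results


if __name__ == "__main__":
    # Constructed change events.
    print(evaluate_change("SLB", "HttpsListenerStatus", "off"))
    print(evaluate_change("ECS", "Status", "Running"))
    print(evaluate_change("SLB", "Status", "Running"))
    print(evaluate_change("SLB", "ListenerStatus", "on"))  # name mismatch: no rule runs
```

An empty result for a change you expected to be evaluated usually means the input parameter name or the linked resource type is wrong, which leaves that configuration item unmonitored.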

Compliance evaluation result

When Cloud Config detects the configuration item that you change, it triggers the rule function that uses the configuration item as the input parameter. After the rule function returns the compliance evaluation result to Cloud Config, you can view the compliance evaluation result and compliance statistics in three ways in the Cloud Config console. For more information, see View rule assessment results.

You can create custom rule functions in Function Compute. For more information, see Create a custom rule. You can also use the existing managed rules that Cloud Config provides. For more information, see List of preset rules.