Compliance as code refers to defining the compliance requirements of your enterprise as rule code. Rule code is the logic that determines whether the configuration of a resource is compliant. Cloud Config uses functions of Function Compute to run rule code. These functions are called rule functions. You can create a rule in Cloud Config based on the rule functions by specifying the related resources, trigger type, and input parameters.
When the configuration of a resource changes, Cloud Config runs the rule function to determine whether the configuration is compliant. You can use multiple rules to monitor the compliance of all configuration items of a resource.
Rule definition
A rule is the logic that determines whether a configuration item of a resource is compliant. Each rule has the following features:
- The input parameters of a rule are configuration items that can be obtained by calling the API operations of the corresponding cloud service, for example the resource specifications, region, name, status, HTTP port, or Internet-facing port. The keys of the input parameters must be the same as the names of the configuration items of the resource.
- A rule function uses the logic in your code to check whether the value of an input parameter is compliant. For example, a rule considers a Server Load Balancer (SLB) instance compliant if an HTTPS listener is enabled for the instance. For this rule, the input parameter is the configuration item that specifies the HTTPS listener status of the SLB instance. If the value of that configuration item indicates that no HTTPS listener is enabled, the rule determines that the SLB instance is non-compliant.
- The output parameters of a rule function indicate the compliance evaluation result.
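The SLB rule described above, written as an added example of a rule function (this is illustrative code, not Alibaba Cloud's own). The event layout, the `ACS::SLB::LoadBalancer` resource type string, and the `HttpsListenerEnabled` configuration item key are assumptions; the point shown is that the rule reads its input parameter by the configuration item's key, so a mismatched key must be reported rather than silently passed.

```python
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"

# Assumed names: the input-parameter key must equal the configuration item
# key of the SLB resource, otherwise the rule cannot evaluate anything.
SLB_RESOURCE_TYPE = "ACS::SLB::LoadBalancer"
HTTPS_LISTENER_KEY = "HttpsListenerEnabled"


def evaluate_slb(configuration, resource_type):
    """Return (compliance_type, annotation) for one SLB configuration item."""
    if resource_type != SLB_RESOURCE_TYPE:
        return NOT_APPLICABLE, "rule is associated with SLB instances only"
    if HTTPS_LISTENER_KEY not in configuration:
        # Key mismatch between rule input and configuration item: surface it.
        return NOT_APPLICABLE, "configuration item %s not present" % HTTPS_LISTENER_KEY
    if configuration[HTTPS_LISTENER_KEY] is True:
        return COMPLIANT, "HTTPS listener is enabled"
    return NON_COMPLIANT, "no HTTPS listener is enabled for this instance"


def handler(event, context=None):
    """Function Compute entry point (assumed event shape, see lead-in)."""
    if isinstance(event, (bytes, str)):
        event = json.loads(event)
    invoking = event["invokingEvent"]
    if isinstance(invoking, str):          # some triggers pass a JSON string
        invoking = json.loads(invoking)
    item = invoking["configurationItem"]
    compliance, note = evaluate_slb(item.get("configuration", {}),
                                    item.get("resourceType"))
    return {
        "resourceId": item.get("resourceId"),
        "resourceType": item.get("resourceType"),
        "complianceType": compliance,
        "annotation": note,
    }


# Constructed sample event for an offline dry run (not a real Cloud Config event).
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceId": "lb-example-0001",
        "resourceType": SLB_RESOURCE_TYPE,
        "configuration": {HTTPS_LISTENER_KEY: False, "HttpPort": 80},
    }})
}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```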
Associated resource types of a rule
After you create a rule function in the Function Compute console, the rule function is not yet associated with any resource type. In addition, different resource types may have input parameters with the same name, so Cloud Config cannot accurately evaluate compliance based only on the input parameters of the rule function.
Therefore, you must apply the rule functions to specified types of resources in Cloud Config. If you change the configuration of a resource of a specified type, Cloud Config locates the rules that are associated with the resource type. Then, Cloud Config determines the rules to be triggered based on the specific configuration changes.
Trigger type of a rule
If you change the configuration of a resource, Cloud Config locates the changed configuration items and uses their values as the values of the input parameters. Then, Cloud Config triggers one or more rules to evaluate whether the changed configuration is compliant. This is why the keys of the input parameters must be the same as the names of the configuration items of the resource.
Cloud Config can also trigger a rule at a specified frequency to periodically evaluate the compliance of a resource.
Compliance evaluation result
If Cloud Config detects that the value of a configuration item has been changed, Cloud Config triggers the rule that uses the configuration item as the input parameter. After the rule returns the compliance evaluation result to Cloud Config, you can view the result and relevant statistics by using various methods in the Cloud Config console. For more information, see View the compliance evaluation result.
You can create custom rule functions in Function Compute and use the rule functions to create rules. For more information, see Create a custom rule. You can also create rules based on the managed rules that Cloud Config provides. For more information, see Managed rules.