Cloud Config:Definition and execution of rules

Last Updated:Aug 01, 2023

Compliance as code refers to defining the compliance requirements of your enterprise as rule code. Rule code is the logic that determines whether the configuration of a resource is compliant. Cloud Config runs rule code as Function Compute functions, which are called rule functions. To create a rule in Cloud Config based on a rule function, you specify the associated resource types, the trigger type, and the input parameters.

When the configuration of a resource changes, Cloud Config runs the rule function to determine whether the configuration is compliant. You can use multiple rules to monitor the compliance of all configuration items of a resource.

Rule definition

A rule is the logic that determines whether a configuration item of a resource is compliant. Each rule has the following characteristics:

  • The input parameters of a rule are configuration items that can be obtained by calling the API operations of the corresponding cloud service, such as the resource specifications, region, name, status, HTTP port, or Internet-facing port. The keys of the input parameters must be identical to the names of the configuration items of the resource.

  • A rule function uses the logic defined in your code to check whether the value of an input parameter is compliant. For example, a rule may consider a Server Load Balancer (SLB) instance compliant only if an HTTPS listener is enabled for the instance. For this rule, the input parameter is the configuration item that records the HTTPS listener status of the SLB instance. If the value of that item indicates that no HTTPS listener is enabled, the rule evaluates the SLB instance as non-compliant.

  • The output of a rule function is the compliance evaluation result.

Associated resource types of a rule

After you create a rule function in the Function Compute console, the rule function is not yet associated with any resource type. In addition, configuration items of different resource types may have the same name, so Cloud Config cannot accurately evaluate compliance based only on the input parameters of the rule function.

Therefore, you must associate the rule function with a resource type in Cloud Config. When the configuration of a resource of that type changes, Cloud Config identifies the rules that are associated with the resource type. Then, based on the specific configuration items that changed, Cloud Config determines whether each of those rules needs to be triggered.

Triggering of a rule

When you change the configuration of a resource, Cloud Config identifies the changed configuration item and passes its value as the value of the corresponding input parameter. Then, Cloud Config triggers the rules that take that parameter to evaluate whether the changed configuration is compliant. This is why the keys of the input parameters must match the names of the configuration items of the resource.

Cloud Config can also trigger a rule at a specified frequency to periodically evaluate the compliance of a resource, independently of configuration changes.
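The three mechanisms described above (a rule function whose input parameters are keyed by configuration item names, the association of that function with a resource type, and change-driven versus periodic triggering) fit together as follows. This is an added Python model written for this page, not Cloud Config or Function Compute code: the result dictionary shape, the `Rule`, `on_configuration_change` and `periodic_scan` names, the configuration item keys `HttpsListenerEnabled` and `NetworkType`, and the resource type strings (written in the ACS::Service::Type style) are assumptions for the example.

```python
"""Toy model of Cloud Config rule definition, association and triggering.

Added illustration, not Cloud Config or Function Compute code. The result
dictionaries, the class and function names, the configuration item keys and
the resource type strings used here are assumptions for this example only.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"

# A rule function takes input parameters keyed by configuration item name
# and returns the evaluation result (shape assumed).
RuleFunction = Callable[[Dict[str, Any]], Dict[str, str]]


def slb_https_listener_rule(params: Dict[str, Any]) -> Dict[str, str]:
    """The page's example: an SLB instance is compliant only if an HTTPS
    listener is enabled. The key 'HttpsListenerEnabled' is assumed."""
    enabled = params.get("HttpsListenerEnabled")
    if enabled is None:
        # Missing input: never fail open by reporting COMPLIANT.
        return {"compliance": NOT_APPLICABLE,
                "annotation": "HttpsListenerEnabled was not supplied"}
    if enabled:
        return {"compliance": COMPLIANT, "annotation": "HTTPS listener enabled"}
    return {"compliance": NON_COMPLIANT, "annotation": "no HTTPS listener enabled"}


def ecs_vpc_network_rule(params: Dict[str, Any]) -> Dict[str, str]:
    """Second illustrative rule: an ECS instance must use the VPC network
    type. The key 'NetworkType' is assumed."""
    network_type = params.get("NetworkType")
    if network_type is None:
        return {"compliance": NOT_APPLICABLE, "annotation": "NetworkType was not supplied"}
    if network_type == "vpc":
        return {"compliance": COMPLIANT, "annotation": "instance is in a VPC"}
    return {"compliance": NON_COMPLIANT, "annotation": f"network type is {network_type}"}


@dataclass(frozen=True)
class Rule:
    """Rule function plus the resource type it is associated with in Cloud
    Config and its input parameter keys (must equal configuration item names)."""
    rule_id: str
    resource_type: str
    input_keys: Tuple[str, ...]
    function: RuleFunction


RULES: List[Rule] = [
    Rule("slb-https-listener", "ACS::SLB::LoadBalancer",
         ("HttpsListenerEnabled",), slb_https_listener_rule),
    Rule("ecs-vpc-network", "ACS::ECS::Instance",
         ("NetworkType",), ecs_vpc_network_rule),
]


def _params_for(rule: Rule, config: Dict[str, Any]) -> Dict[str, Any]:
    """Pass the rule only the configuration items it declared as inputs."""
    return {key: config[key] for key in rule.input_keys if key in config}


def on_configuration_change(rules, resource_type, old_config, new_config):
    """Change trigger: find the changed configuration items, then run only the
    rules associated with this resource type that take a changed item as input."""
    changed = {key for key in set(old_config) | set(new_config)
               if old_config.get(key) != new_config.get(key)}
    results: Dict[str, Dict[str, str]] = {}
    for rule in rules:
        if rule.resource_type != resource_type:
            continue  # same key on another resource type is not this rule's concern
        if not changed.intersection(rule.input_keys):
            continue  # the change touched nothing this rule evaluates
        results[rule.rule_id] = rule.function(_params_for(rule, new_config))
    return results


def periodic_scan(rules, inventory):
    """Scheduled trigger: evaluate every associated rule against every
    resource, independent of what changed."""
    results: Dict[Tuple[str, str], Dict[str, str]] = {}
    for resource_type, resource_id, config in inventory:
        for rule in rules:
            if rule.resource_type == resource_type:
                results[(rule.rule_id, resource_id)] = rule.function(_params_for(rule, config))
    return results


# Constructed sample inventory (not real resources).
SAMPLE_INVENTORY = [
    ("ACS::SLB::LoadBalancer", "lb-example-1", {"HttpsListenerEnabled": True, "NetworkType": "vpc"}),
    ("ACS::SLB::LoadBalancer", "lb-example-2", {"HttpsListenerEnabled": False, "NetworkType": "classic"}),
    ("ACS::ECS::Instance", "i-example-1", {"NetworkType": "classic"}),
]
```

Two details matter in practice. A rule that cannot find its input parameter returns NOT_APPLICABLE rather than COMPLIANT, so a renamed or missing configuration item does not silently turn into a passing result. And because the SLB instances in the sample inventory also carry a `NetworkType` item, the resource type check in `on_configuration_change` is what stops a `NetworkType` change on an SLB instance from triggering the ECS rule, which is exactly the ambiguity the section on associated resource types describes.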

Compliance evaluation results

Cloud Config passes the configuration change as input parameters to the rule function. The rule function then returns the compliance evaluation result to Cloud Config, which displays the results and aggregates statistics in the Cloud Config console in several ways. For more information, see View the compliance evaluation results.

You can create custom rule functions in Function Compute. For more information, see Create a custom rule function. You can also use the rule templates of Cloud Config. For more information, see Rule templates.