Updated on 2024-05-29 GMT+08:00

Adding a Custom Rule

Scenario

You can create custom rules to supplement predefined rules.

To create a custom rule, you need to use FunctionGraph. Each custom rule is associated with a FunctionGraph function. The function collects rule parameters and resource attributes from the event sent by Config, evaluates your resources, and returns the evaluation results through the Config OpenAPI. Config sends events according to the trigger type of the rule (configuration changes or periodic). For details about how to use FunctionGraph, see FunctionGraph User Guide.

To evaluate resources with Config rules, you need to enable the resource recorder. Resource evaluation is subject to the following rules:

  • If you have never enabled the resource recorder, no resources will be available for evaluation.
  • If you have enabled the resource recorder and a monitoring scope is configured, only resources within the monitoring scope can be evaluated.
  • If you enable the resource recorder and then disable it after a period of time, only resource data collected during the period when the resource recorder is enabled can be evaluated.

For details about how to enable and configure the resource recorder, see Configuring the Resource Recorder.

This section describes how to create a custom rule by performing the following two procedures:

  1. Creating a Function with FunctionGraph
  2. Adding a Custom Rule

Creating a Function with FunctionGraph

  1. Sign in to FunctionGraph console. In the left navigation, choose Functions > Function List.
  2. In the upper right corner, click Create Function. The Create from scratch tab is displayed by default.
  3. Set Function Type to Event Function and configure the required IAM agency. The agency is used to grant the function required permissions. It must include the rms:policyStates:update permission.
  4. Click Create Function.
  5. In the code box, enter a function and click Deploy.

    For details about example code, see Example Functions (Python).

  6. Click Configurations. In the Basic Settings area, modify Execution Timeout (s) and Memory (MB) as required, and configure Concurrency.
  7. Click Save.

    For details, see Creating an Event Function.
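    The following is an added illustration of the kind of function step 5 asks for; it is not the page's example code, and the event and result field names it uses (trigger_type, rule_parameter, invoking_event, properties, tags, policy_resource) are assumptions, as is the sample event itself. The rule it implements marks a resource non-compliant when a required tag key is missing, and it deliberately raises on a missing rule parameter rather than reporting everything compliant.

```python
"""Custom-rule evaluation for Config, as an added illustration (not the page's code)."""
import json
from typing import Any

# Constructed sample event. The field names below (trigger_type, rule_parameter,
# invoking_event, properties, tags) are assumptions made for this illustration;
# the real layout is given in "Example Functions (Python)".
SAMPLE_EVENT: dict[str, Any] = {
    "trigger_type": "resource",  # configuration change; "period" for periodic
    "policy_assignment_id": "<assignment-id-placeholder>",
    "evaluation_time": "2024-05-29T00:00:00Z",
    "rule_parameter": {"required_tag_keys": {"value": ["owner", "env"]}},
    "invoking_event": {
        "id": "ecs-0001", "name": "web-01", "provider": "ecs", "type": "cloudservers",
        "properties": {"tags": [{"key": "env", "value": "prod"}]},
    },
}


def missing_tag_keys(event: dict[str, Any]) -> list[str]:
    """Return the required tag keys the resource lacks. A missing or empty
    required_tag_keys parameter is a rule misconfiguration and is raised, so a
    bad rule is visible instead of silently marking every resource compliant."""
    required = event.get("rule_parameter", {}).get("required_tag_keys", {}).get("value")
    if not isinstance(required, list) or not required:
        raise ValueError("rule parameter 'required_tag_keys' must be a non-empty list")
    tags = event.get("invoking_event", {}).get("properties", {}).get("tags") or []
    present = {t.get("key") for t in tags if isinstance(t, dict)}
    return sorted(set(required) - present)


def evaluate(event: dict[str, Any]) -> dict[str, Any]:
    """Build the evaluation result for one resource. The result keys are an
    assumption about what the Config policy-states call needs; check the API doc."""
    resource = event.get("invoking_event", {})
    state = "Compliant" if not missing_tag_keys(event) else "NonCompliant"
    return {
        "policy_resource": {k: resource.get(k) for k in ("id", "name", "provider", "type")},
        "trigger_type": event.get("trigger_type"),
        "compliance_state": state,
        "policy_assignment_id": event.get("policy_assignment_id"),
        "evaluation_time": event.get("evaluation_time"),
    }


def handler(event: dict[str, Any], context: Any) -> str:
    """FunctionGraph entry point. The call that reports the result to Config (which
    needs rms:policyStates:update on the agency) is where an SDK client would go."""
    return json.dumps(evaluate(event))


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, None))
```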

Adding a Custom Rule

  1. Log in to the management console.
  2. Click in the upper left corner. Under Management & Governance, click Config.
  3. In the navigation pane on the left, choose Resource Compliance.
  4. Click Add Rule in the middle of the page.
  5. Set Policy Type to Custom Policy. Set related parameters, select Quick granting or Custom granting to grant permissions, and click Next.

    • Quick granting: Quick granting grants you the permissions of the rms_custom_policy_agency agency. These permissions ensure proper functioning of a custom policy, including the permissions for obtaining and asynchronously executing a function through FunctionGraph.
    • Custom granting: You need to use IAM to create an agency and then attach the agency to Config. You can set the authorization statement as follows.
        {
            "Version": "1.1",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "functiongraph:function:invokeAsync",
                        "functiongraph:function:getConfig"
                    ]
                }
            ]
        }

      For details about how to create an agency, see Creating an Agency (by a Delegating Party).

    Figure 1 Adding a rule using a custom policy

  6. On the displayed Configure Rule Parameters page, configure required parameters and click Next.
  7. On the Confirm page, confirm the rule information and click Submit.