// Code generated by smithy-go-codegen DO NOT EDIT. package types import ( smithydocument "github.com/aws/smithy-go/document" "time" ) // A collection of accounts and regions. type AccountAggregationSource struct { // The 12-digit account ID of the account being aggregated. // // This member is required. AccountIds []string // If true, aggregate existing Config regions and future regions. AllAwsRegions bool // The source regions being aggregated. AwsRegions []string noSmithyDocumentSerde } // Indicates whether an Config rule is compliant based on account ID, region, // compliance, and rule name. A rule is compliant if all of the resources that the // rule evaluated comply with it. It is noncompliant if any of these resources do // not comply. type AggregateComplianceByConfigRule struct { // The 12-digit account ID of the source account. AccountId *string // The source region from where the data is aggregated. AwsRegion *string // Indicates whether an Amazon Web Services resource or Config rule is compliant // and provides the number of contributors that affect the compliance. Compliance *Compliance // The name of the Config rule. ConfigRuleName *string noSmithyDocumentSerde } // Provides aggregate compliance of the conformance pack. Indicates whether a // conformance pack is compliant based on the name of the conformance pack, account // ID, and region. A conformance pack is compliant if all of the rules in a // conformance packs are compliant. It is noncompliant if any of the rules are not // compliant. The compliance status of a conformance pack is INSUFFICIENT_DATA only // if all rules within a conformance pack cannot be evaluated due to insufficient // data. If some of the rules in a conformance pack are compliant but the // compliance status of other rules in that same conformance pack is // INSUFFICIENT_DATA, the conformance pack shows compliant. type AggregateComplianceByConformancePack struct { // The 12-digit Amazon Web Services account ID of the source account. AccountId *string // The source Amazon Web Services Region from where the data is aggregated. AwsRegion *string // The compliance status of the conformance pack. Compliance *AggregateConformancePackCompliance // The name of the conformance pack. ConformancePackName *string noSmithyDocumentSerde } // Returns the number of compliant and noncompliant rules for one or more accounts // and regions in an aggregator. type AggregateComplianceCount struct { // The number of compliant and noncompliant Config rules. ComplianceSummary *ComplianceSummary // The 12-digit account ID or region based on the GroupByKey value. GroupName *string noSmithyDocumentSerde } // Provides the number of compliant and noncompliant rules within a conformance // pack. Also provides the compliance status of the conformance pack and the total // rule count which includes compliant rules, noncompliant rules, and rules that // cannot be evaluated due to insufficient data. A conformance pack is compliant if // all of the rules in a conformance packs are compliant. It is noncompliant if any // of the rules are not compliant. The compliance status of a conformance pack is // INSUFFICIENT_DATA only if all rules within a conformance pack cannot be // evaluated due to insufficient data. If some of the rules in a conformance pack // are compliant but the compliance status of other rules in that same conformance // pack is INSUFFICIENT_DATA, the conformance pack shows compliant. type AggregateConformancePackCompliance struct { // The compliance status of the conformance pack. ComplianceType ConformancePackComplianceType // The number of compliant Config Rules. CompliantRuleCount int32 // The number of noncompliant Config Rules. NonCompliantRuleCount int32 // Total number of compliant rules, noncompliant rules, and the rules that do not // have any applicable resources to evaluate upon resulting in insufficient data. TotalRuleCount int32 noSmithyDocumentSerde } // The number of conformance packs that are compliant and noncompliant. type AggregateConformancePackComplianceCount struct { // Number of compliant conformance packs. CompliantConformancePackCount int32 // Number of noncompliant conformance packs. NonCompliantConformancePackCount int32 noSmithyDocumentSerde } // Filters the conformance packs based on an account ID, region, compliance type, // and the name of the conformance pack. type AggregateConformancePackComplianceFilters struct { // The 12-digit Amazon Web Services account ID of the source account. AccountId *string // The source Amazon Web Services Region from where the data is aggregated. AwsRegion *string // The compliance status of the conformance pack. ComplianceType ConformancePackComplianceType // The name of the conformance pack. ConformancePackName *string noSmithyDocumentSerde } // Provides a summary of compliance based on either account ID or region. type AggregateConformancePackComplianceSummary struct { // Returns an AggregateConformancePackComplianceCount object. ComplianceSummary *AggregateConformancePackComplianceCount // Groups the result based on Amazon Web Services account ID or Amazon Web // Services Region. GroupName *string noSmithyDocumentSerde } // Filters the results based on account ID and region. type AggregateConformancePackComplianceSummaryFilters struct { // The 12-digit Amazon Web Services account ID of the source account. AccountId *string // The source Amazon Web Services Region from where the data is aggregated. AwsRegion *string noSmithyDocumentSerde } // The current sync status between the source and the aggregator account. type AggregatedSourceStatus struct { // The region authorized to collect aggregated data. AwsRegion *string // The error code that Config returned when the source account aggregation last // failed. LastErrorCode *string // The message indicating that the source account aggregation failed due to an // error. LastErrorMessage *string // Filters the last updated status type. // - Valid value FAILED indicates errors while moving data. // - Valid value SUCCEEDED indicates the data was successfully moved. // - Valid value OUTDATED indicates the data is not the most recent. LastUpdateStatus AggregatedSourceStatusType // The time of the last update. LastUpdateTime *time.Time // The source account ID or an organization. SourceId *string // The source account or an organization. SourceType AggregatedSourceType noSmithyDocumentSerde } // The details of an Config evaluation for an account ID and region in an // aggregator. Provides the Amazon Web Services resource that was evaluated, the // compliance of the resource, related time stamps, and supplementary information. type AggregateEvaluationResult struct { // The 12-digit account ID of the source account. AccountId *string // Supplementary information about how the agrregate evaluation determined the // compliance. Annotation *string // The source region from where the data is aggregated. AwsRegion *string // The resource compliance status. For the AggregationEvaluationResult data type, // Config supports only the COMPLIANT and NON_COMPLIANT . Config does not support // the NOT_APPLICABLE and INSUFFICIENT_DATA value. ComplianceType ComplianceType // The time when the Config rule evaluated the Amazon Web Services resource. ConfigRuleInvokedTime *time.Time // Uniquely identifies the evaluation result. EvaluationResultIdentifier *EvaluationResultIdentifier // The time when Config recorded the aggregate evaluation result. ResultRecordedTime *time.Time noSmithyDocumentSerde } // The details that identify a resource that is collected by Config aggregator, // including the resource type, ID, (if available) the custom resource name, the // source account, and source region. type AggregateResourceIdentifier struct { // The ID of the Amazon Web Services resource. // // This member is required. ResourceId *string // The type of the Amazon Web Services resource. // // This member is required. ResourceType ResourceType // The 12-digit account ID of the source account. // // This member is required. SourceAccountId *string // The source region where data is aggregated. // // This member is required. SourceRegion *string // The name of the Amazon Web Services resource. ResourceName *string noSmithyDocumentSerde } // An object that represents the authorizations granted to aggregator accounts and // regions. type AggregationAuthorization struct { // The Amazon Resource Name (ARN) of the aggregation object. AggregationAuthorizationArn *string // The 12-digit account ID of the account authorized to aggregate data. AuthorizedAccountId *string // The region authorized to collect aggregated data. AuthorizedAwsRegion *string // The time stamp when the aggregation authorization was created. CreationTime *time.Time noSmithyDocumentSerde } // The detailed configuration of a specified resource. type BaseConfigurationItem struct { // The 12-digit Amazon Web Services account ID associated with the resource. AccountId *string // The Amazon Resource Name (ARN) of the resource. Arn *string // The Availability Zone associated with the resource. AvailabilityZone *string // The region where the resource resides. AwsRegion *string // The description of the resource configuration. Configuration *string // The time when the configuration recording was initiated. ConfigurationItemCaptureTime *time.Time // The configuration item status. The valid values are: // - OK – The resource configuration has been updated // - ResourceDiscovered – The resource was newly discovered // - ResourceNotRecorded – The resource was discovered but its configuration was // not recorded since the recorder excludes the recording of resources of this type // // - ResourceDeleted – The resource was deleted // - ResourceDeletedNotRecorded – The resource was deleted but its configuration // was not recorded since the recorder excludes the recording of resources of this // type // The CIs do not incur any cost. ConfigurationItemStatus ConfigurationItemStatus // An identifier that indicates the ordering of the configuration items of a // resource. ConfigurationStateId *string // The time stamp when the resource was created. ResourceCreationTime *time.Time // The ID of the resource (for example., sg-xxxxxx). ResourceId *string // The custom name of the resource, if available. ResourceName *string // The type of Amazon Web Services resource. ResourceType ResourceType // Configuration attributes that Config returns for certain resource types to // supplement the information returned for the configuration parameter. SupplementaryConfiguration map[string]string // The version number of the resource configuration. Version *string noSmithyDocumentSerde } // Indicates whether an Amazon Web Services resource or Config rule is compliant // and provides the number of contributors that affect the compliance. type Compliance struct { // The number of Amazon Web Services resources or Config rules that cause a result // of NON_COMPLIANT , up to a maximum number. ComplianceContributorCount *ComplianceContributorCount // Indicates whether an Amazon Web Services resource or Config rule is compliant. // A resource is compliant if it complies with all of the Config rules that // evaluate it. A resource is noncompliant if it does not comply with one or more // of these rules. A rule is compliant if all of the resources that the rule // evaluates comply with it. A rule is noncompliant if any of these resources do // not comply. Config returns the INSUFFICIENT_DATA value when no evaluation // results are available for the Amazon Web Services resource or Config rule. For // the Compliance data type, Config supports only COMPLIANT , NON_COMPLIANT , and // INSUFFICIENT_DATA values. Config does not support the NOT_APPLICABLE value for // the Compliance data type. ComplianceType ComplianceType noSmithyDocumentSerde } // Indicates whether an Config rule is compliant. A rule is compliant if all of // the resources that the rule evaluated comply with it. A rule is noncompliant if // any of these resources do not comply. type ComplianceByConfigRule struct { // Indicates whether the Config rule is compliant. Compliance *Compliance // The name of the Config rule. ConfigRuleName *string noSmithyDocumentSerde } // Indicates whether an Amazon Web Services resource that is evaluated according // to one or more Config rules is compliant. A resource is compliant if it complies // with all of the rules that evaluate it. A resource is noncompliant if it does // not comply with one or more of these rules. type ComplianceByResource struct { // Indicates whether the Amazon Web Services resource complies with all of the // Config rules that evaluated it. Compliance *Compliance // The ID of the Amazon Web Services resource that was evaluated. ResourceId *string // The type of the Amazon Web Services resource that was evaluated. ResourceType *string noSmithyDocumentSerde } // The number of Amazon Web Services resources or Config rules responsible for the // current compliance of the item, up to a maximum number. type ComplianceContributorCount struct { // Indicates whether the maximum count is reached. CapExceeded bool // The number of Amazon Web Services resources or Config rules responsible for the // current compliance of the item. CappedCount int32 noSmithyDocumentSerde } // The number of Config rules or Amazon Web Services resources that are compliant // and noncompliant. type ComplianceSummary struct { // The time that Config created the compliance summary. ComplianceSummaryTimestamp *time.Time // The number of Config rules or Amazon Web Services resources that are compliant, // up to a maximum of 25 for rules and 100 for resources. CompliantResourceCount *ComplianceContributorCount // The number of Config rules or Amazon Web Services resources that are // noncompliant, up to a maximum of 25 for rules and 100 for resources. NonCompliantResourceCount *ComplianceContributorCount noSmithyDocumentSerde } // The number of Amazon Web Services resources of a specific type that are // compliant or noncompliant, up to a maximum of 100 for each. type ComplianceSummaryByResourceType struct { // The number of Amazon Web Services resources that are compliant or noncompliant, // up to a maximum of 100 for each. ComplianceSummary *ComplianceSummary // The type of Amazon Web Services resource. ResourceType *string noSmithyDocumentSerde } // Provides status of the delivery of the snapshot or the configuration history to // the specified Amazon S3 bucket. Also provides the status of notifications about // the Amazon S3 delivery to the specified Amazon SNS topic. type ConfigExportDeliveryInfo struct { // The time of the last attempted delivery. LastAttemptTime *time.Time // The error code from the last attempted delivery. LastErrorCode *string // The error message from the last attempted delivery. LastErrorMessage *string // Status of the last attempted delivery. LastStatus DeliveryStatus // The time of the last successful delivery. LastSuccessfulTime *time.Time // The time that the next delivery occurs. NextDeliveryTime *time.Time noSmithyDocumentSerde } // Config rules evaluate the configuration settings of your Amazon Web Services // resources. A rule can run when Config detects a configuration change to an // Amazon Web Services resource or at a periodic frequency that you choose (for // example, every 24 hours). There are two types of rules: Config Managed Rules and // Config Custom Rules. Config Managed Rules are predefined, customizable rules // created by Config. For a list of managed rules, see List of Config Managed Rules (https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html) // . Config Custom Rules are rules that you create from scratch. There are two ways // to create Config custom rules: with Lambda functions ( Lambda Developer Guide (https://docs.aws.amazon.com/config/latest/developerguide/gettingstarted-concepts.html#gettingstarted-concepts-function) // ) and with Guard ( Guard GitHub Repository (https://github.com/aws-cloudformation/cloudformation-guard) // ), a policy-as-code language. Config custom rules created with Lambda are called // Config Custom Lambda Rules and Config custom rules created with Guard are called // Config Custom Policy Rules. For more information about developing and using // Config rules, see Evaluating Resource with Config Rules (https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) // in the Config Developer Guide. You can use the Amazon Web Services CLI and // Amazon Web Services SDKs if you want to create a rule that triggers evaluations // for your resources when Config delivers the configuration snapshot. For more // information, see ConfigSnapshotDeliveryProperties . type ConfigRule struct { // Provides the rule owner ( Amazon Web Services for managed rules, CUSTOM_POLICY // for Custom Policy rules, and CUSTOM_LAMBDA for Custom Lambda rules), the rule // identifier, and the notifications that cause the function to evaluate your // Amazon Web Services resources. // // This member is required. Source *Source // The Amazon Resource Name (ARN) of the Config rule. ConfigRuleArn *string // The ID of the Config rule. ConfigRuleId *string // The name that you assign to the Config rule. The name is required if you are // adding a new rule. ConfigRuleName *string // Indicates whether the Config rule is active or is currently being deleted by // Config. It can also indicate the evaluation status for the Config rule. Config // sets the state of the rule to EVALUATING temporarily after you use the // StartConfigRulesEvaluation request to evaluate your resources against the Config // rule. Config sets the state of the rule to DELETING_RESULTS temporarily after // you use the DeleteEvaluationResults request to delete the current evaluation // results for the Config rule. Config temporarily sets the state of a rule to // DELETING after you use the DeleteConfigRule request to delete the rule. After // Config deletes the rule, the rule and all of its evaluations are erased and are // no longer available. ConfigRuleState ConfigRuleState // Service principal name of the service that created the rule. The field is // populated only if the service-linked rule is created by a service. The field is // empty if you create your own rule. CreatedBy *string // The description that you provide for the Config rule. Description *string // The modes the Config rule can be evaluated in. The valid values are distinct // objects. By default, the value is Detective evaluation mode only. EvaluationModes []EvaluationModeConfiguration // A string, in JSON format, that is passed to the Config rule Lambda function. InputParameters *string // The maximum frequency with which Config runs evaluations for a rule. You can // specify a value for MaximumExecutionFrequency when: // - This is for an Config managed rule that is triggered at a periodic // frequency. // - Your custom rule is triggered when Config delivers the configuration // snapshot. For more information, see ConfigSnapshotDeliveryProperties . // By default, rules with a periodic trigger are evaluated every 24 hours. To // change the frequency, specify a valid value for the MaximumExecutionFrequency // parameter. MaximumExecutionFrequency MaximumExecutionFrequency // Defines which resources can trigger an evaluation for the rule. The scope can // include one or more resource types, a combination of one resource type and one // resource ID, or a combination of a tag key and value. Specify a scope to // constrain the resources that can trigger an evaluation for the rule. If you do // not specify a scope, evaluations are triggered when any resource in the // recording group changes. The scope can be empty. Scope *Scope noSmithyDocumentSerde } // Filters the compliance results based on account ID, region, compliance type, // and rule name. type ConfigRuleComplianceFilters struct { // The 12-digit account ID of the source account. AccountId *string // The source region where the data is aggregated. AwsRegion *string // The rule compliance status. For the ConfigRuleComplianceFilters data type, // Config supports only COMPLIANT and NON_COMPLIANT . Config does not support the // NOT_APPLICABLE and the INSUFFICIENT_DATA values. ComplianceType ComplianceType // The name of the Config rule. ConfigRuleName *string noSmithyDocumentSerde } // Filters the results based on the account IDs and regions. type ConfigRuleComplianceSummaryFilters struct { // The 12-digit account ID of the source account. AccountId *string // The source region where the data is aggregated. AwsRegion *string noSmithyDocumentSerde } // Status information for your Config Managed rules and Config Custom Policy // rules. The status includes information such as the last time the rule ran, the // last time it failed, and the related error for the last failure. This action // does not return status information about Config Custom Lambda rules. type ConfigRuleEvaluationStatus struct { // The Amazon Resource Name (ARN) of the Config rule. ConfigRuleArn *string // The ID of the Config rule. ConfigRuleId *string // The name of the Config rule. ConfigRuleName *string // The time that you first activated the Config rule. FirstActivatedTime *time.Time // Indicates whether Config has evaluated your resources against the rule at least // once. // - true - Config has evaluated your Amazon Web Services resources against the // rule at least once. // - false - Config has not finished evaluating your Amazon Web Services // resources against the rule at least once. FirstEvaluationStarted bool // The time that you last turned off the Config rule. LastDeactivatedTime *time.Time // The status of the last attempted delivery of a debug log for your Config Custom // Policy rules. Either Successful or Failed . LastDebugLogDeliveryStatus *string // The reason Config was not able to deliver a debug log. This is for the last // failed attempt to retrieve a debug log for your Config Custom Policy rules. LastDebugLogDeliveryStatusReason *string // The time Config last attempted to deliver a debug log for your Config Custom // Policy rules. LastDebugLogDeliveryTime *time.Time // The error code that Config returned when the rule last failed. LastErrorCode *string // The error message that Config returned when the rule last failed. LastErrorMessage *string // The time that Config last failed to evaluate your Amazon Web Services resources // against the rule. LastFailedEvaluationTime *time.Time // The time that Config last failed to invoke the Config rule to evaluate your // Amazon Web Services resources. LastFailedInvocationTime *time.Time // The time that Config last successfully evaluated your Amazon Web Services // resources against the rule. LastSuccessfulEvaluationTime *time.Time // The time that Config last successfully invoked the Config rule to evaluate your // Amazon Web Services resources. LastSuccessfulInvocationTime *time.Time noSmithyDocumentSerde } // Provides options for how often Config delivers configuration snapshots to the // Amazon S3 bucket in your delivery channel. The frequency for a rule that // triggers evaluations for your resources when Config delivers the configuration // snapshot is set by one of two values, depending on which is less frequent: // - The value for the deliveryFrequency parameter within the delivery channel // configuration, which sets how often Config delivers configuration snapshots. // This value also sets how often Config invokes evaluations for Config rules. // - The value for the MaximumExecutionFrequency parameter, which sets the // maximum frequency with which Config invokes evaluations for the rule. For more // information, see ConfigRule . // // If the deliveryFrequency value is less frequent than the // MaximumExecutionFrequency value for a rule, Config invokes the rule only as // often as the deliveryFrequency value. // - For example, you want your rule to run evaluations when Config delivers the // configuration snapshot. // - You specify the MaximumExecutionFrequency value for Six_Hours . // - You then specify the delivery channel deliveryFrequency value for // TwentyFour_Hours . // - Because the value for deliveryFrequency is less frequent than // MaximumExecutionFrequency , Config invokes evaluations for the rule every 24 // hours. // // You should set the MaximumExecutionFrequency value to be at least as frequent // as the deliveryFrequency value. You can view the deliveryFrequency value by // using the DescribeDeliveryChannnels action. To update the deliveryFrequency // with which Config delivers your configuration snapshots, use the // PutDeliveryChannel action. type ConfigSnapshotDeliveryProperties struct { // The frequency with which Config delivers configuration snapshots. DeliveryFrequency MaximumExecutionFrequency noSmithyDocumentSerde } // A list that contains the status of the delivery of the configuration stream // notification to the Amazon SNS topic. type ConfigStreamDeliveryInfo struct { // The error code from the last attempted delivery. LastErrorCode *string // The error message from the last attempted delivery. LastErrorMessage *string // Status of the last attempted delivery. Note Providing an SNS topic on a // DeliveryChannel (https://docs.aws.amazon.com/config/latest/APIReference/API_DeliveryChannel.html) // for Config is optional. If the SNS delivery is turned off, the last status will // be Not_Applicable. LastStatus DeliveryStatus // The time from the last status change. LastStatusChangeTime *time.Time noSmithyDocumentSerde } // The details about the configuration aggregator, including information about // source accounts, regions, and metadata of the aggregator. type ConfigurationAggregator struct { // Provides a list of source accounts and regions to be aggregated. AccountAggregationSources []AccountAggregationSource // The Amazon Resource Name (ARN) of the aggregator. ConfigurationAggregatorArn *string // The name of the aggregator. ConfigurationAggregatorName *string // Amazon Web Services service that created the configuration aggregator. CreatedBy *string // The time stamp when the configuration aggregator was created. CreationTime *time.Time // The time of the last update. LastUpdatedTime *time.Time // Provides an organization and list of regions to be aggregated. OrganizationAggregationSource *OrganizationAggregationSource noSmithyDocumentSerde } // A list that contains detailed configurations of a specified resource. type ConfigurationItem struct { // The 12-digit Amazon Web Services account ID associated with the resource. AccountId *string // Amazon Resource Name (ARN) associated with the resource. Arn *string // The Availability Zone associated with the resource. AvailabilityZone *string // The region where the resource resides. AwsRegion *string // The description of the resource configuration. Configuration *string // The time when the configuration recording was initiated. ConfigurationItemCaptureTime *time.Time // Unique MD5 hash that represents the configuration item's state. You can use MD5 // hash to compare the states of two or more configuration items that are // associated with the same resource. ConfigurationItemMD5Hash *string // The configuration item status. The valid values are: // - OK – The resource configuration has been updated // - ResourceDiscovered – The resource was newly discovered // - ResourceNotRecorded – The resource was discovered but its configuration was // not recorded since the recorder excludes the recording of resources of this type // // - ResourceDeleted – The resource was deleted // - ResourceDeletedNotRecorded – The resource was deleted but its configuration // was not recorded since the recorder excludes the recording of resources of this // type // The CIs do not incur any cost. ConfigurationItemStatus ConfigurationItemStatus // An identifier that indicates the ordering of the configuration items of a // resource. ConfigurationStateId *string // A list of CloudTrail event IDs. A populated field indicates that the current // configuration was initiated by the events recorded in the CloudTrail log. For // more information about CloudTrail, see What Is CloudTrail (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_top_level.html) // . An empty field indicates that the current configuration was not initiated by // any event. As of Version 1.3, the relatedEvents field is empty. You can access // the LookupEvents API (https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_LookupEvents.html) // in the CloudTrail API Reference to retrieve the events for the resource. RelatedEvents []string // A list of related Amazon Web Services resources. Relationships []Relationship // The time stamp when the resource was created. ResourceCreationTime *time.Time // The ID of the resource (for example, sg-xxxxxx ). ResourceId *string // The custom name of the resource, if available. ResourceName *string // The type of Amazon Web Services resource. ResourceType ResourceType // Configuration attributes that Config returns for certain resource types to // supplement the information returned for the configuration parameter. SupplementaryConfiguration map[string]string // A mapping of key value tags associated with the resource. Tags map[string]string // The version number of the resource configuration. Version *string noSmithyDocumentSerde } // Records configuration changes to specified resource types. For more information // about the configuration recorder, see Managing the Configuration Recorder (https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html) // in the Config Developer Guide. type ConfigurationRecorder struct { // The name of the configuration recorder. Config automatically assigns the name // of "default" when creating the configuration recorder. You cannot change the // name of the configuration recorder after it has been created. To change the // configuration recorder name, you must delete it and create a new configuration // recorder with a new name. Name *string // Specifies which resource types Config records for configuration changes. High // Number of Config Evaluations You may notice increased activity in your account // during your initial month recording with Config when compared to subsequent // months. During the initial bootstrapping process, Config runs evaluations on all // the resources in your account that you have selected for Config to record. If // you are running ephemeral workloads, you may see increased activity from Config // as it records configuration changes associated with creating and deleting these // temporary resources. An ephemeral workload is a temporary use of computing // resources that are loaded and run when needed. Examples include Amazon Elastic // Compute Cloud (Amazon EC2) Spot Instances, Amazon EMR jobs, and Auto Scaling. If // you want to avoid the increased activity from running ephemeral workloads, you // can run these types of workloads in a separate account with Config turned off to // avoid increased configuration recording and rule evaluations. RecordingGroup *RecordingGroup // Amazon Resource Name (ARN) of the IAM role assumed by Config and used by the // configuration recorder. While the API model does not require this field, the // server will reject a request without a defined roleARN for the configuration // recorder. Pre-existing Config role If you have used an Amazon Web Services // service that uses Config, such as Security Hub or Control Tower, and an Config // role has already been created, make sure that the IAM role that you use when // setting up Config keeps the same minimum permissions as the already created // Config role. You must do this so that the other Amazon Web Services service // continues to run as expected. For example, if Control Tower has an IAM role that // allows Config to read Amazon Simple Storage Service (Amazon S3) objects, make // sure that the same permissions are granted within the IAM role you use when // setting up Config. Otherwise, it may interfere with how Control Tower operates. // For more information about IAM roles for Config, see Identity and Access // Management for Config (https://docs.aws.amazon.com/config/latest/developerguide/security-iam.html) // in the Config Developer Guide. RoleARN *string noSmithyDocumentSerde } // The current status of the configuration recorder. For a detailed status of // recording events over time, add your Config events to CloudWatch metrics and use // CloudWatch metrics. type ConfigurationRecorderStatus struct { // The latest error code from when the recorder last failed. LastErrorCode *string // The latest error message from when the recorder last failed. LastErrorMessage *string // The time the recorder was last started. LastStartTime *time.Time // The status of the latest recording event processed by the recorder. LastStatus RecorderStatus // The time of the latest change in status of an recording event processed by the // recorder. LastStatusChangeTime *time.Time // The time the recorder was last stopped. LastStopTime *time.Time // The name of the configuration recorder. Name *string // Specifies whether or not the recorder is currently recording. Recording bool noSmithyDocumentSerde } // Filters the conformance pack by compliance types and Config rule names. type ConformancePackComplianceFilters struct { // Filters the results by compliance. The allowed values are COMPLIANT and // NON_COMPLIANT . INSUFFICIENT_DATA is not supported. ComplianceType ConformancePackComplianceType // Filters the results by Config rule names. ConfigRuleNames []string noSmithyDocumentSerde } // A compliance score is the percentage of the number of compliant rule-resource // combinations in a conformance pack compared to the number of total possible // rule-resource combinations in the conformance pack. This metric provides you // with a high-level view of the compliance state of your conformance packs. You // can use it to identify, investigate, and understand the level of compliance in // your conformance packs. type ConformancePackComplianceScore struct { // The name of the conformance pack. ConformancePackName *string // The time that the conformance pack compliance score was last updated. LastUpdatedTime *time.Time // Compliance score for the conformance pack. Conformance packs with no evaluation // results will have a compliance score of INSUFFICIENT_DATA . Score *string noSmithyDocumentSerde } // A list of filters to apply to the conformance pack compliance score result set. type ConformancePackComplianceScoresFilters struct { // The names of the conformance packs whose compliance scores you want to include // in the conformance pack compliance score result set. You can include up to 25 // conformance packs in the ConformancePackNames array of strings, each with a // character limit of 256 characters for the conformance pack name. // // This member is required. ConformancePackNames []string noSmithyDocumentSerde } // Summary includes the name and status of the conformance pack. type ConformancePackComplianceSummary struct { // The status of the conformance pack. // // This member is required. ConformancePackComplianceStatus ConformancePackComplianceType // The name of the conformance pack name. // // This member is required. ConformancePackName *string noSmithyDocumentSerde } // Returns details of a conformance pack. A conformance pack is a collection of // Config rules and remediation actions that can be easily deployed in an account // and a region. type ConformancePackDetail struct { // Amazon Resource Name (ARN) of the conformance pack. // // This member is required. ConformancePackArn *string // ID of the conformance pack. // // This member is required. ConformancePackId *string // Name of the conformance pack. // // This member is required. ConformancePackName *string // A list of ConformancePackInputParameter objects. ConformancePackInputParameters []ConformancePackInputParameter // The Amazon Web Services service that created the conformance pack. CreatedBy *string // The name of the Amazon S3 bucket where Config stores conformance pack // templates. This field is optional. DeliveryS3Bucket *string // The prefix for the Amazon S3 bucket. This field is optional. DeliveryS3KeyPrefix *string // The last time a conformation pack update was requested. LastUpdateRequestedTime *time.Time // An object that contains the name or Amazon Resource Name (ARN) of the Amazon // Web Services Systems Manager document (SSM document) and the version of the SSM // document that is used to create a conformance pack. TemplateSSMDocumentDetails *TemplateSSMDocumentDetails noSmithyDocumentSerde } // Filters a conformance pack by Config rule names, compliance types, Amazon Web // Services resource types, and resource IDs. type ConformancePackEvaluationFilters struct { // Filters the results by compliance. The allowed values are COMPLIANT and // NON_COMPLIANT . INSUFFICIENT_DATA is not supported. ComplianceType ConformancePackComplianceType // Filters the results by Config rule names. ConfigRuleNames []string // Filters the results by resource IDs. This is valid only when you provide // resource type. If there is no resource type, you will see an error. ResourceIds []string // Filters the results by the resource type (for example, "AWS::EC2::Instance" ). ResourceType *string noSmithyDocumentSerde } // The details of a conformance pack evaluation. Provides Config rule and Amazon // Web Services resource type that was evaluated, the compliance of the conformance // pack, related time stamps, and supplementary information. type ConformancePackEvaluationResult struct { // The compliance type. The allowed values are COMPLIANT and NON_COMPLIANT . // INSUFFICIENT_DATA is not supported. // // This member is required. ComplianceType ConformancePackComplianceType // The time when Config rule evaluated Amazon Web Services resource. // // This member is required. ConfigRuleInvokedTime *time.Time // Uniquely identifies an evaluation result. // // This member is required. EvaluationResultIdentifier *EvaluationResultIdentifier // The time when Config recorded the evaluation result. // // This member is required. ResultRecordedTime *time.Time // Supplementary information about how the evaluation determined the compliance. Annotation *string noSmithyDocumentSerde } // Input parameters in the form of key-value pairs for the conformance pack, both // of which you define. Keys can have a maximum character length of 255 characters, // and values can have a maximum length of 4096 characters. type ConformancePackInputParameter struct { // One part of a key-value pair. // // This member is required. ParameterName *string // Another part of the key-value pair. // // This member is required. ParameterValue *string noSmithyDocumentSerde } // Compliance information of one or more Config rules within a conformance pack. // You can filter using Config rule names and compliance types. type ConformancePackRuleCompliance struct { // Compliance of the Config rule. ComplianceType ConformancePackComplianceType // Name of the Config rule. ConfigRuleName *string // Controls for the conformance pack. A control is a process to prevent or detect // problems while meeting objectives. A control can align with a specific // compliance regime or map to internal controls defined by an organization. Controls []string noSmithyDocumentSerde } // Status details of a conformance pack. type ConformancePackStatusDetail struct { // Amazon Resource Name (ARN) of comformance pack. // // This member is required. ConformancePackArn *string // ID of the conformance pack. // // This member is required. ConformancePackId *string // Name of the conformance pack. // // This member is required. ConformancePackName *string // Indicates deployment status of conformance pack. Config sets the state of the // conformance pack to: // - CREATE_IN_PROGRESS when a conformance pack creation is in progress for an // account. // - CREATE_COMPLETE when a conformance pack has been successfully created in // your account. // - CREATE_FAILED when a conformance pack creation failed in your account. // - DELETE_IN_PROGRESS when a conformance pack deletion is in progress. // - DELETE_FAILED when a conformance pack deletion failed in your account. // // This member is required. ConformancePackState ConformancePackState // Last time when conformation pack creation and update was requested. // // This member is required. LastUpdateRequestedTime *time.Time // Amazon Resource Name (ARN) of CloudFormation stack. // // This member is required. StackArn *string // The reason of conformance pack creation failure. ConformancePackStatusReason *string // Last time when conformation pack creation and update was successful. LastUpdateCompletedTime *time.Time noSmithyDocumentSerde } // Provides the runtime system, policy definition, and whether debug logging // enabled. You can specify the following CustomPolicyDetails parameter values only // for Config Custom Policy rules. type CustomPolicyDetails struct { // The runtime system for your Config Custom Policy rule. Guard is a // policy-as-code language that allows you to write policies that are enforced by // Config Custom Policy rules. For more information about Guard, see the Guard // GitHub Repository (https://github.com/aws-cloudformation/cloudformation-guard) . // // This member is required. PolicyRuntime *string // The policy definition containing the logic for your Config Custom Policy rule. // // This member is required. PolicyText *string // The boolean expression for enabling debug logging for your Config Custom Policy // rule. The default value is false . EnableDebugLogDelivery bool noSmithyDocumentSerde } // The channel through which Config delivers notifications and updated // configuration states. type DeliveryChannel struct { // The options for how often Config delivers configuration snapshots to the Amazon // S3 bucket. ConfigSnapshotDeliveryProperties *ConfigSnapshotDeliveryProperties // The name of the delivery channel. By default, Config assigns the name "default" // when creating the delivery channel. To change the delivery channel name, you // must use the DeleteDeliveryChannel action to delete your current delivery // channel, and then you must use the PutDeliveryChannel command to create a // delivery channel that has the desired name. Name *string // The name of the Amazon S3 bucket to which Config delivers configuration // snapshots and configuration history files. If you specify a bucket that belongs // to another Amazon Web Services account, that bucket must have policies that // grant access permissions to Config. For more information, see Permissions for // the Amazon S3 Bucket (https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html) // in the Config Developer Guide. S3BucketName *string // The prefix for the specified Amazon S3 bucket. S3KeyPrefix *string // The Amazon Resource Name (ARN) of the Key Management Service (KMS ) KMS key // (KMS key) used to encrypt objects delivered by Config. Must belong to the same // Region as the destination S3 bucket. S3KmsKeyArn *string // The Amazon Resource Name (ARN) of the Amazon SNS topic to which Config sends // notifications about configuration changes. If you choose a topic from another // account, the topic must have policies that grant access permissions to Config. // For more information, see Permissions for the Amazon SNS Topic (https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-policy.html) // in the Config Developer Guide. SnsTopicARN *string noSmithyDocumentSerde } // The status of a specified delivery channel. Valid values: Success | Failure type DeliveryChannelStatus struct { // A list that contains the status of the delivery of the configuration history to // the specified Amazon S3 bucket. ConfigHistoryDeliveryInfo *ConfigExportDeliveryInfo // A list containing the status of the delivery of the snapshot to the specified // Amazon S3 bucket. ConfigSnapshotDeliveryInfo *ConfigExportDeliveryInfo // A list containing the status of the delivery of the configuration stream // notification to the specified Amazon SNS topic. ConfigStreamDeliveryInfo *ConfigStreamDeliveryInfo // The name of the delivery channel. Name *string noSmithyDocumentSerde } // Returns a filtered list of Detective or Proactive Config rules. By default, if // the filter is not defined, this API returns an unfiltered list. For more // information on Detective or Proactive Config rules, see Evaluation Mode (https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html) // in the Config Developer Guide. type DescribeConfigRulesFilters struct { // The mode of an evaluation. The valid values are Detective or Proactive. EvaluationMode EvaluationMode noSmithyDocumentSerde } // Identifies an Amazon Web Services resource and indicates whether it complies // with the Config rule that it was evaluated against. type Evaluation struct { // The ID of the Amazon Web Services resource that was evaluated. // // This member is required. ComplianceResourceId *string // The type of Amazon Web Services resource that was evaluated. // // This member is required. ComplianceResourceType *string // Indicates whether the Amazon Web Services resource complies with the Config // rule that it was evaluated against. For the Evaluation data type, Config // supports only the COMPLIANT , NON_COMPLIANT , and NOT_APPLICABLE values. Config // does not support the INSUFFICIENT_DATA value for this data type. Similarly, // Config does not accept INSUFFICIENT_DATA as the value for ComplianceType from a // PutEvaluations request. For example, an Lambda function for a custom Config rule // cannot pass an INSUFFICIENT_DATA value to Config. // // This member is required. ComplianceType ComplianceType // The time of the event in Config that triggered the evaluation. For event-based // evaluations, the time indicates when Config created the configuration item that // triggered the evaluation. For periodic evaluations, the time indicates when // Config triggered the evaluation at the frequency that you specified (for // example, every 24 hours). // // This member is required. OrderingTimestamp *time.Time // Supplementary information about how the evaluation determined the compliance. Annotation *string noSmithyDocumentSerde } // Use EvaluationContext to group independently initiated proactive resource // evaluations. For example, CFN Stack. If you want to check just a resource // definition, you do not need to provide evaluation context. type EvaluationContext struct { // A unique EvaluationContextIdentifier ID for an EvaluationContext. EvaluationContextIdentifier *string noSmithyDocumentSerde } // The configuration object for Config rule evaluation mode. The Supported valid // values are Detective or Proactive. type EvaluationModeConfiguration struct { // The mode of an evaluation. The valid values are Detective or Proactive. Mode EvaluationMode noSmithyDocumentSerde } // The details of an Config evaluation. Provides the Amazon Web Services resource // that was evaluated, the compliance of the resource, related time stamps, and // supplementary information. type EvaluationResult struct { // Supplementary information about how the evaluation determined the compliance. Annotation *string // Indicates whether the Amazon Web Services resource complies with the Config // rule that evaluated it. For the EvaluationResult data type, Config supports // only the COMPLIANT , NON_COMPLIANT , and NOT_APPLICABLE values. Config does not // support the INSUFFICIENT_DATA value for the EvaluationResult data type. ComplianceType ComplianceType // The time when the Config rule evaluated the Amazon Web Services resource. ConfigRuleInvokedTime *time.Time // Uniquely identifies the evaluation result. EvaluationResultIdentifier *EvaluationResultIdentifier // The time when Config recorded the evaluation result. ResultRecordedTime *time.Time // An encrypted token that associates an evaluation with an Config rule. The token // identifies the rule, the Amazon Web Services resource being evaluated, and the // event that triggered the evaluation. ResultToken *string noSmithyDocumentSerde } // Uniquely identifies an evaluation result. type EvaluationResultIdentifier struct { // Identifies an Config rule used to evaluate an Amazon Web Services resource, and // provides the type and ID of the evaluated resource. EvaluationResultQualifier *EvaluationResultQualifier // The time of the event that triggered the evaluation of your Amazon Web Services // resources. The time can indicate when Config delivered a configuration item // change notification, or it can indicate when Config delivered the configuration // snapshot, depending on which event triggered the evaluation. OrderingTimestamp *time.Time // A Unique ID for an evaluation result. ResourceEvaluationId *string noSmithyDocumentSerde } // Identifies an Config rule that evaluated an Amazon Web Services resource, and // provides the type and ID of the resource that the rule evaluated. type EvaluationResultQualifier struct { // The name of the Config rule that was used in the evaluation. ConfigRuleName *string // The mode of an evaluation. The valid values are Detective or Proactive. EvaluationMode EvaluationMode // The ID of the evaluated Amazon Web Services resource. ResourceId *string // The type of Amazon Web Services resource that was evaluated. ResourceType *string noSmithyDocumentSerde } // Returns status details of an evaluation. type EvaluationStatus struct { // The status of an execution. The valid values are In_Progress, Succeeded or // Failed. // // This member is required. Status ResourceEvaluationStatus // An explanation for failed execution status. FailureReason *string noSmithyDocumentSerde } // Specifies whether the configuration recorder excludes resource types from being // recorded. Use the resourceTypes field to enter a comma-separated list of // resource types to exclude as exemptions. type ExclusionByResourceTypes struct { // A comma-separated list of resource types to exclude from recording by the // configuration recorder. ResourceTypes []ResourceType noSmithyDocumentSerde } // The controls that Config uses for executing remediations. type ExecutionControls struct { // A SsmControls object. SsmControls *SsmControls noSmithyDocumentSerde } // Identifies an Amazon Web Services resource and indicates whether it complies // with the Config rule that it was evaluated against. type ExternalEvaluation struct { // The evaluated compliance resource ID. Config accepts only Amazon Web Services // account ID. // // This member is required. ComplianceResourceId *string // The evaluated compliance resource type. Config accepts AWS::::Account resource // type. // // This member is required. ComplianceResourceType *string // The compliance of the Amazon Web Services resource. The valid values are // COMPLIANT, NON_COMPLIANT, and NOT_APPLICABLE . // // This member is required. ComplianceType ComplianceType // The time when the compliance was recorded. // // This member is required. OrderingTimestamp *time.Time // Supplementary information about the reason of compliance. For example, this // task was completed on a specific date. Annotation *string noSmithyDocumentSerde } // List of each of the failed delete remediation exceptions with specific reasons. type FailedDeleteRemediationExceptionsBatch struct { // Returns remediation exception resource key object of the failed items. FailedItems []RemediationExceptionResourceKey // Returns a failure message for delete remediation exception. For example, Config // creates an exception due to an internal error. FailureMessage *string noSmithyDocumentSerde } // List of each of the failed remediations with specific reasons. type FailedRemediationBatch struct { // Returns remediation configurations of the failed items. FailedItems []RemediationConfiguration // Returns a failure message. For example, the resource is already compliant. FailureMessage *string noSmithyDocumentSerde } // List of each of the failed remediation exceptions with specific reasons. type FailedRemediationExceptionBatch struct { // Returns remediation exception resource key object of the failed items. FailedItems []RemediationException // Returns a failure message. For example, the auto-remediation has failed. FailureMessage *string noSmithyDocumentSerde } // Details about the fields such as name of the field. type FieldInfo struct { // Name of the field. Name *string noSmithyDocumentSerde } // The count of resources that are grouped by the group name. type GroupedResourceCount struct { // The name of the group that can be region, account ID, or resource type. For // example, region1, region2 if the region was chosen as GroupByKey . // // This member is required. GroupName *string // The number of resources in the group. // // This member is required. ResourceCount int64 noSmithyDocumentSerde } // Organization Config rule creation or deletion status in each member account. // This includes the name of the rule, the status, error code and error message // when the rule creation or deletion failed. type MemberAccountStatus struct { // The 12-digit account ID of a member account. // // This member is required. AccountId *string // The name of Config rule deployed in the member account. // // This member is required. ConfigRuleName *string // Indicates deployment status for Config rule in the member account. When // management account calls PutOrganizationConfigRule action for the first time, // Config rule status is created in the member account. When management account // calls PutOrganizationConfigRule action for the second time, Config rule status // is updated in the member account. Config rule status is deleted when the // management account deletes OrganizationConfigRule and disables service access // for config-multiaccountsetup.amazonaws.com . Config sets the state of the rule // to: // - CREATE_SUCCESSFUL when Config rule has been created in the member account. // - CREATE_IN_PROGRESS when Config rule is being created in the member account. // - CREATE_FAILED when Config rule creation has failed in the member account. // - DELETE_FAILED when Config rule deletion has failed in the member account. // - DELETE_IN_PROGRESS when Config rule is being deleted in the member account. // - DELETE_SUCCESSFUL when Config rule has been deleted in the member account. // - UPDATE_SUCCESSFUL when Config rule has been updated in the member account. // - UPDATE_IN_PROGRESS when Config rule is being updated in the member account. // - UPDATE_FAILED when Config rule deletion has failed in the member account. // // This member is required. MemberAccountRuleStatus MemberAccountRuleStatus // An error code that is returned when Config rule creation or deletion failed in // the member account. ErrorCode *string // An error message indicating that Config rule account creation or deletion has // failed due to an error in the member account. ErrorMessage *string // The timestamp of the last status update. LastUpdateTime *time.Time noSmithyDocumentSerde } // This object contains regions to set up the aggregator and an IAM role to // retrieve organization details. type OrganizationAggregationSource struct { // ARN of the IAM role used to retrieve Amazon Web Services Organization details // associated with the aggregator account. // // This member is required. RoleArn *string // If true, aggregate existing Config regions and future regions. AllAwsRegions bool // The source regions being aggregated. AwsRegions []string noSmithyDocumentSerde } // An organization Config rule that has information about Config rules that Config // creates in member accounts. type OrganizationConfigRule struct { // Amazon Resource Name (ARN) of organization Config rule. // // This member is required. OrganizationConfigRuleArn *string // The name that you assign to organization Config rule. // // This member is required. OrganizationConfigRuleName *string // A comma-separated list of accounts excluded from organization Config rule. ExcludedAccounts []string // The timestamp of the last update. LastUpdateTime *time.Time // An object that specifies metadata for your organization's Config Custom Policy // rule. The metadata includes the runtime system in use, which accounts have debug // logging enabled, and other custom rule metadata, such as resource type, resource // ID of Amazon Web Services resource, and organization trigger types that initiate // Config to evaluate Amazon Web Services resources against a rule. OrganizationCustomPolicyRuleMetadata *OrganizationCustomPolicyRuleMetadataNoPolicy // An OrganizationCustomRuleMetadata object. OrganizationCustomRuleMetadata *OrganizationCustomRuleMetadata // An OrganizationManagedRuleMetadata object. OrganizationManagedRuleMetadata *OrganizationManagedRuleMetadata noSmithyDocumentSerde } // Returns the status for an organization Config rule in an organization. type OrganizationConfigRuleStatus struct { // The name that you assign to organization Config rule. // // This member is required. OrganizationConfigRuleName *string // Indicates deployment status of an organization Config rule. When management // account calls PutOrganizationConfigRule action for the first time, Config rule // status is created in all the member accounts. When management account calls // PutOrganizationConfigRule action for the second time, Config rule status is // updated in all the member accounts. Additionally, Config rule status is updated // when one or more member accounts join or leave an organization. Config rule // status is deleted when the management account deletes OrganizationConfigRule in // all the member accounts and disables service access for // config-multiaccountsetup.amazonaws.com . Config sets the state of the rule to: // - CREATE_SUCCESSFUL when an organization Config rule has been successfully // created in all the member accounts. // - CREATE_IN_PROGRESS when an organization Config rule creation is in progress. // - CREATE_FAILED when an organization Config rule creation failed in one or // more member accounts within that organization. // - DELETE_FAILED when an organization Config rule deletion failed in one or // more member accounts within that organization. // - DELETE_IN_PROGRESS when an organization Config rule deletion is in progress. // - DELETE_SUCCESSFUL when an organization Config rule has been successfully // deleted from all the member accounts. // - UPDATE_SUCCESSFUL when an organization Config rule has been successfully // updated in all the member accounts. // - UPDATE_IN_PROGRESS when an organization Config rule update is in progress. // - UPDATE_FAILED when an organization Config rule update failed in one or more // member accounts within that organization. // // This member is required. OrganizationRuleStatus OrganizationRuleStatus // An error code that is returned when organization Config rule creation or // deletion has failed. ErrorCode *string // An error message indicating that organization Config rule creation or deletion // failed due to an error. ErrorMessage *string // The timestamp of the last update. LastUpdateTime *time.Time noSmithyDocumentSerde } // An organization conformance pack that has information about conformance packs // that Config creates in member accounts. type OrganizationConformancePack struct { // Last time when organization conformation pack was updated. // // This member is required. LastUpdateTime *time.Time // Amazon Resource Name (ARN) of organization conformance pack. // // This member is required. OrganizationConformancePackArn *string // The name you assign to an organization conformance pack. // // This member is required. OrganizationConformancePackName *string // A list of ConformancePackInputParameter objects. ConformancePackInputParameters []ConformancePackInputParameter // The name of the Amazon S3 bucket where Config stores conformance pack // templates. This field is optional. DeliveryS3Bucket *string // Any folder structure you want to add to an Amazon S3 bucket. This field is // optional. DeliveryS3KeyPrefix *string // A comma-separated list of accounts excluded from organization conformance pack. ExcludedAccounts []string noSmithyDocumentSerde } // Organization conformance pack creation or deletion status in each member // account. This includes the name of the conformance pack, the status, error code // and error message when the conformance pack creation or deletion failed. type OrganizationConformancePackDetailedStatus struct { // The 12-digit account ID of a member account. // // This member is required. AccountId *string // The name of conformance pack deployed in the member account. // // This member is required. ConformancePackName *string // Indicates deployment status for conformance pack in a member account. When // management account calls PutOrganizationConformancePack action for the first // time, conformance pack status is created in the member account. When management // account calls PutOrganizationConformancePack action for the second time, // conformance pack status is updated in the member account. Conformance pack // status is deleted when the management account deletes // OrganizationConformancePack and disables service access for // config-multiaccountsetup.amazonaws.com . Config sets the state of the // conformance pack to: // - CREATE_SUCCESSFUL when conformance pack has been created in the member // account. // - CREATE_IN_PROGRESS when conformance pack is being created in the member // account. // - CREATE_FAILED when conformance pack creation has failed in the member // account. // - DELETE_FAILED when conformance pack deletion has failed in the member // account. // - DELETE_IN_PROGRESS when conformance pack is being deleted in the member // account. // - DELETE_SUCCESSFUL when conformance pack has been deleted in the member // account. // - UPDATE_SUCCESSFUL when conformance pack has been updated in the member // account. // - UPDATE_IN_PROGRESS when conformance pack is being updated in the member // account. // - UPDATE_FAILED when conformance pack deletion has failed in the member // account. // // This member is required. Status OrganizationResourceDetailedStatus // An error code that is returned when conformance pack creation or deletion // failed in the member account. ErrorCode *string // An error message indicating that conformance pack account creation or deletion // has failed due to an error in the member account. ErrorMessage *string // The timestamp of the last status update. LastUpdateTime *time.Time noSmithyDocumentSerde } // Returns the status for an organization conformance pack in an organization. type OrganizationConformancePackStatus struct { // The name that you assign to organization conformance pack. // // This member is required. OrganizationConformancePackName *string // Indicates deployment status of an organization conformance pack. When // management account calls PutOrganizationConformancePack for the first time, // conformance pack status is created in all the member accounts. When management // account calls PutOrganizationConformancePack for the second time, conformance // pack status is updated in all the member accounts. Additionally, conformance // pack status is updated when one or more member accounts join or leave an // organization. Conformance pack status is deleted when the management account // deletes OrganizationConformancePack in all the member accounts and disables // service access for config-multiaccountsetup.amazonaws.com . Config sets the // state of the conformance pack to: // - CREATE_SUCCESSFUL when an organization conformance pack has been // successfully created in all the member accounts. // - CREATE_IN_PROGRESS when an organization conformance pack creation is in // progress. // - CREATE_FAILED when an organization conformance pack creation failed in one // or more member accounts within that organization. // - DELETE_FAILED when an organization conformance pack deletion failed in one // or more member accounts within that organization. // - DELETE_IN_PROGRESS when an organization conformance pack deletion is in // progress. // - DELETE_SUCCESSFUL when an organization conformance pack has been // successfully deleted from all the member accounts. // - UPDATE_SUCCESSFUL when an organization conformance pack has been // successfully updated in all the member accounts. // - UPDATE_IN_PROGRESS when an organization conformance pack update is in // progress. // - UPDATE_FAILED when an organization conformance pack update failed in one or // more member accounts within that organization. // // This member is required. Status OrganizationResourceStatus // An error code that is returned when organization conformance pack creation or // deletion has failed in a member account. ErrorCode *string // An error message indicating that organization conformance pack creation or // deletion failed due to an error. ErrorMessage *string // The timestamp of the last update. LastUpdateTime *time.Time noSmithyDocumentSerde } // An object that specifies metadata for your organization's Config Custom Policy // rule. The metadata includes the runtime system in use, which accounts have debug // logging enabled, and other custom rule metadata, such as resource type, resource // ID of Amazon Web Services resource, and organization trigger types that initiate // Config to evaluate Amazon Web Services resources against a rule. type OrganizationCustomPolicyRuleMetadata struct { // The runtime system for your organization Config Custom Policy rules. Guard is a // policy-as-code language that allows you to write policies that are enforced by // Config Custom Policy rules. For more information about Guard, see the Guard // GitHub Repository (https://github.com/aws-cloudformation/cloudformation-guard) . // // This member is required. PolicyRuntime *string // The policy definition containing the logic for your organization Config Custom // Policy rule. // // This member is required. PolicyText *string // A list of accounts that you can enable debug logging for your organization // Config Custom Policy rule. List is null when debug logging is enabled for all // accounts. DebugLogDeliveryAccounts []string // The description that you provide for your organization Config Custom Policy // rule. Description *string // A string, in JSON format, that is passed to your organization Config Custom // Policy rule. InputParameters *string // The maximum frequency with which Config runs evaluations for a rule. Your // Config Custom Policy rule is triggered when Config delivers the configuration // snapshot. For more information, see ConfigSnapshotDeliveryProperties . MaximumExecutionFrequency MaximumExecutionFrequency // The type of notification that initiates Config to run an evaluation for a rule. // For Config Custom Policy rules, Config supports change-initiated notification // types: // - ConfigurationItemChangeNotification - Initiates an evaluation when Config // delivers a configuration item as a result of a resource change. // - OversizedConfigurationItemChangeNotification - Initiates an evaluation when // Config delivers an oversized configuration item. Config may generate this // notification type when a resource changes and the notification exceeds the // maximum size allowed by Amazon SNS. OrganizationConfigRuleTriggerTypes []OrganizationConfigRuleTriggerTypeNoSN // The ID of the Amazon Web Services resource that was evaluated. ResourceIdScope *string // The type of the Amazon Web Services resource that was evaluated. ResourceTypesScope []string // One part of a key-value pair that make up a tag. A key is a general label that // acts like a category for more specific tag values. TagKeyScope *string // The optional part of a key-value pair that make up a tag. A value acts as a // descriptor within a tag category (key). TagValueScope *string noSmithyDocumentSerde } // metadata for your organization Config Custom Policy rule including the runtime // system in use, which accounts have debug logging enabled, and other custom rule // metadata such as resource type, resource ID of Amazon Web Services resource, and // organization trigger types that trigger Config to evaluate Amazon Web Services // resources against a rule. type OrganizationCustomPolicyRuleMetadataNoPolicy struct { // A list of accounts that you can enable debug logging for your organization // Config Custom Policy rule. List is null when debug logging is enabled for all // accounts. DebugLogDeliveryAccounts []string // The description that you provide for your organization Config Custom Policy // rule. Description *string // A string, in JSON format, that is passed to your organization Config Custom // Policy rule. InputParameters *string // The maximum frequency with which Config runs evaluations for a rule. Your // Config Custom Policy rule is triggered when Config delivers the configuration // snapshot. For more information, see ConfigSnapshotDeliveryProperties . MaximumExecutionFrequency MaximumExecutionFrequency // The type of notification that triggers Config to run an evaluation for a rule. // For Config Custom Policy rules, Config supports change triggered notification // types: // - ConfigurationItemChangeNotification - Triggers an evaluation when Config // delivers a configuration item as a result of a resource change. // - OversizedConfigurationItemChangeNotification - Triggers an evaluation when // Config delivers an oversized configuration item. Config may generate this // notification type when a resource changes and the notification exceeds the // maximum size allowed by Amazon SNS. OrganizationConfigRuleTriggerTypes []OrganizationConfigRuleTriggerTypeNoSN // The runtime system for your organization Config Custom Policy rules. Guard is a // policy-as-code language that allows you to write policies that are enforced by // Config Custom Policy rules. For more information about Guard, see the Guard // GitHub Repository (https://github.com/aws-cloudformation/cloudformation-guard) . PolicyRuntime *string // The ID of the Amazon Web Services resource that was evaluated. ResourceIdScope *string // The type of the Amazon Web Services resource that was evaluated. ResourceTypesScope []string // One part of a key-value pair that make up a tag. A key is a general label that // acts like a category for more specific tag values. TagKeyScope *string // The optional part of a key-value pair that make up a tag. A value acts as a // descriptor within a tag category (key). TagValueScope *string noSmithyDocumentSerde } // organization custom rule metadata such as resource type, resource ID of Amazon // Web Services resource, Lambda function ARN, and organization trigger types that // trigger Config to evaluate your Amazon Web Services resources against a rule. It // also provides the frequency with which you want Config to run evaluations for // the rule if the trigger type is periodic. type OrganizationCustomRuleMetadata struct { // The lambda function ARN. // // This member is required. LambdaFunctionArn *string // The type of notification that triggers Config to run an evaluation for a rule. // You can specify the following notification types: // - ConfigurationItemChangeNotification - Triggers an evaluation when Config // delivers a configuration item as a result of a resource change. // - OversizedConfigurationItemChangeNotification - Triggers an evaluation when // Config delivers an oversized configuration item. Config may generate this // notification type when a resource changes and the notification exceeds the // maximum size allowed by Amazon SNS. // - ScheduledNotification - Triggers a periodic evaluation at the frequency // specified for MaximumExecutionFrequency . // // This member is required. OrganizationConfigRuleTriggerTypes []OrganizationConfigRuleTriggerType // The description that you provide for your organization Config rule. Description *string // A string, in JSON format, that is passed to your organization Config rule // Lambda function. InputParameters *string // The maximum frequency with which Config runs evaluations for a rule. Your // custom rule is triggered when Config delivers the configuration snapshot. For // more information, see ConfigSnapshotDeliveryProperties . By default, rules with // a periodic trigger are evaluated every 24 hours. To change the frequency, // specify a valid value for the MaximumExecutionFrequency parameter. MaximumExecutionFrequency MaximumExecutionFrequency // The ID of the Amazon Web Services resource that was evaluated. ResourceIdScope *string // The type of the Amazon Web Services resource that was evaluated. ResourceTypesScope []string // One part of a key-value pair that make up a tag. A key is a general label that // acts like a category for more specific tag values. TagKeyScope *string // The optional part of a key-value pair that make up a tag. A value acts as a // descriptor within a tag category (key). TagValueScope *string noSmithyDocumentSerde } // organization managed rule metadata such as resource type and ID of Amazon Web // Services resource along with the rule identifier. It also provides the frequency // with which you want Config to run evaluations for the rule if the trigger type // is periodic. type OrganizationManagedRuleMetadata struct { // For organization config managed rules, a predefined identifier from a list. For // example, IAM_PASSWORD_POLICY is a managed rule. To reference a managed rule, // see Using Config managed rules (https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html) // . // // This member is required. RuleIdentifier *string // The description that you provide for your organization Config rule. Description *string // A string, in JSON format, that is passed to your organization Config rule // Lambda function. InputParameters *string // The maximum frequency with which Config runs evaluations for a rule. This is // for an Config managed rule that is triggered at a periodic frequency. By // default, rules with a periodic trigger are evaluated every 24 hours. To change // the frequency, specify a valid value for the MaximumExecutionFrequency // parameter. MaximumExecutionFrequency MaximumExecutionFrequency // The ID of the Amazon Web Services resource that was evaluated. ResourceIdScope *string // The type of the Amazon Web Services resource that was evaluated. ResourceTypesScope []string // One part of a key-value pair that make up a tag. A key is a general label that // acts like a category for more specific tag values. TagKeyScope *string // The optional part of a key-value pair that make up a tag. A value acts as a // descriptor within a tag category (key). TagValueScope *string noSmithyDocumentSerde } // Status filter object to filter results based on specific member account ID or // status type for an organization conformance pack. type OrganizationResourceDetailedStatusFilters struct { // The 12-digit account ID of the member account within an organization. AccountId *string // Indicates deployment status for conformance pack in a member account. When // management account calls PutOrganizationConformancePack action for the first // time, conformance pack status is created in the member account. When management // account calls PutOrganizationConformancePack action for the second time, // conformance pack status is updated in the member account. Conformance pack // status is deleted when the management account deletes // OrganizationConformancePack and disables service access for // config-multiaccountsetup.amazonaws.com . Config sets the state of the // conformance pack to: // - CREATE_SUCCESSFUL when conformance pack has been created in the member // account. // - CREATE_IN_PROGRESS when conformance pack is being created in the member // account. // - CREATE_FAILED when conformance pack creation has failed in the member // account. // - DELETE_FAILED when conformance pack deletion has failed in the member // account. // - DELETE_IN_PROGRESS when conformance pack is being deleted in the member // account. // - DELETE_SUCCESSFUL when conformance pack has been deleted in the member // account. // - UPDATE_SUCCESSFUL when conformance pack has been updated in the member // account. // - UPDATE_IN_PROGRESS when conformance pack is being updated in the member // account. // - UPDATE_FAILED when conformance pack deletion has failed in the member // account. Status OrganizationResourceDetailedStatus noSmithyDocumentSerde } // An object that represents the account ID and region of an aggregator account // that is requesting authorization but is not yet authorized. type PendingAggregationRequest struct { // The 12-digit account ID of the account requesting to aggregate data. RequesterAccountId *string // The region requesting to aggregate data. RequesterAwsRegion *string noSmithyDocumentSerde } // Details about the query. type QueryInfo struct { // Returns a FieldInfo object. SelectFields []FieldInfo noSmithyDocumentSerde } // Specifies which resource types Config records for configuration changes. In the // recording group, you specify whether you want to record all supported resource // types or to include or exclude specific types of resources. By default, Config // records configuration changes for all supported types of Regional resources that // Config discovers in the Amazon Web Services Region in which it is running. // Regional resources are tied to a Region and can be used only in that Region. // Examples of Regional resources are Amazon EC2 instances and Amazon EBS volumes. // You can also have Config record supported types of global resources. Global // resources are not tied to a specific Region and can be used in all Regions. The // global resource types that Config supports include IAM users, groups, roles, and // customer managed policies. Global resource types onboarded to Config recording // after February 2022 will be recorded only in the service's home Region for the // commercial partition and Amazon Web Services GovCloud (US-West) for the Amazon // Web Services GovCloud (US) partition. You can view the Configuration Items for // these new global resource types only in their home Region and Amazon Web // Services GovCloud (US-West). If you don't want Config to record all resources, // you can specify which types of resources Config records with the resourceTypes // parameter. For a list of supported resource types, see Supported Resource Types (https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) // in the Config developer guide. For more information and a table of the Home // Regions for Global Resource Types Onboarded after February 2022, see Selecting // Which Resources Config Records (https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html) // in the Config developer guide. type RecordingGroup struct { // Specifies whether Config records configuration changes for all supported // regional resource types. If you set this field to true , when Config adds // support for a new type of regional resource, Config starts recording resources // of that type automatically. If you set this field to true , you cannot enumerate // specific resource types to record in the resourceTypes field of RecordingGroup (https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) // , or to exclude in the resourceTypes field of ExclusionByResourceTypes (https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) // . AllSupported bool // An object that specifies how Config excludes resource types from being recorded // by the configuration recorder. To use this option, you must set the useOnly // field of RecordingStrategy (https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) // to EXCLUSION_BY_RESOURCE_TYPES . ExclusionByResourceTypes *ExclusionByResourceTypes // Specifies whether Config records configuration changes for all supported global // resources. Before you set this field to true , set the allSupported field of // RecordingGroup (https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) // to true . Optionally, you can set the useOnly field of RecordingStrategy (https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) // to ALL_SUPPORTED_RESOURCE_TYPES . If you set this field to true , when Config // adds support for a new type of global resource in the Region where you set up // the configuration recorder, Config starts recording resources of that type // automatically. If you set this field to false but list global resource types in // the resourceTypes field of RecordingGroup (https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) // , Config will still record configuration changes for those specified resource // types regardless of if you set the includeGlobalResourceTypes field to false. // If you do not want to record configuration changes to global resource types, // make sure to not list them in the resourceTypes field in addition to setting // the includeGlobalResourceTypes field to false. IncludeGlobalResourceTypes bool // An object that specifies the recording strategy for the configuration recorder. // - If you set the useOnly field of RecordingStrategy (https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) // to ALL_SUPPORTED_RESOURCE_TYPES , Config records configuration changes for all // supported regional resource types. You also must set the allSupported field of // RecordingGroup (https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) // to true . When Config adds support for a new type of regional resource, Config // automatically starts recording resources of that type. // - If you set the useOnly field of RecordingStrategy (https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) // to INCLUSION_BY_RESOURCE_TYPES , Config records configuration changes for only // the resource types you specify in the resourceTypes field of RecordingGroup (https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) // . // - If you set the useOnly field of RecordingStrategy (https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) // to EXCLUSION_BY_RESOURCE_TYPES , Config records configuration changes for all // supported resource types except the resource types that you specify as // exemptions to exclude from being recorded in the resourceTypes field of // ExclusionByResourceTypes (https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) // . // The recordingStrategy field is optional when you set the allSupported field of // RecordingGroup (https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) // to true . The recordingStrategy field is optional when you list resource types // in the resourceTypes field of RecordingGroup (https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) // . The recordingStrategy field is required if you list resource types to exclude // from recording in the resourceTypes field of ExclusionByResourceTypes (https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) // . If you choose EXCLUSION_BY_RESOURCE_TYPES for the recording strategy, the // exclusionByResourceTypes field will override other properties in the request. // For example, even if you set includeGlobalResourceTypes to false, global // resource types will still be automatically recorded in this option unless those // resource types are specifically listed as exemptions in the resourceTypes field // of exclusionByResourceTypes . By default, if you choose the // EXCLUSION_BY_RESOURCE_TYPES recording strategy, when Config adds support for a // new resource type in the Region where you set up the configuration recorder, // including global resource types, Config starts recording resources of that type // automatically. RecordingStrategy *RecordingStrategy // A comma-separated list that specifies which resource types Config records. // Optionally, you can set the useOnly field of RecordingStrategy (https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) // to INCLUSION_BY_RESOURCE_TYPES . To record all configuration changes, set the // allSupported field of RecordingGroup (https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) // to true , and either omit this field or don't specify any resource types in this // field. If you set the allSupported field to false and specify values for // resourceTypes , when Config adds support for a new type of resource, it will not // record resources of that type unless you manually add that type to your // recording group. For a list of valid resourceTypes values, see the Resource // Type Value column in Supported Amazon Web Services resource Types (https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) // in the Config developer guide. Region Availability Before specifying a resource // type for Config to track, check Resource Coverage by Region Availability (https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) // to see if the resource type is supported in the Amazon Web Services Region where // you set up Config. If a resource type is supported by Config in at least one // Region, you can enable the recording of that resource type in all Regions // supported by Config, even if the specified resource type is not supported in the // Amazon Web Services Region where you set up Config. ResourceTypes []ResourceType noSmithyDocumentSerde } // Specifies the recording strategy of the configuration recorder. type RecordingStrategy struct { // The recording strategy for the configuration recorder. // - If you set this option to ALL_SUPPORTED_RESOURCE_TYPES , Config records // configuration changes for all supported regional resource types. You also must // set the allSupported field of RecordingGroup (https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) // to true . When Config adds support for a new type of regional resource, Config // automatically starts recording resources of that type. For a list of supported // resource types, see Supported Resource Types (https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) // in the Config developer guide. // - If you set this option to INCLUSION_BY_RESOURCE_TYPES , Config records // configuration changes for only the resource types that you specify in the // resourceTypes field of RecordingGroup (https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) // . // - If you set this option to EXCLUSION_BY_RESOURCE_TYPES , Config records // configuration changes for all supported resource types, except the resource // types that you specify as exemptions to exclude from being recorded in the // resourceTypes field of ExclusionByResourceTypes (https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) // . // The recordingStrategy field is optional when you set the allSupported field of // RecordingGroup (https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) // to true . The recordingStrategy field is optional when you list resource types // in the resourceTypes field of RecordingGroup (https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) // . The recordingStrategy field is required if you list resource types to exclude // from recording in the resourceTypes field of ExclusionByResourceTypes (https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) // . If you choose EXCLUSION_BY_RESOURCE_TYPES for the recording strategy, the // exclusionByResourceTypes field will override other properties in the request. // For example, even if you set includeGlobalResourceTypes to false, global // resource types will still be automatically recorded in this option unless those // resource types are specifically listed as exemptions in the resourceTypes field // of exclusionByResourceTypes . By default, if you choose the // EXCLUSION_BY_RESOURCE_TYPES recording strategy, when Config adds support for a // new resource type in the Region where you set up the configuration recorder, // including global resource types, Config starts recording resources of that type // automatically. UseOnly RecordingStrategyType noSmithyDocumentSerde } // The relationship of the related resource to the main resource. type Relationship struct { // The type of relationship with the related resource. RelationshipName *string // The ID of the related resource (for example, sg-xxxxxx ). ResourceId *string // The custom name of the related resource, if available. ResourceName *string // The resource type of the related resource. ResourceType ResourceType noSmithyDocumentSerde } // An object that represents the details about the remediation configuration that // includes the remediation action, parameters, and data to execute the action. type RemediationConfiguration struct { // The name of the Config rule. // // This member is required. ConfigRuleName *string // Target ID is the name of the SSM document. // // This member is required. TargetId *string // The type of the target. Target executes remediation. For example, SSM document. // // This member is required. TargetType RemediationTargetType // Amazon Resource Name (ARN) of remediation configuration. Arn *string // The remediation is triggered automatically. Automatic bool // Name of the service that owns the service-linked rule, if applicable. CreatedByService *string // An ExecutionControls object. ExecutionControls *ExecutionControls // The maximum number of failed attempts for auto-remediation. If you do not // select a number, the default is 5. For example, if you specify // MaximumAutomaticAttempts as 5 with RetryAttemptSeconds as 50 seconds, Config // will put a RemediationException on your behalf for the failing resource after // the 5th failed attempt within 50 seconds. MaximumAutomaticAttempts *int32 // An object of the RemediationParameterValue. Parameters map[string]RemediationParameterValue // The type of a resource. ResourceType *string // Maximum time in seconds that Config runs auto-remediation. If you do not select // a number, the default is 60 seconds. For example, if you specify // RetryAttemptSeconds as 50 seconds and MaximumAutomaticAttempts as 5, Config will // run auto-remediations 5 times within 50 seconds before throwing an exception. RetryAttemptSeconds *int64 // Version of the target. For example, version of the SSM document. If you make // backward incompatible changes to the SSM document, you must call // PutRemediationConfiguration API again to ensure the remediations can run. TargetVersion *string noSmithyDocumentSerde } // An object that represents the details about the remediation exception. The // details include the rule name, an explanation of an exception, the time when the // exception will be deleted, the resource ID, and resource type. type RemediationException struct { // The name of the Config rule. // // This member is required. ConfigRuleName *string // The ID of the resource (for example., sg-xxxxxx). // // This member is required. ResourceId *string // The type of a resource. // // This member is required. ResourceType *string // The time when the remediation exception will be deleted. ExpirationTime *time.Time // An explanation of an remediation exception. Message *string noSmithyDocumentSerde } // The details that identify a resource within Config, including the resource type // and resource ID. type RemediationExceptionResourceKey struct { // The ID of the resource (for example., sg-xxxxxx). ResourceId *string // The type of a resource. ResourceType *string noSmithyDocumentSerde } // Provides details of the current status of the invoked remediation action for // that resource. type RemediationExecutionStatus struct { // Start time when the remediation was executed. InvocationTime *time.Time // The time when the remediation execution was last updated. LastUpdatedTime *time.Time // The details that identify a resource within Config, including the resource type // and resource ID. ResourceKey *ResourceKey // ENUM of the values. State RemediationExecutionState // Details of every step. StepDetails []RemediationExecutionStep noSmithyDocumentSerde } // Name of the step from the SSM document. type RemediationExecutionStep struct { // An error message if the step was interrupted during execution. ErrorMessage *string // The details of the step. Name *string // The time when the step started. StartTime *time.Time // The valid status of the step. State RemediationExecutionStepState // The time when the step stopped. StopTime *time.Time noSmithyDocumentSerde } // The value is either a dynamic (resource) value or a static value. You must // select either a dynamic value or a static value. type RemediationParameterValue struct { // The value is dynamic and changes at run-time. ResourceValue *ResourceValue // The value is static and does not change at run-time. StaticValue *StaticValue noSmithyDocumentSerde } // An object that contains the resource type and the number of resources. type ResourceCount struct { // The number of resources. Count int64 // The resource type (for example, "AWS::EC2::Instance" ). ResourceType ResourceType noSmithyDocumentSerde } // Filters the resource count based on account ID, region, and resource type. type ResourceCountFilters struct { // The 12-digit ID of the account. AccountId *string // The region where the account is located. Region *string // The type of the Amazon Web Services resource. ResourceType ResourceType noSmithyDocumentSerde } // Returns information about the resource being evaluated. type ResourceDetails struct { // The resource definition to be evaluated as per the resource configuration // schema type. // // This member is required. ResourceConfiguration *string // A unique resource ID for an evaluation. // // This member is required. ResourceId *string // The type of resource being evaluated. // // This member is required. ResourceType *string // The schema type of the resource configuration. You can find the Resource type // schema (https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/resource-type-schema.html) // , or CFN_RESOURCE_SCHEMA , in "Amazon Web Services public extensions" within the // CloudFormation registry or with the following CLI commmand: aws cloudformation // describe-type --type-name "AWS::S3::Bucket" --type RESOURCE . For more // information, see Managing extensions through the CloudFormation registry (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html#registry-view) // and Amazon Web Services resource and property types reference (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) // in the CloudFormation User Guide. ResourceConfigurationSchemaType ResourceConfigurationSchemaType noSmithyDocumentSerde } // Returns details of a resource evaluation. type ResourceEvaluation struct { // The mode of an evaluation. The valid values are Detective or Proactive. EvaluationMode EvaluationMode // The starting time of an execution. EvaluationStartTimestamp *time.Time // The ResourceEvaluationId of a evaluation. ResourceEvaluationId *string noSmithyDocumentSerde } // Returns details of a resource evaluation based on the selected filter. type ResourceEvaluationFilters struct { // Filters evaluations for a given infrastructure deployment. For example: CFN // Stack. EvaluationContextIdentifier *string // Filters all resource evaluations results based on an evaluation mode. the valid // value for this API is Proactive . EvaluationMode EvaluationMode // Returns a TimeWindow object. TimeWindow *TimeWindow noSmithyDocumentSerde } // Filters the results by resource account ID, region, resource ID, and resource // name. type ResourceFilters struct { // The 12-digit source account ID. AccountId *string // The source region. Region *string // The ID of the resource. ResourceId *string // The name of the resource. ResourceName *string noSmithyDocumentSerde } // The details that identify a resource that is discovered by Config, including // the resource type, ID, and (if available) the custom resource name. type ResourceIdentifier struct { // The time that the resource was deleted. ResourceDeletionTime *time.Time // The ID of the resource (for example, sg-xxxxxx ). ResourceId *string // The custom name of the resource (if available). ResourceName *string // The type of resource. ResourceType ResourceType noSmithyDocumentSerde } // The details that identify a resource within Config, including the resource type // and resource ID. type ResourceKey struct { // The ID of the resource (for example., sg-xxxxxx). // // This member is required. ResourceId *string // The resource type. // // This member is required. ResourceType ResourceType noSmithyDocumentSerde } // The dynamic value of the resource. type ResourceValue struct { // The value is a resource ID. // // This member is required. Value ResourceValueType noSmithyDocumentSerde } // An object with the name of the retention configuration and the retention period // in days. The object stores the configuration for data retention in Config. type RetentionConfiguration struct { // The name of the retention configuration object. // // This member is required. Name *string // Number of days Config stores your historical information. Currently, only // applicable to the configuration item history. // // This member is required. RetentionPeriodInDays int32 noSmithyDocumentSerde } // Defines which resources trigger an evaluation for an Config rule. The scope can // include one or more resource types, a combination of a tag key and value, or a // combination of one resource type and one resource ID. Specify a scope to // constrain which resources trigger an evaluation for a rule. Otherwise, // evaluations for the rule are triggered when any resource in your recording group // changes in configuration. type Scope struct { // The ID of the only Amazon Web Services resource that you want to trigger an // evaluation for the rule. If you specify a resource ID, you must specify one // resource type for ComplianceResourceTypes . ComplianceResourceId *string // The resource types of only those Amazon Web Services resources that you want to // trigger an evaluation for the rule. You can only specify one type if you also // specify a resource ID for ComplianceResourceId . ComplianceResourceTypes []string // The tag key that is applied to only those Amazon Web Services resources that // you want to trigger an evaluation for the rule. TagKey *string // The tag value applied to only those Amazon Web Services resources that you want // to trigger an evaluation for the rule. If you specify a value for TagValue , you // must also specify a value for TagKey . TagValue *string noSmithyDocumentSerde } // Provides the CustomPolicyDetails, the rule owner ( Amazon Web Services for // managed rules, CUSTOM_POLICY for Custom Policy rules, and CUSTOM_LAMBDA for // Custom Lambda rules), the rule identifier, and the events that cause the // evaluation of your Amazon Web Services resources. type Source struct { // Indicates whether Amazon Web Services or the customer owns and manages the // Config rule. Config Managed Rules are predefined rules owned by Amazon Web // Services. For more information, see Config Managed Rules (https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html) // in the Config developer guide. Config Custom Rules are rules that you can // develop either with Guard ( CUSTOM_POLICY ) or Lambda ( CUSTOM_LAMBDA ). For // more information, see Config Custom Rules (https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html) // in the Config developer guide. // // This member is required. Owner Owner // Provides the runtime system, policy definition, and whether debug logging is // enabled. Required when owner is set to CUSTOM_POLICY . CustomPolicyDetails *CustomPolicyDetails // Provides the source and the message types that cause Config to evaluate your // Amazon Web Services resources against a rule. It also provides the frequency // with which you want Config to run evaluations for the rule if the trigger type // is periodic. If the owner is set to CUSTOM_POLICY , the only acceptable values // for the Config rule trigger message type are ConfigurationItemChangeNotification // and OversizedConfigurationItemChangeNotification . SourceDetails []SourceDetail // For Config Managed rules, a predefined identifier from a list. For example, // IAM_PASSWORD_POLICY is a managed rule. To reference a managed rule, see List of // Config Managed Rules (https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html) // . For Config Custom Lambda rules, the identifier is the Amazon Resource Name // (ARN) of the rule's Lambda function, such as // arn:aws:lambda:us-east-2:123456789012:function:custom_rule_name . For Config // Custom Policy rules, this field will be ignored. SourceIdentifier *string noSmithyDocumentSerde } // Provides the source and the message types that trigger Config to evaluate your // Amazon Web Services resources against a rule. It also provides the frequency // with which you want Config to run evaluations for the rule if the trigger type // is periodic. You can specify the parameter values for SourceDetail only for // custom rules. type SourceDetail struct { // The source of the event, such as an Amazon Web Services service, that triggers // Config to evaluate your Amazon Web Services resources. EventSource EventSource // The frequency at which you want Config to run evaluations for a custom rule // with a periodic trigger. If you specify a value for MaximumExecutionFrequency , // then MessageType must use the ScheduledNotification value. By default, rules // with a periodic trigger are evaluated every 24 hours. To change the frequency, // specify a valid value for the MaximumExecutionFrequency parameter. Based on the // valid value you choose, Config runs evaluations once for each valid value. For // example, if you choose Three_Hours , Config runs evaluations once every three // hours. In this case, Three_Hours is the frequency of this rule. MaximumExecutionFrequency MaximumExecutionFrequency // The type of notification that triggers Config to run an evaluation for a rule. // You can specify the following notification types: // - ConfigurationItemChangeNotification - Triggers an evaluation when Config // delivers a configuration item as a result of a resource change. // - OversizedConfigurationItemChangeNotification - Triggers an evaluation when // Config delivers an oversized configuration item. Config may generate this // notification type when a resource changes and the notification exceeds the // maximum size allowed by Amazon SNS. // - ScheduledNotification - Triggers a periodic evaluation at the frequency // specified for MaximumExecutionFrequency . // - ConfigurationSnapshotDeliveryCompleted - Triggers a periodic evaluation when // Config delivers a configuration snapshot. // If you want your custom rule to be triggered by configuration changes, specify // two SourceDetail objects, one for ConfigurationItemChangeNotification and one // for OversizedConfigurationItemChangeNotification . MessageType MessageType noSmithyDocumentSerde } // Amazon Web Services Systems Manager (SSM) specific remediation controls. type SsmControls struct { // The maximum percentage of remediation actions allowed to run in parallel on the // non-compliant resources for that specific rule. You can specify a percentage, // such as 10%. The default value is 10. ConcurrentExecutionRatePercentage *int32 // The percentage of errors that are allowed before SSM stops running automations // on non-compliant resources for that specific rule. You can specify a percentage // of errors, for example 10%. If you do not specifiy a percentage, the default is // 50%. For example, if you set the ErrorPercentage to 40% for 10 non-compliant // resources, then SSM stops running the automations when the fifth error is // received. ErrorPercentage *int32 noSmithyDocumentSerde } // The static value of the resource. type StaticValue struct { // A list of values. For example, the ARN of the assumed role. // // This member is required. Values []string noSmithyDocumentSerde } // Status filter object to filter results based on specific member account ID or // status type for an organization Config rule. type StatusDetailFilters struct { // The 12-digit account ID of the member account within an organization. AccountId *string // Indicates deployment status for Config rule in the member account. When // management account calls PutOrganizationConfigRule action for the first time, // Config rule status is created in the member account. When management account // calls PutOrganizationConfigRule action for the second time, Config rule status // is updated in the member account. Config rule status is deleted when the // management account deletes OrganizationConfigRule and disables service access // for config-multiaccountsetup.amazonaws.com . Config sets the state of the rule // to: // - CREATE_SUCCESSFUL when Config rule has been created in the member account. // - CREATE_IN_PROGRESS when Config rule is being created in the member account. // - CREATE_FAILED when Config rule creation has failed in the member account. // - DELETE_FAILED when Config rule deletion has failed in the member account. // - DELETE_IN_PROGRESS when Config rule is being deleted in the member account. // - DELETE_SUCCESSFUL when Config rule has been deleted in the member account. // - UPDATE_SUCCESSFUL when Config rule has been updated in the member account. // - UPDATE_IN_PROGRESS when Config rule is being updated in the member account. // - UPDATE_FAILED when Config rule deletion has failed in the member account. MemberAccountRuleStatus MemberAccountRuleStatus noSmithyDocumentSerde } // Provides the details of a stored query. type StoredQuery struct { // The name of the query. // // This member is required. QueryName *string // A unique description for the query. Description *string // The expression of the query. For example, SELECT resourceId, resourceType, // supplementaryConfiguration.BucketVersioningConfiguration.status WHERE // resourceType = 'AWS::S3::Bucket' AND // supplementaryConfiguration.BucketVersioningConfiguration.status = 'Off'. Expression *string // Amazon Resource Name (ARN) of the query. For example, // arn:partition:service:region:account-id:resource-type/resource-name/resource-id. QueryArn *string // The ID of the query. QueryId *string noSmithyDocumentSerde } // Returns details of a specific query. type StoredQueryMetadata struct { // Amazon Resource Name (ARN) of the query. For example, // arn:partition:service:region:account-id:resource-type/resource-name/resource-id. // // This member is required. QueryArn *string // The ID of the query. // // This member is required. QueryId *string // The name of the query. // // This member is required. QueryName *string // A unique description for the query. Description *string noSmithyDocumentSerde } // The tags for the resource. The metadata that you apply to a resource to help // you categorize and organize them. Each tag consists of a key and an optional // value, both of which you define. Tag keys can have a maximum character length of // 128 characters, and tag values can have a maximum length of 256 characters. type Tag struct { // One part of a key-value pair that make up a tag. A key is a general label that // acts like a category for more specific tag values. Key *string // The optional part of a key-value pair that make up a tag. A value acts as a // descriptor within a tag category (key). Value *string noSmithyDocumentSerde } // This API allows you to create a conformance pack template with an Amazon Web // Services Systems Manager document (SSM document). To deploy a conformance pack // using an SSM document, first create an SSM document with conformance pack // content, and then provide the DocumentName in the PutConformancePack API (https://docs.aws.amazon.com/config/latest/APIReference/API_PutConformancePack.html) // . You can also provide the DocumentVersion . The TemplateSSMDocumentDetails // object contains the name of the SSM document and the version of the SSM // document. type TemplateSSMDocumentDetails struct { // The name or Amazon Resource Name (ARN) of the SSM document to use to create a // conformance pack. If you use the document name, Config checks only your account // and Amazon Web Services Region for the SSM document. If you want to use an SSM // document from another Region or account, you must provide the ARN. // // This member is required. DocumentName *string // The version of the SSM document to use to create a conformance pack. By // default, Config uses the latest version. This field is optional. DocumentVersion *string noSmithyDocumentSerde } // Filters evaluation results based on start and end times. type TimeWindow struct { // The end time of an execution. The end time must be after the start date. EndTime *time.Time // The start time of an execution. StartTime *time.Time noSmithyDocumentSerde } type noSmithyDocumentSerde = smithydocument.NoSerde