diff --git a/locals.tf b/locals.tf
index 7a29242..1cca53a 100644
--- a/locals.tf
+++ b/locals.tf
@@ -38,7 +38,15 @@ locals {
 rule if !contains(local.rules_exclude_collected, rule)
 ]
- final_managed_rules = merge(local.managed_rules, var.rule_overrides)
+ combined_rules = {
+ for rule in distinct(concat(keys(local.managed_rules), keys(var.rule_overrides))) :
+ rule => lookup(local.managed_rules, rule, lookup(var.rule_overrides, rule, {}))
+ }
+
+ final_managed_rules = {
+ for rule, attr in local.combined_rules :
+ rule => merge(attr, lookup(var.rule_overrides, rule, {}))
+ }
 rules_to_apply = {
 for rule, attr in local.final_managed_rules :
diff --git a/modules/account/main.tf b/modules/account/main.tf
index e264212..afee8f4 100644
--- a/modules/account/main.tf
+++ b/modules/account/main.tf
@@ -10,7 +10,10 @@ resource "aws_config_config_rule" "rule" {
 source {
 owner = "AWS"
- source_identifier = each.value["identifier"]
+
+ # Custom rules don't have identifiers like AWS managed rules, so we need to
+ # fall back to the key if an identifier is not provided.
+ source_identifier = try(each.value["identifier"], upper(replace(each.key, "-", "_")))
 }
 input_parameters = (
diff --git a/modules/organization/main.tf b/modules/organization/main.tf
index 761098d..5332d44 100644
--- a/modules/organization/main.tf
+++ b/modules/organization/main.tf
@@ -2,7 +2,10 @@ resource "aws_config_organization_managed_rule" "rule" {
 for_each = var.rules
 name = "${var.rule_name_prefix}${each.key}"
- rule_identifier = each.value["identifier"]
+
+ # Custom rules don't have identifiers like AWS managed rules, so we need to
+ # fall back to the key if an identifier is not provided.
+ rule_identifier = try(each.value["identifier"], upper(replace(each.key, "-", "_")))
 excluded_accounts = var.excluded_accounts
 description = try(each.value["description"], "")
 resource_types_scope = try(each.value["resource_types_scope"], [])
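Review bot: In the locals.tf hunk, `combined_rules` now seeds keys from `var.rule_overrides` as well as `local.managed_rules`, so an override key that does not match a managed rule — including a mistyped one — silently becomes an additional Config rule built only from the override attributes, and the rule the operator meant to adjust is left unchanged; with the new identifier fallback in the module hunks, that extra rule is then created with an identifier derived from the key. Nothing in the hunk documents this widening, and it likely also lets an override re-introduce a key filtered out by `rules_exclude_collected` a few lines above (that filter's definition is outside the hunk, so this is inferred). A comment above `combined_rules` such as `# Keys that exist only in var.rule_overrides are added as new rules; an override key that does not match a managed rule creates an extra rule instead of adjusting one.` would make the contract explicit, and the `rule_overrides` variable description should say the same. As a point of style, the inner `lookup(var.rule_overrides, rule, {})` default in `combined_rules` is unreachable (every key comes from one of the two maps), and both locals collapse into a single comprehension whose value is `merge(lookup(local.managed_rules, rule, {}), lookup(var.rule_overrides, rule, {}))` over the same `distinct(concat(...))` key list.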
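Review bot: In the modules/account/main.tf hunk the comment says the fallback exists for custom rules, but `owner = "AWS"` on the line above means `source_identifier` must name an AWS managed rule, so what the code actually does is derive a managed-rule identifier from the map key (for example `s3-bucket-public-read-prohibited` → `S3_BUCKET_PUBLIC_READ_PROHIBITED`); a genuinely custom rule would need a different `owner` and a `source_detail` block, which this resource block does not set. The same applies to the modules/organization/main.tf hunk, where `aws_config_organization_managed_rule` likewise only accepts managed-rule identifiers. The comment in both places would be accurate as `# When no identifier is given, derive the AWS managed rule identifier from the key (kebab-case -> UPPER_SNAKE_CASE).` Note also that `try()` only falls back on an error, so a rule map that sets `identifier = null` keeps the null and fails at the provider; `coalesce(try(each.value["identifier"], null), upper(replace(each.key, "-", "_")))` covers both the missing and the null case in one expression. The enclosing resource blocks start before and continue after each hunk.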