This command will deploy the specified Rule(s) to the Account and Region determined by the credentials being used to execute the command, and the value of the AWS_DEFAULT_REGION environment variable, unless those credentials or region are overridden using the common flags.
Once deployed, RDK will _not_ explicitly start a Rule evaluation. Depending on the changes being made to your Config Rule setup, AWS Config may re-evaluate the deployed Rules automatically, or you can run an evaluation using the AWS configservice CLI.
The --lambda-role-arn flag can be used to assign an existing IAM role to all Lambda functions created for Custom Config Rules.
The --functions-only flag can be used as part of a multi-account deployment strategy to push _only_ the Lambda functions (and necessary Roles and Permissions) to the target account. This is intended to be used in conjunction with the create-rule-template command in order to separate the compliance logic from the evaluated accounts. For an example of how this looks in practice, check out the AWS Compliance-as-Code Engine.
Note: Behind the scenes, the --functions-only flag generates a CloudFormation template and runs a “create” or “update” on the targeted AWS Account and Region. If subsequent calls to deploy with the --functions-only flag are made with the same stack name (either the default or otherwise) but with different Config rules targeted, any Rules deployed in previous deploys but not included in the latest deploy will be removed. After a functions-only deploy, _only_ the Rules specifically targeted by that command (either through Rulesets or an explicit list supplied on the command line) will be deployed in the environment; all others will be removed.
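A pre-deploy guard for the removal behaviour described in the note, as an added example that is not part of RDK or its documentation. It assumes a hypothetical local manifest file recording the rules last deployed to each stack, covers only rules named explicitly on the command line (not --all or Rulesets), and all function names and rule names are illustrative.

```python
import json
from pathlib import Path

DEFAULT_STACK = "RDK-Config-Rule-Functions"  # default stack name per the option table


class RuleRemovalError(Exception):
    """A functions-only deploy would drop rules deployed earlier to the stack."""


def load_manifest(path):
    # Hypothetical local record {stack name: [rule names]}; not an RDK file.
    p = Path(path)
    return json.loads(p.read_text()) if p.exists() else {}


def plan_deploy(manifest_path, rules, stack_name=DEFAULT_STACK, allow_removal=False):
    """Return (argv, dropped) for a functions-only deploy of `rules`.

    Rules recorded for this stack but absent from `rules` are removed by the
    stack update, so refuse to build the command unless that is acknowledged.
    """
    targets = sorted(set(rules))
    if not targets:
        raise ValueError("name at least one rule to deploy")
    previous = load_manifest(manifest_path).get(stack_name, [])
    dropped = sorted(set(previous) - set(targets))
    if dropped and not allow_removal:
        raise RuleRemovalError(f"{stack_name} would lose: {', '.join(dropped)}")
    argv = ["rdk", "deploy", "--functions-only", "--stack-name", stack_name, *targets]
    return argv, dropped


def record_deploy(manifest_path, rules, stack_name=DEFAULT_STACK):
    # Call only after `rdk deploy` exits 0, so the record matches the stack.
    manifest = load_manifest(manifest_path)
    manifest[stack_name] = sorted(set(rules))
    Path(manifest_path).write_text(json.dumps(manifest, indent=2))


if __name__ == "__main__":
    import tempfile
    path = Path(tempfile.mkdtemp()) / "deployed.json"
    record_deploy(path, ["RULE_A", "RULE_B"])  # constructed rule names
    try:
        plan_deploy(path, ["RULE_B", "RULE_C"])
    except RuleRemovalError as err:
        print("blocked:", err)
    print(plan_deploy(path, ["RULE_B", "RULE_C"], allow_removal=True))
```

Because the comparison is keyed by stack name, a deploy to a different --stack-name is never blocked by another stack's record.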
usage: rdk deploy [-h] [--all] [-s RULESETS] [-f] [--lambda-role-arn LAMBDA_ROLE_ARN] [--stack-name STACK_NAME] [--execution-role-name EXECUTION_ROLE_NAME] [--rdklib-layer-arn RDKLIB_LAYER_ARN] [--lambda-layers LAMBDA_LAYERS] [<rulename> [<rulename> ...]]
|<rulename>||Rule name(s) to deploy. Rule(s) will be pushed to AWS.|
|--all||All rules in the working directory will be deployed.|
|-s, --rulesets||comma-delimited list of RuleSet names|
|-f, --functions-only||[optional] Only deploy Lambda functions. Useful for cross-account deployments.|
|--lambda-role-arn||[optional] Assign existing IAM role to Lambda functions. If omitted, “rdkLambdaRole” will be created.|
|--stack-name||[optional] CloudFormation Stack name for use with --functions-only option. If omitted, “RDK-Config-Rule-Functions” will be used.|
|--execution-role-name||[optional] IAM Role that the Lambda function(s) will assume in each target account.|
|--rdklib-layer-arn||[optional] Lambda Layer ARN that contains the desired rdklib. Note that Lambda Layers are region-specific.|
|--lambda-layers||[optional] Comma-separated list of Lambda Layer ARNs to deploy with your Lambda function(s).|