feat(config): add constructs for managed and custom rules

[jogold]

Specific classes are exposed for an AWS managed rule (ManagedRule) and a custom rule
(CustomRule) with support for compliance and re-evaluation events.

Higher level constructs for configured AWS managed rules are also exposed (starting with Access
Keys Rotated and CloudFormation rules). This defines a pattern for future configured managed rules.

---

Pull Request Checklist

• Testing
  • Unit test added (prefer not to modify an existing test, otherwise, it's probably a breaking change)
  • CLI change?: coordinate update of integration tests with team
  • cdk-init template change?: coordinated update of integration tests with team
• Docs
  • jsdocs: All public APIs documented
  • README: README and/or documentation topic updated
• Title and Description
  • Change type: title prefixed with fix, feat will appear in changelog
  • Title: use lower-case and doesn't end with a period
  • Breaking?: last paragraph: "BREAKING CHANGE: <describe what changed + link for details>"
  • Issues: Indicate issues fixed via: "Fixes #xxx" or "Closes #xxx"
• Sensitive Modules (requires 2 PR approvers)
  • IAM Policy Document (in @aws-cdk/aws-iam)
  • EC2 Security Groups and ACLs (in @aws-cdk/aws-ec2)
  • Grant APIs (only if not based on official documentation with a reference)

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.

[rix0rrr]

Solid work as always Jonathan. Thanks!

Just some small things

[rix0rrr]

Is this really optional?

[jogold]

I don't need configRuleArn, configRuleId or configRuleComplianceType when working with an imported rule. And I don't directly see why a user importing a rule would have to specify those.

Using only configRuleName, I can set up the onEvent(), onComplianceChange() and onReEvaluationStatus() for both new and imported rules.

If remove those properties (configRuleArn, configRuleId, configRuleComplianceType) from the IRule interface, I'm faced with the new awslint:attribute-tag rule errors:

error: [awslint:attribute-tag:@aws-cdk/aws-config.CloudFormationStackDriftDetectionCheck.configRuleArn] attribute properties must have an "@attribute" doctag on:  @aws-cdk/aws-config.ManagedRule.configRuleArn
error: [awslint:attribute-tag:@aws-cdk/aws-config.ManagedRule.configRuleId] attribute properties must have an "@attribute" doctag on:  @aws-cdk/aws-config.ManagedRule.configRuleId
error: [awslint:attribute-tag:@aws-cdk/aws-config.ManagedRule.configRuleComplianceType] attribute properties must have an "@attribute" doctag on:  @aws-cdk/aws-config.ManagedRule.configRuleComplianceType
error: [awslint:attribute-tag:@aws-cdk/aws-config.ManagedRule.configRuleArn] attribute properties must have an "@attribute" doctag on:  @aws-cdk/aws-config.ManagedRule.configRuleArn
error: [awslint:attribute-tag:@aws-cdk/aws-config.CustomRule.configRuleId] attribute properties must have an "@attribute" doctag on:  @aws-cdk/aws-config.CustomRule.configRuleId
error: [awslint:attribute-tag:@aws-cdk/aws-config.CustomRule.configRuleComplianceType] attribute properties must have an "@attribute" doctag on:  @aws-cdk/aws-config.CustomRule.configRuleComplianceType
error: [awslint:attribute-tag:@aws-cdk/aws-config.CustomRule.configRuleArn] attribute properties must have an "@attribute" doctag on:  @aws-cdk/aws-config.CustomRule.configRuleArn
error: [awslint:attribute-tag:@aws-cdk/aws-config.CloudFormationStackNotificationCheck.configRuleId] attribute properties must have an "@attribute" doctag on:  @aws-cdk/aws-config.ManagedRule.configRuleId
error: [awslint:attribute-tag:@aws-cdk/aws-config.CloudFormationStackNotificationCheck.configRuleComplianceType] attribute properties must have an "@attribute" doctag on:  @aws-cdk/aws-config.ManagedRule.configRuleComplianceType
error: [awslint:attribute-tag:@aws-cdk/aws-config.AccessKeysRotated.configRuleArn] attribute properties must have an "@attribute" doctag on:  @aws-cdk/aws-config.ManagedRule.configRuleArnerror: [awslint:attribute-tag:@aws-cdk/aws-config.AccessKeysRotated.configRuleComplianceType] attribute properties must have an "@attribute" doctag on:  @aws-cdk/aws-config.ManagedRule.configRuleComplianceType
error: [awslint:attribute-tag:@aws-cdk/aws-config.AccessKeysRotated.configRuleId] attribute properties must have an "@attribute" doctag on:  @aws-cdk/aws-config.ManagedRule.configRuleId
error: [awslint:attribute-tag:@aws-cdk/aws-config.CloudFormationStackNotificationCheck.configRuleArn] attribute properties must have an "@attribute" doctag on:  @aws-cdk/aws-config.ManagedRule.configRuleArn
error: [awslint:attribute-tag:@aws-cdk/aws-config.CloudFormationStackDriftDetectionCheck.configRuleComplianceType] attribute properties must have an "@attribute" doctag on:  @aws-cdk/aws-config.ManagedRule.configRuleComplianceType
error: [awslint:attribute-tag:@aws-cdk/aws-config.CloudFormationStackDriftDetectionCheck.configRuleId] attribute properties must have an "@attribute" doctag on:  @aws-cdk/aws-config.ManagedRule.configRuleId

If I add /** @attribute */ on the abstract properties of the abstract class RuleNew, the linter is not happy. The only valid alternative is to add /** @attribute */ both in ManagedRule and CustomRule properties.

What is the guideline here?

[rix0rrr]

Good point, that has to do with the base class being invisible. I have created an issue for it: aws/jsii#510

For now, best I can suggest is to put the tag on the individual rules. It feels a little silly, but that seems better to me than making it optional in the interface for the purposes of it being absent for an imported resources -- the interface is exactly meant to define the interface that can be relied upon to always be there.

[rix0rrr]

I just tested, and it seems like it should be inherited properly from the RuleNew class as long as you avoid adding docstrings to the subtype.

So if there are no docstrings on the inherited members, you can do the full docs on the base member.

[jogold]

You mean like this? Can't get this to work...

/**
 * A new managed or custom rule.
 */
abstract class RuleNew extends RuleBase {
  /**
   * The arn of the rule.
   *
   * @attribute
   */
  public abstract readonly configRuleArn: string;

/**
 * A new managed rule.
 *
 * @resource AWS::Config::ConfigRule
 */
export class ManagedRule extends RuleNew {
  public readonly configRuleName: string;
  public readonly configRuleArn: string;

error: [awslint:attribute-tag:@aws-cdk/aws-config.ManagedRule.configRuleArn] attribute properties must have an "@attribute" doctag on:  @aws-cdk/aws-config.ManagedRule.configRuleArn

[rix0rrr]

Is this really optional?

[rix0rrr]

Is this really optional?

[rix0rrr]

Maybe a check to confirm that resource and tag scopes aren't mixed?

[jogold]

Can you clarify?

Currently the last call to addXxx() sets the scope. This is to allow setting the scope even if it's already set by a managed rule, e.g. in CloudFormationStackNotificationCheck the scope is set to AWS::CloudFormation::Stack but a user could want to restrict it to a specific resource or tag by calling .addXxx():

const stackNotificationsCheck = new CloudFormationStackNotificationCheck(this, 'Check'); // The scope is set to AWS::CloudFormation::Stack
stackNotificationsCheck.addTagScope('stage', 'prod'); // Changed the scope stage=prod
// addScope() of RuleNew has now been called twice

[rix0rrr]

I see. The addXxx name confused me, seemed like they would be cumulative. I assume this is because jsii won't let you name a method like setXxx, right?

I think I would rather have names like scopeToTag(), scopeToResource() etc. then.

[jogold]

Yes exactly, tried with setXxx. OK for scopeToXxx.