Skip to content

terraform-aws-arc-cloud-custodian

Module: sourcefuse/arc-cloud-custodian/aws

Registry: https://registry.terraform.io/modules/sourcefuse/arc-cloud-custodian/aws

Category: Governance / Compliance

Source: https://github.com/sourcefuse/terraform-aws-arc-cloud-custodian

Latest Release Last Updated Terraform GitHub Actions

Quality Gate

Tip

🤖 New: Use this module with AI assistants via the ARC IaC MCP Server — search, scaffold, and security-scan ARC modules from natural language. Quick setup ↓

Overview

Provisions Cloud Custodian infrastructure (IAM role, S3 output bucket, CloudTrail, SQS) and runs custodian policies from template files.

What It Does

  • IAM role for Cloud Custodian Lambda execution
  • S3 bucket for custodian output
  • CloudTrail with SQS queue for event-driven policies
  • Template-based policy files with Terraform variable interpolation
  • Automatic policy execution

For more information about this repository and its usage, please see Terraform AWS CLOUD CUSTODIAN Usage Guide

Quickstart

Requirements

1
2
3
Terraform >= 1.0.5  
Pip >= 20.0.2   
Python >= 3.8

Getting started

You must have Python 3.8 or above installed.

To install Cloud Custodian, you can download it using Pip:

1
pip install c7n
* Pip package notes * c7n is for AWS * c7n_azure us for Azure * c7n_gcp is for Google Compute

Usage

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
terraform {
  required_version = "~> 1.0.5"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_iam_policy" "ec2" {
  name        = "cloud-custodian-allow-ec2-management"
  description = "Cloud Custodian EC2 policy."

  # This policy is for example purposes only
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:*",
        "*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "aws_lambda_basic_execution_role" {
  role       = module.cloud_custodian.role_name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

resource "aws_iam_role_policy_attachment" "ec2" {
  role       = module.cloud_custodian.role_name
  policy_arn = aws_iam_policy.ec2.arn
}

module "cloud_custodian" {
  source = "../."

  name      = "tf-cloud-custodian"
  namespace = "refarch"
  region    = "us-east-1"

  stage                    = "example"
  cloudtrail_sqs_enabled   = true
  custodian_files_path     = "${path.root}/files"
  custodian_templates_path = "${path.root}/templates"

  template_file_vars = {
    EC2_TAG_ROLE = module.cloud_custodian.role_name
    SQS_ARN      = module.cloud_custodian.sqs_arn
    REGION       = "us-east-1"
  }

  tags = {
    Module  = "terraform-aws-cloud-custodian"
    Example = "true"
  }
}

Required Inputs

Name Type Description
name string Name for the deployment
namespace string Namespace prefix
region string AWS region
stage string Deployment stage
tags map(string) Resource tags
## Key Outputs
Name Description
role_arn IAM role ARN for Cloud Custodian
bucket_id S3 output bucket name
sqs_arn SQS queue ARN
## Full Variable & Output Reference

The complete inputs/outputs reference is auto-generated below.

Requirements

Name Version
terraform ~> 1.3
aws ~> 4.0
local >= 2.0
null >= 2.0
random >= 2.0

Providers

Name Version
aws 3.68.0
local 2.1.0
null 3.1.0

Modules

Name Source Version
cloudtrail git::https://github.com/cloudposse/terraform-aws-cloudtrail.git 0.20.1
cloudtrail_s3_bucket git::https://github.com/cloudposse/terraform-aws-cloudtrail-s3-bucket.git 0.26.2
cloudtrail_sqs_queue git::https://github.com/terraform-aws-modules/terraform-aws-sqs.git v3.1.0

Resources

Name Type
aws_iam_policy.custodian_output_s3_policy resource
aws_iam_role.role resource
aws_iam_role_policy_attachment.cloudtrail resource
aws_iam_role_policy_attachment.cloudwatchlogs resource
aws_iam_role_policy_attachment.iam resource
aws_iam_role_policy_attachment.s3_output resource
aws_iam_role_policy_attachment.sqs resource
aws_iam_role_policy_attachment.tags resource
aws_s3_bucket.custodian_output resource
aws_s3_bucket_server_side_encryption_configuration.server_side_encryption resource
local_file.cc_files resource
null_resource.run_custodian resource

Inputs

Name Description Type Default Required
cloudtrail_enabled Set to false to prevent the module from creating any resources. bool true no
cloudtrail_s3_bucket_enabled Set to false to prevent the module from creating any resources. bool true no
cloudtrail_sqs_enabled Set to false to prevent the module from creating any resources. bool true no
custodian_files_path Path to where the custodian files are located. string null no
custodian_templates_path Path to where the custodian template files are located. string null no
name Name of invocation. string n/a yes
namespace A namespace for all the resources to live in. string n/a yes
region AWS Region to create objects in. string n/a yes
stage Stage of pipeline (Eg. sbx, dev, staging, uat, prod). string n/a yes
tags Additional tags to assign resources. map(string) n/a yes
template_file_vars Variable name and value maps. map(string) {} no

Outputs

Name Description
bucket_arn ARN of the bucket.
bucket_id Name of the bucket.
role_arn ARN of the role created.
role_name Name of the role created.
sqs_arn ARN of the SQS queue

Versioning

This project uses a .version file at the root of the repo which the pipeline reads from and does a git tag.

On commits to main, you will need to increment this version. Once the project is merged, the pipeline will kick off and tag the latest git commit.

Development

Prerequisites

Install the prerequisites: * pre-commit * terraform * terraform-docs

Then run pre-commit on the repo: 

1
2
pre-commit install
pre-commit run --all-files

AI Assistant Integration (ARC IaC MCP)

The ARC IaC MCP Server is a hosted Model Context Protocol service that lets AI assistants browse, search, scaffold, compare, and security-scan any of the SourceFuse ARC Terraform modules — directly from natural language.

What you can do with it:

  • Discover — search and filter modules by keyword or AWS resource type.
  • Understand — get inputs, outputs, and resources for any module without leaving your editor.
  • Scaffold — generate production-ready, multi-file Terraform with cross-module wiring already done.
  • Secure — scan generated or existing HCL for misconfigurations before it hits a PR.
  • Compare — diff modules side-by-side to make informed architectural decisions.

Setup (one minute)

The MCP endpoint is https://arc-iac-mcp.sourcef.us/mcp. Pick your client:

Claude Code CLI: 

1
claude mcp add arc-iac --transport http https://arc-iac-mcp.sourcef.us/mcp

Claude Desktop — edit ~/Library/Application Support/Claude/claude_desktop_config.json: 

1
2
3
4
5
6
7
{
  "mcpServers": {
    "arc-iac": {
      "url": "https://arc-iac-mcp.sourcef.us/mcp"
    }
  }
}

Cursor / Windsurf / Kiro — add the same block to .cursor/mcp.json (or the equivalent for your client).

Example prompts to try

  • "List all ARC modules sorted by downloads"
  • "What inputs does arc-ecs require?"
  • "Scaffold a production-ready arc-db Aurora setup with Secrets Manager"
  • "Compare arc-eks and arc-ecs for running 10 microservices"
  • "Scan this Terraform before I raise a PR: <paste HCL>"

See the ARC IaC MCP repo for the full tool reference, troubleshooting tips, and local-development instructions.

Contributing

See CONTRIBUTING.md for commit conventions and development setup.

Authors

This project is authored by: - SourceFuse ARC Team