| Field | Value |
|---|---|
| Crates.io | cfn-guard-rulegen-lambda |
| lib.rs | cfn-guard-rulegen-lambda |
| version | 1.0.0 |
| source | src |
| created_at | 2020-09-18 09:22:46.922967 |
| updated_at | 2020-10-01 18:47:05.016467 |
| description | Lambda version of cfn-guard-rulegen. Takes a CloudFormation template and autogenerates a set of cfn-guard rules that match the properties of its resources. This is a useful way to get started with rule-writing, or just to create ready-to-use rulesets from known-good templates. |
| homepage | |
| repository | https://github.com/aws-cloudformation/cloudformation-guard |
| max_upload_size | |
| id | 290040 |
| size | 41,236 |
- Set `CFN_GUARD_LAMBDA_ROLE_ARN` to the ARN of that role.
- Run `sudo apt-get update; sudo apt install build-essential` if you haven't already.
- Add the following to `~/.cargo/config`:

```toml
[target.x86_64-unknown-linux-musl]
linker = "x86_64-linux-musl-gcc"
```

- Change to the `cfn-guard-lambda` directory.
- Run `make pre-reqs`.
- Run `make install`.

To build, deploy and test the function after you edit its source code, run `make test`.

To merely invoke the function, run `make invoke`. The variables in the Makefile used to make the calls can be manipulated to provide different payloads.
This project is licensed under the Apache-2.0 License.
Requests to `cfn-guard-rulegen-lambda` require the following field:

- `template` - the string version of the YAML or JSON CloudFormation template

There are example payloads in the Makefile. Here's one we use to test a rule set that should not pass:

```makefile
request_payload = '{ "template": "{\n \"Resources\": {\n \"NewVolume\" : {\n \"Type\" : \"AWS::EC2::Volume\",\n \"Properties\" : {\n \"Size\" : 100,\n \"Encrypted\": true,\n \"AvailabilityZone\" : \"us-east-1b\"\n }\n },\n \"NewVolume2\" : {\n \"Type\" : \"AWS::EC2::Volume\",\n \"Properties\" : {\n \"Size\" : 99,\n \"Encrypted\": true,\n \"AvailabilityZone\" : \"us-east-1b\"\n }\n } }\n}"}'
#======================================================================
# Request Payload
#======================================================================
# Template
# {"Resources": {
#   "NewVolume" : {
#     "Type" : "AWS::EC2::Volume",
#     "Properties" : {
#       "Size" : 100,
#       "Encrypted": true,
#       "AvailabilityZone" : "us-east-1b"
#     }
#   },
#   "NewVolume2" : {
#     "Type" : "AWS::EC2::Volume",
#     "Properties" : {
#       "Size" : 99,
#       "Encrypted": true,
#       "AvailabilityZone" : "us-east-1b"
#     }
#   }
# }
# }
#======================================================================
```
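What the Lambda does with that payload, as an added simplified Python reimplementation (not the crate's own code): unwrap the `template` string field of the request, emit one rule per resource type and property in the unquoted cfn-guard 1.x style `AWS::EC2::Volume Size == 100 |OR| ...` (that output syntax is an assumption here), and re-check a template against those rules, which is the wrapper/wrapped round trip the FAQ relies on. The sample payload is constructed from the Makefile template above.

```python
import json

# Constructed sample: the Makefile's two-volume template, wrapped as {"template": "<JSON string>"}.
SAMPLE_PAYLOAD = json.dumps({"template": json.dumps({"Resources": {
    "NewVolume": {"Type": "AWS::EC2::Volume", "Properties": {
        "Size": 100, "Encrypted": True, "AvailabilityZone": "us-east-1b"}},
    "NewVolume2": {"Type": "AWS::EC2::Volume", "Properties": {
        "Size": 99, "Encrypted": True, "AvailabilityZone": "us-east-1b"}},
}})})

def fmt(value):
    """Render a property value in the unquoted form used by cfn-guard 1.x rules (assumed)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (dict, list)):
        return json.dumps(value, separators=(",", ":"))
    return str(value)

def unwrap_template(payload):
    # The request carries the template as a string, so it is decoded twice.
    return json.loads(json.loads(payload)["template"])

def generate_rules(payload):
    """Emit one '<Type> <Property> == <value>' rule per type/property, joining the
    distinct values seen across resources with |OR| (a simplified rulegen)."""
    seen = {}  # (type, property) -> distinct rendered values, in template order
    for resource in unwrap_template(payload).get("Resources", {}).values():
        for prop, value in resource.get("Properties", {}).items():
            values = seen.setdefault((resource["Type"], prop), [])
            if fmt(value) not in values:
                values.append(fmt(value))
    return [" |OR| ".join(f"{rtype} {prop} == {v}" for v in values)
            for (rtype, prop), values in sorted(seen.items())]

def template_satisfies(rules, payload):
    """Check a payload's template against rules of the shape produced above: every
    resource that has the property must match at least one of the OR'd values."""
    resources = unwrap_template(payload).get("Resources", {}).values()
    for rule in rules:
        clauses = [c.split(" ", 3) for c in rule.split(" |OR| ")]  # [type, prop, "==", value]
        for resource in resources:
            props = resource.get("Properties", {})
            hits = [c for c in clauses if c[0] == resource["Type"] and c[1] in props]
            if hits and not any(fmt(props[c[1]]) == c[3] for c in hits):
                return False
    return True

def with_property(payload, resource, prop, value):
    # Return a copy of the payload with one resource property changed (for exercising the rules).
    template = unwrap_template(payload)
    template["Resources"][resource]["Properties"][prop] = value
    return json.dumps({"template": json.dumps(template)})
```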
Q: How do I troubleshoot a lambda call returning an opaque error message like:

```json
{"errorType": "Runtime.ExitError", "errorMessage": "RequestId: 1c0c0620-0f83-40bc-8eca-3cf2cf24820f Error: Runtime exited with error: exit status 101"}
```

A: Run the same template locally with `cfn-guard-rulegen` to get a better message:

```text
thread 'main' panicked at 'Bad Rule Operator: REQUIRE', src/rule_proc.rs:344:2
```

We will be working to improve the quality of lambda messages, but as a general rule, `cfn-guard-rulegen-lambda` is just a wrapper for the `cfn-guard-rulegen` code and each can be used to test the other.