cfn-guard-rulegen-lambda
| Crates.io | cfn-guard-rulegen-lambda |
| lib.rs | cfn-guard-rulegen-lambda |
| version | 1.0.0 |
| created_at | 2020-09-18 09:22:46.922967+00 |
| updated_at | 2020-10-01 18:47:05.016467+00 |
| description | Lambda version of cfn-guard-rulegen. Takes a CloudFormation template and autogenerates a set of cfn-guard rules that match the properties of its resources. This is a useful way to get started rule-writing or just create ready-to-use rulesets from known-good templates. |
| homepage | |
| repository | https://github.com/aws-cloudformation/cloudformation-guard |
| max_upload_size | |
| id | 290040 |
| size | 41,236 |
Priya Padmanaban (priyap286)
documentation
README
CloudFormation Guard Rulegen as a Lambda
Table of Contents
Installation
Dependencies
- AWS CLI configured with permissions to deploy and invoke Lambdas
- An AWS Lambda Execution Role in IAM
- A shell environment variable called
CFN_GUARD_LAMBDA_ROLE_ARNset to the ARN of that role - Rust (See the installation instructions in the top-level README)
- If building on a Mac, you'll need Homebrew.
- If building on Ubuntu, you'll need to run
sudo apt-get update; sudo apt install build-essentialif you haven't already
Mac/Ubuntu
- Install and configure the dependencies.
- If you're on a Mac, add the following to
~/.cargo/config:[target.x86_64-unknown-linux-musl] linker = "x86_64-linux-musl-gcc" - Ensure you're in the
cfn-guard-lambdadirectory - Run
make pre-reqs. - Run
make install.
To build and run post-install
To build, deploy and test the function after you edit its source code, run make test.
To merely invoke the function, run make invoke. The variables in the Makefile used to make the calls can be manipulated to provide different payloads.
This project is licensed under the Apache-2.0 License.
We will be working to improve the quality of lambda messages, but as a general rule, cfn-guard-rulegen-lambda is just a wrapper for the cfn-guard-rulegen code and each can be used to test the other.
Calling the Lambda Function
Request Structure
Requests to cfn-guard-rulegen-lambda require the following field:
template- The string version of the YAML or JSON CloudFormation Template
Example
There are example payloads in the Makefile. Here's one we use to test a rule set that should not pass:
request_payload = '{ "template": "{\n \"Resources\": {\n \"NewVolume\" : {\n \"Type\" : \"AWS::EC2::Volume\",\n \"Properties\" : {\n \"Size\" : 100,\n \"Encrypted\": true,\n \"AvailabilityZone\" : \"us-east-1b\"\n }\n },\n \"NewVolume2\" : {\n \"Type\" : \"AWS::EC2::Volume\",\n \"Properties\" : {\n \"Size\" : 99,\n \"Encrypted\": true,\n \"AvailabilityZone\" : \"us-east-1b\"\n }\n } }\n}"}'
#======================================================================
# Request Payload
#======================================================================
# Template
# {"Resources": {
# "NewVolume" : {
# "Type" : "AWS::EC2::Volume",
# "Properties" : {
# "Size" : 100,
# "Encrypted": true,
# "AvailabilityZone" : "us-east-1b"
# }
# },
# "NewVolume2" : {
# "Type" : "AWS::EC2::Volume",
# "Properties" : {
# "Size" : 99,
# "Encrypted": true,
# "AvailabilityZone" : "us-east-1b"
# }
# }
#}
#======================================================================
FAQ
-
Q: How do I troubleshoot a lambda call returning an opaque error message like:
{"errorType": "Runtime.ExitError", "errorMessage": "RequestId: 1c0c0620-0f83-40bc-8eca-3cf2cf24820f Error: Runtime exited with error: exit status 101"} -
A: Run the same template locally with
cfn-guard-rulegento get a better message:thread 'main' panicked at 'Bad Rule Operator: REQUIRE', src/rule_proc.rs:344:2We will be working to improve the quality of lambda messages, but as a general rule,
cfn-guard-rulegen-lambdais just a wrapper for thecfn-guard-rulegencode and each can be used to test the other.