npm install -g https://artifactory.app.protego.io/cloudguard-serverless-plugin.tgz
(Note that the plugin version might change; the most up-to-date version is listed in your cloudguard portal under the integrations / CI-CD Integration and Deployment tab.)
To run the examples you will need to create a cloudguard-config.json file with the cloudguard details in it.
You can log in to the cloudguard UI and grab the api-token and secret from the settings -> credentials page.
Cloudguard proact tool supports the following integrations:
Full documentation of cloudguard.yml can be found here.
basic :
cloudguard proact -i cloudguard/basic/cloudguard.yml
global :
With tags and global features override:
cloudguard proact -i cloudguard/global/cloudguard.yml
function :
With function skip and per function features override:
cloudguard proact -i cloudguard/function/cloudguard.yml
layers :
A function with locally defined layers:
cloudguard proact -i cloudguard/layers/cloudguard.yml
First, install the cloudguard plugin:
cd ./serverless
npm install
Note that you will need to copy the file cloudguard-config.json to every serverless example directory you want to run.
Each copy holds the api-token and secret, so keep these files out of version control.
basic :
cd ./serverless/basic
sls package
global :
With tags and global features override:
cd ./serverless/global
sls package
function :
With function skip and per function features override:
cd ./serverless/function
sls package
We will use the CloudFormation template to extract the function properties.
To scan the function code, the tool looks for the CodeLocation property, which points to the local path of the function code.
If the CodeLocation key is missing, the tool will try to download the code from the S3 location.
The cloudguard.yml will point to the CloudFormation template file.
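A pre-flight check for the CodeLocation behaviour described above, as an added example (not the cloudguard tool's own code): for each Lambda function in a JSON CloudFormation template it reports whether the code would come from a local path or from S3. The placement of CodeLocation under the function's Properties, the name classify_functions and the sample template are assumptions made for this example.

```python
import json
import os

# Constructed sample template (not from the page). Placing CodeLocation under
# the function's Properties is an assumption made for this example.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "FuncLocal": {"Type": "AWS::Lambda::Function",
                      "Properties": {"CodeLocation": "."}},
        "FuncMissing": {"Type": "AWS::Lambda::Function",
                        "Properties": {"CodeLocation": "./constructed-missing-dir"}},
        "FuncS3": {"Type": "AWS::Lambda::Function",
                   "Properties": {"Code": {"S3Bucket": "example-bucket",
                                           "S3Key": "func.zip"}}},
        "FuncParam": {"Type": "AWS::Lambda::Function",
                      "Properties": {"Code": {"S3Bucket": {"Ref": "BucketParam"},
                                              "S3Key": "func.zip"}}},
        "Bucket": {"Type": "AWS::S3::Bucket"},
    }
})


def classify_functions(template_text, base_dir="."):
    """Map each Lambda logical ID to (source, detail) for its code."""
    resources = json.loads(template_text).get("Resources", {})
    report = {}
    for name, res in resources.items():
        if res.get("Type") != "AWS::Lambda::Function":
            continue
        props = res.get("Properties") or {}
        location = props.get("CodeLocation")
        if location is not None:
            # Local path: confirm it exists before relying on a local scan.
            path = os.path.normpath(os.path.join(base_dir, location))
            state = "local" if os.path.exists(path) else "local-missing"
            report[name] = (state, path)
            continue
        code = props.get("Code") or {}
        bucket, key = code.get("S3Bucket"), code.get("S3Key")
        if isinstance(bucket, str) and isinstance(key, str):
            report[name] = ("s3", "s3://%s/%s" % (bucket, key))
        elif bucket is not None and key is not None:
            # Ref / Fn::Sub etc.: the location depends on template parameters.
            report[name] = ("s3-intrinsic", json.dumps(code, sort_keys=True))
        else:
            report[name] = ("unresolved", "no CodeLocation and no S3 reference")
    return report
```

Functions reported as local-missing or unresolved are the ones to fix before running the scan, since no code can be located for them.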
basic :
cloudguard proact -i cloudformation/basic/cloudguard.yml
global :
YAML CloudFormation template with features override:
cloudguard proact -i cloudformation/global/cloudguard.yml
With cloudformation parameters:
cloudguard proact -i cloudformation/parameters/cloudguard.yml
function :
With function properties override and job tags:
cloudguard proact -i cloudformation/function/cloudguard.yml
In this case we will add a Cloudguard section to the CloudFormation template, under the Metadata block.
This section can contain all the information as in a cloudguard.yml file.
global :
With features override in the CloudFormation template:
Note: To properly run this example, change the bucket name and key to a real S3 location.
cloudguard proact -C cloudformation/cloudformation_only/global/template.yaml
function :
With function properties override in the CloudFormation template:
cloudguard proact -C cloudformation/cloudformation_only/function/cf.json
We will use the SAM template to extract the functions and each function's properties.
An additional cloudguard.yml is optional and will be used for overrides of features and function properties.
The cloudguard.yml will point to the SAM template file.
basic :
No need to specify the functions in the cloudguard.yml file:
cloudguard proact -i sam/with_cloudguard/basic/cloudguard.yml
With Sam template parameters:
cloudguard proact -i sam/with_cloudguard/parameters/cloudguard.yml
function :
With functions list and function properties override:
cloudguard proact -i sam/with_cloudguard/function/cloudguard.yml
layers :
A function with local and remote layers:
cloudguard proact -i sam/with_cloudguard/layers/cloudguard.yml
In this case we will add a Cloudguard section to the SAM template.
This section can contain all the sections and information as in a cloudguard.yml file.
global :
With tags and features override in the SAM template:
cloudguard proact -m sam/sam_only/global/template.yaml
function :
With function properties override in the SAM template:
cloudguard proact -m sam/sam_only/function/template.yaml
We will use the Azure Pipelines YAML file to extract the function properties.
The cloudguard tool will parse only the LambdaDeployFunction tasks from the pipeline file.
In addition, cloudguard.yml will point to the Azure Pipelines file.
basic :
Note: To properly run this example, change the role ARN in azure-pipelines.yml to a real role ARN.
cloudguard proact -i azure-pipelines/basic/cloudguard.yml
function :
With additional functions and function properties override:
cloudguard proact -i azure-pipelines/function/cloudguard.yml
Cloudguard.yml Template
The entire template of cloudguard.yml can be found here:
cloudguard/template/cloudguard.yml