Resourcely Documentation
LoginSign Up
  • Get Started
    • 🎱What is Resourcely?
    • 👋Why Resourcely
    • 🏃Quickstart
      • Terraform policies integrated into CI
      • Remediate policy violations in existing infrastructure
      • Templates for generating Terraform
      • Glossary
  • Concepts
    • Foundry
      • Create Blueprints with Foundry
      • Creating Guardrails with Foundry
      • lmport Terraform Modules
    • Guardrails
      • Writing your own Guardrails
      • Editing Guardrails
      • Releasing Guardrails
      • Enabling Inactive Guardrails
      • Guardrails in Action
        • 🐱GitHub Actions
        • 🦊GitLab Pipelines
    • Campaigns
      • Get started with Campaigns
      • Creating Campaigns
      • Remediate Resources
      • Campaign Agent
        • State File Support
          • Amazon Simple Storage Service (S3)
          • Google Cloud Storage (GCS)
          • HCP Terraform
          • Spacelift
        • Running Campaigns with GitHub Actions and a Repo-Hosted State File
        • Running Campaigns Locally
    • Blueprints
      • Authoring Your Own Blueprints
      • Using Built-in Resourcely Blueprints
      • Configuring Global Contexts
      • Deep Linking
    • Resources
      • Provisioning Infrastructure
      • Editing Infrastructure
      • Shopping Cart
      • Config Roots and Environments
    • Other Features and Settings
      • Global Values
      • Global Context
      • Metrics
      • Resourcely-cli
      • Resourcely.yaml
      • VCS Proxy
      • Settings
        • User management
        • Company Information
        • Notification Settings
        • Change Management
          • 🐱Connect to GitHub
          • 🦊Connect to Gitlab
        • Generate API Token
    • ✨Production Setup
      • Single Sign-On (SSO)
        • Auth0
        • AWS Single Sign-On
        • Azure AD
        • Google Workspace
        • JumpCloud
        • Okta
        • Omnissa Workspace ONE (formerly VMware)
        • OneLogin
        • Ping Identity
        • Other SAML / OIDC Providers
      • Source Code Management
        • Page
        • 🐱GitHub
        • 🦊GitLab
        • Atlassian Bitbucket
        • Azure Repos
  • Tutorials and guides
    • Remediation Use Cases
      • Apply tags to resources for automating backups
      • Implement centralized logging
    • Blueprints Use Cases
      • Automate Data Pipeline Creation
      • Encryption for GCP
      • AWS Account Factory
      • Streamline and govern AI
      • IAM Factory
      • Cost optimization for FinOps
      • Guardrails for Terraform Modules
    • Using the Resourcely Terraform Provider
      • Setup Resourcely Provider
      • Blueprints
      • Guardrails
      • Global Context
  • Integrate
    • CI/CD & Terraform Runners
      • Atlantis
      • 🐟AWS CodeBuild
      • Azure Pipelines
      • Buildkite
      • CircleCI
      • CloudBees CI
      • Codefresh
      • Digger
      • Env0
      • 🎏GitHub Actions
        • 🐱Local Plan
          • 🐹AWS with OpenID Connect
        • 🐶Terraform Cloud Integration
      • 🦊GitLab Pipelines
      • Harness
      • 🗻HashiCorp Cloud Platform (formerly Terraform Cloud)
      • Jenkins
      • Octopus Deploy
      • Scalr
      • 🌌Spacelift
      • Terramate
      • 🌎Terrateam
    • Cloud Providers
      • 🌨️Amazon Web Services (AWS)
      • 🤓Google Cloud Platform (GCP)
        • Guardrail Gaunlet at Google Cloud Next 2025
      • 💾Microsoft Azure
      • Alibaba Cloud
      • Huawei Cloud
      • IBM Cloud
      • Oracle Cloud Infrastructure (OCI)
      • Tencent Cloud
      • VMware vSphere
    • Developer Portals
      • Atlassian Compass
      • Backstage
      • Cortex
      • Harness IDP
      • Home grown internal developer portals
      • OpsLevel
      • Port
      • Roadie
    • ITSM
      • Atlassian Jira
      • FreshWorks
      • ServiceNow ITSM
      • ZenDesk
    • CSPM
      • Wiz
    • More Terraform Provider Integrations
      • 🚂ConductorOne Provider
      • Databricks Provider
      • Kubernetes Provider
      • 🐕Datadog Provider
      • ❄️Snowflake Provider
Powered by GitBook
On this page
  • Why Resourcely Campaign Agent?
  • Setting up Resourcely Campaign Agent
  • Step 1: Deploying Resourcely Campaign Agent
  • Step 2: Configuration .resourcely.yaml Changes
  • Step 3: Validating the setup
  • Next steps
  1. Concepts
  2. Campaigns

Campaign Agent

Host an agent to scan for policy violations in your environment, securely

PreviousRemediate ResourcesNextState File Support

Last updated 2 months ago

If Campaigns is not enabled for your account. Login to Resourcely -> Campaigns -> Request Access

Once Campaigns is activated for your account, you'll need to set up the Resourcely Campaign Agent, a lightweight Docker container. The agent's primary goal is to continuously fetch your Terraform state files and scan them for guardrail violations and sends the findings back to Resourcely. For the Agent to work, it must have access to your Terraform state file storage.

Why Resourcely Campaign Agent?

Resourcely places a high priority on the security of customers' state files. For that reason, the Campaign Agent proxy scanner is designed to operate entirely within the customer's environment. This approach ensures that the state file is scanned locally using the resourcely-cli, maintaining strict data security. Any findings are securely sent back to Resourcely, without granting direct access to the customer's state file.

Setting up Resourcely Campaign Agent

Step 1: Deploying Resourcely Campaign Agent

a. Obtaining Environment Variables

The agent requires the following environment variables for authentication. to obtain RESOURCELY_NGROK_TUNNEL_SEED and RESOURCELY_NGROK_TOKEN login to Resourcely → Settings → Campaign settings → update settings → Provision ngrok.

Please copy both RESOURCELY_NGROK_TUNNEL_SEED and RESOURCELY_NGROK_TOKEN as you will not be able to retrieve them again if you navigate away from the page.

For the RESOURCELY_API_TOKEN (Generate this in Resourcely: Settings → Generate API Token → CI Runner → Generate Token)

Optional Environment Variables

  • SPACELIFT_API_TOKEN (used for Spacelift state integration)

  • TF_API_TOKEN (used for HCP Terraform state integration)

(b) Networking Configuration

Ensure the following egress rules are configured for the container running the agent:

  • Port 443 to tunnel.<region>.proxy.resourcely.io (Regions: in, us, us-cal-1, eu, au, ap, jp).

  • Port 443 to api.resourcely.io.

(c) Deployment Options

Next you will have two options to deploy the container, either Kubernetes route or docker-compose:

Option 1: Kubernetes

# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: campaigns-agent
  name: campaigns-agent
spec:
  replicas: 1
  selector:
    matchLabels:
      app: campaigns-agent
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: campaigns-agent
    spec:
      containers:
      - image: ghcr.io/resourcely-inc/campaigns-agent:latest
        name: campaigns-agent
        env:
          - name: RESOURCELY_NGROK_TUNNEL_SEED
            value: <RESOURCELY_NGROK_TUNNEL_SEED>
          - name: RESOURCELY_NGROK_TOKEN
            value: <TOKEN>
          - name: RESOURCELY_API_TOKEN
            value: <TOKEN>
# kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - deployment.yaml

Option 2: Docker Compose

You can use docker-compose.yml to run the container with the required environment variables and configurations, similar to what’s specified in the Kubernetes deployment.yaml file:

version: '3.8'

services:
  campaigns-agent:
    image: ghcr.io/resourcely-inc/campaigns-agent:latest
    container_name: campaigns-agent
    environment:
      - RESOURCELY_NGROK_TUNNEL_SEED=<RESOURCELY_NGROK_TUNNEL_SEED>
      - RESOURCELY_NGROK_TOKEN=<TOKEN>
      - RESOURCELY_API_TOKEN=<TOKEN>
    restart: unless-stopped

Replace the placeholders in angle brackets (<...>) with your actual values. Now run:

docker-compose up -d

Directly with Docker


docker run -d \
  --name campaigns-agent \
  -e RESOURCELY_NGROK_TUNNEL_SEED=<RESOURCELY_NGROK_TUNNEL_SEED> \
  -e RESOURCELY_NGROK_TOKEN=<TOKEN> \
  -e RESOURCELY_API_TOKEN=<TOKEN> \
  ghcr.io/resourcely-inc/campaigns-agent:latest

Step 2: Configuration .resourcely.yaml Changes

.resourcely.yaml Setup

  • For a config root to be configured for campaigns, it will need to have the following block. If the config root has multiple environments, then it needs this block in each environment, similarly to how context is managed.

# Required
version: "2"

# Array of Terraform config roots that Resourcely should care about
terraform_config_roots:
  -
    name: basic
    default_file: main.tf
    path: .
    skip: false
    campaign_config:
      state_file_config:
        s3:
          path: s3://campaigns-terraform-state/terraform.tfstate

For other state file support check out State File Support

Step 3: Validating the setup

Once you set everything, you can confirm that campaigns is configured by

  • Navigate to Metrics → Integrations.

  • Confirm all integrations are marked green.

Next steps

Congratulations! Your next step is to create your Remediate policy violations in existing infrastructure, and then Remediate Resources!

The Resourcely Campaign agent needs to authenticate with both and Resourcely. To do so, the following environment variables should be supplied.

For all environments that have the campaigns-agent configured, the last piece is to ensure that the source for the state file is associated with the config root in the .

Make sure to run "" when you update your resourcely.yaml file

ngrok
.resourcely.yaml
queue scan
provision ngrok to create necessary environment variables
seed and token required to setup the campaigns agent
Page after ngrok environment variables are created.