Campaign Agent
Host an agent to scan for policy violations in your environment, securely
Last updated
Host an agent to scan for policy violations in your environment, securely
Last updated
If Campaigns is not enabled for your account. Login to Resourcely -> Campaigns -> Request Access
Once Campaigns is activated for your account, you'll need to set up the Resourcely Campaign Agent, a lightweight Docker container. The agent's primary goal is to continuously fetch your Terraform state files and scan them for guardrail violations and sends the findings back to Resourcely. For the Agent to work, it must have access to your Terraform state file storage.
Resourcely places a high priority on the security of customers' state files. For that reason, the Campaign Agent proxy scanner is designed to operate entirely within the customer's environment. This approach ensures that the state file is scanned locally using the resourcely-cli, maintaining strict data security. Any findings are securely sent back to Resourcely, without granting direct access to the customer's state file.
The agent requires the following environment variables for authentication. to obtain RESOURCELY_NGROK_TUNNEL_SEED and RESOURCELY_NGROK_TOKEN login to Resourcely → Settings → Campaign settings → update settings → Provision ngrok.
Please copy both RESOURCELY_NGROK_TUNNEL_SEED and RESOURCELY_NGROK_TOKEN as you will not be able to retrieve them again if you navigate away from the page.
For the RESOURCELY_API_TOKEN (Generate this in Resourcely: Settings → Generate API Token → CI Runner → Generate Token)
Optional Environment Variables
SPACELIFT_API_TOKEN (used for Spacelift state integration)
TF_API_TOKEN (used for HCP Terraform state integration)
Ensure the following egress rules are configured for the container running the agent:
Port 443 to tunnel.<region>.proxy.resourcely.io (Regions: in, us, us-cal-1, eu, au, ap, jp).
Port 443 to api.resourcely.io.
Next you will have two options to deploy the container, either Kubernetes route or docker-compose:
You can use docker-compose.yml to run the container with the required environment variables and configurations, similar to what’s specified in the Kubernetes deployment.yaml file:
Replace the placeholders in angle brackets (<...>) with your actual values. Now run:
Directly with Docker
For a config root to be configured for campaigns, it will need to have the following block. If the config root has multiple environments, then it needs this block in each environment, similarly to how context is managed.
For other state file support check out State File Support
Once you set everything, you can confirm that campaigns is configured by
Navigate to Metrics → Integrations.
Confirm all integrations are marked green.
Congratulations! Your next step is to create your Remediate policy violations in existing infrastructure, and then Remediate Resources!
The Resourcely Campaign agent needs to authenticate with both and Resourcely. To do so, the following environment variables should be supplied.
For all environments that have the campaigns-agent configured, the last piece is to ensure that the source for the state file is associated with the config root in the .
Make sure to run "" when you update your resourcely.yaml file
