Campaign Agent

To start using Campaigns, you'll need to set up the Resourcely Campaign Agent, a lightweight Docker container. The agent's primary goal is to continuously fetch your Terraform state files and scan them for guardrail violations and sends the findings back to Resourcely. For the Agent to work, it must have access to your Terraform state file storage.

Currently, only AWS S3 buckets are supported for state file scanning, but support for additional terraform remote states is coming soon.

Why Resourcely Campaign Agent?

Resourcely places a high priority on the security of customers' state files. For that reason, the Campaign Agent proxy scanner is designed to operate entirely within the customer's environment. This approach ensures that the state file is scanned locally using the resourcely-cli, maintaining strict data security. Any findings are securely sent back to Resourcely, without granting direct access to the customer's state file.

Setting up Resourcely Campaign Agent

Networking Configuration

Ensure the following egress rules are configured for the container running the agent:

Port 443 to tunnel.<region>.proxy.resourcely.io (Regions: in, us, us-cal-1, eu, au, ap, jp).
Port 443 to api.resourcely.io.

IAM Policy

Grant the agent read-only access to the S3 bucket containing your Terraform state file:

s3:GetObject
s3:GetObjectVersion
s3:ListBucket

Alternatively, attach the AWS canned policy AmazonS3ReadOnlyAccess.

Example Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"],
            "Resource": "<arn_of_s3_bucket_with_state_files>"
        }
    ]
}

Deploying Resourcely Campaign Agent

The Resourcely Campaign agent needs to authenticate with both ngrok and Resourcely. To do so, the following environment variables should be supplied.

Environment Variables

The agent requires the following environment variables for authentication. Please contact the Resourcely team to request access to campaigns and securely obtain these, pick option "Request Campaigns Access" :

RESOURCELY_NGROK_EDGE
RESOURCELY_NGROK_TOKEN
RESOURCELY_API_TOKEN (Generate this in Resourcely: Settings → Generate API Token → CI Runner → Generate Token)

Deployment Options

Next you will have two options to deploy the container, either Kubernetes route or docker-compose:

Option 1: Kubernetes

# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: campaigns-agent
  name: campaigns-agent
spec:
  replicas: 1
  selector:
    matchLabels:
      app: campaigns-agent
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: campaigns-agent
    spec:
      containers:
      - image: ghcr.io/resourcely-inc/campaigns-agent:latest
        name: campaigns-agent
        env:
          - name: RESOURCELY_NGROK_EDGE
            value: <RESOURCELY_NGROK_EDGE>
          - name: RESOURCELY_NGROK_TOKEN
            value: <TOKEN>
          - name: RESOURCELY_API_TOKEN
            value: <TOKEN>

# kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - deployment.yaml

Option 2: Docker Compose

You can use docker-compose.yml to run the container with the required environment variables and configurations, similar to what’s specified in the Kubernetes deployment.yaml file:

version: '3.8'

services:
  campaigns-agent:
    image: ghcr.io/resourcely-inc/campaigns-agent:latest
    container_name: campaigns-agent
    environment:
      - RESOURCELY_NGROK_EDGE=<RESOURCELY_NGROK_EDGE>
      - RESOURCELY_NGROK_TOKEN=<TOKEN>
      - RESOURCELY_API_TOKEN=<TOKEN>
    restart: unless-stopped

Replace the placeholders in angle brackets (<...>) with your actual values.

Running the Agent

Using Docker Compose

docker-compose up -d

Directly with Docker


docker run -d \\
  --name campaigns-agent \\
  -e RESOURCELY_NGROK_EDGE=<RESOURCELY_NGROK_EDGE> \\
  -e RESOURCELY_NGROK_TOKEN=<TOKEN> \\
  -e RESOURCELY_API_TOKEN=<TOKEN> \\
  ghcr.io/resourcely-inc/campaigns-agent:latest

Configuration Changes

.resourcely.yaml Setup

For all environments that have the campaigns-agent configured, the last piece is to ensure that the source for the state file is associated with the config root in the .resourcely.yaml.
For a config root to be configured for campaigns, it will need to have the following block. If the config root has multiple environments, then it needs this block in each environment, similarly to how context is managed.

# Required
version: "2"

# Array of Terraform config roots that Resourcely should care about
terraform_config_roots:
  -
    name: basic
    default_file: main.tf
    path: .
    skip: false
    campaign_config:
      state_file_config:
        s3:
          path: s3://campaigns-terraform-state/terraform.tfstate

Make sure to run "queue scan" when you update your resourcely.yaml file

Validating the setup

Once you set everything, you can confirm that campaigns is configured by

Navigate to Metrics → Integrations.
Confirm all integrations are marked green.

Next steps

Congratulations! Your next step is to create your First Campaign, and then Remediate Resources!

PreviousAzure Repos NextRunning Campaigns with GitHub Actions and a Repo-Hosted State File

Last updated 3 days ago