Campaign Agent
Last updated
Last updated
If Campaigns is not enabled for your account. Login to Resourcely -> Campaigns -> Request Access
Once Campaigns is activated for your account, you'll need to set up the Resourcely Campaign Agent, a lightweight Docker container. The agent's primary goal is to continuously fetch your Terraform state files and scan them for guardrail violations and sends the findings back to Resourcely. For the Agent to work, it must have access to your Terraform state file storage.
Resourcely places a high priority on the security of customers' state files. For that reason, the Campaign Agent proxy scanner is designed to operate entirely within the customer's environment. This approach ensures that the state file is scanned locally using the resourcely-cli
, maintaining strict data security. Any findings are securely sent back to Resourcely, without granting direct access to the customer's state file.
The Resourcely Campaign agent needs to authenticate with both ngrok and Resourcely. To do so, the following environment variables should be supplied.
The agent requires the following environment variables for authentication. to obtain RESOURCELY_NGROK_TUNNEL_SEED
and RESOURCELY_NGROK_TOKEN
login to Resourcely → Settings → Campaign settings → update settings → Provision ngrok.
Please copy both RESOURCELY_NGROK_TUNNEL_SEED
and RESOURCELY_NGROK_TOKEN
as you will not be able to retrieve them again if you navigate away from the page.
For the RESOURCELY_API_TOKEN
(Generate this in Resourcely: Settings → Generate API Token → CI Runner → Generate Token
)
Optional Environment Variables
SPACELIFT_API_TOKEN
(used for Spacelift state integration)
TF_API_TOKEN
(used for HCP Terraform state integration)
Ensure the following egress rules are configured for the container running the agent:
Port 443 to tunnel.<region>.proxy.resourcely.io
(Regions: in
, us
, us-cal-1
, eu
, au
, ap
, jp
).
Port 443 to api.resourcely.io
.
Next you will have two options to deploy the container, either Kubernetes route or docker-compose:
You can use docker-compose.yml to run the container with the required environment variables and configurations, similar to what’s specified in the Kubernetes deployment.yaml file:
Replace the placeholders in angle brackets (<...>) with your actual values. Now run:
Directly with Docker
For all environments that have the campaigns-agent configured, the last piece is to ensure that the source for the state file is associated with the config root in the .resourcely.yaml.
For a config root to be configured for campaigns, it will need to have the following block. If the config root has multiple environments, then it needs this block in each environment, similarly to how context is managed.
Make sure to run "queue scan" when you update your resourcely.yaml file
For other state file support check out State File Support
Once you set everything, you can confirm that campaigns is configured by
Navigate to Metrics → Integrations
.
Confirm all integrations are marked green.
Congratulations! Your next step is to create your First Campaign, and then Remediate Resources!