Installing Guard as an Amazon Lambda function - Amazon CloudFormation Guard

Installing Guard as an Amazon Lambda function

You can install Amazon CloudFormation Guard through Cargo, the Rust package manager. Guard as an Amazon Lambda function (cfn-guard-lambda) is a lightweight wrapper around Guard (cfn-guard) that can be used as a Lambda function.

Prerequisites

Before you can install Guard as a Lambda function, you must fulfill the following prerequisites:

  • Amazon Command Line Interface (Amazon CLI) configured with permissions to deploy and invoke Lambda functions. For more information, see Configuring the Amazon CLI.

  • An Amazon Lambda execution role in Amazon Identity and Access Management (IAM). For more information, see Amazon Lambda execution role.

  • In CentOS/RHEL environments, add the musl-libc package repository to your yum config. For more information, see ngompa/musl-libc.

Install the Rust package manager

Cargo is the Rust package manager. Complete the following steps to install Rust, which includes Cargo.

  1. Run the following command from a terminal, and then follow the onscreen instructions to install Rust.

    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
    1. (Optional) For Ubuntu environments, run the following command.

      sudo apt-get update; sudo apt install build-essential
  2. Configure your PATH environment variable, and run the following command.

    source $HOME/.cargo/env

Install Guard as a Lambda function (Linux, macOS, or Unix)

To install Guard as a Lambda function, complete the following steps.

  1. From your command terminal, run the following command.

    cargo install cfn-guard-lambda
    1. (Optional) To confirm the installation of Guard as a Lambda function, run the following command.

      cfn-guard-lambda --version

      The command returns the following output.

      cfn-guard-lambda 3.1.2
  2. To install musl support, run the following command.

    rustup target add x86_64-unknown-linux-musl
  3. To build with musl, run the following command in your terminal.

    cargo build --release --target x86_64-unknown-linux-musl

    For a custom runtime, Amazon Lambda requires an executable named bootstrap in the deployment package .zip file. Rename the generated cfn-guard-lambda executable to bootstrap and then add it to the .zip archive.

    1. For macOS environments, create your cargo configuration file in the root of the Rust project or in ~/.cargo/config.

      [target.x86_64-unknown-linux-musl]
      linker = "x86_64-linux-musl-gcc"
  4. Change to the cfn-guard-lambda root directory.

    cd ~/.cargo/bin/cfn-guard-lambda
  5. Run the following command in your terminal.

    cp ./../target/x86_64-unknown-linux-musl/release/cfn-guard-lambda ./bootstrap && zip lambda.zip bootstrap && rm bootstrap
  6. Run the following command to submit cfn-guard as a Lambda function to your account.

    aws lambda create-function --function-name cfnGuard \
      --handler guard.handler \
      --zip-file fileb://./lambda.zip \
      --runtime provided \
      --role arn:aws-cn:iam::444455556666:role/your_lambda_execution_role \
      --environment Variables={RUST_BACKTRACE=1} \
      --tracing-config Mode=Active

To build and run Guard as a Lambda function

To invoke the submitted cfn-guard-lambda as a Lambda function, run the following command.

aws lambda invoke --function-name cfnGuard \
  --payload '{"data":"input data","rules":["rule1","rule2"]}' \
  output.json

Lambda function request structure

Requests to cfn-guard-lambda require the following fields:

  • data – The string version of the YAML or JSON template

  • rules – The string version of the rule set file
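The invoke command above embeds the request inline; for a real template the easier and safer route is to write the payload to a file and pass it with --payload fileb://. The following Python helper is an added example, not part of the Guard documentation or project: it builds and validates the request body (both fields must be the raw template and rule text as strings, not parsed objects) from a constructed sample template and Guard rule, and produces the matching invoke command.

```python
import json
import shlex

# Constructed sample inputs (not from the documentation): a small template
# in YAML and one Guard rule file, each kept as raw text.
SAMPLE_TEMPLATE = """\
Resources:
  LogBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
"""
SAMPLE_RULE = """\
let buckets = Resources.*[ Type == 'AWS::S3::Bucket' ]
rule s3_encryption_enabled when %buckets !empty {
    %buckets.Properties.BucketEncryption exists
}
"""


def validate_payload(payload: dict) -> list:
    """Return the problems with a cfn-guard-lambda request; [] means well-formed."""
    problems = []
    # `data` is the *text* of the template, not the parsed YAML/JSON object.
    if not isinstance(payload.get("data"), str):
        problems.append("data must be the template text as a single string")
    rules = payload.get("rules")
    if not isinstance(rules, list) or not rules or not all(isinstance(r, str) for r in rules):
        problems.append("rules must be a non-empty list of rule-file strings")
    return problems


def build_payload(template_text, rule_texts) -> str:
    """Serialize a validated request body; write it to a file for --payload fileb://."""
    payload = {"data": template_text, "rules": list(rule_texts)}
    problems = validate_payload(payload)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(payload)


def invoke_command(function_name: str, payload_path: str, out: str = "output.json") -> str:
    """The aws lambda invoke command that sends the payload file to the function."""
    return (f"aws lambda invoke --function-name {shlex.quote(function_name)} "
            f"--payload fileb://{shlex.quote(payload_path)} {shlex.quote(out)}")
```

Write the result of build_payload(SAMPLE_TEMPLATE, [SAMPLE_RULE]) to payload.json, then run the string returned by invoke_command("cfnGuard", "payload.json").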