This repository was archived by the owner on Apr 19, 2023. It is now read-only.

Issue with "Serverless Runtime Policy" TW_POLICY: Missing Documentation #258

@Especially

Description

Describe the problem

Currently we are automating our Twistlock deployment process through custom Terraform modules that we've created. Defending against and assessing any vulnerabilities related to our AWS Lambda functions, for example, requires us to create a Lambda Layer to append the NodeJS twistlock.handler function. In order to achieve this, we make a cURL request to obtain our images/twistlock_defender_layer.zip file. However, the configuration will only work if we have the following environment variables:

  • ORIGINAL_HANDLER - Which points to the original handler if Twistlock is enabled for that Lambda resource
  • TW_POLICY - Which provides the Twistlock function with the configuration as a base64 encoded string.

The Issue

The issue we currently have, in order to fully automate this process as part of our CI/CD, is that there is no properly documented way of obtaining the TW_POLICY without using the Console UI. After inspecting the network calls, I found that when generating the policy, there's a payload sent to a specific endpoint which isn't documented under Policies.

Suggested fix

After inspecting the calls, it was found that a POST request is made to the console:
{{CONSOLE_URL}}/{{CONSOLE_ID}}/api/v1/policies/runtime/serverless/encode

With the following payload:

{
    "consoleAddr": "us-west1.cloud.twistlock.com",
    "function": "LAMBDA_NAME",
    "provider": "CLOUD_PROVIDER",
    "region": "CLOUD_REGION"
}

Response:

{
    "data": "TW_POLICY_BASE64"
}

The suggestion is to update the documentation to reflect that additional endpoint which should be available via the API. If there proves to be an issue with this approach, please advise as we believe this is the best way to obtain the policy.
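The following is an added example of how the undocumented encode call described above could be driven from a CI/CD step; it is not code from the issue author or from Twistlock. It assumes the console accepts a bearer token in the Authorization header (an assumption; substitute whatever authentication your console uses), that `provider` takes a value such as "aws", and that the only thing a pipeline needs from the response is the `data` string, which it validates as base64 before handing it to the Lambda environment alongside ORIGINAL_HANDLER. Nothing about the decoded content of TW_POLICY is assumed.

```python
"""Obtain TW_POLICY for a Lambda via the serverless encode endpoint.

Added example, not code from the issue author or from Twistlock.
Assumptions (not confirmed by the issue):
  * the console accepts "Authorization: Bearer <token>";
  * "provider" is a short cloud name such as "aws".
"""
import base64
import binascii
import json
import urllib.request

# Path observed in the issue, relative to {CONSOLE_URL}/{CONSOLE_ID}
ENCODE_PATH = "/api/v1/policies/runtime/serverless/encode"


def build_encode_request(console_addr, function_name, provider, region):
    """Build the JSON payload the console UI sends to the encode endpoint."""
    for name, value in (("consoleAddr", console_addr), ("function", function_name),
                        ("provider", provider), ("region", region)):
        if not isinstance(value, str) or not value:
            raise ValueError(f"{name} must be a non-empty string")
    return {
        "consoleAddr": console_addr,
        "function": function_name,
        "provider": provider,
        "region": region,
    }


def extract_policy(response_body):
    """Pull `data` out of the response and check that it is well-formed base64.

    The layer consumes TW_POLICY as a base64 string, so a truncated or
    HTML error body should fail here rather than at Lambda invocation time.
    """
    doc = json.loads(response_body)
    policy = doc.get("data") if isinstance(doc, dict) else None
    if not isinstance(policy, str) or not policy:
        raise ValueError("encode response has no 'data' field")
    try:
        base64.b64decode(policy, validate=True)
    except binascii.Error as exc:
        raise ValueError("TW_POLICY is not valid base64") from exc
    return policy


def fetch_tw_policy(console_url, console_id, token, console_addr,
                    function_name, provider, region, timeout=30):
    """POST to the encode endpoint and return the TW_POLICY string."""
    url = f"{console_url.rstrip('/')}/{console_id}{ENCODE_PATH}"
    if not url.startswith("https://"):
        # The call carries console credentials; never send them in clear.
        raise ValueError("console URL must use https")
    body = json.dumps(build_encode_request(
        console_addr, function_name, provider, region)).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"})  # assumed auth scheme
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return extract_policy(resp.read())


def lambda_environment(original_handler, tw_policy):
    """Environment block for a function whose handler is switched to twistlock.handler."""
    return {"ORIGINAL_HANDLER": original_handler, "TW_POLICY": tw_policy}


# Constructed sample response so the parsing path can be exercised offline.
SAMPLE_POLICY = base64.b64encode(b'{"sample": true}').decode()
SAMPLE_RESPONSE = json.dumps({"data": SAMPLE_POLICY}).encode()

if __name__ == "__main__":
    policy = extract_policy(SAMPLE_RESPONSE)
    print(json.dumps(lambda_environment("index.handler", policy), indent=2))
```

In a pipeline the returned mapping is what gets fed into the function's environment variables in Terraform, with the console token sourced from a secret store rather than a variable file; the explicit https check and the base64 validation are the two failure modes worth catching before a deploy rather than after.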
