Merge pull request #46 from seawildau/centos-build

cfn-guard-lambda CentOS / RedHat builds
aws-cloudformation · Jul 29, 2020 · 18fb11e · 18fb11e
2 parents a0beae0 + 55303f7
commit 18fb11e
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 10 deletions.
diff --git a/cfn-guard-lambda/Makefile b/cfn-guard-lambda/Makefile
@@ -1,4 +1,5 @@
 UNAME_S := $(shell uname -s)
+SYSTEM_RELEASE := $(shell cat /etc/system-release 2>/dev/null || echo 'Unknown')
 project_name = cfn-guard-lambda
 role_arn := ${CFN_GUARD_LAMBDA_ROLE_ARN}
 request_payload_fail = '{ "template": "{\n    \"Resources\": {\n        \"NewVolume\" : {\n            \"Type\" : \"AWS::EC2::Volume\",\n            \"Properties\" : {\n                \"Size\" : 100,\n                \"Encrypted\": true,\n                \"AvailabilityZone\" : \"us-east-1b\"\n            }\n        },\n        \"NewVolume2\" : {\n            \"Type\" : \"AWS::EC2::Volume\",\n            \"Properties\" : {\n                \"Size\" : 99,\n                \"Encrypted\": true,\n                \"AvailabilityZone\" : \"us-east-1b\"\n            }\n        } }\n}",\
@@ -131,15 +132,19 @@ pre-reqs:
 	rustup target add x86_64-unknown-linux-musl
     ifeq ($(UNAME_S),Linux)
 		@echo This is a $(UNAME_S) machine...
-        ifeq "$(shell lsb_release -si)" "Ubuntu"
+        ifeq "$(shell echo '$(SYSTEM_RELEASE)' | grep -v 'Amazon Linux')" ""
+			@echo Distro is Amazon Linux.
+			sudo yum install -y jq gcc zip
+        else ifeq "$(shell echo '$(SYSTEM_RELEASE)' | grep -v 'CentOS Linux')" ""
+			@echo Distro is CentOS.
+			sudo yum install -y jq gcc zip musl-devel
+        else ifeq "$(shell echo '$(SYSTEM_RELEASE)' | grep -v 'Red Hat Enterprise Linux')" ""
+			@echo Distro is RHEL.
+			sudo yum install -y jq gcc zip musl-devel
+        else ifeq "$(shell lsb_release -si)" "Ubuntu"
 			@echo Distro is Ubuntu
 			sudo apt install jq musl-dev musl-tools zip awscli build-essential
 			sudo ln -s /usr/bin/musl-gcc /usr/local/bin/x86_64-linux-musl-gcc
-        else
-			@echo Distro is CentOS. Support coming soon.
-			# sudo yum install jq
-			# sudo yum install equivalent of musl-dev musl-tools
-			# sudo ln -s /usr/bin/musl-gcc /usr/local/bin/x86_64-linux-musl-gcc
         endif
     endif
     ifeq ($(UNAME_S),Darwin)

diff --git a/cfn-guard-lambda/README.md b/cfn-guard-lambda/README.md
@@ -18,6 +18,7 @@ The primary interface for building and deploying the tool is the [Makefile](Make
 * [Rust](https://rustup.rs/) (See the installation instructions in the [top-level README](../README.md#install-rust))
 * If building on a Mac, you'll need [Homebrew](https://brew.sh/).  
 * If building on Ubuntu, you'll need to run `sudo apt-get update; sudo apt install build-essential` if you haven't already
+* If building on CentOS/RHEL you'll need to add the `musl-libc` package repository to your yum config (see https://copr.fedorainfracloud.org/coprs/ngompa/musl-libc/)
 
 ### Mac/Ubuntu
 1. Install and configure the [dependencies](#dependencies).
@@ -129,7 +130,7 @@ Requests to `cfn-guard-lambda` require the following 3 fields:
 #### Example
 There are example payloads in the [Makefile](Makefile).  Here's one we use to test a rule set that should not pass:
 
-``` 
+```
 request_payload_fail = '{ "template": "{\n    \"Resources\": {\n        \"NewVolume\" : {\n            \"Type\" : \"AWS::EC2::Volume\",\n            \"Properties\" : {\n                \"Size\" : 100,\n                \"Encrypted\": true,\n                \"AvailabilityZone\" : \"us-east-1b\"\n            }\n        },\n        \"NewVolume2\" : {\n            \"Type\" : \"AWS::EC2::Volume\",\n            \"Properties\" : {\n                \"Size\" : 99,\n                \"Encrypted\": true,\n                \"AvailabilityZone\" : \"us-east-1b\"\n            }\n        } }\n}",\
                      "ruleSet": "let require_encryption = true\nlet disallowed_azs = [us-east-1a,us-east-1b,us-east-1c]\n\nAWS::EC2::Volume AvailabilityZone NOT_IN %disallowed_azs\nAWS::EC2::Volume Encrypted != %require_encryption\nAWS::EC2::Volume Size == 101 |OR| AWS::EC2::Volume Size == 99\nAWS::IAM::Role AssumeRolePolicyDocument.Version == 2012-10-18\nAWS::EC2::Volume Lorem == true\nAWS::EC2::Volume Encrypted == %ipsum\nAWS::EC2::Volume AvailabilityZone != /us-east-.*/",\
                       "strict_checks": true}'
@@ -177,7 +178,7 @@ request_payload_fail = '{ "template": "{\n    \"Resources\": {\n        \"NewVol
 ## FAQ
 
 * **Q: How do I troubleshoot a lambda call returning an opaque error message like:**
-	
+
 	```
 	{"errorType": "Runtime.ExitError", "errorMessage": "RequestId: 1c0c0620-0f83-40bc-8eca-3cf2cf24820f Error: Runtime exited with error: exit status 101"}
 	```
@@ -187,6 +188,5 @@ request_payload_fail = '{ "template": "{\n    \"Resources\": {\n        \"NewVol
 	```
 	thread 'main' panicked at 'Bad Rule Operator: REQUIRE', src/rule_proc.rs:344:2
 	```
-	
-	We will be working to improve the quality of lambda messages, but as a general rule, `cfn-guard-lambda` is just a wrapper for the `cfn-guard` code and each can be used to test the other.
 
+	We will be working to improve the quality of lambda messages, but as a general rule, `cfn-guard-lambda` is just a wrapper for the `cfn-guard` code and each can be used to test the other.