Discover and Publish Resources hosted in AWS
- Updated on May 20, 2024
Overview
This article describes how to use Amazon Web Services (AWS) serverless tooling (AWS Lambda and Amazon EventBridge) to regularly and automatically synchronize your AWS resources into the Cloud Secure Edge (CSE) inventory. You can then publish the discovered resources that your end users need to access as specific CSE services.
If you wish to run the discovery scripts manually or create your own custom automation workflows, you can use our open-source pybanyan tool. Review the docs on AWS Workflows to leverage the Boto3 AWS SDK for Python to synchronize AWS resources into CSE’s inventory.
Prerequisites
Before proceeding through the steps below, ensure you have:
- Administrator access to your AWS account with the AWS CLI installed and configured
- API credentials to interact with the CSE (formerly Banyan) API
Steps
Step 1. Create an IAM User for programmatic access
In the AWS console, navigate to IAM.
- AmazonEC2ReadOnlyAccess
- AmazonRDSReadOnlyAccess
- ElasticLoadBalancingReadOnly
Download the credentials for future use.
Step 2. Upload the discovery container to your Amazon ECR repository
We’ll leverage AWS Lambda’s support for container images for our discovery workflow. Note that AWS Lambda can only run containers that are located in your private Amazon Elastic Container Registry (ECR) repository in your account.
Download the iaas-discovery-aws container from Banyan’s registry and upload it into your ECR registry. Be sure to set the region and URL correctly for your private ECR repository.
$> aws ecr create-repository --repository-name iaas-discovery-aws
$> docker pull gcr.io/banyan-pub/iaas-discovery-aws:latest
$> docker tag gcr.io/banyan-pub/iaas-discovery-aws:latest 123412341234.dkr.ecr.us-west-2.amazonaws.com/iaas-discovery-aws:latest
$> aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 123412341234.dkr.ecr.us-west-2.amazonaws.com
$> docker push 123412341234.dkr.ecr.us-west-2.amazonaws.com/iaas-discovery-aws:latest
Step 3. Create a Lambda
3.1 In the AWS console, navigate to Lambda.
3.2 Click on Create function and enter deployment details.
3.3 Go into Configuration > Environment variables and enter the parameters needed for the container.
You must specify:
- BANYAN_API_URL = URL of your Banyan Command Center
- BANYAN_REFRESH_TOKEN = Credential for API access to the Banyan Command Center
- RESOURCE_TYPE = all or vm or rds or elb, to indicate the types of AWS resources to sync
You may also optionally specify parameters to discover more specific resources:
- REGION = only sync resources in this AWS Region
- TAG_NAME = only sync resources with this tag name
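A pre-deployment check for the environment variables listed above, given as an added example that is not part of the original article or Banyan's own code. The function names, the https requirement on BANYAN_API_URL, the flagging of unlisted names and the sample values are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse

REQUIRED = ("BANYAN_API_URL", "BANYAN_REFRESH_TOKEN", "RESOURCE_TYPE")
OPTIONAL = ("REGION", "TAG_NAME")
RESOURCE_TYPES = {"all", "vm", "rds", "elb"}


def check_discovery_env(env):
    """Return a list of problems found in the proposed Lambda environment."""
    problems = []
    for name in REQUIRED:
        if not env.get(name, "").strip():
            problems.append(f"{name} is required but missing or empty")
    rtype = env.get("RESOURCE_TYPE", "")
    if rtype and rtype not in RESOURCE_TYPES:
        problems.append(f"RESOURCE_TYPE={rtype!r} is not one of {sorted(RESOURCE_TYPES)}")
    url = env.get("BANYAN_API_URL", "")
    if url:
        parsed = urlparse(url)
        # Assumption: the refresh token should only be sent over TLS.
        if parsed.scheme != "https" or not parsed.hostname:
            problems.append("BANYAN_API_URL should be an https:// URL with a host")
    for name in env:
        # Assumption: a name the article does not list (for example a
        # misspelled TAG_NAME) would not act as a filter, so flag it.
        if name not in REQUIRED + OPTIONAL:
            problems.append(f"{name} is not a parameter listed for the container")
    return problems


def lambda_environment(env):
    """Build the Lambda Environment structure as JSON, or raise on a bad config."""
    problems = check_discovery_env(env)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps({"Variables": dict(env)}, sort_keys=True)


# Constructed sample values, not real endpoints or credentials.
SAMPLE_OK = {"BANYAN_API_URL": "https://command-center.example.com",
             "BANYAN_REFRESH_TOKEN": "PLACEHOLDER_TOKEN",
             "RESOURCE_TYPE": "vm", "REGION": "us-west-2"}
SAMPLE_BAD = {"BANYAN_API_URL": "http://command-center.example.com",
              "RESOURCE_TYPE": "ec2", "TAGNAME": "discovery"}

if __name__ == "__main__":
    print(lambda_environment(SAMPLE_OK))
    for problem in check_discovery_env(SAMPLE_BAD):
        print("problem:", problem)
```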
Congrats! You have discovered your AWS resources and published them for your end-users. You can repeat this process as often as you need.