AWS
Our integration with AWS provides the ability to export your AWS resources to Port, according to your configuration. You can define the integration to run both on schedule and on events.
Our integration with AWS supports real-time event processing, this allows for an accurate real-time representation of your AWS infrastructure inside Port.
Port's AWS exporter is open source, view the source code here.
💡 AWS exporter common use cases​
Our AWS exporter allows you to easily enrich your software catalog with data from your AWS accounts, for instance:
- Map resources in your accounts, including S3 buckets, lambda functions, SQS queues, RDS DB instances, ECS services and many other resource types.
- Use relations to create a complete, easily digestible map of your AWS accounts inside Port.
How it works​
Port's AWS exporter can retrieve all the resources supported by the AWS Cloud Control API.
The open source AWS exporter allows you to perform extract, transform, load (ETL) on data from AWS into the desired software catalog data model.
The exporter is deployed using an AWS serverless application that is installed on the account.
The serverless application requires a JSON configuration file to describe the ETL process to load data into the developer portal, and an IAM policy with the necessary permissions to list and read the configured resources.
The exporter makes use of JQ JSON processor to select, modify, concatenate, transform and perform other operations on existing fields and values from the AWS objects.
Exporter config.json file​
The config.json file is how you specify the exact resources you want to export from your AWS account, and also which entities and which properties in Port, you want to fill in with data.
Here is an example snippet of the config.json file which demonstrates the ETL process for getting lambda functions data from the account into the software catalog:
{
"resources": [
{
"kind": "AWS::Lambda::Function",
"selector": {
"aws": {
"regions": ["us-east-1", "us-west-1"]
}
},
"port": {
"entity": {
"mappings": [
{
"identifier": ".FunctionName",
"title": ".FunctionName",
"blueprint": "function",
"properties": {
"memory": ".MemorySize",
"timeout": ".Timeout",
"runtime": ".Runtime"
}
}
]
}
}
}
]
}
Structure​
-
The root key of the
config.jsonfile is theresourceskey; -
The
kindkey is a specifier for a resource type from the AWS Cloud Control API following theservice-provider::service-name::data-type-nameformat:"resources": [
{
"kind": "AWS::Lambda::Function",
...tipTo generate a list of supported resource types using AWS CLI, combine the results of the following commands:
aws cloudformation list-types --type RESOURCE --visibility PUBLIC --provisioning-type FULLY_MUTABLE
aws cloudformation list-types --type RESOURCE --visibility PUBLIC --provisioning-type IMMUTABLE
aws cloudformation list-types --type RESOURCE --visibility PRIVATE --provisioning-type FULLY_MUTABLE
aws cloudformation list-types --type RESOURCE --visibility PRIVATE --provisioning-type IMMUTABLETo determine if a specific
<RESOURCE_TYPE>is supported, use this command (JQ required, output istrueorfalse):aws cloudformation describe-type --type RESOURCE --type-name <RESOURCE_TYPE> --query "ProvisioningType" | jq -c '. == "FULLY_MUTABLE" or . == "IMMUTABLE"'For more information, read here.
-
The
selectorkey let you filter exactly which objects from the specifiedkindwill be ingested to the software catalog; -
The
querykey in theselectoris a JQ boolean query. If evaluated to false for an object, the object will not be synced; -
The
awskey in theselectorlet you specify a list ofregionsto sync from."resources": [
{
"kind": "AWS::Lambda::Function",
"selector": {
"query": "true",
"aws": {
"regions": [
"us-east-1",
"us-west-1"
]
}
},
"port":
...tipYou can choose to deploy the exporter per region, or in one region of your choice. The
regionsconfiguration key might be useful if you want to install the exporter in one region, but to export data from multiple regions.Some example use cases:
-
To sync all objects from the specified
kindin the default region - do not specify aselector; -
To sync all lambdas that are not owned by AWS Amplify service:
query: .FunctionName | startswith("amplify") | not -
etc.
info-
For some resources you have to provide additional information. For example, in order to sync all
AWS ELB Listenersof a specific load balancer, use theregions_configandresources_modelskeys:"selector": {
"aws": {
"regions": [
"eu-west-1"
],
"regions_config": {
"eu-west-1": {
"resources_models": [
"{\"LoadBalancerArn\": \"<AWS_ELB_ARN>\"}"
]
}
}
}
}
The table of the special resources with the required properties can be found here.
-
-
The
port,entityand themappingskeys open the section used to map the AWS resource fields to Port entities, themappingskey is an array where each object matches the structure of an entity. -
Each mapping value is a JQ query, except for
blueprintwhich has to be a static string. -
The
itemsToParsekey in a mapping, makes it possible to create multiple entities from a single AWS resource.- Any JQ expression can be used here, as long as it evaluates to an array of items.
itemwill be added to the JQ context as a key containing a reference to items in the array specified initemsToParse. For array of objects, keys from an object can be accessed using the.item.KEY_NAMEsyntax.
"resources": [
{
"kind": "AWS::Lambda::Function",
"selector": {
"aws": {
"regions": [
"us-east-1",
"us-west-1"
]
}
},
"port": {
"entity": {
"mappings": [
{
"identifier": ".FunctionName",
"title": ".FunctionName",
"blueprint": "function",
"properties": {
"memory": ".MemorySize",
"timeout": ".Timeout",
"runtime": ".Runtime"
}
},
{
"itemsToParse": ".Layers",
"identifier": ".item",
"title": ".item",
"blueprint": "functionLayer",
"properties": {}
}
]
}
}
}
...
-
The order of the resources matters when you have relations between resources. The AWS exporter will sync the resources in the same order as they appear in the
config.json, so make sure to sort the resources by a logical order.For example, if you have a relation from SNS Topic to lambda function, put the Lambda function configuration first.
-
By its nature, the AWS exporter will keep the values of unmapped properties untouched. Go here for further explanation about different entity creation strategies.
To view a resource type schema and use it to compose a mapping, use this reference.
Note that not all of the resource types listed in the reference are available for use with the Cloud Control API. A method to determine if a resource type is available discussed here.
For additional options and information, read here.
Changing the configuration​
By default, the exporter saves a preconfigured config.json file to an AWS S3 Bucket upon installation.
The S3 bucket is named port-aws-exporter-<AWS_REGION>-<AWS_ACCOUNT_ID>, and is created by the exporter.
To make a change to the configuration (e.g. change the mapping of a certain property):
- Create a copy of the
config.jsonfile from the bucket, make the desired changes, and save it locally. - Use the AWS CLI to upload the file to the bucket, replacing the existing file.
Replace<BUCKET_NAME>and<PATH_TO_CONFIG_FILE>with your values, then run the following command:
aws s3api put-object --bucket "<BUCKET_NAME>" --key "config.json" --body "<PATH_TO_CONFIG_FILE>"
IAM Policy​
The AWS exporter uses an AWS IAM Policy which specifies the permissions to list and read the AWS resources you want to export (the ones you configured in the config.json).
For example, in order to export lambda functions, you need to create a policy with the following definition:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:GetFunction",
"lambda:GetFunctionCodeSigningConfig",
"lambda:ListFunctions"
],
"Resource": "*"
}
]
}
In order to find the resource actions that should be added to the policy, you should view the resource type schema, and locate the permissions for the read and list handlers.
Use the following command to get the resource action for a specific <RESOURCE_TYPE> (AWS CLI and JQ required):
aws cloudformation describe-type --type RESOURCE --type-name <RESOURCE_TYPE> --query "Schema" | jq -c 'fromjson | .handlers | with_entries(select([.key] | inside(["list", "read"]))) | map(.permissions) | flatten'
More details can be found here.
Port Credentials Secret​
In order to manage entities in Port, the exporter needs access to your Port credentials, these are provided to the exporter via an AWS Secrets Manager secret.
The secret value should be in the following format:
{ "id": "<CLIENT_ID>", "clientSecret": "<CLIENT_SECRET>" }
Similarly to the bucket, you can create and manage your own secret, or delegate it to the exporter. Either way, you need to add Port's credentials to the secret on your own, when the secret is ready.
Exporter AWS serverless application​
The Exporter AWS serverless application is how you install the exporter's CloudFormation stack.
The stack consists of several components:
- S3 bucket - where the
config.jsonshould be saved; - ASM secret - where you should save your Port credentials (client id and secret), to allow the exporter to interact with Port's API;
- Lambda function - a resource that you can invoke to run the exporter code. The IAM policy is attached to the execution role of the Lambda function;
- SQS queue - a queue of events, to be consumed by the exporter. Read here to learn how to use the exporter to consume and act on live events from different AWS services;
- EventsBridge scheduled rule - a rule to run the exporter on a schedule.
Getting started​
Continue to the Installation section to setup the AWS exporter in your Port environment.