prisma.pan.dev
Issue with "Serverless Runtime Policy" TW_POLICY: Missing Documentation
Describe the problem
Currently we are automating our Twistlock deployment process through custom Terraform modules that we've created. In order to defend and assess any vulnerabilities related to our AWS Lambda functions, for example, we are required to create a Lambda Layer to append the NodeJS `twistlock.handler` function. In order to achieve this, we make a cURL request to obtain our `images/twistlock_defender_layer.zip` file. However, the configuration will only work if we have the following environment variables:
- `ORIGINAL_HANDLER` - Which points to the original handler if Twistlock is enabled for that Lambda resource
- `TW_POLICY` - Which provides the Twistlock function with the configuration as a base64 encoded string.
The Issue
The issue we currently have, in order to fully automate this process as part of our CI/CD, is that there is no properly documented way of obtaining the `TW_POLICY` without using the Console UI. After inspecting the network calls, I found that when generating the policy, there's a payload sent to a specific endpoint which isn't documented under Policies.
Suggested fix
After inspecting the calls, it was found that a POST request is made to the console:

`{{CONSOLE_URL}}/{{CONSOLE_ID}}/api/v1/policies/runtime/serverless/encode`

With the following payload:

```json
{
  "consoleAddr": "us-west1.cloud.twistlock.com",
  "function": "LAMBDA_NAME",
  "provider": "CLOUD_PROVIDER",
  "region": "CLOUD_REGION"
}
```

Response:

```json
{ "data": "TW_POLICY_BASE64" }
```
The suggestion is to update the documentation to reflect that additional endpoint which should be available via the API. If there proves to be an issue with this approach, please advise as we believe this is the best way to obtain the policy.
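The request and response described in the issue above, as an added example of how a CI/CD step could obtain `TW_POLICY` and wire it into the Lambda environment. This is example code written for this page, not the project's own code or the issue author's Terraform. The endpoint path, the payload fields and the `{"data": "..."}` response shape come from the issue; the use of HTTP basic auth, the `console.example` host, the injectable `opener` (so the script runs offline against a constructed response) and the helper names are assumptions.

```python
"""Obtain TW_POLICY from the serverless encode endpoint and build the Lambda env.

Example code added to this page, not the project's own tooling.
Assumed: the console accepts HTTP basic auth for this call; host names
and credentials below are placeholders.
"""
import base64
import binascii
import json
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Path observed in the issue; it is undocumented, so pin it in one place.
ENCODE_PATH = "/api/v1/policies/runtime/serverless/encode"


def build_encode_request(console_url: str, console_id: str, function: str,
                         provider: str, region: str, console_addr: str) -> Tuple[str, Dict[str, str]]:
    """Return (url, json_body) for the encode call, mirroring the payload in the issue."""
    url = f"{console_url.rstrip('/')}/{console_id}{ENCODE_PATH}"
    body = {
        "consoleAddr": console_addr,   # address the Defender will report back to
        "function": function,          # Lambda function name
        "provider": provider,          # e.g. "aws"
        "region": region,              # e.g. "us-west-1"
    }
    return url, body


def parse_tw_policy(response_body: bytes) -> str:
    """Extract the base64 policy from the {"data": "..."} response and verify it decodes.

    Rejecting a non-base64 value here catches a console error page or an
    auth failure before it is baked into the function's environment.
    """
    doc = json.loads(response_body)
    policy = doc.get("data") if isinstance(doc, dict) else None
    if not isinstance(policy, str) or not policy:
        raise ValueError("encode response has no 'data' string")
    try:
        base64.b64decode(policy, validate=True)
    except binascii.Error as exc:
        raise ValueError("TW_POLICY is not valid base64") from exc
    return policy


def fetch_tw_policy(url: str, body: Dict[str, str], username: str, password: str,
                    opener: Optional[Callable[[urllib.request.Request], bytes]] = None) -> str:
    """POST the payload to the console and return TW_POLICY.

    `opener` is an assumed test seam: pass a callable that returns the raw
    response bytes to run without network access.
    """
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")  # basic auth is an assumption
    if opener is None:
        opener = lambda r: urllib.request.urlopen(r, timeout=30).read()
    return parse_tw_policy(opener(req))


def lambda_environment(original_handler: str, tw_policy: str) -> Dict[str, str]:
    """Environment the wrapped Lambda needs, per the two variables named in the issue."""
    return {"ORIGINAL_HANDLER": original_handler, "TW_POLICY": tw_policy}


if __name__ == "__main__":
    # Constructed response standing in for the console; no network is used.
    fake_policy = base64.b64encode(b'{"k":"v"}').decode()
    fake_opener = lambda req: json.dumps({"data": fake_policy}).encode()

    url, body = build_encode_request("https://console.example", "abc123",
                                     "my-function", "aws", "us-west-1",
                                     "us-west1.cloud.twistlock.com")
    policy = fetch_tw_policy(url, body, "ci-user", "ci-password", opener=fake_opener)
    print(json.dumps(lambda_environment("index.handler", policy), indent=2))
```

In a real pipeline the credentials come from the CI secret store, and the returned `TW_POLICY` string is what the Terraform module writes into the function's `environment` block alongside `ORIGINAL_HANDLER`; because the endpoint is not documented, keep the path in one constant so a change in the console API is a one-line fix.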
:tada: Thanks for opening your first issue here! Welcome to the community!
Checking with Maya if this v1 endpoint is approved to be documented as versioned (or v1).