Module Packaging Guide

Exec Runner

How to configure the exec runner to execute scripts and CLI commands.

Exec Runner (runner = "exec")

The legacy exec runner executes OS-level shell commands. It spawns a child process on the host machine. This runner is extremely flexible but carries a higher security risk, as the script inherits the permissions of the user running rescile.

Note: The generators/ directory inside your module is automatically added to the PATH environment variable. Scripts placed in this directory can be executed simply by specifying their filename.

Key Configuration Fields

  • command: An array of strings defining the executable and its arguments. This bypasses the shell entirely, mitigating shell injection vulnerabilities.
  • env: A list of environment variables to inject, formatted as "KEY=VALUE". Values can be rendered via Tera templating. By default, the command runs in a sandbox where only standard OS variables (like PATH) are exposed.
  • from_stdout: If true, captures the command’s standard output (stdout) and writes it directly to the corresponding target_input or target_asset file. Standard error (stderr) is streamed to the user’s console logs.
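
The two properties described above, argv-style execution without a shell and an explicitly mapped environment, shown as an added Python illustration (not rescile's code and not part of the original guide). The render helper, the PATH-only baseline environment, and the MAPPED_TOKEN / UNMAPPED_SECRET variables are assumptions made for the demonstration, which expects a POSIX host with /bin/sh.

```python
import json
import os
import re
import subprocess
import sys

# Constructed sample: a module parameter value carrying shell metacharacters.
HOSTILE_REGION = "eu-west-1; echo INJECTED"

# Stand-in for a generator script: reports the argv and environment it received.
CHILD = "import json,os,sys; print(json.dumps({'argv': sys.argv[1:], 'env': dict(os.environ)}))"

def render(text, params):
    """Toy substitute for templating: handles {{ params.X }} and {{ env.X }} only."""
    def lookup(match):
        scope, name = match.groups()
        return params[name] if scope == "params" else os.environ.get(name, "")
    return re.sub(r"\{\{\s*(params|env)\.(\w+)\s*\}\}", lookup, text)

def run_argv(command, env_entries, params):
    """Spawn an argv array with no shell; expose PATH plus the mapped KEY=VALUE entries."""
    argv = [render(arg, params) for arg in command]
    child_env = {"PATH": os.environ.get("PATH", "")}  # assumed minimal baseline
    for entry in env_entries:
        key, _, value = render(entry, params).partition("=")
        child_env[key] = value
    done = subprocess.run(argv, env=child_env, capture_output=True, text=True, check=True)
    return json.loads(done.stdout)

def run_shell_string(region):
    """Contrast case: the same value concatenated into a string that /bin/sh parses."""
    done = subprocess.run("echo --region " + region, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()

def demo():
    os.environ["MAPPED_TOKEN"] = "constructed-token"      # explicitly mapped below
    os.environ["UNMAPPED_SECRET"] = "constructed-secret"  # never mapped
    seen = run_argv(
        [sys.executable, "-c", CHILD, "--region", "{{ params.region }}"],
        ["AWS_REGION={{ params.region }}", "TOKEN={{ env.MAPPED_TOKEN }}"],
        {"region": HOSTILE_REGION},
    )
    return seen, run_shell_string(HOSTILE_REGION)

if __name__ == "__main__":
    seen, shell_lines = demo()
    print("argv form :", seen["argv"])
    print("mapped env:", {k: seen["env"].get(k) for k in ("AWS_REGION", "TOKEN", "UNMAPPED_SECRET")})
    print("shell form:", shell_lines)
```

The array form only prevents shell parsing: a parameter value that begins with - is still read as an option by the target program, so validate parameters before they reach command.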

Examples

Output Capture (from_stdout)

The easiest way to generate data is to have the command write its output to standard output and let rescile capture it.

[generator.fetch-aws-inventory]
description = "Fetches EC2 instances via AWS CLI"
runner = "exec"
target_input = "aws_ec2.json"
command = ["aws", "ec2", "describe-instances", "--region", "{{ params.region }}", "--output", "json"]
from_stdout = true
ttl = "1h"

env = [
  "AWS_REGION={{ params.region }}",
  "AWS_ACCESS_KEY_ID={{ env.AWS_ACCESS_KEY_ID }}",
  "AWS_SECRET_ACCESS_KEY={{ env.AWS_SECRET_ACCESS_KEY }}"
]

Writing Directly to Target File

If the script expects to write the file itself, you can expose the precise sandbox path either by passing {{ target_asset }} as a command argument, as in the example below, or by defining an environment variable in the env list (e.g., "OUT_FILE={{ target_asset }}").

[generator.vmware-discovery]
runner = "exec"
target_asset = "vmware_inventory.csv"
command = ["python3", "vmware_discover.py", "-o", "{{ target_asset }}"]
condition = "on_missing"

env = [
  "VMWARE_TOKEN={{ env.VMWARETOKEN }}"
]

Available Template Variables

For command and env:

  • {{ env.VAR_NAME }}: System environment variables. You must explicitly map system environment variables if your script needs them (e.g. "AWS_ACCESS_KEY_ID={{ env.AWS_ACCESS_KEY_ID }}").
  • {{ params.PARAM_NAME }}: Module parameters.
  • {{ target_asset }}: The absolute file path to the CSV asset file if target_asset is used.
  • {{ target_input }}: The absolute file path to the JSON input file if target_input is used.