Support for writing policies in Python (#212)

Adds basic support for writing policies in Python.
pulumi · Mar 19, 2020 · 6ded952 · 6ded952
1 parent e830f85
commit 6ded952
Show file tree

Hide file tree

Showing 40 changed files with 2,826 additions and 90 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -11,7 +11,7 @@ before_install:
     - source ${PULUMI_SCRIPTS}/ci/keep-failed-tests.sh
 install:
     # Install Pulumi 🍹
-    - curl -fsSL https://get.pulumi.com/ | bash -s -- --version "1.13.0-alpha.1583701915"
+    - curl -fsSL https://get.pulumi.com/ | bash
     - export PATH="$HOME/.pulumi/bin:$PATH"
     # Install other tools.
     - source ${PULUMI_SCRIPTS}/ci/install-common-toolchain.sh

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -38,6 +38,31 @@
   }
   ```
 
+- Add support for writing policies in Python :tada:
+  (https://github.com/pulumi/pulumi-policy/pull/212).
+
+  Example:
+
+  ```python
+  def s3_no_public_read(args: ResourceValidationArgs, report_violation: ReportViolation):
+      if args.resource_type == "aws:s3/bucket:Bucket" and "acl" in args.props:
+          acl = args.props["acl"]
+          if acl == "public-read" or acl == "public-read-write":
+              report_violation("You cannot set public-read or public-read-write on an S3 bucket.")
+
+  PolicyPack(
+      name="aws-policy-pack",
+      enforcement_level=EnforcementLevel.MANDATORY,
+      policies=[
+          ResourceValidationPolicy(
+              name="s3-no-public-read",
+              description="Prohibits setting the publicRead or publicReadWrite permission on AWS S3 buckets.",
+              validate=s3_no_public_read,
+          ),
+      ],
+  )
+  ```
+
 ## 0.4.0 (2020-01-30)
 
 ### Improvements

diff --git a/Makefile b/Makefile
@@ -1,5 +1,5 @@
 PROJECT_NAME := policy
-SUB_PROJECTS := sdk/nodejs/policy
+SUB_PROJECTS := sdk/nodejs/policy sdk/python
 include build/common.mk
 
 .PHONY: ensure

diff --git a/scripts/publish_packages.sh b/scripts/publish_packages.sh
@@ -36,3 +36,9 @@ publish() {
 }
 
 publish policy
+
+echo "Publishing Pip package to pypi.org:"
+twine upload \
+    -u pulumi -p "${PYPI_PASSWORD}" \
+    "${ROOT}/sdk/python/env/src/dist"/*.whl \
+    --skip-existing \
diff --git a/sdk/nodejs/policy/package.json b/sdk/nodejs/policy/package.json
@@ -7,7 +7,7 @@
     "homepage": "https://pulumi.io",
     "repository": "https://github.com/pulumi/pulumi-policy",
     "dependencies": {
-        "@pulumi/pulumi": "1.13.0-alpha.1583701915",
+        "@pulumi/pulumi": "^1.13.0",
         "google-protobuf": "^3.5.0",
         "grpc": "^1.20.2",
         "protobufjs": "^6.8.6"

diff --git a/sdk/nodejs/policy/policy.ts b/sdk/nodejs/policy/policy.ts
@@ -328,22 +328,22 @@ export interface PolicyCustomTimeouts {
  */
 export interface PolicyProviderResource {
     /**
-     * The type of the resource provider.
+     * The type of the provider resource.
      */
     type: string;
 
     /**
-     * The properties of the resource provider.
+     * The properties of the provider resource.
      */
     props: Record<string, any>;
 
     /**
-     * The URN of the resource provider.
+     * The URN of the provider resource.
      */
     urn: string;
 
     /**
-     * The name of the resource provider.
+     * The name of the provider resource.
      */
     name: string;
 }
@@ -419,7 +419,7 @@ export interface StackValidationPolicy extends Policy {
 export type StackValidation = (args: StackValidationArgs, reportViolation: ReportViolation) => Promise<void> | void;
 
 /**
- * StackValidationArgs is the argument bag passed to a resource validation.
+ * StackValidationArgs is the argument bag passed to a stack validation.
  */
 export interface StackValidationArgs {
     /**

diff --git a/sdk/python/.gitignore b/sdk/python/.gitignore
@@ -0,0 +1,6 @@
+.idea/
+.mypy_cache/
+*.pyc
+/env/
+/*.egg-info
+.venv/