Support for writing policies in Python #212
Conversation
| @@ -0,0 +1,707 @@ | |||
| # Copyright 2016-2020, Pulumi Corporation. | |||
There was a problem hiding this comment.
Note: I started breaking up this file into smaller files, but ran into circular imports that I need to chase down, so keeping it all in one file for the time-being.
Adds a new policy SDK for writing policies in Python.
| def s3_no_public_read(args: ResourceValidationArgs, report_violation: ReportViolation): | ||
| if args.resource_type == "aws:s3/bucket:Bucket" and "acl" in args.props: | ||
| acl = args.props["acl"] | ||
| if acl == "public-read" or acl == "public-read-write": | ||
| report_violation("You cannot set public-read or public-read-write on an S3 bucket.") | ||
|
|
||
| PolicyPack( | ||
| name="aws-policy-pack", | ||
| enforcement_level=EnforcementLevel.MANDATORY, | ||
| policies=[ | ||
| ResourceValidationPolicy( | ||
| name="s3-no-public-read", | ||
| description="Prohibits setting the publicRead or publicReadWrite permission on AWS S3 buckets.", | ||
| validate=s3_no_public_read, | ||
| ), | ||
| ], | ||
| ) |
There was a problem hiding this comment.
Worth mentioning: there are two ways to define policies in Python that Luke and I discussed.
First is this way, which is similar to how policies are declared in TypeScript. Unfortunately, lambdas in Python must be expressions and cannot have statements, so it necessitates defining the handler function separately.
The second way involves inheriting from ResourceValidationPolicy or StackValidationPolicy and overriding the validate function. This would look like:
class S3NoPublicReadPolicy(ResourceValidationPolicy):
def __init__(self):
super().__init__(
name="s3-no-public-read",
description="Prohibits setting the publicRead or publicReadWrite permission on AWS S3 buckets.")
def validate(self, args, report_violation):
if args.resource_type == "aws:s3/bucket:Bucket" and "acl" in args.props:
acl = args.props["acl"]
if acl == "public-read" or acl == "public-read-write":
report_violation("You cannot set public-read or public-read-write on an S3 bucket.")
PolicyPack(
name="aws-policy-pack",
enforcement_level=EnforcementLevel.MANDATORY,
policies=[
S3NoPublicReadPolicy(),
],
)I will document these in the actual docs for writing Python policies.
Luke and I also chatted about possibly using Python decorators to automatically add policies with a certain decorator to a Policy Pack, but that is not implemented in this PR (but could potentially be built on-top of this lower-level support). I have not yet had a chance to experiment with this.
| ResourceValidationArgs is the argument bag passed to a resource validation. | ||
| """ | ||
|
|
||
| resource_type: str |
There was a problem hiding this comment.
Ideally, this would be type, but type is reserved, so we could either go with type_ or something more meaningful like resource_type. Luke and I chatted about this and decided to go with the latter, even though that's different than what we've done with resource transformations here. (We probably should have used resource_type for transformations.)
Just emit the semver directly in the source
v1.13.0 of the CLI modified the output for policy violations to include the resource type, so this commit reacts to that change.
Adds basic support for writing policies in Python.
Depends on pulumi/pulumi#4057 (will fail until we have a new dev release of the CLI along with new dev release of the
pulumiPyPi package that we can take a dependency on).There are some remaining TODOs noted in comments, that I'll address in follow-up changes, tracked as tasks in #208.
Part of #208