Support for writing policies in Python #212
Conversation
@@ -0,0 +1,707 @@ | |||
# Copyright 2016-2020, Pulumi Corporation. |
Note: I started breaking up this file into smaller files, but ran into circular imports that I need to chase down, so keeping it all in one file for the time-being.
Adds a new policy SDK for writing policies in Python.
There's a ton here! Is there a specific area you want me to look at?
def s3_no_public_read(args: ResourceValidationArgs, report_violation: ReportViolation): | ||
if args.resource_type == "aws:s3/bucket:Bucket" and "acl" in args.props: | ||
acl = args.props["acl"] | ||
if acl == "public-read" or acl == "public-read-write": | ||
report_violation("You cannot set public-read or public-read-write on an S3 bucket.") | ||
|
||
PolicyPack( | ||
name="aws-policy-pack", | ||
enforcement_level=EnforcementLevel.MANDATORY, | ||
policies=[ | ||
ResourceValidationPolicy( | ||
name="s3-no-public-read", | ||
description="Prohibits setting the publicRead or publicReadWrite permission on AWS S3 buckets.", | ||
validate=s3_no_public_read, | ||
), | ||
], | ||
) |
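Review bot: the description on the ResourceValidationPolicy says "publicRead or publicReadWrite permission" while the check and the violation message use the literal ACL values "public-read" and "public-read-write"; use the same spelling in all three places so a reader can match the description to what is actually enforced, e.g. description="Prohibits setting the public-read or public-read-write ACL on AWS S3 buckets."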
Worth mentioning: there are two ways to define policies in Python that Luke and I discussed.
First is this way, which is similar to how policies are declared in TypeScript. Unfortunately, lambdas in Python must be expressions and cannot have statements, so it necessitates defining the handler function separately.
The second way involves inheriting from ResourceValidationPolicy or StackValidationPolicy and overriding the validate function. This would look like:
# Imports assumed to come from the pulumi_policy package this PR adds.
from pulumi_policy import EnforcementLevel, PolicyPack, ResourceValidationPolicy

class S3NoPublicReadPolicy(ResourceValidationPolicy):
    def __init__(self):
        super().__init__(
            name="s3-no-public-read",
            description="Prohibits setting the publicRead or publicReadWrite permission on AWS S3 buckets.")

    def validate(self, args, report_violation):
        # Only S3 buckets with an explicit ACL are inspected; public ACLs are flagged.
        if args.resource_type == "aws:s3/bucket:Bucket" and "acl" in args.props:
            acl = args.props["acl"]
            if acl == "public-read" or acl == "public-read-write":
                report_violation("You cannot set public-read or public-read-write on an S3 bucket.")

PolicyPack(
    name="aws-policy-pack",
    enforcement_level=EnforcementLevel.MANDATORY,
    policies=[
        S3NoPublicReadPolicy(),
    ],
)
I will document these in the actual docs for writing Python policies.
Luke and I also chatted about possibly using Python decorators to automatically add policies with a certain decorator to a Policy Pack, but that is not implemented in this PR (but could potentially be built on top of this lower-level support). I have not yet had a chance to experiment with this.
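As an added example (not code from this PR or from the pulumi-policy SDK), here is how the function-style handler discussed above can be unit-tested offline, without the Pulumi engine: ResourceValidationArgs and ReportViolation are assumed stand-ins with the same shape as the SDK types, and the sample resources are constructed.

```python
# Offline harness for a pulumi-policy style resource validation handler.
# ResourceValidationArgs / ReportViolation are stand-ins (assumed shapes) for
# the SDK types of the same name; the handler body mirrors the one in the PR.
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

ReportViolation = Callable[[str], None]


@dataclass
class ResourceValidationArgs:
    """Argument bag: the Pulumi type token plus the resource's input properties."""
    resource_type: str
    props: Dict[str, Any] = field(default_factory=dict)


def s3_no_public_read(args: ResourceValidationArgs, report_violation: ReportViolation) -> None:
    """Flag S3 buckets whose ACL grants public access (same logic as the PR's example)."""
    if args.resource_type == "aws:s3/bucket:Bucket" and "acl" in args.props:
        acl = args.props["acl"]
        if acl == "public-read" or acl == "public-read-write":
            report_violation("You cannot set public-read or public-read-write on an S3 bucket.")


# Constructed sample resources keyed by a logical name; not real stack state.
SAMPLE_RESOURCES = {
    "private-bucket": ResourceValidationArgs("aws:s3/bucket:Bucket", {"acl": "private"}),
    "no-acl-bucket": ResourceValidationArgs("aws:s3/bucket:Bucket", {}),
    "website-bucket": ResourceValidationArgs("aws:s3/bucket:Bucket", {"acl": "public-read"}),
    "upload-bucket": ResourceValidationArgs("aws:s3/bucket:Bucket", {"acl": "public-read-write"}),
    # Different resource type: the policy must ignore it even though 'acl' is public.
    "queue": ResourceValidationArgs("aws:sqs/queue:Queue", {"acl": "public-read"}),
}


def run_policy(validate, resources: Dict[str, ResourceValidationArgs]) -> Dict[str, List[str]]:
    """Invoke `validate` once per resource with a report_violation callback that
    records messages; return {name: [messages]} for the resources that violated."""
    findings: Dict[str, List[str]] = {}
    for name, args in resources.items():
        messages: List[str] = []
        validate(args, messages.append)
        if messages:
            findings[name] = messages
    return findings


if __name__ == "__main__":
    for name, messages in run_policy(s3_no_public_read, SAMPLE_RESOURCES).items():
        print(f"{name}: {'; '.join(messages)}")
```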
ResourceValidationArgs is the argument bag passed to a resource validation. | ||
""" | ||
|
||
resource_type: str |
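Review bot: the resource_type field carries no comment of its own, and since its name intentionally differs from the one used by resource transformations (per the discussion below), a one-line note saying it holds the Pulumi type token of the resource being validated (the form "aws:s3/bucket:Bucket" used in the example policy) would save readers of the argument bag a trip to the docs.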
Ideally, this would be type, but type is reserved, so we could either go with type_ or something more meaningful like resource_type. Luke and I chatted about this and decided to go with the latter, even though that's different from what we've done with resource transformations here. (We probably should have used resource_type for transformations.)
This looks great. Thank you for the thorough test coverage here!
Just emit the semver directly in the source
v1.13.0 of the CLI modified the output for policy violations to include the resource type, so this commit reacts to that change.
Adds basic support for writing policies in Python.
Depends on pulumi/pulumi#4057 (will fail until we have a new dev release of the CLI along with a new dev release of the pulumi PyPI package that we can take a dependency on). There are some remaining TODOs noted in comments, that I'll address in follow-up changes, tracked as tasks in #208.
Part of #208