
Policy resources are not present in the provider #186

Open
jkodroff opened this issue Nov 3, 2023 · 1 comment
Labels
kind/enhancement Improvements or new features

Comments

@jkodroff (Member) commented Nov 3, 2023

Issue details

It's not possible today to manage Policy Groups via the Pulumi Cloud provider (nor via the REST API, which I would assume is a pre-req for having it present in the provider).

I would like to be able to do all of the following with the provider:

  1. Manage policy packs (publish, un-publish) from a location on disk (this could be tricky, or might be best left to the command provider, so I'm more flexible on this one)
  2. Query published policy packs
  3. Query (projects and) stacks (by tag)
  4. Manage policy groups
  5. Manage policy group policy packs (that is, the settings for each policy rule and the version of the policy pack)
  6. Manage policy group stacks (that is, the stacks that are included in the policy group)

Out of scope, but this is what I would be doing next:

  7. Trigger a Pulumi Deployments Refresh on all affected stacks and alert upon failure

jkodroff added the labels kind/enhancement (Improvements or new features) and needs-triage (Needs attention from the triage team) on Nov 3, 2023
cleverguy25 removed the needs-triage label on Nov 6, 2023
@lukehoban (Member) commented

As part of some discussions recently we sketched out what we think these APIs could look like. Leaving notes here in case they help as input to implementing this:

import * as pulumi from "@pulumi/pulumi";
import * as pulumiservice from "@pulumi/pulumiservice";

// Sketch of proposed resource shapes: PolicyGroup, PolicyGroupStack, PolicyPack and
// PolicyGroupPolicyPack do not exist in the provider today.
const productionStacks: string[] = [/* fully qualified stack names, e.g. org/project/stack */];

const policyGroup = new pulumiservice.PolicyGroup("production", {});

// `of`, not `in`: `for...in` would iterate the array indices ("0", "1", ...), not the stack names.
for (const stack of productionStacks) {
    new pulumiservice.PolicyGroupStack(stack, {
        policyGroup: policyGroup.name,
        stack: stack,
    });
}

for (const policy of ["soc2", "pci-dss"]) {
    // Pulumi resources take a logical resource name as the first argument, then the args.
    const policyPack = new pulumiservice.PolicyPack(policy, {
        name: policy,
        source: new pulumi.asset.FileArchive("../policy/" + policy),
    });
    new pulumiservice.PolicyGroupPolicyPack(policy, {
        policyGroup: policyGroup.name,
        policyPack: policyPack.name,
    });
}

A few notes:

  1. We believe the assignment of a PolicyGroup to a Stack should be done through its own resource (instead of inline in the PolicyGroup or Stack).
  2. Similarly, we believe the assignment of a PolicyPack to a PolicyGroup should be done through its own resource.
  3. It would be really nice if the policy pack could be provided as an Archive, effectively doing the policy publish automatically from that archive (which could be a folder on disk, or an in-memory constructed policy pack, programmatically configured based on inputs in the user's program!). This allows automating the lifecycle of policies completely within the provider.
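The following is an added example, not code from the issue, the pulumi-service provider, or either commenter. It illustrates item 5 of the request (per-rule enforcement settings) and note 3 above (a policy pack constructed in memory from inputs in the user's program): a function that builds the files of a nodejs CrossGuard policy pack (PulumiPolicy.yaml, package.json, index.ts) from a required-tags rule, plus the same tag check as a pure function so the rule's logic can be exercised locally. The pack name, rule name and version are caller-supplied; the `@pulumi/policy` and `@pulumi/pulumi` version ranges in the generated package.json are assumptions to be pinned to whatever the organization uses.

```typescript
// Added example: build a CrossGuard policy pack in memory from program inputs.
// Not part of the pulumi-service provider; the output is a plain file map that a
// hypothetical PolicyPack resource could accept once wrapped as an Archive.

export type EnforcementLevel = "advisory" | "mandatory" | "disabled";

// Per-rule settings of the kind a PolicyGroupPolicyPack resource would carry.
export interface RequiredTagsRule {
    name: string;               // policy rule name, e.g. "required-tags"
    enforcementLevel: EnforcementLevel;
    requiredTags: string[];     // tag keys every matching resource must carry
    resourceTypes: string[];    // Pulumi resource types the rule applies to
}

export type PolicyPackFiles = Record<string, string>;

// Pure check shared by local tests and mirrored in the generated pack:
// which required tag keys are absent from a resource's `tags` input.
export function missingRequiredTags(
    tags: Record<string, string> | undefined,
    required: string[],
): string[] {
    const present = new Set(Object.keys(tags ?? {}));
    return required.filter((t) => !present.has(t));
}

// Produce the files of a nodejs policy pack. Keys are paths relative to the
// pack root; the caller turns each value into a pulumi.asset.StringAsset.
export function buildPolicyPackFiles(
    packName: string,
    version: string,
    rule: RequiredTagsRule,
): PolicyPackFiles {
    // Pack names end up in Pulumi Cloud and on disk; keep them to a safe charset.
    if (!/^[a-z0-9][a-z0-9-]*$/.test(packName)) {
        throw new Error(`invalid policy pack name: ${packName}`);
    }
    const description = `Resources must carry the tags: ${rule.requiredTags.join(", ")}`;

    const indexTs = [
        `import { PolicyPack } from "@pulumi/policy";`,
        ``,
        `const RESOURCE_TYPES: string[] = ${JSON.stringify(rule.resourceTypes)};`,
        `const REQUIRED_TAGS: string[] = ${JSON.stringify(rule.requiredTags)};`,
        ``,
        `new PolicyPack(${JSON.stringify(packName)}, {`,
        `    policies: [{`,
        `        name: ${JSON.stringify(rule.name)},`,
        `        description: ${JSON.stringify(description)},`,
        `        enforcementLevel: ${JSON.stringify(rule.enforcementLevel)},`,
        `        validateResource: (args, reportViolation) => {`,
        `            if (!RESOURCE_TYPES.includes(args.type)) { return; }`,
        `            const tags: Record<string, string> = args.props.tags ?? {};`,
        `            const missing = REQUIRED_TAGS.filter((t) => !(t in tags));`,
        `            if (missing.length > 0) {`,
        `                reportViolation("missing required tags: " + missing.join(", "));`,
        `            }`,
        `        },`,
        `    }],`,
        `});`,
        ``,
    ].join("\n");

    const packageJson = JSON.stringify({
        name: packName,
        version,                                // the pack version Pulumi Cloud records on publish
        main: "index.js",
        dependencies: {
            "@pulumi/policy": "^1.0.0",         // assumed range; pin to your org's versions
            "@pulumi/pulumi": "^3.0.0",
        },
    }, null, 2) + "\n";

    return {
        "PulumiPolicy.yaml": `runtime: nodejs\ndescription: ${description}\n`,
        "package.json": packageJson,
        "index.ts": indexTs,
    };
}
```

To feed this to the sketched `PolicyPack` resource, wrap the map with the real Pulumi asset API: `new pulumi.asset.AssetArchive(Object.fromEntries(Object.entries(files).map(([p, c]) => [p, new pulumi.asset.StringAsset(c)])))`. Because the required tags and enforcement level are ordinary program inputs, the same code can emit an advisory pack for staging and a mandatory one for production without a second copy of the policy on disk.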
