pulumi / pulumi-azure

A Microsoft Azure Pulumi resource package, providing multi-language access to Azure
Apache License 2.0

get_shared_image_version() resources do not show in policy-pack #914

Open yellowhat opened 3 years ago

yellowhat commented 3 years ago

Hi, I would like to apply PolicyPack against resources imported using the function azure.compute.get_shared_image_version. Consider the following example:

```python
import pulumi_azure as azure

# Look up an existing image version in the gallery by name.
vm_image = azure.compute.get_shared_image_version(
    name="0.1.0",
    image_name="node",
    gallery_name="sig",
    resource_group_name="z",
)
```

- `policypack/__main__.py`:
```python
from pulumi_policy import (
    EnforcementLevel,
    PolicyPack,
    ReportViolation,
    ResourceValidationArgs,
    ResourceValidationPolicy,
)


def example_validator(args: ResourceValidationArgs, report_violation: ReportViolation):
    # Log the type token of every resource the policy engine hands us.
    print("----------------------------")
    print(args.resource_type)
    print("----------------------------")


example = ResourceValidationPolicy(
    name="example",
    description="desc",
    validate=example_validator,
)

PolicyPack(
    name="azure-python",
    enforcement_level=EnforcementLevel.MANDATORY,
    policies=[
        example,
    ],
)
```

If I run:

```
$ pulumi preview --policy-pack policypack
Previewing update (dev):
     Type                 Name            Plan       Info
 +   pulumi:pulumi:Stack  cyclecloud-dev  create     6 messages

Diagnostics:
  pulumi:pulumi:Stack (cyclecloud-dev):
    ----------------------------
    pulumi:providers:azure
    ----------------------------
    ----------------------------
    pulumi:pulumi:Stack
    ----------------------------

Policy Packs run:
    Name           Version
     (policypack)  (local)
```

So it seems that no shared_image_version resource is shown in the policy pack. If a parameter for get_shared_image_version is wrong, pulumi preview will complain because the resource does not exist.

My expectation would be that imported resources should behave like the one created by pulumi. Am I wrong?

Thanks

lukehoban commented 3 years ago

> My expectation would be that imported resources should behave like the one created by pulumi.

Yes - this is true that imported resources would behave the same as ones created by Pulumi. However, in your code example, you are using a "get" function instead of importing the resource. You could do something like what's documented at https://www.pulumi.com/docs/guides/adopting/import/#pulumi-import-resource-operation to import the resource and have it be managed as a first-class resource in the Pulumi program and state.

Hopefully that is a way to accomplish what you would like here. If not, feel free to reopen.

yellowhat commented 3 years ago

@lukehoban, thanks for your suggestion.

I have tried the following:

```python
import pulumi_azure as azure
from pulumi import ResourceOptions

RG = "z"
SIG = "sig"
IMAGE = "node"
VER = "0.1.0"

# Look up the existing resource group, then adopt it into the stack with import_.
image_rg = azure.core.get_resource_group(name=RG)

image_rg = azure.core.ResourceGroup(
    "image_rg",
    name=image_rg.name,
    location=image_rg.location,
    opts=ResourceOptions(
        import_=image_rg.id,
#        protect=True
    ),
)

# Same pattern for the gallery: read it, then import it as a managed resource.
sig = azure.compute.get_shared_image_gallery(
    name=SIG,
    resource_group_name=image_rg.name,
)

sig = azure.compute.SharedImageGallery(
    "sig",
    name=sig.name,
    resource_group_name=image_rg.name,
    location=image_rg.location,
    opts=ResourceOptions(
        import_=sig.id,
#        protect=True
    ),
)

vm_image_node = azure.compute.get_shared_image(
    name=IMAGE,
    gallery_name=sig.name,
    resource_group_name=sig.resource_group_name,
)

vm_image_node = azure.compute.SharedImage(
    "vm_image_node",
    name=vm_image_node.name,
    gallery_name=sig.name,
    resource_group_name=sig.resource_group_name,
    location=sig.location,
    os_type=vm_image_node.os_type,
    identifier=vm_image_node.identifiers[0],
    hyper_v_generation=vm_image_node.hyper_v_generation,
    opts=ResourceOptions(
        import_=vm_image_node.id,
#        protect=True
    ),
)

vm_image_node_ver = azure.compute.get_shared_image_version(
    name=VER,
    image_name=vm_image_node.name,
    gallery_name=vm_image_node.gallery_name,
    resource_group_name=sig.resource_group_name,
)

# Once imported, the image version is a first-class resource in state, so a
# change of VER is treated as a replacement of this resource.
vm_image_node_ver = azure.compute.SharedImageVersion(
    "vm_image_node_ver",
    name=vm_image_node_ver.name,
    image_name=vm_image_node_ver.image_name,
    gallery_name=sig.name,
    resource_group_name=sig.resource_group_name,
    location=sig.location,
    managed_image_id=vm_image_node_ver.managed_image_id,
    target_regions=vm_image_node_ver.target_regions,
    tags=vm_image_node_ver.tags,
    opts=ResourceOptions(
        import_=vm_image_node_ver.id,
#        protect=True
    ),
)
```

This partially solves my problem (no new resources in policy-pack):

Also, this creates a new (more dangerous) problem: if I update the image version (i.e. VER = 0.1.1), pulumi will delete the previous 0.1.0 image version.

Adding protect=True prevents pulumi from deleting the resources but will not just update the stack (pulumi errors anyway).

Any suggestions for the policypack from scratch? Is there a way to instruct pulumi to just update the stack but do not really delete the resource?

Thanks
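A policy pack written from scratch for the imported SharedImage and SharedImageVersion resources, as an added example that is not part of this thread or of pulumi-azure. It follows lukehoban's point above: only registered resources reach a validator, so the get_shared_image_version invoke in the first post never appears, while the resources imported in the follow-up do. The approved gallery (resource group "z", gallery "sig"), the region allow-list, the Gen2 requirement, the policy name and the sample inputs are assumptions chosen for the example; the check logic lives in plain functions so it can be unit-tested without the Pulumi engine.

```python
"""Shared-image policy checks, written as plain functions so the logic can be
unit-tested without the Pulumi engine, then wired into a PolicyPack."""
from typing import Any, Callable, Dict, List

# Constructed for this example: the gallery the thread imports (RG "z", gallery
# "sig") and an assumed allow-list of regions an image may be replicated to.
APPROVED_GALLERY = {"resourceGroupName": "z", "galleryName": "sig"}
APPROVED_REGIONS = {"westeurope", "northeurope"}

# Pulumi type tokens for the two pulumi-azure resources imported in the thread.
SHARED_IMAGE = "azure:compute/sharedImage:SharedImage"
SHARED_IMAGE_VERSION = "azure:compute/sharedImageVersion:SharedImageVersion"


def _in_approved_gallery(props: Dict[str, Any]) -> bool:
    return all(props.get(k) == v for k, v in APPROVED_GALLERY.items())


def _region_name(region: Any) -> str:
    # A serialised target region is a mapping with a `name` key; tolerate a
    # bare string so a hand-written input does not crash the validator.
    if isinstance(region, dict):
        return str(region.get("name", "")).lower()
    return str(region).lower()


def check_shared_image(props: Dict[str, Any]) -> List[str]:
    """Violations for a SharedImage definition (empty list means compliant)."""
    violations: List[str] = []
    if not _in_approved_gallery(props):
        violations.append("shared image must be defined in the approved gallery")
    # Assumed requirement: Gen2 images only (needed for Trusted Launch VMs).
    if props.get("hyperVGeneration") != "V2":
        violations.append("shared image must use Hyper-V generation V2")
    return violations


def check_shared_image_version(props: Dict[str, Any]) -> List[str]:
    """Violations for a SharedImageVersion definition."""
    violations: List[str] = []
    if not _in_approved_gallery(props):
        violations.append("image version must be published to the approved gallery")
    if not props.get("managedImageId"):
        violations.append("image version must record the managed image it was built from")
    regions = props.get("targetRegions") or []
    if not regions:
        violations.append("image version must replicate to at least one target region")
    for region in regions:
        name = _region_name(region)
        if name not in APPROVED_REGIONS:
            violations.append(f"target region {name!r} is not in the approved list")
    return violations


CHECKS: Dict[str, Callable[[Dict[str, Any]], List[str]]] = {
    SHARED_IMAGE: check_shared_image,
    SHARED_IMAGE_VERSION: check_shared_image_version,
}


def validate_resource(resource_type: str, props: Dict[str, Any]) -> List[str]:
    """Dispatch on the Pulumi type token; resource types without a check pass."""
    check = CHECKS.get(resource_type)
    return check(props) if check else []


def build_policy_pack():
    """Wire the checks into a PolicyPack. pulumi_policy is imported here rather
    than at module level so the checks stay importable from a plain unit test."""
    from pulumi_policy import (EnforcementLevel, PolicyPack, ReportViolation,
                               ResourceValidationArgs, ResourceValidationPolicy)

    def validator(args: ResourceValidationArgs, report_violation: ReportViolation):
        # args.props holds the serialised inputs, keyed in camelCase as in the
        # provider schema (resourceGroupName, targetRegions, ...).
        for message in validate_resource(args.resource_type, args.props):
            report_violation(message)

    return PolicyPack(
        name="azure-python",
        enforcement_level=EnforcementLevel.MANDATORY,
        policies=[ResourceValidationPolicy(
            name="shared-image-hygiene",
            description="Shared images and versions must come from the approved gallery.",
            validate=validator,
        )],
    )


if __name__ == "__main__":
    try:
        build_policy_pack()  # what `pulumi preview --policy-pack policypack` runs
    except ImportError:
        # Outside the policy runtime: dry-run the checks on a constructed input.
        sample = {"resourceGroupName": "z", "galleryName": "sig",
                  "managedImageId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                                    "/resourceGroups/z/providers/Microsoft.Compute/images/node",
                  "targetRegions": [{"name": "westeurope"}, {"name": "eastus"}]}
        for line in validate_resource(SHARED_IMAGE_VERSION, sample):
            print("violation:", line)
```

Drop this in as `policypack/__main__.py` and run `pulumi preview --policy-pack policypack` as in the first post. On the version-bump problem raised above: changing VER replaces the imported SharedImageVersion, and `protect=True` turns that replacement into an error rather than a no-op; current Pulumi SDKs also offer the `retain_on_delete=True` resource option, which removes a resource from state without deleting it in Azure, but confirm the SDK version in use has it before relying on it.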

yellowhat commented 3 years ago

May I ask to reopen this issue?

Thanks

yellowhat commented 3 years ago

Dear @lukehoban, Is there something else I can do to move this forward?

Thanks

yellowhat commented 3 years ago

Hi, does the latest 3.10.x version allow me to make this happen?

Thanks