Open justinvp opened 4 years ago
Having a StackPolicy to check the relationship between a "bucket" and its "logs bucket" is probably the best call here.
But as a potential workaround, you can have a bucket write its logs into itself. That satisfies the rule, but perhaps not the spirit of the policy:
```typescript
import * as aws from "@pulumi/aws";

declare const testBucketName: string; // defined elsewhere in the program

const accessLogsBucket = new aws.s3.Bucket("accessLogs", {
    bucket: testBucketName,
    loggings: [{
        targetBucket: testBucketName, // Write access logs into itself.
    }],
});
```
I haven't looked in detail yet, but this may be blocked on https://github.com/pulumi/pulumi-policy/issues/153
The `s3-bucket-logging-enabled` rule checks all buckets to see if they have `loggings` specified. So the following would be in violation of the policy:
To address this, I'd ensure my bucket has logging enabled by adding a log bucket:
However, now the log bucket doesn't have `loggings` specified, which means I'm still in violation of the policy. The workaround would be to provision the log bucket outside of the Pulumi program, but I do not want to do that.
I think we need to modify this policy to ensure all buckets have `loggings` unless the `id` is being used as the `targetBucket` of another bucket's `loggings`. This necessitates modifying this policy to be a stack policy rather than a resource policy.
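The stack-level check proposed above, written out as an added example (this is not code from the issue or from pulumi-policy). To keep it runnable stand-alone it does not import `@pulumi/policy`; the `StackResource` interface is an assumed stand-in for the subset of a stack resource's fields the check needs (`type`, `name`, `props`), the resource type string `aws:s3/bucket:Bucket` is the one `@pulumi/aws` registers, and the sample stack at the bottom is constructed for illustration. A bucket is flagged only if it has no `loggings` and no other bucket names it as a `targetBucket`; a bucket that logs to itself passes, which is exactly the "satisfies the rule but not the spirit" workaround discussed in the comment above.

```typescript
// Added example: stack-wide S3 access-logging check (not pulumi-policy's own code).

interface BucketLogging {
    targetBucket: string;
    targetPrefix?: string;
}

// Assumed minimal shape of a stack resource as a stack policy sees it.
interface StackResource {
    type: string;      // e.g. "aws:s3/bucket:Bucket"
    name: string;      // Pulumi logical name
    props: {
        bucket?: string;        // physical bucket name, when set explicitly
        id?: string;            // physical id, once the resource exists
        loggings?: BucketLogging[];
    };
}

interface Violation {
    resource: string;
    message: string;
}

const S3_BUCKET_TYPE = "aws:s3/bucket:Bucket";

// Returns one violation per S3 bucket that has no `loggings` and is not the
// `targetBucket` of any other bucket's `loggings` in the same stack.
function checkBucketLogging(resources: StackResource[]): Violation[] {
    const buckets = resources.filter(r => r.type === S3_BUCKET_TYPE);

    // Every physical bucket name referenced as a logging target anywhere in the stack.
    const logTargets = new Set<string>();
    for (const b of buckets) {
        for (const l of b.props.loggings ?? []) {
            logTargets.add(l.targetBucket);
        }
    }

    const violations: Violation[] = [];
    for (const b of buckets) {
        if ((b.props.loggings ?? []).length > 0) {
            continue; // logging configured (including a bucket logging to itself)
        }
        // Match on either the explicit name or the id, since `targetBucket` is a physical name.
        const physicalNames = [b.props.bucket, b.props.id].filter((n): n is string => !!n);
        if (physicalNames.some(n => logTargets.has(n))) {
            continue; // this bucket is somebody's log bucket, so it is exempt
        }
        violations.push({
            resource: b.name,
            message: `S3 bucket '${b.name}' has no 'loggings' and is not the logging target of another bucket.`,
        });
    }
    return violations;
}

// Constructed sample stack: a data bucket logging to a log bucket, an
// unrelated bucket with no logging, a self-logging bucket, and a non-bucket resource.
const sampleStack: StackResource[] = [
    { type: S3_BUCKET_TYPE, name: "data",
      props: { bucket: "data-bucket", loggings: [{ targetBucket: "logs-bucket", targetPrefix: "data/" }] } },
    { type: S3_BUCKET_TYPE, name: "logs", props: { bucket: "logs-bucket" } },
    { type: S3_BUCKET_TYPE, name: "orphan", props: { bucket: "orphan-bucket" } },
    { type: S3_BUCKET_TYPE, name: "selfLogged",
      props: { bucket: "self-bucket", loggings: [{ targetBucket: "self-bucket" }] } },
    { type: "aws:s3/bucketObject:BucketObject", name: "obj", props: { bucket: "data-bucket" } },
];

for (const v of checkBucketLogging(sampleStack)) {
    console.log(`${v.resource}: ${v.message}`); // only "orphan" is reported
}
```

To use this as a real stack policy you would call `checkBucketLogging(args.resources)` from a `validateStack` callback and pass each message to `reportViolation` (the exact field names on `args.resources` should be checked against the `@pulumi/policy` version in use; the interface above is an assumption, not the library's declared type). Note that this only catches buckets within one stack: a log bucket provisioned in a different stack or outside Pulumi still cannot be recognised as a logging target here.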