pulumi / pulumi-policy-aws

A policy pack of rules to enforce AWS best practices for security, reliability, cost, and more!
https://www.pulumi.com
Apache License 2.0

acm-certificate-expiration policy doesn't correctly detect aws:region set in stack config. #77

Closed arwilczek90 closed 3 years ago

arwilczek90 commented 3 years ago

When running the policy pack, the acm-certificate-expiration policy throws an error at Request.VALIDATE_REGION saying "Missing region in config" even though the region exists in the Pulumi config.

Expected behavior

A certificate that passes policy with the correct values for accessing an AWS account in the config file should pass correctly.

Current behavior

    error: Error validating stack with policy acm-certificate-expiration:
        ConfigError: Missing region in config
            at Request.VALIDATE_REGION

Steps to reproduce

  1. Install the AWS CrossGuard policy in the stack.
  2. Add an ACM certificate in a component module.
  3. Import the component module in the project.
  4. Add configuration in the project for the stack, including aws:region.
  5. Run pulumi up.

Context (Environment)

We have had to disable the acm-certificate-expiration policy, which is not ideal.

Affected feature

tusharshahrs commented 3 years ago

Here is a short-term workaround for now:

  1. The awsguard has the following for my index.ts:

         import { AwsGuard } from "@pulumi/awsguard";

         new AwsGuard({
             all: "disabled",
             acmCertificateExpiration: { maxDaysUntilExpiration: 10 },
         });

  2. Set the AWS region to where the certificate resides:

         export AWS_REGION=us-east-2

  3. Then run the policy:

         pulumi preview --policy-pack awsguard
         Previewing update (dev)

         View Live: https://app.pulumi.com/shaht/aws-ts-acm/dev/previews/1ece0735-32cb-4f02-9d05-9c8da52cf615

            Type                 Name            Plan
            pulumi:pulumi:Stack  aws-ts-acm-dev

         Policy Violations:
           [advisory]  pulumi-awsguard v0.1.0  acm-certificate-expiration (pulumi:pulumi:Stack: aws-ts-acm-dev)
           Checks whether an ACM certificate has expired. Certificates provided by ACM are automatically renewed. ACM does not automatically renew certificates that you import.
           certificate expires in -1 (max allowed 10 days)

tusharshahrs commented 3 years ago

This has been fixed by the following release of pulumi-policy-aws: 0.2.4
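To make the behaviour discussed in this thread concrete, the block below is an added illustration (not the policy pack's own code) of the two region-lookup strategies and the expiry check that produce the "Missing region in config" error and the "certificate expires in -1 (max allowed 10 days)" message. The `RegionSources` shape, the function names and the sample dates are constructed for the example.

```typescript
// Constructed inputs: the stack config as Pulumi would expose it (keys like
// "aws:region") and the process environment (AWS_REGION).
interface RegionSources {
    stackConfig: Record<string, string | undefined>;
    env: Record<string, string | undefined>;
}

// Behaviour reported in the issue: only the environment is consulted, so a
// stack that sets aws:region but does not export AWS_REGION fails to validate.
function resolveRegionEnvOnly(src: RegionSources): string {
    const region = src.env.AWS_REGION;
    if (!region) {
        throw new Error("Missing region in config");
    }
    return region;
}

// Expected behaviour: prefer the stack's aws:region and fall back to AWS_REGION,
// which is also what the workaround above relies on.
function resolveRegion(src: RegionSources): string {
    const region = src.stackConfig["aws:region"] ?? src.env.AWS_REGION;
    if (!region) {
        throw new Error("Missing region in config");
    }
    return region;
}

// Whole days from `now` until the certificate's NotAfter; negative once expired.
function daysUntilExpiration(notAfter: Date, now: Date): number {
    const msPerDay = 86_400_000;
    return Math.floor((notAfter.getTime() - now.getTime()) / msPerDay);
}

// Returns the violation text when the certificate expires within maxDays
// (or has already expired), otherwise undefined. The threshold semantics are
// an assumption for this example.
function checkCertificate(notAfter: Date, now: Date, maxDays: number): string | undefined {
    const days = daysUntilExpiration(notAfter, now);
    return days <= maxDays
        ? `certificate expires in ${days} (max allowed ${maxDays} days)`
        : undefined;
}

// Constructed sample: stack config sets the region, environment does not;
// the certificate expired one day before the check.
const sample: RegionSources = { stackConfig: { "aws:region": "us-east-2" }, env: {} };
const expired = new Date("2021-01-01T00:00:00Z");
const checkedAt = new Date("2021-01-02T00:00:00Z");
console.log(resolveRegion(sample), checkCertificate(expired, checkedAt, 10));
```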