pulumi / pulumi-policy-aws

A policy pack of rules to enforce AWS best practices for security, reliability, cost, and more!
https://www.pulumi.com
Apache License 2.0

Converting s3-bucket-logging-enabled to stack validation policy, fixes #36 #92

Open rshade opened 1 year ago

rshade commented 1 year ago

Converting s3-bucket-logging-enabled to stack validation policy to address problems in issue #36

jaxxstorm commented 1 year ago

I'm not sure why we'd switch this to a stack validation policy?

From the docs

Policies of StackValidationPolicy are run against all the resources in a stack. These policies are run after all stack resources are registered and thus do not block an out-of-compliance resource from being created, but do fail the preview or update.

Generally, stack validation policies are for when you want to examine multiple resources of different types (for example, checking whether all resources in a stack that are taggable are tagged appropriately).

In this case, we're switching a resource validation of a single resource to a stack validation - can you help me understand the reasoning?

rshade commented 1 year ago

From my understanding, the user bucket won't have the id of the logging bucket yet, so you can't create the first array to search until that is populated.
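As an added illustration of the stack-level approach discussed in this thread (example code, not the policy pack's own implementation): the check below runs over every registered resource, so the logging target bucket's identity is already known and can be matched against the buckets in the stack. The `PolicyResource` and violation shapes are assumptions that mirror `@pulumi/policy`; the real pack would import them instead, and the sample stack is constructed.

```typescript
// Minimal stand-ins for the @pulumi/policy types (assumed shape, not the real import).
type Props = Record<string, any>;
interface PolicyResource { type: string; urn: string; name: string; props: Props; }
interface Violation { urn: string; message: string; }

const BUCKET_TYPE = "aws:s3/bucket:Bucket";

// Stack validation: runs after all resources are registered, so bucket ids are populated.
function validateBucketLogging(resources: PolicyResource[]): Violation[] {
  const violations: Violation[] = [];
  const buckets = resources.filter(r => r.type === BUCKET_TYPE);
  // Ids under which a bucket in this stack can be referenced as a log target.
  const knownBucketIds = new Set<string>();
  for (const b of buckets) {
    for (const id of [b.props.id, b.props.bucket]) {
      if (typeof id === "string" && id) knownBucketIds.add(id);
    }
  }
  for (const b of buckets) {
    const loggings: Props[] = Array.isArray(b.props.loggings) ? b.props.loggings : [];
    if (loggings.length === 0) {
      violations.push({ urn: b.urn, message: `S3 bucket '${b.name}' has no logging configured.` });
      continue;
    }
    for (const l of loggings) {
      const target = l.targetBucket;
      if (typeof target !== "string" || !target) {
        violations.push({ urn: b.urn, message: `S3 bucket '${b.name}' has a logging entry without a targetBucket.` });
      } else if (!knownBucketIds.has(target)) {
        violations.push({ urn: b.urn, message: `S3 bucket '${b.name}' logs to '${target}', which is not a bucket in this stack.` });
      }
    }
  }
  return violations;
}

// Adapter in the shape of a StackValidationPolicy callback (assumed signature).
function s3BucketLoggingEnabled(args: { resources: PolicyResource[] },
                                reportViolation: (message: string, urn?: string) => void): void {
  for (const v of validateBucketLogging(args.resources)) reportViolation(v.message, v.urn);
}

// Constructed sample stack: a log bucket without logging, a compliant bucket, and one
// whose target is not a bucket in this stack.
const sampleStack: PolicyResource[] = [
  { type: BUCKET_TYPE, urn: "urn:pulumi:dev::app::aws:s3/bucket:Bucket::logs", name: "logs",
    props: { id: "logs-abc123", bucket: "logs-abc123" } },
  { type: BUCKET_TYPE, urn: "urn:pulumi:dev::app::aws:s3/bucket:Bucket::data", name: "data",
    props: { id: "data-def456", bucket: "data-def456", loggings: [{ targetBucket: "logs-abc123", targetPrefix: "data/" }] } },
  { type: BUCKET_TYPE, urn: "urn:pulumi:dev::app::aws:s3/bucket:Bucket::stray", name: "stray",
    props: { id: "stray-789", bucket: "stray-789", loggings: [{ targetBucket: "someone-elses-bucket" }] } },
];
```

Running `s3BucketLoggingEnabled({ resources: sampleStack }, console.log)` reports the `logs` and `stray` buckets and passes `data`.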