pulumi / pulumi-policy-aws

A policy pack of rules to enforce AWS best practices for security, reliability, cost, and more!
https://www.pulumi.com
Apache License 2.0

AWSGuard only uses the default AWS provider #96

Open aureq opened 1 year ago

aureq commented 1 year ago

### What happened?

Currently, if a user disables the default AWS provider, AWSGuard will use that default provider and its configuration regardless. More specifically, AWSGuard is unable to use a custom provider which is problematic for users who are only relying on programmatic providers.

Imagine the following scenario:

At the time of deployment, AWSGuard will:

At deployment time, the following error is returned showing that the default AWS region isn't configured.

```
error: Error validating stack with policy acm-certificate-expiration:
ConfigError: Missing region in config
    at Request.VALIDATE_REGION (/home/user/.pulumi/policies//pulumi-analyzer-pulumi-awsguard-v0.0.6/node_modules/aws-sdk/lib/event_listeners.js:95:47)
    at Request.callListeners (/home/user/.pulumi/policies//pulumi-analyzer-pulumi-awsguard-v0.0.6/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at callNextListener (/home/user/.pulumi/policies//pulumi-analyzer-pulumi-awsguard-v0.0.6/node_modules/aws-sdk/lib/sequential_executor.js:96:12)
    at /home/user/.pulumi/policies//pulumi-analyzer-pulumi-awsguard-v0.0.6/node_modules/aws-sdk/lib/event_listeners.js:86:9
    at finish (/home/user/.pulumi/policies//pulumi-analyzer-pulumi-awsguard-v0.0.6/node_modules/aws-sdk/lib/config.js:396:7)
    at /home/user/.pulumi/policies//pulumi-analyzer-pulumi-awsguard-v0.0.6/node_modules/aws-sdk/lib/config.js:414:9
    at SharedIniFileCredentials.get (/home/user/.pulumi/policies//pulumi-analyzer-pulumi-awsguard-v0.0.6/node_modules/aws-sdk/lib/credentials.js:127:7)
    at getAsyncCredentials (/home/user/.pulumi/policies//pulumi-analyzer-pulumi-awsguard-v0.0.6/node_modules/aws-sdk/lib/config.js:408:24)
    at Config.getCredentials (/home/user/.pulumi/policies//pulumi-analyzer-pulumi-awsguard-v0.0.6/node_modules/aws-sdk/lib/config.js:428:9)
    at Request.VALIDATE_CREDENTIALS (/home/user/.pulumi/policies//pulumi-analyzer-pulumi-awsguard-v0.0.6/node_modules/aws-sdk/lib/event_listeners.js:81:26)
```

### Expected Behavior

AWSGuard uses the user's programmatic provider

### Steps to reproduce

* Create a new Pulumi app
* Disable the [default provider](https://www.pulumi.com/blog/disable-default-providers/) and remove any config associated in the `Pulumi.stackName.yaml` file
* Create a new Policy pack using AWSGuard with the certificate expiration turned on

```ts
new AwsGuard({
    acmCertificateExpiration: { maxDaysUntilExpiration: 10 },
});
```

### Output of `pulumi about`

n/a

### Additional context

As reported internally by a customer.

### Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
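An added illustration (not AWSGuard's or Pulumi's own code) of the resolution order the report asks for: a rule that needs to call the AWS SDK should take the region from the resource's explicit provider first and only then fall back to the default provider's `aws:region`, failing with a clear message when the default provider is disabled. The `args` shape loosely follows `@pulumi/policy`'s `ResourceValidationArgs`; the assumption that the attached provider's config is reachable as `provider.props` is mine, and the sample inputs are constructed.

```typescript
// Hypothetical shapes modelled on @pulumi/policy (assumption, not the real types).
interface ProviderInfo { type: string; props: Record<string, any>; }
interface ValidationArgs { type: string; props: Record<string, any>; provider?: ProviderInfo; }
// Subset of a Pulumi.<stack>.yaml config relevant here.
interface StackConfig { "aws:region"?: string; "pulumi:disable-default-providers"?: string[]; }

class MissingRegionError extends Error {}

// Returns the region a policy rule should use when it must call the AWS SDK.
function resolveRegion(args: ValidationArgs, cfg: StackConfig): string {
    // 1. A provider explicitly attached to the resource wins (programmatic providers).
    const explicit = args.provider?.props?.region;
    if (typeof explicit === "string" && explicit.length > 0) {
        return explicit;
    }
    // 2. Otherwise fall back to the default provider's config, unless it is disabled
    //    (disable-default-providers lists package names or "*").
    const disabled = cfg["pulumi:disable-default-providers"] ?? [];
    const defaultDisabled = disabled.includes("*") || disabled.includes("aws");
    const fallback = cfg["aws:region"];
    if (!defaultDisabled && typeof fallback === "string" && fallback.length > 0) {
        return fallback;
    }
    // 3. Fail loudly with the reason instead of the SDK's bare "Missing region in config".
    const why = defaultDisabled ? "is disabled" : "has no aws:region configured";
    throw new MissingRegionError(
        `${args.type}: no explicit provider and the default AWS provider ${why}`);
}

// Constructed sample: the repro scenario (default provider disabled, explicit provider used).
function demo(): { explicit: string; failure: string } {
    const cert: ValidationArgs = {
        type: "aws:acm/certificate:Certificate",
        props: { domainName: "example.invalid" },
        provider: { type: "pulumi:providers:aws", props: { region: "eu-west-1" } },
    };
    const cfg: StackConfig = { "pulumi:disable-default-providers": ["aws"] };
    const explicit = resolveRegion(cert, cfg);
    let failure = "";
    try {
        resolveRegion({ type: cert.type, props: cert.props }, cfg); // no provider attached
    } catch (e) {
        failure = e instanceof MissingRegionError ? e.message : "unexpected error";
    }
    return { explicit, failure };
}
```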

justinvp commented 1 year ago

Thanks for opening the issue! I actually thought we already had one tracking this as it's a known limitation.

gunzy83 commented 1 year ago

This is a blocker for us too; we have very few stacks left that use the default provider. We programmatically choose a profile to use, which is the same locally or in CI, and enforce tags over all resources in the stack using the provider. We even have some stacks that cross region boundaries, so we need multiple providers.