pulumi / pulumi-policy

Pulumi's Policy as Code SDK, CrossGuard. Define infrastructure checks in code that enforce security, compliance, cost, and other practices at deployment time.
https://www.pulumi.com/docs/guides/crossguard/
Apache License 2.0

Exemptions should be baked into Configuration #225

Open ekrengel opened 4 years ago

ekrengel commented 4 years ago

There may be resources we want to exempt from a certain policy. The ability to exempt a resource or stack from a policy should be baked into the configuration schema like we do with enforcement levels.

See relevant Slack convo

lukehoban commented 4 years ago

I see two ways to accomplish this in practice:

  1. Configure the policy pack to allow the exemptions
  2. Have the policy pack open-code exempting policies based on tags

The latter puts more power in the hands of individual infrastructure devs to override rules, so is not ideal for truly mandatory compliance rules.

But for the majority of "best practices" rules, it seems the ability of the deployment to opt-out with a tag like PublicAccessApprovedBy: "Luke Hoban" would be a lot more flexible.

This is partly just a question for what we do for our own (and example) policy packs as best practice. But may play into general features we want to support.
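An added example, not code from pulumi-policy or from either commenter, showing how the two mechanisms described in this comment can feed one resource check: an exemption list the policy-pack owner controls through configuration, and a tag-based opt-out that is honoured only when the configuration allows it, so the same rule can run as a mandatory rule or as a best-practice rule. It does not import `@pulumi/policy`; `ResourceLike`, `ExemptionConfig` and `Violation` are simplified stand-ins for the SDK's resource-validation arguments, policy configuration and violation report, and the tag key `PublicAccessApprovedBy`, the resource names and the `exemptResources`/`allowTagOverride` fields are assumptions made for the demo.

```typescript
// Added example (not pulumi-policy code). The SDK is not imported: the
// interfaces below are simplified stand-ins for ResourceValidationArgs,
// policy config and ReportViolation so the file runs on its own.

interface ResourceLike {
  type: string;                      // Pulumi type token, e.g. "aws:s3/bucket:Bucket"
  name: string;                      // logical resource name in the program
  props: { [key: string]: unknown }; // resource input properties
}

// Hypothetical per-policy configuration, modelled on "baked into the
// configuration schema": the pack owner sets it, the stack author does not.
interface ExemptionConfig {
  exemptResources: string[];         // resource names exempted by the policy-pack owner
  allowTagOverride: boolean;         // false makes the rule mandatory: tags cannot bypass it
  approvalTag: string;               // hypothetical tag key, e.g. "PublicAccessApprovedBy"
}

interface Violation {
  resource: string;
  message: string;
}

// Pull string-valued tags out of a resource's props; anything else is ignored.
function tagsOf(props: { [key: string]: unknown }): { [key: string]: string } {
  const raw = props["tags"];
  const out: { [key: string]: string } = {};
  if (raw && typeof raw === "object") {
    const tags = raw as { [key: string]: unknown };
    for (const k in tags) {
      if (Object.prototype.hasOwnProperty.call(tags, k) && typeof tags[k] === "string") {
        out[k] = tags[k] as string;
      }
    }
  }
  return out;
}

// Returns a human-readable reason if the resource is exempt, undefined otherwise.
// The owner-configured list is checked first; the tag opt-out is only honoured
// when the configuration allows it, which is the split between the two options.
function exemptionReason(res: ResourceLike, cfg: ExemptionConfig): string | undefined {
  if (cfg.exemptResources.indexOf(res.name) !== -1) {
    return "exempt by policy configuration";
  }
  if (cfg.allowTagOverride) {
    const approver = tagsOf(res.props)[cfg.approvalTag];
    // An empty approver is not an approval: someone has to put their name on it.
    if (approver !== undefined && approver.trim() !== "") {
      return "opt-out approved by " + approver;
    }
  }
  return undefined;
}

// The rule being exempted from: an S3 bucket must not use a public canned ACL.
// The type token is only compared as a string; no provider schema is consulted.
const PUBLIC_ACLS = ["public-read", "public-read-write"];

function checkNoPublicBucket(res: ResourceLike, cfg: ExemptionConfig): Violation[] {
  if (res.type !== "aws:s3/bucket:Bucket") return [];
  const acl = typeof res.props["acl"] === "string" ? (res.props["acl"] as string) : "private";
  if (PUBLIC_ACLS.indexOf(acl) === -1) return [];
  if (exemptionReason(res, cfg) !== undefined) return [];
  return [{ resource: res.name, message: "bucket " + res.name + " has public ACL " + acl }];
}

function runPolicy(resources: ResourceLike[], cfg: ExemptionConfig): Violation[] {
  return resources.reduce<Violation[]>((acc, r) => acc.concat(checkNoPublicBucket(r, cfg)), []);
}

// Constructed sample stack: three public buckets that differ only in how (or
// whether) they are exempted, plus one private bucket that never matches.
const SAMPLE_RESOURCES: ResourceLike[] = [
  { type: "aws:s3/bucket:Bucket", name: "website-assets",
    props: { acl: "public-read", tags: { PublicAccessApprovedBy: "Luke Hoban" } } },
  { type: "aws:s3/bucket:Bucket", name: "legacy-export",   // on the configured list
    props: { acl: "public-read" } },
  { type: "aws:s3/bucket:Bucket", name: "scratch",         // tag present but empty
    props: { acl: "public-read-write", tags: { PublicAccessApprovedBy: "" } } },
  { type: "aws:s3/bucket:Bucket", name: "logs",
    props: { acl: "private" } },
];

// Best-practice mode: the tag opt-out is honoured, so only "scratch" is flagged.
const BEST_PRACTICE: ExemptionConfig = {
  exemptResources: ["legacy-export"],
  allowTagOverride: true,
  approvalTag: "PublicAccessApprovedBy",
};

// Mandatory mode: same exemption list, but a tag cannot override the rule,
// so "website-assets" is flagged as well.
const MANDATORY: ExemptionConfig = { ...BEST_PRACTICE, allowTagOverride: false };

console.log("best-practice:", runPolicy(SAMPLE_RESOURCES, BEST_PRACTICE).map((v) => v.resource));
console.log("mandatory:    ", runPolicy(SAMPLE_RESOURCES, MANDATORY).map((v) => v.resource));
```

The ordering inside `exemptionReason` is the security-relevant part: the configured list is owned by whoever publishes the pack, while the tag is written by whoever deploys the stack, so a rule that must not be bypassed by the deployer is expressed by `allowTagOverride: false` rather than by trusting a tag value. Requiring a non-empty approver also leaves an audit trail in the resource's tags rather than a bare opt-out flag.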