pulumi / pulumi-policy

Pulumi's Policy as Code SDK, CrossGuard. Define infrastructure checks in code to enforce security, compliance, cost, and other practices, enforced at deployment time.
https://www.pulumi.com/docs/guides/crossguard/
Apache License 2.0

Move to ContextVars regressed access to config and other runtime data from policies #289

Closed justinvp closed 1 year ago

justinvp commented 1 year ago

These asserts are failing:

https://github.com/pulumi/pulumi-policy/blob/2c82f0249d26fd239ca61b1354938812068bfa9a/tests/integration/runtime_data/policy-pack-python/__main__.py#L37-L39

We might have regressed this in pulumi/pulumi.

justinvp commented 1 year ago

This regressed with the change to use ContextVars in https://github.com/pulumi/pulumi/pull/10402 and https://github.com/pulumi/pulumi/pull/10472.

I temporarily fixed this in https://github.com/pulumi/pulumi-policy/commit/fa8170481aa1e26a19021e07ca368e372b8c8dfe, but I think a better fix would be to fix this in pulumi/pulumi: https://github.com/pulumi/pulumi/blob/7c01f1ba05c133002dd448e0d61c99fff8c52210/sdk/python/lib/pulumi/policy/__main__.py#L37-L56

    # If any config variables are present, parse and set them, so subsequent accesses are fast.
    config_env = pulumi.runtime.get_config_env()
    for k, v in config_env.items():
        pulumi.runtime.set_config(k, v)

    # Configure the runtime so that the user program hooks up to Pulumi as appropriate.
    if (
        "PULUMI_PROJECT" in os.environ
        and "PULUMI_STACK" in os.environ
        and "PULUMI_DRY_RUN" in os.environ
    ):
        pulumi.runtime.configure(
            pulumi.runtime.Settings(
                project=os.environ["PULUMI_PROJECT"],
                stack=os.environ["PULUMI_STACK"],
                dry_run=os.environ["PULUMI_DRY_RUN"] == "true",
                # PULUMI_ORGANIZATION might not be set for filestate backends
                organization=os.environ.get("PULUMI_ORGANIZATION", "organization"),
            )
        )

Perhaps we could use a subclass of pulumi.runtime.Settings that doesn't use ContextVars (like MockSettings) and similar for CONFIG.
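
The failure mode discussed above, as an added example that is not part of the original thread or of Pulumi's code: a value stored in a ContextVar by startup code is only visible in that context, while plain process-wide state (the "doesn't use ContextVars" approach) is visible everywhere. All names are hypothetical stand-ins, and it assumes policy callbacks run on a different thread than the startup code, on a standard CPython build where new threads start with an empty context.

```python
import contextvars
from concurrent.futures import ThreadPoolExecutor

# Hypothetical stand-ins for runtime settings; not Pulumi's real internals.
_PROJECT_VAR = contextvars.ContextVar("project", default=None)
_PROJECT_GLOBAL = {"project": None}  # process-wide storage, no ContextVar


def configure(project):
    """Startup code: runs once on the calling thread, in its context."""
    _PROJECT_VAR.set(project)
    _PROJECT_GLOBAL["project"] = project


def policy_reads_contextvar():
    """What a policy callback sees when settings live in a ContextVar."""
    return _PROJECT_VAR.get()


def policy_reads_global():
    """What it sees when settings live in plain process-wide state."""
    return _PROJECT_GLOBAL["project"]


def run_on_worker(fn, ctx=None):
    """Run fn on a pool thread, optionally inside a captured context."""
    with ThreadPoolExecutor(max_workers=1) as pool:
        target = fn if ctx is None else (lambda: ctx.run(fn))
        return pool.submit(target).result()


def demo():
    configure("constructed-project")  # constructed sample value
    startup_ctx = contextvars.copy_context()  # snapshot taken after configure()
    return {
        # Same context as configure(): the value is there.
        "main_thread": policy_reads_contextvar(),
        # Worker thread, empty context: falls back to the default (None).
        "worker_contextvar": run_on_worker(policy_reads_contextvar),
        # Plain global: visible from any thread.
        "worker_global": run_on_worker(policy_reads_global),
        # Explicitly propagating the startup context also restores access.
        "worker_with_ctx": run_on_worker(policy_reads_contextvar, startup_ctx),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} -> {value!r}")
```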

justinvp commented 1 year ago

I looked into addressing this in pulumi (where the regression was introduced), but that didn't pan out, so will proceed with the local fixes here in pulumi-policy. Will aim to release a new version today.

In the meantime, until the new version of pulumi-policy has been released, a workaround is to pin to an earlier version of pulumi in the policy pack's requirements.txt:

    pulumi==3.38.0
    pulumi-policy>=1.3.0,<2.0.0

Or use a preview release of pulumi-policy which includes the fix:

    pulumi-policy==1.5.0a1665075566

justinvp commented 1 year ago

A release with the fix is now available: 1.5.0.

Fixed by https://github.com/pulumi/pulumi-policy/commit/fa8170481aa1e26a19021e07ca368e372b8c8dfe.