Pulumi's Policy as Code SDK, CrossGuard: define infrastructure checks in code that enforce security, compliance, cost, and other practices at deployment time.
What happened?
Running this policy against a stack:
    // Minimal repro: a stack-level validator with the pack's enforcement level set to "remediate".
    // Only PolicyPack is needed; the other imports from the original snippet were unused.
    import { PolicyPack } from "@pulumi/policy";

    new PolicyPack("aws-check-tags", {
        policies: [
            {
                name: "my-stack-policy",
                enforcementLevel: "remediate",
                description: "Do some stack validation.",
                // Stack validators can only report; they have no remediation return value.
                validateStack: (_, reportViolation) => {
                    reportViolation("The stack is busted.");
                },
            },
        ],
    });
Causes this panic:
Previewing update (dev)
View Live: https://app.pulumi.com/jkodrofftest/remediation-policy-test/dev/previews/f23ca1a3-974f-4a2b-ab8b-dc2dbc29ec03
Loading policy packs...
pulumi:pulumi:Stack remediation-policy-test-dev (node:10787) DeprecationWarning: Calling start() is no longer necessary. It can be safely omitted.
pulumi:pulumi:Stack remediation-policy-test-dev (Use `node --trace-deprecation ...` to show where the warning was created)
@ Previewing update....
pulumi:pulumi:Stack remediation-policy-test-dev running (Use `node --trace-deprecation ...` to show where the warning was created)
@ Previewing update.....
aws:s3:Bucket remediation-policies
goroutine 108 [running]:
github.com/pulumi/pulumi/sdk/v3/go/common/util/contract.failfast(...)
/private/tmp/pulumi-20240207-3581-vvr5zl/sdk/go/common/util/contract/failfast.go:23
github.com/pulumi/pulumi/sdk/v3/go/common/util/contract.Failf({0x1045e1dd4?, 0x104d63e60?}, {0x14001a3f7b8?, 0x10453c11c?, 0x1046583d2?})
/private/tmp/pulumi-20240207-3581-vvr5zl/sdk/go/common/util/contract/fail.go:32 +0xbc
github.com/pulumi/pulumi/pkg/v3/engine.(*eventEmitter).policyViolationEvent(0x14001fc7df8, {0x14000f37da0, 0x59}, {{0x14001a33080, 0xf}, {0x14001a33090, 0xe}, {0x14001a33078, 0x5}, {0x1400209adc0, ...}, ...})
/private/tmp/pulumi-20240207-3581-vvr5zl/pkg/engine/events.go:484 +0x140
github.com/pulumi/pulumi/pkg/v3/engine.(*previewActions).OnPolicyViolation(0x102deedb4?, {0x14000f37da0?, 0x102896074?}, {{0x14001a33080, 0xf}, {0x14001a33090, 0xe}, {0x14001a33078, 0x5}, {0x1400209adc0, ...}, ...})
/private/tmp/pulumi-20240207-3581-vvr5zl/pkg/engine/update.go:782 +0x54
github.com/pulumi/pulumi/pkg/v3/resource/deploy.(*stepGenerator).AnalyzeResources(0x1400185df00)
/private/tmp/pulumi-20240207-3581-vvr5zl/pkg/resource/deploy/step_generator.go:2026 +0x15c
github.com/pulumi/pulumi/pkg/v3/resource/deploy.(*deploymentExecutor).Execute(0x14001e73ce0, {0x10549ca28?, 0x14000eea180}, {{0x12e4bde38, 0x14001e87d20}, 0x20, 0x0, 0x0, {{0x1069f2440, 0x0, ...}, ...}, ...}, ...)
/private/tmp/pulumi-20240207-3581-vvr5zl/pkg/resource/deploy/deployment_executor.go:316 +0x5f4
github.com/pulumi/pulumi/pkg/v3/resource/deploy.(*Deployment).Execute(...)
/private/tmp/pulumi-20240207-3581-vvr5zl/pkg/resource/deploy/deployment.go:578
github.com/pulumi/pulumi/pkg/v3/engine.(*deployment).run.func1()
/private/tmp/pulumi-20240207-3581-vvr5zl/pkg/engine/deployment.go:323 +0x1e0
created by github.com/pulumi/pulumi/pkg/v3/engine.(*deployment).run in goroutine 1
/private/tmp/pulumi-20240207-3581-vvr5zl/pkg/engine/deployment.go:308 +0x204
Looks like it only happens when set to remediate.
Example
n/a - see above
Output of pulumi about
CLI
Version      3.105.0
Go Version   go1.21.6
Go Compiler  gc

Plugins
NAME    VERSION
aws     6.22.0
awsx    2.5.0
docker  4.5.1
docker  3.6.1
nodejs  unknown

Host
OS       darwin
Version  14.3.1
Arch     arm64

This project is written in nodejs: executable='/opt/homebrew/bin/node' version='v21.2.0'

Current Stack: jkodrofftest/remediation-policy-test/dev

TYPE                   URN
pulumi:pulumi:Stack    urn:pulumi:dev::remediation-policy-test::pulumi:pulumi:Stack::remediation-policy-test-dev
pulumi:providers:aws   urn:pulumi:dev::remediation-policy-test::pulumi:providers:aws::default_6_22_0
aws:s3/bucket:Bucket   urn:pulumi:dev::remediation-policy-test::aws:s3/bucket:Bucket::remediation-policies

Found no pending operations associated with dev

Backend
Name           pulumi.com
URL            https://app.pulumi.com/josh-pulumi-corp
User           josh-pulumi-corp
Organizations  josh-pulumi-corp, pulumi-gitlab-demo2, jkodrofftest, policy-as-code-on-aws-20240214, zephyr, pulumi
Token type     personal

Dependencies:
NAME            VERSION
@pulumi/aws     6.22.0
@pulumi/awsx    2.5.0
@pulumi/pulumi  3.105.0
@types/node     18.19.15

Pulumi locates its logs in /var/folders/5m/4n1x3f8151s35wc80w06z5k80000gn/T/ by default
Additional context
No response
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
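For context on what "remediate" means in CrossGuard, here is an added example (not from the issue author or the Pulumi repository) of the tag-check logic a pack named "aws-check-tags" would wire into validateResourceOfType and remediateResourceOfType. It is written against hand-rolled types that mirror the SDK callback shapes so it runs without @pulumi/policy installed; the type names, REQUIRED_TAGS, the "unknown" placeholder value and the runPolicies harness are assumptions for the example. The point it illustrates is that remediation is a resource-level operation returning patched properties, whereas a stack validator, like the one in the repro, can only report.

```typescript
// Added example, not code from the issue or from Pulumi's SDK.
// Local types mirror the subset of CrossGuard's ResourceValidationArgs and
// ReportViolation that the handlers use (names are assumptions).
interface ResourceArgs {
    type: string;               // e.g. "aws:s3/bucket:Bucket"
    name: string;               // logical resource name
    props: Record<string, any>; // resolved input properties
}
type ReportViolation = (message: string, urn?: string) => void;

/** Tags every targeted resource must carry (assumption for the example). */
export const REQUIRED_TAGS = ["Owner", "Environment"];

/** Resource types the policy applies to; only S3 buckets here. */
export const TAGGED_TYPES = new Set(["aws:s3/bucket:Bucket"]);

/** Returns the required tags that are absent or empty in props.tags. */
export function missingTags(props: Record<string, any>): string[] {
    const tags: Record<string, string> = props.tags ?? {};
    return REQUIRED_TAGS.filter(t => !(t in tags) || tags[t] === "");
}

/** validateResource-style handler: reports violations, never mutates. */
export function validateTags(args: ResourceArgs, reportViolation: ReportViolation): void {
    if (!TAGGED_TYPES.has(args.type)) return;
    const missing = missingTags(args.props);
    if (missing.length > 0) {
        reportViolation(`${args.name} is missing required tags: ${missing.join(", ")}`);
    }
}

/**
 * remediateResource-style handler: returns patched props when a fix is
 * needed, or undefined to leave the resource untouched.
 */
export function remediateTags(args: ResourceArgs): Record<string, any> | undefined {
    if (!TAGGED_TYPES.has(args.type)) return undefined;
    const missing = missingTags(args.props);
    if (missing.length === 0) return undefined;
    const tags = { ...(args.props.tags ?? {}) };
    for (const t of missing) tags[t] = "unknown"; // placeholder value; assumption
    return { ...args.props, tags };
}

/** Stand-in for the engine loop: validate, then remediate, each resource. */
export function runPolicies(resources: ResourceArgs[]): { violations: string[]; remediated: ResourceArgs[] } {
    const violations: string[] = [];
    const remediated = resources.map(r => {
        validateTags(r, msg => violations.push(msg));
        const patched = remediateTags(r);
        return patched ? { ...r, props: patched } : r;
    });
    return { violations, remediated };
}

// Constructed sample input: a compliant bucket, an untagged bucket, and a
// resource type the policy does not target.
export const SAMPLE: ResourceArgs[] = [
    { type: "aws:s3/bucket:Bucket", name: "logs", props: { tags: { Owner: "secops", Environment: "prod" } } },
    { type: "aws:s3/bucket:Bucket", name: "remediation-policies", props: { acl: "private" } },
    { type: "aws:iam/role:Role", name: "app", props: {} },
];
```

To ship this as a real pack, pass validateTags to validateResourceOfType and remediateTags to remediateResourceOfType inside new PolicyPack(...); the handlers take the same (args, reportViolation) and (args) shapes as above. Note that validateStack has no equivalent of the returned-props path, so a policy that only defines validateStack has nothing for the "remediate" enforcement level to apply.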