pulumi / pulumi-policy

Pulumi's Policy as Code SDK, CrossGuard. Define infrastructure checks in code that enforce security, compliance, cost, and other practices at deployment time.
https://www.pulumi.com/docs/guides/crossguard/
Apache License 2.0
34 stars, 5 forks

Panic on failed stack policy when `enforcementLevel` is `remediate` #332

Closed jkodroff closed 7 months ago

jkodroff commented 7 months ago

What happened?

Running this policy against a stack:

import { PolicyPack } from "@pulumi/policy";

// Minimal reproducer: a stack policy that always reports a violation,
// with its enforcement level set to "remediate".
new PolicyPack("aws-check-tags", {
    policies: [
        {
            name: "my-stack-policy",
            enforcementLevel: "remediate",
            description: "Do some stack validation.",
            validateStack: (_, reportViolation) => {
                reportViolation("The stack is busted.");
            },
        }
    ],
});

Causes this panic:

Previewing update (dev)

View Live: https://app.pulumi.com/jkodrofftest/remediation-policy-test/dev/previews/f23ca1a3-974f-4a2b-ab8b-dc2dbc29ec03

Loading policy packs...

    pulumi:pulumi:Stack remediation-policy-test-dev  (node:10787) DeprecationWarning: Calling start() is no longer necessary. It can be safely omitted.
    pulumi:pulumi:Stack remediation-policy-test-dev  (Use `node --trace-deprecation ...` to show where the warning was created)

@ Previewing update....
    pulumi:pulumi:Stack remediation-policy-test-dev running (Use `node --trace-deprecation ...` to show where the warning was created)
@ Previewing update.....
    aws:s3:Bucket remediation-policies

goroutine 108 [running]:
github.com/pulumi/pulumi/sdk/v3/go/common/util/contract.failfast(...)
  /private/tmp/pulumi-20240207-3581-vvr5zl/sdk/go/common/util/contract/failfast.go:23
github.com/pulumi/pulumi/sdk/v3/go/common/util/contract.Failf({0x1045e1dd4?, 0x104d63e60?}, {0x14001a3f7b8?, 0x10453c11c?, 0x1046583d2?})
  /private/tmp/pulumi-20240207-3581-vvr5zl/sdk/go/common/util/contract/fail.go:32 +0xbc
github.com/pulumi/pulumi/pkg/v3/engine.(*eventEmitter).policyViolationEvent(0x14001fc7df8, {0x14000f37da0, 0x59}, {{0x14001a33080, 0xf}, {0x14001a33090, 0xe}, {0x14001a33078, 0x5}, {0x1400209adc0, ...}, ...})
  /private/tmp/pulumi-20240207-3581-vvr5zl/pkg/engine/events.go:484 +0x140
github.com/pulumi/pulumi/pkg/v3/engine.(*previewActions).OnPolicyViolation(0x102deedb4?, {0x14000f37da0?, 0x102896074?}, {{0x14001a33080, 0xf}, {0x14001a33090, 0xe}, {0x14001a33078, 0x5}, {0x1400209adc0, ...}, ...})
  /private/tmp/pulumi-20240207-3581-vvr5zl/pkg/engine/update.go:782 +0x54
github.com/pulumi/pulumi/pkg/v3/resource/deploy.(*stepGenerator).AnalyzeResources(0x1400185df00)
  /private/tmp/pulumi-20240207-3581-vvr5zl/pkg/resource/deploy/step_generator.go:2026 +0x15c
github.com/pulumi/pulumi/pkg/v3/resource/deploy.(*deploymentExecutor).Execute(0x14001e73ce0, {0x10549ca28?, 0x14000eea180}, {{0x12e4bde38, 0x14001e87d20}, 0x20, 0x0, 0x0, {{0x1069f2440, 0x0, ...}, ...}, ...}, ...)
  /private/tmp/pulumi-20240207-3581-vvr5zl/pkg/resource/deploy/deployment_executor.go:316 +0x5f4
github.com/pulumi/pulumi/pkg/v3/resource/deploy.(*Deployment).Execute(...)
  /private/tmp/pulumi-20240207-3581-vvr5zl/pkg/resource/deploy/deployment.go:578
github.com/pulumi/pulumi/pkg/v3/engine.(*deployment).run.func1()
  /private/tmp/pulumi-20240207-3581-vvr5zl/pkg/engine/deployment.go:323 +0x1e0

created by github.com/pulumi/pulumi/pkg/v3/engine.(*deployment).run in goroutine 1
  /private/tmp/pulumi-20240207-3581-vvr5zl/pkg/engine/deployment.go:308 +0x204

Looks like it only happens when set to remediate.

Example

n/a - see above

Output of pulumi about

CLI          
Version      3.105.0
Go Version   go1.21.6
Go Compiler  gc

Plugins
NAME    VERSION
aws     6.22.0
awsx    2.5.0
docker  4.5.1
docker  3.6.1
nodejs  unknown

Host     
OS       darwin
Version  14.3.1
Arch     arm64

This project is written in nodejs: executable='/opt/homebrew/bin/node' version='v21.2.0'

Current Stack: jkodrofftest/remediation-policy-test/dev

TYPE                  URN
pulumi:pulumi:Stack   urn:pulumi:dev::remediation-policy-test::pulumi:pulumi:Stack::remediation-policy-test-dev
pulumi:providers:aws  urn:pulumi:dev::remediation-policy-test::pulumi:providers:aws::default_6_22_0
aws:s3/bucket:Bucket  urn:pulumi:dev::remediation-policy-test::aws:s3/bucket:Bucket::remediation-policies

Found no pending operations associated with dev

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/josh-pulumi-corp
User           josh-pulumi-corp
Organizations  josh-pulumi-corp, pulumi-gitlab-demo2, jkodrofftest, policy-as-code-on-aws-20240214, zephyr, pulumi
Token type     personal

Dependencies:
NAME            VERSION
@pulumi/aws     6.22.0
@pulumi/awsx    2.5.0
@pulumi/pulumi  3.105.0
@types/node     18.19.15

Pulumi locates its logs in /var/folders/5m/4n1x3f8151s35wc80w06z5k80000gn/T/ by default

Additional context

No response

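Added example, not part of the issue above and not pulumi-policy's own code: a pre-flight lint that rejects the shape reported in this issue, a stack policy whose enforcementLevel is "remediate", before the pack is ever handed to the engine. "remediate" only has meaning for a resource policy that supplies a remediateResource callback; a validateStack policy has nothing to rewrite, so that level cannot be honoured. The types below are a simplified local mirror of the @pulumi/policy shapes (an assumption, only the fields the check needs are modelled) so the file runs without the SDK installed, and the sample pack is constructed for the example.

```typescript
// Added example (not pulumi-policy's own code): lint a policy pack's enforcement
// levels before running `pulumi preview --policy-pack ...`, e.g. as a unit test in CI.
// Assumption: the interfaces below are a simplified mirror of the @pulumi/policy
// shapes, reduced to the fields this check needs.

type EnforcementLevel = "advisory" | "mandatory" | "remediate" | "disabled";

interface PolicyBase {
    name: string;
    description: string;
    enforcementLevel?: EnforcementLevel;
}

// A resource policy validates and/or remediates one resource at a time.
interface ResourcePolicySpec extends PolicyBase {
    validateResource?: unknown;
    remediateResource?: unknown;
}

// A stack policy sees every resource at once and can only report violations;
// there is nothing for the engine to remediate.
interface StackPolicySpec extends PolicyBase {
    validateStack: unknown;
}

type PolicySpec = ResourcePolicySpec | StackPolicySpec;

interface PackSpec {
    enforcementLevel?: EnforcementLevel; // pack-wide default, overridden per policy
    policies: PolicySpec[];
}

export interface Finding {
    policy: string;
    problem: string;
}

function isStackPolicy(p: PolicySpec): p is StackPolicySpec {
    return "validateStack" in p;
}

/** One finding per policy whose effective enforcement level cannot be honoured. */
export function lintEnforcementLevels(pack: PackSpec): Finding[] {
    const findings: Finding[] = [];
    for (const p of pack.policies) {
        // Policy-level setting wins, then the pack default, then the SDK default of "advisory".
        const level: EnforcementLevel = p.enforcementLevel ?? pack.enforcementLevel ?? "advisory";
        if (level !== "remediate") continue;
        if (isStackPolicy(p)) {
            findings.push({
                policy: p.name,
                problem: "stack policies cannot remediate; use \"mandatory\" or \"advisory\"",
            });
        } else if (p.remediateResource === undefined) {
            findings.push({
                policy: p.name,
                problem: "\"remediate\" set but the policy defines no remediateResource, so nothing can be rewritten",
            });
        }
    }
    return findings;
}

// Constructed sample pack: the misconfigured stack policy from the report next to a
// well-formed resource remediation policy (the bucket tag it adds is illustrative).
export const samplePack: PackSpec = {
    policies: [
        {
            name: "my-stack-policy",
            enforcementLevel: "remediate", // the misconfiguration that triggers the panic
            description: "Do some stack validation.",
            validateStack: (_args: unknown, reportViolation: (m: string) => void) => {
                reportViolation("The stack is busted.");
            },
        },
        {
            name: "s3-bucket-must-have-owner-tag",
            enforcementLevel: "remediate",
            description: "Adds an owner tag to untagged buckets.",
            validateResource: () => {},
            remediateResource: () => ({ tags: { owner: "platform" } }),
        },
    ],
};

// Only "my-stack-policy" is flagged; the resource policy is a valid use of "remediate".
export const sampleFindings = lintEnforcementLevels(samplePack);
```

Run the lint over the real pack definition in the policy project's test suite and fail the build on any finding; that keeps a "remediate" typo on a stack policy from reaching an engine version that still crashes on it.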

jkodroff commented 7 months ago

NICE!