pulumi / pulumi-policy

Pulumi's Policy as Code SDK, CrossGuard. Define infrastructure checks in code to enforce security, compliance, cost, and other practices, enforced at deployment time.
https://www.pulumi.com/docs/guides/crossguard/
Apache License 2.0

Add Pulumi program context to `ResourceValidationArgs` and `StackValidationArgs` #333

Open jkodroff opened 4 months ago

jkodroff commented 4 months ago

Hello!

Issue details

I'm trying to run the Snyk CLI in a resource validation policy to validate a docker.Image resource:

import * as docker from "@pulumi/docker";

const image = new docker.Image("my-image", {
  imageName: "docker.io/joshkodroff/pulumi-policy-test",
  buildOnPreview: false,         // image is built only on `pulumi up`, not on preview
  build: {
    dockerfile: "./Dockerfile",  // relative to the Pulumi program directory
    platform: "linux/amd64"
  }
});

I can get it working for basic scanning, but Snyk has an option to pass a --file /path/to/Dockerfile argument to provide additional suggestions for remediation. I can't seem to find a way to get the directory of the Pulumi program. (process.cwd() gives me the path to the policy instead of the path to the Pulumi program.)

It would be useful if ResourceValidationArgs included something like a stackContext or similar object with things like the stack name, program name, full path to the Pulumi program, etc. Could also be helpful to know whether we're in preview or up.

UPDATE: StackValidation would likewise benefit from the same.


justinvp commented 4 months ago

Note that some of this information you can already get via:

import * as pulumi from "@pulumi/pulumi";

pulumi.runtime.isDryRun()  // true during `pulumi preview`, false during `pulumi up`
pulumi.getProject()        // project name from Pulumi.yaml
pulumi.getStack()          // name of the stack being previewed/updated

Which will work inside a policy.

I don't think we have a way to get the path of the program.

Having something like a stackContext that has all this information would be useful, if nothing else for discoverability of the information.
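
An added example, not code from the pulumi-policy project or from either commenter, showing what the validation logic for this use case looks like once the context is available. It assumes a `StackContext` object: `project`, `stack` and `isDryRun` can be filled today with `pulumi.getProject()`, `pulumi.getStack()` and `pulumi.runtime.isDryRun()` as noted above, while `programDir` has no SDK source yet and is assumed to reach the policy pack out of band (e.g. policy config). The Snyk JSON shape is simplified and assumed, and `validateDockerImage`, `snykArgs`, `runSnyk` and the `Scanner` injection point are this example's own names; the argument type is a structural subset of pulumi-policy's `ResourceValidationArgs`, so in a real pack the function would be passed as `validateResource`.

```typescript
// Added example (not pulumi-policy or issue-author code): a docker.Image
// validation callback that runs the Snyk CLI with --file <Dockerfile>, resolving
// the Dockerfile against the Pulumi *program* directory instead of process.cwd(),
// which inside a policy is the policy pack directory.
import * as path from "path";
import { spawnSync } from "child_process";

// Structural subset of pulumi-policy's ResourceValidationArgs (only fields used here).
export interface ImageValidationArgs {
    type: string;
    name: string;
    props: Record<string, any>;
}
export type ReportViolation = (message: string) => void;

// The context the issue asks for. project/stack/isDryRun are obtainable today via
// pulumi.getProject(), pulumi.getStack(), pulumi.runtime.isDryRun(); programDir is
// ASSUMED to be supplied to the policy pack by other means (no SDK source yet).
export interface StackContext {
    project: string;
    stack: string;
    isDryRun: boolean;
    programDir: string;
}

// ASSUMED, simplified view of `snyk container test --json` output.
export interface SnykResult {
    ok: boolean;
    vulnerabilities: { id: string; severity: string; title: string; packageName?: string }[];
}
export type Scanner = (argv: string[]) => SnykResult;

const SEVERITY_RANK: Record<string, number> = { low: 1, medium: 2, high: 3, critical: 4 };

// Build the snyk argv. The Dockerfile path in the resource inputs is relative to the
// Pulumi program, so it must be resolved against ctx.programDir, not process.cwd().
export function snykArgs(imageName: string, dockerfile: string | undefined, ctx: StackContext): string[] {
    const argv = ["container", "test", imageName, "--json"];
    if (dockerfile !== undefined) {
        argv.push("--file", path.resolve(ctx.programDir, dockerfile));
    }
    return argv;
}

// Default scanner: shell out to the snyk CLI. Exit status 1 means vulnerabilities were
// found (JSON is still on stdout); any other non-zero status is a CLI/auth error.
export function runSnyk(argv: string[]): SnykResult {
    const r = spawnSync("snyk", argv, { encoding: "utf8" });
    if (r.error) throw r.error;
    if (r.status !== 0 && r.status !== 1) {
        throw new Error(`snyk exited with ${r.status}: ${r.stderr}`);
    }
    return JSON.parse(r.stdout) as SnykResult;
}

// Returns the number of violations reported, so callers/tests can check it.
export function validateDockerImage(
    args: ImageValidationArgs,
    reportViolation: ReportViolation,
    ctx: StackContext,
    threshold: string = "high",
    scanner: Scanner = runSnyk,
): number {
    if (args.type !== "docker:index/image:Image") return 0;
    // With buildOnPreview: false there is no image to scan during `pulumi preview`.
    if (ctx.isDryRun && args.props.buildOnPreview === false) return 0;

    const imageName: string = args.props.imageName;
    const dockerfile: string | undefined = args.props.build?.dockerfile;
    const result = scanner(snykArgs(imageName, dockerfile, ctx));

    const min = SEVERITY_RANK[threshold];
    let count = 0;
    for (const v of result.vulnerabilities) {
        if ((SEVERITY_RANK[v.severity] ?? 0) >= min) {
            reportViolation(
                `[${ctx.project}/${ctx.stack}] ${args.name} (${imageName}): ${v.id} ${v.severity} ${v.title}`);
            count++;
        }
    }
    return count;
}
```

The scanner is injected so the policy can be unit-tested without Docker or a Snyk token; in CI the real `runSnyk` path needs `SNYK_TOKEN` set (or a prior `snyk auth`). Skipping the scan on preview when `buildOnPreview` is false matters because otherwise the policy fails on an image that does not exist yet, which is a second reason `isDryRun` belongs in any future `stackContext`.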

jkodroff commented 3 months ago

@justinvp And... I am kicking myself for missing this comment. I had no idea these would work, and it's damn useful that they do! I'm gonna give this a try.