search

pulumi / pulumi-pulumiservice

https://pulumi.com
Apache License 2.0
13 stars 7 forks source link

Policy resources are not present in the provider #186

Open jkodroff opened 1 year ago

jkodroff commented 1 year ago

Hello!

Issue details

It's not possible today to manage Policy Groups via the Pulumi Cloud provider (nor via the REST API, which I would assume is a pre-req for having it present in the provider).

I would like to be able to do all of the following with the provider:

  1. Manage policy packs (publish, un-publish) from a location on disk (this could be tricky, or might be best left to the command provider, so I'm more flexible on this one)
  2. Query published policy packs
  3. Query (projects and) stacks (by tag)
  4. Manage policy groups
  5. Manage policy group policy packs (that is, the settings for each policy rule and the version of the policy pack)
  6. Manage policy group stacks (that is, the stacks that are included in the policy group)

Out of scope, but this is what I would be doing next:

  1. Trigger a Pulumi Deployments Refresh on all affected stacks and alert upon failure

Affected area/feature

lukehoban commented 3 months ago

As part of some discussions recently we sketched out what we think these APIs could look like. Leaving notes here in case they help as input to implementing this:

const policyGroup = new pulumiservice.PolicyGroup("production", {

});

for (const stack in productionStacks) {
    new pulumiservice.PolicyGroupStack(stack, {
        policyGroup: policyGroup.name,
        stack: stack,
    });
}

for (const policy of ["soc2" , "pci-dss" ]) {
    const policyPack = new pulumiservice.PolicyPack({
        name: policy,
        source: new pulumi.asset.FileArchive("../policy/"+policy),
    });
    new pulumiservice.PolicyGroupPolicyPack(policy, {
        policyGroup: policyGroup.name,
        policyPack: policyPack.name,
    });

}

A few notes:

  1. We believe the assignment of a PolicyGroup to a Stack should be done through its own resource (instead of inline in the PolicyGroup or Stack).
  2. Similarly, we believe the assignment of a PolicyPack to a PolicyGroup should be done through its own resource.
  3. It would be really nice if the policy pack could be provided as an Archive, effectively doing the policy publish automatically from that archive (which could be a folder on disk, or an in-memory constructed policy pack, programmatically configured based inputs in the users' program!). This allows automating the lifecycle of policies completely within the provider.