Initial support for configuring policies #4015
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
We now allow receiving disabled policies in the AnalyzerInfo metadata, to allow such policies to be enabled and configured.
justinvp
force-pushed
the
justin/pac_config
branch
from
cbc4f70 to
7498136
Compare
justinvp
commented
Mar 4, 2020
pkg/engine/update.go
Outdated
Comment on lines
260
to
267
| analyzerInfo, err := analyzer.GetAnalyzerInfo() | ||
| if err != nil { | ||
| return err | ||
| } | ||
| config, err := plugin.ReconcilePolicyPackConfig(analyzerInfo.Policies, configFromAPI) | ||
| if err != nil { | ||
| return errors.Wrapf(err, "reconciling configuration for analyzer %q", analyzerInfo.Name) | ||
| } |
There was a problem hiding this comment.
Note: An alternative to retrieving the metadata and reconciling the config here would be to just pass the config directly from the service (or from a --policy-pack-config specified file) to the Policy Pack. However, then each language SDK for policies would have to handle reconciling its default values with the specified config. Looking ahead to implementing the SDK for Python, .NET, and Go, it seemed "better" to have a single implementation here for doing this reconciliation, rather than writing it N times for each language.
justinvp
commented
Mar 4, 2020
ekrengel
reviewed
Mar 4, 2020
Instead of returning these as a single combined error, emit these as individual diagnostic messages. This allows these errors to be seen in the Pulumi Console. Also, make it so that all validation errors for all policy packs are returned. We should still consider adding a new diagnostic event for these, which would allow improved grouping and display, but that requires changes to both the CLI and service and can be done subsequently. Also, cleaned up some things and added more tests.
The way we're calling it, it's always going to be set, since we fill in the default enforcement level value from the policy metadata.
Older policy packs do not support config, so avoid sending schema for such policy packs so that the service can distinguish whether a policy pack is configurable or not. Also, avoid configuring policy packs that don't support config.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Apologies for the larger PR. It's broken up into more digestible commits.
This adds support for the
--policy-pack-configflag and underlying implementation to apply configuration to policies. It also includes support for sending config schema to the service and using configuration from the service.The
pulumi/pulumi-policyside of the change is here: pulumi/pulumi-policy#207Fixes pulumi/pulumi-policy#185
Fixes pulumi/pulumi-policy#186
Fixes pulumi/pulumi-policy#189
Fixes pulumi/pulumi-policy#190
Part of pulumi/pulumi-policy#187
Part of pulumi/pulumi-policy#188