
@pulumi/policy
Status: beta release.
Define and manage policy for cloud resources deployed through Pulumi.
Policy rules run during pulumi preview and pulumi up, asserting that cloud resource definitions comply with the policy immediately before they are created or updated. During preview, every rule is run on every resource, and policy violations are batched up into a final report. During the update, the first policy violation will halt the deployment.

Policy violations can have enforcement levels that are advisory, which results in a printed warning, or mandatory, which results in an error after pulumi preview or pulumi up complete.
In this guide, we'll show you how to install the required packages, and take a brief tour of the Policy SDK.
```shell
pulumi version # should be > v1.0.0-beta.1
cd sdk/nodejs/policy/examples/aws
yarn install
```

pulumi up with the policy pack

When you run pulumi up or pulumi preview with the --policy-pack argument, it will validate every resource you declare against the policies in the pack. preview will attempt to run all policies over all resource definitions, reporting as many policy violations as it can. During the update itself, any policy violation will cause the update to halt immediately, to protect resources.

You might not get errors if you don't have any resources that violate policy! We'll get to that soon enough.
In the previous step, you built the AWS examples policy pack. Supply the path to that directory in place of the <path-to-aws-policies> argument below.
```shell
# In the directory of a Pulumi app. Make sure @pulumi/pulumi is `latest`!
yarn upgrade @pulumi/pulumi
pulumi up --policy-pack=<path-to-aws-policies>
```
Let's write a policy that rejects unencrypted S3 buckets. The rule below uses typedRule(aws.s3.Bucket.isInstance, it => ...) to run the lambda it => ... only on S3 buckets. The rule itself uses the Node.js built-in assert.notStrictEqual to make sure the serverSideEncryptionConfiguration field is defined in the resource definition.
```typescript
import * as aws from "@pulumi/aws";
import { Policy, typedRule } from "@pulumi/policy";
import * as assert from "assert";

// Mandatory policy: an S3 bucket declared without server-side encryption fails
// the assertion, which is reported as a policy violation.
const disallowUnencryptedS3: Policy = {
    name: "disallow-unencrypted-s3",
    description: "Checks whether S3 buckets have encryption turned on.",
    enforcementLevel: "mandatory",
    // typedRule filters by resource type, so the lambda only ever sees S3 buckets.
    rules: typedRule(aws.s3.Bucket.isInstance, it => {
        assert.notStrictEqual(undefined, it.serverSideEncryptionConfiguration);
    }),
};
```
Add disallowUnencryptedS3 to the policies field of the PolicyPack in index.ts.
When you run pulumi up --policy-pack=<path> on a stack with public S3 buckets, you'll get an error if they don't have encryption enabled.
0.1.0
A framework for writing policy as code
The npm package @pulumi/policy receives a total of 48,899 weekly downloads. As such, @pulumi/policy popularity was classified as popular.
We found that @pulumi/policy demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.