Document practices for writing Pulumi Policies for Dynamic Providers #14437

@interurban

As noted by Aledade, users leveraging Dynamic Providers in Pulumi need guidance on writing Policy Packs (SCPs) to validate or enforce rules on these resources. Currently, there is no documentation on handling dynamic provider resources in Pulumi policies, leading to confusion—especially since all dynamic resources share the same resource_type (pulumi-python:dynamic:Resource).

/docs/policy/authoring-policies.md
Add an example policy showing how to infer which dynamic provider is in use based on its properties.

Clarify that all dynamic resources share the same resource_type and that policy logic must differentiate them using properties.

/docs/iac/concepts/resources/dynamic-providers.md (https://www.pulumi.com/docs/iac/concepts/resources/dynamic-providers/)

Add a note explaining that Pulumi Policy Packs can evaluate dynamic resources but require additional filtering logic, i.e.:

```python
from pulumi_policy import ReportViolation, ResourceValidationArgs, ResourceValidationPolicy

# Example policy that checks dynamic provider resources.
def env_dynprov_check(args: ResourceValidationArgs, report_violation: ReportViolation):
    # Look for dynamic providers, then infer that this is the "environment" dynamic
    # provider because it has a property called "environment_name".
    if args.resource_type == "pulumi-python:dynamic:Resource" and "environment_name" in args.props:
        environment_name = args.props["environment_name"]
        if environment_name != "myTestEnv":
            # The message names the same value the comparison above expects.
            report_violation(
                f"Environment name must be myTestEnv. But received: {environment_name}"
            )

dyn_prov_policy = ResourceValidationPolicy(
    name="dyn_prov_policy",
    description="Checks stuff for dynamic providers",
    validate=env_dynprov_check,
)
```
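An added example (not part of the original issue or of Pulumi's documentation) that generalizes the policy above to several dynamic providers and reports a violation when a dynamic resource matches no known property signature or more than one, so unrecognized dynamic resources do not pass unchecked. The `dns_record` provider, its properties, the `.internal` rule and the `run` harness are hypothetical; the resource is a stand-in object so the logic runs without `pulumi_policy` installed.

```python
from types import SimpleNamespace

DYNAMIC_TYPE = "pulumi-python:dynamic:Resource"  # type string quoted in the issue

# Hypothetical signatures: property names that identify each dynamic provider.
SIGNATURES = {
    "environment": {"environment_name"},
    "dns_record": {"zone", "record_name"},
}

def classify(props):
    """Return every signature name whose keys are all present in props."""
    return sorted(name for name, keys in SIGNATURES.items() if keys.issubset(props))

def check_environment(props):
    name = props["environment_name"]
    return [] if name == "myTestEnv" else [f"Environment name must be myTestEnv, got {name!r}"]

def check_dns_record(props):  # hypothetical rule for the hypothetical provider
    zone = str(props["zone"])
    return [] if zone.endswith(".internal") else [f"zone {zone!r} is not an internal zone"]

CHECKS = {"environment": check_environment, "dns_record": check_dns_record}

def dynamic_resource_check(args, report_violation):
    """Same (args, report_violation) shape as the validate callback in the issue."""
    if args.resource_type != DYNAMIC_TYPE:
        return  # not a dynamic resource; other policies handle it
    matches = classify(args.props)
    if len(matches) != 1:
        # Fail closed: an unknown or ambiguous dynamic resource is a violation,
        # instead of being skipped because no property check applied to it.
        report_violation(
            f"Cannot identify dynamic provider from properties {sorted(args.props)} "
            f"(matched: {matches})"
        )
        return
    for message in CHECKS[matches[0]](args.props):
        report_violation(message)

def run(resource_type, props):
    """Constructed harness: collect the violations reported for one resource."""
    violations = []
    args = SimpleNamespace(resource_type=resource_type, props=props)
    dynamic_resource_check(args, violations.append)
    return violations
```

In a real Policy Pack, `dynamic_resource_check` would be passed as `validate=` to `ResourceValidationPolicy`, as in the issue's snippet.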

Labels

- area/docs: Improvements or additions to documentation
- kind/enhancement: Improvements or new features
- resolution/fixed: This issue was fixed
