
Include all the input properties (the default value if not specified) in the global input variable for policy checking #9

Open
XuejiaoZhang opened this issue Sep 5, 2021 · 1 comment
Labels
kind/enhancement Improvements or new features

Comments

XuejiaoZhang commented Sep 5, 2021

OPA policy written

For example, here is the input variable of an S3 Bucket resource:
[mandatory] s3 v0.0.1 deny (aws:s3/bucket:Bucket: my-bucket)
input: {"acl": "private", "bucket": "my-bucket-395bxxx", "forceDestroy": false}

Here is the input variable of an EBS Volume resource:
[mandatory] s3 v0.0.1 deny (aws:ebs/volume:Volume: example)
input: {"tags": {"Name": "HelloWorld"}, "availabilityZone": "us-east-1a", "size": 40}

I was expecting all the input properties of S3 Bucket and all the input properties of EBS Volume to be included in the input variable, but it seems only the configurations specified in the definition of the resource are shown. If the properties that are not specified could be included with their default values, it would help to write policies.

@XuejiaoZhang XuejiaoZhang added the kind/enhancement Improvements or new features label Sep 5, 2021
@XuejiaoZhang XuejiaoZhang changed the title Include more information in the global input variable for policy checking Include all the input properties (include the default value if not specified) in the global input variable for policy checking Sep 5, 2021
@XuejiaoZhang XuejiaoZhang changed the title Include all the input properties (include the default value if not specified) in the global input variable for policy checking Include all the input properties (the default value if not specified) in the global input variable for policy checking Sep 5, 2021
leezen commented Sep 14, 2021

This makes sense. For your particular use case, would using stack validation be a potential workaround? https://www.pulumi.com/docs/guides/crossguard/core-concepts/#resource-validation-vs-stack-validation -- at this point, the outputs are available so the values you'd be interested in should be inspectable (admittedly, the resource will have been created, but in some use cases, this might be fine).
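The following is an added example, not code from the pulumi-policy-opa project or from either commenter. It models in plain TypeScript the gap described in this issue and the workaround suggested above: a resource-validation check sees only the properties explicitly set in the program (the EBS input from the issue, which never sets `encrypted`), while a stack-validation check runs over outputs, where the provider has already applied defaults. The `encrypted` property, the URN, the output value and the `ResourceArgs`/`ReportViolation` shapes are assumptions chosen for the illustration; the shapes loosely follow @pulumi/policy's `PolicyResource` and `ReportViolation` but are defined locally so the file runs without the package.

```typescript
// Added example: not from pulumi-policy-opa or this issue's authors.
// Compares what a policy sees at resource-validation time (inputs, with
// omitted properties absent) against stack-validation time (outputs, with
// provider defaults filled in). Types below are local stand-ins for the
// @pulumi/policy shapes, not the SDK's own definitions.

type Props = Record<string, unknown>;

interface ResourceArgs {
  type: string;
  name: string;
  urn: string;
  props: Props;
}

type ReportViolation = (message: string, urn?: string) => void;

// Naive resource check: flags a volume only when `encrypted` is explicitly false.
// Because an omitted property is simply absent from the input (the behaviour
// reported in this issue), a volume that never sets `encrypted` passes even
// though the provider default leaves it unencrypted.
function naiveVolumeCheck(args: ResourceArgs, report: ReportViolation): void {
  if (args.type !== "aws:ebs/volume:Volume") return;
  if (args.props.encrypted === false) {
    report("EBS volume must be encrypted", args.urn);
  }
}

// Hardened resource check: treats absence as a violation, so the policy does
// not silently rely on a default value it cannot observe in the input.
function strictVolumeCheck(args: ResourceArgs, report: ReportViolation): void {
  if (args.type !== "aws:ebs/volume:Volume") return;
  if (args.props.encrypted !== true) {
    report("EBS volume must set encrypted: true explicitly", args.urn);
  }
}

// Stack-level check (the workaround suggested in the thread): runs over the
// resources' outputs, where an omitted `encrypted` appears as a concrete value.
function stackVolumeCheck(resources: ResourceArgs[], report: ReportViolation): void {
  for (const r of resources) {
    if (r.type !== "aws:ebs/volume:Volume") continue;
    if (r.props.encrypted !== true) {
      report(`EBS volume ${r.name} is not encrypted`, r.urn);
    }
  }
}

// Collects violations into an array instead of printing them.
function collect(run: (report: ReportViolation) => void): string[] {
  const out: string[] = [];
  run((message, urn) => out.push(urn ? `${urn}: ${message}` : message));
  return out;
}

// Constructed sample input mirroring the EBS example in the issue: `encrypted`
// was never specified in the program, so it is missing from the input.
const volumeInput: ResourceArgs = {
  type: "aws:ebs/volume:Volume",
  name: "example",
  urn: "urn:pulumi:dev::demo::aws:ebs/volume:Volume::example", // constructed URN
  props: { tags: { Name: "HelloWorld" }, availabilityZone: "us-east-1a", size: 40 },
};

// Constructed output for the same resource after creation: the provider's
// default is now a concrete value (false assumed here; verify against the provider).
const volumeOutput: ResourceArgs = {
  ...volumeInput,
  props: { ...volumeInput.props, encrypted: false },
};

// Runs all three checks against the constructed data and returns the violations.
function demo(): { naive: string[]; strict: string[]; stack: string[] } {
  return {
    naive: collect((r) => naiveVolumeCheck(volumeInput, r)),   // empty: the gap
    strict: collect((r) => strictVolumeCheck(volumeInput, r)), // one violation
    stack: collect((r) => stackVolumeCheck([volumeOutput], r)), // one violation
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The practical takeaway for policy authors until inputs carry defaults: write resource-level rules so that a missing property is itself a violation (the `strictVolumeCheck` pattern), or move the check to stack validation, accepting that the resource will already exist when the violation is reported, as noted above.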
