Policy pack configuration using policy enable cmd

[sean1588]

Issue #3756

Support adding policy pack configuration through CLI by specifying a policy configuration json file.

Example cmd:

pulumi policy enable {orgName}/{policyPackName} --config config.json --version={version}

Right now all policy pack config validation is being done server side. Maybe if we feel there would be an advantage to doing config validation on the client we can move to that at some point, but I believe we would have to request the schema from the server anyway, so either way we would need to make an additional api call. I feel we can revisit this at some point if need be. We can always do a follow up PR if we feel doing validation client side is necessary.

[ekrengel]

Since the changelog is actually used for our releases, we may want to clarify this. "Add support for enabling Policy Packs with configuration" ... or something to that effect.

[justinvp]

Rather than having this function here, I am wondering if we should call the same function we use to load local config specified to the --policy-pack-config flag of pulumi up/preview/watch.

pulumi/pkg/resource/analyzer/config.go

Lines 31 to 37 in 61928f0

	func LoadPolicyPackConfigFromFile(file string) (map[string]plugin.AnalyzerPolicyConfig, error) {
	b, err := ioutil.ReadFile(file)
	if err != nil {
	return nil, err
	}
	return parsePolicyPackConfig(b)
	}

That way we have consistent behavior of loading local policy config from a file.

This existing function does some validation of the EnforcementLevel values, and also, as a convenience, allows specifying enforcement level for a policy like:

{
    "some-policy": "advisory"
}

Rather than having to specify it like:

{
    "some-policy": {
        "enforcementLevel": "advisory"
    }
}

This would require adding some code to convert map[string]plugin.AnalyzerPolicyConfig to map[string]*json.RawMessage. Probably the easiest way to do that is to loop through the map and json.Marshal each plugin.AnalyzerPolicyConfig value to bytes. The bytes can then be cast to json.RawMessage. Similar to what's done here:

pulumi/pkg/backend/httpstate/client/client.go

Lines 633 to 641 in c28c602

	properties := map[string]*json.RawMessage{}
	for k, v := range schema.Properties {
	bytes, err := json.Marshal(v)
	if err != nil {
	return nil, err
	}
	raw := json.RawMessage(bytes)
	properties[k] = &raw
	}

[sean1588]

Ok. I will leverage that function so we can use the validations it has and then just convert the types.

[ekrengel]

Some comments.. ALSO thinking we should definitely add a pulumi policy validate-config command to allow people to validate config before enabling. You can open another issue if you dont want to do it as part of this?

[ekrengel]

I think we talked about have one Policy Pack using an older version of the policy repo to ensure backwards compatibility.. is there a reason you changed your mind?

[sean1588]

nope, was actually just a miss on my part. the only way I could get this to work was just to add another test policy pack directory with the old version of the policy sdk. Not sure how far back in versions you want to test, so I just used the version that we were using for the tests before I made these changes. I also just made a completely different test case with all the old existing tests, since the set of commands we were using in the test I believe are only backwards compatible not forwards compatible with the changes, so I had to keep a lot of the old commands that we were testing with previously as well, for example the way we were specifying pp versions.

[ekrengel]

nit: I think type, minLength and maxLength do not need to be quotes & may make this look cleaner.

[ekrengel]

I think when running a policy-pack locally there is a different flag name used for the config file. Should we use the same here for consistency?

[justinvp]

For pulumi preview/up/watch, the flag is --policy-pack-config. Since this command is already about policies, I think we can leave off the policy-pack prefix, and just use --config.

[ekrengel]

Since this is in a generic util file, maybe be more specific about its use in the comment? Or just move it to the pkg/cmd/policy_enable.go file. I dont think its used anywhere else?

[sean1588]

Ok, I went ahead and relocated to policy_enable.co and then leveraged the function justin is suggesting since it does some validations.

[justinvp]

Nit:

Suggested change

	"s3-no-public-read":{
	"s3-no-public-read": {

[justinvp]

Nit:

Suggested change

	"enforcementLevel":"mandatory",
	"enforcementLevel": "mandatory",

[justinvp]

Nit:

Suggested change

	"message":"this message is invalid because it is way more than 10 characters......"
	"message": "this message is invalid because it is way more than 10 characters......"

[justinvp]

Nit:

Suggested change

	"all":{
	"all": {

[justinvp]

Nit:

Suggested change

	"enforcementLevel":"advisory"
	"enforcementLevel": "advisory"

[justinvp]

Nit:

Suggested change

	"enforcementLevel":"mandatory",
	"enforcementLevel": "mandatory",

[justinvp]

Nit:

Suggested change

	"message":"test msg"
	"message": "test msg"

[justinvp]

I don't think we can just marshal v directly.

Doing so results in JSON like:

{"EnforcementLevel":"mandatory","Properties":{"foo":"bar"}}

The value needs to be converted into the format expected by the service. Something like:

func marshalAnalyzerPolicyConfig(c AnalyzerPolicyConfig) (*json.RawMessage, error) {
	m := make(map[string]interface{})
	for k, v := range c.Properties {
		m[k] = v
	}
	if c.EnforcementLevel != "" {
		m["enforcementLevel"] = c.EnforcementLevel
	}
	bytes, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	raw := json.RawMessage(bytes)
	return &raw, nil
}

Which will result in:

{"enforcementLevel":"mandatory","foo":"bar"}

I created a Go Playground to demonstrate: https://play.golang.org/p/L8GYTzTAsOR

[sean1588]

Correct, I noticed it structured the configurable values under the Properties key. Thanks for adding that code snippet btw. I updated to convert the values.

[sean1588]

OK, this is ready for a re-review. I made a few changes since last review:

1. I updated the code to load the policy config to use the function in the resource analyzer package that Justin suggested so that we could leverage some of the validations it had. This also involved doing some conversion to convert the type being returned from that function to what the api service was expecting.

2. I also added the tests to test for backwards compatibility with other versions of the policy sdk. The only way I could reasonably do this is by adding another test policy pack directory with the old version. We could probably do this in a way that we could dynamically manipulate this through code at runtime and have only one test policy pack, but it ended up being a PITA and not worth the time because we need to also generate the index.ts file as well that is compatible with that particular version of the sdk. I also a specific test case with all the old tests for that specific version and just copied over all the old tests we were running prior to the change. I needed to retain the old commands because they are only backwards compatible not forwards. It looks like a lot of changes and the test code could be dry-ed up to some degree but would probably make them less readable and hard to follow, so I think its best not to IMO and just leave as is.

[ekrengel]

wondering if it makes more sense to call this dir policy_pack_w_config since the version is probably meaningless to most people?

[sean1588]

Agreed, that's a more meaningful name. will update

[ekrengel]

Same with naming here.

[ekrengel]

Lets change naming here too

[ekrengel]

Policy Pack

[ekrengel]

Hmm not sure how this is working, but don't you normally have to use make for a map? 🤔

[sean1588]

It is equivalent to initalizing an empty map using make. Only difference is not including the curly braces at the end when using the make function. make(map[string]*json.RawMessage).

[sean1588]

Using make seems to be the more consistent pattern for us from a quick glance in our code base. So went and just changed to using make while I was in there. 😃

[justinvp]

One suggestion about deleting a commented-out line, and aside from Erin's feedback, LGTM.

[justinvp]

Suggested change

// config, err = loadJSONConfigFile(args.configFile)

[sean1588]

lol... sorry. completely missed that. will make change.