- Expose options, parent, dependencies, and provider config (https://github.com/pulumi/pulumi-policy/pull/184).
- Fix issue that prevented async policies from failing as expected when using `validateResourceOfType` or
`validateStackResourcesOfType` (https://github.com/pulumi/pulumi-policy/pull/202).
- Added a top-level optional `enforcementLevel` on `PolicyPackArgs` and made `enforcementLevel` on `Policy` optional.
This allows setting the enforcement level at the Policy Pack level which will apply to all policies. Individual
policies can set their own `enforcementLevel` to override the value specified for the Policy Pack. If no enforcement
level is specified for either the Policy Pack or Policy, `"advisory"` is used.
(https://github.com/pulumi/pulumi-policy/issues/192).
- Add support for configuring policies. Policies can now declare their config schema by setting the `configSchema` property,
and access config values via `args.getConfig<T>()` (https://github.com/pulumi/pulumi-policy/pull/207).
Example:
```typescript
{
    name: "certificate-expiration",
    description: "Checks whether a certificate has expired.",
    // JSON-schema style declaration of the policy's config; `default` applies
    // when the Policy Pack is run without a value for `expiration`.
    configSchema: {
        properties: {
            expiration: {
                type: "integer",
                default: 14,
            },
        },
    },
    validateResource: (args, reportViolation) => {
        // Typed access to the resolved config (defaults merged with supplied values).
        const { expiration } = args.getConfig<{ expiration: number }>();
        // ...
    },
}
```
- Add support for writing policies in Python :tada:
(https://github.com/pulumi/pulumi-policy/pull/212).
Example:
```python
from pulumi_policy import (
    EnforcementLevel,
    PolicyPack,
    ReportViolation,
    ResourceValidationArgs,
    ResourceValidationPolicy,
)


def s3_no_public_read(args: ResourceValidationArgs, report_violation: ReportViolation):
    # Only S3 buckets with an explicit ACL are of interest; other resources pass.
    if args.resource_type == "aws:s3/bucket:Bucket" and "acl" in args.props:
        acl = args.props["acl"]
        if acl == "public-read" or acl == "public-read-write":
            report_violation("You cannot set public-read or public-read-write on an S3 bucket.")


PolicyPack(
    name="aws-policy-pack",
    # Pack-level enforcement applies to every policy that does not set its own.
    enforcement_level=EnforcementLevel.MANDATORY,
    policies=[
        ResourceValidationPolicy(
            name="s3-no-public-read",
            description="Prohibits setting the publicRead or publicReadWrite permission on AWS S3 buckets.",
            validate=s3_no_public_read,
        ),
    ],
)
```
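The two behaviours introduced above, enforcement-level precedence (policy overrides pack, default `"advisory"`) and `configSchema` defaults read back through `args.getConfig<T>()`, are shown together in the following added example. It is not code from the pulumi-policy changelog or SDK: the `Policy`/`PolicyPack` shapes, the `runPolicyPack` harness, the fixed reference time and the sample resources are all assumptions constructed here so the semantics can be exercised offline without `@pulumi/policy`.

```typescript
// Added example: a local harness mirroring the semantics described in the changelog.
// Not the pulumi-policy SDK; every type and function below is an assumption for illustration.
type EnforcementLevel = "advisory" | "mandatory" | "disabled";
type Props = Record<string, any>;
interface ConfigSchema { properties?: Record<string, { type: string; default?: unknown }> }
interface ResourceArgs { type: string; name: string; props: Props; getConfig<T>(): T }
interface Policy {
    name: string;
    description: string;
    enforcementLevel?: EnforcementLevel;
    configSchema?: ConfigSchema;
    validateResource: (args: ResourceArgs, reportViolation: (msg: string) => void) => void;
}
interface PolicyPack { name: string; enforcementLevel?: EnforcementLevel; policies: Policy[] }
interface Violation { policy: string; resource: string; level: EnforcementLevel; message: string }

// Precedence as described: the policy's own level, else the pack's, else "advisory".
export function effectiveLevel(pack: PolicyPack, policy: Policy): EnforcementLevel {
    return policy.enforcementLevel ?? pack.enforcementLevel ?? "advisory";
}

// Merge schema defaults with supplied values and reject values of the wrong JSON-schema type.
export function resolveConfig(schema: ConfigSchema | undefined, supplied: Record<string, unknown>): Record<string, unknown> {
    const out: Record<string, unknown> = {};
    for (const [key, prop] of Object.entries(schema?.properties ?? {})) {
        const value = key in supplied ? supplied[key] : prop.default;
        if (value === undefined) continue;
        const ok = prop.type === "integer" ? Number.isInteger(value)
            : prop.type === "number" ? typeof value === "number"
            : prop.type === "string" ? typeof value === "string"
            : prop.type === "boolean" ? typeof value === "boolean" : true;
        if (!ok) throw new Error(`config ${key}: expected ${prop.type}, got ${JSON.stringify(value)}`);
        out[key] = value;
    }
    return out;
}

// Run every enabled policy over every resource; each violation carries the resolved level.
export function runPolicyPack(pack: PolicyPack, resources: { type: string; name: string; props: Props }[],
                              config: Record<string, Record<string, unknown>> = {}): Violation[] {
    const violations: Violation[] = [];
    for (const policy of pack.policies) {
        const level = effectiveLevel(pack, policy);
        if (level === "disabled") continue;
        const cfg = resolveConfig(policy.configSchema, config[policy.name] ?? {});
        for (const r of resources) {
            const args: ResourceArgs = { ...r, getConfig: <T>() => cfg as unknown as T };
            policy.validateResource(args, (message) =>
                violations.push({ policy: policy.name, resource: r.name, level, message }));
        }
    }
    return violations;
}

// Constructed reference time so the expiry check is deterministic.
const FIXED_NOW = Date.parse("2020-04-01T00:00:00Z");

export const examplePack: PolicyPack = {
    name: "aws-policy-pack",
    enforcementLevel: "mandatory",
    policies: [
        {
            name: "s3-no-public-read",
            description: "Prohibits public-read and public-read-write ACLs on S3 buckets.",
            validateResource: (args, reportViolation) => {
                if (args.type === "aws:s3/bucket:Bucket" && ["public-read", "public-read-write"].includes(args.props.acl)) {
                    reportViolation("You cannot set public-read or public-read-write on an S3 bucket.");
                }
            },
        },
        {
            name: "certificate-expiration",
            description: "Flags certificates expiring within `expiration` days.",
            enforcementLevel: "advisory", // overrides the pack-level "mandatory"
            configSchema: { properties: { expiration: { type: "integer", default: 14 } } },
            validateResource: (args, reportViolation) => {
                if (args.type !== "aws:acm/certificate:Certificate") return;
                const { expiration } = args.getConfig<{ expiration: number }>();
                const daysLeft = (Date.parse(args.props.notAfter) - FIXED_NOW) / 86_400_000;
                if (daysLeft < expiration) reportViolation(`certificate expires in ${Math.floor(daysLeft)} days (threshold ${expiration})`);
            },
        },
    ],
};

// Constructed sample resources: one public bucket, one private bucket, one certificate 7 days from expiry.
export const sampleResources = [
    { type: "aws:s3/bucket:Bucket", name: "logs", props: { acl: "public-read" } },
    { type: "aws:s3/bucket:Bucket", name: "private", props: { acl: "private" } },
    { type: "aws:acm/certificate:Certificate", name: "web", props: { notAfter: "2020-04-08T00:00:00Z" } },
];
```

With no config supplied, `runPolicyPack(examplePack, sampleResources)` reports the public bucket as `mandatory` and the certificate as `advisory` (the default threshold of 14 days applies). Passing `{ "certificate-expiration": { expiration: 5 } }` drops the certificate finding, and passing a string for `expiration` is rejected by the schema check before any policy runs.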