auto generate deployment policy #939

Merged
merged 1 commit into from
Feb 28, 2024

jhsinger-klotho
Contributor

Ability to produce a basic deployment policy for the architecture

  • Because we don't have ARNs we cannot limit the resource field, but as we add tags to resources we can add conditional based rules to all of our policies and start to narrow down more

Added test cases to the functional tests

Standard checks

  • Unit tests: Any special considerations?
  • Docs: Do we need to update any docs, internal or public?
  • Backwards compatibility: Will this break existing apps? If so, what would be the extra work required to keep them working?

@@ -439,6 +440,20 @@ func (em *EngineMain) RunEngine(cmd *cobra.Command, args []string) (exitCode int
},
)

if architectureEngineCfg.provider == "aws" {
polictBytes, err := aws.DeploymentPermissionsPolicy(context.Solutions[0])
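
Review bot: `polictBytes` in the new `aws` branch looks like a typo for `policyBytes`; renaming it here keeps the misspelling out of the lines that consume it. The same line indexes `context.Solutions[0]`, and no length check is visible in this hunk, so confirm an earlier guard guarantees at least one solution or add one before the call.
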
Contributor

Since this is based on provider-agnostic fields on the templates, can this be run for everything?

Edit: I guess it needs the aws:iam_policy which is provider specific. Hm... I guess this is alright, I can't think of anything better but still feels "icky" 😄

Contributor Author

It's run on the entire architecture, but the function only considers permissions. I think it's fair to have some provider-specific post-processing.

@@ -0,0 +1,118 @@
{
"Statement": [
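
Review bot: this new expected-output policy is 118 lines for a single test architecture, and nothing at the top of the file ties it to a size check. IAM caps a managed policy at 6,144 characters (whitespace excluded), so consider having the functional test assert the generated document's size next to the golden-file comparison, so growth shows up in CI rather than at deploy time.
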
Contributor

Will we run into any size limits with these?

Contributor Author

Yeah, I'm sure we will at some point, but I figure we will have to try to solve that if it comes up.
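
The two constraints discussed in this PR (no ARNs, so `Resource` stays `*`, and the policy size limit), as an added example that is not code from this repository: it merges the actions an architecture needs into one Allow statement and splits the result into several documents once the IAM managed-policy quota of 6,144 characters would be exceeded. The names `render` and `DeploymentPolicies`, the flat action-list input and the greedy split are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// IAM quota for a managed policy, in characters; whitespace is not counted.
const managedPolicyLimit = 6144

// render returns compact policy JSON (no whitespace, so len() is the size IAM
// counts). Resource is "*" because no ARNs exist before deployment.
func render(actions []string) string {
	b, _ := json.Marshal(map[string]any{"Version": "2012-10-17", "Statement": []any{
		map[string]any{"Effect": "Allow", "Action": actions, "Resource": "*"}}})
	return string(b) // Marshal cannot fail for these types
}

// DeploymentPolicies sorts and dedupes the actions an architecture needs
// (hypothetical input), then packs them greedily into documents <= limit.
func DeploymentPolicies(actions []string, limit int) ([]string, error) {
	all := append([]string(nil), actions...)
	sort.Strings(all) // deterministic output for golden-file tests
	var out, cur []string
	for i, a := range all {
		if i > 0 && a == all[i-1] {
			continue // duplicate action
		}
		if len(render([]string{a})) > limit {
			return nil, fmt.Errorf("action %q alone exceeds limit %d", a, limit)
		}
		if len(render(append(cur, a))) > limit { // full: flush and start anew
			out, cur = append(out, render(cur)), nil
		}
		cur = append(cur, a)
	}
	if len(cur) > 0 {
		out = append(out, render(cur))
	}
	return out, nil
}

func main() {
	// Constructed sample: actions collected from two resources.
	docs, err := DeploymentPolicies([]string{"s3:CreateBucket", "iam:PassRole",
		"lambda:CreateFunction", "iam:PassRole"}, managedPolicyLimit)
	fmt.Println(len(docs), err, docs)
}
```

Splitting keeps every document under the quota but does not narrow what is granted; each piece still allows its actions on all resources until tag conditions or ARNs are available.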

@jhsinger-klotho jhsinger-klotho merged commit 18cc396 into main Feb 28, 2024
6 checks passed
@jhsinger-klotho jhsinger-klotho deleted the deployment_policy branch February 28, 2024 17:50