Treat "remediate" stack policies as "mandatory" #339
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Stack policies cannot be remediated (resource policies can). It's possible to configure a policy pack such that all or certain policies have a certain enforcement level. This means it's currently possible to specify an enforcement level of "remediate" for a stack policy even though stack policies do not support being remediated. Currently, if a stack policy has a level of "remediate" and a violation is reported, a panic occurs in the CLI. This commit addresses this by treating stack policies with a level of "remediate" as "mandatory", similar to how "remediate" resource policies are treated as "mandatory" if the policy is still in violation after a remediation has run.
|
I feel like this ought to have an engine side fix as well. If a stack policy can't be "remediate" the engine should auto-downgrade that as well. |
|
@Frassle, here is the engine change: pulumi/pulumi#15618 |
Frassle
approved these changes
Mar 7, 2024
github-merge-queue bot
pushed a commit
to pulumi/pulumi
that referenced
this pull request
Mar 7, 2024
Policy violations should not have a remediate enforcement level. The Policy SDK currently downgrades the level from remediate to mandatory for resource policy violations, but isn't currently doing that for stack policies. A change to the Policy SDK is in-progress to do that. This change applies the same behavior to the engine. If a resource policy still has a violation after running remediations and the level is remediate, "downgrade" the level to mandatory. Similarly, if a stack policy has a violation with a remediate level, downgrade it to mandatory. This avoids a panic when getting a policy violation from a stack policy and the enforcement level is remediate. Related: pulumi/pulumi-policy#339 Fixes pulumi/pulumi-policy#332
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Stack policies cannot be remediated (resource policies can). And yet, it's possible to configure a policy pack such that all or certain policies have a certain enforcement level (enforcement levels can be configured externally, such as from a file or Pulumi Cloud). This means it's possible to specify an enforcement level of "remediate" for a stack policy, even though stack policies do not support being remediated.
Currently, if a stack policy has a level of "remediate" and a violation is reported, a panic occurs in the CLI.
This commit addresses this by treating stack policies with a level of "remediate" as "mandatory", similar to how "remediate" resource policies are treated as "mandatory" if the policy is still in violation after a remediation for the policy has run:
pulumi-policy/sdk/nodejs/policy/server.ts
Lines 218 to 222 in 3a76fdf
pulumi-policy/sdk/python/lib/pulumi_policy/policy.py
Lines 756 to 759 in 3a76fdf
Related: pulumi/pulumi#15618
Part of #332