def test_async_validate(self):
async def validate(args, report_violation: ReportViolation):
report_violation("first")
await asyncio.sleep(0.1)
report_violation("second")
policy = StackValidationPolicy("name", "desc", validate)
violations = run_policy(policy)
self.assertEqual(["first", "second"], violations)
return (expected.protect == actual.protect
and expected.ignore_changes == actual.ignore_changes
and expected.delete_before_replace == actual.delete_before_replace
and expected.aliases == actual.aliases
and expected.custom_timeouts.create_seconds
== actual.custom_timeouts.create_seconds
and expected.custom_timeouts.update_seconds
== actual.custom_timeouts.update_seconds
and expected.custom_timeouts.delete_seconds
== actual.custom_timeouts.delete_seconds
and expected.additional_secret_outputs
== actual.additional_secret_outputs)
PolicyPack(
name="resource-options-test-policy",
enforcement_level=EnforcementLevel.MANDATORY,
policies=[
ResourceValidationPolicy(
name="validate-resource",
description="Validates resource options during `validateResource`.",
validate=validate_resource,
),
StackValidationPolicy(
name="validate-stack",
description="Validates resource options during `validateStack`.",
validate=validate_stack,
),
],
)
def test_init_raises(self):
self.assertRaises(TypeError,
lambda: StackValidationPolicy(None, "desc", NOP))
self.assertRaises(TypeError,
lambda: StackValidationPolicy("", "desc", NOP))
self.assertRaises(TypeError,
lambda: StackValidationPolicy(1, "desc", NOP))
self.assertRaises(TypeError,
lambda: StackValidationPolicy("all", "desc", NOP))
self.assertRaises(TypeError,
lambda: StackValidationPolicy("name", None, NOP))
self.assertRaises(TypeError,
lambda: StackValidationPolicy("name", "", NOP))
self.assertRaises(TypeError,
lambda: StackValidationPolicy("name", 1, NOP))
self.assertRaises(TypeError,
lambda: StackValidationPolicy("name", "desc"))
self.assertRaises(TypeError,
lambda: StackValidationPolicy("name", "desc", None))
self.assertRaises(TypeError,
lambda: StackValidationPolicy("name", "desc", ""))
self.assertRaises(TypeError,
lambda: StackValidationPolicy("name", "desc", 1))
self.assertRaises(TypeError,
lambda: StackValidationPolicy("name", "desc", []))
self.assertRaises(TypeError,
lambda: StackValidationPolicy("name", "desc", [NOP]))
self.assertRaises(
TypeError, lambda: StackValidationPolicy("name", "desc", NOP, ""))
self.assertRaises(
TypeError, lambda: StackValidationPolicy("name", "desc", NOP, 1))
def test_init(self):
StackValidationPolicy("name", "desc", NOP)
StackValidationPolicy("name", "desc", NOP, EnforcementLevel.ADVISORY)
StackValidationPolicy("name", "desc", NOP, EnforcementLevel.MANDATORY)
StackValidationPolicy("name", "desc", NOP, EnforcementLevel.DISABLED)
verify = check
else:
raise AssertionError(f"Unexpected test_scenario {test_scenario}.")
def validate(args, report_violation):
if verify is not None:
verify(args.get_config())
PolicyPack(
name="config-policy",
enforcement_level=EnforcementLevel.MANDATORY,
policies=[
ResourceValidationPolicy(
name="resource-validation",
description="Verifies policy config during resource validation.",
validate=validate,
config_schema=schema,
),
StackValidationPolicy(
name="stack-validation",
description="Verifies policy config during stack validation.",
validate=validate,
config_schema=schema,
),
],
initial_config=initial_config,
)
for r in args.resources:
verify(r)
def verify(r):
t = r.resource_type
if t != "random:index/randomPet:RandomPet":
return
# Accessing `prefix` is expected to result in a policy violation because its value is unknown
# during previews given the associated Pulumi program.
print(r.props["prefix"])
PolicyPack(
name="unknown-values-policy",
enforcement_level=EnforcementLevel.MANDATORY,
policies=[
ResourceValidationPolicy(
name="unknown-values-resource-validation",
description="Accessing unknown values during preview results in a violation.",
validate=validate_resource,
),
StackValidationPolicy(
name="unknown-values-stack-validation",
description="Accessing unknown values during preview results in a violation.",
validate=validate_stack,
),
],
)
assert r.props["fileArchive"].path == "."
assert isinstance(r.props["assetArchive"], pulumi.AssetArchive)
assets = r.props["assetArchive"].assets
assert isinstance(assets["fileAsset"], pulumi.FileAsset)
assert assets["fileAsset"].path == "index.ts"
assert isinstance(assets["stringAsset"], pulumi.StringAsset)
assert assets["stringAsset"].text == "some text"
assert isinstance(assets["fileArchive"], pulumi.FileArchive)
assert assets["fileArchive"].path == "."
PolicyPack(
name="deserialize-policy",
enforcement_level=EnforcementLevel.MANDATORY,
policies=[
ResourceValidationPolicy(
name="resource-validation",
description=
"Verifies deserialized properties during resource validation.",
validate=validate_resource,
),
StackValidationPolicy(
name="stack-validation",
description=
"Verifies deserialized properties during stack validation.",
validate=validate_stack,
),
],
)
# Note: In the NodeJS Policy Pack, this uses the `isType` helper.
def no_randomstrings(args: StackValidationArgs,
report_violation: ReportViolation):
for r in args.resources:
if r.resource_type == "random:index/randomString:RandomString":
report_violation("RandomString resources are not allowed.")
PolicyPack(
name="validate-stack-test-policy",
enforcement_level=EnforcementLevel.MANDATORY,
policies=[
StackValidationPolicy(
name="dynamic-no-state-with-value-1",
description="Prohibits setting state to 1 on dynamic resources.",
validate=dynamic_no_state_with_value_1,
),
# More than one policy.
StackValidationPolicy(
name="dynamic-no-state-with-value-2",
description="Prohibits setting state to 2 on dynamic resources.",
validate=dynamic_no_state_with_value_2,
),
# Policy that specifies the URN of the resource violating the policy.
StackValidationPolicy(
name="dynamic-no-state-with-value-3",
description="Prohibits setting state to 3 on dynamic resources.",
validate=dynamic_no_state_with_value_3,
),
StackValidationPolicy(
def validate_resource(args, report_violation):
if validate_function_raises:
raise AssertionError("validate-resource should never be called.")
report_violation("validate-resource-violation-message")
def validate_stack(args, report_violation):
if validate_function_raises:
raise AssertionError("validate-stack should never be called.")
report_violation("validate-stack-violation-message")
PolicyPack(
name=policy_pack_name,
enforcement_level=scenario.pack,
policies=[
ResourceValidationPolicy(
name="validate-resource",
description="Always reports a resource violation.",
enforcement_level=scenario.policy,
validate=validate_resource,
),
StackValidationPolicy(
name="validate-stack",
description="Always reports a stack violation.",
enforcement_level=scenario.policy,
validate=validate_stack,
),
],
)
assert "PULUMI_TEST_STACK" in os.environ
assert get_stack() == os.environ["PULUMI_TEST_STACK"]
assert get_stack() == r.props["getStack"]
# Verify Config
assert json.dumps(CONFIG,
sort_keys=True) == json.dumps(dict(r.props["allConfig"]),
sort_keys=True)
config = Config()
value = config.require("aConfigValue")
assert value == "this value is a value"
assert aws_config.region == "us-west-2"
PolicyPack(
name="runtime-data-policy",
enforcement_level=EnforcementLevel.MANDATORY,
policies=[
ResourceValidationPolicy(
name="runtime-data-resource-validation",
description="Verifies runtime data during resource validation.",
validate=validate_resource,
),
StackValidationPolicy(
name="runtime-data-stack-validation",
description="Verifies runtime data during stack validation.",
validate=validate_stack,
),
],
)
StackValidationArgs,
StackValidationPolicy,
)
required_region = "us-west-1"
max_num_buckets = 1
def s3_region_check_validator(stack: StackValidationArgs, report_violation: ReportViolation):
for resource in stack.resources:
if resource.resource_type == "aws:s3/bucket:Bucket":
if "region" in resource.props and resource.props["region"] != required_region:
report_violation(f"Bucket, {resource.name}, must be in region {required_region}")
s3_region_check = StackValidationPolicy(
name="s3-region-check",
description= "Checks the region the bucket was deployed in.",
validate=s3_region_check_validator
)
def s3_count_check_validator(stack: StackValidationArgs, report_violation: ReportViolation):
buckets = list(filter((lambda resource: resource.resource_type == "aws:s3/bucket:Bucket"), stack.resources))
if len(buckets) > max_num_buckets:
report_violation(f"No more than {max_num_buckets} bucket(s) should be created.")
s3_count_check = StackValidationPolicy(
name="s3-count-check",
description= "Checks the number of buckets created.",
validate=s3_count_check_validator
)
PolicyPack(