Pulumi-policy

- Increase the MaxCallRecvMsgSize for all RPC calls
(https://github.com/pulumi/pulumi-policy/pull/239).

- Add Python support for policy configuration
(https://github.com/pulumi/pulumi-policy/pull/246).

- Replace `grpc` with `grpc/grpc-js` and upgrade dependencies to 2.0
(https://github.com/pulumi/pulumi-policy/pull/235).

- Remove deprecated `validateTypedResource` helper. Use `validateResourceOfType` instead.
(https://github.com/pulumi/pulumi-policy/pull/227).

- Expose options, parent, dependencies, and provider config (https://github.com/pulumi/pulumi-policy/pull/184).

- Fix issue that prevented async policies from failing as expected when using `validateResourceOfType` or
`validateStackResourcesOfType` (https://github.com/pulumi/pulumi-policy/pull/202).

- Added a top-level optional `enforcementLevel` on `PolicyPackArgs` and made `enforcementLevel` on `Policy` optional.
This allows setting the enforcement level at the Policy Pack level which will apply to all policies. Individual
policies can set their own `enforcementLevel` to override the value specified for the Policy Pack. If no enforcement
level is specified for either the Policy Pack or Policy, `"advisory"` is used.
(https://github.com/pulumi/pulumi-policy/issues/192).

- Add support for configuring policies. Policies can now declare their config schema by setting the `config` property,
and access config values via `args.getConfig<T>()` (https://github.com/pulumi/pulumi-policy/pull/207).

Example:

typescript
{
name: "certificate-expiration",
description: "Checks whether a certificate has expired.",
configSchema: {
properties: {
expiration: {
type: "integer",
default: 14,
},
},
},
validateResource: (args, reportViolation) => {
const { expiration } = args.getConfig<{ expiration: number }>();

// ...
}),
}


- Add support for writing policies in Python :tada:
(https://github.com/pulumi/pulumi-policy/pull/212).

Example:

python
def s3_no_public_read(args: ResourceValidationArgs, report_violation: ReportViolation):
if args.resource_type == "aws:s3/bucket:Bucket" and "acl" in args.props:
acl = args.props["acl"]
if acl == "public-read" or acl == "public-read-write":
report_violation("You cannot set public-read or public-read-write on an S3 bucket.")

PolicyPack(
name="aws-policy-pack",
enforcement_level=EnforcementLevel.MANDATORY,
policies=[
ResourceValidationPolicy(
name="s3-no-public-read",
description="Prohibits setting the publicRead or publicReadWrite permission on AWS S3 buckets.",
validate=s3_no_public_read,
),
],
)

- Add support for using `Config`, `getProject()`, `getStack()`, and `isDryRun()` from Policy Packs
via upgraded dependency on `pulumi/pulumi` v1.8.0 (requires v1.8.0 or later of the Pulumi SDK) (https://github.com/pulumi/pulumi-policy/pull/169).

- Provide easier type checking for `validateStack`, along with `isType` and `asType` helper functions
(https://github.com/pulumi/pulumi-policy/pull/173).

Example:

typescript
{
validateStack: validateStackResourcesOfType(aws.s3.Bucket, (buckets, args, reportViolation) => {
for (const bucket of buckets) {
// ...
}
}),
}


- `validateTypedResource` is now deprecated in favor of `validateResourceOfType`. `validateTypedResource`
will be removed in an upcoming version. (https://github.com/pulumi/pulumi-policy/pull/173).

- Attempting to access an unknown property value during previews from a stack validation callback now results
in an advisory violation like what happens when doing the same from a resource validation callback
(https://github.com/pulumi/pulumi-policy/pull/180).

- Add `"disabled"` to `EnforcementLevel` to disable policies
(https://github.com/pulumi/pulumi-policy/pull/156).
- Add resource `urn` and `name` properties along with support for reporting the URN associated with
a stack validation policy violation (https://github.com/pulumi/pulumi-policy/pull/151).