- API changes to enable new types of policies (i.e. validating all resource in a stack) and passing
additional information to validation functions (https://github.com/pulumi/pulumi-policy/pull/131).
- `Policy.rules` is now `ResourceValidationPolicy.validateResource`.
- `typedRule` is now `validateTypedResource`.
- Policy violations are now reported through a `reportViolation` callback, rather than using asserts.
- A new `StackValidationPolicy` policy type is available for defining policies that check all resources
in a stack.
- Validation functions can now be async and return `Promise<void>`.
Example:
typescript
new PolicyPack("aws-policy-pack", {
policies: [{
name: "s3-no-public-read",
description: "Prohibits setting the publicRead or publicReadWrite permission on AWS S3 buckets.",
enforcementLevel: "mandatory",
validateResource: validateTypedResource(aws.s3.Bucket, (bucket, args, reportViolation) => {
if (bucket.acl === "public-read" || bucket.acl === "public-read-write") {
reportViolation(
"You cannot set public-read or public-read-write on an S3 bucket. " +
"Read more about ACLs here: https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html");
}
}),
}],
});
- Allow policies to deal with Pulumi secret values
(https://github.com/pulumi/pulumi-policy/pull/115).