Interface ResourceValidationPolicy

ResourceValidationPolicy is a policy that validates a resource definition.

For example:

    import * as aws from "@pulumi/aws";
    import { validateResourceOfType } from "@pulumi/policy";

    const s3NoPublicReadPolicy: ResourceValidationPolicy = {
        name: "s3-no-public-read",
        description: "Prohibits setting the publicRead or publicReadWrite permission on AWS S3 buckets.",
        enforcementLevel: "mandatory",
        validateResource: validateResourceOfType(aws.s3.Bucket, (bucket, args, reportViolation) => {
            if (bucket.acl === "public-read" || bucket.acl === "public-read-write") {
                reportViolation("You cannot set public-read or public-read-write on an S3 bucket.");
            }
        }),
    };
interface ResourceValidationPolicy {
    configSchema?: PolicyConfigSchema;
    description: string;
    enforcementLevel?: EnforcementLevel;
    name: string;
    remediateResource?: ResourceRemediation;
    validateResource?: ResourceValidation | ResourceValidation[];
}

Hierarchy

  • Policy
    • ResourceValidationPolicy

Properties

configSchema?: PolicyConfigSchema

This policy's configuration schema.

For example:

    {
        configSchema: {
            properties: {
                expiration: {
                    type: "integer",
                    default: 14,
                },
                identifier: {
                    type: "string",
                },
            },
        },

        validateResource: (args, reportViolation) => {
            // Typed configuration values are read from the schema above; `expiration` falls back to its default of 14.
            const { expiration, identifier } = args.getConfig<{ expiration: number; identifier?: string; }>();

            // ...
        },
    }
description: string

A brief description of the policy rule, e.g., "S3 buckets should have default encryption enabled."

enforcementLevel?: EnforcementLevel

Indicates what to do on policy violation, e.g., block deployment but allow override with proper permissions.

name: string

An ID for the policy. Must be unique within the current policy set.

remediateResource?: ResourceRemediation

Takes a resource as input and optionally returns a remediated set of properties. Remediations run prior to validations, and give a policy a chance to fix the issue rather than just flag it.

validateResource?: ResourceValidation | ResourceValidation[]

A callback function that validates whether a resource definition violates a policy (e.g. "S3 buckets can't be public"). A single callback function can be specified, or multiple functions, which are called in order.
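The evaluation order the properties above describe (remediateResource runs first, then each validateResource callback in turn, with args.getConfig supplying values declared in configSchema), as an added example that is not part of the @pulumi/policy package: it uses locally defined stand-in types and a small evaluate() driver so it runs without Pulumi installed, and the resource type token, bucket properties and config values are constructed for illustration.

```typescript
// Constructed stand-ins for the @pulumi/policy types (assumed shapes, not the package's own).
type Config = { expiration: number; identifier?: string };
type Args = { type: string; props: Record<string, any>; getConfig: <T>() => T };
type Validation = (args: Args, reportViolation: (msg: string) => void) => void;
type Remediation = (args: Args) => Record<string, any> | undefined;
interface Policy {
  name: string;
  description: string;
  enforcementLevel?: "advisory" | "mandatory";
  configSchema?: { properties: Record<string, { type: string; default?: unknown }> };
  remediateResource?: Remediation;
  validateResource?: Validation | Validation[];
}

const isBucket = (a: Args) => a.type === "aws:s3/bucket:Bucket";

const s3BucketPolicy: Policy = {
  name: "s3-no-public-read-with-expiration",
  description: "S3 buckets must not be public and must expire objects.",
  enforcementLevel: "mandatory",
  configSchema: { properties: { expiration: { type: "integer", default: 14 } } },
  // Remediation runs before validation: fill in a missing lifecycle expiration from config.
  remediateResource: (args) => {
    if (!isBucket(args) || args.props.lifecycleRules) return undefined;
    const { expiration } = args.getConfig<Config>();
    return { ...args.props, lifecycleRules: [{ enabled: true, expiration: { days: expiration } }] };
  },
  // Validations run after remediation, in array order; each reports independently.
  validateResource: [
    (args, report) => {
      const acl = args.props.acl;
      if (isBucket(args) && (acl === "public-read" || acl === "public-read-write")) {
        report("You cannot set public-read or public-read-write on an S3 bucket.");
      }
    },
    (args, report) => {
      if (isBucket(args) && !args.props.lifecycleRules) report("S3 bucket has no lifecycle expiration.");
    },
  ],
};

// Minimal driver mimicking the evaluation order: remediate, then run validators, collecting violations.
function evaluate(policy: Policy, type: string, props: Record<string, any>, config: Config) {
  const mk = (p: Record<string, any>): Args => ({ type, props: p, getConfig: <T>() => config as unknown as T });
  const remediated = policy.remediateResource?.(mk(props)) ?? props;
  const v = policy.validateResource;
  const validators = Array.isArray(v) ? v : v ? [v] : [];
  const violations: string[] = [];
  for (const validate of validators) validate(mk(remediated), (m) => violations.push(m));
  return { props: remediated, violations };
}
```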

Generated using TypeDoc