@pulumi/policy - v1.21.0

    Interface ResourceValidationPolicy

    ResourceValidationPolicy is a policy that validates a resource definition.

    For example:

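    import * as aws from "@pulumi/aws";
    import { ResourceValidationPolicy, validateResourceOfType } from "@pulumi/policy";

    /**
     * Flags AWS S3 buckets whose canned ACL grants anonymous read (or read/write) access.
     *
     * Only the `acl` input of `aws.s3.Bucket` is inspected. Public access granted through a
     * bucket policy or a separately managed ACL resource is not covered, and the
     * `authenticated-read` ACL (readable by any AWS account) is not flagged either; pair this
     * check with further policies if those paths matter for your estate.
     */
    const s3NoPublicReadPolicy: ResourceValidationPolicy = {
        name: "s3-no-public-read",
        description: "Prohibits setting the publicRead or publicReadWrite permission on AWS S3 buckets.",
        // "mandatory" fails the update on a violation instead of only warning.
        enforcementLevel: "mandatory",
        validateResource: validateResourceOfType(aws.s3.Bucket, (bucket, args, reportViolation) => {
            // `acl` is optional; an unset ACL (the provider default) passes this check.
            if (bucket.acl === "public-read" || bucket.acl === "public-read-write") {
                reportViolation("You cannot set public-read or public-read-write on an S3 bucket.");
            }
        }),
    };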
    /**
     * A policy that validates a resource definition.
     *
     * Members inherited from `Policy` (see the hierarchy on this page) are listed inline.
     */
    interface ResourceValidationPolicy {
        /** This policy's configuration schema; read at validation time via `args.getConfig()`. */
        configSchema?: PolicyConfigSchema;
        /** A brief description of the policy rule, e.g. "S3 buckets should have default encryption enabled." */
        description: string;
        /** An optional pretty name for the policy. */
        displayName?: string;
        /**
         * What to do on a policy violation, e.g. block the deployment but allow an override
         * with proper permissions.
         */
        enforcementLevel?: EnforcementLevel;
        /** The compliance framework that this policy belongs to. */
        framework?: PolicyComplianceFramework;
        /** An ID for the policy. Must be unique within the current policy set. */
        name: string;
        /**
         * Takes a resource as input and optionally returns a remediated set of properties.
         * Remediations run prior to validations, giving the policy a chance to fix the issue
         * rather than just flag it.
         */
        remediateResource?: ResourceRemediation;
        /** A description of the steps to take to remediate a policy violation. */
        remediationSteps?: string;
        /** The severity of the policy. */
        severity?: Severity;
        /** Tags associated with the policy. */
        tags?: string[];
        /** An optional URL to more information about the policy. */
        url?: string;
        /**
         * Callback(s) that check whether a resource definition violates the policy
         * (e.g. "S3 buckets can't be public"). A single callback may be given, or several,
         * which are called in order.
         */
        validateResource?: ResourceValidation | ResourceValidation[];
    }

    Hierarchy

    • Policy
      • ResourceValidationPolicy

    Properties

    configSchema?: PolicyConfigSchema

    This policy's configuration schema.

    For example:

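    {
        configSchema: {
            properties: {
                expiration: {
                    type: "integer",
                    default: 14,
                },
                identifier: {
                    type: "string",
                },
            },
        },

        validateResource: (args, reportViolation) => {
            // The type argument to getConfig is erased at compile time; rely on
            // `configSchema` above (types, defaults, required keys) to constrain the
            // values actually supplied to the policy pack, not on this annotation.
            const { expiration, identifier } = args.getConfig<{ expiration: number; identifier?: string; }>();

            // ...
        },
    }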
    description: string

    A brief description of the policy rule. e.g., "S3 buckets should have default encryption enabled."

    displayName?: string

    An optional pretty name for the policy.

    enforcementLevel?: EnforcementLevel

    Indicates what to do on policy violation, e.g., block deployment but allow override with proper permissions.

    framework?: PolicyComplianceFramework

    The compliance framework that this policy belongs to.

    name: string

    An ID for the policy. Must be unique within the current policy set.

    remediateResource?: ResourceRemediation

    Takes a resource as input and optionally returns a remediated set of properties. Remediations run prior to validations, and give a policy a chance to fix the issue rather than just flag it.

    remediationSteps?: string

    A description of the steps to take to remediate a policy violation.

    severity?: Severity

    The severity of the policy.

    tags?: string[]

    Tags associated with the policy.

    url?: string

    An optional URL to more information about the policy.

    validateResource?: ResourceValidation | ResourceValidation[]

    A callback function that checks whether a resource definition violates a policy (e.g. "S3 buckets can't be public"). A single callback function can be specified, or multiple functions, which are called in order.