Pulumi Policy

The Pulumi Policy SDK for Python.

class pulumi_policy.EnforcementLevel(value)

Indicates the impact of a policy violation.

class pulumi_policy.Policy(name: str, description: str, enforcement_level: Optional[pulumi_policy.policy.EnforcementLevel, None] = None, config_schema: Optional[pulumi_policy.policy.PolicyConfigSchema, None] = None)

A policy function that returns true if a resource definition violates some policy (e.g., “no public S3 buckets”), and a set of metadata useful for generating helpful messages when the policy is violated.

Parameters
  • name (str) – An ID for the policy. Must be unique within the current policy set.

  • description (str) – A brief description of the policy rule. e.g., “S3 buckets should have default encryptionenabled.”

  • enforcement_level (Optional[EnforcementLevel]) – Indicates what to do on policy violation, e.g., block deployment but allow override with proper permissions.

  • config_schema (Optional[PolicyConfigSchema]) – This policy’s configuration schema.

name: str

An ID for the policy. Must be unique within the current policy set.

description: str

A brief description of the policy rule. e.g., “S3 buckets should have default encryption enabled.”

enforcement_level: Optional[pulumi_policy.policy.EnforcementLevel, None]

Indicates what to do on policy violation, e.g., block deployment but allow override with proper permissions.

config_schema: Optional[pulumi_policy.policy.PolicyConfigSchema, None]

This policy’s configuration schema.

class pulumi_policy.PolicyConfigSchema(properties: Dict[str, Dict[str, Any]], required: Optional[List[str], None] = None)

Represents the configuration schema for a policy.

Parameters
  • Dict[str, Any]] properties (Dict[str,) – The policy’s configuration properties.

  • required (Optional[List[str]]) – The configuration properties that are required.

properties: Dict[str, Dict[str, Any]]

The policy’s configuration properties.

required: Optional[List[str], None]

The configuration properties that are required.

class pulumi_policy.PolicyCustomTimeouts(create_seconds: float, update_seconds: float, delete_seconds: float)

Custom timeout options.

create_seconds: float

The create resource timeout.

update_seconds: float

The update resource timeout.

delete_seconds: float

The delete resource timeout.

class pulumi_policy.PolicyPack(name: str, policies: List[pulumi_policy.policy.Policy], enforcement_level: Optional[pulumi_policy.policy.EnforcementLevel, None] = None, initial_config: Optional[Dict[str, Union[pulumi_policy.policy.EnforcementLevel, Dict[str, Any]]], None] = None)

A policy pack contains one or more policies to enforce.

Parameters
  • name (str) – The name of the policy pack.

  • policies (List[Policy]) – The policies associated with a policy pack.

  • enforcement_level (Optional[EnforcementLevel]) – Indicates what to do on policy violation, e.g., block deployment but allow override with proper permissions. This is the default used for all policies in the policy pack. Individual policies can override.

  • Union['EnforcementLevel', Dict[str, Any]]]] initial_config (Optional[Dict[str,) – Initial configuration for the policy pack. Allows specifying configuration programmatically from reusable policy libraries.

class pulumi_policy.PolicyProviderResource(resource_type: str, props: Mapping[str, Any], urn: str, name: str)

Information about the provider.

resource_type: str

The type of the provider resource.

props: Mapping[str, Any]

The properties of the provider resource.

urn: str

The URN of the provider resource.

name: str

The name of the provider resource.

class pulumi_policy.PolicyResource(resource_type: str, props: Mapping[str, Any], urn: str, name: str, opts: pulumi_policy.policy.PolicyResourceOptions, provider: Optional[pulumi_policy.policy.PolicyProviderResource, None], parent: Optional[pulumi_policy.policy.PolicyResource, None], dependencies: List[pulumi_policy.policy.PolicyResource], property_dependencies: Dict[str, List[pulumi_policy.policy.PolicyResource]])

PolicyResource represents a resource in the stack.

resource_type: str

The type of the resource.

props: Mapping[str, Any]

The outputs of the resource.

urn: str

The URN of the resource.

name: str

The name of the resource.

opts: pulumi_policy.policy.PolicyResourceOptions

The options of the resource.

provider: Optional[pulumi_policy.policy.PolicyProviderResource, None]

The provider of the resource.

parent: Optional[pulumi_policy.policy.PolicyResource, None]

An optional parent that this resource belongs to.

dependencies: List[pulumi_policy.policy.PolicyResource]

The dependencies of the resource.

property_dependencies: Dict[str, List[pulumi_policy.policy.PolicyResource]]

The set of dependencies that affect each property.

class pulumi_policy.PolicyResourceOptions(protect: bool, ignore_changes: List[str], delete_before_replace: Optional[bool, None], aliases: List[str], custom_timeouts: pulumi_policy.policy.PolicyCustomTimeouts, additional_secret_outputs: List[str])

PolicyResourceOptions is the bag of settings that control a resource’s behavior.

protect: bool

When set to true, protect ensures this resource cannot be deleted.

ignore_changes: List[str]

Ignore changes to any of the specified properties.

delete_before_replace: Optional[bool, None]

When set to true, indicates that this resource should be deleted before its replacement is created when replacement is necessary.

aliases: List[str]

Additional URNs that should be aliased to this resource.

custom_timeouts: pulumi_policy.policy.PolicyCustomTimeouts

Custom timeouts for resource create, update, and delete operations.

additional_secret_outputs: List[str]

Outputs that should always be treated as secrets.

class pulumi_policy.ResourceValidationArgs(resource_type: str, props: Mapping[str, Any], urn: str, name: str, opts: pulumi_policy.policy.PolicyResourceOptions, provider: Optional[pulumi_policy.policy.PolicyProviderResource, None], config: Optional[Mapping[str, Any], None] = None)

ResourceValidationArgs is the argument bag passed to a resource validation.

get_config() → Mapping[str, Any]

Returns configuration for the policy.

resource_type: str

The type of the resource.

props: Mapping[str, Any]

The inputs of the resource.

urn: str

The URN of the resource.

name: str

The name of the resource.

opts: pulumi_policy.policy.PolicyResourceOptions

The options of the resource.

provider: Optional[pulumi_policy.policy.PolicyProviderResource, None]

The provider of the resource.

class pulumi_policy.ResourceValidationPolicy(name: str, description: str, validate: Optional[Union[Callable[[pulumi_policy.policy.ResourceValidationArgs, Callable[[str, Optional[str, None]], None]], Optional[Awaitable, None]], List[Callable[[pulumi_policy.policy.ResourceValidationArgs, Callable[[str, Optional[str, None]], None]], Optional[Awaitable, None]]]]] = None, enforcement_level: Optional[pulumi_policy.policy.EnforcementLevel, None] = None, config_schema: Optional[pulumi_policy.policy.PolicyConfigSchema, None] = None)

ResourceValidationPolicy is a policy that validates a resource definition.

Parameters
  • name (str) – An ID for the policy. Must be unique within the current policy set.

  • description (str) – A brief description of the policy rule. e.g., “S3 buckets should have default encryptionenabled.”

  • List[ResourceValidation]]] validate (Optional[Union[ResourceValidation,) – A callback function that validates if a resource definition violates a policy (e.g. “S3 buckets can’t be public”). A single callback function can be specified, or multiple functions, which are called in order.

  • enforcement_level (Optional[EnforcementLevel]) – Indicates what to do on policy violation, e.g., block deployment but allow override with proper permissions.

  • config_schema (Optional[PolicyConfigSchema]) – This policy’s configuration schema.

class pulumi_policy.StackValidationArgs(resources: List[pulumi_policy.policy.PolicyResource], config: Optional[Mapping[str, Any], None] = None)

StackValidationArgs is the argument bag passed to a stack validation.

get_config() → Mapping[str, Any]

Returns configuration for the policy.

resources: List[pulumi_policy.policy.PolicyResource]

The resources in the stack.

class pulumi_policy.StackValidationPolicy(name: str, description: str, validate: Optional[Callable[[pulumi_policy.policy.StackValidationArgs, Callable[[str, Optional[str, None]], None]], Optional[Awaitable, None]], None] = None, enforcement_level: Optional[pulumi_policy.policy.EnforcementLevel, None] = None, config_schema: Optional[pulumi_policy.policy.PolicyConfigSchema, None] = None)

StackValidationPolicy is a policy that validates a stack.

Parameters
  • name (str) – An ID for the policy. Must be unique within the current policy set.

  • description (str) – A brief description of the policy rule. e.g., “S3 buckets should have default encryptionenabled.”

  • validate (Optional[StackValidation]) – A callback function that validates if a stack violates a policy.

  • enforcement_level (Optional[EnforcementLevel]) – Indicates what to do on policy violation, e.g., block deployment but allow override with proper permissions.

  • config_schema (Optional[PolicyConfigSchema]) – This policy’s configuration schema.