├── .github
    ├── CODEOWNERS
    └── workflows
    │   ├── artifact-cleanup.yml
    │   ├── command-dispatch.yml
    │   ├── main.yml
    │   ├── pull-request.yml
    │   ├── release.yml
    │   └── run-acceptance-tests.yml
├── .gitignore
├── CHANGELOG.md
├── CODE-OF-CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── Makefile
├── README.md
├── build
    └── common.mk
├── design
    ├── 01-nouns.md
    └── 02-policy-validation.md
├── scripts
    ├── promote.js
    ├── publish_packages.sh
    └── reversion.js
├── sdk
    ├── nodejs
    │   └── policy
    │   │   ├── .eslintrc.js
    │   │   ├── Makefile
    │   │   ├── deserialize.ts
    │   │   ├── index.ts
    │   │   ├── package.json
    │   │   ├── policy.ts
    │   │   ├── protoutil.ts
    │   │   ├── proxy.ts
    │   │   ├── schema.ts
    │   │   ├── secret.ts
    │   │   ├── server.ts
    │   │   ├── tests
    │   │       ├── deserialize.spec.ts
    │   │       ├── pb.spec.ts
    │   │       ├── policy.spec.ts
    │   │       ├── proxy.spec.ts
    │   │       └── util.ts
    │   │   ├── tsconfig.json
    │   │   └── version.ts
    └── python
    │   ├── .gitignore
    │   ├── .pylintrc
    │   ├── Makefile
    │   ├── Pipfile
    │   ├── lib
    │       ├── pulumi_policy
    │       │   ├── __init__.py
    │       │   ├── deserialize.py
    │       │   ├── policy.py
    │       │   ├── proxy.py
    │       │   ├── pulumi-plugin.json
    │       │   ├── py.typed
    │       │   ├── secret.py
    │       │   └── version.py
    │       ├── setup.py
    │       └── test
    │       │   ├── __init__.py
    │       │   ├── test_config.py
    │       │   ├── test_deserialize.py
    │       │   ├── test_policy.py
    │       │   └── test_proxy.py
    │   └── mypy.ini
└── tests
    └── integration
        ├── config
            ├── policy-pack-python
            │   ├── PulumiPolicy.yaml
            │   ├── __main__.py
            │   └── requirements.txt
            ├── policy-pack
            │   ├── PulumiPolicy.yaml
            │   ├── index.ts
            │   ├── package.json
            │   └── tsconfig.json
            └── program
            │   ├── Pulumi.yaml
            │   ├── index.ts
            │   ├── package.json
            │   └── tsconfig.json
        ├── deserialize
            ├── policy-pack-python
            │   ├── PulumiPolicy.yaml
            │   ├── __main__.py
            │   └── requirements.txt
            ├── policy-pack
            │   ├── PulumiPolicy.yaml
            │   ├── index.ts
            │   ├── package.json
            │   └── tsconfig.json
            └── program
            │   ├── Pulumi.yaml
            │   ├── index.ts
            │   ├── package.json
            │   ├── resource.ts
            │   └── tsconfig.json
        ├── enforcementlevel
            ├── policy-pack-python
            │   ├── PulumiPolicy.yaml
            │   ├── __main__.py
            │   └── requirements.txt
            ├── policy-pack
            │   ├── PulumiPolicy.yaml
            │   ├── index.ts
            │   ├── package.json
            │   └── tsconfig.json
            └── program
            │   ├── Pulumi.yaml
            │   ├── index.ts
            │   ├── package.json
            │   └── tsconfig.json
        ├── go.mod
        ├── go.sum
        ├── integration_test.go
        ├── invalid_policy
            ├── policy-pack
            │   ├── PulumiPolicy.yaml
            │   ├── index.ts
            │   ├── package.json
            │   └── tsconfig.json
            └── program
            │   ├── Pulumi.yaml
            │   ├── index.ts
            │   ├── package.json
            │   └── tsconfig.json
        ├── parent_dependencies
            ├── policy-pack-python
            │   ├── PulumiPolicy.yaml
            │   └── __main__.py
            ├── policy-pack
            │   ├── PulumiPolicy.yaml
            │   ├── index.ts
            │   ├── package.json
            │   └── tsconfig.json
            └── program
            │   ├── Pulumi.yaml
            │   ├── index.ts
            │   ├── package.json
            │   ├── resource.ts
            │   └── tsconfig.json
        ├── provider
            ├── policy-pack-python
            │   ├── PulumiPolicy.yaml
            │   ├── __main__.py
            │   └── requirements.txt
            ├── policy-pack
            │   ├── PulumiPolicy.yaml
            │   ├── index.ts
            │   ├── package.json
            │   └── tsconfig.json
            └── program
            │   ├── Pulumi.yaml
            │   ├── index.ts
            │   ├── package.json
            │   ├── resource.ts
            │   └── tsconfig.json
        ├── remote_component
            ├── policy-pack-python
            │   ├── PulumiPolicy.yaml
            │   ├── __main__.py
            │   └── requirements.txt
            ├── policy-pack
            │   ├── PulumiPolicy.yaml
            │   ├── index.ts
            │   ├── package.json
            │   └── tsconfig.json
            ├── program
            │   ├── Pulumi.yaml
            │   ├── component.ts
            │   ├── index.ts
            │   └── package.json
            └── testcomponent
            │   ├── go.mod
            │   ├── go.sum
            │   ├── main.go
            │   ├── pulumi-resource-testcomponent
            │   ├── pulumi-resource-testcomponent.cmd
            │   └── pulumiTypes.go
        ├── resource_options
            ├── policy-pack-python
            │   ├── PulumiPolicy.yaml
            │   ├── __main__.py
            │   └── requirements.txt
            ├── policy-pack
            │   ├── PulumiPolicy.yaml
            │   ├── index.ts
            │   ├── package.json
            │   └── tsconfig.json
            └── program
            │   ├── Pulumi.yaml
            │   ├── index.ts
            │   ├── package.json
            │   ├── resource.ts
            │   └── tsconfig.json
        ├── runtime_data
            ├── policy-pack-python
            │   ├── PulumiPolicy.yaml
            │   ├── __main__.py
            │   └── requirements.txt
            ├── policy-pack
            │   ├── PulumiPolicy.yaml
            │   ├── index.ts
            │   ├── package.json
            │   └── tsconfig.json
            └── program
            │   ├── Pulumi.yaml
            │   ├── index.ts
            │   ├── package.json
            │   ├── resource.ts
            │   └── tsconfig.json
        ├── unknown_values
            ├── policy-pack-python
            │   ├── PulumiPolicy.yaml
            │   ├── __main__.py
            │   └── requirements.txt
            ├── policy-pack
            │   ├── PulumiPolicy.yaml
            │   ├── index.ts
            │   ├── package.json
            │   └── tsconfig.json
            └── program
            │   ├── Pulumi.yaml
            │   ├── index.ts
            │   ├── package.json
            │   └── tsconfig.json
        ├── validate_python_resource
            ├── policy-pack-python
            │   ├── PulumiPolicy.yaml
            │   └── __main__.py
            ├── policy-pack
            │   ├── PulumiPolicy.yaml
            │   ├── index.ts
            │   ├── package.json
            │   └── tsconfig.json
            └── program
            │   ├── .gitignore
            │   ├── Pulumi.yaml
            │   ├── __main__.py
            │   └── requirements.txt
        ├── validate_resource
            ├── policy-pack-python
            │   ├── PulumiPolicy.yaml
            │   └── __main__.py
            ├── policy-pack
            │   ├── PulumiPolicy.yaml
            │   ├── index.ts
            │   ├── package.json
            │   └── tsconfig.json
            └── program
            │   ├── Pulumi.yaml
            │   ├── index.ts
            │   ├── package.json
            │   ├── resource.ts
            │   └── tsconfig.json
        └── validate_stack
            ├── policy-pack-python
                ├── PulumiPolicy.yaml
                └── __main__.py
            ├── policy-pack
                ├── PulumiPolicy.yaml
                ├── index.ts
                ├── package.json
                └── tsconfig.json
            └── program
                ├── Pulumi.yaml
                ├── index.ts
                ├── package.json
                ├── resource.ts
                └── tsconfig.json


/.github/CODEOWNERS:
--------------------------------------------------------------------------------
1 | * @pulumi/platform
2 | 


--------------------------------------------------------------------------------
/.github/workflows/artifact-cleanup.yml:
--------------------------------------------------------------------------------
 1 | jobs:
 2 |   remove-old-artifacts:
 3 |     runs-on: ubuntu-latest
 4 |     steps:
 5 |       - name: Remove old artifacts
 6 |         uses: c-hive/gha-remove-artifacts@v1
 7 |         with:
 8 |           age: 1 month
 9 |           skip-tags: true
10 | name: cleanup
11 | "on":
12 |   schedule:
13 |     - cron: 0 1 1 * *
14 | 


--------------------------------------------------------------------------------
/.github/workflows/command-dispatch.yml:
--------------------------------------------------------------------------------
 1 | name: command-dispatch-for-testing
 2 | on:
 3 |   issue_comment:
 4 |     types: [created, edited]
 5 | 
 6 | jobs:
 7 |   command-dispatch-for-testing:
 8 |     runs-on: ubuntu-latest
 9 |     steps:
10 |       - uses: actions/checkout@v2
11 |       - name: Run Build
12 |         uses: peter-evans/slash-command-dispatch@v2
13 |         with:
14 |           token: ${{ secrets.PULUMI_BOT_TOKEN }}
15 |           reaction-token: ${{ secrets.GITHUB_TOKEN }}
16 |           commands: run-acceptance-tests
17 |           permission: write
18 |           issue-type: pull-request
19 |           repository: pulumi/pulumi-policy
20 | 


--------------------------------------------------------------------------------
/.github/workflows/main.yml:
--------------------------------------------------------------------------------
  1 | env:
  2 |   AWS_REGION: us-west-2
  3 |   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  4 |   GO111MODULE: "on"
  5 |   NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
  6 |   NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  7 |   PROVIDER: policy
  8 |   PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  9 |   PULUMI_API: https://api.pulumi-staging.io
 10 |   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
 11 |   PYPI_USERNAME: __token__
 12 |   PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
 13 |   VERSION: ${{ github.event.client_payload.ref }}
 14 | jobs:
 15 |   lint:
 16 |     name: lint
 17 |     runs-on: ubuntu-latest
 18 |     steps:
 19 |       - name: Set up Go ${{ matrix.go-version }}
 20 |         uses: actions/setup-go@v4
 21 |         with:
 22 |           go-version: ${{ matrix.go-version }}
 23 |       - name: Set up Python ${{ matrix.python-version }}
 24 |         uses: actions/setup-python@v4
 25 |         with:
 26 |           python-version: ${{ matrix.python-version }}
 27 |       - name: Set up Node
 28 |         uses: actions/setup-node@v3
 29 |         with:
 30 |           node-version: ${{matrix.node-version}}
 31 |           registry-url: https://registry.npmjs.org
 32 |       - name: Install pipenv
 33 |         run: |
 34 |           python -m pip install --upgrade pipenv pip requests wheel urllib3 chardet
 35 |       - name: Install pulumictl
 36 |         uses: jaxxstorm/action-install-gh-release@v1.5.0
 37 |         with:
 38 |           repo: pulumi/pulumictl
 39 |       - name: Checkout Repo
 40 |         uses: actions/checkout@v2
 41 |       - name: Unshallow clone for tags
 42 |         run: git fetch --prune --unshallow --tags
 43 |       - name: Install Yarn
 44 |         run: curl -o- -L https://yarnpkg.com/install.sh | bash -s -- --version 1.13.0
 45 |       - name: Ensure
 46 |         run: |
 47 |           make ensure
 48 |       - name: Lint Node
 49 |         run: |
 50 |           cd sdk/nodejs/policy && make lint
 51 |       - name: Lint Python
 52 |         run: |
 53 |           cd sdk/python && make lint
 54 |     strategy:
 55 |       fail-fast: true
 56 |       matrix:
 57 |         platform: [ ubuntu-latest ]
 58 |         go-version: [ 1.21.x ]
 59 |         python-version: [ 3.9.x ]
 60 |         node-version: [ 18.x ]
 61 |   build_test_publish:
 62 |     name: Build, Test, and Publish
 63 |     runs-on: ubuntu-latest
 64 |     steps:
 65 |       - name: Checkout Repo
 66 |         uses: actions/checkout@v2
 67 |       - name: Unshallow clone for tags
 68 |         run: git fetch --prune --unshallow --tags
 69 |       - name: Install Go
 70 |         uses: actions/setup-go@v4
 71 |         with:
 72 |           go-version: ${{ matrix.go-version }}
 73 |       - name: Install pulumictl
 74 |         uses: jaxxstorm/action-install-gh-release@v1.5.0
 75 |         with:
 76 |           repo: pulumi/pulumictl
 77 |       - name: Install Pulumi CLI
 78 |         uses: pulumi/actions@v4
 79 |         with:
 80 |           pulumi-version: ">=3.157.0"
 81 |       - name: Setup Node
 82 |         uses: actions/setup-node@v3
 83 |         with:
 84 |           node-version: ${{matrix.node-version}}
 85 |           registry-url: https://registry.npmjs.org
 86 |       - name: Setup Python
 87 |         uses: actions/setup-python@v4
 88 |         with:
 89 |           python-version: ${{matrix.python-version}}
 90 |       - name: Install pipenv
 91 |         run: |
 92 |           python -m pip install --upgrade pipenv pip requests wheel urllib3 chardet twine
 93 |       - name: Ensure dependencies
 94 |         run: make ensure
 95 |       - name: Checkout Scripts Repo
 96 |         uses: actions/checkout@v2
 97 |         with:
 98 |           path: ci-scripts
 99 |           repository: pulumi/scripts
100 |       - name: Configure AWS Credentials
101 |         uses: aws-actions/configure-aws-credentials@v1
102 |         with:
103 |           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
104 |           aws-region: ${{ env.AWS_REGION }}
105 |           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
106 |           role-duration-seconds: 3600
107 |           role-session-name: ${{ env.PROVIDER }}@githubActions
108 |           role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
109 |       - name: Build SDK
110 |         run: make only_build
111 |       - name: Check worktree clean
112 |         run: ./ci-scripts/ci/check-worktree-is-clean
113 |       - name: Run Unit Tests
114 |         run: make only_test_fast
115 |       - name: Run Integration Tests
116 |         run: make test_all
117 |       - name: Publish
118 |         run: make publish_packages
119 |       - name: Trigger Docs Build
120 |         run: |
121 |           ./ci-scripts/ci/build-package-docs.sh "policy"
122 |         env:
123 |           TRAVIS: true
124 |           PULUMI_BOT_GITHUB_API_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
125 |           TRAVIS_TAG: ${{ env.VERSION }}
126 |     strategy:
127 |       fail-fast: true
128 |       matrix:
129 |         platform: [ ubuntu-latest ]
130 |         go-version: [ 1.21.x ]
131 |         python-version: [ 3.9.x ]
132 |         node-version: [ 18.x ]
133 | name: main
134 | "on":
135 |   push:
136 |     branches:
137 |       - main
138 |     paths-ignore:
139 |       - CHANGELOG.md
140 |     tags-ignore:
141 |       - v*
142 |       - sdk/*
143 |       - '**'
144 | 


--------------------------------------------------------------------------------
/.github/workflows/pull-request.yml:
--------------------------------------------------------------------------------
 1 | name: pull-request
 2 | "on":
 3 |   pull_request_target:
 4 | 
 5 | env:
 6 |   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 7 | 
 8 | jobs:
 9 |   comment-on-pr:
10 |     # We only care about commenting on a PR if the PR is from a fork
11 |     if: github.event.pull_request.head.repo.full_name != github.repository
12 |     runs-on: ubuntu-latest
13 |     steps:
14 |       - uses: actions/checkout@v2
15 |       - name: Comment PR
16 |         uses: thollander/actions-comment-pull-request@v2
17 |         with:
18 |           message: |
19 |             PR is now waiting for a maintainer to run the acceptance tests. This PR will only perform build and linting.
20 |             **Note for the maintainer:** To run the acceptance tests, please comment */run-acceptance-tests* on the PR
21 |           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
22 | 


--------------------------------------------------------------------------------
/.github/workflows/release.yml:
--------------------------------------------------------------------------------
  1 | env:
  2 |   AWS_REGION: us-west-2
  3 |   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  4 |   GO111MODULE: "on"
  5 |   NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
  6 |   NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  7 |   PROVIDER: policy
  8 |   PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  9 |   PULUMI_API: https://api.pulumi-staging.io
 10 |   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
 11 |   PYPI_USERNAME: __token__
 12 |   PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
 13 |   VERSION: ${{ github.event.client_payload.ref }}
 14 | jobs:
 15 |   lint:
 16 |     name: lint
 17 |     runs-on: ubuntu-latest
 18 |     steps:
 19 |       - name: Set up Go ${{ matrix.go-version }}
 20 |         uses: actions/setup-go@v4
 21 |         with:
 22 |           go-version: ${{ matrix.go-version }}
 23 |       - name: Set up Python ${{ matrix.python-version }}
 24 |         uses: actions/setup-python@v4
 25 |         with:
 26 |           python-version: ${{ matrix.python-version }}
 27 |       - name: Set up Node
 28 |         uses: actions/setup-node@v3
 29 |         with:
 30 |           node-version: ${{matrix.node-version}}
 31 |           registry-url: https://registry.npmjs.org
 32 |       - name: Install pipenv
 33 |         run: |
 34 |           python -m pip install --upgrade pipenv pip requests wheel urllib3 chardet
 35 |       - name: Install pulumictl
 36 |         uses: jaxxstorm/action-install-gh-release@v1.5.0
 37 |         with:
 38 |           repo: pulumi/pulumictl
 39 |       - name: Checkout Repo
 40 |         uses: actions/checkout@v2
 41 |       - name: Unshallow clone for tags
 42 |         run: git fetch --prune --unshallow --tags
 43 |       - name: Install Yarn
 44 |         run: curl -o- -L https://yarnpkg.com/install.sh | bash -s -- --version 1.13.0
 45 |       - name: Ensure
 46 |         run: |
 47 |           make ensure
 48 |       - name: Lint Node
 49 |         run: |
 50 |           cd sdk/nodejs/policy && make lint
 51 |       - name: Lint Python
 52 |         run: |
 53 |           cd sdk/python && make lint
 54 |     strategy:
 55 |       fail-fast: true
 56 |       matrix:
 57 |         platform: [ ubuntu-latest ]
 58 |         go-version: [ 1.21.x ]
 59 |         python-version: [ 3.9.x ]
 60 |         node-version: [ 18.x ]
 61 |   build_test_publish:
 62 |     name: Build, Test, and Publish
 63 |     runs-on: ubuntu-latest
 64 |     steps:
 65 |       - name: Checkout Repo
 66 |         uses: actions/checkout@v2
 67 |       - name: Unshallow clone for tags
 68 |         run: git fetch --prune --unshallow --tags
 69 |       - name: Install Go
 70 |         uses: actions/setup-go@v4
 71 |         with:
 72 |           go-version: ${{ matrix.go-version }}
 73 |       - name: Install pulumictl
 74 |         uses: jaxxstorm/action-install-gh-release@v1.5.0
 75 |         with:
 76 |           repo: pulumi/pulumictl
 77 |       - name: Install Pulumi CLI
 78 |         uses: pulumi/actions@v4
 79 |         with:
 80 |           pulumi-version: ">=3.157.0"
 81 |       - name: Setup Node
 82 |         uses: actions/setup-node@v3
 83 |         with:
 84 |           node-version: ${{matrix.node-version}}
 85 |           registry-url: https://registry.npmjs.org
 86 |       - name: Setup Python
 87 |         uses: actions/setup-python@v4
 88 |         with:
 89 |           python-version: ${{matrix.python-version}}
 90 |       - name: Install pipenv
 91 |         run: |
 92 |           python -m pip install --upgrade pipenv pip requests wheel urllib3 chardet twine
 93 |       - name: Ensure dependencies
 94 |         run: make ensure
 95 |       - name: Checkout Scripts Repo
 96 |         uses: actions/checkout@v2
 97 |         with:
 98 |           path: ci-scripts
 99 |           repository: pulumi/scripts
100 |       - name: Build SDK
101 |         run: make only_build
102 |       - name: Check worktree clean
103 |         run: ./ci-scripts/ci/check-worktree-is-clean
104 |       - name: Run Unit Tests
105 |         run: make only_test_fast
106 |       - name: Run Integration Tests
107 |         run: make test_all
108 |       - name: Publish
109 |         run: make publish_packages
110 |       - name: Trigger Docs Build
111 |         run: |
112 |           ./ci-scripts/ci/build-package-docs.sh "policy"
113 |         env:
114 |           TRAVIS: true
115 |           PULUMI_BOT_GITHUB_API_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
116 |           TRAVIS_TAG: ${{ env.VERSION }}
117 |     strategy:
118 |       fail-fast: true
119 |       matrix:
120 |         platform: [ ubuntu-latest ]
121 |         go-version: [ 1.21.x ]
122 |         python-version: [ 3.9.x ]
123 |         node-version: [ 18.x ]
124 | name: release
125 | "on":
126 |   push:
127 |     tags:
128 |       - v*.*.*
129 | 


--------------------------------------------------------------------------------
/.github/workflows/run-acceptance-tests.yml:
--------------------------------------------------------------------------------
  1 | env:
  2 |   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  3 |   GO111MODULE: "on"
  4 |   NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
  5 |   NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  6 |   PROVIDER: policy
  7 |   PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  8 |   PULUMI_API: https://api.pulumi-staging.io
  9 |   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
 10 |   PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
 11 | jobs:
 12 |   comment-notification:
 13 |     # We only care about adding the result to the PR if it's a repository_dispatch event
 14 |     if: github.event_name == 'repository_dispatch'
 15 |     runs-on: ubuntu-latest
 16 |     steps:
 17 |       - name: Create URL to the run output
 18 |         id: vars
 19 |         run: echo run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID >> "$GITHUB_OUTPUT"
 20 |       - name: Update with Result
 21 |         uses: peter-evans/create-or-update-comment@v1
 22 |         with:
 23 |           token: ${{ secrets.GITHUB_TOKEN }}
 24 |           repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
 25 |           issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
 26 |           body: |
 27 |             Please view the PR build - ${{ steps.vars.outputs.run-url }}
 28 |   lint:
 29 |     name: lint
 30 |     runs-on: ubuntu-latest
 31 |     steps:
 32 |       - name: Set up Go ${{ matrix.go-version }}
 33 |         uses: actions/setup-go@v4
 34 |         with:
 35 |           go-version: ${{ matrix.go-version }}
 36 |       - name: Set up Python ${{ matrix.python-version }}
 37 |         uses: actions/setup-python@v4
 38 |         with:
 39 |           python-version: ${{ matrix.python-version }}
 40 |       - name: Set up Node
 41 |         uses: actions/setup-node@v3
 42 |         with:
 43 |           node-version: ${{matrix.node-version}}
 44 |           registry-url: https://registry.npmjs.org
 45 |       - name: Install pipenv
 46 |         run: |
 47 |           python -m pip install --upgrade pipenv pip requests wheel urllib3 chardet
 48 |       - name: Install pulumictl
 49 |         uses: jaxxstorm/action-install-gh-release@v1.5.0
 50 |         with:
 51 |           repo: pulumi/pulumictl
 52 |       - name: Checkout Repo
 53 |         uses: actions/checkout@v2
 54 |       - name: Unshallow clone for tags
 55 |         run: git fetch --prune --unshallow --tags
 56 |       - name: Install Yarn
 57 |         run: curl -o- -L https://yarnpkg.com/install.sh | bash -s -- --version 1.13.0
 58 |       - name: Ensure
 59 |         run: |
 60 |           make ensure
 61 |       - name: Lint Node
 62 |         run: |
 63 |           cd sdk/nodejs/policy && make lint
 64 |       - name: Lint Python
 65 |         run: |
 66 |           cd sdk/python && make lint
 67 |     strategy:
 68 |       fail-fast: true
 69 |       matrix:
 70 |         platform: [ ubuntu-latest ]
 71 |         go-version: [ 1.21.x ]
 72 |         python-version: [ 3.9.x ]
 73 |         node-version: [ 18.x ]
 74 |   build_and_test:
 75 |     name: Build and Test SDK
 76 |     runs-on: ${{ matrix.platform }}
 77 |     if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository
 78 |     steps:
 79 |       - name: Checkout Repo
 80 |         uses: actions/checkout@v2
 81 |         with:
 82 |           ref: ${{ env.PR_COMMIT_SHA }}
 83 |       - name: Unshallow clone for tags
 84 |         run: git fetch --prune --unshallow --tags
 85 |       - name: Install Go
 86 |         uses: actions/setup-go@v4
 87 |         with:
 88 |           go-version: ${{ matrix.go-version }}
 89 |       - name: Install pulumictl
 90 |         uses: jaxxstorm/action-install-gh-release@v1.5.0
 91 |         with:
 92 |           repo: pulumi/pulumictl
 93 |       - name: Install Pulumi CLI
 94 |         uses: pulumi/actions@v4
 95 |         with:
 96 |           pulumi-version: ">=3.157.0"
 97 |       - name: Setup Node
 98 |         uses: actions/setup-node@v3
 99 |         with:
100 |           node-version: ${{matrix.node-version}}
101 |           registry-url: https://registry.npmjs.org
102 |       - name: Setup Python
103 |         uses: actions/setup-python@v4
104 |         with:
105 |           python-version: ${{matrix.python-version}}
106 |       - name: Install pipenv
107 |         run: |
108 |           python -m pip install --upgrade pipenv pip requests wheel urllib3 chardet
109 |       - name: Ensure dependencies
110 |         run: make ensure
111 |       - name: Checkout Scripts Repo
112 |         uses: actions/checkout@v2
113 |         with:
114 |           path: ci-scripts
115 |           repository: pulumi/scripts
116 |       - name: Build SDK
117 |         run: make only_build
118 |       - name: Check worktree clean
119 |         run: ./ci-scripts/ci/check-worktree-is-clean
120 |       - name: Run Unit Tests
121 |         run: make only_test_fast
122 |       - name: Run Integration Tests
123 |         run: make test_all
124 |     strategy:
125 |       fail-fast: true
126 |       matrix:
127 |         platform: [ ubuntu-latest ]
128 |         go-version: [ 1.21.x ]
129 |         python-version: [ 3.9.x ]
130 |         node-version: [ 18.x ]
131 | name: Run Acceptance Tests from PR
132 | on:
133 |   repository_dispatch:
134 |     types: [run-acceptance-tests-command]
135 |   pull_request:
136 |     branches:
137 |       - main
138 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | .pulumi
 2 | **/bin/
 3 | **/node_modules/
 4 | vendor/
 5 | **/Pulumi.*.yaml
 6 | **/yarn-error.log
 7 | **/yarn.lock
 8 | .idea
 9 | **/Pipfile.lock
10 | ci-scripts
11 | 


--------------------------------------------------------------------------------
/CODE-OF-CONDUCT.md:
--------------------------------------------------------------------------------
 1 | # Contributor Covenant Code of Conduct
 2 | 
 3 | ## Our Pledge
 4 | 
 5 | In the interest of fostering an open and welcoming environment, we as
 6 | contributors and maintainers pledge to making participation in our project and
 7 | our community a harassment-free experience for everyone, regardless of age, body
 8 | size, disability, ethnicity, gender identity and expression, level of experience,
 9 | education, socio-economic status, nationality, personal appearance, race,
10 | religion, or sexual identity and orientation.
11 | 
12 | ## Our Standards
13 | 
14 | Examples of behavior that contributes to creating a positive environment
15 | include:
16 | 
17 | * Using welcoming and inclusive language
18 | * Being respectful of differing viewpoints and experiences
19 | * Gracefully accepting constructive criticism
20 | * Focusing on what is best for the community
21 | * Showing empathy towards other community members
22 | 
23 | Examples of unacceptable behavior by participants include:
24 | 
25 | * The use of sexualized language or imagery and unwelcome sexual attention or
26 |   advances
27 | * Trolling, insulting/derogatory comments, and personal or political attacks
28 | * Public or private harassment
29 | * Publishing others' private information, such as a physical or electronic
30 |   address, without explicit permission
31 | * Other conduct which could reasonably be considered inappropriate in a
32 |   professional setting
33 | 
34 | ## Our Responsibilities
35 | 
36 | Project maintainers are responsible for clarifying the standards of acceptable
37 | behavior and are expected to take appropriate and fair corrective action in
38 | response to any instances of unacceptable behavior.
39 | 
40 | Project maintainers have the right and responsibility to remove, edit, or
41 | reject comments, commits, code, wiki edits, issues, and other contributions
42 | that are not aligned to this Code of Conduct, or to ban temporarily or
43 | permanently any contributor for other behaviors that they deem inappropriate,
44 | threatening, offensive, or harmful.
45 | 
46 | ## Scope
47 | 
48 | This Code of Conduct applies both within project spaces and in public spaces
49 | when an individual is representing the project or its community. Examples of
50 | representing a project or community include using an official project e-mail
51 | address, posting via an official social media account, or acting as an appointed
52 | representative at an online or offline event. Representation of a project may be
53 | further defined and clarified by project maintainers.
54 | 
55 | ## Enforcement
56 | 
57 | Instances of abusive, harassing, or otherwise unacceptable behavior may be
58 | reported by contacting the project team at code-of-conduct@pulumi.com. All
59 | complaints will be reviewed and investigated and will result in a response that
60 | is deemed necessary and appropriate to the circumstances. The project team is
61 | obligated to maintain confidentiality with regard to the reporter of an incident.
62 | Further details of specific enforcement policies may be posted separately.
63 | 
64 | Project maintainers who do not follow or enforce the Code of Conduct in good
65 | faith may face temporary or permanent repercussions as determined by other
66 | members of the project's leadership.
67 | 
68 | ## Attribution
69 | 
70 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
71 | available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
72 | 
73 | [homepage]: https://www.contributor-covenant.org
74 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # Contributing
 2 | 
 3 | ## Changelog
 4 | 
 5 | The changelog in this repo is managed manually in the `CHANGELOG.md` file.
 6 | PRs with a notable change should include an entry in the `HEAD (Unreleased)`
 7 | section of the file.
 8 | 
 9 | ## Releasing
10 | 
11 | To release a new version of `pulumi-policy`, update the `CHANGELOG.md` file,
12 | moving all items from the `HEAD (Unreleased)` section to a new section with
13 | the new version number. Once this is merged, a new version will be published
14 | when a tag of the form `v*.*.*` is pushed to the repo. To push the tag,
15 | ask the `@release-bot` in the internal Pulumi Slack channel `#release-ops`
16 | to do a release, for example:
17 | 
18 | ```
19 | @release-bot release pulumi-policy minor
20 | ```
21 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | PROJECT_NAME := policy
 2 | SUB_PROJECTS := sdk/nodejs/policy sdk/python
 3 | include build/common.mk
 4 | 
 5 | .PHONY: ensure
 6 | ensure::
 7 | 	# Golang dependencies for the integration tests.
 8 | 	cd ./tests/integration && go mod download && go mod tidy
 9 | 
10 | .PHONY: publish_packages
11 | publish_packages:
12 | 	$(call STEP_MESSAGE)
13 | 	./scripts/publish_packages.sh
14 | 
15 | .PHONY: test_all
16 | test_all::
17 | 	cd ./tests/integration && go test . -v -timeout 30m
18 | 
19 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | ![Build Status](https://github.com/pulumi/pulumi-policy/actions/workflows/main.yml/badge.svg)
 2 | 
 3 | # Pulumi Policy SDK
 4 | 
 5 | ## Overview
 6 | 
 7 | Define and manage policy for cloud resources deployed through Pulumi.
 8 | 
 9 | Policy rules run during `pulumi preview` and `pulumi up`, asserting that cloud resource definitions
10 | comply with the policy immediately before they are created or updated. Policies may optionally define
11 | remediations that automatically fix policy violations rather than issue warnings.
12 | 
13 | During `preview`, every rule is run on every resource, and policy violations are batched up
14 | into a final report. During the update, the first policy violation will halt the deployment.
15 | 
16 | Policy violations can have enforcement levels that are **advisory**, which results in a printed
17 | warning, or **mandatory**, which results in an error after `pulumi preview` or `pulumi up` completes.
18 | The enforcement level **remediate** is stronger than both and enables automatic remediations.
19 | 
20 | ## Getting Started
21 | 
22 | Please see [Get Started with Policy as Code](https://www.pulumi.com/docs/get-started/crossguard/) to get
23 | started authoring and enforcing policies.
24 | 
25 | ## Documentation
26 | 
27 | For additional documentation, guides, best practices, and FAQs, see [Policy as Code](https://www.pulumi.com/docs/guides/crossguard/).
28 | 
29 | ## Examples
30 | 
31 | Looking for examples? Please refer to the [examples repo](https://github.com/pulumi/examples/tree/master/policy-packs).
32 | 
33 | ## Languages
34 | 
35 | Policies can be written in TypeScript/JavaScript (Node.js) or Python and can be applied to Pulumi stacks written in any language.
36 | 
37 | |    | Language | Status |
38 | | -- | -------- | ------ |
39 | | <img src="https://www.pulumi.com/logos/tech/logo-ts.png" height=38 />     | [TypeScript](./sdk/nodejs) | Stable      |
40 | | <img src="https://www.pulumi.com/logos/tech/logo-js.png" height=38 />     | [JavaScript](./sdk/nodejs) | Stable      |
41 | | <img src="https://www.pulumi.com/logos/tech/logo-python.png" height=38 /> | [Python](./sdk/python)     | Preview     |
42 | | <img src="https://www.pulumi.com/logos/tech/dotnet.png" height=38 />      | .NET                       | Coming Soon |
43 | | <img src="https://www.pulumi.com/logos/tech/logo-golang.png" height=38 /> | Go                         | Coming Soon |
44 | 


--------------------------------------------------------------------------------
/design/02-policy-validation.md:
--------------------------------------------------------------------------------
  1 | # Policy validation API by example
  2 | 
  3 | In this text, we'll talk generally about the sequence of API calls required to validate a resource
  4 | against a bunch of policies, and to push information about validation failures to the Pulumi
  5 | service. As we will see, this contains two API boundaries: the gRPC API for the analyzer API (which
  6 | validates resources against the policies), and the Pulumi service API for receiving policy
  7 | violations.
  8 | 
  9 | ## Step 1: The Analyzer API
 10 | 
 11 | The `StepGenerator`, broadly, is in charge of taking events from the running Pulumi program and
 12 | turning them into goal states and operations that Pulumi is supposed to drive towards.
 13 | 
 14 | Before any step can be executed, the goal state for the given resource must be validated against the
 15 | current analyzers (in this case including a `PolicyPack`).
 16 | 
 17 | Thus, the first API boundary we cross is the interface between the `StepGenerator` and the analyzer
 18 | plugins. This section will describe this API.
 19 | 
 20 | ### `PolicyPack` is registered
 21 | 
 22 | The engine will lazily load the analyzer plugins as they are needed. Policies are implemented as
 23 | analyzer plugins, using the `PolicyPack` abstraction. The `PolicyPack` will start a gRPC server that
 24 | can respond to `Analyze(...)` RPC calls.
 25 | 
 26 | The code looks like this:
 27 | 
 28 | ```typescript
 29 | const policies = new PolicyPack("k8s-sec-rules", {
 30 |     policies: [
 31 |         {
 32 |             name: "no-public-services",
 33 |             description: "No Kubernetes Service objects should have type `LoadBalancer`",
 34 |             message:
 35 |                 "Security team requires all publicly-exposed services to go through audit and approval "
 36 |             tags: ["security"],
 37 |             enforcementLevel: "mandatory",
 38 |             rule: (type, svc) => {
 39 |                 return type === "kubernetes:core/v1:Service" && svc.type === "LoadBalancer";
 40 |             },
 41 |         },
 42 |     ],
 43 | });
 44 | ```
 45 | 
 46 | ### `Analyze(...)` is called
 47 | 
 48 | When `RegisterResource` is called, the Pulumi engine will call the `Analyze(...)` RPC on each
 49 | analyzer -- in this case, there is just one analyzer, and it contains the `PolicyPack`.
 50 | 
 51 | The raw RPC request (i.e., beneath all the sugar) will look something like this:
 52 | 
 53 | ```javascript
 54 | // Request
 55 | {
 56 |     Type: "kubernetes:core/v1:Service",
 57 |     Properties: { kind: "Service", apiVersion: "v1", ... },
 58 | }
 59 | ```
 60 | 
 61 | The policy registered in the previous step will receive this property bag and validate it. In the
 62 | event of a failure, we would get the following response back.
 63 | 
 64 | ```javascript
 65 | // Response: list of policy violations
 66 | {
 67 |     Diagnostics: [{
 68 |         ID:               "k8s-sec-rules/no-public-services",
 69 |         Description:      "No Kubernetes Service objects should have type `LoadBalancer`",
 70 |         Message:          "Security team requires all publicly-exposed services to go through audit and approval ",
 71 |         Tags:             ["security"],
 72 |         EnforcementLevel: "mandatory", // Technically, gRPC implements this field as an enum.
 73 |     }],
 74 | }
 75 | ```
 76 | 
 77 | Note that this response does not contain the URN of the resource. In general, analyzer plugins don’t
 78 | know about URNs -- since the `StepGenerator` invoked `Analyze(...)`, it keeps track of the
 79 | additional metadata needed to communicate with the Pulumi service about what resources failed.
 80 | 
 81 | In the next section, we will see that the `StepGenerator` takes this diagnostic information and
 82 | marshals it into an _event_ representing a policy violation, which the Pulumi service can
 83 | understand.
 84 | 
 85 | ## Step 2: The Pulumi service events API
 86 | 
 87 | As we mentioned in the previous section, when the `StepGenerator` calls `Analyze(...)` on a
 88 | particular goal state, it receives back only enough information to know that the goal state is
 89 | invalid. To make this useful to the Pulumi service, it must now convert this response into an
 90 | _event_ that contains enough information that the Pulumi service can understand it.
 91 | 
 92 | Thus, the second API boundary we reach is the event sink boundary.
 93 | 
 94 | ### Results of `Analyze` are turned into a policy violation event
 95 | 
 96 | The response `Analyze` returned in the last step is converted by the `StepGenerator` into the
 97 | following event. Notably, it now contains:
 98 | 
 99 | 1. The URN of the resource that failed validation
100 | 1. The ID of the policy (taking the form `<policy-pack-name>/<policy-name>`)
101 | 1. Information useful for printing and colorizing the message
102 | 
103 | > NOTE: If there were multiple policy violations, they would be "rendered" as multiple policy
104 | > violation events, and each individually sent to the Pulumi service.
105 | 
106 | ```typescript
107 | {
108 |     Type: "policy-violation",
109 |     Payload: {
110 |         URN              "<urn>",
111 |         Message          "No Kubernetes Service objects should have type `LoadBalancer`: " +
112 |             "Security team requires all publicly-exposed services to go through audit and approval ",
113 |         Color            "<color>",
114 |         ID               "k8s-sec-rules/no-public-services",
115 |         EnforcementLevel "mandatory",
116 |         Prefix           "<prefix>",
117 |     }
118 | }
119 | ```
120 | 
121 | ### Policy violation event is sent to the Pulumi service
122 | 
123 | Finally, once this is converted to an event that the Pulumi service understands, it is sent to the
124 | Pulumi service.
125 | 


--------------------------------------------------------------------------------
/scripts/promote.js:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2018, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | // This program simply reads a package.json from stdin, takes a set of arguments representing
 4 | // package names, and for each one, promotes that package from a peerDependency to a real dependency.
 5 | 
 6 | // Read the package.json from stdin.
 7 | let packageJSONText = "";
 8 | const readline = require("readline");
 9 | const stdin = readline.createInterface({
10 |     input: process.stdin,
11 |     output: process.stdout,
12 |     terminal: false,
13 | });
14 | stdin.on("line", function(line) {
15 |     packageJSONText += `${line}\n`;
16 | });
17 | stdin.on("close", function() {
18 |     // All stdin is available.  Parse the JSON and move dependencies around.
19 |     const packageJSON = JSON.parse(packageJSONText);
20 |     for (const arg of process.argv.slice(2)) {
21 |         if (!packageJSON.peerDependencies || !packageJSON.peerDependencies[arg]) {
22 |             throw new Error(`No peerDependency for "${arg}" found`);
23 |         }
24 | 
25 |         // Add this dependency.
26 |         if (!packageJSON.dependencies) {
27 |             packageJSON.dependencies = {};
28 |         }
29 |         packageJSON.dependencies[arg] = packageJSON.peerDependencies[arg];
30 | 
31 |         // And now delete the peer dependency.
32 |         delete packageJSON.peerDependencies[arg];
33 |         if (Object.keys(packageJSON.peerDependencies).length === 0) {
34 |             delete packageJSON.peerDependencies;
35 |         }
36 |     }
37 | 
38 |     // Now print out the result to stdout.
39 |     console.log(JSON.stringify(packageJSON, null, 4));
40 | });
41 | 


--------------------------------------------------------------------------------
/scripts/publish_packages.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # publish.sh builds and publishes a release.
 3 | set -o nounset -o errexit -o pipefail
 4 | ROOT=$(dirname $0)/..
 5 | 
 6 | echo "Publishing NPM packages to NPMjs.com:"
 7 | 
 8 | # For each package, first create the package.json to publish.  This must be different than the one we use for
 9 | # development and testing the SDK, since we use symlinking for those workflows.  Namely, we must promote the SDK
10 | # dependencies from peerDependencies that are resolved via those links, to real installable dependencies.
11 | publish() {
12 |     node $(dirname $0)/promote.js ${@:2} < \
13 |         ${ROOT}/sdk/nodejs/$1/bin/package.json > \
14 |         ${ROOT}/sdk/nodejs/$1/bin/package.json.publish
15 |     pushd ${ROOT}/sdk/nodejs/$1/bin
16 |     mv package.json package.json.dev
17 |     mv package.json.publish package.json
18 | 
19 |     NPM_TAG="dev"
20 | 
21 |     # If the package doesn't have a pre-release tag, use the tag of latest instead of
22 |     # dev. NPM uses this tag as the default version to add, so we want it to mean
23 |     # the newest released version.
24 |     if [[ $(jq -r .version < package.json) != *-* ]]; then
25 |         NPM_TAG="latest"
26 |     fi
27 | 
28 |     # Now, perform the publish.
29 |     npm publish -tag ${NPM_TAG}
30 |     npm info 2>/dev/null
31 | 
32 |     # And finally restore the original package.json.
33 |     mv package.json package.json.publish
34 |     mv package.json.dev package.json
35 |     popd
36 | }
37 | 
38 | publish policy
39 | 
40 | echo "Publishing Pip package to pypi.org:"
41 | twine upload \
42 |     -u "${PYPI_USERNAME}" -p "${PYPI_PASSWORD}" \
43 |     "${ROOT}/sdk/python/env/src/dist"/*.whl \
44 |     --skip-existing \
45 | 


--------------------------------------------------------------------------------
/scripts/reversion.js:
--------------------------------------------------------------------------------
 1 | // Copyright 2018, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | var fs = require("fs");
 4 | 
 5 | if (process.argv.length < 4) {
 6 |     console.error("error: missing arguments; usage: <script> <file> <version>");
 7 |     process.exit(1);
 8 | }
 9 | 
10 | var file = process.argv[2];
11 | var data = fs.readFileSync(file).toString("utf8");
12 | var version = process.argv[3];
13 | if (version && version[0] === "v") {
14 |     version = version.substring(1);
15 | }
16 | fs.writeFileSync(file, data.replace(/\${VERSION}/g, version));
17 | 


--------------------------------------------------------------------------------
/sdk/nodejs/policy/.eslintrc.js:
--------------------------------------------------------------------------------
  1 | /*
  2 | 👋 Hi! This file was autogenerated by tslint-to-eslint-config.
  3 | https://github.com/typescript-eslint/tslint-to-eslint-config
  4 | 
  5 | It represents the closest reasonable ESLint configuration to this
  6 | project's original TSLint configuration.
  7 | 
  8 | We recommend eventually switching this configuration to extend from
  9 | the recommended rulesets in typescript-eslint. 
 10 | https://github.com/typescript-eslint/tslint-to-eslint-config/blob/master/docs/FAQs.md
 11 | 
 12 | Happy linting! 💖
 13 | */
 14 | module.exports = {
 15 |     "env": {
 16 |         "es6": true,
 17 |         "node": true
 18 |     },
 19 |     "parser": "@typescript-eslint/parser",
 20 |     "parserOptions": {
 21 |         "project": "tsconfig.json",
 22 |         "sourceType": "module"
 23 |     },
 24 |     "ignorePatterns": ["node_modules/", "bin/"],
 25 |     "plugins": [
 26 |         "@typescript-eslint",
 27 |         "eslint-plugin-import",
 28 |         "header"
 29 |     ],
 30 |     "rules": {
 31 |         "@typescript-eslint/class-name-casing": "error",
 32 |         "@typescript-eslint/explicit-member-accessibility": [
 33 |             "off",
 34 |             {
 35 |                 "accessibility": "explicit"
 36 |             }
 37 |         ],
 38 |         "@typescript-eslint/indent": [
 39 |             "error",
 40 |             4,
 41 |             {
 42 |                 "FunctionDeclaration": {
 43 |                     "parameters": "first"
 44 |                 },
 45 |                 "FunctionExpression": {
 46 |                     "parameters": "first"
 47 |                 },
 48 |                 "SwitchCase": 1
 49 |             }
 50 |         ],
 51 |         "@typescript-eslint/interface-name-prefix": "off",
 52 |         "@typescript-eslint/member-delimiter-style": [
 53 |             "error",
 54 |             {
 55 |                 "multiline": {
 56 |                     "delimiter": "semi",
 57 |                     "requireLast": true
 58 |                 },
 59 |                 "singleline": {
 60 |                     "delimiter": "semi",
 61 |                     "requireLast": false
 62 |                 }
 63 |             }
 64 |         ],
 65 |         "@typescript-eslint/member-ordering": "error",
 66 |         "@typescript-eslint/no-empty-function": "error",
 67 |         "@typescript-eslint/no-explicit-any": "off",
 68 |         "@typescript-eslint/no-inferrable-types": "off",
 69 |         "@typescript-eslint/no-parameter-properties": "off",
 70 |         "@typescript-eslint/no-require-imports": "off",
 71 |         "@typescript-eslint/no-use-before-define": "off",
 72 |         "@typescript-eslint/no-var-requires": "off",
 73 |         "@typescript-eslint/prefer-namespace-keyword": "error",
 74 |         "@typescript-eslint/quotes": [
 75 |             "error",
 76 |             "double",
 77 |             {
 78 |                 "avoidEscape": true
 79 |             }
 80 |         ],
 81 |         "@typescript-eslint/semi": [
 82 |             "error"
 83 |         ],
 84 |         "@typescript-eslint/type-annotation-spacing": "error",
 85 |         "camelcase": "error",
 86 |         "comma-dangle": [
 87 |             "error",
 88 |             "always-multiline"
 89 |         ],
 90 |         "curly": "error",
 91 |         "default-case": "error",
 92 |         "dot-notation": "off",
 93 |         "eol-last": "error",
 94 |         "eqeqeq": [
 95 |             "error",
 96 |             "smart"
 97 |         ],
 98 |         "guard-for-in": "error",
 99 |         "id-blacklist": [
100 |             "error",
101 |             "any",
102 |             "Number",
103 |             "number",
104 |             "String",
105 |             "string",
106 |             "Boolean",
107 |             "boolean",
108 |         ],
109 |         "id-match": "error",
110 |         "import/order": "error",
111 |         "jsdoc/check-alignment": "off",
112 |         "jsdoc/check-indentation": "off",
113 |         "jsdoc/newline-after-description": "off",
114 |         "no-bitwise": "off",
115 |         "no-caller": "error",
116 |         "no-cond-assign": "off",
117 |         "no-console": [
118 |             "error",
119 |             {
120 |                 "allow": [
121 |                     "log",
122 |                     "warn",
123 |                     "dir",
124 |                     "timeLog",
125 |                     "assert",
126 |                     "clear",
127 |                     "count",
128 |                     "countReset",
129 |                     "group",
130 |                     "groupEnd",
131 |                     "table",
132 |                     "dirxml",
133 |                     "error",
134 |                     "groupCollapsed",
135 |                     "Console",
136 |                     "profile",
137 |                     "profileEnd",
138 |                     "timeStamp",
139 |                     "context"
140 |                 ]
141 |             }
142 |         ],
143 |         "no-debugger": "error",
144 |         "no-empty": "error",
145 |         "no-eval": "error",
146 |         "no-fallthrough": "error",
147 |         "no-multiple-empty-lines": "off",
148 |         "no-new-wrappers": "error",
149 |         "no-redeclare": "error",
150 |         "no-shadow": [
151 |             "error",
152 |             {
153 |                 "hoist": "all"
154 |             }
155 |         ],
156 |         "no-trailing-spaces": "error",
157 |         "no-irregular-whitespace": "error",
158 |         "keyword-spacing": "error",
159 |         "no-unused-expressions": "error",
160 |         "no-unused-labels": "error",
161 |         "no-var": "error",
162 |         "prefer-const": "error",
163 |         "radix": "error",
164 |         "spaced-comment": [
165 |             "error",
166 |             "always",
167 |             {
168 |                 "markers": [
169 |                     "/"
170 |                 ]
171 |             }
172 |         ],
173 |         "header/header": [2, "line", [
174 |             {"pattern": "Copyright \\d{4}-\\d{4}, Pulumi Corporation."},
175 |         ]]
176 |     }
177 | };
178 | 


--------------------------------------------------------------------------------
/sdk/nodejs/policy/Makefile:
--------------------------------------------------------------------------------
 1 | PROJECT_NAME := policy
 2 | NODE_MODULE_NAME := @pulumi/policy
 3 | include ../../../build/common.mk
 4 | 
 5 | VERSION := $(shell cd ../../../ && pulumictl get version --language javascript)
 6 | 
 7 | export PATH := $(shell yarn bin 2>/dev/null):$(PATH)
 8 | 
 9 | TESTPARALLELISM := 10
10 | 
11 | build::
12 | 	yarn install
13 | 	rm -rf bin/
14 | 	yarn run tsc
15 | 	sed -e 's/\$${VERSION}/$(VERSION)/g' < package.json > bin/package.json
16 | 	cp ../../../README.md ../../../LICENSE bin/
17 | 	node ../../../scripts/reversion.js bin/version.js ${VERSION}
18 | 
19 | lint::
20 | 	yarn run eslint -c .eslintrc.js --ext .ts .
21 | 
22 | istanbul_tests::
23 | 	yarn run istanbul test --print none _mocha -- --timeout 15000 'bin/tests/**/*.spec.js'
24 | 	yarn run istanbul report text-summary
25 | 	yarn run istanbul report text
26 | 
27 | test_fast:: istanbul_tests
28 | 
29 | test_all:: istanbul_tests
30 | 


--------------------------------------------------------------------------------
/sdk/nodejs/policy/index.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2019, Pulumi Corporation.
 2 | //
 3 | // Licensed under the Apache License, Version 2.0 (the "License");
 4 | // you may not use this file except in compliance with the License.
 5 | // You may obtain a copy of the License at
 6 | //
 7 | //     http://www.apache.org/licenses/LICENSE-2.0
 8 | //
 9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | 
15 | export * from "./policy";
16 | 


--------------------------------------------------------------------------------
/sdk/nodejs/policy/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "@pulumi/policy",
 3 |     "version": "${VERSION}",
 4 |     "description": "A framework for writing policy as code",
 5 |     "license": "Apache-2.0",
 6 |     "keywords": [
 7 |         "pulumi",
 8 |         "policy"
 9 |     ],
10 |     "homepage": "https://pulumi.io",
11 |     "repository": "https://github.com/pulumi/pulumi-policy",
12 |     "dependencies": {
13 |         "@grpc/grpc-js": "^1.10.1",
14 |         "@pulumi/pulumi": "^3.157.0",
15 |         "google-protobuf": "^3.5.0",
16 |         "protobufjs": "^7.2.4"
17 |     },
18 |     "devDependencies": {
19 |         "@types/mocha": "^2.2.42",
20 |         "@types/node": "^10.12.7",
21 |         "@typescript-eslint/eslint-plugin": "^2.31.0",
22 |         "@typescript-eslint/parser": "^2.31.0",
23 |         "eslint": "^6.8.0",
24 |         "eslint-plugin-header": "^3.0.0",
25 |         "eslint-plugin-import": "^2.20.2",
26 |         "istanbul": "^0.4.5",
27 |         "mocha": "^3.5.0",
28 |         "typescript": "^3.7.5"
29 |     }
30 | }
31 | 


--------------------------------------------------------------------------------
/sdk/nodejs/policy/proxy.ts:
--------------------------------------------------------------------------------
  1 | // Copyright 2016-2019, Pulumi Corporation.
  2 | //
  3 | // Licensed under the Apache License, Version 2.0 (the "License");
  4 | // you may not use this file except in compliance with the License.
  5 | // You may obtain a copy of the License at
  6 | //
  7 | //     http://www.apache.org/licenses/LICENSE-2.0
  8 | //
  9 | // Unless required by applicable law or agreed to in writing, software
 10 | // distributed under the License is distributed on an "AS IS" BASIS,
 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12 | // See the License for the specific language governing permissions and
 13 | // limitations under the License.
 14 | 
 15 | /**
 16 |  * `unknownCheckingProxy` takes a set of resource inputs, and returns a wrapped version that
 17 |  * intercepts all property accesses to check if they are unknown, throwing an `UnknownValueError` if
 18 |  * so. For example, if the resource inputs contains a reference to an IP address that can't be known
 19 |  * until the resource has been initialized by the cloud provider, this value would be unknown during
 20 |  * `pulumi preview`, and only filled in during the update.
 21 |  *
 22 |  * @param toProxy resource inputs to create a proxy for
 23 |  * @internal
 24 |  */
 25 | export function unknownCheckingProxy<T>(toProxy: any): any {
 26 |     return proxyHelper(toProxy, []);
 27 | }
 28 | 
 29 | /**
 30 |  * isSpecialProxy can be used to detect the presence of a special proxy.
 31 |  * @internal
 32 |  */
 33 | export const isSpecialProxy = "__isSpecialProxy";
 34 | 
 35 | /**
 36 |  * getSpecialProxyTarget can be used to return the original underlying proxied object.
 37 |  * @internal
 38 |  */
 39 | export const getSpecialProxyTarget = "__getSpecialProxyTarget";
 40 | 
 41 | /**
 42 |  * `proxyHelper` is a helper for the `unknownCheckingProxy` function.
 43 |  * @param toProxy resource inputs to create a proxy for
 44 |  * @param propsAcc accumulates the property path, e.g., for `resc.foo.bar`, this would be `["foo","bar"]`
 45 |  * @internal
 46 |  */
 47 | function proxyHelper<T>(toProxy: any, propsAcc: (keyof T)[]): any {
 48 |     if (!(toProxy instanceof Object)) {
 49 |         return toProxy;
 50 |     }
 51 | 
 52 |     return new Proxy(toProxy, {
 53 |         get: (obj, prop: keyof T) => {
 54 |             if (prop === isSpecialProxy) {
 55 |                 return true;
 56 |             } else if (prop === getSpecialProxyTarget) {
 57 |                 return obj;
 58 |             }
 59 |             const newProps = propsAcc.concat([prop]);
 60 |             const field = obj[prop];
 61 |             if (isUnknown(field)) {
 62 |                 throw new UnknownValueError<T>(field, newProps);
 63 |             }
 64 |             return proxyHelper(field, newProps);
 65 |         },
 66 |     });
 67 | }
 68 | 
 69 | /**
 70 |  * UnknownValueError indicates that a property we attempted to access in some cloud resource is
 71 |  * unknown. For example, during preview, some resource fields (such as an allocated IP address)
 72 |  * can't be known until the update is executed; an attempt to access such a field will result in
 73 |  * this exception.
 74 |  * @internal
 75 |  */
 76 | export class UnknownValueError<T> extends Error {
 77 |     public readonly unknownTypeSentinel: string;
 78 |     public readonly props: (keyof T)[];
 79 | 
 80 |     constructor(unknownTypeSentinel: string, props: (keyof T)[]) {
 81 |         const path = props.join(".");
 82 |         const unknownType = unknownToString(unknownTypeSentinel);
 83 |         super(`${unknownType} value at .${path} can't be known during preview`);
 84 |         this.unknownTypeSentinel = unknownTypeSentinel;
 85 |         this.props = props;
 86 |     }
 87 | }
 88 | 
 89 | function isUnknown(o: any): boolean {
 90 |     return (
 91 |         o === unknownBooleanValue ||
 92 |         o === unknownNumberValue ||
 93 |         o === unknownStringValue ||
 94 |         o === unknownArrayValue ||
 95 |         o === unknownAssetValue ||
 96 |         o === unknownArchiveValue ||
 97 |         o === unknownObjectValue
 98 |     );
 99 | }
100 | 
101 | function unknownToString(o: string): string {
102 |     switch (o) {
103 |         case unknownBooleanValue:
104 |             return "boolean";
105 |         case unknownNumberValue:
106 |             return "number";
107 |         case unknownStringValue:
108 |             return "string";
109 |         case unknownArrayValue:
110 |             return "Array";
111 |         case unknownAssetValue:
112 |             return "asset";
113 |         case unknownArchiveValue:
114 |             return "archive";
115 |         case unknownObjectValue:
116 |             return "Object";
117 |         default:
118 |             throw new Error(`unknown value not recognized: ${o}`);
119 |     }
120 | }
121 | 
122 | // unknownBooleanValue is a sentinel indicating that a boolean property's value is not known,
123 | // because it depends on a computation with values whose values themselves are not yet known (e.g.,
124 | // dependent upon an output property).
125 | /** @internal */
126 | export const unknownBooleanValue = "1c4a061d-8072-4f0a-a4cb-0ff528b18fe7";
127 | // unknownNumberValue is a sentinel indicating that a number property's value is not known, because
128 | // it depends on a computation with values whose values themselves are not yet known (e.g.,
129 | // dependent upon an output property).
130 | /** @internal */
131 | export const unknownNumberValue = "3eeb2bf0-c639-47a8-9e75-3b44932eb421";
132 | // unknownStringValue is a sentinel indicating that a string property's value is not known, because
133 | // it depends on a computation with values whose values themselves are not yet known (e.g.,
134 | // dependent upon an output property).
135 | /** @internal */
136 | export const unknownStringValue = "04da6b54-80e4-46f7-96ec-b56ff0331ba9";
137 | // unknownArrayValue is a sentinel indicating that an array property's value is not known, because
138 | // it depends on a computation with values whose values themselves are not yet known (e.g.,
139 | // dependent upon an output property).
140 | /** @internal */
141 | export const unknownArrayValue = "6a19a0b0-7e62-4c92-b797-7f8e31da9cc2";
142 | // unknownAssetValue is a sentinel indicating that an asset property's value is not known, because
143 | // it depends on a computation with values whose values themselves are not yet known (e.g.,
144 | // dependent upon an output property).
145 | /** @internal */
146 | export const unknownAssetValue = "030794c1-ac77-496b-92df-f27374a8bd58";
147 | // unknownArchiveValue is a sentinel indicating that an archive property's value is not known,
148 | // because it depends on a computation with values whose values themselves are not yet known (e.g.,
149 | // dependent upon an output property).
150 | /** @internal */
151 | export const unknownArchiveValue = "e48ece36-62e2-4504-bad9-02848725956a";
152 | // unknownObjectValue is a sentinel indicating that an archive property's value is not known,
153 | // because it depends on a computation with values whose values themselves are not yet known (e.g.,
154 | // dependent upon an output property).
155 | /** @internal */
156 | export const unknownObjectValue = "dd056dcd-154b-4c76-9bd3-c8f88648b5ff";
157 | 


--------------------------------------------------------------------------------
/sdk/nodejs/policy/schema.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2020, Pulumi Corporation.
 2 | //
 3 | // Licensed under the Apache License, Version 2.0 (the "License");
 4 | // you may not use this file except in compliance with the License.
 5 | // You may obtain a copy of the License at
 6 | //
 7 | //     http://www.apache.org/licenses/LICENSE-2.0
 8 | //
 9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | 
15 | export interface PolicyConfigJSONSchema {
16 |     type?: PolicyConfigJSONSchemaTypeName | PolicyConfigJSONSchemaTypeName[];
17 |     enum?: PolicyConfigJSONSchemaType[];
18 |     const?: PolicyConfigJSONSchemaType;
19 | 
20 |     multipleOf?: number;
21 |     maximum?: number;
22 |     exclusiveMaximum?: number;
23 |     minimum?: number;
24 |     exclusiveMinimum?: number;
25 | 
26 |     maxLength?: number;
27 |     minLength?: number;
28 |     pattern?: string;
29 | 
30 |     items?: PolicyConfigJSONSchemaDefinition | PolicyConfigJSONSchemaDefinition[];
31 |     additionalItems?: PolicyConfigJSONSchemaDefinition;
32 |     maxItems?: number;
33 |     minItems?: number;
34 |     uniqueItems?: boolean;
35 |     contains?: PolicyConfigJSONSchema;
36 | 
37 |     maxProperties?: number;
38 |     minProperties?: number;
39 |     required?: string[];
40 |     properties?: {
41 |         [key: string]: PolicyConfigJSONSchemaDefinition;
42 |     };
43 |     patternProperties?: {
44 |         [key: string]: PolicyConfigJSONSchemaDefinition;
45 |     };
46 |     additionalProperties?: PolicyConfigJSONSchemaDefinition;
47 |     dependencies?: {
48 |         [key: string]: PolicyConfigJSONSchemaDefinition | string[];
49 |     };
50 |     propertyNames?: PolicyConfigJSONSchemaDefinition;
51 | 
52 |     format?: string;
53 | 
54 |     description?: string;
55 |     default?: PolicyConfigJSONSchemaType;
56 | }
57 | 
58 | export type PolicyConfigJSONSchemaDefinition = PolicyConfigJSONSchema | boolean;
59 | 
60 | export type PolicyConfigJSONSchemaTypeName =
61 |     "string" | "number" | "integer" | "boolean" | "object" | "array" | "null";
62 | 
63 | export type PolicyConfigJSONSchemaType = PolicyConfigJSONSchemaType[] | boolean | number | null | object | string;
64 | 


--------------------------------------------------------------------------------
/sdk/nodejs/policy/secret.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2023, Pulumi Corporation.
 2 | //
 3 | // Licensed under the Apache License, Version 2.0 (the "License");
 4 | // you may not use this file except in compliance with the License.
 5 | // You may obtain a copy of the License at
 6 | //
 7 | //     http://www.apache.org/licenses/LICENSE-2.0
 8 | //
 9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | 
15 | import { Secret } from "./policy";
16 | import { isSpecialProxy, getSpecialProxyTarget } from "./proxy";
17 | 
18 | /**
19 |  * `secretsPreservingProxy` is a helper that takes an input and ensures any properties
20 |  * that are secrets are (a) unwrapped to return raw values and (b) preserve secretness
21 |  * upon writes. This ensures that secret values are preserved even if replaced.
22 |  *
23 |  * @param toProxy the object whose property accesses to proxy.
24 |  */
25 | export function secretsPreservingProxy<T>(toProxy: any): any {
26 |     if (!(toProxy instanceof Object)) {
27 |         return toProxy;
28 |     }
29 | 
30 |     const isSecret = (target: any, p: string | number | symbol): any => {
31 |         const value = target[p];
32 |         if (value && value instanceof Secret) {
33 |             return [value.value, true];
34 |         }
35 |         return [value, false];
36 |     };
37 | 
38 |     return new Proxy(toProxy, {
39 |         get: (target: any, p: keyof T): any=> {
40 |             // Check for special symbols.
41 |             if (p === isSpecialProxy) {
42 |                 return true;
43 |             } else if (p === getSpecialProxyTarget) {
44 |                 return target;
45 |             }
46 | 
47 |             // If it's a secret, pluck out the raw value.
48 |             const [value, _] = isSecret(target, p);
49 | 
50 |             // And in either case, make sure to deeply apply this transformation.
51 |             return secretsPreservingProxy(value);
52 |         },
53 |         set: (target: any, p: keyof T, value: any, receiver: any): boolean => {
54 |             // First check if the existing value is a secret. If it is, make any new values secret too.
55 |             const [_, secret] = isSecret(target, p);
56 |             if (secret) {
57 |                 value = new Secret(value);
58 |             }
59 |             target[p] = value;
60 |             return true;
61 |         },
62 |     });
63 | }
64 | 
65 | 
66 | 


--------------------------------------------------------------------------------
/sdk/nodejs/policy/tests/policy.spec.ts:
--------------------------------------------------------------------------------
  1 | // Copyright 2016-2020, Pulumi Corporation.
  2 | //
  3 | // Licensed under the Apache License, Version 2.0 (the "License");
  4 | // you may not use this file except in compliance with the License.
  5 | // You may obtain a copy of the License at
  6 | //
  7 | //     http://www.apache.org/licenses/LICENSE-2.0
  8 | //
  9 | // Unless required by applicable law or agreed to in writing, software
 10 | // distributed under the License is distributed on an "AS IS" BASIS,
 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12 | // See the License for the specific language governing permissions and
 13 | // limitations under the License.
 14 | 
 15 | import * as assert from "assert";
 16 | 
 17 | import * as pulumi from "@pulumi/pulumi";
 18 | import {
 19 |     remediateResourceOfType,
 20 |     ResourceValidationPolicy,
 21 |     StackValidationPolicy,
 22 |     validateResourceOfType,
 23 |     validateStackResourcesOfType,
 24 | } from "../policy";
 25 | 
 26 | import { asyncTest, runResourcePolicy, runResourceRemediation, runStackPolicy } from "./util";
 27 | 
 28 | function delay(t: number, v: string): Promise<string> {
 29 |     return new Promise((resolve) => {
 30 |         setTimeout(() => resolve(v), t);
 31 |     });
 32 | }
 33 | 
 34 | class Foo extends pulumi.Resource {
 35 |     constructor(name: string, args: FooArgs) {
 36 |         super("my:foo", name, false);
 37 |     }
 38 | }
 39 | 
 40 | interface FooArgs {
 41 | }
 42 | 
 43 | const empytOptions = {
 44 |     protect: false,
 45 |     ignoreChanges: [],
 46 |     aliases: [],
 47 |     customTimeouts: {
 48 |         createSeconds: 0,
 49 |         updateSeconds: 0,
 50 |         deleteSeconds: 0,
 51 |     },
 52 |     additionalSecretOutputs: [],
 53 | };
 54 | 
 55 | describe("validateResourceOfType", () => {
 56 |     it("works as expected with async policies", asyncTest(async () => {
 57 |         const policy: ResourceValidationPolicy = {
 58 |             name: "foo",
 59 |             description: "A test policy.",
 60 |             enforcementLevel: "mandatory",
 61 |             validateResource: validateResourceOfType(Foo, async (_, __, reportViolation) => {
 62 |                 const response = await delay(100, "hi");
 63 |                 reportViolation(response);
 64 |             }),
 65 |         };
 66 | 
 67 |         const args = {
 68 |             isType: () => true,  // true so the validation function always runs.
 69 |             asType: () => undefined,
 70 |             getConfig: <T>() => <T>{},
 71 |             type: "",
 72 |             props: {},
 73 |             urn: "",
 74 |             name: "",
 75 |             opts: empytOptions,
 76 |         };
 77 | 
 78 |         const violations = await runResourcePolicy(policy, args);
 79 | 
 80 |         assert.deepStrictEqual(violations, [{ message: "hi" }]);
 81 |     }));
 82 | });
 83 | 
 84 | describe("remediateResourceOfType", () => {
 85 |     it("works as expected with async policies", asyncTest(async () => {
 86 |         const policy: ResourceValidationPolicy = {
 87 |             name: "foo",
 88 |             description: "A test remediation.",
 89 |             enforcementLevel: "remediate",
 90 |             remediateResource: remediateResourceOfType(Foo, async (_, __) => {
 91 |                 const response = await delay(100, "hi");
 92 |                 return { "message": "bonjour" };
 93 |             }),
 94 |         };
 95 | 
 96 |         const args = {
 97 |             isType: () => true,  // true so the validation function always runs.
 98 |             asType: () => undefined,
 99 |             getConfig: <T>() => <T>{},
100 |             type: "",
101 |             props: {},
102 |             urn: "",
103 |             name: "",
104 |             opts: empytOptions,
105 |         };
106 | 
107 |         const remediation = await runResourceRemediation(policy, args);
108 | 
109 |         assert.deepStrictEqual(remediation, { message: "bonjour" });
110 |     }));
111 | });
112 | 
113 | describe("validateStackResourcesOfType", () => {
114 |     it("works as expected with async policies", asyncTest(async () => {
115 |         const policy: StackValidationPolicy = {
116 |             name: "foo",
117 |             description: "A test policy.",
118 |             enforcementLevel: "mandatory",
119 |             validateStack: validateStackResourcesOfType(Foo, async (_, __, reportViolation) => {
120 |                 const response = await delay(100, "hi");
121 |                 reportViolation(response);
122 |             }),
123 |         };
124 | 
125 |         const args = {
126 |             getConfig: <T>() => <T>{},
127 |             resources: [{
128 |                 isType: () => true, // true so the validation function always runs.
129 |                 asType: () => undefined,
130 |                 type: "",
131 |                 props: {},
132 |                 urn: "",
133 |                 name: "",
134 |                 opts: empytOptions,
135 |                 dependencies: [],
136 |                 propertyDependencies: {},
137 |             }],
138 |         };
139 | 
140 |         const violations = await runStackPolicy(policy, args);
141 | 
142 |         assert.deepStrictEqual(violations, [{ message: "hi" }]);
143 |     }));
144 | });
145 | 


--------------------------------------------------------------------------------
/sdk/nodejs/policy/tests/proxy.spec.ts:
--------------------------------------------------------------------------------
  1 | // Copyright 2016-2019, Pulumi Corporation.
  2 | //
  3 | // Licensed under the Apache License, Version 2.0 (the "License");
  4 | // you may not use this file except in compliance with the License.
  5 | // You may obtain a copy of the License at
  6 | //
  7 | //     http://www.apache.org/licenses/LICENSE-2.0
  8 | //
  9 | // Unless required by applicable law or agreed to in writing, software
 10 | // distributed under the License is distributed on an "AS IS" BASIS,
 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12 | // See the License for the specific language governing permissions and
 13 | // limitations under the License.
 14 | 
 15 | import * as assert from "assert";
 16 | 
 17 | import {
 18 |     unknownArchiveValue,
 19 |     unknownArrayValue,
 20 |     unknownAssetValue,
 21 |     unknownBooleanValue,
 22 |     unknownCheckingProxy,
 23 |     unknownNumberValue,
 24 |     unknownObjectValue,
 25 |     unknownStringValue,
 26 |     UnknownValueError,
 27 | } from "../proxy";
 28 | 
 29 | function assertThrowsUnknownValue(f: Function, unknownTypeSentinel: string, path: string[]): void {
 30 |     try {
 31 |         f();
 32 |     } catch (e) {
 33 |         if (e instanceof UnknownValueError) {
 34 |             assert.strictEqual(e.unknownTypeSentinel, unknownTypeSentinel);
 35 |             assert.deepStrictEqual(e.props, path);
 36 |             return;
 37 |         }
 38 |         assert.fail(`threw something that is not an UnknownValueError: ${e}`);
 39 |     }
 40 |     assert.fail("didn't throw an error");
 41 | }
 42 | 
 43 | describe("proxy", () => {
 44 |     it("returns values at properties that are not unknown", () => {
 45 |         assert.strictEqual(unknownCheckingProxy({}).foo, undefined);
 46 |         assert.strictEqual(unknownCheckingProxy({ foo: "bar" }).foo, "bar");
 47 |         assert.strictEqual(unknownCheckingProxy({ foo: { bar: "baz" } }).foo.bar, "baz");
 48 | 
 49 |         assert.strictEqual(unknownCheckingProxy([]).foo, undefined);
 50 |         assert.strictEqual(unknownCheckingProxy([])[1], undefined);
 51 | 
 52 |         assert.strictEqual(unknownCheckingProxy(99).foo, undefined);
 53 |         assert.strictEqual(unknownCheckingProxy(99)[1], undefined);
 54 | 
 55 |         assert.strictEqual(unknownCheckingProxy("foo").foo, undefined);
 56 |         assert.strictEqual(unknownCheckingProxy("foo")[1], "o");
 57 | 
 58 |         assert.strictEqual(unknownCheckingProxy(undefined), undefined);
 59 |         assert.throws(() => unknownCheckingProxy(undefined).foo);
 60 |         assert.throws(() => unknownCheckingProxy(undefined)[1]);
 61 | 
 62 |         assert.strictEqual(unknownCheckingProxy(null), null);
 63 |         assert.throws(() => unknownCheckingProxy(null).foo);
 64 |         assert.throws(() => unknownCheckingProxy(null)[1]);
 65 |     });
 66 | 
 67 |     it("throws for properties that are unknown", () => {
 68 |         assertThrowsUnknownValue(
 69 |             () => {
 70 |                 return unknownCheckingProxy({ foo: unknownBooleanValue }).foo;
 71 |             },
 72 |             unknownBooleanValue,
 73 |             ["foo"],
 74 |         );
 75 |         assertThrowsUnknownValue(
 76 |             () => {
 77 |                 return unknownCheckingProxy({ foo: unknownNumberValue }).foo;
 78 |             },
 79 |             unknownNumberValue,
 80 |             ["foo"],
 81 |         );
 82 |         assertThrowsUnknownValue(
 83 |             () => {
 84 |                 return unknownCheckingProxy({ foo: unknownStringValue }).foo;
 85 |             },
 86 |             unknownStringValue,
 87 |             ["foo"],
 88 |         );
 89 |         assertThrowsUnknownValue(
 90 |             () => {
 91 |                 return unknownCheckingProxy({ foo: unknownArrayValue }).foo;
 92 |             },
 93 |             unknownArrayValue,
 94 |             ["foo"],
 95 |         );
 96 |         assertThrowsUnknownValue(
 97 |             () => {
 98 |                 return unknownCheckingProxy({ foo: unknownAssetValue }).foo;
 99 |             },
100 |             unknownAssetValue,
101 |             ["foo"],
102 |         );
103 |         assertThrowsUnknownValue(
104 |             () => {
105 |                 return unknownCheckingProxy({ foo: unknownArchiveValue }).foo;
106 |             },
107 |             unknownArchiveValue,
108 |             ["foo"],
109 |         );
110 |         assertThrowsUnknownValue(
111 |             () => {
112 |                 return unknownCheckingProxy({ foo: unknownObjectValue }).foo;
113 |             },
114 |             unknownObjectValue,
115 |             ["foo"],
116 |         );
117 |     });
118 | 
119 |     it("throws for nested properties that are unknown", () => {
120 |         assertThrowsUnknownValue(
121 |             () => {
122 |                 return unknownCheckingProxy({ foo: { bar: unknownBooleanValue } }).foo.bar;
123 |             },
124 |             unknownBooleanValue,
125 |             ["foo", "bar"],
126 |         );
127 |         assertThrowsUnknownValue(
128 |             () => {
129 |                 return unknownCheckingProxy({ foo: [unknownBooleanValue] }).foo[0];
130 |             },
131 |             unknownBooleanValue,
132 |             ["foo", "0"],
133 |         );
134 |         assertThrowsUnknownValue(
135 |             () => {
136 |                 const props = unknownCheckingProxy({ foo: [true, unknownBooleanValue, false] });
137 |                 let count = 0;
138 |                 for (const item of props.foo) {
139 |                     count++;
140 |                 }
141 |             },
142 |             unknownBooleanValue,
143 |             ["foo", "1"],
144 |         );
145 |         assertThrowsUnknownValue(
146 |             () => {
147 |                 const props = unknownCheckingProxy({ foo: [true, unknownBooleanValue, false] });
148 |                 let count = 0;
149 |                 props.foo.forEach(() => {
150 |                     count++;
151 |                 });
152 |             },
153 |             unknownBooleanValue,
154 |             ["foo", "1"],
155 |         );
156 |     });
157 | });
158 | 


--------------------------------------------------------------------------------
/sdk/nodejs/policy/tests/util.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2020, Pulumi Corporation.
 2 | //
 3 | // Licensed under the Apache License, Version 2.0 (the "License");
 4 | // you may not use this file except in compliance with the License.
 5 | // You may obtain a copy of the License at
 6 | //
 7 | //     http://www.apache.org/licenses/LICENSE-2.0
 8 | //
 9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | 
15 | import * as policy from "../policy";
16 | 
17 | /** @internal */
18 | export type MochaFunc = (err: Error) => void;
19 | 
20 | // A helper function for wrapping some of the boilerplate goo necessary to interface between Mocha's asynchronous
21 | // testing and our TypeScript async tests.
22 | /** @internal */
23 | export function asyncTest(test: () => Promise<void>): (func: MochaFunc) => void {
24 |     return (done: (err: any) => void) => {
25 |         const go = async () => {
26 |             let caught: Error | undefined;
27 |             try {
28 |                 await test();
29 |             }
30 |             catch (err) {
31 |                 caught = err;
32 |             }
33 |             finally {
34 |                 done(caught);
35 |             }
36 |         };
37 |         go();
38 |     };
39 | }
40 | 
41 | /** @internal */
42 | export interface PolicyViolation {
43 |     message: string;
44 |     urn?: string;
45 | }
46 | 
47 | // runResourcePolicy will run some basic checks for a policy's metadata, and then
48 | // execute its rules with the provided type and properties.
49 | /** @internal */
50 | export async function runResourcePolicy(resPolicy: policy.ResourceValidationPolicy, args: policy.ResourceValidationArgs): Promise<PolicyViolation[]> {
51 |     const violations: PolicyViolation[] = [];
52 |     const report = (message: string, urn?: string) => {
53 |         violations.push({ message: message, ...urn && { urn } });
54 |     };
55 |     const validations = Array.isArray(resPolicy.validateResource)
56 |         ? resPolicy.validateResource
57 |         : [resPolicy.validateResource];
58 |     for (const validation of validations) {
59 |         if (validation) {
60 |             await Promise.resolve(validation(args, report));
61 |         }
62 |     }
63 |     return violations;
64 | }
65 | 
66 | /** @internal */
67 | export type PolicyRemediation = Record<string, any> | undefined;
68 | 
69 | // runResourceRemediation will run some basic checks for a policy's metadata, and then
70 | // execute its remediations with the provided type and properties, returning the results.
71 | /** @internal */
72 | export async function runResourceRemediation(resPolicy: policy.ResourceValidationPolicy, args: policy.ResourceValidationArgs): Promise<PolicyRemediation> {
73 |     if (resPolicy.remediateResource) {
74 |         const result = await Promise.resolve(resPolicy.remediateResource(args));
75 |         if (result) {
76 |             return result;
77 |         }
78 |     }
79 |     return undefined;
80 | }
81 | 
82 | // runStackPolicy will run some basic checks for a policy's metadata, and then
83 | // execute its rules with the provided type and properties.
84 | /** @internal */
85 | export async function runStackPolicy(stackPolicy: policy.StackValidationPolicy, args: policy.StackValidationArgs): Promise<PolicyViolation[]> {
86 |     const violations: PolicyViolation[] = [];
87 |     const report = (message: string, urn?: string) => {
88 |         violations.push({ message: message, ...urn && { urn } });
89 |     };
90 |     await Promise.resolve(stackPolicy.validateStack(args, report));
91 |     return violations;
92 | }
93 | 


--------------------------------------------------------------------------------
/sdk/nodejs/policy/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "outDir": "bin",
 4 |         "target": "es6",
 5 |         "module": "commonjs",
 6 |         "moduleResolution": "node",
 7 |         "declaration": true,
 8 |         "sourceMap": false,
 9 |         "stripInternal": true,
10 |         "experimentalDecorators": true,
11 |         "pretty": true,
12 |         "noFallthroughCasesInSwitch": true,
13 |         "noImplicitAny": true,
14 |         "noImplicitReturns": true,
15 |         "forceConsistentCasingInFileNames": true,
16 |         "strictNullChecks": true,
17 |     },
18 |     "files": [
19 |         "deserialize.ts",
20 |         "index.ts",
21 |         "policy.ts",
22 |         "protoutil.ts",
23 |         "proxy.ts",
24 |         "server.ts",
25 |         "schema.ts",
26 |         "version.ts",
27 | 
28 |         "tests/deserialize.spec.ts",
29 |         "tests/pb.spec.ts",
30 |         "tests/policy.spec.ts",
31 |         "tests/proxy.spec.ts",
32 |         "tests/util.ts"
33 |     ]
34 | }
35 | 


--------------------------------------------------------------------------------
/sdk/nodejs/policy/version.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2019, Pulumi Corporation.
 2 | //
 3 | // Licensed under the Apache License, Version 2.0 (the "License");
 4 | // you may not use this file except in compliance with the License.
 5 | // You may obtain a copy of the License at
 6 | //
 7 | //     http://www.apache.org/licenses/LICENSE-2.0
 8 | //
 9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | 
15 | /** @internal */
16 | export const version = "${VERSION}";
17 | 


--------------------------------------------------------------------------------
/sdk/python/.gitignore:
--------------------------------------------------------------------------------
1 | .idea/
2 | .mypy_cache/
3 | *.pyc
4 | /env/
5 | *.egg-info/
6 | .venv/
7 | build/
8 | 


--------------------------------------------------------------------------------
/sdk/python/Makefile:
--------------------------------------------------------------------------------
 1 | PROJECT_NAME     := Pulumi Policy Python SDK
 2 | VERSION          := $(shell cd ../../ && pulumictl get version)
 3 | PYPI_VERSION     := $(shell cd ../../ && pulumictl get version --language python)
 4 | 
 5 | PYENV := ./env
 6 | PYENVSRC := $(PYENV)/src
 7 | PYENVSRCLIB := $(PYENVSRC)/pulumi_policy
 8 | 
 9 | include ../../build/common.mk
10 | 
11 | ensure::
12 | 	pipenv --python 3 install --dev
13 | 	mkdir -p $(PYENVSRC)
14 | 
15 | build::
16 | 	rm -rf $(PYENVSRC) && cp -R ./lib/. $(PYENVSRC)/
17 | 	sed -i.bak 's/^VERSION = .*/VERSION = "$(PYPI_VERSION)"/g' $(PYENVSRC)/setup.py && rm $(PYENVSRC)/setup.py.bak
18 | 	sed -i.bak 's/^VERSION = .*/VERSION = "$(VERSION)"/g' $(PYENVSRCLIB)/version.py && rm $(PYENVSRCLIB)/version.py.bak
19 | 
20 | 	cp ../../README.md $(PYENVSRC)
21 | 	cd $(PYENVSRC) && pipenv run python setup.py build bdist_wheel --universal
22 | 
23 | lint::
24 | 	pipenv run mypy ./lib/pulumi_policy --config-file=mypy.ini
25 | 	pipenv run pylint ./lib/pulumi_policy --rcfile=.pylintrc
26 | 
27 | test_fast::
28 | 	pipenv run pip install ./env/src
29 | 	pipenv run python -m unittest discover -s lib/test -v
30 | 
31 | test_all:: test_fast
32 | 


--------------------------------------------------------------------------------
/sdk/python/Pipfile:
--------------------------------------------------------------------------------
 1 | [[source]]
 2 | url = "https://pypi.org/simple"
 3 | verify_ssl = true
 4 | name = "pypi"
 5 | 
 6 | [packages]
 7 | pulumi = ">=3.157.0,<4.0.0"
 8 | protobuf = "~=4.21"
 9 | grpcio = "~=1.66.2"
10 | setuptools = ">=61.0"
11 | 
12 | [dev-packages]
13 | pylint = ">=3.3.0"
14 | mypy = ">=1.1.0"
15 | types-protobuf = "*"
16 | 


--------------------------------------------------------------------------------
/sdk/python/lib/pulumi_policy/__init__.py:
--------------------------------------------------------------------------------
 1 | # Copyright 2016-2018, Pulumi Corporation.
 2 | #
 3 | # Licensed under the Apache License, Version 2.0 (the "License");
 4 | # you may not use this file except in compliance with the License.
 5 | # You may obtain a copy of the License at
 6 | #
 7 | #     http://www.apache.org/licenses/LICENSE-2.0
 8 | #
 9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | 
15 | """
16 | The Pulumi Policy SDK for Python.
17 | """
18 | 
19 | # Make all module members inside of this package available as package members.
20 | from .policy import (
21 |     EnforcementLevel,
22 |     Policy,
23 |     PolicyConfigSchema,
24 |     PolicyCustomTimeouts,
25 |     PolicyPack,
26 |     PolicyProviderResource,
27 |     PolicyResource,
28 |     PolicyResourceOptions,
29 |     ReportViolation,
30 |     ResourceRemediation,
31 |     ResourceValidation,
32 |     ResourceValidationArgs,
33 |     ResourceValidationPolicy,
34 |     StackValidation,
35 |     StackValidationArgs,
36 |     StackValidationPolicy,
37 | )
38 | from .secret import (
39 |     Secret,
40 | )
41 | 
42 | __all__ = [
43 |     "EnforcementLevel",
44 |     "Policy",
45 |     "PolicyConfigSchema",
46 |     "PolicyCustomTimeouts",
47 |     "PolicyPack",
48 |     "PolicyProviderResource",
49 |     "PolicyResource",
50 |     "PolicyResourceOptions",
51 |     "ReportViolation",
52 |     "ResourceRemediation",
53 |     "ResourceValidation",
54 |     "ResourceValidationArgs",
55 |     "ResourceValidationPolicy",
56 |     "Secret",
57 |     "StackValidation",
58 |     "StackValidationArgs",
59 |     "StackValidationPolicy",
60 | ]
61 | 


--------------------------------------------------------------------------------
/sdk/python/lib/pulumi_policy/pulumi-plugin.json:
--------------------------------------------------------------------------------
1 | { "resource": false }
2 | 


--------------------------------------------------------------------------------
/sdk/python/lib/pulumi_policy/py.typed:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pulumi/pulumi-policy/3da5e90852d73235b1e0d66781b5bd741cd8fd7f/sdk/python/lib/pulumi_policy/py.typed


--------------------------------------------------------------------------------
/sdk/python/lib/pulumi_policy/secret.py:
--------------------------------------------------------------------------------
 1 | # Copyright 2016-2023, Pulumi Corporation.
 2 | #
 3 | # Licensed under the Apache License, Version 2.0 (the "License");
 4 | # you may not use this file except in compliance with the License.
 5 | # You may obtain a copy of the License at
 6 | #
 7 | #     http://www.apache.org/licenses/LICENSE-2.0
 8 | #
 9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | 
15 | from typing import Any, Dict, List
16 | from collections.abc import Mapping, Sequence
17 | 
18 | 
19 | class Secret:
20 |     """
21 |     Secret allows values to be marked as sensitive, such that the Pulumi engine will encrypt them
22 |     as normal with Pulumi secrets upon seeing one returned from a remediation.
23 |     """
24 |     def __init__(self, value: Any):
25 |         """
26 |         :param Any value: The plaintext value to turn into a secret.
27 |         """
28 |         self.value = value
29 | 
30 | 
31 | def secrets_preserving_proxy(to_proxy: Any) -> Any:
32 |     """
33 |     Proxies a set of resource inputs and ensures any properties that are secrets are (a) unwrapped
34 |     to return raw values and (b) preserve seceretness upon writes. This ensures that secret values
35 |     are preserved even if replaced.
36 |     """
37 |     if isinstance(to_proxy, list):
38 |         return _ListSecretsProxy(to_proxy)
39 |     if isinstance(to_proxy, dict):
40 |         return _DictSecretsProxy(to_proxy)
41 |     return to_proxy
42 | 
43 | 
44 | class _ListSecretsProxy(Sequence):
45 |     def __init__(self, target: List[Any]):
46 |         self.__target = target
47 | 
48 |     def __getitem__(self, key):
49 |         if key == "__target":
50 |             return self.__target
51 | 
52 |         value = self.__target[key]
53 |         if isinstance(value, Secret):
54 |             value = value.value
55 |         return secrets_preserving_proxy(value)
56 | 
57 |     def __setitem__(self, key, value):
58 |         if key in self.__target:
59 |             # If the prior value is a secret, maintain it on the new value also.
60 |             if isinstance(self.__target[key], Secret):
61 |                 value = Secret(value)
62 |         self.__target[key] = value
63 | 
64 |     def __len__(self):
65 |         return len(self.__target)
66 | 
67 | 
68 | class _DictSecretsProxy(Mapping):
69 |     def __init__(self, target: Dict[str, Any]):
70 |         self.__target = target
71 | 
72 |     def __getitem__(self, key):
73 |         if key == "__target":
74 |             return self.__target
75 | 
76 |         value = self.__target[key]
77 |         if isinstance(value, Secret):
78 |             value = value.value
79 |         return secrets_preserving_proxy(value)
80 | 
81 |     def __setitem__(self, key, value):
82 |         if key in self.__target:
83 |             # If the prior value is a secret, maintain it on the new value also.
84 |             if isinstance(self.__target[key], Secret):
85 |                 value = Secret(value)
86 |         self.__target[key] = value
87 | 
88 |     def __len__(self):
89 |         return self.__target.__len__()
90 | 
91 |     def __iter__(self):
92 |         return iter(self.__target)
93 | 


--------------------------------------------------------------------------------
/sdk/python/lib/pulumi_policy/version.py:
--------------------------------------------------------------------------------
 1 | # Copyright 2016-2020, Pulumi Corporation.
 2 | #
 3 | # Licensed under the Apache License, Version 2.0 (the "License");
 4 | # you may not use this file except in compliance with the License.
 5 | # You may obtain a copy of the License at
 6 | #
 7 | #     http://www.apache.org/licenses/LICENSE-2.0
 8 | #
 9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | 
15 | VERSION = "1.0.0"
16 | 


--------------------------------------------------------------------------------
/sdk/python/lib/setup.py:
--------------------------------------------------------------------------------
 1 | # Copyright 2016-2020, Pulumi Corporation.
 2 | #
 3 | # Licensed under the Apache License, Version 2.0 (the "License");
 4 | # you may not use this file except in compliance with the License.
 5 | # You may obtain a copy of the License at
 6 | #
 7 | #     http://www.apache.org/licenses/LICENSE-2.0
 8 | #
 9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | 
15 | """The Pulumi Policy Python SDK."""
16 | 
17 | from setuptools import setup, find_packages
18 | 
19 | VERSION = "1.0.0"
20 | 
21 | def readme():
22 |     try:
23 |         with open('README.md', encoding='utf-8') as f:
24 |             return f.read()
25 |     except FileNotFoundError:
26 |         return "Pulumi's Policy Python SDK - Development Version"
27 | 
28 | setup(name='pulumi_policy',
29 |       version=VERSION,
30 |       description='Pulumi\'s Policy Python SDK',
31 |       long_description=readme(),
32 |       long_description_content_type='text/markdown',
33 |       url='https://github.com/pulumi/pulumi-policy',
34 |       license='Apache 2.0',
35 |       packages=find_packages(exclude=("test*",)),
36 |       package_data={
37 |           'pulumi_policy': [
38 |               'py.typed',
39 |               'pulumi-plugin.json'
40 |           ]
41 |       },
42 |       install_requires=[
43 |           'pulumi>=3.157.0,<4.0.0',
44 |           'protobuf~=4.21',
45 |           'grpcio~=1.66.2',
46 |           'setuptools>=61.0'
47 |       ],
48 |       zip_safe=False)
49 | 


--------------------------------------------------------------------------------
/sdk/python/lib/test/__init__.py:
--------------------------------------------------------------------------------
 1 | # Copyright 2016-2020, Pulumi Corporation.
 2 | #
 3 | # Licensed under the Apache License, Version 2.0 (the "License");
 4 | # you may not use this file except in compliance with the License.
 5 | # You may obtain a copy of the License at
 6 | #
 7 | #     http://www.apache.org/licenses/LICENSE-2.0
 8 | #
 9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | 
15 | """
16 | The Pulumi Policy SDK test package.
17 | """
18 | 


--------------------------------------------------------------------------------
/sdk/python/lib/test/test_config.py:
--------------------------------------------------------------------------------
 1 | # Copyright 2016-2020, Pulumi Corporation.
 2 | #
 3 | # Licensed under the Apache License, Version 2.0 (the "License");
 4 | # you may not use this file except in compliance with the License.
 5 | # You may obtain a copy of the License at
 6 | #
 7 | #     http://www.apache.org/licenses/LICENSE-2.0
 8 | #
 9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | 
15 | # pylint: disable=protected-access
16 | 
17 | import unittest
18 | 
19 | from pulumi_policy.policy import EnforcementLevel, _NormalizedConfigValue, _normalize_config
20 | 
21 | class ConfigTests(unittest.TestCase):
22 |     def test_normalize_config(self):
23 |         test_cases = [
24 |             {
25 |                 "config": {},
26 |                 "expected": {},
27 |             },
28 |             {
29 |                 "config": {"policy": EnforcementLevel.ADVISORY},
30 |                 "expected": {"policy": _NormalizedConfigValue(EnforcementLevel.ADVISORY, None)},
31 |             },
32 |             {
33 |                 "config": {"policy": {"foo": "bar"}},
34 |                 "expected": {"policy": _NormalizedConfigValue(None, {"foo": "bar"})},
35 |             },
36 |             {
37 |                 "config": {"policy": {"enforcementLevel": EnforcementLevel.ADVISORY, "foo": "bar"}},
38 |                 "expected": {"policy": _NormalizedConfigValue(EnforcementLevel.ADVISORY, {"foo": "bar"})},
39 |             },
40 |             {
41 |                 "config": {"policy": {"enforcementLevel": EnforcementLevel.MANDATORY, "foo": "bar"}},
42 |                 "expected": {"policy": _NormalizedConfigValue(EnforcementLevel.MANDATORY, {"foo": "bar"})},
43 |             },
44 |             {
45 |                 "config": {"policy": {"enforcementLevel": EnforcementLevel.REMEDIATE, "foo": "bar"}},
46 |                 "expected": {"policy": _NormalizedConfigValue(EnforcementLevel.REMEDIATE, {"foo": "bar"})},
47 |             },
48 |         ]
49 | 
50 |         for test_case in test_cases:
51 |             result = _normalize_config(test_case["config"])
52 |             self.assertDictEqual(test_case["expected"], result)
53 | 


--------------------------------------------------------------------------------
/sdk/python/lib/test/test_proxy.py:
--------------------------------------------------------------------------------
  1 | # Copyright 2016-2020, Pulumi Corporation.
  2 | #
  3 | # Licensed under the Apache License, Version 2.0 (the "License");
  4 | # you may not use this file except in compliance with the License.
  5 | # You may obtain a copy of the License at
  6 | #
  7 | #     http://www.apache.org/licenses/LICENSE-2.0
  8 | #
  9 | # Unless required by applicable law or agreed to in writing, software
 10 | # distributed under the License is distributed on an "AS IS" BASIS,
 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12 | # See the License for the specific language governing permissions and
 13 | # limitations under the License.
 14 | 
 15 | import unittest
 16 | 
 17 | from typing import Callable, List
 18 | 
 19 | import pulumi_policy.proxy as proxy
 20 | 
 21 | class ProxyTests(unittest.TestCase):
 22 |     def assert_raises_unknown_value(self,
 23 |                                        c: Callable,
 24 |                                        expected_unknown_type_sentinel: str,
 25 |                                        expected_props: List[str]):
 26 |         with self.assertRaises(proxy.UnknownValueError) as cm:
 27 |             c()
 28 | 
 29 |         self.assertEqual(expected_props, cm.exception.props)
 30 |         self.assertEqual(expected_unknown_type_sentinel, cm.exception.unknown_type_sentinel)
 31 | 
 32 | 
 33 |     def test_returns_values_at_properties_that_are_not_unknown(self):
 34 |         self.assertEqual(proxy.unknown_checking_proxy({"foo": "bar"})["foo"], "bar")
 35 |         self.assertEqual(proxy.unknown_checking_proxy({"foo": 0})["foo"], 0)
 36 |         self.assertEqual(proxy.unknown_checking_proxy({"foo": True})["foo"], True)
 37 |         self.assertEqual(proxy.unknown_checking_proxy({"foo": False})["foo"], False)
 38 |         self.assertEqual(proxy.unknown_checking_proxy({"foo": {"bar": "baz"}})["foo"]["bar"], "baz")
 39 |         self.assertEqual(proxy.unknown_checking_proxy({"foo": ["bar"]})["foo"][0], "bar")
 40 |         self.assertEqual(proxy.unknown_checking_proxy({"foo": [0]})["foo"][0], 0)
 41 |         self.assertEqual(proxy.unknown_checking_proxy({"foo": [True]})["foo"][0], True)
 42 |         self.assertEqual(proxy.unknown_checking_proxy({"foo": [False]})["foo"][0], False)
 43 | 
 44 | 
 45 |     def test_raises_on_unknown_value(self):
 46 |         self.assert_raises_unknown_value(
 47 |             lambda: proxy.unknown_checking_proxy({"foo": proxy.UNKNOWN_BOOLEAN_VALUE})["foo"],
 48 |             proxy.UNKNOWN_BOOLEAN_VALUE,
 49 |             ["foo"])
 50 | 
 51 |         self.assert_raises_unknown_value(
 52 |             lambda: proxy.unknown_checking_proxy({"foo": proxy.UNKNOWN_NUMBER_VALUE})["foo"],
 53 |             proxy.UNKNOWN_NUMBER_VALUE,
 54 |             ["foo"])
 55 | 
 56 |         self.assert_raises_unknown_value(
 57 |             lambda: proxy.unknown_checking_proxy({"foo": proxy.UNKNOWN_STRING_VALUE})["foo"],
 58 |             proxy.UNKNOWN_STRING_VALUE,
 59 |             ["foo"])
 60 | 
 61 |         self.assert_raises_unknown_value(
 62 |             lambda: proxy.unknown_checking_proxy({"foo": proxy.UNKNOWN_ARRAY_VALUE})["foo"],
 63 |             proxy.UNKNOWN_ARRAY_VALUE,
 64 |             ["foo"])
 65 | 
 66 |         self.assert_raises_unknown_value(
 67 |             lambda: proxy.unknown_checking_proxy({"foo": proxy.UNKNOWN_ASSET_VALUE})["foo"],
 68 |             proxy.UNKNOWN_ASSET_VALUE,
 69 |             ["foo"])
 70 | 
 71 |         self.assert_raises_unknown_value(
 72 |             lambda: proxy.unknown_checking_proxy({"foo": proxy.UNKNOWN_ARCHIVE_VALUE})["foo"],
 73 |             proxy.UNKNOWN_ARCHIVE_VALUE,
 74 |             ["foo"])
 75 | 
 76 |         self.assert_raises_unknown_value(
 77 |             lambda: proxy.unknown_checking_proxy({"foo": proxy.UNKNOWN_OBJECT_VALUE})["foo"],
 78 |             proxy.UNKNOWN_OBJECT_VALUE,
 79 |             ["foo"])
 80 | 
 81 | 
 82 |     def test_raises_on_nested_unknown_value(self):
 83 |         self.assert_raises_unknown_value(
 84 |             lambda: proxy.unknown_checking_proxy({"foo": {"bar": proxy.UNKNOWN_BOOLEAN_VALUE}})["foo"]["bar"],
 85 |             proxy.UNKNOWN_BOOLEAN_VALUE,
 86 |             ["foo", "bar"])
 87 | 
 88 |         self.assert_raises_unknown_value(
 89 |             lambda: proxy.unknown_checking_proxy({"foo": [proxy.UNKNOWN_BOOLEAN_VALUE]})["foo"][0],
 90 |             proxy.UNKNOWN_BOOLEAN_VALUE,
 91 |             ["foo", "0"])
 92 | 
 93 |         def list_loop():
 94 |             props = proxy.unknown_checking_proxy({"foo": [True, proxy.UNKNOWN_BOOLEAN_VALUE, False]})
 95 |             count = 0
 96 |             for _ in props["foo"]:
 97 |                 count += 1
 98 | 
 99 |         self.assert_raises_unknown_value(list_loop, proxy.UNKNOWN_BOOLEAN_VALUE, ["foo", "1"])
100 | 
101 |         def list_enum():
102 |             props = proxy.unknown_checking_proxy({"foo": [True, proxy.UNKNOWN_BOOLEAN_VALUE, False]})
103 |             count = 0
104 |             for _, __ in enumerate(props["foo"]):
105 |                 count += 1
106 | 
107 |         self.assert_raises_unknown_value(list_enum, proxy.UNKNOWN_BOOLEAN_VALUE, ["foo", "1"])
108 | 
109 |         def dict_items():
110 |             props = proxy.unknown_checking_proxy({"foo": {"a": True, "b": proxy.UNKNOWN_BOOLEAN_VALUE, "c": False}})
111 |             count = 0
112 |             for _ in props["foo"].items():
113 |                 count += 1
114 | 
115 |         self.assert_raises_unknown_value(dict_items, proxy.UNKNOWN_BOOLEAN_VALUE, ["foo", "b"])
116 | 
117 |         def dict_values():
118 |             props = proxy.unknown_checking_proxy({"foo": {"a": True, "b": proxy.UNKNOWN_BOOLEAN_VALUE, "c": False}})
119 |             count = 0
120 |             for _ in props["foo"].values():
121 |                 count += 1
122 | 
123 |         self.assert_raises_unknown_value(dict_values, proxy.UNKNOWN_BOOLEAN_VALUE, ["foo", "b"])
124 | 


--------------------------------------------------------------------------------
/sdk/python/mypy.ini:
--------------------------------------------------------------------------------
1 | # Global options:
2 | 
3 | [mypy]
4 | 
5 | # Per-module options:
6 | 
7 | [mypy-grpc]
8 | ignore_missing_imports = True
9 | 


--------------------------------------------------------------------------------
/tests/integration/config/policy-pack-python/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | runtime: python
2 | 


--------------------------------------------------------------------------------
/tests/integration/config/policy-pack-python/requirements.txt:
--------------------------------------------------------------------------------
1 | pulumi>=3.157.0,<4.0.0
2 | 


--------------------------------------------------------------------------------
/tests/integration/config/policy-pack/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | runtime: nodejs
2 | 


--------------------------------------------------------------------------------
/tests/integration/config/policy-pack/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "config-policy",
 3 |     "version": "0.0.1",
 4 |     "dependencies": {
 5 |         "@pulumi/policy": "latest",
 6 |         "@pulumi/pulumi": "^3.0.0"
 7 |     },
 8 |     "devDependencies": {
 9 |         "@types/node": "^10.0.0"
10 |     }
11 | }
12 | 


--------------------------------------------------------------------------------
/tests/integration/config/policy-pack/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "outDir": "bin",
 4 |         "target": "es6",
 5 |         "module": "commonjs",
 6 |         "moduleResolution": "node",
 7 |         "declaration": true,
 8 |         "sourceMap": false,
 9 |         "stripInternal": true,
10 |         "experimentalDecorators": true,
11 |         "pretty": true,
12 |         "noFallthroughCasesInSwitch": true,
13 |         "noImplicitAny": true,
14 |         "noImplicitReturns": true,
15 |         "forceConsistentCasingInFileNames": true,
16 |         "strictNullChecks": true,
17 |     },
18 |     "files": [
19 |         "index.ts"
20 |     ]
21 | }
22 | 


--------------------------------------------------------------------------------
/tests/integration/config/program/Pulumi.yaml:
--------------------------------------------------------------------------------
1 | name: config
2 | runtime: nodejs
3 | description: A program to test policy configuration.
4 | 


--------------------------------------------------------------------------------
/tests/integration/config/program/index.ts:
--------------------------------------------------------------------------------
1 | // Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
2 | 
3 | import * as random from "@pulumi/random";
4 | 
5 | const str = new random.RandomString("str", {
6 |     length: 10,
7 | });
8 | 


--------------------------------------------------------------------------------
/tests/integration/config/program/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "config",
 3 |     "devDependencies": {
 4 |         "@types/node": "^10.0.0"
 5 |     },
 6 |     "dependencies": {
 7 |         "@pulumi/pulumi": "^3.0.0",
 8 |         "@pulumi/random": "^4.0.0"
 9 |     }
10 | }
11 | 


--------------------------------------------------------------------------------
/tests/integration/config/program/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "strict": true,
 4 |         "outDir": "bin",
 5 |         "target": "es2016",
 6 |         "module": "commonjs",
 7 |         "moduleResolution": "node",
 8 |         "sourceMap": true,
 9 |         "experimentalDecorators": true,
10 |         "pretty": true,
11 |         "noFallthroughCasesInSwitch": true,
12 |         "noImplicitReturns": true,
13 |         "forceConsistentCasingInFileNames": true
14 |     },
15 |     "files": [
16 |         "index.ts"
17 |     ]
18 | }
19 | 


--------------------------------------------------------------------------------
/tests/integration/deserialize/policy-pack-python/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | runtime: python
2 | 


--------------------------------------------------------------------------------
/tests/integration/deserialize/policy-pack-python/__main__.py:
--------------------------------------------------------------------------------
 1 | # Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import pulumi
 4 | 
 5 | from pulumi_policy import (
 6 |     EnforcementLevel,
 7 |     PolicyPack,
 8 |     ResourceValidationPolicy,
 9 |     StackValidationPolicy,
10 | )
11 | 
12 | 
13 | def validate_resource(args, report_violation):
14 |     verify(args)
15 | 
16 | 
17 | def remediate(args):
18 |     verify(args)
19 | 
20 | 
21 | def validate_stack(args, report_violation):
22 |     for r in args.resources:
23 |         verify(r)
24 | 
25 | 
26 | def verify(r):
27 |     t = r.resource_type
28 |     if t != "pulumi-nodejs:dynamic:Resource":
29 |         return
30 | 
31 |     assert r.props["secret"] == "a secret value"
32 | 
33 |     assert isinstance(r.props["fileAsset"], pulumi.FileAsset)
34 |     assert r.props["fileAsset"].path == "index.ts"
35 | 
36 |     assert isinstance(r.props["stringAsset"], pulumi.StringAsset)
37 |     assert r.props["stringAsset"].text == "some text"
38 | 
39 |     assert isinstance(r.props["fileArchive"], pulumi.FileArchive)
40 |     assert r.props["fileArchive"].path == "."
41 | 
42 |     assert isinstance(r.props["assetArchive"], pulumi.AssetArchive)
43 |     assets = r.props["assetArchive"].assets
44 |     assert isinstance(assets["fileAsset"], pulumi.FileAsset)
45 |     assert assets["fileAsset"].path == "index.ts"
46 |     assert isinstance(assets["stringAsset"], pulumi.StringAsset)
47 |     assert assets["stringAsset"].text == "some text"
48 |     assert isinstance(assets["fileArchive"], pulumi.FileArchive)
49 |     assert assets["fileArchive"].path == "."
50 | 
51 | 
52 | PolicyPack(
53 |     name="deserialize-policy",
54 |     enforcement_level=EnforcementLevel.MANDATORY,
55 |     policies=[
56 |         ResourceValidationPolicy(
57 |             enforcement_level=EnforcementLevel.REMEDIATE,
58 |             name="resource-validation",
59 |             description="Verifies deserialized properties during resource validation.",
60 |             validate=validate_resource,
61 |             remediate=remediate,
62 |         ),
63 |         StackValidationPolicy(
64 |             name="stack-validation",
65 |             description="Verifies deserialized properties during stack validation.",
66 |             validate=validate_stack,
67 |         ),
68 |     ],
69 | )
70 | 


--------------------------------------------------------------------------------
/tests/integration/deserialize/policy-pack-python/requirements.txt:
--------------------------------------------------------------------------------
1 | pulumi>=3.157.0,<4.0.0
2 | 


--------------------------------------------------------------------------------
/tests/integration/deserialize/policy-pack/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | runtime: nodejs
2 | 


--------------------------------------------------------------------------------
/tests/integration/deserialize/policy-pack/index.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as assert from "assert";
 4 | 
 5 | import * as pulumi from "@pulumi/pulumi";
 6 | import { PolicyPack, PolicyResource, ResourceValidationArgs } from "@pulumi/policy";
 7 | 
 8 | new PolicyPack("deserialize-policy", {
 9 |     enforcementLevel: "mandatory",
10 |     policies: [
11 |         {
12 |             enforcementLevel: "remediate",
13 |             name: "resource-validation",
14 |             description: "Verifies deserialized properties during resource validation.",
15 |             validateResource: (args, reportViolation) => {
16 |                 verify(args);
17 |             },
18 |             remediateResource: (args) => {
19 |                 verify(args);
20 |             },
21 |         },
22 |         {
23 |             name: "stack-validation",
24 |             description: "Verifies deserialized properties during stack validation.",
25 |             validateStack: (args, reportViolation) => {
26 |                 for (const r of args.resources) {
27 |                     verify(r);
28 |                 }
29 |             },
30 |         },
31 |     ],
32 | });
33 | 
34 | function verify(r: PolicyResource | ResourceValidationArgs) {
35 |     if (r.type !== "pulumi-nodejs:dynamic:Resource") {
36 |         return;
37 |     }
38 | 
39 |     assert.strictEqual(r.props.secret, "a secret value");
40 | 
41 |     assert.deepStrictEqual(r.props.fileAsset.path, Promise.resolve("index.ts"));
42 |     assert.ok(pulumi.asset.FileAsset.isInstance(r.props.fileAsset));
43 | 
44 |     assert.deepStrictEqual(r.props.stringAsset.text, Promise.resolve("some text"));
45 |     assert.ok(pulumi.asset.StringAsset.isInstance(r.props.stringAsset));
46 | 
47 |     assert.deepStrictEqual(r.props.fileArchive.path, Promise.resolve("."));
48 |     assert.ok(pulumi.asset.FileArchive.isInstance(r.props.fileArchive));
49 | 
50 |     assert.deepStrictEqual(r.props.assetArchive.assets, Promise.resolve({
51 |         fileAsset: new pulumi.asset.FileAsset("index.ts"),
52 |         stringAsset: new pulumi.asset.StringAsset("some text"),
53 |         fileArchive: new pulumi.asset.FileArchive("."),
54 |     }));
55 |     assert.ok(pulumi.asset.AssetArchive.isInstance(r.props.assetArchive));
56 | }
57 | 


--------------------------------------------------------------------------------
/tests/integration/deserialize/policy-pack/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "deserialize-policy-pack",
 3 |     "version": "0.0.1",
 4 |     "dependencies": {
 5 |         "@pulumi/policy": "latest",
 6 |         "@pulumi/pulumi": "^3.0.0"
 7 |     },
 8 |     "devDependencies": {
 9 |         "@types/node": "^10.0.0"
10 |     }
11 | }
12 | 


--------------------------------------------------------------------------------
/tests/integration/deserialize/policy-pack/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "outDir": "bin",
 4 |         "target": "es6",
 5 |         "module": "commonjs",
 6 |         "moduleResolution": "node",
 7 |         "declaration": true,
 8 |         "sourceMap": false,
 9 |         "stripInternal": true,
10 |         "experimentalDecorators": true,
11 |         "pretty": true,
12 |         "noFallthroughCasesInSwitch": true,
13 |         "noImplicitAny": true,
14 |         "noImplicitReturns": true,
15 |         "forceConsistentCasingInFileNames": true,
16 |         "strictNullChecks": true,
17 |     },
18 |     "files": [
19 |         "index.ts"
20 |     ]
21 | }
22 | 


--------------------------------------------------------------------------------
/tests/integration/deserialize/program/Pulumi.yaml:
--------------------------------------------------------------------------------
1 | name: deserialize
2 | runtime: nodejs
3 | description: A test program to test how special objects are serialized/deserialized.
4 | 


--------------------------------------------------------------------------------
/tests/integration/deserialize/program/index.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as pulumi from "@pulumi/pulumi";
 4 | 
 5 | import { Resource } from "./resource";
 6 | 
 7 | const hello = new Resource("hello", {
 8 |     secret: pulumi.secret("a secret value"),
 9 |     fileAsset: new pulumi.asset.FileAsset("index.ts"),
10 |     stringAsset: new pulumi.asset.StringAsset("some text"),
11 |     fileArchive: new pulumi.asset.FileArchive("."),
12 |     assetArchive: new pulumi.asset.AssetArchive({
13 |         fileAsset: new pulumi.asset.FileAsset("index.ts"),
14 |         stringAsset: new pulumi.asset.StringAsset("some text"),
15 |         fileArchive: new pulumi.asset.FileArchive("."),
16 |     }),
17 | });
18 | 


--------------------------------------------------------------------------------
/tests/integration/deserialize/program/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "deserialize",
 3 |     "devDependencies": {
 4 |         "@types/node": "^10.0.0"
 5 |     },
 6 |     "dependencies": {
 7 |         "@pulumi/pulumi": "^3.0.0"
 8 |     }
 9 | }
10 | 


--------------------------------------------------------------------------------
/tests/integration/deserialize/program/resource.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as pulumi from "@pulumi/pulumi";
 4 | 
 5 | let currentID = 0;
 6 | 
 7 | export class Provider implements pulumi.dynamic.ResourceProvider {
 8 |     public static readonly instance = new Provider();
 9 | 
10 |     public async create(inputs: any) {
11 |         return {
12 |             id: (currentID++).toString(),
13 |             outs: Object.assign({}, inputs), // propagate inputs to outputs.
14 |         };
15 |     }
16 | }
17 | 
18 | export class Resource extends pulumi.dynamic.Resource {
19 |     constructor(name: string, inputs: any, opts?: pulumi.ResourceOptions) {
20 |         super(Provider.instance, name, inputs, opts);
21 |     }
22 | }
23 | 


--------------------------------------------------------------------------------
/tests/integration/deserialize/program/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "strict": true,
 4 |         "outDir": "bin",
 5 |         "target": "es2016",
 6 |         "module": "commonjs",
 7 |         "moduleResolution": "node",
 8 |         "sourceMap": true,
 9 |         "experimentalDecorators": true,
10 |         "pretty": true,
11 |         "noFallthroughCasesInSwitch": true,
12 |         "noImplicitReturns": true,
13 |         "forceConsistentCasingInFileNames": true
14 |     },
15 |     "files": [
16 |         "index.ts",
17 |         "resource.ts"
18 |     ]
19 | }
20 | 


--------------------------------------------------------------------------------
/tests/integration/enforcementlevel/policy-pack-python/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | runtime: python
2 | 


--------------------------------------------------------------------------------
/tests/integration/enforcementlevel/policy-pack-python/__main__.py:
--------------------------------------------------------------------------------
 1 | # Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | from typing import List, NamedTuple, Optional
 4 | 
 5 | from pulumi import Config
 6 | 
 7 | from pulumi_policy import (
 8 |     EnforcementLevel,
 9 |     PolicyPack,
10 |     ResourceValidationPolicy,
11 |     StackValidationPolicy,
12 | )
13 | 
14 | 
15 | class Scenario(NamedTuple):
16 |     pack: Optional[EnforcementLevel]
17 |     policy: Optional[EnforcementLevel]
18 | 
19 | 
20 | # Build a set of scenarios to test
21 | enforcement_levels = [EnforcementLevel.ADVISORY, EnforcementLevel.DISABLED, EnforcementLevel.MANDATORY, None]
22 | scenarios: List[Scenario] = [{}]
23 | for pack in enforcement_levels:
24 |     for policy in enforcement_levels:
25 |         scenarios.append(Scenario(pack, policy))
26 | 
27 | 
28 | # Get the current scenario
29 | config = Config()
30 | test_scenario = config.require_int("scenario")
31 | if test_scenario >= len(scenarios):
32 |     raise AssertionError(f"Unexpected test_scenario {test_scenario}.")
33 | scenario = scenarios[test_scenario]
34 | 
35 | 
36 | # Generate a Policy Pack name for the scenario.
37 | pack: str = scenario.pack.value if scenario.pack is not None else "none"
38 | policy: str = f"-{scenario.policy.value}" if scenario.policy is not None else ""
39 | policy_pack_name = f"enforcementlevel-{pack}{policy}-test-policy"
40 | 
41 | 
42 | # Whether the validate function should raise an exception (to validate that it doesn't run).
43 | validate_function_raises = (
44 |     (scenario.pack == EnforcementLevel.DISABLED and
45 |         (scenario.policy == EnforcementLevel.DISABLED or scenario.policy is None)) or
46 |     scenario.policy == EnforcementLevel.DISABLED)
47 | 
48 | 
49 | # Create a Policy Pack instance for the scenario.
50 | def validate_resource(args, report_violation):
51 |     if validate_function_raises:
52 |         raise AssertionError("validate-resource should never be called.")
53 |     report_violation("validate-resource-violation-message")
54 | 
55 | 
56 | def validate_stack(args, report_violation):
57 |     if validate_function_raises:
58 |         raise AssertionError("validate-stack should never be called.")
59 |     report_violation("validate-stack-violation-message")
60 | 
61 | 
62 | 
63 | 
64 | 
65 | PolicyPack(
66 |     name=policy_pack_name,
67 |     enforcement_level=scenario.pack,
68 |     policies=[
69 |         ResourceValidationPolicy(
70 |             name="validate-resource",
71 |             description="Always reports a resource violation.",
72 |             enforcement_level=scenario.policy,
73 |             validate=validate_resource,
74 |         ),
75 |         StackValidationPolicy(
76 |             name="validate-stack",
77 |             description="Always reports a stack violation.",
78 |             enforcement_level=scenario.policy,
79 |             validate=validate_stack,
80 |         ),
81 |     ],
82 | )
83 | 


--------------------------------------------------------------------------------
/tests/integration/enforcementlevel/policy-pack-python/requirements.txt:
--------------------------------------------------------------------------------
1 | pulumi>=3.157.0,<4.0.0
2 | 


--------------------------------------------------------------------------------
/tests/integration/enforcementlevel/policy-pack/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | runtime: nodejs
2 | 


--------------------------------------------------------------------------------
/tests/integration/enforcementlevel/policy-pack/index.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as pulumi from "@pulumi/pulumi";
 4 | import { EnforcementLevel, PolicyPack } from "@pulumi/policy";
 5 | 
 6 | interface Scenario {
 7 |     pack?: EnforcementLevel;
 8 |     policy?: EnforcementLevel;
 9 | }
10 | 
11 | // Build a set of scenarios to test.
12 | const enforcementLevels: (EnforcementLevel | undefined)[] = ["advisory", "disabled", "mandatory", undefined];
13 | const scenarios: Scenario[] = [{}]
14 | for (const pack of enforcementLevels) {
15 |     for (const policy of enforcementLevels) {
16 |         scenarios.push({
17 |             ...(pack && { pack }),
18 |             ...(policy && { policy }),
19 |         })
20 |     }
21 | }
22 | 
23 | // Get the current scenario.
24 | const config = new pulumi.Config();
25 | const testScenario = config.requireNumber("scenario");
26 | if (testScenario >= scenarios.length) {
27 |     throw new Error(`Unexpected testScenario ${testScenario}.`);
28 | }
29 | const scenario: Scenario = scenarios[testScenario];
30 | 
31 | // Generate a Policy Pack name for the scenario.
32 | const pack: string = scenario.pack || "none";
33 | const policy: string = scenario.policy ? `-${scenario.policy}` : "";
34 | const policyPackName = `enforcementlevel-${pack}${policy}-test-policy`;
35 | 
36 | // Whether the validate function should throw an exception (to validate that it doesn't run).
37 | const validateFunctionThrows =
38 |     (scenario.pack === "disabled" && (scenario.policy === "disabled" || !scenario.policy)) ||
39 |     scenario.policy === "disabled";
40 | 
41 | // Create a Policy Pack instance for the scenario.
42 | new PolicyPack(policyPackName, {
43 |     // Conditionally set the policy pack's enforcementLevel if it is truthy.
44 |     ...(scenario.pack && { enforcementLevel: scenario.pack }),
45 | 
46 |     policies: [
47 |         {
48 |             // Conditionally set the policy's enforcement level if it is truthy.
49 |             ...(scenario.policy && { enforcementLevel: scenario.policy }),
50 | 
51 |             name: "validate-resource",
52 |             description: "Always reports a resource violation.",
53 |             validateResource: (args, reportViolation) => {
54 |                 if (validateFunctionThrows) {
55 |                     throw new Error("validate-resource should never be called.");
56 |                 }
57 |                 reportViolation("validate-resource-violation-message");
58 |             },
59 |         },
60 |         {
61 |             // Conditionally set the policy's enforcement level if it is truthy.
62 |             ...(scenario.policy && { enforcementLevel: scenario.policy }),
63 | 
64 |             name: "validate-stack",
65 |             description: "Always reports a stack violation.",
66 |             validateStack: (args, reportViolation) => {
67 |                 if (validateFunctionThrows) {
68 |                     throw new Error("validate-stack should never be called.");
69 |                 }
70 |                 reportViolation("validate-stack-violation-message");
71 |             },
72 |         },
73 |     ],
74 | });
75 | 


--------------------------------------------------------------------------------
/tests/integration/enforcementlevel/policy-pack/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "enforcementlevel-policy-pack",
 3 |     "version": "0.0.1",
 4 |     "dependencies": {
 5 |         "@pulumi/policy": "latest",
 6 |         "@pulumi/pulumi": "^3.0.0"
 7 |     },
 8 |     "devDependencies": {
 9 |         "@types/node": "^10.0.0"
10 |     }
11 | }
12 | 


--------------------------------------------------------------------------------
/tests/integration/enforcementlevel/policy-pack/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "outDir": "bin",
 4 |         "target": "es6",
 5 |         "module": "commonjs",
 6 |         "moduleResolution": "node",
 7 |         "declaration": true,
 8 |         "sourceMap": false,
 9 |         "stripInternal": true,
10 |         "experimentalDecorators": true,
11 |         "pretty": true,
12 |         "noFallthroughCasesInSwitch": true,
13 |         "noImplicitAny": true,
14 |         "noImplicitReturns": true,
15 |         "forceConsistentCasingInFileNames": true,
16 |         "strictNullChecks": true,
17 |     },
18 |     "files": [
19 |         "index.ts"
20 |     ]
21 | }
22 | 


--------------------------------------------------------------------------------
/tests/integration/enforcementlevel/program/Pulumi.yaml:
--------------------------------------------------------------------------------
1 | name: enforcementlevel
2 | runtime: nodejs
3 | description: A program to test policy packs with enforcement levels set on the policy pack and individual policies.
4 | 


--------------------------------------------------------------------------------
/tests/integration/enforcementlevel/program/index.ts:
--------------------------------------------------------------------------------
1 | // Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
2 | 
3 | import * as random from "@pulumi/random";
4 | 
5 | const str = new random.RandomString("str", {
6 |     length: 10,
7 | });
8 | 


--------------------------------------------------------------------------------
/tests/integration/enforcementlevel/program/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "enforcementlevel",
 3 |     "devDependencies": {
 4 |         "@types/node": "^10.0.0"
 5 |     },
 6 |     "dependencies": {
 7 |         "@pulumi/pulumi": "^3.0.0",
 8 |         "@pulumi/random": "^4.0.0"
 9 |     }
10 | }
11 | 


--------------------------------------------------------------------------------
/tests/integration/enforcementlevel/program/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "strict": true,
 4 |         "outDir": "bin",
 5 |         "target": "es2016",
 6 |         "module": "commonjs",
 7 |         "moduleResolution": "node",
 8 |         "sourceMap": true,
 9 |         "experimentalDecorators": true,
10 |         "pretty": true,
11 |         "noFallthroughCasesInSwitch": true,
12 |         "noImplicitReturns": true,
13 |         "forceConsistentCasingInFileNames": true
14 |     },
15 |     "files": [
16 |         "index.ts"
17 |     ]
18 | }
19 | 


--------------------------------------------------------------------------------
/tests/integration/go.mod:
--------------------------------------------------------------------------------
 1 | module github.com/pulumi/pulumi-policy/tests
 2 | 
 3 | go 1.22
 4 | 
 5 | toolchain go1.24.1
 6 | 
 7 | require (
 8 | 	github.com/pulumi/pulumi/sdk/v3 v3.157.0
 9 | 	github.com/stretchr/testify v1.10.0
10 | )
11 | 
12 | require (
13 | 	github.com/davecgh/go-spew v1.1.1 // indirect
14 | 	github.com/golang/glog v1.2.4 // indirect
15 | 	github.com/pmezard/go-difflib v1.0.0 // indirect
16 | 	github.com/rogpeppe/go-internal v1.12.0 // indirect
17 | 	gopkg.in/yaml.v3 v3.0.1 // indirect
18 | )
19 | 


--------------------------------------------------------------------------------
/tests/integration/go.sum:
--------------------------------------------------------------------------------
 1 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 2 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 3 | github.com/golang/glog v1.2.4 h1:CNNw5U8lSiiBk7druxtSHHTsRWcxKoac6kZKm2peBBc=
 4 | github.com/golang/glog v1.2.4/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
 5 | github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 6 | github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 7 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 8 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 9 | github.com/pulumi/pulumi/sdk/v3 v3.157.0 h1:wqIN+JM/igzOC+XXdch0UKYr3V3k/hjpgt3sS3GzX84=
10 | github.com/pulumi/pulumi/sdk/v3 v3.157.0/go.mod h1:YEbbl0N7eVsgfsL7h5215dDf8GBSe4AnRon7Ya/KIVc=
11 | github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
12 | github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
13 | github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
14 | github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
15 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
16 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
17 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
18 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
19 | 


--------------------------------------------------------------------------------
/tests/integration/invalid_policy/policy-pack/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | runtime: nodejs
2 | 


--------------------------------------------------------------------------------
/tests/integration/invalid_policy/policy-pack/index.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as pulumi from "@pulumi/pulumi";
 4 | import { PolicyPack } from "@pulumi/policy";
 5 | 
 6 | const config = new pulumi.Config();
 7 | const testScenario = config.requireNumber("scenario");
 8 | 
 9 | switch (testScenario) {
10 |     case 1:
11 |         new PolicyPack("invalid-policy", {
12 |             policies: [
13 |                 {
14 |                     name: "all",
15 |                     description: "Invalid policy name.",
16 |                     enforcementLevel: "mandatory",
17 |                     validateResource: (args, reportViolation) => { throw new Error("Should never run."); },
18 |                     remediateResource: (args) => { throw new Error("Should never run."); },
19 |                 },
20 |             ],
21 |         });
22 |         break;
23 | 
24 |     case 2:
25 |         new PolicyPack("invalid-policy", {
26 |             policies: [
27 |                 {
28 |                     name: "foo",
29 |                     description: "Invalid schema: enforcementLevel cannot be added to `properties`.",
30 |                     enforcementLevel: "mandatory",
31 |                     configSchema: {
32 |                         properties: {
33 |                             enforcementLevel: { type: "string" },
34 |                         },
35 |                     },
36 |                     validateResource: (args, reportViolation) => { throw new Error("Should never run."); },
37 |                     remediateResource: (args) => { throw new Error("Should never run."); },
38 |                 },
39 |             ],
40 |         });
41 |         break;
42 | 
43 |     case 3:
44 |         new PolicyPack("invalid-policy", {
45 |             policies: [
46 |                 {
47 |                     name: "foo",
48 |                     description: "Invalid schema: enforcementLevel cannot be added to `required`.",
49 |                     enforcementLevel: "mandatory",
50 |                     configSchema: {
51 |                         properties: {
52 |                             foo: { type: "string" },
53 |                         },
54 |                         required: ["enforcementLevel"],
55 |                     },
56 |                     validateResource: (args, reportViolation) => { throw new Error("Should never run."); },
57 |                     remediateResource: (args) => { throw new Error("Should never run."); },
58 |                 },
59 |             ],
60 |         });
61 |         break;
62 | }
63 | 


--------------------------------------------------------------------------------
/tests/integration/invalid_policy/policy-pack/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "invalid-policy-name-policy",
 3 |     "version": "0.0.1",
 4 |     "dependencies": {
 5 |         "@pulumi/policy": "latest",
 6 |         "@pulumi/pulumi": "^3.0.0"
 7 |     },
 8 |     "devDependencies": {
 9 |         "@types/node": "^10.0.0"
10 |     }
11 | }
12 | 


--------------------------------------------------------------------------------
/tests/integration/invalid_policy/policy-pack/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "outDir": "bin",
 4 |         "target": "es6",
 5 |         "module": "commonjs",
 6 |         "moduleResolution": "node",
 7 |         "declaration": true,
 8 |         "sourceMap": false,
 9 |         "stripInternal": true,
10 |         "experimentalDecorators": true,
11 |         "pretty": true,
12 |         "noFallthroughCasesInSwitch": true,
13 |         "noImplicitAny": true,
14 |         "noImplicitReturns": true,
15 |         "forceConsistentCasingInFileNames": true,
16 |         "strictNullChecks": true,
17 |     },
18 |     "files": [
19 |         "index.ts"
20 |     ]
21 | }
22 | 


--------------------------------------------------------------------------------
/tests/integration/invalid_policy/program/Pulumi.yaml:
--------------------------------------------------------------------------------
1 | name: invalid_policy
2 | runtime: nodejs
3 | description: An empty test program.
4 | 


--------------------------------------------------------------------------------
/tests/integration/invalid_policy/program/index.ts:
--------------------------------------------------------------------------------
1 | // Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
2 | 
3 | // Empty program.
4 | 


--------------------------------------------------------------------------------
/tests/integration/invalid_policy/program/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "invalid_policy",
 3 |     "devDependencies": {
 4 |         "@types/node": "^10.0.0"
 5 |     },
 6 |     "dependencies": {
 7 |         "@pulumi/pulumi": "^3.0.0"
 8 |     }
 9 | }
10 | 


--------------------------------------------------------------------------------
/tests/integration/invalid_policy/program/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "strict": true,
 4 |         "outDir": "bin",
 5 |         "target": "es2016",
 6 |         "module": "commonjs",
 7 |         "moduleResolution": "node",
 8 |         "sourceMap": true,
 9 |         "experimentalDecorators": true,
10 |         "pretty": true,
11 |         "noFallthroughCasesInSwitch": true,
12 |         "noImplicitReturns": true,
13 |         "forceConsistentCasingInFileNames": true
14 |     },
15 |     "files": [
16 |         "index.ts"
17 |     ]
18 | }
19 | 


--------------------------------------------------------------------------------
/tests/integration/parent_dependencies/policy-pack-python/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | runtime: python
2 | 


--------------------------------------------------------------------------------
/tests/integration/parent_dependencies/policy-pack-python/__main__.py:
--------------------------------------------------------------------------------
 1 | # Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import json
 4 | 
 5 | from pulumi_policy import (
 6 |     EnforcementLevel,
 7 |     PolicyPack,
 8 |     StackValidationPolicy,
 9 | )
10 | 
11 | 
12 | def validate_stack(args, report_violation):
13 |     for r in args.resources:
14 |         validate(args.resources, r)
15 | 
16 | 
17 | def validate(resources, r):
18 |     stack = next(r for r in resources if r.resource_type == "pulumi:pulumi:Stack")
19 | 
20 |     t = r.resource_type
21 |     if (t == "pulumi:pulumi:Stack" or
22 |             t == "pulumi:providers:pulumi-nodejs" or
23 |             t == "pulumi:providers:random"):
24 |         assert r.parent is None
25 |         assert json.dumps(r.dependencies) == json.dumps([])
26 |         assert json.dumps(r.property_dependencies) == json.dumps({})
27 |     elif t == "pulumi-nodejs:dynamic:Resource":
28 |         if r.name == "child":
29 |             parent = next(r for r in resources if r.name == "parent")
30 |             assert r.parent is parent
31 |             assert json.dumps(r.dependencies) == json.dumps([])
32 |             assert json.dumps(r.property_dependencies) == json.dumps({})
33 |         elif r.name == "b":
34 |             assert r.parent is stack
35 |             a = next(r for r in resources if r.name == "a")
36 |             assert len(r.dependencies) == 1
37 |             assert r.dependencies[0] is a
38 |             assert json.dumps(r.property_dependencies) == json.dumps({})
39 |     elif t == "random:index/randomString:RandomString":
40 |         assert r.parent is stack
41 |         assert json.dumps(r.dependencies) == json.dumps([])
42 |         assert json.dumps(r.property_dependencies) == json.dumps({})
43 |     elif t == "random:index/randomPet:RandomPet":
44 |         assert r.parent is stack
45 |         str_ = next(r for r in resources if r.name == "str")
46 |         assert len(r.dependencies) == 1
47 |         assert r.dependencies[0] is str_
48 |         assert "prefix" in r.property_dependencies
49 |         prefix = r.property_dependencies["prefix"]
50 |         assert len(prefix) == 1
51 |         assert prefix[0] is str_
52 |     else:
53 |         raise AssertionError(f"Unexpected resource of type: '{t}'.")
54 | 
55 | PolicyPack(
56 |     name="parent-dependencies-test-policy",
57 |     enforcement_level=EnforcementLevel.MANDATORY,
58 |     policies=[
59 |         StackValidationPolicy(
60 |             name="validate-stack",
61 |             description="Validates resource options during `validateStack`.",
62 |             validate=validate_stack,
63 |         ),
64 |     ],
65 | )
66 | 


--------------------------------------------------------------------------------
/tests/integration/parent_dependencies/policy-pack/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | runtime: nodejs
2 | 


--------------------------------------------------------------------------------
/tests/integration/parent_dependencies/policy-pack/index.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as assert from "assert";
 4 | 
 5 | import { PolicyPack, PolicyResource } from "@pulumi/policy";
 6 | 
 7 | new PolicyPack("parent-dependencies-test-policy", {
 8 |     policies: [
 9 |         {
10 |             name: "validate-stack",
11 |             description: "Validates parent and dependencies during `validateStack`.",
12 |             enforcementLevel: "mandatory",
13 |             validateStack: (args, reportViolation) => {
14 |                 for (const r of args.resources) {
15 |                     validate(args.resources, r);
16 |                 }
17 |             },
18 |         },
19 |     ],
20 | });
21 | 
22 | function validate(resources: PolicyResource[], r: PolicyResource) {
23 |     const stack = resources.find(r => r.type === "pulumi:pulumi:Stack");
24 |     assert.notStrictEqual(stack, undefined);
25 | 
26 |     switch (r.type) {
27 |         case "pulumi:pulumi:Stack":
28 |         case "pulumi:providers:pulumi-nodejs":
29 |         case "pulumi:providers:random":
30 |             assert.strictEqual(r.parent, undefined);
31 |             assert.deepStrictEqual(r.dependencies, []);
32 |             assert.deepStrictEqual(r.propertyDependencies, {});
33 |             break;
34 | 
35 |         case "pulumi-nodejs:dynamic:Resource":
36 |             switch (r.name) {
37 |                 case "child":
38 |                     const parent = resources.find(r => r.name === "parent");
39 |                     assert.notStrictEqual(parent, undefined);
40 |                     assert.strictEqual(r.parent, parent);
41 |                     assert.deepStrictEqual(r.dependencies, []);
42 |                     assert.deepStrictEqual(r.propertyDependencies, {});
43 |                     break;
44 | 
45 |                 case "b":
46 |                     assert.strictEqual(r.parent, stack);
47 |                     const a = resources.find(r => r.name === "a");
48 |                     assert.notStrictEqual(a, undefined);
49 |                     assert.strictEqual(r.dependencies.length, 1);
50 |                     assert.strictEqual(r.dependencies[0], a);
51 |                     assert.deepStrictEqual(r.propertyDependencies, {});
52 |                     break;
53 |             }
54 |             break;
55 | 
56 |         case "random:index/randomString:RandomString":
57 |             assert.strictEqual(r.parent, stack);
58 |             assert.deepStrictEqual(r.dependencies, []);
59 |             assert.deepStrictEqual(r.propertyDependencies, {});
60 |             break;
61 | 
62 |         case "random:index/randomPet:RandomPet":
63 |             assert.strictEqual(r.parent, stack);
64 |             const str = resources.find(r => r.name === "str");
65 |             assert.notStrictEqual(str, undefined);
66 |             assert.deepStrictEqual(r.dependencies, [str]);
67 |             assert.deepStrictEqual(r.propertyDependencies, { prefix: [str] });
68 |             break;
69 | 
70 |         default:
71 |             throw Error(`Unexpected resource of type: '${r.type}'.`);
72 |     }
73 | }
74 | 


--------------------------------------------------------------------------------
/tests/integration/parent_dependencies/policy-pack/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "parent-dependencies-policy-pack",
 3 |     "version": "0.0.1",
 4 |     "dependencies": {
 5 |         "@pulumi/policy": "latest",
 6 |         "@pulumi/pulumi": "^3.0.0"
 7 |     },
 8 |     "devDependencies": {
 9 |         "@types/node": "^10.0.0"
10 |     }
11 | }
12 | 


--------------------------------------------------------------------------------
/tests/integration/parent_dependencies/policy-pack/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "outDir": "bin",
 4 |         "target": "es6",
 5 |         "module": "commonjs",
 6 |         "moduleResolution": "node",
 7 |         "declaration": true,
 8 |         "sourceMap": false,
 9 |         "stripInternal": true,
10 |         "experimentalDecorators": true,
11 |         "pretty": true,
12 |         "noFallthroughCasesInSwitch": true,
13 |         "noImplicitAny": true,
14 |         "noImplicitReturns": true,
15 |         "forceConsistentCasingInFileNames": true,
16 |         "strictNullChecks": true,
17 |     },
18 |     "files": [
19 |         "index.ts"
20 |     ]
21 | }
22 | 


--------------------------------------------------------------------------------
/tests/integration/parent_dependencies/program/Pulumi.yaml:
--------------------------------------------------------------------------------
1 | name: parent_dependencies
2 | runtime: nodejs
3 | description: A program that creates some resources for testing a resource's parent and dependencies.
4 | 


--------------------------------------------------------------------------------
/tests/integration/parent_dependencies/program/index.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as random from "@pulumi/random";
 4 | import { Resource } from "./resource";
 5 | 
 6 | // Create resources with a parent/child relationship.
 7 | const parent = new Resource("parent");
 8 | const child = new Resource("child", {
 9 |     parent: parent,
10 | });
11 | 
12 | // Create resources with an explicit dependency relationship.
13 | const a = new Resource("a");
14 | const b = new Resource("b", {
15 |     dependsOn: a,
16 | });
17 | 
18 | // Create a resource with an implicit dependency relationship.
19 | const str = new random.RandomString("str", {
20 |     length: 10,
21 | });
22 | const pet = new random.RandomPet("pet", {
23 |     prefix: str.result,
24 | });
25 | 


--------------------------------------------------------------------------------
/tests/integration/parent_dependencies/program/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "parent-dependencies",
 3 |     "devDependencies": {
 4 |         "@types/node": "^10.0.0"
 5 |     },
 6 |     "dependencies": {
 7 |         "@pulumi/pulumi": "^3.0.0",
 8 |         "@pulumi/random": "^4.0.0"
 9 |     }
10 | }
11 | 


--------------------------------------------------------------------------------
/tests/integration/parent_dependencies/program/resource.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as pulumi from "@pulumi/pulumi";
 4 | 
 5 | let currentID = 0;
 6 | 
 7 | export class Provider implements pulumi.dynamic.ResourceProvider {
 8 |     public static readonly instance = new Provider();
 9 | 
10 |     public async create(inputs: any) {
11 |         return {
12 |             id: (currentID++).toString(),
13 |             outs: {},
14 |         };
15 |     }
16 | }
17 | 
18 | export class Resource extends pulumi.dynamic.Resource {
19 |     constructor(name: string, opts?: pulumi.CustomResourceOptions) {
20 |         super(Provider.instance, name, {}, opts);
21 |     }
22 | }
23 | 


--------------------------------------------------------------------------------
/tests/integration/parent_dependencies/program/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "strict": true,
 4 |         "outDir": "bin",
 5 |         "target": "es2016",
 6 |         "module": "commonjs",
 7 |         "moduleResolution": "node",
 8 |         "sourceMap": true,
 9 |         "experimentalDecorators": true,
10 |         "pretty": true,
11 |         "noFallthroughCasesInSwitch": true,
12 |         "noImplicitReturns": true,
13 |         "forceConsistentCasingInFileNames": true
14 |     },
15 |     "files": [
16 |         "index.ts",
17 |         "resource.ts"
18 |     ]
19 | }
20 | 


--------------------------------------------------------------------------------
/tests/integration/provider/policy-pack-python/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | runtime: python
2 | 


--------------------------------------------------------------------------------
/tests/integration/provider/policy-pack-python/__main__.py:
--------------------------------------------------------------------------------
 1 | # Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | from pulumi import get_project, get_stack
 4 | 
 5 | from pulumi_policy import (
 6 |     EnforcementLevel,
 7 |     PolicyPack,
 8 |     ResourceValidationPolicy,
 9 |     StackValidationPolicy,
10 | )
11 | 
12 | 
13 | def create_urn(type_: str, name: str) -> str:
14 |     return f"urn:pulumi:{get_stack()}::{get_project()}::{type_}::{name}"
15 | 
16 | 
17 | def validate_resource(args, report_violation):
18 |     validate(args)
19 | 
20 | 
21 | def remediate(args):
22 |     validate(args)
23 | 
24 | 
25 | def validate_stack(args, report_violation):
26 |     for r in args.resources:
27 |         validate(r)
28 | 
29 | 
30 | def validate(r):
31 |     t = r.resource_type
32 |     if (t == "pulumi:pulumi:Stack" or
33 |             t == "pulumi:providers:pulumi-nodejs" or
34 |             t == "pulumi:providers:random"):
35 |         assert r.provider is None
36 |     elif t == "pulumi-nodejs:dynamic:Resource":
37 |         assert r.provider is not None
38 |         assert r.provider.resource_type == "pulumi:providers:pulumi-nodejs"
39 |         assert r.provider.name == "default"
40 |         assert r.provider.urn == create_urn("pulumi:providers:pulumi-nodejs", "default")
41 |         assert r.provider.props
42 |         assert r.provider.props["provider:scenario"]
43 |     elif t == "random:index/randomUuid:RandomUuid":
44 |         assert r.provider is not None
45 |         assert r.provider.resource_type == "pulumi:providers:random"
46 |         assert r.provider.name == "default_4_0_0"
47 |         assert r.provider.urn == create_urn("pulumi:providers:random", "default_4_0_0")
48 |         assert r.provider.props
49 |         assert r.provider.props["version"] == "4.0.0"
50 |     elif t == "random:index/randomString:RandomString":
51 |         assert r.provider is not None
52 |         assert r.provider.resource_type == "pulumi:providers:random"
53 |         assert r.provider.name == "my-provider"
54 |         assert r.provider.urn == create_urn("pulumi:providers:random", "my-provider")
55 |         assert r.provider.props
56 |         assert r.provider.props["version"] == "4.0.0"
57 |     else:
58 |         raise AssertionError(f"Unexpected resource of type: '{t}'.")
59 | 
60 | 
61 | PolicyPack(
62 |     name="resource-options-test-policy",
63 |     enforcement_level=EnforcementLevel.MANDATORY,
64 |     policies=[
65 |         ResourceValidationPolicy(
66 |             name="validate-resource",
67 |             description="Validates resource options during `validateResource`.",
68 |             validate=validate_resource,
69 |             remediate=remediate,
70 |         ),
71 |         StackValidationPolicy(
72 |             name="validate-stack",
73 |             description="Validates resource options during `validateStack`.",
74 |             validate=validate_stack,
75 |         ),
76 |     ],
77 | )
78 | 


--------------------------------------------------------------------------------
/tests/integration/provider/policy-pack-python/requirements.txt:
--------------------------------------------------------------------------------
1 | pulumi>=3.157.0,<4.0.0
2 | 


--------------------------------------------------------------------------------
/tests/integration/provider/policy-pack/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | runtime: nodejs
2 | 


--------------------------------------------------------------------------------
/tests/integration/provider/policy-pack/index.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as assert from "assert";
 4 | 
 5 | import * as pulumi from "@pulumi/pulumi";
 6 | import { PolicyPack, PolicyResource, ResourceValidationArgs } from "@pulumi/policy";
 7 | 
 8 | new PolicyPack("resource-options-test-policy", {
 9 |     policies: [
10 |         {
11 |             name: "validate-resource",
12 |             description: "Validates resource options during `validateResource`.",
13 |             enforcementLevel: "mandatory",
14 |             validateResource: (args, reportViolation) => {
15 |                 validate(args);
16 |             },
17 |             remediateResource: (args) => {
18 |                 validate(args);
19 |             },
20 |         },
21 |         {
22 |             name: "validate-stack",
23 |             description: "Validates resource options during `validateStack`.",
24 |             enforcementLevel: "mandatory",
25 |             validateStack: (args, reportViolation) => {
26 |                 for (const r of args.resources) {
27 |                     validate(r);
28 |                 }
29 |             },
30 |         },
31 |     ],
32 | });
33 | 
34 | function validate(r: ResourceValidationArgs | PolicyResource) {
35 |     switch (r.type) {
36 |         case "pulumi:pulumi:Stack":
37 |         case "pulumi:providers:pulumi-nodejs":
38 |         case "pulumi:providers:random":
39 |             assert.strictEqual(r.provider, undefined);
40 |             break;
41 | 
42 |         case "pulumi-nodejs:dynamic:Resource":
43 |             assert.notStrictEqual(r.provider, undefined);
44 |             assert.strictEqual(r.provider!.type, "pulumi:providers:pulumi-nodejs");
45 |             assert.strictEqual(r.provider!.name, "default");
46 |             assert.strictEqual(r.provider!.urn, createURN("pulumi:providers:pulumi-nodejs", "default"));
47 |             assert.notStrictEqual(r.provider!.props, undefined);
48 |             assert.ok("provider:scenario" in r.provider!.props, "Expected key 'provider:scenario'");
49 |             break;
50 | 
51 |         case "random:index/randomUuid:RandomUuid":
52 |             assert.notStrictEqual(r.provider, undefined);
53 |             assert.strictEqual(r.provider!.type, "pulumi:providers:random");
54 |             assert.strictEqual(r.provider!.name, "default_4_0_0");
55 |             assert.strictEqual(r.provider!.urn, createURN("pulumi:providers:random", "default_4_0_0"));
56 |             assert.notStrictEqual(r.provider!.props, undefined);
57 |             assert.deepStrictEqual(r.provider!.props.version, "4.0.0");
58 |             break;
59 | 
60 |         case "random:index/randomString:RandomString":
61 |             assert.notStrictEqual(r.provider, undefined);
62 |             assert.strictEqual(r.provider!.type, "pulumi:providers:random");
63 |             assert.strictEqual(r.provider!.name, "my-provider");
64 |             assert.strictEqual(r.provider!.urn, createURN("pulumi:providers:random", "my-provider"));
65 |             assert.notStrictEqual(r.provider!.props, undefined);
66 |             assert.deepStrictEqual(r.provider!.props.version, "4.0.0");
67 |             break;
68 | 
69 |         default:
70 |             throw Error(`Unexpected resource of type: '${r.type}'.`);
71 |     }
72 | }
73 | 
74 | /**
75 |  * Creates a URN from the given `type` and `name`.
76 |  * @param type the resource type.
77 |  * @param name the resource name.
78 |  */
79 | function createURN(type: string, name: string): string {
80 |     return `urn:pulumi:${pulumi.getStack()}::${pulumi.getProject()}::${type}::${name}`;
81 | }
82 | 


--------------------------------------------------------------------------------
/tests/integration/provider/policy-pack/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "provider-policy-pack",
 3 |     "version": "0.0.1",
 4 |     "dependencies": {
 5 |         "@pulumi/policy": "latest",
 6 |         "@pulumi/pulumi": "^3.0.0"
 7 |     },
 8 |     "devDependencies": {
 9 |         "@types/node": "^10.0.0"
10 |     }
11 | }
12 | 


--------------------------------------------------------------------------------
/tests/integration/provider/policy-pack/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "outDir": "bin",
 4 |         "target": "es6",
 5 |         "module": "commonjs",
 6 |         "moduleResolution": "node",
 7 |         "declaration": true,
 8 |         "sourceMap": false,
 9 |         "stripInternal": true,
10 |         "experimentalDecorators": true,
11 |         "pretty": true,
12 |         "noFallthroughCasesInSwitch": true,
13 |         "noImplicitAny": true,
14 |         "noImplicitReturns": true,
15 |         "forceConsistentCasingInFileNames": true,
16 |         "strictNullChecks": true,
17 |     },
18 |     "files": [
19 |         "index.ts"
20 |     ]
21 | }
22 | 


--------------------------------------------------------------------------------
/tests/integration/provider/program/Pulumi.yaml:
--------------------------------------------------------------------------------
1 | name: provider
2 | runtime: nodejs
3 | description: A program that creates some resources for testing providers.
4 | 


--------------------------------------------------------------------------------
/tests/integration/provider/program/index.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as random from "@pulumi/random";
 4 | import { Resource } from "./resource";
 5 | 
 6 | // Create a dynamic resource.
 7 | const empty = new Resource("empty");
 8 | 
 9 | // Create a resource.
10 | const uuid = new random.RandomUuid("uuid");
11 | 
12 | // Create a provider and resource that uses it.
13 | const provider = new random.Provider("my-provider");
14 | const str = new random.RandomString("str", { length: 10 }, {
15 |     provider: provider,
16 | });
17 | 


--------------------------------------------------------------------------------
/tests/integration/provider/program/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "provider",
 3 |     "devDependencies": {
 4 |         "@types/node": "^10.0.0"
 5 |     },
 6 |     "dependencies": {
 7 |         "@pulumi/pulumi": "^3.0.0",
 8 |         "@pulumi/random": "4.0.0"
 9 |     }
10 | }
11 | 


--------------------------------------------------------------------------------
/tests/integration/provider/program/resource.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as pulumi from "@pulumi/pulumi";
 4 | 
 5 | let currentID = 0;
 6 | 
 7 | export class Provider implements pulumi.dynamic.ResourceProvider {
 8 |     public static readonly instance = new Provider();
 9 | 
10 |     public async create(inputs: any) {
11 |         return {
12 |             id: (currentID++).toString(),
13 |             outs: {},
14 |         };
15 |     }
16 | }
17 | 
18 | export class Resource extends pulumi.dynamic.Resource {
19 |     constructor(name: string, opts?: pulumi.CustomResourceOptions) {
20 |         super(Provider.instance, name, {}, opts);
21 |     }
22 | }
23 | 


--------------------------------------------------------------------------------
/tests/integration/provider/program/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "strict": true,
 4 |         "outDir": "bin",
 5 |         "target": "es2016",
 6 |         "module": "commonjs",
 7 |         "moduleResolution": "node",
 8 |         "sourceMap": true,
 9 |         "experimentalDecorators": true,
10 |         "pretty": true,
11 |         "noFallthroughCasesInSwitch": true,
12 |         "noImplicitReturns": true,
13 |         "forceConsistentCasingInFileNames": true
14 |     },
15 |     "files": [
16 |         "index.ts",
17 |         "resource.ts"
18 |     ]
19 | }
20 | 


--------------------------------------------------------------------------------
/tests/integration/remote_component/policy-pack-python/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | runtime: python
2 | 


--------------------------------------------------------------------------------
/tests/integration/remote_component/policy-pack-python/__main__.py:
--------------------------------------------------------------------------------
 1 | # Copyright 2016-2021, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | from pulumi_policy import (
 4 |     EnforcementLevel,
 5 |     PolicyPack,
 6 |     ResourceValidationPolicy,
 7 | )
 8 | 
 9 | 
10 | def verify(args):
11 |     if args.name != "innerRandom":
12 |         return
13 | 
14 |     assert args.props["keepers"]["hello"] == "world"
15 | 
16 |     # Accessing `keepers.hi` is expected to result in a policy violation because its value is unknown
17 |     # during previews given the associated Pulumi program.
18 |     print(args.props["keepers"]["hi"])
19 | 
20 | 
21 | def validate_resource(args, report_violation):
22 |     verify(args)
23 | 
24 | 
25 | def remediate(args):
26 |     verify(args)
27 | 
28 | 
29 | PolicyPack(
30 |     name="remote-component-policy",
31 |     enforcement_level=EnforcementLevel.MANDATORY,
32 |     policies=[
33 |         ResourceValidationPolicy(
34 |             name="resource-validation",
35 |             description="Verifies properties during resource validation.",
36 |             validate=validate_resource,
37 |             remediate=remediate,
38 |         ),
39 |     ],
40 | )
41 | 


--------------------------------------------------------------------------------
/tests/integration/remote_component/policy-pack-python/requirements.txt:
--------------------------------------------------------------------------------
1 | pulumi>=3.157.0,<4.0.0
2 | 


--------------------------------------------------------------------------------
/tests/integration/remote_component/policy-pack/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | runtime: nodejs
2 | 


--------------------------------------------------------------------------------
/tests/integration/remote_component/policy-pack/index.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2021, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as assert from "assert";
 4 | 
 5 | import { PolicyPack } from "@pulumi/policy";
 6 | 
 7 | function verify(args: any) {
 8 |     if (args.name !== "innerRandom") {
 9 |         return;
10 |     }
11 | 
12 |     assert.strictEqual(args.props.keepers.hello, "world");
13 | 
14 |     // Accessing `keepers.hi` is expected to result in a policy violation because its value is unknown
15 |     // during previews given the associated Pulumi program.
16 |     console.log(args.props.keepers.hi);
17 | }
18 | 
19 | new PolicyPack("remote-component-policy", {
20 |     enforcementLevel: "mandatory",
21 |     policies: [
22 |         {
23 |             name: "resource-validation",
24 |             description: "Verifies properties during resource validation.",
25 |             validateResource: (args, reportViolation) => { verify(args); },
26 |             remediateResource: (args) => { verify(args); },
27 |         },
28 | 
29 |     ],
30 | });
31 | 


--------------------------------------------------------------------------------
/tests/integration/remote_component/policy-pack/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "remote-component-policy-pack",
 3 |     "version": "0.0.1",
 4 |     "dependencies": {
 5 |         "@pulumi/policy": "latest",
 6 |         "@pulumi/pulumi": "^3.0.0"
 7 |     },
 8 |     "devDependencies": {
 9 |         "@types/node": "^10.0.0"
10 |     }
11 | }
12 | 


--------------------------------------------------------------------------------
/tests/integration/remote_component/policy-pack/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "outDir": "bin",
 4 |         "target": "es6",
 5 |         "module": "commonjs",
 6 |         "moduleResolution": "node",
 7 |         "declaration": true,
 8 |         "sourceMap": false,
 9 |         "stripInternal": true,
10 |         "experimentalDecorators": true,
11 |         "pretty": true,
12 |         "noFallthroughCasesInSwitch": true,
13 |         "noImplicitAny": true,
14 |         "noImplicitReturns": true,
15 |         "forceConsistentCasingInFileNames": true,
16 |         "strictNullChecks": true,
17 |     },
18 |     "files": [
19 |         "index.ts"
20 |     ]
21 | }
22 | 


--------------------------------------------------------------------------------
/tests/integration/remote_component/program/Pulumi.yaml:
--------------------------------------------------------------------------------
1 | name: remote_component
2 | runtime: nodejs
3 | description: A test program to test constructing remote components with nested unknowns
4 | 


--------------------------------------------------------------------------------
/tests/integration/remote_component/program/component.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2021, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as pulumi from "@pulumi/pulumi";
 4 | 
 5 | export interface BarArgs {
 6 |     keepers?: pulumi.Input<{[key: string]: pulumi.Input<any>}>;
 7 | }
 8 | 
 9 | export interface ComponentArgs {
10 |     bar?: pulumi.Input<BarArgs>;
11 | }
12 | 
13 | export class Component extends pulumi.ComponentResource {
14 |     constructor(name: string, args?: ComponentArgs, opts?: pulumi.ComponentResourceOptions) {
15 |         super("testcomponent:index:Component", name, args, opts, true /*remote*/);
16 |     }
17 | }
18 | 


--------------------------------------------------------------------------------
/tests/integration/remote_component/program/index.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2021, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as random from "@pulumi/random";
 4 | 
 5 | import { Component } from "./component";
 6 | 
 7 | const rand = new random.RandomString("random", { length: 10 });
 8 | 
 9 | const comp = new Component("component", {
10 |     bar: {
11 |         keepers: {
12 |             "hello": "world",
13 |             "hi": rand.id,
14 |         },
15 |     }
16 | });
17 | 


--------------------------------------------------------------------------------
/tests/integration/remote_component/program/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "remote_component",
 3 |     "devDependencies": {
 4 |         "@types/node": "^10.0.0"
 5 |     },
 6 |     "dependencies": {
 7 |         "@pulumi/pulumi": "^3.0.0",
 8 |         "@pulumi/random": "^4.3.1"
 9 |     }
10 | }
11 | 


--------------------------------------------------------------------------------
/tests/integration/remote_component/testcomponent/go.mod:
--------------------------------------------------------------------------------
 1 | module github.com/pulumi/pulumi-policy/tests/integration/remote_component/testcomponent
 2 | 
 3 | go 1.21
 4 | 
 5 | require (
 6 | 	github.com/pulumi/pulumi-random/sdk/v4 v4.15.0
 7 | 	github.com/pulumi/pulumi/pkg/v3 v3.100.0
 8 | 	github.com/pulumi/pulumi/sdk/v3 v3.100.0
 9 | )
10 | 
11 | require (
12 | 	dario.cat/mergo v1.0.0 // indirect
13 | 	github.com/Microsoft/go-winio v0.6.1 // indirect
14 | 	github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
15 | 	github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da // indirect
16 | 	github.com/agext/levenshtein v1.2.3 // indirect
17 | 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
18 | 	github.com/atotto/clipboard v0.1.4 // indirect
19 | 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
20 | 	github.com/blang/semver v3.5.1+incompatible // indirect
21 | 	github.com/charmbracelet/bubbles v0.16.1 // indirect
22 | 	github.com/charmbracelet/bubbletea v0.24.2 // indirect
23 | 	github.com/charmbracelet/lipgloss v0.7.1 // indirect
24 | 	github.com/cheggaaa/pb v1.0.29 // indirect
25 | 	github.com/cloudflare/circl v1.3.7 // indirect
26 | 	github.com/containerd/console v1.0.4-0.20230313162750-1ae8d489ac81 // indirect
27 | 	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
28 | 	github.com/djherbis/times v1.5.0 // indirect
29 | 	github.com/emirpasic/gods v1.18.1 // indirect
30 | 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
31 | 	github.com/go-git/go-billy/v5 v5.5.0 // indirect
32 | 	github.com/go-git/go-git/v5 v5.11.0 // indirect
33 | 	github.com/gogo/protobuf v1.3.2 // indirect
34 | 	github.com/golang/glog v1.1.0 // indirect
35 | 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
36 | 	github.com/golang/protobuf v1.5.3 // indirect
37 | 	github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 // indirect
38 | 	github.com/hashicorp/errwrap v1.1.0 // indirect
39 | 	github.com/hashicorp/go-multierror v1.1.1 // indirect
40 | 	github.com/hashicorp/hcl/v2 v2.17.0 // indirect
41 | 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
42 | 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
43 | 	github.com/kevinburke/ssh_config v1.2.0 // indirect
44 | 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
45 | 	github.com/mattn/go-isatty v0.0.19 // indirect
46 | 	github.com/mattn/go-localereader v0.0.1 // indirect
47 | 	github.com/mattn/go-runewidth v0.0.15 // indirect
48 | 	github.com/mitchellh/go-ps v1.0.0 // indirect
49 | 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
50 | 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
51 | 	github.com/muesli/cancelreader v0.2.2 // indirect
52 | 	github.com/muesli/reflow v0.3.0 // indirect
53 | 	github.com/muesli/termenv v0.15.2 // indirect
54 | 	github.com/opentracing/basictracer-go v1.1.0 // indirect
55 | 	github.com/opentracing/opentracing-go v1.2.0 // indirect
56 | 	github.com/pgavlin/fx v0.1.6 // indirect
57 | 	github.com/pjbgf/sha1cd v0.3.0 // indirect
58 | 	github.com/pkg/errors v0.9.1 // indirect
59 | 	github.com/pkg/term v1.1.0 // indirect
60 | 	github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
61 | 	github.com/pulumi/esc v0.6.2 // indirect
62 | 	github.com/rivo/uniseg v0.4.4 // indirect
63 | 	github.com/rogpeppe/go-internal v1.11.0 // indirect
64 | 	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 // indirect
65 | 	github.com/santhosh-tekuri/jsonschema/v5 v5.0.1 // indirect
66 | 	github.com/sergi/go-diff v1.3.1 // indirect
67 | 	github.com/skeema/knownhosts v1.2.1 // indirect
68 | 	github.com/spf13/cobra v1.7.0 // indirect
69 | 	github.com/spf13/pflag v1.0.5 // indirect
70 | 	github.com/texttheater/golang-levenshtein v1.0.1 // indirect
71 | 	github.com/tweekmonster/luser v0.0.0-20161003172636-3fa38070dbd7 // indirect
72 | 	github.com/uber/jaeger-client-go v2.30.0+incompatible // indirect
73 | 	github.com/uber/jaeger-lib v2.4.1+incompatible // indirect
74 | 	github.com/xanzy/ssh-agent v0.3.3 // indirect
75 | 	github.com/zclconf/go-cty v1.13.2 // indirect
76 | 	go.uber.org/atomic v1.10.0 // indirect
77 | 	golang.org/x/crypto v0.24.0 // indirect
78 | 	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa // indirect
79 | 	golang.org/x/mod v0.17.0 // indirect
80 | 	golang.org/x/net v0.26.0 // indirect
81 | 	golang.org/x/sync v0.7.0 // indirect
82 | 	golang.org/x/sys v0.21.0 // indirect
83 | 	golang.org/x/term v0.21.0 // indirect
84 | 	golang.org/x/text v0.16.0 // indirect
85 | 	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
86 | 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230706204954-ccb25ca9f130 // indirect
87 | 	google.golang.org/grpc v1.57.1 // indirect
88 | 	google.golang.org/protobuf v1.34.2 // indirect
89 | 	gopkg.in/warnings.v0 v0.1.2 // indirect
90 | 	gopkg.in/yaml.v3 v3.0.1 // indirect
91 | 	lukechampine.com/frand v1.4.2 // indirect
92 | )
93 | 


--------------------------------------------------------------------------------
/tests/integration/remote_component/testcomponent/main.go:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2021, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | package main
 4 | 
 5 | import (
 6 | 	"errors"
 7 | 	"fmt"
 8 | 
 9 | 	"github.com/pulumi/pulumi-random/sdk/v4/go/random"
10 | 	"github.com/pulumi/pulumi/pkg/v3/resource/provider"
11 | 	"github.com/pulumi/pulumi/sdk/v3/go/common/util/cmdutil"
12 | 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
13 | 	pulumiprovider "github.com/pulumi/pulumi/sdk/v3/go/pulumi/provider"
14 | )
15 | 
16 | type Component struct {
17 | 	pulumi.ResourceState
18 | }
19 | 
20 | type ComponentArgs struct {
21 | 	Bar BarPtrInput `pulumi:"bar"`
22 | }
23 | 
24 | func NewComponent(ctx *pulumi.Context, name string, args *ComponentArgs,
25 | 	opts ...pulumi.ResourceOption) (*Component, error) {
26 | 	if args == nil {
27 | 		return nil, errors.New("args is required")
28 | 	}
29 | 
30 | 	barArgs, isBarArgs := args.Bar.(BarArgs)
31 | 	if !isBarArgs {
32 | 		return nil, errors.New("expected args.Bar to be BarArgs")
33 | 	}
34 | 
35 | 	component := &Component{}
36 | 	err := ctx.RegisterComponentResource("testcomponent:index:Component", name, component, opts...)
37 | 	if err != nil {
38 | 		return nil, err
39 | 	}
40 | 
41 | 	_, err = random.NewRandomString(ctx, "innerRandom", &random.RandomStringArgs{
42 | 		Length:  pulumi.Int(10),
43 | 		Keepers: barArgs.Keepers,
44 | 	}, pulumi.Parent(component))
45 | 	if err != nil {
46 | 		return nil, err
47 | 	}
48 | 
49 | 	if err := ctx.RegisterResourceOutputs(component, pulumi.Map{}); err != nil {
50 | 		return nil, err
51 | 	}
52 | 
53 | 	return component, nil
54 | }
55 | 
56 | const providerName = "testcomponent"
57 | const version = "0.0.1"
58 | 
59 | func main() {
60 | 	if err := provider.MainWithOptions(provider.Options{
61 | 		Name:    providerName,
62 | 		Version: version,
63 | 		Construct: func(ctx *pulumi.Context, typ, name string, inputs pulumiprovider.ConstructInputs,
64 | 			options pulumi.ResourceOption) (*pulumiprovider.ConstructResult, error) {
65 | 
66 | 			if typ != "testcomponent:index:Component" {
67 | 				return nil, fmt.Errorf("unknown resource type %s", typ)
68 | 			}
69 | 
70 | 			args := &ComponentArgs{}
71 | 			if err := inputs.CopyTo(args); err != nil {
72 | 				return nil, fmt.Errorf("setting args: %w", err)
73 | 			}
74 | 
75 | 			component, err := NewComponent(ctx, name, args, options)
76 | 			if err != nil {
77 | 				return nil, fmt.Errorf("creating component: %w", err)
78 | 			}
79 | 
80 | 			return pulumiprovider.NewConstructResult(component)
81 | 		},
82 | 	}); err != nil {
83 | 		cmdutil.ExitError(err.Error())
84 | 	}
85 | }
86 | 


--------------------------------------------------------------------------------
/tests/integration/remote_component/testcomponent/pulumi-resource-testcomponent:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
3 | cd $SCRIPT_DIR && go run . $@
4 | 


--------------------------------------------------------------------------------
/tests/integration/remote_component/testcomponent/pulumi-resource-testcomponent.cmd:
--------------------------------------------------------------------------------
1 | @echo off
2 | setlocal
3 | set SCRIPT_DIR=%~dp0
4 | cd "%SCRIPT_DIR%" && @go run . %*
5 | 


--------------------------------------------------------------------------------
/tests/integration/remote_component/testcomponent/pulumiTypes.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2016-2021, Pulumi Corporation.  All rights reserved.
  2 | 
  3 | package main
  4 | 
  5 | import (
  6 | 	"context"
  7 | 	"reflect"
  8 | 
  9 | 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 10 | )
 11 | 
 12 | type Bar struct {
 13 | 	Keepers map[string]interface{} `pulumi:"keepers"`
 14 | }
 15 | 
 16 | type BarInput interface {
 17 | 	pulumi.Input
 18 | 
 19 | 	ToBarOutput() BarOutput
 20 | 	ToBarOutputWithContext(context.Context) BarOutput
 21 | }
 22 | 
 23 | type BarArgs struct {
 24 | 	Keepers pulumi.StringMapInput `pulumi:"keepers"`
 25 | }
 26 | 
 27 | func (BarArgs) ElementType() reflect.Type {
 28 | 	return reflect.TypeOf((*Bar)(nil)).Elem()
 29 | }
 30 | 
 31 | func (i BarArgs) ToBarOutput() BarOutput {
 32 | 	return i.ToBarOutputWithContext(context.Background())
 33 | }
 34 | 
 35 | func (i BarArgs) ToBarOutputWithContext(ctx context.Context) BarOutput {
 36 | 	return pulumi.ToOutputWithContext(ctx, i).(BarOutput)
 37 | }
 38 | 
 39 | func (i BarArgs) ToBarPtrOutput() BarPtrOutput {
 40 | 	return i.ToBarPtrOutputWithContext(context.Background())
 41 | }
 42 | 
 43 | func (i BarArgs) ToBarPtrOutputWithContext(ctx context.Context) BarPtrOutput {
 44 | 	return pulumi.ToOutputWithContext(ctx, i).(BarOutput).ToBarPtrOutputWithContext(ctx)
 45 | }
 46 | 
 47 | type BarPtrInput interface {
 48 | 	pulumi.Input
 49 | 
 50 | 	ToBarPtrOutput() BarPtrOutput
 51 | 	ToBarPtrOutputWithContext(context.Context) BarPtrOutput
 52 | }
 53 | 
 54 | type barPtrType BarArgs
 55 | 
 56 | func BarPtr(v *BarArgs) BarPtrInput {
 57 | 	return (*barPtrType)(v)
 58 | }
 59 | 
 60 | func (*barPtrType) ElementType() reflect.Type {
 61 | 	return reflect.TypeOf((**Bar)(nil)).Elem()
 62 | }
 63 | 
 64 | func (i *barPtrType) ToBarPtrOutput() BarPtrOutput {
 65 | 	return i.ToBarPtrOutputWithContext(context.Background())
 66 | }
 67 | 
 68 | func (i *barPtrType) ToBarPtrOutputWithContext(ctx context.Context) BarPtrOutput {
 69 | 	return pulumi.ToOutputWithContext(ctx, i).(BarPtrOutput)
 70 | }
 71 | 
 72 | type BarOutput struct{ *pulumi.OutputState }
 73 | 
 74 | func (BarOutput) ElementType() reflect.Type {
 75 | 	return reflect.TypeOf((*Bar)(nil)).Elem()
 76 | }
 77 | 
 78 | func (o BarOutput) ToBarOutput() BarOutput {
 79 | 	return o
 80 | }
 81 | 
 82 | func (o BarOutput) ToBarOutputWithContext(ctx context.Context) BarOutput {
 83 | 	return o
 84 | }
 85 | 
 86 | func (o BarOutput) ToBarPtrOutput() BarPtrOutput {
 87 | 	return o.ToBarPtrOutputWithContext(context.Background())
 88 | }
 89 | 
 90 | func (o BarOutput) ToBarPtrOutputWithContext(ctx context.Context) BarPtrOutput {
 91 | 	return o.ApplyTWithContext(ctx, func(_ context.Context, v Bar) *Bar {
 92 | 		return &v
 93 | 	}).(BarPtrOutput)
 94 | }
 95 | 
 96 | type BarPtrOutput struct{ *pulumi.OutputState }
 97 | 
 98 | func (BarPtrOutput) ElementType() reflect.Type {
 99 | 	return reflect.TypeOf((**Bar)(nil)).Elem()
100 | }
101 | 
102 | func (o BarPtrOutput) ToBarPtrOutput() BarPtrOutput {
103 | 	return o
104 | }
105 | 
106 | func (o BarPtrOutput) ToBarPtrOutputWithContext(ctx context.Context) BarPtrOutput {
107 | 	return o
108 | }
109 | 
110 | func (o BarPtrOutput) Elem() BarOutput {
111 | 	return o.ApplyT(func(v *Bar) Bar {
112 | 		if v != nil {
113 | 			return *v
114 | 		}
115 | 		var ret Bar
116 | 		return ret
117 | 	}).(BarOutput)
118 | }
119 | 
120 | func init() {
121 | 	pulumi.RegisterInputType(reflect.TypeOf((*BarInput)(nil)).Elem(), BarArgs{})
122 | 	pulumi.RegisterInputType(reflect.TypeOf((*BarPtrInput)(nil)).Elem(), BarArgs{})
123 | 	pulumi.RegisterOutputType(BarOutput{})
124 | 	pulumi.RegisterOutputType(BarPtrOutput{})
125 | }
126 | 


--------------------------------------------------------------------------------
/tests/integration/resource_options/policy-pack-python/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | runtime: python
2 | 


--------------------------------------------------------------------------------
/tests/integration/resource_options/policy-pack-python/requirements.txt:
--------------------------------------------------------------------------------
1 | pulumi>=3.157.0,<4.0.0
2 | 


--------------------------------------------------------------------------------
/tests/integration/resource_options/policy-pack/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | runtime: nodejs
2 | 


--------------------------------------------------------------------------------
/tests/integration/resource_options/policy-pack/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "resource-options-policy-pack",
 3 |     "version": "0.0.1",
 4 |     "dependencies": {
 5 |         "@pulumi/policy": "latest",
 6 |         "@pulumi/pulumi": "^3.0.0"
 7 |     },
 8 |     "devDependencies": {
 9 |         "@types/node": "^10.0.0"
10 |     }
11 | }
12 | 


--------------------------------------------------------------------------------
/tests/integration/resource_options/policy-pack/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "outDir": "bin",
 4 |         "target": "es6",
 5 |         "module": "commonjs",
 6 |         "moduleResolution": "node",
 7 |         "declaration": true,
 8 |         "sourceMap": false,
 9 |         "stripInternal": true,
10 |         "experimentalDecorators": true,
11 |         "pretty": true,
12 |         "noFallthroughCasesInSwitch": true,
13 |         "noImplicitAny": true,
14 |         "noImplicitReturns": true,
15 |         "forceConsistentCasingInFileNames": true,
16 |         "strictNullChecks": true,
17 |     },
18 |     "files": [
19 |         "index.ts"
20 |     ]
21 | }
22 | 


--------------------------------------------------------------------------------
/tests/integration/resource_options/program/Pulumi.yaml:
--------------------------------------------------------------------------------
1 | name: resource_options
2 | runtime: nodejs
3 | description: A program that creates some resources for testing resource options.
4 | 


--------------------------------------------------------------------------------
/tests/integration/resource_options/program/index.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as pulumi from "@pulumi/pulumi";
 4 | import * as random from "@pulumi/random";
 5 | import { Resource } from "./resource";
 6 | 
 7 | const config = new pulumi.Config();
 8 | const testScenario = config.requireNumber("scenario");
 9 | 
10 | // Create a resource that doesn't have any explicit options set.
11 | const empty = new Resource("empty");
12 | 
13 | // Create a custom resource that doesn't have any explicit options set.
14 | const uuid = new random.RandomUuid("uuid");
15 | 
16 | // Create a protected resource.
17 | const protect = new Resource("protect", {
18 |     // Only set `protect` during the first test scenario when the actual tests are run.
19 |     // Set it to `false` on any other test scenario in preparation for destroying the stack.
20 |     protect: testScenario === 1,
21 | });
22 | 
23 | // Create a resource with ignoreChanges.
24 | const ignoreChanges = new Resource("ignoreChanges", {
25 |     ignoreChanges: ["foo", "bar"],
26 | })
27 | 
28 | // Create a resource with deleteBeforeReplace.
29 | const deleteBeforeReplaceNotSet = new Resource("deleteBeforeReplaceNotSet");
30 | const deleteBeforeReplaceTrue = new Resource("deleteBeforeReplaceTrue", {
31 |     deleteBeforeReplace: true,
32 | });
33 | const deleteBeforeReplaceFalse = new Resource("deleteBeforeReplaceFalse", {
34 |     deleteBeforeReplace: false,
35 | });
36 | 
37 | // Create a resource with an alias to an old name.
38 | const aliased = new Resource("aliased", {
39 |     aliases: [{ name: "old-name-for-aliased" }],
40 | });
41 | 
42 | // Create resources with custom timeouts.
43 | const timeouts = new Resource("timeouts", {
44 |     customTimeouts: {
45 |         create: "1m",
46 |         update: "2m",
47 |         delete: "3m",
48 |     },
49 | });
50 | const timeoutsCreate = new Resource("timeouts-create", {
51 |     customTimeouts: {
52 |         create: "4m",
53 |     },
54 | });
55 | const timeoutsUpdate = new Resource("timeouts-update", {
56 |     customTimeouts: {
57 |         update: "5m",
58 |     },
59 | });
60 | const timeoutsDelete = new Resource("timeouts-delete", {
61 |     customTimeouts: {
62 |         delete: "6m",
63 |     },
64 | });
65 | 
66 | // Create a resource with additional secret outputs.
67 | const secrets = new Resource("secrets", {
68 |     additionalSecretOutputs: ["foo"],
69 | });
70 | 
71 | // Create a parent and child resource.
72 | const parent = new Resource("parent-res", {});
73 | const child = new Resource("child-res", { parent });
74 | 


--------------------------------------------------------------------------------
/tests/integration/resource_options/program/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "resource-options",
 3 |     "devDependencies": {
 4 |         "@types/node": "^10.0.0"
 5 |     },
 6 |     "dependencies": {
 7 |         "@pulumi/pulumi": "^3.0.0",
 8 |         "@pulumi/random": "^4.0.0"
 9 |     }
10 | }
11 | 


--------------------------------------------------------------------------------
/tests/integration/resource_options/program/resource.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as pulumi from "@pulumi/pulumi";
 4 | 
 5 | let currentID = 0;
 6 | 
 7 | export class Provider implements pulumi.dynamic.ResourceProvider {
 8 |     public static readonly instance = new Provider();
 9 | 
10 |     public async create(inputs: any) {
11 |         return {
12 |             id: (currentID++).toString(),
13 |             outs: {},
14 |         };
15 |     }
16 | }
17 | 
18 | export class Resource extends pulumi.dynamic.Resource {
19 |     constructor(name: string, opts?: pulumi.CustomResourceOptions) {
20 |         super(Provider.instance, name, {}, opts);
21 |     }
22 | }
23 | 


--------------------------------------------------------------------------------
/tests/integration/resource_options/program/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "strict": true,
 4 |         "outDir": "bin",
 5 |         "target": "es2016",
 6 |         "module": "commonjs",
 7 |         "moduleResolution": "node",
 8 |         "sourceMap": true,
 9 |         "experimentalDecorators": true,
10 |         "pretty": true,
11 |         "noFallthroughCasesInSwitch": true,
12 |         "noImplicitReturns": true,
13 |         "forceConsistentCasingInFileNames": true
14 |     },
15 |     "files": [
16 |         "index.ts",
17 |         "resource.ts"
18 |     ]
19 | }
20 | 


--------------------------------------------------------------------------------
/tests/integration/runtime_data/policy-pack-python/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | runtime: python
2 | 


--------------------------------------------------------------------------------
/tests/integration/runtime_data/policy-pack-python/__main__.py:
--------------------------------------------------------------------------------
 1 | # Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import json
 4 | import os
 5 | 
 6 | from pulumi import Config, get_project, get_stack
 7 | from pulumi.runtime import is_dry_run
 8 | from pulumi_aws import config as aws_config
 9 | 
10 | from pulumi_policy import (
11 |     EnforcementLevel,
12 |     PolicyPack,
13 |     ResourceValidationPolicy,
14 |     StackValidationPolicy,
15 | )
16 | 
17 | 
18 | def validate_resource(args, report_violation):
19 |     verify_data(args)
20 | 
21 | 
22 | def remediate_resource(args, report):
23 |     verify_data(args)
24 | 
25 | 
26 | def validate_stack(args, report_violation):
27 |     for r in args.resources:
28 |         verify_data(r)
29 | 
30 | 
31 | def verify_data(r):
32 |     t = r.resource_type
33 |     if t != "pulumi-nodejs:dynamic:Resource":
34 |         return
35 | 
36 |     # Verify is_dry_run()
37 |     assert is_dry_run() == r.props["isDryRun"]
38 | 
39 |     # Verify get_project()
40 |     assert "PULUMI_TEST_PROJECT" in os.environ
41 |     assert get_project() == os.environ["PULUMI_TEST_PROJECT"]
42 |     assert get_project() == r.props["getProject"]
43 | 
44 |     # Verify get_stack()
45 |     assert "PULUMI_TEST_STACK" in os.environ
46 |     assert get_stack() == os.environ["PULUMI_TEST_STACK"]
47 |     assert get_stack() == r.props["getStack"]
48 | 
49 |     # Verify Config
50 |     config = Config()
51 |     value = config.require("aConfigValue")
52 |     assert value == "this value is a value"
53 |     assert aws_config.region == "us-west-2"
54 | 
55 | 
56 | PolicyPack(
57 |     name="runtime-data-policy",
58 |     enforcement_level=EnforcementLevel.MANDATORY,
59 |     policies=[
60 |         ResourceValidationPolicy(
61 |             name="runtime-data-resource-validation",
62 |             description="Verifies runtime data during resource validation.",
63 |             validate=validate_resource,
64 |             remediate=remediate_resource,
65 |         ),
66 |         StackValidationPolicy(
67 |             name="runtime-data-stack-validation",
68 |             description="Verifies runtime data during stack validation.",
69 |             validate=validate_stack,
70 |         ),
71 |     ],
72 | )
73 | 


--------------------------------------------------------------------------------
/tests/integration/runtime_data/policy-pack-python/requirements.txt:
--------------------------------------------------------------------------------
1 | pulumi>=3.157.0,<4.0.0
2 | pulumi-aws>=4.0.0,<5.0.0
3 | 


--------------------------------------------------------------------------------
/tests/integration/runtime_data/policy-pack/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | description: A Policy Pack to test that runtime data (Config, getStack, getProject, and isDryRun) is available to Policy Packs.
2 | runtime: nodejs
3 | 


--------------------------------------------------------------------------------
/tests/integration/runtime_data/policy-pack/index.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2019, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as assert from "assert";
 4 | 
 5 | import * as pulumi from "@pulumi/pulumi";
 6 | import * as aws from "@pulumi/aws";
 7 | import { PolicyPack, PolicyResource, ResourceValidationArgs } from "@pulumi/policy";
 8 | 
 9 | new PolicyPack("runtime-data-policy", {
10 |     policies: [
11 |         {
12 |             name: "runtime-data-resource-validation",
13 |             description: "Verifies runtime data during resource validation.",
14 |             enforcementLevel: "mandatory",
15 |             validateResource: (args, reportViolation) => {
16 |                 verifyData(args);
17 |             },
18 |             remediateResource: (args) => {
19 |                 verifyData(args);
20 |             },
21 |         },
22 |         {
23 |             name: "runtime-data-stack-validation",
24 |             description: "Verifies runtime data during stack validation.",
25 |             enforcementLevel: "mandatory",
26 |             validateStack: (args, reportViolation) => {
27 |                 for (const r of args.resources) {
28 |                     verifyData(r);
29 |                 }
30 |             },
31 |         },
32 |     ],
33 | });
34 | 
35 | function verifyData(r: PolicyResource | ResourceValidationArgs) {
36 |     if (r.type !== "pulumi-nodejs:dynamic:Resource") {
37 |         return;
38 |     }
39 | 
40 |     // Verify isDryRun().
41 |     assert.strictEqual(pulumi.runtime.isDryRun(), r.props.isDryRun,
42 |         "'isDryRun()' not the expected value (via resource prop).");
43 | 
44 |     // Verify getProject().
45 |     assert.ok(process.env.PULUMI_TEST_PROJECT, "'PULUMI_TEST_PROJECT' not set.");
46 |     assert.strictEqual(pulumi.getProject(), process.env.PULUMI_TEST_PROJECT, "'getProject()' not the expected value.");
47 |     assert.strictEqual(pulumi.getProject(), r.props.getProject, "'getProject()' not the expected value.");
48 | 
49 |     // Verify getStack().
50 |     assert.ok(process.env.PULUMI_TEST_STACK, "'PULUMI_TEST_STACK' not set.")
51 |     assert.strictEqual(pulumi.getStack(), process.env.PULUMI_TEST_STACK,
52 |         "'getStack()' not the expected value (via env var).");
53 |     assert.strictEqual(pulumi.getStack(), r.props.getStack,
54 |         "'getStack()' not the expected value (via resource prop).");
55 | 
56 |     // Verify Config.
57 |     assert.deepStrictEqual(pulumi.runtime.allConfig(), r.props.allConfig,
58 |         "'allConfig()' not the expected value (via resource prop).")
59 |     const config = new pulumi.Config();
60 |     const value = config.require("aConfigValue");
61 |     assert.strictEqual(value, "this value is a value", "'aConfigValue' not the expected value.");
62 |     assert.strictEqual(aws.config.region, "us-west-2", "'aws.config.region' not the expected value.");
63 | }
64 | 


--------------------------------------------------------------------------------
/tests/integration/runtime_data/policy-pack/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "aws-typescript",
 3 |     "version": "0.0.1",
 4 |     "dependencies": {
 5 |         "@pulumi/policy": "latest",
 6 |         "@pulumi/pulumi": "^3.0.0",
 7 |         "@pulumi/aws": "^4.0.0"
 8 |     },
 9 |     "devDependencies": {
10 |         "@types/node": "^10.0.0"
11 |     }
12 | }
13 | 


--------------------------------------------------------------------------------
/tests/integration/runtime_data/policy-pack/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "outDir": "bin",
 4 |         "target": "es6",
 5 |         "module": "commonjs",
 6 |         "moduleResolution": "node",
 7 |         "declaration": true,
 8 |         "sourceMap": false,
 9 |         "stripInternal": true,
10 |         "experimentalDecorators": true,
11 |         "pretty": true,
12 |         "noFallthroughCasesInSwitch": true,
13 |         "noImplicitAny": true,
14 |         "noImplicitReturns": true,
15 |         "forceConsistentCasingInFileNames": true,
16 |         "strictNullChecks": true,
17 |     },
18 |     "files": [
19 |         "index.ts"
20 |     ]
21 | }
22 | 


--------------------------------------------------------------------------------
/tests/integration/runtime_data/program/Pulumi.yaml:
--------------------------------------------------------------------------------
1 | name: runtime_data
2 | runtime: nodejs
3 | description: >
4 |     A test program that creates a dynamic resource that passes along runtime data (as inputs & outputs) that the Policy
5 |     Pack will use to confirm it sees the same runtime data.
6 | 


--------------------------------------------------------------------------------
/tests/integration/runtime_data/program/index.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2019, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as pulumi from "@pulumi/pulumi";
 4 | 
 5 | import { Resource } from "./resource";
 6 | 
 7 | // Create a dynamic resource that passes along runtime data in its inputs and outputs.
 8 | // The policy pack will confirm it sees the same data.
 9 | const hello = new Resource("Hello", {
10 |     allConfig: pulumi.runtime.allConfig(),
11 |     getProject: pulumi.getProject(),
12 |     getStack: pulumi.getStack(),
13 |     isDryRun: pulumi.runtime.isDryRun(),
14 | });
15 | 


--------------------------------------------------------------------------------
/tests/integration/runtime_data/program/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "typescript",
 3 |     "devDependencies": {
 4 |         "@types/node": "^10.0.0"
 5 |     },
 6 |     "dependencies": {
 7 |         "@pulumi/pulumi": "^3.0.0"
 8 |     }
 9 | }
10 | 


--------------------------------------------------------------------------------
/tests/integration/runtime_data/program/resource.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2019, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as pulumi from "@pulumi/pulumi";
 4 | 
 5 | let currentID = 0;
 6 | 
 7 | export class Provider implements pulumi.dynamic.ResourceProvider {
 8 |     public static readonly instance = new Provider();
 9 | 
10 |     public async create(inputs: any) {
11 |         return {
12 |             id: (currentID++).toString(),
13 |             outs: inputs, // propagate inputs to outputs.
14 |         };
15 |     }
16 | }
17 | 
18 | export class Resource extends pulumi.dynamic.Resource {
19 |     public isInstance(o: any): o is Resource {
20 |         return o.__pulumiType === "pulumi-nodejs:dynamic:Resource";
21 |     }
22 | 
23 |     constructor(name: string, args: ResourceArgs, opts?: pulumi.ResourceOptions) {
24 |         super(Provider.instance, name, args, opts);
25 |     }
26 | }
27 | 
28 | export interface ResourceArgs {
29 |     allConfig: {[key: string]: string};
30 |     getProject: string;
31 |     getStack: string;
32 |     isDryRun: boolean;
33 | }
34 | 


--------------------------------------------------------------------------------
/tests/integration/runtime_data/program/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "strict": true,
 4 |         "outDir": "bin",
 5 |         "target": "es2016",
 6 |         "module": "commonjs",
 7 |         "moduleResolution": "node",
 8 |         "sourceMap": true,
 9 |         "experimentalDecorators": true,
10 |         "pretty": true,
11 |         "noFallthroughCasesInSwitch": true,
12 |         "noImplicitReturns": true,
13 |         "forceConsistentCasingInFileNames": true
14 |     },
15 |     "files": [
16 |         "index.ts",
17 |         "resource.ts"
18 |     ]
19 | }
20 | 


--------------------------------------------------------------------------------
/tests/integration/unknown_values/policy-pack-python/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | runtime: python
2 | 


--------------------------------------------------------------------------------
/tests/integration/unknown_values/policy-pack-python/__main__.py:
--------------------------------------------------------------------------------
 1 | # Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import pulumi
 4 | 
 5 | from pulumi_policy import (
 6 |     EnforcementLevel,
 7 |     PolicyPack,
 8 |     ResourceValidationPolicy,
 9 |     StackValidationPolicy,
10 | )
11 | 
12 | 
13 | def validate_resource(args, report_violation):
14 |     verify(args)
15 | 
16 | 
17 | def remediate_resource(args):
18 |     verify(args)
19 | 
20 | 
21 | def validate_stack(args, report_violation):
22 |     for r in args.resources:
23 |         verify(r)
24 | 
25 | 
26 | def verify(r):
27 |     t = r.resource_type
28 |     if t != "random:index/randomPet:RandomPet":
29 |         return
30 | 
31 |     # Accessing `prefix` is expected to result in a policy violation because its value is unknown
32 |     # during previews given the associated Pulumi program.
33 |     print(r.props["prefix"])
34 | 
35 | 
36 | PolicyPack(
37 |     name="unknown-values-policy",
38 |     policies=[
39 |         ResourceValidationPolicy(
40 |             enforcement_level=EnforcementLevel.REMEDIATE,
41 |             name="unknown-values-resource-validation",
42 |             description="Accessing unknown values during preview results in a violation.",
43 |             validate=validate_resource,
44 |             remediate=remediate_resource,
45 |         ),
46 |         StackValidationPolicy(
47 |             enforcement_level=EnforcementLevel.MANDATORY,
48 |             name="unknown-values-stack-validation",
49 |             description="Accessing unknown values during preview results in a violation.",
50 |             validate=validate_stack,
51 |         ),
52 |     ],
53 | )
54 | 


--------------------------------------------------------------------------------
/tests/integration/unknown_values/policy-pack-python/requirements.txt:
--------------------------------------------------------------------------------
1 | pulumi>=3.157.0,<4.0.0
2 | 


--------------------------------------------------------------------------------
/tests/integration/unknown_values/policy-pack/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | runtime: nodejs
2 | 


--------------------------------------------------------------------------------
/tests/integration/unknown_values/policy-pack/index.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import {
 4 |     PolicyPack,
 5 |     remediateResourceOfType,
 6 |     validateStackResourcesOfType,
 7 |     validateResourceOfType,
 8 | } from "@pulumi/policy";
 9 | 
10 | import * as random from "@pulumi/random";
11 | 
12 | new PolicyPack("unknown-values-policy", {
13 |     policies: [
14 |         {
15 |             name: "unknown-values-resource-validation",
16 |             description: "Accessing unknown values during preview results in a violation.",
17 |             enforcementLevel: "mandatory",
18 |             validateResource: validateResourceOfType(random.RandomPet, (pet, args, reportViolation) => {
19 |                 // Accessing `.prefix` is expected to result in a policy violation because its value is unknown
20 |                 // during previews given the associated Pulumi program.
21 |                 console.log(pet.prefix);
22 |             }),
23 |             remediateResource: remediateResourceOfType(random.RandomPet, (pet, args) => {
24 |                 // Accessing `.prefix` is expected to result in a policy violation because its value is unknown
25 |                 // during previews given the associated Pulumi program.
26 |                 console.log(pet.prefix);
27 |             }),
28 |         },
29 |         {
30 |             name: "unknown-values-stack-validation",
31 |             description: "Accessing unknown values during preview results in a violation.",
32 |             enforcementLevel: "mandatory",
33 |             validateStack: validateStackResourcesOfType(random.RandomPet, (pets, args, reportViolation) => {
34 |                 for (const pet of pets) {
35 |                     // Accessing `.prefix` is expected to result in a policy violation because its value is unknown
36 |                     // during previews given the associated Pulumi program.
37 |                     console.log(pet.prefix);
38 |                 }
39 |             }),
40 |         },
41 |     ],
42 | });
43 | 


--------------------------------------------------------------------------------
/tests/integration/unknown_values/policy-pack/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "unknown-values-policy",
 3 |     "version": "0.0.1",
 4 |     "dependencies": {
 5 |         "@pulumi/policy": "latest",
 6 |         "@pulumi/pulumi": "^3.0.0",
 7 |         "@pulumi/random": "^4.0.0"
 8 |     },
 9 |     "devDependencies": {
10 |         "@types/node": "^10.0.0"
11 |     }
12 | }
13 | 


--------------------------------------------------------------------------------
/tests/integration/unknown_values/policy-pack/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "outDir": "bin",
 4 |         "target": "es6",
 5 |         "module": "commonjs",
 6 |         "moduleResolution": "node",
 7 |         "declaration": true,
 8 |         "sourceMap": false,
 9 |         "stripInternal": true,
10 |         "experimentalDecorators": true,
11 |         "pretty": true,
12 |         "noFallthroughCasesInSwitch": true,
13 |         "noImplicitAny": true,
14 |         "noImplicitReturns": true,
15 |         "forceConsistentCasingInFileNames": true,
16 |         "strictNullChecks": true,
17 |     },
18 |     "files": [
19 |         "index.ts"
20 |     ]
21 | }
22 | 


--------------------------------------------------------------------------------
/tests/integration/unknown_values/program/Pulumi.yaml:
--------------------------------------------------------------------------------
1 | name: unknown_values
2 | runtime: nodejs
3 | description: A program that creates a resource with an unknown value.
4 | 


--------------------------------------------------------------------------------
/tests/integration/unknown_values/program/index.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as random from "@pulumi/random";
 4 | 
 5 | const str = new random.RandomString("str", {
 6 |     length: 10,
 7 | });
 8 | 
 9 | const pet = new random.RandomPet("pet", {
10 |     prefix: str.result,
11 | });
12 | 


--------------------------------------------------------------------------------
/tests/integration/unknown_values/program/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "unknown_values",
 3 |     "devDependencies": {
 4 |         "@types/node": "^10.0.0"
 5 |     },
 6 |     "dependencies": {
 7 |         "@pulumi/random": "^4.0.0"
 8 |     }
 9 | }
10 | 


--------------------------------------------------------------------------------
/tests/integration/unknown_values/program/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "strict": true,
 4 |         "outDir": "bin",
 5 |         "target": "es2016",
 6 |         "module": "commonjs",
 7 |         "moduleResolution": "node",
 8 |         "sourceMap": true,
 9 |         "experimentalDecorators": true,
10 |         "pretty": true,
11 |         "noFallthroughCasesInSwitch": true,
12 |         "noImplicitReturns": true,
13 |         "forceConsistentCasingInFileNames": true
14 |     },
15 |     "files": [
16 |         "index.ts"
17 |     ]
18 | }
19 | 


--------------------------------------------------------------------------------
/tests/integration/validate_python_resource/policy-pack-python/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | runtime: python
2 | 


--------------------------------------------------------------------------------
/tests/integration/validate_python_resource/policy-pack-python/__main__.py:
--------------------------------------------------------------------------------
 1 | # Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | from pulumi_policy import (
 4 |     EnforcementLevel,
 5 |     PolicyPack,
 6 |     ReportViolation,
 7 |     ResourceValidationArgs,
 8 |     ResourceValidationPolicy,
 9 | )
10 | 
11 | def randomuuid_no_keepers_validator(args: ResourceValidationArgs, report_violation: ReportViolation):
12 |     if args.resource_type == "random:index/randomUuid:RandomUuid":
13 |         if "keepers" not in args.props or not args.props["keepers"]:
14 |             report_violation("RandomUuid must not have an empty 'keepers'.")
15 | 
16 | 
17 | randomuuid_no_keepers = ResourceValidationPolicy(
18 |     name="randomuuid-no-keepers",
19 |     description="Prohibits creating a RandomUuid without any 'keepers'.",
20 |     validate=randomuuid_no_keepers_validator,
21 | )
22 | 
23 | PolicyPack(
24 |     name="validate-resource-test-policy",
25 |     enforcement_level=EnforcementLevel.MANDATORY,
26 |     policies=[randomuuid_no_keepers],
27 | )
28 | 


--------------------------------------------------------------------------------
/tests/integration/validate_python_resource/policy-pack/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | description: A Policy Pack for validating test resources.
2 | runtime: nodejs
3 | 


--------------------------------------------------------------------------------
/tests/integration/validate_python_resource/policy-pack/index.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2019, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import { PolicyPack, validateResourceOfType } from "@pulumi/policy";
 4 | import * as random from "@pulumi/random";
 5 | 
 6 | new PolicyPack("validate-resource-test-policy", {
 7 |     policies: [
 8 |         {
 9 |             name: "randomuuid-no-keepers",
10 |             description: "Prohibits creating a RandomUuid without any 'keepers'.",
11 |             enforcementLevel: "mandatory",
12 |             validateResource: validateResourceOfType(random.RandomUuid, (it, args, reportViolation) => {
13 |                 if (!it.keepers || Object.keys(it.keepers).length === 0) {
14 |                     reportViolation("RandomUuid must not have an empty 'keepers'.")
15 |                 }
16 |             }),
17 |         },
18 |     ],
19 | });
20 | 


--------------------------------------------------------------------------------
/tests/integration/validate_python_resource/policy-pack/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "aws-typescript",
 3 |     "version": "0.0.1",
 4 |     "dependencies": {
 5 |         "@pulumi/policy": "latest",
 6 |         "@pulumi/pulumi": "^3.0.0",
 7 |         "@pulumi/random": "^4.0.0"
 8 |     },
 9 |     "devDependencies": {
10 |         "@types/node": "^10.0.0"
11 |     }
12 | }
13 | 


--------------------------------------------------------------------------------
/tests/integration/validate_python_resource/policy-pack/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "outDir": "bin",
 4 |         "target": "es6",
 5 |         "module": "commonjs",
 6 |         "moduleResolution": "node",
 7 |         "declaration": true,
 8 |         "sourceMap": false,
 9 |         "stripInternal": true,
10 |         "experimentalDecorators": true,
11 |         "pretty": true,
12 |         "noFallthroughCasesInSwitch": true,
13 |         "noImplicitAny": true,
14 |         "noImplicitReturns": true,
15 |         "forceConsistentCasingInFileNames": true,
16 |         "strictNullChecks": true,
17 |     },
18 |     "files": [
19 |         "index.ts"
20 |     ]
21 | }
22 | 


--------------------------------------------------------------------------------
/tests/integration/validate_python_resource/program/.gitignore:
--------------------------------------------------------------------------------
1 | *.pyc
2 | venv/
3 | 


--------------------------------------------------------------------------------
/tests/integration/validate_python_resource/program/Pulumi.yaml:
--------------------------------------------------------------------------------
1 | name: validate_python_resource
2 | runtime: python
3 | description: A test Python program.
4 | 


--------------------------------------------------------------------------------
/tests/integration/validate_python_resource/program/__main__.py:
--------------------------------------------------------------------------------
 1 | import pulumi
 2 | import pulumi_random
 3 | 
 4 | config = pulumi.Config()
 5 | testScenario = config.require_int("scenario")
 6 | 
 7 | if testScenario == 1:
 8 |     r1 = pulumi_random.RandomUuid("r1")
 9 | elif testScenario == 2:
10 |     r2 = pulumi_random.RandomUuid("r2", keepers={})
11 | elif testScenario == 3:
12 |     r3 = pulumi_random.RandomUuid("r3", keepers={ "foo": "bar" })
13 | 


--------------------------------------------------------------------------------
/tests/integration/validate_python_resource/program/requirements.txt:
--------------------------------------------------------------------------------
1 | pulumi>=3.157.0,<4.0.0
2 | pulumi-random>=4.0.0,<5.0.0
3 | 


--------------------------------------------------------------------------------
/tests/integration/validate_resource/policy-pack-python/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | runtime: python
2 | 


--------------------------------------------------------------------------------
/tests/integration/validate_resource/policy-pack-python/__main__.py:
--------------------------------------------------------------------------------
 1 | # Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | from pulumi_policy import (
 4 |     EnforcementLevel,
 5 |     PolicyPack,
 6 |     ReportViolation,
 7 |     ResourceValidationArgs,
 8 |     ResourceValidationPolicy,
 9 | )
10 | 
11 | def dynamic_no_state_with_value_1(args: ResourceValidationArgs, report_violation: ReportViolation):
12 |     if args.resource_type == "pulumi-nodejs:dynamic:Resource":
13 |         if "state" in args.props and args.props["state"] == 1:
14 |             report_violation("'state' must not have the value 1.")
15 | 
16 | def dynamic_no_state_with_value_2(args: ResourceValidationArgs, report_violation: ReportViolation):
17 |     if args.resource_type == "pulumi-nodejs:dynamic:Resource":
18 |         if "state" in args.props and args.props["state"] == 2:
19 |             report_violation("'state' must not have the value 2.")
20 | 
21 | def dynamic_no_state_with_value_3(args: ResourceValidationArgs, report_violation: ReportViolation):
22 |     if args.resource_type == "pulumi-nodejs:dynamic:Resource":
23 |         if "state" in args.props and args.props["state"] == 3:
24 |             report_violation("'state' must not have the value 3.")
25 | 
26 | def dynamic_no_state_with_value_4(args: ResourceValidationArgs, report_violation: ReportViolation):
27 |     if args.resource_type == "pulumi-nodejs:dynamic:Resource":
28 |         if "state" in args.props and args.props["state"] == 4:
29 |             report_violation("'state' must not have the value 4.")
30 | 
31 | # Note: In the NodeJS Policy Pack, this is a strongly-typed policy, but since Python
32 | # does not yet support filtering by type, this is checking the type directly.
33 | def randomuuid_no_keepers(args: ResourceValidationArgs, report_violation: ReportViolation):
34 |     if args.resource_type == "random:index/randomUuid:RandomUuid":
35 |         if "keepers" not in args.props or not args.props["keepers"]:
36 |             report_violation("RandomUuid must not have an empty 'keepers'.")
37 | 
38 | def dynamic_no_state_with_value_5(args: ResourceValidationArgs, report_violation: ReportViolation):
39 |     if args.resource_type == "pulumi-nodejs:dynamic:Resource":
40 |         if "state" in args.props and args.props["state"] == 5:
41 |             report_violation("'state' must not have the value 5.", "some-urn")
42 | 
43 | def large_resource(args: ResourceValidationArgs, report_violation: ReportViolation):
44 |     if args.resource_type == "pulumi-nodejs:dynamic:Resource":
45 |         if "state" in args.props and args.props["state"] == 6:
46 |             long_string = "a" * 5 * 1024 * 1024
47 |             expected = len(long_string)
48 |             result = len(args.props["longString"])
49 |             if result != expected:
50 |                 report_violation(f"'longString' had expected length of {expected}, got {result}")
51 | 
52 | 
53 | PolicyPack(
54 |     name="validate-resource-test-policy",
55 |     enforcement_level=EnforcementLevel.MANDATORY,
56 |     policies=[
57 |         ResourceValidationPolicy(
58 |             name="dynamic-no-state-with-value-1",
59 |             description="Prohibits setting state to 1 on dynamic resources.",
60 |             validate=dynamic_no_state_with_value_1,
61 |         ),
62 |         ResourceValidationPolicy(
63 |             name="dynamic-no-state-with-value-2",
64 |             description="Prohibits setting state to 2 on dynamic resources.",
65 |             validate=dynamic_no_state_with_value_2,
66 |         ),
67 |         ResourceValidationPolicy(
68 |             name="dynamic-no-state-with-value-3-or-4",
69 |             description="Prohibits setting state to 3 or 4 on dynamic resources.",
70 |             validate=[
71 |                 dynamic_no_state_with_value_3,
72 |                 dynamic_no_state_with_value_4,
73 |             ],
74 |         ),
75 |         ResourceValidationPolicy(
76 |             name="randomuuid-no-keepers",
77 |             description="Prohibits creating a RandomUuid without any 'keepers'.",
78 |             validate=randomuuid_no_keepers,
79 |         ),
80 |         ResourceValidationPolicy(
81 |             name="dynamic-no-state-with-value-5",
82 |             description="Prohibits setting state to 5 on dynamic resources.",
83 |             validate=dynamic_no_state_with_value_5,
84 |         ),
85 |         ResourceValidationPolicy(
86 |             name="large-resource",
87 |             description="Ensures that large string properties are set properly.",
88 |             validate=large_resource,
89 |         )
90 |     ],
91 | )
92 | 


--------------------------------------------------------------------------------
/tests/integration/validate_resource/policy-pack/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | description: A Policy Pack for validating test resources.
2 | runtime: nodejs
3 | 


--------------------------------------------------------------------------------
/tests/integration/validate_resource/policy-pack/index.ts:
--------------------------------------------------------------------------------
  1 | // Copyright 2016-2019, Pulumi Corporation.  All rights reserved.
  2 | 
  3 | import { PolicyPack, validateResourceOfType } from "@pulumi/policy";
  4 | import * as random from "@pulumi/random";
  5 | 
  6 | new PolicyPack("validate-resource-test-policy", {
  7 |     policies: [
  8 |         {
  9 |             name: "dynamic-no-state-with-value-1",
 10 |             description: "Prohibits setting state to 1 on dynamic resources.",
 11 |             enforcementLevel: "mandatory",
 12 |             validateResource: (args, reportViolation) => {
 13 |                 if (args.type === "pulumi-nodejs:dynamic:Resource") {
 14 |                     if (args.props.state === 1) {
 15 |                         reportViolation("'state' must not have the value 1.")
 16 |                     }
 17 |                 }
 18 |             },
 19 |         },
 20 |         // More than one policy.
 21 |         {
 22 |             name: "dynamic-no-state-with-value-2",
 23 |             description: "Prohibits setting state to 2 on dynamic resources.",
 24 |             enforcementLevel: "mandatory",
 25 |             validateResource: (args, reportViolation) => {
 26 |                 if (args.type === "pulumi-nodejs:dynamic:Resource") {
 27 |                     if (args.props.state === 2) {
 28 |                         reportViolation("'state' must not have the value 2.")
 29 |                     }
 30 |                 }
 31 |             },
 32 |         },
 33 |         // Multiple validateResource callbacks.
 34 |         {
 35 |             name: "dynamic-no-state-with-value-3-or-4",
 36 |             description: "Prohibits setting state to 3 or 4 on dynamic resources.",
 37 |             enforcementLevel: "mandatory",
 38 |             validateResource: [
 39 |                 (args, reportViolation) => {
 40 |                     if (args.type === "pulumi-nodejs:dynamic:Resource") {
 41 |                         if (args.props.state === 3) {
 42 |                             reportViolation("'state' must not have the value 3.")
 43 |                         }
 44 |                     }
 45 |                 },
 46 |                 (args, reportViolation) => {
 47 |                     if (args.type === "pulumi-nodejs:dynamic:Resource") {
 48 |                         if (args.props.state === 4) {
 49 |                             reportViolation("'state' must not have the value 4.")
 50 |                         }
 51 |                     }
 52 |                 },
 53 |             ],
 54 |         },
 55 |         // Strongly-typed.
 56 |         {
 57 |             name: "randomuuid-no-keepers",
 58 |             description: "Prohibits creating a RandomUuid without any 'keepers'.",
 59 |             enforcementLevel: "mandatory",
 60 |             validateResource: validateResourceOfType(random.RandomUuid, (it, args, reportViolation) => {
 61 |                 if (!it.keepers || Object.keys(it.keepers).length === 0) {
 62 |                     reportViolation("RandomUuid must not have an empty 'keepers'.")
 63 |                 }
 64 |             }),
 65 |         },
 66 |         // Specifying a URN explicitly has no affect for validateResource.
 67 |         {
 68 |             name: "dynamic-no-state-with-value-5",
 69 |             description: "Prohibits setting state to 5 on dynamic resources.",
 70 |             enforcementLevel: "mandatory",
 71 |             validateResource: (args, reportViolation) => {
 72 |                 if (args.type === "pulumi-nodejs:dynamic:Resource") {
 73 |                     if (args.props.state === 5) {
 74 |                         reportViolation("'state' must not have the value 5.", "some-urn")
 75 |                     }
 76 |                 }
 77 |             },
 78 |         },
 79 |         // Validate other type checks work as expected.
 80 |         {
 81 |             name: "test-type-checks",
 82 |             description: "Policy used to test type checks.",
 83 |             enforcementLevel: "mandatory",
 84 |             validateResource: (args, reportViolation) => {
 85 |                 if (args.type !== "random:index/randomPassword:RandomPassword") {
 86 |                     return;
 87 |                 }
 88 |                 if (!args.isType(random.RandomPassword)) {
 89 |                     throw new Error("`isType` did not return the expected value.");
 90 |                 }
 91 |                 const randomPassword = args.asType(random.RandomPassword);
 92 |                 if (!randomPassword) {
 93 |                     throw new Error("`asType` did not return the expected value.");
 94 |                 }
 95 |                 if (randomPassword.length !== 42) {
 96 |                     throw new Error("`randomPassword.length` did not return the expected value.");
 97 |                 }
 98 |             },
 99 |         },
100 |         // Ensure that the resource can contain large strings.
101 |         {
102 |             name: "large-resource",
103 |             description: "Ensures that large string properties are set properly.",
104 |             enforcementLevel: "mandatory",
105 |             validateResource: (args) => {
106 |                 if (args.type === "pulumi-nodejs:dynamic:Resource") {
107 |                     if (args.props.state === 6) {
108 |                         const longString = "a".repeat(5 * 1024 * 1024);
109 |                         const expected = longString.length;
110 |                         const result = args.props.longString.length;
111 |                         if (result !== expected) {
112 |                             throw new Error(`'longString' had expected length of ${expected}, got ${result}`);
113 |                         }
114 |                     }
115 |                 }
116 |             },
117 |         }
118 |     ],
119 | });
120 | 


--------------------------------------------------------------------------------
/tests/integration/validate_resource/policy-pack/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "aws-typescript",
 3 |     "version": "0.0.1",
 4 |     "dependencies": {
 5 |         "@pulumi/policy": "latest",
 6 |         "@pulumi/pulumi": "^3.0.0",
 7 |         "@pulumi/random": "^4.0.0"
 8 |     },
 9 |     "devDependencies": {
10 |         "@types/node": "^10.0.0"
11 |     }
12 | }
13 | 


--------------------------------------------------------------------------------
/tests/integration/validate_resource/policy-pack/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "outDir": "bin",
 4 |         "target": "es6",
 5 |         "module": "commonjs",
 6 |         "moduleResolution": "node",
 7 |         "declaration": true,
 8 |         "sourceMap": false,
 9 |         "stripInternal": true,
10 |         "experimentalDecorators": true,
11 |         "pretty": true,
12 |         "noFallthroughCasesInSwitch": true,
13 |         "noImplicitAny": true,
14 |         "noImplicitReturns": true,
15 |         "forceConsistentCasingInFileNames": true,
16 |         "strictNullChecks": true,
17 |     },
18 |     "files": [
19 |         "index.ts"
20 |     ]
21 | }
22 | 


--------------------------------------------------------------------------------
/tests/integration/validate_resource/program/Pulumi.yaml:
--------------------------------------------------------------------------------
1 | name: validate_resource
2 | runtime: nodejs
3 | description: A program that creates some dynamic resources for testing.
4 | 


--------------------------------------------------------------------------------
/tests/integration/validate_resource/program/index.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2019, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as pulumi from "@pulumi/pulumi";
 4 | import * as random from "@pulumi/random";
 5 | import { Resource } from "./resource";
 6 | 
 7 | const config = new pulumi.Config();
 8 | const testScenario = config.requireNumber("scenario");
 9 | 
10 | switch (testScenario) {
11 |     case 1:
12 |         // Don't create any resources.
13 |         break;
14 | 
15 |     case 2:
16 |         // Create a resource that doesn't violate any policies.
17 |         const hello = new Resource("hello", { hello: "world" });
18 |         break;
19 | 
20 |     case 3:
21 |         // Violates the first policy.
22 |         const a = new Resource("a", { state: 1 });
23 |         break;
24 | 
25 |     case 4:
26 |         // Violates the second policy.
27 |         const b = new Resource("b", { state: 2 });
28 |         break;
29 | 
30 |     case 5:
31 |         // Violates the first validation function of the third policy.
32 |         const c = new Resource("c", { state: 3 });
33 |         break;
34 | 
35 |     case 6:
36 |         // Violates the second validation function of the third policy.
37 |         const d = new Resource("d", { state: 4 });
38 |         break;
39 | 
40 |     case 7:
41 |         // Violates the fourth policy.
42 |         const r1 = new random.RandomUuid("r1");
43 |         break;
44 | 
45 |     case 8:
46 |         // Doesn't violate the fourth policy.
47 |         const r2 = new random.RandomUuid("r2", {
48 |             keepers: {
49 |                 foo: "bar",
50 |             },
51 |         });
52 |         break;
53 | 
54 |     case 9:
55 |         // Violates the fifth policy.
56 |         const e = new Resource("e", { state: 5 });
57 |         break;
58 | 
59 |     case 10:
60 |         // Create a resource to test the strongly-typed helpers.
61 |         const pass = new random.RandomPassword("pass", {
62 |             length: 42,
63 |         });
64 |         break;
65 | 
66 |     case 11:
67 |         // Create a resource with a large string property.
68 |         const longString = "a".repeat(5 * 1024 * 1024);
69 |         const largeStringResource = new Resource("large-resource", { state: 6, longString })
70 | }
71 | 


--------------------------------------------------------------------------------
/tests/integration/validate_resource/program/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "typescript",
 3 |     "devDependencies": {
 4 |         "@types/node": "^10.0.0"
 5 |     },
 6 |     "dependencies": {
 7 |         "@pulumi/pulumi": "^3.0.0",
 8 |         "@pulumi/random": "^4.0.0"
 9 |     }
10 | }
11 | 


--------------------------------------------------------------------------------
/tests/integration/validate_resource/program/resource.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2019, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as pulumi from "@pulumi/pulumi";
 4 | 
 5 | let currentID = 0;
 6 | 
 7 | export class Provider implements pulumi.dynamic.ResourceProvider {
 8 |     public static readonly instance = new Provider();
 9 | 
10 |     public async create(inputs: any) {
11 |         return {
12 |             id: (currentID++).toString(),
13 |             outs: undefined,
14 |         };
15 |     }
16 | }
17 | 
18 | export class Resource extends pulumi.dynamic.Resource {
19 |     public isInstance(o: any): o is Resource {
20 |         return o.__pulumiType === "pulumi-nodejs:dynamic:Resource";
21 |     }
22 | 
23 |     constructor(name: string, props: pulumi.Inputs, opts?: pulumi.ResourceOptions) {
24 |         super(Provider.instance, name, props, opts);
25 |     }
26 | }
27 | 


--------------------------------------------------------------------------------
/tests/integration/validate_resource/program/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "strict": true,
 4 |         "outDir": "bin",
 5 |         "target": "es2016",
 6 |         "module": "commonjs",
 7 |         "moduleResolution": "node",
 8 |         "sourceMap": true,
 9 |         "experimentalDecorators": true,
10 |         "pretty": true,
11 |         "noFallthroughCasesInSwitch": true,
12 |         "noImplicitReturns": true,
13 |         "forceConsistentCasingInFileNames": true
14 |     },
15 |     "files": [
16 |         "index.ts",
17 |         "resource.ts"
18 |     ]
19 | }
20 | 


--------------------------------------------------------------------------------
/tests/integration/validate_stack/policy-pack-python/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | runtime: python
2 | 


--------------------------------------------------------------------------------
/tests/integration/validate_stack/policy-pack-python/__main__.py:
--------------------------------------------------------------------------------
 1 | # Copyright 2016-2020, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | from pulumi_policy import (
 4 |     EnforcementLevel,
 5 |     PolicyPack,
 6 |     ReportViolation,
 7 |     StackValidationArgs,
 8 |     StackValidationPolicy,
 9 | )
10 | 
11 | def dynamic_no_state_with_value_1(args: StackValidationArgs, report_violation: ReportViolation):
12 |     for r in args.resources:
13 |         if r.resource_type == "pulumi-nodejs:dynamic:Resource":
14 |             if "state" in r.props and r.props["state"] == 1:
15 |                 report_violation("'state' must not have the value 1.")
16 | 
17 | def dynamic_no_state_with_value_2(args: StackValidationArgs, report_violation: ReportViolation):
18 |     for r in args.resources:
19 |         if r.resource_type == "pulumi-nodejs:dynamic:Resource":
20 |             if "state" in r.props and r.props["state"] == 2:
21 |                 report_violation("'state' must not have the value 2.")
22 | 
23 | def dynamic_no_state_with_value_3(args: StackValidationArgs, report_violation: ReportViolation):
24 |     for r in args.resources:
25 |         if r.resource_type == "pulumi-nodejs:dynamic:Resource":
26 |             if "state" in r.props and r.props["state"] == 3:
27 |                 report_violation("'state' must not have the value 3.", r.urn)
28 | 
29 | # Note: In the NodeJS Policy Pack, this is a strongly-typed policy, but since Python
30 | # does not yet support filtering by type, this is checking the type directly.
31 | def randomuuid_no_keepers(args: StackValidationArgs, report_violation: ReportViolation):
32 |     for r in args.resources:
33 |         if r.resource_type == "random:index/randomUuid:RandomUuid":
34 |             if "keepers" not in r.props or not r.props["keepers"]:
35 |                 report_violation("RandomUuid must not have an empty 'keepers'.")
36 | 
37 | # Note: In the NodeJS Policy Pack, this uses the `isType` helper.
38 | def no_randomstrings(args: StackValidationArgs, report_violation: ReportViolation):
39 |     for r in args.resources:
40 |         if r.resource_type == "random:index/randomString:RandomString":
41 |             report_violation("RandomString resources are not allowed.")
42 | 
43 | def dynamic_no_foo_with_value_bar(args: StackValidationArgs, report_violation: ReportViolation):
44 |     for r in args.resources:
45 |         if r.resource_type == "pulumi-nodejs:dynamic:Resource":
46 |             if "foo" in r.props and r.props["foo"] == "bar":
47 |                 report_violation("'foo' must not have the value 'bar'.")
48 | 
49 | PolicyPack(
50 |     name="validate-stack-test-policy",
51 |     enforcement_level=EnforcementLevel.MANDATORY,
52 |     policies=[
53 |         StackValidationPolicy(
54 |             name="dynamic-no-state-with-value-1",
55 |             description="Prohibits setting state to 1 on dynamic resources.",
56 |             validate=dynamic_no_state_with_value_1,
57 |         ),
58 |         # More than one policy.
59 |         StackValidationPolicy(
60 |             name="dynamic-no-state-with-value-2",
61 |             description="Prohibits setting state to 2 on dynamic resources.",
62 |             validate=dynamic_no_state_with_value_2,
63 |         ),
64 |         # Policy that specifies the URN of the resource violating the policy.
65 |         StackValidationPolicy(
66 |             name="dynamic-no-state-with-value-3",
67 |             description="Prohibits setting state to 3 on dynamic resources.",
68 |             validate=dynamic_no_state_with_value_3,
69 |         ),
70 |         StackValidationPolicy(
71 |             name="randomuuid-no-keepers",
72 |             description="Prohibits creating a RandomUuid without any 'keepers'.",
73 |             validate=randomuuid_no_keepers,
74 |         ),
75 |         StackValidationPolicy(
76 |             name="no-randomstrings",
77 |             description="Prohibits RandomString resources.",
78 |             validate=no_randomstrings,
79 |         ),
80 |         # Stack policies with an enforcement level of remediate are treated as mandatory.
81 |         StackValidationPolicy(
82 |             name="dynamic-no-foo-with-value-bar",
83 |             description="Prohibits setting foo to 'bar' on dynamic resources.",
84 |             enforcement_level=EnforcementLevel.REMEDIATE,
85 |             validate=dynamic_no_foo_with_value_bar,
86 |         ),
87 |     ],
88 | )
89 | 


--------------------------------------------------------------------------------
/tests/integration/validate_stack/policy-pack/PulumiPolicy.yaml:
--------------------------------------------------------------------------------
1 | description: A Policy Pack for validating a test stack.
2 | runtime: nodejs
3 | 


--------------------------------------------------------------------------------
/tests/integration/validate_stack/policy-pack/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "validate-stack-policy",
 3 |     "version": "0.0.1",
 4 |     "dependencies": {
 5 |         "@pulumi/policy": "latest",
 6 |         "@pulumi/pulumi": "^3.0.0",
 7 |         "@pulumi/random": "^4.0.0"
 8 |     },
 9 |     "devDependencies": {
10 |         "@types/node": "^10.0.0"
11 |     }
12 | }
13 | 


--------------------------------------------------------------------------------
/tests/integration/validate_stack/policy-pack/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "outDir": "bin",
 4 |         "target": "es6",
 5 |         "module": "commonjs",
 6 |         "moduleResolution": "node",
 7 |         "declaration": true,
 8 |         "sourceMap": false,
 9 |         "stripInternal": true,
10 |         "experimentalDecorators": true,
11 |         "pretty": true,
12 |         "noFallthroughCasesInSwitch": true,
13 |         "noImplicitAny": true,
14 |         "noImplicitReturns": true,
15 |         "forceConsistentCasingInFileNames": true,
16 |         "strictNullChecks": true,
17 |     },
18 |     "files": [
19 |         "index.ts"
20 |     ]
21 | }
22 | 


--------------------------------------------------------------------------------
/tests/integration/validate_stack/program/Pulumi.yaml:
--------------------------------------------------------------------------------
1 | name: validate_stack
2 | runtime: nodejs
3 | description: A program that creates some dynamic resources for testing.
4 | 


--------------------------------------------------------------------------------
/tests/integration/validate_stack/program/index.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2019, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as pulumi from "@pulumi/pulumi";
 4 | import * as random from "@pulumi/random";
 5 | import { Resource } from "./resource";
 6 | 
 7 | const config = new pulumi.Config();
 8 | const testScenario = config.getNumber("scenario");
 9 | 
10 | switch (testScenario) {
11 |     case 1:
12 |         // Don't create any resources.
13 |         break;
14 | 
15 |     case 2:
16 |         // Create a resource that doesn't violate any policies.
17 |         const hello = new Resource("hello", { hello: "world" });
18 |         break;
19 | 
20 |     case 3:
21 |         // Violates the first policy.
22 |         const a = new Resource("a", { state: 1 });
23 |         break;
24 | 
25 |     case 4:
26 |         // Violates the second policy.
27 |         const b = new Resource("b", { state: 2 });
28 |         break;
29 | 
30 |     case 5:
31 |         // Violates the third policy.
32 |         const c = new Resource("c", { state: 3 });
33 |         break;
34 | 
35 |     case 6:
36 |         // Violates the fourth policy.
37 |         const r1 = new random.RandomUuid("r1");
38 |         break;
39 | 
40 |     case 7:
41 |         // Violates the fifth policy.
42 |         const r2 = new random.RandomString("r2", {
43 |             length: 10,
44 |         });
45 |         break;
46 | 
47 |     case 8:
48 |         // Create a resource to test the strongly-typed helpers.
49 |         const r3 = new random.RandomPassword("r3", {
50 |             length: 42,
51 |         });
52 |         break;
53 | 
54 |     case 9:
55 |         // Create several resources of the same type to validate
56 |         // resource filtering by type.
57 |         const x = new random.RandomInteger("x", { min: 0, max: 10 });
58 |         const y = new random.RandomInteger("y", { min: 0, max: 10 });
59 |         const z = new random.RandomInteger("z", { min: 0, max: 10 });
60 |         break;
61 | 
62 |     case 10:
63 |         // Create a resource that will cause a stack policy with an
64 |         // enforcement level of "remediate" to report a violation
65 |         // successfully. It should be treated as "mandatory" rather
66 |         // than "remediate".
67 |         const d = new Resource("d", { foo: "bar" });
68 |         break;
69 | }
70 | 


--------------------------------------------------------------------------------
/tests/integration/validate_stack/program/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "typescript",
 3 |     "devDependencies": {
 4 |         "@types/node": "^10.0.0"
 5 |     },
 6 |     "dependencies": {
 7 |         "@pulumi/pulumi": "^3.0.0",
 8 |         "@pulumi/random": "^4.0.0"
 9 |     }
10 | }
11 | 


--------------------------------------------------------------------------------
/tests/integration/validate_stack/program/resource.ts:
--------------------------------------------------------------------------------
 1 | // Copyright 2016-2019, Pulumi Corporation.  All rights reserved.
 2 | 
 3 | import * as pulumi from "@pulumi/pulumi";
 4 | 
 5 | let currentID = 0;
 6 | 
 7 | export class Provider implements pulumi.dynamic.ResourceProvider {
 8 |     public static readonly instance = new Provider();
 9 | 
10 |     public async create(inputs: any) {
11 |         return {
12 |             id: (currentID++).toString(),
13 |             outs: { ...inputs },
14 |         };
15 |     }
16 | }
17 | 
18 | export class Resource extends pulumi.dynamic.Resource {
19 |     public isInstance(o: any): o is Resource {
20 |         return o.__pulumiType === "pulumi-nodejs:dynamic:Resource";
21 |     }
22 | 
23 |     constructor(name: string, props: pulumi.Inputs, opts?: pulumi.ResourceOptions) {
24 |         super(Provider.instance, name, props, opts);
25 |     }
26 | }
27 | 


--------------------------------------------------------------------------------
/tests/integration/validate_stack/program/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |         "strict": true,
 4 |         "outDir": "bin",
 5 |         "target": "es2016",
 6 |         "module": "commonjs",
 7 |         "moduleResolution": "node",
 8 |         "sourceMap": true,
 9 |         "experimentalDecorators": true,
10 |         "pretty": true,
11 |         "noFallthroughCasesInSwitch": true,
12 |         "noImplicitReturns": true,
13 |         "forceConsistentCasingInFileNames": true
14 |     },
15 |     "files": [
16 |         "index.ts",
17 |         "resource.ts"
18 |     ]
19 | }
20 | 


--------------------------------------------------------------------------------