2018-05-22 19:43:36 +00:00
|
|
|
// Copyright 2016-2018, Pulumi Corporation.
|
|
|
|
//
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
//
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
Add basic analyzer support
This change introduces the basic requirements for analyzers, as per
pulumi/coconut#119. In particular, an analyzer can implement either,
or both, of the RPC methods, Analyze and AnalyzeResource. The former
is meant to check an overall deployment (e.g., to ensure it has been
signed off on) and the latter is to check individual resources (e.g.,
to ensure properties of them are correct, such as checking style,
security, etc. rules). These run simultaneous to overall checking.
Analyzers are loaded as plugins just like providers are. The difference
is mainly in their naming ("analyzer-" prefix, rather than "resource-"),
and the RPC methods that they support.
This isn't 100% functional since we need a way to specify at the CLI
that a particular analyzer should be run, in addition to a way of
recording which analyzers certain projects should use in their manifests.
2017-03-11 07:49:17 +00:00
|
|
|
|
Overhaul resources, planning, and environments
This change, part of pulumi/lumi#90, overhauls quite a bit of the
core resource, planning, environments, and related areas.
The biggest amount of movement comes from the splitting of pkg/resource
into multiple sub-packages. This results in:
- pkg/resource: just the core resource data structures.
- pkg/resource/deployment: all planning and deployment logic.
- pkg/resource/environment: all environment, configuration, and
serialized checkpoint structures and logic.
- pkg/resource/plugin: all dynamically loaded analyzer and
provider logic, including the actual loading and RPC mechanisms.
This also splits the resource abstraction up. We now have:
- resource.Resource: a shared interface.
- resource.Object: a resource that is connected to a live object
that will periodically observe mutations due to ongoing
evaluation of computations. Snapshots of its state may be
taken; however, this is purely a "pre-planning" abstraction.
- resource.State: a snapshot of a resource's state that is frozen.
In other words, it is no longer connected to a live object.
This is what will store provider outputs (ID and properties),
and is what may be serialized into a deployment record.
The branch is in a half-baked state as of this change; more changes
are to come...
2017-06-08 23:37:40 +00:00
|
|
|
package plugin
|
Add basic analyzer support
This change introduces the basic requirements for analyzers, as per
pulumi/coconut#119. In particular, an analyzer can implement either,
or both, of the RPC methods, Analyze and AnalyzeResource. The former
is meant to check an overall deployment (e.g., to ensure it has been
signed off on) and the latter is to check individual resources (e.g.,
to ensure properties of them are correct, such as checking style,
security, etc. rules). These run simultaneous to overall checking.
Analyzers are loaded as plugins just like providers are. The difference
is mainly in their naming ("analyzer-" prefix, rather than "resource-"),
and the RPC methods that they support.
This isn't 100% functional since we need a way to specify at the CLI
that a particular analyzer should be run, in addition to a way of
recording which analyzers certain projects should use in their manifests.
2017-03-11 07:49:17 +00:00
|
|
|
|
|
|
|
import (
|
|
|
|
"io"
|
|
|
|
|
2021-03-17 13:20:05 +00:00
|
|
|
"github.com/pulumi/pulumi/sdk/v3/go/common/apitype"
|
|
|
|
"github.com/pulumi/pulumi/sdk/v3/go/common/resource"
|
|
|
|
"github.com/pulumi/pulumi/sdk/v3/go/common/tokens"
|
|
|
|
"github.com/pulumi/pulumi/sdk/v3/go/common/workspace"
|
Add basic analyzer support
This change introduces the basic requirements for analyzers, as per
pulumi/coconut#119. In particular, an analyzer can implement either,
or both, of the RPC methods, Analyze and AnalyzeResource. The former
is meant to check an overall deployment (e.g., to ensure it has been
signed off on) and the latter is to check individual resources (e.g.,
to ensure properties of them are correct, such as checking style,
security, etc. rules). These run simultaneous to overall checking.
Analyzers are loaded as plugins just like providers are. The difference
is mainly in their naming ("analyzer-" prefix, rather than "resource-"),
and the RPC methods that they support.
This isn't 100% functional since we need a way to specify at the CLI
that a particular analyzer should be run, in addition to a way of
recording which analyzers certain projects should use in their manifests.
2017-03-11 07:49:17 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// Analyzer provides a pluggable interface for performing arbitrary analysis of entire projects/stacks/snapshots, and/or
|
|
|
|
// individual resources, for arbitrary issues. These might be style, policy, correctness, security, or performance
|
|
|
|
// related. This interface hides the messiness of the underlying machinery, since providers are behind an RPC boundary.
|
|
|
|
type Analyzer interface {
|
|
|
|
// Closer closes any underlying OS resources associated with this provider (like processes, RPC channels, etc).
|
|
|
|
io.Closer
|
2017-06-01 18:41:24 +00:00
|
|
|
// Name fetches an analyzer's qualified name.
|
|
|
|
Name() tokens.QName
|
Make more progress on the new deployment model
This change restructures a lot more pertaining to deployments, snapshots,
environments, and the like.
The most notable change is that the notion of a deploy.Source is introduced,
which splits the responsibility between the deploy.Plan -- which simply
understands how to compute and carry out deployment plans -- and the idea
of something that can produce new objects on-demand during deployment.
The primary such implementation is evalSource, which encapsulates an
interpreter and takes a package, args, and config map, and proceeds to run
the interpreter in a distinct goroutine. It synchronizes as needed to
poke and prod the interpreter along its path to create new resource objects.
There are two other sources, however. First, a nullSource, which simply
refuses to create new objects. This can be handy when writing isolated
tests but is also used to simulate the "empty" environment as necessary to
do a complete teardown of the target environment. Second, a fixedSource,
which takes a pre-computed array of objects, and hands those, in order, to
the planning engine; this is mostly useful as a testing technique.
Boatloads of code is now changed and updated in the various CLI commands.
This further chugs along towards pulumi/lumi#90. The end is in sight.
2017-06-10 18:50:47 +00:00
|
|
|
// Analyze analyzes a single resource object, and returns any errors that it finds.
|
2019-10-25 15:29:02 +00:00
|
|
|
// Is called before the resource is modified.
|
|
|
|
Analyze(r AnalyzerResource) ([]AnalyzeDiagnostic, error)
|
|
|
|
// AnalyzeStack analyzes all resources after a successful preview or update.
|
|
|
|
// Is called after all resources have been processed, and all changes applied.
|
2020-02-08 00:11:34 +00:00
|
|
|
AnalyzeStack(resources []AnalyzerStackResource) ([]AnalyzeDiagnostic, error)
|
2023-10-09 18:31:17 +00:00
|
|
|
// Remediate is given the opportunity to optionally transform a single resource's properties.
|
|
|
|
Remediate(r AnalyzerResource) ([]Remediation, error)
|
2019-06-24 02:02:37 +00:00
|
|
|
// GetAnalyzerInfo returns metadata about the analyzer (e.g., list of policies contained).
|
|
|
|
GetAnalyzerInfo() (AnalyzerInfo, error)
|
2017-12-01 21:50:32 +00:00
|
|
|
// GetPluginInfo returns this plugin's information.
|
2018-02-06 17:57:32 +00:00
|
|
|
GetPluginInfo() (workspace.PluginInfo, error)
|
2020-03-08 21:11:55 +00:00
|
|
|
// Configure configures the analyzer, passing configuration properties for each policy.
|
|
|
|
Configure(policyConfig map[string]AnalyzerPolicyConfig) error
|
Add basic analyzer support
This change introduces the basic requirements for analyzers, as per
pulumi/coconut#119. In particular, an analyzer can implement either,
or both, of the RPC methods, Analyze and AnalyzeResource. The former
is meant to check an overall deployment (e.g., to ensure it has been
signed off on) and the latter is to check individual resources (e.g.,
to ensure properties of them are correct, such as checking style,
security, etc. rules). These run simultaneous to overall checking.
Analyzers are loaded as plugins just like providers are. The difference
is mainly in their naming ("analyzer-" prefix, rather than "resource-"),
and the RPC methods that they support.
This isn't 100% functional since we need a way to specify at the CLI
that a particular analyzer should be run, in addition to a way of
recording which analyzers certain projects should use in their manifests.
2017-03-11 07:49:17 +00:00
|
|
|
}
|
|
|
|
|
2020-02-08 00:11:34 +00:00
|
|
|
// AnalyzerResource mirrors a resource that is passed to `Analyze`.
|
2019-10-25 15:29:02 +00:00
|
|
|
type AnalyzerResource struct {
|
2019-11-21 21:01:15 +00:00
|
|
|
URN resource.URN
|
2019-10-25 15:29:02 +00:00
|
|
|
Type tokens.Type
|
2023-11-20 08:59:00 +00:00
|
|
|
Name string
|
2019-10-25 15:29:02 +00:00
|
|
|
Properties resource.PropertyMap
|
2020-02-08 00:11:34 +00:00
|
|
|
Options AnalyzerResourceOptions
|
|
|
|
Provider *AnalyzerProviderResource
|
|
|
|
}
|
|
|
|
|
|
|
|
// AnalyzerStackResource mirrors a resource that is passed to `AnalyzeStack`.
|
|
|
|
type AnalyzerStackResource struct {
|
|
|
|
AnalyzerResource
|
|
|
|
Parent resource.URN // an optional parent URN for this resource.
|
|
|
|
Dependencies []resource.URN // dependencies of this resource object.
|
|
|
|
PropertyDependencies map[resource.PropertyKey][]resource.URN // the set of dependencies that affect each property.
|
|
|
|
}
|
|
|
|
|
|
|
|
// AnalyzerResourceOptions mirrors resource options sent to the analyzer.
|
|
|
|
type AnalyzerResourceOptions struct {
|
|
|
|
Protect bool // true to protect this resource from deletion.
|
|
|
|
IgnoreChanges []string // a list of property names to ignore during changes.
|
|
|
|
DeleteBeforeReplace *bool // true if this resource should be deleted prior to replacement.
|
|
|
|
AdditionalSecretOutputs []resource.PropertyKey // outputs that should always be treated as secrets.
|
2022-09-21 19:42:24 +00:00
|
|
|
AliasURNs []resource.URN // additional URNs that should be aliased to this resource.
|
2022-09-22 17:13:55 +00:00
|
|
|
Aliases []resource.Alias // additional URNs that should be aliased to this resource.
|
2020-02-08 00:11:34 +00:00
|
|
|
CustomTimeouts resource.CustomTimeouts // an optional config object for resource options
|
|
|
|
}
|
|
|
|
|
|
|
|
// AnalyzerProviderResource mirrors a resource's provider sent to the analyzer.
|
|
|
|
type AnalyzerProviderResource struct {
|
|
|
|
URN resource.URN
|
|
|
|
Type tokens.Type
|
2023-11-20 08:59:00 +00:00
|
|
|
Name string
|
2020-02-08 00:11:34 +00:00
|
|
|
Properties resource.PropertyMap
|
2019-10-25 15:29:02 +00:00
|
|
|
}
|
|
|
|
|
2019-06-10 22:20:44 +00:00
|
|
|
// AnalyzeDiagnostic indicates that resource analysis failed; it contains the property and reason
|
|
|
|
// for the failure.
|
|
|
|
type AnalyzeDiagnostic struct {
|
2019-06-13 23:14:48 +00:00
|
|
|
PolicyName string
|
|
|
|
PolicyPackName string
|
|
|
|
PolicyPackVersion string
|
|
|
|
Description string
|
|
|
|
Message string
|
|
|
|
Tags []string
|
|
|
|
EnforcementLevel apitype.EnforcementLevel
|
2019-11-21 21:01:15 +00:00
|
|
|
URN resource.URN
|
Add basic analyzer support
This change introduces the basic requirements for analyzers, as per
pulumi/coconut#119. In particular, an analyzer can implement either,
or both, of the RPC methods, Analyze and AnalyzeResource. The former
is meant to check an overall deployment (e.g., to ensure it has been
signed off on) and the latter is to check individual resources (e.g.,
to ensure properties of them are correct, such as checking style,
security, etc. rules). These run simultaneous to overall checking.
Analyzers are loaded as plugins just like providers are. The difference
is mainly in their naming ("analyzer-" prefix, rather than "resource-"),
and the RPC methods that they support.
This isn't 100% functional since we need a way to specify at the CLI
that a particular analyzer should be run, in addition to a way of
recording which analyzers certain projects should use in their manifests.
2017-03-11 07:49:17 +00:00
|
|
|
}
|
2019-06-24 02:02:37 +00:00
|
|
|
|
2023-10-09 18:31:17 +00:00
|
|
|
// Remediation indicates that a resource remediation took place, and contains the resulting
|
|
|
|
// transformed properties and associated metadata.
|
|
|
|
type Remediation struct {
|
|
|
|
PolicyName string
|
|
|
|
Description string
|
|
|
|
PolicyPackName string
|
|
|
|
PolicyPackVersion string
|
|
|
|
URN resource.URN
|
|
|
|
Properties resource.PropertyMap
|
|
|
|
Diagnostic string
|
|
|
|
}
|
|
|
|
|
2019-06-24 02:02:37 +00:00
|
|
|
// AnalyzerInfo provides metadata about a PolicyPack inside an analyzer.
|
|
|
|
type AnalyzerInfo struct {
|
2020-03-08 21:11:55 +00:00
|
|
|
Name string
|
|
|
|
DisplayName string
|
|
|
|
Version string
|
|
|
|
SupportsConfig bool
|
|
|
|
Policies []AnalyzerPolicyInfo
|
2020-03-30 19:52:05 +00:00
|
|
|
InitialConfig map[string]AnalyzerPolicyConfig
|
2020-03-08 21:11:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// AnalyzerPolicyInfo defines the metadata for an individual Policy within a Policy Pack.
|
|
|
|
type AnalyzerPolicyInfo struct {
|
|
|
|
// Unique URL-safe name for the policy. This is unique to a specific version
|
|
|
|
// of a Policy Pack.
|
2019-06-24 02:02:37 +00:00
|
|
|
Name string
|
|
|
|
DisplayName string
|
2020-03-08 21:11:55 +00:00
|
|
|
|
|
|
|
// Description is used to provide more context about the purpose of the policy.
|
|
|
|
Description string
|
|
|
|
EnforcementLevel apitype.EnforcementLevel
|
|
|
|
|
|
|
|
// Message is the message that will be displayed to end users when they violate
|
|
|
|
// this policy.
|
|
|
|
Message string
|
|
|
|
|
|
|
|
// ConfigSchema is optional config schema for the policy.
|
|
|
|
ConfigSchema *AnalyzerPolicyConfigSchema
|
|
|
|
}
|
|
|
|
|
|
|
|
// JSONSchema represents a JSON schema.
|
|
|
|
type JSONSchema map[string]interface{}
|
|
|
|
|
|
|
|
// AnalyzerPolicyConfigSchema provides metadata about a policy's configuration.
|
|
|
|
type AnalyzerPolicyConfigSchema struct {
|
|
|
|
// Map of config property names to JSON schema.
|
|
|
|
Properties map[string]JSONSchema
|
|
|
|
|
|
|
|
// Required config properties
|
|
|
|
Required []string
|
|
|
|
}
|
|
|
|
|
|
|
|
// AnalyzerPolicyConfig is the configuration for a policy.
|
|
|
|
type AnalyzerPolicyConfig struct {
|
|
|
|
// Configured enforcement level for the policy.
|
|
|
|
EnforcementLevel apitype.EnforcementLevel
|
|
|
|
// Configured properties of the policy.
|
|
|
|
Properties map[string]interface{}
|
2019-06-24 02:02:37 +00:00
|
|
|
}
|