
Consider supporting policy transformations #108

Closed
joeduffy opened this issue Sep 16, 2019 · 4 comments
Labels
kind/enhancement Improvements or new features resolution/fixed This issue was fixed

Comments

@joeduffy (Member)

A user had the suggestion to allow write operations from policies. Two examples:

  1. A policy could come packaged with an "auto-fixer" (e.g., "no public load balancers" could automatically turn all load balancers into private ones)
  2. An org-wide transformation could apply a standard rewrite (e.g., "add a standard tag to all resources")

This seems like a very powerful capability — but potentially very dangerous and/or confusing also, and probably one where you'd want dials to control what rewrites were allowed to run where.


joeduffy commented Apr 10, 2020

@lukehoban @leezen , both @clstokes and I had a conversation with a customer today that effectively distills down to this. As they said today, "it's great to block deployments if tags are missing, but even better to just inject the right tags automatically for all of our stacks in the first place." I do wonder where this belongs -- as it's somewhere between transformations and policies.


yellowhat commented Apr 16, 2021

I am trying to create a policy to check for tags:

from pulumi_policy import (
    EnforcementLevel,
    PolicyPack,
    ReportViolation,
    ResourceValidationArgs,
    ResourceValidationPolicy,
)


def tags_validator(args: ResourceValidationArgs, report_violation: ReportViolation):
    # Only inspects resources that expose a "tags" property; a resource
    # with no "tags" key at all is not reported.
    if "tags" in args.props:
        tags = args.props["tags"]
        for tag in ["Project"]:
            if tag not in tags:
                # f-string prefix was missing, so the message showed "{tag}" literally
                report_violation(f"Must have a tag named {tag}")


tags = ResourceValidationPolicy(
    name="tags",
    description="Must have tags and specific one",
    validate=tags_validator,
)

PolicyPack(
    name="azure-python",
    enforcement_level=EnforcementLevel.MANDATORY,
    policies=[
        tags,
    ],
)

But no violation is reported if no tags are assigned to a resource.

Instead using:

    if "tags" not in args.props:
        report_violation("Must have a tags")

will report a violation even if no tags can be assigned to the resource (i.e. azure.network.Subnet).
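The gap described in the comment above is that a single "tags" in args.props test cannot tell "this resource type has no tags input" apart from "this resource should have had tags and does not". The following is an added example (not code from this issue or from Pulumi) that keeps a denylist of untaggable resource types, validates the rest, and also shows the "auto-fixer" side of the original request as a props rewrite. The Subnet type token, the storage account token, the REQUIRED_TAGS value and the build_policy_pack / register_tag_injection wiring functions are assumptions made for the example; the checker itself runs without the Pulumi SDK installed.

```python
from types import SimpleNamespace
from typing import Callable, Dict, Iterable, List

REQUIRED_TAGS = ("Project",)  # assumed required-tag set for this example

# Constructed denylist of resource type tokens whose provider schema has no
# "tags" input, so a "missing tags" violation would be spurious. The Subnet
# token is an assumption based on the comment above; extend this list from
# the provider's schema for a real policy pack.
UNTAGGABLE_TYPES = frozenset({
    "azure:network/subnet:Subnet",
})


def missing_tags(resource_type: str, props: Dict,
                 required: Iterable[str] = REQUIRED_TAGS) -> List[str]:
    """Return one violation message per missing required tag, or [] if compliant.

    Separates the three cases a bare `"tags" in args.props` check conflates:
    a type that cannot carry tags (no violation), a tags property that is absent
    or None (one violation per required tag), and a tags map missing a key.
    """
    if resource_type in UNTAGGABLE_TYPES:
        return []
    tags = props.get("tags") or {}
    if not isinstance(tags, dict):
        return [f"'tags' must be a map, got {type(tags).__name__}"]
    return [f"Must have a tag named {tag}" for tag in required if tag not in tags]


def inject_tags(resource_type: str, props: Dict,
                defaults: Dict[str, str]) -> Dict:
    """The 'auto-fixer' side: return props with missing default tags filled in.

    Tags the user set explicitly win over defaults; untaggable types are untouched.
    """
    if resource_type in UNTAGGABLE_TYPES:
        return props
    merged = dict(defaults)
    merged.update(props.get("tags") or {})
    return {**props, "tags": merged}


def tags_validator(args, report_violation: Callable[[str], None]) -> None:
    """Validator in the shape pulumi_policy calls it: args has .resource_type and .props."""
    for message in missing_tags(args.resource_type, args.props):
        report_violation(message)


def violations_for(resource_type: str, props: Dict) -> List[str]:
    """Drive tags_validator the way the engine would and collect what it reports."""
    reported: List[str] = []
    tags_validator(SimpleNamespace(resource_type=resource_type, props=props),
                   reported.append)
    return reported


def build_policy_pack():
    """Wire the validator into a PolicyPack (requires pulumi_policy to be installed)."""
    from pulumi_policy import EnforcementLevel, PolicyPack, ResourceValidationPolicy
    return PolicyPack(
        name="azure-python",
        enforcement_level=EnforcementLevel.MANDATORY,
        policies=[ResourceValidationPolicy(
            name="tags",
            description="Taggable resources must carry the Project tag",
            validate=tags_validator,
        )],
    )


def register_tag_injection(defaults: Dict[str, str]) -> None:
    """Register inject_tags as a stack transformation (requires the pulumi SDK).

    A stack transformation runs inside the program before the engine sees the
    resource, which is why the rewrite lives here rather than in the policy pack.
    """
    import pulumi

    def transform(args: pulumi.ResourceTransformationArgs):
        new_props = inject_tags(args.type_, dict(args.props), defaults)
        return pulumi.ResourceTransformationResult(new_props, args.opts)

    pulumi.runtime.register_stack_transformation(transform)


if __name__ == "__main__":
    # Constructed sample resources: a taggable storage account and a subnet.
    for rtype, props in [
        ("azure:storage/account:Account", {"tags": {"Env": "prod"}}),
        ("azure:network/subnet:Subnet", {}),
    ]:
        print(rtype, violations_for(rtype, props),
              inject_tags(rtype, props, {"Project": "platform"}))
```

Running the module prints one violation for the storage account (no Project tag) and none for the subnet, and shows the injected props for each; violations_for is what a unit test would call, since it exercises the validator through the same report_violation callback shape the engine uses.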

@infin8x infin8x added kind/enhancement Improvements or new features and removed enhancement labels Jul 10, 2021
@justinvp justinvp removed their assignment Nov 24, 2022
@justinvp justinvp added the resolution/fixed This issue was fixed label Jul 17, 2024
@justinvp (Member)

This was fixed with #314 (and associated CLI changes)

@pulumi-bot pulumi-bot reopened this Jul 17, 2024
@pulumi-bot

Cannot close issue:

  • does not have an assignee

Please fix these problems and try again.

7 participants