-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for writing policies in Go #230
Comments
I was linked here from the Crossguard page and I see this was opened in 2020. Is there any update or timeline for when Go will have support for writing policies? |
Any due date? Thanks!! |
Peeking in., would love this too. |
👍 |
+1 from me. |
Any update on when this might be available in Go? |
+1 from me |
Any update? thanks. |
/assign |
There is an old hackathon project to add a Go SDK: https://github.com/pulumi/pulumi-policy/compare/hackweek/go-policy |
Thank you @justinvp!
Additionally, it fails for me for some reason. I didn't find any differences compared to the GitHub Actions configuration. I will investigate it deeper. I made some simple prototype to keep every runtime isolated during integration tests. I will push it later. |
Yes. The TypeScript implementation does have some more advanced capabilities for filtering to specific resource types, but they're largely equivalent. For the config schema, Python has this, but lacks the full type definitions that are present in TypeScript. I think we could/should extend Python to include type information for this, similar to TypeScript, and the go hackathon branch, using TypedDicts.
Open to it. Ideally more would run in parallel. For example, matrix it out such that each test ran as its own separate GitHub Action job, each of which would be isolated and run in parallel. |
|
The implementation of Go and .NET will require a significant amount of testing. The current integration test system is becoming quite difficult to manage and to use. Integration tests in Docker.Ready to create a pull request Pretty well described in README.md. I tested it extensively. list of commits Just to note, we could reuse GitHub Actions with Act for this purpose, but the GitHub Actions configurations include release steps. Therefore, Docker (or Podman) is more widely applicable in this case. Refactoring of the integration tests runnerMostly done and tested. I refactored many parts of code. Although there are many changes, This small code snippet captures the essence of all the changes. .
|
I also investigated hackweek/go-policy. I couldn't take much from it as it was written (I assume) in a hurry. Still, it was useful to see a solution from a different perspective. Right now, I have implemented a GRPC server that decodes all protobuf objects into types defined in the Pulumi library (mostly from the plugin package). I try to reuse already defined types as much as possible. I am considering what would be the best library interface. 1My first version followed the Python approach. It was pretty straightforward: type Policy struct {
apitype.Policy
ValidateStack []StackValidator
Validate []ResourceValidator
Remediate ResourceRemediator
} The user would only need to fill in Validate, Validate & Remediate, Remediate, or ValidateStack. If the user mixes them, it will fail at runtime. We could provide functions like NewStackValidationPolicy, which would create policies with the correct fields. We could also make these fields private. 2This version is almost the same, except that we have private config and use the Functional Options pattern. So it would look like this: p := apitype.Policy{} // or we also could send every fields separately
NewPolicy(p, WithRemediation(f), WithValidation([]f) .... )
If the user mixes WithValidation with WithStackValidation, it will fail at runtime. This approach also looks more Go-like. 3I don't see much use for generics here. I tried playing around with them but couldn't find a simple way to implement an interface. Violation handling.I was also thinking about whether functions should include a ReportViolation function (more of a "JS style" approach) or be more Go-like and return errors. In hackweek/go-policy the ReportViolation function clearly states that it needs two arguments (though in Python URN is optional), whereas returning an error would require a custom type, and the user would need to remember to fill in both fields. However, when it comes to URNs, we already know the URN (at least in most cases; I’m unsure about StackValidation calls). ConclusionWhile writing down these suggestions, I think I came up with an idea: type Policy struct {
apitype.Policy
validateStack []StackValidator
validate []ResourceValidator
remediate ResourceRemediator
} We would have functions like: NewValidationPolicy(p, []f, WithRemediation(f)) At the same time, I want the PolicyPack to be customizable and allow the injection of custom implementations of pulumirpc.Analyzer and plugin.Analyzer. However, with private fields, users won't be able to inject plugin.Analyzer or reuse PolicyPack. We could define an interface: type PolicyI struct{
Validate()
Remediate()
ValidateStack()
} The official implementation could know which method to call since it would have access to the private fields. However, this might actually be a bad idea because it would require the user to implement both Policy and PolicyPack if they want customize it. |
@justinvp I am currently creating a plugin to run Go policies. I would like to know if I am heading in the right direction.
I have already created a prototype and tested it. Out of curiosity, I considered whether Go plugins might be a good option, but I decided that the compile/gRPC approach is more tested and standardized within the Pulumi ecosystem. If this is the correct approach, should I move the compile logic from sdk/go/pulumi-language-go into a reusable library, or would it be better not to modify this critical code for now? |
I've been looking into different parts of the code and had the idea of compiling I will proceed with the solution I described earlier. |
No description provided.
The text was updated successfully, but these errors were encountered: