Add "disabled" value to EnforcementLevel #156

Merged 1 commit on Nov 25, 2019


justinvp
Member

This allows disabling policies. A disabled policy is treated as if it wasn't defined, which means it will be excluded from analyzer info and when analyzing resources and the stack (i.e. the CLI and service don't need to know about "disabled").

@justinvp justinvp added the impact/no-changelog-required This issue doesn't require a CHANGELOG update label Nov 25, 2019
@@ -130,7 +130,17 @@ export function mapEnforcementLevel(el: EnforcementLevel) {
return analyzerproto.EnforcementLevel.ADVISORY;
case "mandatory":
return analyzerproto.EnforcementLevel.MANDATORY;
// Disabled is treated as if the policy was not defined, so the value should not escape over GRPC.
case "disabled":
throw new Error("'disabled' should not escape the GRPC boundary");
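Review bot: The `case "disabled"` branch throws an Error whose message does not say which policy carried the value, so a call site that forgets to filter disabled policies fails with no pointer to the offending policy. Failing closed here is the right choice, since mapping "disabled" to ADVISORY or MANDATORY would silently change enforcement, but consider passing the policy name into the message, or doing the filtering in one helper shared by every call site, with a test asserting that a disabled policy never reaches mapEnforcementLevel. Minor: the comment and the message spell the protocol "GRPC"; "gRPC" is the usual form.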
Contributor

As a first step this is fine, but I think we should wire this through the CLI layer and add some comments in the protobuf, since otherwise an alternate implementation could "leak" the "disabled" bit. Similarly, when we do hook this option up to the Pulumi Service UI, we will need to pass the "disabled" state through the CLI to the policy pack.

Read: it's fine for now, but probably not sufficient for the long run.

Contributor

Yeah, we talked about this, but for now it's nice to not have to touch the service!

@justinvp justinvp merged commit da62c45 into master Nov 25, 2019
@pulumi-bot pulumi-bot deleted the justin/disabled branch November 25, 2019 17:07
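
An added sketch, not code from this pull request or the project, of the behaviour the description states: disabled policies are dropped at one choke point before analyzer info is built or resources are analyzed, with the throw in mapEnforcementLevel as the backstop. The Policy shape, WireLevel, the pack-default fallback, the helper names and the sample data are assumptions.

```typescript
// Added illustration. Only EnforcementLevel and mapEnforcementLevel are names from the PR.
type EnforcementLevel = "advisory" | "mandatory" | "disabled";
type WireLevel = "ADVISORY" | "MANDATORY"; // stand-in for the protobuf enum: no "disabled"
type Resource = Record<string, unknown>;
interface Policy { // hypothetical shape
    name: string;
    enforcementLevel?: EnforcementLevel; // assumed to fall back to a pack default
    validate: (r: Resource) => string | undefined; // returns a violation message
}

function mapEnforcementLevel(el: EnforcementLevel): WireLevel {
    switch (el) {
        case "advisory": return "ADVISORY";
        case "mandatory": return "MANDATORY";
        case "disabled": // guard: reaching this means a caller skipped the filter
            throw new Error("'disabled' should not escape the GRPC boundary");
    }
}

// Single choke point: resolve the effective level, then drop disabled policies.
function enabledPolicies(policies: Policy[], packDefault: EnforcementLevel) {
    return policies
        .map(p => ({ policy: p, level: p.enforcementLevel ?? packDefault }))
        .filter(e => e.level !== "disabled");
}

// What the engine is told exists: disabled policies are simply absent.
function analyzerInfo(policies: Policy[], packDefault: EnforcementLevel) {
    return enabledPolicies(policies, packDefault)
        .map(e => ({ name: e.policy.name, level: mapEnforcementLevel(e.level) }));
}

// Resource analysis: a disabled policy's validate() is never called.
function analyze(policies: Policy[], packDefault: EnforcementLevel, resource: Resource) {
    const out: { policy: string; level: WireLevel; message: string }[] = [];
    for (const e of enabledPolicies(policies, packDefault)) {
        const message = e.policy.validate(resource);
        if (message !== undefined) out.push({ policy: e.policy.name, level: mapEnforcementLevel(e.level), message });
    }
    return out;
}

// Constructed sample pack and resource.
const samplePolicies: Policy[] = [
    { name: "require-tags", enforcementLevel: "mandatory", validate: r => (r.tags ? undefined : "resource has no tags") },
    { name: "no-public-acl", enforcementLevel: "disabled", validate: r => (r.acl === "public-read" ? "ACL is public" : undefined) },
    { name: "prefer-versioning", validate: r => (r.versioning ? undefined : "versioning is off") }, // uses pack default
];
const sampleResource: Resource = { acl: "public-read" };
```

Because the wire type has no "disabled" member, an implementation that skips `enabledPolicies` fails loudly at the mapping step instead of reporting a disabled policy as enforced.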