Policy remediations SDK support

.github/workflows/master.yml

@@ -9,26 +9,26 @@ env:
   PULUMI_API: https://api.pulumi-staging.io
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
   PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
-  VERSION: ${{ github.event.client_payload.ref }}  
+  VERSION: ${{ github.event.client_payload.ref }}
 jobs:
   lint:
     name: lint
     runs-on: ubuntu-latest
     steps:
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v1
+        uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python-version }}
       - name: Set up Node
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v3
         with:
           node-version: ${{matrix.node-version}}
           registry-url: https://registry.npmjs.org
       - name: Install pipenv
         run: |
           python -m pip install --upgrade pipenv pip requests wheel urllib3 chardet
       - name: Install pulumictl
-        uses: jaxxstorm/action-install-gh-release@v1.2.0
+        uses: jaxxstorm/action-install-gh-release@v1.5.0
         with:
           repo: pulumi/pulumictl
       - name: Checkout Repo
@@ -46,6 +46,13 @@ jobs:
       - name: Lint Python
         run: |
           cd sdk/python && make lint
+    strategy:
+      fail-fast: true
+      matrix:
+        platform: [ ubuntu-latest ]
+        go-version: [ 1.18.x ]
+        python-version: [ 3.9.x ]
+        node-version: [ 18.x ]
   build_test_publish:
     name: Build, Test, and Publish
     runs-on: ubuntu-latest
@@ -55,22 +62,24 @@ jobs:
       - name: Unshallow clone for tags
         run: git fetch --prune --unshallow --tags
       - name: Install Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ matrix.go-version }}
       - name: Install pulumictl
-        uses: jaxxstorm/action-install-gh-release@v1.1.0
+        uses: jaxxstorm/action-install-gh-release@v1.5.0
         with:
           repo: pulumi/pulumictl
       - name: Install Pulumi CLI
-        uses: pulumi/action-install-pulumi-cli@v1.0.1
+        uses: pulumi/actions@v4
+        with:
+          pulumi-version: ">=3.88.0"
       - name: Setup Node
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v3
         with:
           node-version: ${{matrix.node-version}}
           registry-url: https://registry.npmjs.org
       - name: Setup Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v4
         with:
           python-version: ${{matrix.python-version}}
       - name: Install pipenv
@@ -115,7 +124,7 @@ jobs:
         platform: [ ubuntu-latest ]
         go-version: [ 1.18.x ]
         python-version: [ 3.9.x ]
-        node-version: [ 14.x ]
+        node-version: [ 18.x ]
 name: master
 "on":
   push:

.github/workflows/release.yml

@@ -16,19 +16,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v1
+        uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python-version }}
       - name: Set up Node
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v3
         with:
           node-version: ${{matrix.node-version}}
           registry-url: https://registry.npmjs.org
       - name: Install pipenv
         run: |
           python -m pip install --upgrade pipenv pip requests wheel urllib3 chardet
       - name: Install pulumictl
-        uses: jaxxstorm/action-install-gh-release@v1.2.0
+        uses: jaxxstorm/action-install-gh-release@v1.5.0
         with:
           repo: pulumi/pulumictl
       - name: Checkout Repo
@@ -46,6 +46,13 @@ jobs:
       - name: Lint Python
         run: |
           cd sdk/python && make lint
+    strategy:
+      fail-fast: true
+      matrix:
+        platform: [ ubuntu-latest ]
+        go-version: [ 1.18.x ]
+        python-version: [ 3.9.x ]
+        node-version: [ 18.x ]
   build_test_publish:
     name: Build, Test, and Publish
     runs-on: ubuntu-latest
@@ -55,22 +62,24 @@ jobs:
       - name: Unshallow clone for tags
         run: git fetch --prune --unshallow --tags
       - name: Install Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ matrix.go-version }}
       - name: Install pulumictl
-        uses: jaxxstorm/action-install-gh-release@v1.1.0
+        uses: jaxxstorm/action-install-gh-release@v1.5.0
         with:
           repo: pulumi/pulumictl
       - name: Install Pulumi CLI
-        uses: pulumi/action-install-pulumi-cli@v1.0.1
+        uses: pulumi/actions@v4
+        with:
+          pulumi-version: ">=3.88.0"
       - name: Setup Node
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v3
         with:
           node-version: ${{matrix.node-version}}
           registry-url: https://registry.npmjs.org
       - name: Setup Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v4
         with:
           python-version: ${{matrix.python-version}}
       - name: Install pipenv
@@ -106,14 +115,14 @@ jobs:
         platform: [ ubuntu-latest ]
         go-version: [ 1.18.x ]
         python-version: [ 3.9.x ]
-        node-version: [ 14.x ]
+        node-version: [ 18.x ]
   create_docs_build:
     name: Create docs build
     needs: build_test_publish
     runs-on: ubuntu-latest
     steps:
       - name: Install pulumictl
-        uses: jaxxstorm/action-install-gh-release@v1.1.0
+        uses: jaxxstorm/action-install-gh-release@v1.5.0
         with:
           repo: pulumi/pulumictl
       - env:

.github/workflows/run-acceptance-tests.yml

@@ -30,19 +30,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v1
+        uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python-version }}
       - name: Set up Node
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v3
         with:
           node-version: ${{matrix.node-version}}
           registry-url: https://registry.npmjs.org
       - name: Install pipenv
         run: |
           python -m pip install --upgrade pipenv pip requests wheel urllib3 chardet
       - name: Install pulumictl
-        uses: jaxxstorm/action-install-gh-release@v1.2.0
+        uses: jaxxstorm/action-install-gh-release@v1.5.0
         with:
           repo: pulumi/pulumictl
       - name: Checkout Repo
@@ -60,6 +60,13 @@ jobs:
       - name: Lint Python
         run: |
           cd sdk/python && make lint
+    strategy:
+      fail-fast: true
+      matrix:
+        platform: [ ubuntu-latest ]
+        go-version: [ 1.18.x ]
+        python-version: [ 3.9.x ]
+        node-version: [ 18.x ]
   build_and_test:
     name: Build and Test SDK
     runs-on: ${{ matrix.platform }}
@@ -72,22 +79,24 @@ jobs:
       - name: Unshallow clone for tags
         run: git fetch --prune --unshallow --tags
       - name: Install Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ matrix.go-version }}
       - name: Install pulumictl
-        uses: jaxxstorm/action-install-gh-release@v1.1.0
+        uses: jaxxstorm/action-install-gh-release@v1.5.0
         with:
           repo: pulumi/pulumictl
       - name: Install Pulumi CLI
-        uses: pulumi/action-install-pulumi-cli@v1.0.1
+        uses: pulumi/actions@v4
+        with:
+          pulumi-version: ">=3.88.0"
       - name: Setup Node
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v3
         with:
           node-version: ${{matrix.node-version}}
           registry-url: https://registry.npmjs.org
       - name: Setup Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v4
         with:
           python-version: ${{matrix.python-version}}
       - name: Install pipenv
@@ -114,7 +123,7 @@ jobs:
         platform: [ ubuntu-latest ]
         go-version: [ 1.18.x ]
         python-version: [ 3.9.x ]
-        node-version: [ 14.x ]     
+        node-version: [ 18.x ]
 name: Run Acceptance Tests from PR
 on:
   repository_dispatch:

CHANGELOG.md

@@ -1,5 +1,6 @@
 ## HEAD (Unreleased)
-_(none)_
+
+- Add support for policy remediations (https://github.com/pulumi/pulumi-policy/pull/314).
 
 ---
 

README.md

@@ -7,13 +7,15 @@
 Define and manage policy for cloud resources deployed through Pulumi.
 
 Policy rules run during `pulumi preview` and `pulumi up`, asserting that cloud resource definitions
-comply with the policy immediately before they are created or updated.
+comply with the policy immediately before they are created or updated. Policies may optionally define
+remediations that automatically fix policy violations rather than issue warnings.
 
 During `preview`, every rule is run on every resource, and policy violations are batched up
 into a final report. During the update, the first policy violation will halt the deployment.
 
 Policy violations can have enforcement levels that are **advisory**, which results in a printed
 warning, or **mandatory**, which results in an error after `pulumi preview` or `pulumi up` completes.
+The enforcement level **remediate** is stronger than both and enables automatic remediations.
 
 ## Getting Started