Story: Infrastructure Customizations

[eladb]

Summary

Apply non-functional infrastructure concerns on Wing apps using declarative, policy-driven syntax.

Feature Spec

(hypothetical readme)

You can use wing policy files to apply infrastructure policies to your wing applications during compilation.

Use the --policy switch in the compiler to tell the compiler which policy to use. For example:

$ wing compile hello.w --target tf-aws --policy my-policy.wp

Where my-policy.wp is (this is just a mock up):

resource aws_s3_bucket * {
  ...

  versioning {
    enabled = true
  }
}

The policy file is a bit like a CSS file. It selects which elements in the Terraform output to work on and then applies a bunch of attributes on it. This rule selects all aws_s3_bucket resources (hence the *) and enables versioning on the bucket.

Use Cases

• Deploy this to AWS and make all the buckets encrypted
• Put all the resources in side the VPC
• I want this app to be HIPPA-compliant
• Set the property "foo_bar" of resource "s3_bucket.bufol.dkkdjf" to "false"
• Tag all the resources with this label
• Don't allow any IAM policy to perform s3:putObject operations.

[eladb]

See discussion #868 started by @schosterbarak about "hosting" Wing apps within existing "environments".

Example use case: I have a VPC that is already defined elsewhere (be it through IAC or manually), and I want all my Wing resources to be deployed into this VPC. That's a classic non-functional aspect of the deployment that we want to support.

[darrenweiner]

Could be useful to have a set of pre-defined policies that track with well-architected principles, but with different levels of resiliency or security: Thinking of something like "well-architected t-shirt sizing":
Maybe the small version is intended for dev environments:

Even small would have key best practices around least access/privledge, but when it comes to other areas that have cost implications, it's 'lighter' on the configs:
Examples:
single AZ deployments
Minimal backup policies (e.g. 1 day)
Minimal resiliency in general (Autoscaling with minimum of 1, that sort of thing)
AWS-managed encryption

medium - for production-style workloads
Multi-AZ
backup policies of 30 days
Autoscaling minimum of 2
CMK managed encryption
etc etc

large - for Enterprise/X-Region needs
Multi-region data resiliency and deployments (e.g. S3 replication X-region, RDS X-Region if available, etc)
other things I haven't thought of at the moment.

[hasanaburayyan]

Once this is implemented we will need to update the temporary solution in #1162 (azure location) using env variable to retrieve location app prop for Azure

[monadabot]

Congrats! 🚀 This was released in Wing 0.5.8.