pulumi/pkg/resource/plugin/analyzer.go

// Copyright 2016-2018, Pulumi Corporation.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package plugin

import (
	"io"

	"github.com/pulumi/pulumi/pkg/apitype"
	"github.com/pulumi/pulumi/pkg/resource"
	"github.com/pulumi/pulumi/pkg/tokens"
	"github.com/pulumi/pulumi/pkg/workspace"
)

// Analyzer provides a pluggable interface for performing arbitrary analysis of entire projects/stacks/snapshots, and/or
// individual resources, for arbitrary issues.  These might be style, policy, correctness, security, or performance
// related.  This interface hides the messiness of the underlying machinery, since providers are behind an RPC boundary.
type Analyzer interface {
	// Closer closes any underlying OS resources associated with this provider (like processes, RPC channels, etc).
	io.Closer
	// Name fetches an analyzer's qualified name.
	Name() tokens.QName
	// Analyze analyzes a single resource object, and returns any errors that it finds.
	// Is called before the resource is modified.
	Analyze(r AnalyzerResource) ([]AnalyzeDiagnostic, error)
	// AnalyzeStack analyzes all resources after a successful preview or update.
	// Is called after all resources have been processed, and all changes applied.
	AnalyzeStack(resources []AnalyzerStackResource) ([]AnalyzeDiagnostic, error)
	// GetAnalyzerInfo returns metadata about the analyzer (e.g., list of policies contained).
	GetAnalyzerInfo() (AnalyzerInfo, error)
	// GetPluginInfo returns this plugin's information.
	GetPluginInfo() (workspace.PluginInfo, error)
}

// AnalyzerResource mirrors a resource that is passed to `Analyze`.
type AnalyzerResource struct {
	URN        resource.URN
	Type       tokens.Type
	Name       tokens.QName
	Properties resource.PropertyMap
	Options    AnalyzerResourceOptions
	Provider   *AnalyzerProviderResource
}

// AnalyzerStackResource mirrors a resource that is passed to `AnalyzeStack`.
type AnalyzerStackResource struct {
	AnalyzerResource
	Parent               resource.URN                            // an optional parent URN for this resource.
	Dependencies         []resource.URN                          // dependencies of this resource object.
	PropertyDependencies map[resource.PropertyKey][]resource.URN // the set of dependencies that affect each property.
}

// AnalyzerResourceOptions mirrors resource options sent to the analyzer.
type AnalyzerResourceOptions struct {
	Protect                 bool                    // true to protect this resource from deletion.
	IgnoreChanges           []string                // a list of property names to ignore during changes.
	DeleteBeforeReplace     *bool                   // true if this resource should be deleted prior to replacement.
	AdditionalSecretOutputs []resource.PropertyKey  // outputs that should always be treated as secrets.
	Aliases                 []resource.URN          // additional URNs that should be aliased to this resource.
	CustomTimeouts          resource.CustomTimeouts // an optional config object for resource options
}

// AnalyzerProviderResource mirrors a resource's provider sent to the analyzer.
type AnalyzerProviderResource struct {
	URN        resource.URN
	Type       tokens.Type
	Name       tokens.QName
	Properties resource.PropertyMap
}

// AnalyzeDiagnostic indicates that resource analysis failed; it contains the property and reason
// for the failure.
type AnalyzeDiagnostic struct {
	PolicyName        string
	PolicyPackName    string
	PolicyPackVersion string
	Description       string
	Message           string
	Tags              []string
	EnforcementLevel  apitype.EnforcementLevel
	URN               resource.URN
}

// AnalyzerInfo provides metadata about a PolicyPack inside an analyzer.
type AnalyzerInfo struct {
	Name        string
	DisplayName string
	Version     string
	Policies    []apitype.Policy
}
Add license headers 2018-05-22 21:43:36 +02:00			`// Copyright 2016-2018, Pulumi Corporation.`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`
Add basic analyzer support This change introduces the basic requirements for analyzers, as per pulumi/coconut#119. In particular, an analyzer can implement either, or both, of the RPC methods, Analyze and AnalyzeResource. The former is meant to check an overall deployment (e.g., to ensure it has been signed off on) and the latter is to check individual resources (e.g., to ensure properties of them are correct, such as checking style, security, etc. rules). These run simultaneous to overall checking. Analyzers are loaded as plugins just like providers are. The difference is mainly in their naming ("analyzer-" prefix, rather than "resource-"), and the RPC methods that they support. This isn't 100% functional since we need a way to specify at the CLI that a particular analyzer should be run, in addition to a way of recording which analyzers certain projects should use in their manifests. 2017-03-11 08:49:17 +01:00
Overhaul resources, planning, and environments This change, part of pulumi/lumi#90, overhauls quite a bit of the core resource, planning, environments, and related areas. The biggest amount of movement comes from the splitting of pkg/resource into multiple sub-packages. This results in: - pkg/resource: just the core resource data structures. - pkg/resource/deployment: all planning and deployment logic. - pkg/resource/environment: all environment, configuration, and serialized checkpoint structures and logic. - pkg/resource/plugin: all dynamically loaded analyzer and provider logic, including the actual loading and RPC mechanisms. This also splits the resource abstraction up. We now have: - resource.Resource: a shared interface. - resource.Object: a resource that is connected to a live object that will periodically observe mutations due to ongoing evaluation of computations. Snapshots of its state may be taken; however, this is purely a "pre-planning" abstraction. - resource.State: a snapshot of a resource's state that is frozen. In other words, it is no longer connected to a live object. This is what will store provider outputs (ID and properties), and is what may be serialized into a deployment record. The branch is in a half-baked state as of this change; more changes are to come... 2017-06-09 01:37:40 +02:00			`package plugin`
Add basic analyzer support This change introduces the basic requirements for analyzers, as per pulumi/coconut#119. In particular, an analyzer can implement either, or both, of the RPC methods, Analyze and AnalyzeResource. The former is meant to check an overall deployment (e.g., to ensure it has been signed off on) and the latter is to check individual resources (e.g., to ensure properties of them are correct, such as checking style, security, etc. rules). These run simultaneous to overall checking. Analyzers are loaded as plugins just like providers are. The difference is mainly in their naming ("analyzer-" prefix, rather than "resource-"), and the RPC methods that they support. This isn't 100% functional since we need a way to specify at the CLI that a particular analyzer should be run, in addition to a way of recording which analyzers certain projects should use in their manifests. 2017-03-11 08:49:17 +01:00
			`import (`
			`"io"`

Use Analyzer PB in analyzer code 2019-06-11 00:20:44 +02:00			`"github.com/pulumi/pulumi/pkg/apitype"`
Rename pulumi-fabric to pulumi This includes a few changes: * The repo name -- and hence the Go modules -- changes from pulumi-fabric to pulumi. * The Node.js SDK package changes from @pulumi/pulumi-fabric to just pulumi. * The CLI is renamed from lumi to pulumi. 2017-09-22 04:18:21 +02:00			`"github.com/pulumi/pulumi/pkg/resource"`
			`"github.com/pulumi/pulumi/pkg/tokens"`
Consult the program for its list of plugins This change adds a GetRequiredPlugins RPC method to the language host, enabling us to query it for its list of plugin requirements. This is language-specific because it requires looking at the set of dependencies (e.g., package.json files). It also adds a call up front during any update/preview operation to compute the set of plugins and require that they are present. These plugins are populated in the cache and will be used for all subsequent plugin-related operations during the engine's activity. We now cache the language plugins, so that we may load them eagerly too, which we never did previously due to the fact that we needed to pass the monitor address at load time. This was a bit bizarre anyhow, since it's really the Run RPC function that needs this information. So, to enable caching and eager loading -- which we need in order to invoke GetRequiredPlugins -- the "phone home" monitor RPC address is passed at Run time. In a subsequent change, we will switch to faulting in the plugins that are missing -- rather than erroring -- in addition to supporting the `pulumi plugin install` CLI command. 2018-02-06 18:57:32 +01:00			`"github.com/pulumi/pulumi/pkg/workspace"`
Add basic analyzer support This change introduces the basic requirements for analyzers, as per pulumi/coconut#119. In particular, an analyzer can implement either, or both, of the RPC methods, Analyze and AnalyzeResource. The former is meant to check an overall deployment (e.g., to ensure it has been signed off on) and the latter is to check individual resources (e.g., to ensure properties of them are correct, such as checking style, security, etc. rules). These run simultaneous to overall checking. Analyzers are loaded as plugins just like providers are. The difference is mainly in their naming ("analyzer-" prefix, rather than "resource-"), and the RPC methods that they support. This isn't 100% functional since we need a way to specify at the CLI that a particular analyzer should be run, in addition to a way of recording which analyzers certain projects should use in their manifests. 2017-03-11 08:49:17 +01:00			`)`

			`// Analyzer provides a pluggable interface for performing arbitrary analysis of entire projects/stacks/snapshots, and/or`
			`// individual resources, for arbitrary issues. These might be style, policy, correctness, security, or performance`
			`// related. This interface hides the messiness of the underlying machinery, since providers are behind an RPC boundary.`
			`type Analyzer interface {`
			`// Closer closes any underlying OS resources associated with this provider (like processes, RPC channels, etc).`
			`io.Closer`
Create a plan plugin host This is a minor refactoring to introduce a ProviderHost interface that is associated with the context and can be swapped in and out for custom plugin behavior. This is required to write tests that mock certain aspects, like loading packages from the filesystem. In theory, this change incurs zero behavioral changes. 2017-06-01 20:41:24 +02:00			`// Name fetches an analyzer's qualified name.`
			`Name() tokens.QName`
Make more progress on the new deployment model This change restructures a lot more pertaining to deployments, snapshots, environments, and the like. The most notable change is that the notion of a deploy.Source is introduced, which splits the responsibility between the deploy.Plan -- which simply understands how to compute and carry out deployment plans -- and the idea of something that can produce new objects on-demand during deployment. The primary such implementation is evalSource, which encapsulates an interpreter and takes a package, args, and config map, and proceeds to run the interpreter in a distinct goroutine. It synchronizes as needed to poke and prod the interpreter along its path to create new resource objects. There are two other sources, however. First, a nullSource, which simply refuses to create new objects. This can be handy when writing isolated tests but is also used to simulate the "empty" environment as necessary to do a complete teardown of the target environment. Second, a fixedSource, which takes a pre-computed array of objects, and hands those, in order, to the planning engine; this is mostly useful as a testing technique. Boatloads of code is now changed and updated in the various CLI commands. This further chugs along towards pulumi/lumi#90. The end is in sight. 2017-06-10 20:50:47 +02:00			`// Analyze analyzes a single resource object, and returns any errors that it finds.`
Add support for aggregate resource analysis (#3366) * Add AnalyzeStack method to Analyze service * Protobuf generated code * Hook up AnalyzeStack method * Address PR feedback * Address PR feedback 2019-10-25 17:29:02 +02:00			`// Is called before the resource is modified.`
			`Analyze(r AnalyzerResource) ([]AnalyzeDiagnostic, error)`
			`// AnalyzeStack analyzes all resources after a successful preview or update.`
			`// Is called after all resources have been processed, and all changes applied.`
Expose options, parent, deps, and provider config to policies (#3862) 2020-02-08 01:11:34 +01:00			`AnalyzeStack(resources []AnalyzerStackResource) ([]AnalyzeDiagnostic, error)`
Implement `GetAnalyzerInfo` in analyzer plugin 2019-06-24 04:02:37 +02:00			`// GetAnalyzerInfo returns metadata about the analyzer (e.g., list of policies contained).`
			`GetAnalyzerInfo() (AnalyzerInfo, error)`
Add a manifest to checkpoint files (#630) This change adds a new manifest section to the checkpoint files. The existing time moves into it, and we add to it the version of the Pulumi CLI that created it, along with the names, types, and versions of all plugins used to generate the file. There is a magic cookie that we also use during verification. This is to help keep us sane when debugging problems "in the wild," and I'm sure we will add more to it over time (checksum, etc). For example, after an up, you can now see this in `pulumi stack`: ``` Current stack is demo: Last updated at 2017-12-01 13:48:49.815740523 -0800 PST Pulumi version v0.8.3-79-g1ab99ad Plugin pulumi-provider-aws [resource] version v0.8.3-22-g4363e77 Plugin pulumi-langhost-nodejs [language] version v0.8.3-79-g77bb6b6 Checkpoint file is /Users/joeduffy/dev/code/src/github.com/pulumi/pulumi-aws/.pulumi/stacks/webserver/demo.json ``` This addresses pulumi/pulumi#628. 2017-12-01 22:50:32 +01:00			`// GetPluginInfo returns this plugin's information.`
Consult the program for its list of plugins This change adds a GetRequiredPlugins RPC method to the language host, enabling us to query it for its list of plugin requirements. This is language-specific because it requires looking at the set of dependencies (e.g., package.json files). It also adds a call up front during any update/preview operation to compute the set of plugins and require that they are present. These plugins are populated in the cache and will be used for all subsequent plugin-related operations during the engine's activity. We now cache the language plugins, so that we may load them eagerly too, which we never did previously due to the fact that we needed to pass the monitor address at load time. This was a bit bizarre anyhow, since it's really the Run RPC function that needs this information. So, to enable caching and eager loading -- which we need in order to invoke GetRequiredPlugins -- the "phone home" monitor RPC address is passed at Run time. In a subsequent change, we will switch to faulting in the plugins that are missing -- rather than erroring -- in addition to supporting the `pulumi plugin install` CLI command. 2018-02-06 18:57:32 +01:00			`GetPluginInfo() (workspace.PluginInfo, error)`
Add basic analyzer support This change introduces the basic requirements for analyzers, as per pulumi/coconut#119. In particular, an analyzer can implement either, or both, of the RPC methods, Analyze and AnalyzeResource. The former is meant to check an overall deployment (e.g., to ensure it has been signed off on) and the latter is to check individual resources (e.g., to ensure properties of them are correct, such as checking style, security, etc. rules). These run simultaneous to overall checking. Analyzers are loaded as plugins just like providers are. The difference is mainly in their naming ("analyzer-" prefix, rather than "resource-"), and the RPC methods that they support. This isn't 100% functional since we need a way to specify at the CLI that a particular analyzer should be run, in addition to a way of recording which analyzers certain projects should use in their manifests. 2017-03-11 08:49:17 +01:00			`}`

Expose options, parent, deps, and provider config to policies (#3862) 2020-02-08 01:11:34 +01:00			// AnalyzerResource mirrors a resource that is passed to `Analyze`.
Add support for aggregate resource analysis (#3366) * Add AnalyzeStack method to Analyze service * Protobuf generated code * Hook up AnalyzeStack method * Address PR feedback * Address PR feedback 2019-10-25 17:29:02 +02:00			`type AnalyzerResource struct {`
Send resource URN and name to analyzer (#3554) More information we want to make available to policy packs. 2019-11-21 22:01:15 +01:00			`URN resource.URN`
Add support for aggregate resource analysis (#3366) * Add AnalyzeStack method to Analyze service * Protobuf generated code * Hook up AnalyzeStack method * Address PR feedback * Address PR feedback 2019-10-25 17:29:02 +02:00			`Type tokens.Type`
Send resource URN and name to analyzer (#3554) More information we want to make available to policy packs. 2019-11-21 22:01:15 +01:00			`Name tokens.QName`
Add support for aggregate resource analysis (#3366) * Add AnalyzeStack method to Analyze service * Protobuf generated code * Hook up AnalyzeStack method * Address PR feedback * Address PR feedback 2019-10-25 17:29:02 +02:00			`Properties resource.PropertyMap`
Expose options, parent, deps, and provider config to policies (#3862) 2020-02-08 01:11:34 +01:00			`Options AnalyzerResourceOptions`
			`Provider *AnalyzerProviderResource`
			`}`

			// AnalyzerStackResource mirrors a resource that is passed to `AnalyzeStack`.
			`type AnalyzerStackResource struct {`
			`AnalyzerResource`
			`Parent resource.URN // an optional parent URN for this resource.`
			`Dependencies []resource.URN // dependencies of this resource object.`
			`PropertyDependencies map[resource.PropertyKey][]resource.URN // the set of dependencies that affect each property.`
			`}`

			`// AnalyzerResourceOptions mirrors resource options sent to the analyzer.`
			`type AnalyzerResourceOptions struct {`
			`Protect bool // true to protect this resource from deletion.`
			`IgnoreChanges []string // a list of property names to ignore during changes.`
			`DeleteBeforeReplace *bool // true if this resource should be deleted prior to replacement.`
			`AdditionalSecretOutputs []resource.PropertyKey // outputs that should always be treated as secrets.`
			`Aliases []resource.URN // additional URNs that should be aliased to this resource.`
			`CustomTimeouts resource.CustomTimeouts // an optional config object for resource options`
			`}`

			`// AnalyzerProviderResource mirrors a resource's provider sent to the analyzer.`
			`type AnalyzerProviderResource struct {`
			`URN resource.URN`
			`Type tokens.Type`
			`Name tokens.QName`
			`Properties resource.PropertyMap`
Add support for aggregate resource analysis (#3366) * Add AnalyzeStack method to Analyze service * Protobuf generated code * Hook up AnalyzeStack method * Address PR feedback * Address PR feedback 2019-10-25 17:29:02 +02:00			`}`

Use Analyzer PB in analyzer code 2019-06-11 00:20:44 +02:00			`// AnalyzeDiagnostic indicates that resource analysis failed; it contains the property and reason`
			`// for the failure.`
			`type AnalyzeDiagnostic struct {`
Remove policy ID from policy API 2019-06-14 01:14:48 +02:00			`PolicyName string`
			`PolicyPackName string`
			`PolicyPackVersion string`
			`Description string`
			`Message string`
			`Tags []string`
			`EnforcementLevel apitype.EnforcementLevel`
Send resource URN and name to analyzer (#3554) More information we want to make available to policy packs. 2019-11-21 22:01:15 +01:00			`URN resource.URN`
Add basic analyzer support This change introduces the basic requirements for analyzers, as per pulumi/coconut#119. In particular, an analyzer can implement either, or both, of the RPC methods, Analyze and AnalyzeResource. The former is meant to check an overall deployment (e.g., to ensure it has been signed off on) and the latter is to check individual resources (e.g., to ensure properties of them are correct, such as checking style, security, etc. rules). These run simultaneous to overall checking. Analyzers are loaded as plugins just like providers are. The difference is mainly in their naming ("analyzer-" prefix, rather than "resource-"), and the RPC methods that they support. This isn't 100% functional since we need a way to specify at the CLI that a particular analyzer should be run, in addition to a way of recording which analyzers certain projects should use in their manifests. 2017-03-11 08:49:17 +01:00			`}`
Implement `GetAnalyzerInfo` in analyzer plugin 2019-06-24 04:02:37 +02:00
			`// AnalyzerInfo provides metadata about a PolicyPack inside an analyzer.`
			`type AnalyzerInfo struct {`
			`Name string`
			`DisplayName string`
use version tag (#3961) 2020-02-25 02:11:56 +01:00			`Version string`
Implement `GetAnalyzerInfo` in analyzer plugin 2019-06-24 04:02:37 +02:00			`Policies []apitype.Policy`
			`}`