e6be38e285
The initial config represents any config that was specified programmatically to the Policy Pack, for Policy Packs that support programmatic configuration like AWSGuard.
// Copyright 2016-2018, Pulumi Corporation.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
import "plugin.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/struct.proto";
package pulumirpc;
// Analyzer provides a pluggable interface for checking resource definitions against some number of
// resource policies. It is intentionally open-ended, allowing for implementations that check
// everything from raw resource definitions to entire projects/stacks/snapshots for arbitrary
// issues -- style, policy, correctness, security, and so on.
//
// Analyze and AnalyzeStack both return AnalyzeResponse; the two request types differ because
// Analyze sees one resource's pre-update inputs while AnalyzeStack sees every resource's
// post-mutation outputs (see the per-RPC comments).
service Analyzer {
  // Analyze analyzes a single resource object, and returns any errors that it finds.
  // Called with the "inputs" to the resource, before it is updated.
  rpc Analyze(AnalyzeRequest) returns (AnalyzeResponse) {}

  // AnalyzeStack analyzes all resources within a stack, at the end of a successful
  // preview or update. The provided resources are the "outputs", after any mutations
  // have taken place.
  rpc AnalyzeStack(AnalyzeStackRequest) returns (AnalyzeResponse) {}

  // GetAnalyzerInfo returns metadata about the analyzer (e.g., list of policies contained).
  // NOTE(review): the request type is google.protobuf.Empty, so request parameters cannot be
  // added to this call later without introducing a new RPC.
  rpc GetAnalyzerInfo(google.protobuf.Empty) returns (AnalyzerInfo) {}

  // GetPluginInfo returns generic information about this plugin, like its version.
  // PluginInfo is not defined in this file; presumably it comes from the imported plugin.proto.
  rpc GetPluginInfo(google.protobuf.Empty) returns (PluginInfo) {}

  // Configure configures the analyzer, passing configuration properties for each policy.
  // The response is google.protobuf.Empty: success is signalled only by the RPC completing
  // without error, so any configuration problem must be reported as an RPC error.
  rpc Configure(ConfigureAnalyzerRequest) returns (google.protobuf.Empty) {}
}

// AnalyzeRequest is the input to Analyzer.Analyze: a single resource's proposed "inputs",
// delivered before the resource is updated. Fields 1-6 mirror AnalyzerResource, but the two
// are distinct message types so each RPC's payload can evolve on its own.
message AnalyzeRequest {
  string type = 1; // the type token of the resource.
  // the full properties to use for validation. This is an untyped google.protobuf.Struct.
  // NOTE(review): whether values that are marked secret elsewhere (cf.
  // AnalyzerResourceOptions.additionalSecretOutputs) arrive here in the clear is not visible
  // in this file -- confirm before an analyzer logs or persists this field.
  google.protobuf.Struct properties = 2;
  string urn = 3; // the URN of the resource.
  string name = 4; // the name for the resource's URN.
  AnalyzerResourceOptions options = 5; // the resource options (message-typed, so it may be absent).
  AnalyzerProviderResource provider = 6; // the resource's provider (message-typed, so it may be absent).
}

// AnalyzerResource defines the view of a Pulumi-managed resource as sent to Analyzers. The properties
// of the resource are specific to the type of analysis being performed. See the Analyzer
// service definition for more information.
//
// Used by AnalyzeStackRequest, where each entry carries the resource's post-mutation "outputs".
message AnalyzerResource {
  string type = 1; // the type token of the resource.
  // the full properties to use for validation. Untyped google.protobuf.Struct; NOTE(review):
  // secret handling for values in this bag is not visible in this file -- confirm before an
  // analyzer logs or persists it.
  google.protobuf.Struct properties = 2;
  string urn = 3; // the URN of the resource.
  string name = 4; // the name for the resource's URN.
  AnalyzerResourceOptions options = 5; // the resource options.
  AnalyzerProviderResource provider = 6; // the resource's provider.
  // an optional parent URN that this child resource belongs to. proto3 strings have no
  // presence, so "no parent" is represented by the empty string.
  string parent = 7;
  repeated string dependencies = 8; // a list of URNs that this resource depends on.
  // a map from property keys to the dependencies of the property. Map wire order is
  // undefined; consumers must not rely on iteration order.
  map<string, AnalyzerPropertyDependencies> propertyDependencies = 9;
}

// AnalyzerResourceOptions defines the options associated with a resource.
message AnalyzerResourceOptions {
  // CustomTimeouts allows a user to be able to create a set of custom timeout parameters.
  // Nested here because it has no meaning outside these options.
  message CustomTimeouts {
    double create = 1; // The create resource timeout in seconds.
    double update = 2; // The update resource timeout in seconds.
    double delete = 3; // The delete resource timeout in seconds.
  }

  bool protect = 1; // true if the resource should be marked protected.
  repeated string ignoreChanges = 2; // a list of property names to ignore during changes.
  bool deleteBeforeReplace = 3; // true if this resource should be deleted before replacement.
  // true if the deleteBeforeReplace property should be treated as defined even if it is false.
  // Needed because a proto3 bool has no presence: without this flag an explicit "false" is
  // indistinguishable from "not set".
  bool deleteBeforeReplaceDefined = 4;
  repeated string additionalSecretOutputs = 5; // a list of output properties that should also be treated as secret, in addition to ones we detect.
  repeated string aliases = 6; // a list of additional URNs that should be considered the same.
  // a config block that will be used to configure timeouts for CRUD operations.
  // Message-typed, so "no custom timeouts" is an absent field rather than all-zero values.
  CustomTimeouts customTimeouts = 7;
}

// AnalyzerProviderResource provides information about a resource's provider.
// It carries the same first four fields as AnalyzeRequest / AnalyzerResource, applied to the
// provider resource rather than the resource being analyzed.
message AnalyzerProviderResource {
  string type = 1; // the type token of the resource.
  // the full properties to use for validation. Untyped google.protobuf.Struct; NOTE(review):
  // provider properties commonly hold credentials, but whether they are delivered here is not
  // visible in this file -- confirm before an analyzer logs or persists this field.
  google.protobuf.Struct properties = 2;
  string urn = 3; // the URN of the resource.
  string name = 4; // the name for the resource's URN.
}

// AnalyzerPropertyDependencies describes the resources that a particular property depends on.
// Used as the value type of AnalyzerResource.propertyDependencies; it wraps the list because a
// repeated field cannot be a map value directly.
message AnalyzerPropertyDependencies {
  repeated string urns = 1; // A list of URNs this property depends on.
}

// AnalyzeStackRequest is the input to Analyzer.AnalyzeStack: every resource in the stack, as
// seen at the end of a successful preview or update (their "outputs").
message AnalyzeStackRequest {
  // all resources within the stack. An empty list is not distinguishable from an unset field.
  repeated AnalyzerResource resources = 1;
}

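// AnalyzeResponse is returned by both Analyzer.Analyze and Analyzer.AnalyzeStack and carries
// the policy violations found. An empty diagnostics list means no violations were reported.
message AnalyzeResponse {
  // Field number 1 is not used by any current field. It is reserved so that a future field
  // cannot take that number and be misread by peers built against an older schema.
  reserved 1;

  repeated AnalyzeDiagnostic diagnostics = 2; // information about policy violations.
}
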
// EnforcementLevel indicates the severity of a policy violation.
//
// NOTE(review): the zero value is ADVISORY rather than an UNSPECIFIED sentinel, so any
// PolicyInfo or PolicyConfig that omits enforcementLevel is read as ADVISORY (non-blocking).
// Consumers should also tolerate integer values outside this list, since proto3 preserves
// unknown enum values on the wire. The values are left unprefixed because renaming them would
// break generated code and JSON for existing peers.
enum EnforcementLevel {
  ADVISORY = 0; // Displayed to users, but does not block deployment. Also the default when unset.
  MANDATORY = 1; // Stops deployment, cannot be overridden.
  DISABLED = 2; // Disabled policies do not run during a deployment.
}

// AnalyzeDiagnostic describes one policy violation reported by an analyzer. It identifies the
// policy and Policy Pack involved, the resource affected, and the user-facing text to show.
message AnalyzeDiagnostic {
  string policyName = 1; // Name of the violated policy.
  string policyPackName = 2; // Name of the policy pack the policy is in.
  string policyPackVersion = 3; // Version of the policy pack.
  string description = 4; // Description of policy rule. e.g., "encryption enabled."
  string message = 5; // Message to display on policy violation, e.g., remediation steps.
  repeated string tags = 6; // Keywords/terms to associate with a policy, e.g., "cost".
  // Severity of the policy violation. If omitted this reads as ADVISORY (the enum's zero value).
  EnforcementLevel enforcementLevel = 7;
  string urn = 8; // URN of the resource that violates the policy.
}

// AnalyzerInfo provides metadata about a PolicyPack inside an analyzer.
// Returned by Analyzer.GetAnalyzerInfo.
message AnalyzerInfo {
  string name = 1; // Name of the PolicyPack.
  string displayName = 2; // Pretty name for the PolicyPack.
  repeated PolicyInfo policies = 3; // Metadata about policies contained in PolicyPack.
  string version = 4; // Version of the Policy Pack.
  bool supportsConfig = 5; // Whether the Policy Pack supports config.
  // Map of policy name to config. The initial config represents any config that was specified
  // programmatically to the Policy Pack, for Policy Packs that support programmatic
  // configuration. Map wire order is undefined.
  map<string, PolicyConfig> initialConfig = 6;
}

// PolicyInfo provides metadata about a policy within a Policy Pack.
// Carried in AnalyzerInfo.policies.
message PolicyInfo {
  string name = 1; // Name of the policy.
  string displayName = 2; // Pretty name for the policy.
  string description = 3; // Description of policy rule. e.g., "encryption enabled."
  string message = 4; // Message to display on policy violation, e.g., remediation steps.
  // Severity of the policy violation. If omitted this reads as ADVISORY (the enum's zero value).
  EnforcementLevel enforcementLevel = 5;
  // Config schema for the policy. Message-typed, so a policy without configuration leaves this
  // field absent rather than empty.
  PolicyConfigSchema configSchema = 6;
}

// PolicyConfigSchema provides the schema for a policy's configuration.
message PolicyConfigSchema {
  // JSON schema for each property. Untyped Struct; presumably keyed by property name with a
  // JSON-schema fragment as each value -- confirm against the analyzer implementation.
  google.protobuf.Struct properties = 1;
  // Required properties. Presumably names that must appear as keys of `properties`; confirm.
  repeated string required = 2;
}

// PolicyConfig provides configuration for a policy.
// Used as the map value in AnalyzerInfo.initialConfig and ConfigureAnalyzerRequest.policyConfig.
message PolicyConfig {
  // Enforcement level of the policy. NOTE(review): if a config omits this field it reads as
  // ADVISORY (enum zero value), not as "unspecified" -- a silently weaker setting than MANDATORY.
  EnforcementLevel enforcementLevel = 1;
  // Configuration properties of the policy. Untyped Struct; presumably validated by the
  // analyzer against PolicyInfo.configSchema -- not visible in this file, confirm.
  google.protobuf.Struct properties = 2;
}

// ConfigureAnalyzerRequest provides configuration information to the analyzer.
// Input to Analyzer.Configure.
message ConfigureAnalyzerRequest {
  // Map of policy name to config. Map wire order is undefined; an empty map is
  // indistinguishable from an unset field.
  map<string, PolicyConfig> policyConfig = 1;
}