Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
plugin-framework
pulumi-cdk
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumi-service
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
general
- m
microscopic-florist-22719
06/20/2018, 10:18 PMDuring a preview/update we give each analyzer referenced by the project a chance to inspect each resource. If an analyzer reports failures, the resource registration fails and the preview/update halts. - s
stocky-spoon-28903
06/20/2018, 10:18 PMExcellent. Is the intention for the analysers to be exposed via the same programming model? - s
stocky-spoon-28903
06/20/2018, 10:19 PMAnd will it have the ability to retrospectively inspect conformance with a new or modified policy? - m
microscopic-florist-22719
06/20/2018, 10:19 PMThose are great questions. 🙂 @big-piano-35669 or @white-balloon-205 probably have better insight there. - m
microscopic-florist-22719
06/20/2018, 10:20 PM(FWIW, it turns out we do have one example analyzer in the
repo, though I'm not sure of its precise status: https://github.com/pulumi/pulumi/blob/master/examples/analyzers/infosec/main.go)pulumi/pulumi - s
stocky-spoon-28903
06/20/2018, 10:21 PMInteresting. It’s a bit unclear what additional context each analyzer has access to there. Often they’d need implementing in terms of the entire dependency graph? - m
microscopic-florist-22719
06/20/2018, 10:23 PMHm, that's an interesting complication. One consequence of the Pulumi model is that the graph is built and executed incrementally, so the complete graph is (generally speaking) not known until the preview/update has completed. - s
stocky-spoon-28903
06/20/2018, 10:24 PMYes, that seems to be the major difference between Pulumi and Terraform when it comes to execution - TF has a complete graph before execution. - m
microscopic-florist-22719
06/20/2018, 10:24 PMTo be a bit more precise, given a resource
, we are guaranteed to have seen the transitive closure of `r`'s dependencies by the timer
is registered, but we are also guaranteed not to have seen any resource that depend onr
.r - m
microscopic-florist-22719
06/20/2018, 10:24 PMCorrect. - s
stocky-spoon-28903
06/20/2018, 10:25 PMI think that is OK for the purposes of policy - s
stocky-spoon-28903
06/20/2018, 10:25 PMBut perhaps not - s
stocky-spoon-28903
06/20/2018, 10:25 PMIt might only be possible to evaluate some policies retrospectively - s
stocky-spoon-28903
06/20/2018, 10:25 PMWhich I think might also be OK - m
microscopic-florist-22719
06/20/2018, 10:26 PMYeah, if a policy requires an understanding of which resources depend on a given resource, then that policy can only be evaluated in retrospect - m
microscopic-florist-22719
06/20/2018, 10:26 PMThough we can give a conservative answer on such a policy using the graph produced by a preview - s
stocky-spoon-28903
06/20/2018, 10:27 PMMy canonical example is “instances may not be placed in a subnet with a route to an internet gateway” - m
microscopic-florist-22719
06/20/2018, 10:27 PM....that's a really good example - s
stocky-spoon-28903
06/20/2018, 10:27 PMIn that case the instance would have a dependency on the subnet, but the route would be an edge from the subnet also. - m
microscopic-florist-22719
06/20/2018, 10:27 PMesp. as it can be phrased from different perspectives - s
stocky-spoon-28903
06/20/2018, 10:28 PMAssuming we are walking in parallel, there is a possibility the context necessary for matching the policy wouldn’t exist at the evaluation of the instance. - m
microscopic-florist-22719
06/20/2018, 10:29 PMRight. So you might need to implement this policy in such a way that it can handle all possible partial orderings of resource creation that create the problematic result - s
stocky-spoon-28903
06/20/2018, 10:33 PMI wonder if a policy could be made into a graph node such that the execution is delayed until all of the inputs are reified - s
stocky-spoon-28903
06/20/2018, 10:34 PMThat could get awkward thoguh - s
stocky-spoon-28903
06/20/2018, 10:39 PMIt might be worth adding some library functions to either
or perhaps a newpulumi
package which has things likenetwork
in order to implement things like “extend this CIDR prefix by n bytes and then find the network number x within it”cidr_subnet - s
stocky-spoon-28903
06/20/2018, 10:39 PM(similar to the Terraform
interpolation function)cidr_subnet - m
microscopic-florist-22719
06/20/2018, 10:41 PMThat's a good idea. Would you mind filing an issue for that in https://github.com/pulumi/pulumi? - s
stocky-spoon-28903
06/20/2018, 10:47 PM - m
microscopic-florist-22719
06/20/2018, 10:47 PMThanks! - b
big-piano-35669
06/21/2018, 12:34 AMLate to the party, sorry!Is the intention for the analysers to be exposed via the same programming model?
Analyzers are gRPC plugins too, so yes, they can be written in any language and have access to the parts of graph available per Pat's comments. The current state is a little half-baked -- which is why we don't advertise or doc them -- but it's a preview of core capability we're going to go pretty hard on in the weeks to come. For instance, we have a query language prototype that will expand to give you GraphQL-ish capabilities to perform rich analysis against resource graphs/plans. I expect we'll have lots more to say about this over the next couple milestones, but for now, if you end up wanting to kick the tires on what's there, just let us know and we can point you at some defaults.đź’Ż 2
Title
b
big-piano-35669
06/21/2018, 12:34 AMLate to the party, sorry!
Is the intention for the analysers to be exposed via the same programming model?Analyzers are gRPC plugins too, so yes, they can be written in any language and have access to the parts of graph available per Pat's comments. The current state is a little half-baked -- which is why we don't advertise or doc them -- but it's a preview of core capability we're going to go pretty hard on in the weeks to come. For instance, we have a query language prototype that will expand to give you GraphQL-ish capabilities to perform rich analysis against resource graphs/plans. I expect we'll have lots more to say about this over the next couple milestones, but for now, if you end up wanting to kick the tires on what's there, just let us know and we can point you at some defaults.
đź’Ż 2
View count: 2