# general
b
What's the best policy checker for Pulumi? We currently use checkov for our CFN templates, but checkov doesn't support Pulumi (yet? https://github.com/bridgecrewio/checkov/issues/568 ). The AWS policy validators in the Pulumi repo are... pretty barebones. Looks like only one has been added in the last couple of years. I really don't want to lose coverage and/or rewrite all of the checkov tests. When I poked around in the checkov code, it looks like a decent chunk of the IAM validation in Checkov actually delegates to Salesforce's cloudsplaining library. May or may not be relevant, but I thought it was an interesting bit of trivia.
v
b
I linked that issue in my original message 😛
and I would greatly prefer not to reimplement the entirety of checkov
v
haha sorry, long day 😂 yeah of course, that would be a pain. I’d maybe suggest bumping that post or contributing maybe 🤷
b
I commented on the issue; we'll see where it goes from here
v
good luck
lmk if you hear anything positive back, would be interested to have a play with it
b
want to bump the issue too?
v
done 🙂
b
\o/
welp, if I end up having to write my own on company time, I'll see if I can get legal clearance to put them in a public repo or open a PR to Pulumi's
v
I was thinking of doing something similar. We have a ticket to enforce tagging policies in our next sprint, which starts on Monday, so I could probably get a core policy set knocked out in a sprint and then publish. If I beat you to it I'll share a link.
b
Heck yeah!!!
Thanks so much!
v
no problem 🙂
b
@victorious-church-57397 did you end up taking a look at this?
v
hey, sorry, no, not just yet. Priorities changed! We enforced the tagging policy but didn't do any other stuff just yet.