Analysis

pulumi/pulumi:proto/pulumi/analyzer.proto

Services

🔌 Analyzer

Analyzer provides a pluggable interface for checking resource definitions against some number of resource policies. It is intentionally open-ended, allowing for implementations that check everything from raw resource definitions to entire projects/stacks/snapshots for arbitrary issues – style, policy, correctness, security, and so on.

📞 Analyze

Request: AnalyzeRequest; Response: AnalyzeResponse

Analyze analyzes a single resource object, and returns any errors that it finds. Called with the “inputs” to the resource, before it is updated.

📞 AnalyzeStack

Request: AnalyzeStackRequest; Response: AnalyzeResponse

AnalyzeStack analyzes all resources within a stack, at the end of a successful preview or update. The provided resources are the “outputs”, after any mutations have taken place.

📞 Remediate

Request: AnalyzeRequest; Response: RemediateResponse

Remediate optionally transforms a single resource object. This effectively rewrites a single resource object’s properties instead of using what was generated by the program.

📞 GetAnalyzerInfo

Request: .google.protobuf.Empty; Response: AnalyzerInfo

GetAnalyzerInfo returns metadata about the analyzer (e.g., list of policies contained).

📞 GetPluginInfo

Request: .google.protobuf.Empty; Response: PluginInfo

GetPluginInfo returns generic information about this plugin, like its version.

📞 Configure

Request: ConfigureAnalyzerRequest; Response: .google.protobuf.Empty

Configure configures the analyzer, passing configuration properties for each policy.

📞 Handshake

Request: AnalyzerHandshakeRequest; Response: AnalyzerHandshakeResponse

Handshake is the first call made by the engine to an analyzer. It is used to pass the engine’s address to the analyzer so that it may establish its own connections back, and to establish protocol configuration that will be used to communicate between the two parties.

📞 ConfigureStack

Request: AnalyzerStackConfigureRequest; Response: AnalyzerStackConfigureResponse

ConfigureStack is always called if the engine is using the analyzer to analyze resources in a specific stack. This method is not always called, for example if the engine is just booting the analyzer up to call GetAnalyzerInfo.

📞 Cancel

Request: .google.protobuf.Empty; Response: .google.protobuf.Empty

Cancel signals the analyzer to gracefully shut down and abort any ongoing analysis operations. Operations aborted in this way will return an error. Since Cancel is advisory and non-blocking, it is up to the host to decide how long to wait after Cancel is called before (e.g.) hard-closing any gRPC connection.
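As an added illustration (example code, not from this page or from Pulumi), the following Python models the Analyze and Remediate calls in-process, using the field names of AnalyzeRequest, AnalyzeDiagnostic, PolicyNotApplicable and Remediation documented below. The gRPC transport and generated stubs are left out, and the "cloud:storage:Bucket" type token, the example policies and the lower-case enforcement-level strings standing in for the EnforcementLevel enum are all assumptions.

```python
"""Constructed in-process model of the Analyzer service's Analyze and Remediate calls
(example code, not Pulumi's). Dicts stand in for the protobuf messages on this page."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

PACK_NAME, PACK_VERSION = "example-pack", "0.0.1"  # constructed policy-pack identity

@dataclass
class Policy:
    name: str
    resource_type: str                       # type token the policy applies to
    enforcement_level: str                   # stand-in strings for the EnforcementLevel enum
    check: Callable[[Dict], Optional[str]]   # returns a violation message, or None if compliant
    fix: Optional[Callable[[Dict], Dict]] = None  # property rewrite used by Remediate

def analyze(request: Dict, policies: List[Policy]) -> Dict:
    """Analyze: check one resource's input properties and return an AnalyzeResponse."""
    diagnostics, not_applicable = [], []
    for p in policies:
        if p.resource_type != request["type"]:  # report skipped policies as PolicyNotApplicable
            not_applicable.append({"policy_name": p.name,
                                   "reason": f"does not apply to {request['type']}"})
            continue
        msg = p.check(request["properties"])
        if msg:  # one AnalyzeDiagnostic per violated policy
            diagnostics.append({"policyName": p.name, "policyPackName": PACK_NAME, "urn": request["urn"],
                                "policyPackVersion": PACK_VERSION, "message": msg, "enforcementLevel": p.enforcement_level})
    return {"diagnostics": diagnostics, "not_applicable": not_applicable}

def remediate(request: Dict, policies: List[Policy]) -> Dict:
    """Remediate: apply remediating policies' fixes in order; the request itself is not mutated."""
    props, remediations = dict(request["properties"]), []
    for p in policies:
        if p.enforcement_level != "remediate" or p.resource_type != request["type"] or not p.fix:
            continue
        props = p.fix(props)  # each Remediation records the properties after its transform
        remediations.append({"policyName": p.name, "policyPackName": PACK_NAME,
                             "policyPackVersion": PACK_VERSION, "properties": props})
    return {"remediations": remediations}

# Constructed policies for a hypothetical "cloud:storage:Bucket" type token.
POLICIES = [
    Policy("bucket-encryption", "cloud:storage:Bucket", "mandatory",
           lambda props: None if props.get("encrypted") else "bucket must set encrypted=true"),
    Policy("require-owner-tag", "cloud:storage:Bucket", "remediate",
           lambda props: None if "owner" in props.get("tags", {}) else "missing owner tag",
           lambda props: {**props, "tags": {**props.get("tags", {}), "owner": "unset"}}),
]
REQUEST = {"type": "cloud:storage:Bucket", "urn": "urn:pulumi:dev::demo::cloud:storage:Bucket::data",
           "properties": {"encrypted": False, "tags": {}}}  # constructed AnalyzeRequest
```

Running `analyze(REQUEST, POLICIES)` reports both constructed policies as violated, while a request with a different type token yields two PolicyNotApplicable entries and no diagnostics.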

Messages

📨 AnalyzeDiagnostic

policyName string

Name of the violated policy.

policyPackName string

Name of the policy pack the policy is in.

policyPackVersion string

Version of the policy pack.

description string

Description of the policy rule, e.g., “encryption enabled.”

message string

Message to display on policy violation, e.g., remediation steps.

enforcementLevel EnforcementLevel

Enforcement level of the policy violation.

urn string

URN of the resource that violates the policy.

severity PolicySeverity

Severity of the policy violation.

📨 AnalyzeRequest

type string

the type token of the resource.

properties google.protobuf.Struct

the full properties to use for validation.

urn string

the URN of the resource.

name string

the name for the resource’s URN.

options AnalyzerResourceOptions

the resource options.

provider AnalyzerProviderResource

the resource’s provider.

📨 AnalyzeResponse

diagnostics AnalyzeDiagnostic

information about policy violations.

not_applicable PolicyNotApplicable

information about policies that were not applicable.

📨 AnalyzeStackRequest

resources AnalyzerResource

<No description>

📨 AnalyzerHandshakeRequest

AnalyzerHandshakeRequest is the type of requests sent as part of a 📞 Handshake call.

engine_address string

The gRPC address of the engine handshaking with the analyzer. At a minimum, this address will expose an instance of the 🔌 Engine service.

root_directory string

A root directory where the analyzer’s binary, PulumiPolicy.yaml, or other identifying source code is located. In the event that the analyzer is not being booted by the engine (e.g. in the case that the engine has been asked to attach to an existing running analyzer instance via a host/port number), this field will be empty.

program_directory string

A program directory in which the analyzer should execute. This is generally a subdirectory of the root directory, though this is not required. In the event that the analyzer is not being booted by the engine (e.g. in the case that the engine has been asked to attach to an existing running analyzer instance via a host/port number), this field will be empty.

📨 AnalyzerHandshakeResponse

AnalyzerHandshakeResponse is the type of responses sent by a 📞 Handshake call.

📨 AnalyzerInfo

AnalyzerInfo provides metadata about a PolicyPack inside an analyzer.

name string

Name of the PolicyPack.

displayName string

Pretty name for the PolicyPack.

policies PolicyInfo

Metadata about policies contained in PolicyPack.

version string

Version of the Policy Pack.

supportsConfig bool

Whether the Policy Pack supports config.

initialConfig AnalyzerInfo.InitialConfigEntry

Map of policy name to config.

description string

Description of the policy pack.

readme string

README text for the policy pack.

provider string

Cloud provider/platform associated with the policy pack.

tags string

Tags for this policy pack.

repository string

A URL to the repository where the policy pack is defined.

📨 InitialConfigEntry

key string

<No description>

value PolicyConfig

<No description>

📨 AnalyzerPropertyDependencies

AnalyzerPropertyDependencies describes the resources that a particular property depends on.

urns string

A list of URNs this property depends on.

📨 AnalyzerProviderResource

AnalyzerProviderResource provides information about a resource’s provider.

type string

the type token of the resource.

properties google.protobuf.Struct

the full properties to use for validation.

urn string

the URN of the resource.

name string

the name for the resource’s URN.

📨 AnalyzerResource

AnalyzerResource defines the view of a Pulumi-managed resource as sent to Analyzers. The properties of the resource are specific to the type of analysis being performed. See the Analyzer service definition for more information.

type string

the type token of the resource.

properties google.protobuf.Struct

the full properties to use for validation.

urn string

the URN of the resource.

name string

the name for the resource’s URN.

options AnalyzerResourceOptions

the resource options.

provider AnalyzerProviderResource

the resource’s provider.

parent string

an optional parent URN that this child resource belongs to.

dependencies string

a list of URNs that this resource depends on.

propertyDependencies AnalyzerResource.PropertyDependenciesEntry

a map from property keys to the dependencies of the property.

📨 PropertyDependenciesEntry

key string

<No description>

value AnalyzerPropertyDependencies

<No description>

📨 AnalyzerResourceOptions

AnalyzerResourceOptions defines the options associated with a resource.

protect bool

true if the resource should be marked protected.

ignoreChanges string

a list of property names to ignore during changes.

deleteBeforeReplace bool

true if this resource should be deleted before replacement.

deleteBeforeReplaceDefined bool

true if the deleteBeforeReplace property should be treated as defined even if it is false.

additionalSecretOutputs string

a list of output properties that should also be treated as secret, in addition to ones we detect.

aliases string

a list of additional URNs that should be considered the same.

customTimeouts AnalyzerResourceOptions.CustomTimeouts

a config block that will be used to configure timeouts for CRUD operations.

parent string

an optional parent URN that this child resource belongs to.

📨 CustomTimeouts

CustomTimeouts allows a user to be able to create a set of custom timeout parameters.

create double

The create resource timeout in seconds.

update double

The update resource timeout in seconds.

delete double

The delete resource timeout in seconds.

📨 AnalyzerStackConfigureRequest

AnalyzerStackConfigureRequest is the message for the stack configuration of the stack being analyzed.

stack string

The stack name being analyzed.

project string

The project name of the stack being analyzed.

organization string

The organization name of the stack being analyzed.

dry_run bool

True if this is a preview/dry run.

config_secret_keys string

A list of configuration keys whose values should be treated as secrets.

config AnalyzerStackConfigureRequest.ConfigEntry

The configuration of the stack being analyzed.

tags AnalyzerStackConfigureRequest.TagsEntry

Tags for the current stack.

📨 ConfigEntry

key string

<No description>

value string

<No description>

📨 TagsEntry

key string

<No description>

value string

<No description>

📨 AnalyzerStackConfigureResponse

AnalyzerStackConfigureResponse is the type of responses sent by a 📞 ConfigureStack call.

📨 ConfigureAnalyzerRequest

ConfigureAnalyzerRequest provides configuration information to the analyzer.

policyConfig ConfigureAnalyzerRequest.PolicyConfigEntry

Map of policy name to config.

📨 PolicyConfigEntry

key string

<No description>

value PolicyConfig

<No description>

📨 PolicyComplianceFramework

PolicyComplianceFramework provides information about the compliance framework that a policy belongs to.

name string

The compliance framework name.

version string

The compliance framework version.

reference string

The compliance framework reference.

specification string

The compliance framework specification.

📨 PolicyConfig

PolicyConfig provides configuration for a policy.

enforcementLevel EnforcementLevel

Enforcement level of the policy.

properties google.protobuf.Struct

Configuration properties of the policy.

📨 PolicyConfigSchema

PolicyConfigSchema provides the schema for a policy’s configuration.

properties google.protobuf.Struct

JSON schema for each property.

required string

Required properties.

📨 PolicyInfo

PolicyInfo provides metadata about a policy within a Policy Pack.

name string

Name of the policy.

displayName string

Pretty name for the policy.

description string

Description of the policy rule, e.g., “encryption enabled.”

message string

Message to display on policy violation, e.g., remediation steps.

enforcementLevel EnforcementLevel

Severity of the policy violation.

configSchema PolicyConfigSchema

Config schema for the policy.

policy_type PolicyType

Type of the policy.

severity PolicySeverity

Severity of the policy.

framework PolicyComplianceFramework

Compliance framework that this policy belongs to.

tags string

Tags associated with the policy.

remediation_steps string

A description of the steps to take to remediate a policy violation.

url string

A URL to more information about the policy.

📨 PolicyNotApplicable

PolicyNotApplicable describes a policy that was not applicable, including an optional reason why.

policy_name string

The name of the policy that was not applicable.

reason string

An optional reason why the policy was not applicable.

📨 RemediateResponse

RemediateResponse contains a sequence of remediations applied, in order.

remediations Remediation

the list of remediations that were applied.

not_applicable PolicyNotApplicable

information about policies that were not applicable.

📨 Remediation

Remediation is a single resource remediation result.

policyName string

Name of the policy that performed the remediation.

policyPackName string

Name of the policy pack the transform is in.

policyPackVersion string

Version of the policy pack.

description string

Description of the transform rule, e.g., “auto-tag resources.”

properties google.protobuf.Struct

the transformed properties to use.

diagnostic string

an optional warning diagnostic to emit, if a transform failed.