Epic
Resolution: Done
Epic Goal
As a user writing templates in a policy, there is no way to test a template and see its output. Currently you have to create a policy to see if there are any errors, but that still does not show the output generated by the template.
Simple cases, such as reading information from a secret, aren't too difficult; however, once you start trying to parse that data it becomes difficult and time consuming. Consider a more difficult use case: a policy to clean up groups that are either empty or contain users which have been removed from the cluster (https://gist.github.com/brian-jarvis/0752ae38e00158316d3e748fc3a1a993). It is very difficult to validate the generated policy to ensure it is correct.
ACM should provide a tool that executes template code and returns the generated output.
https://github.com/stolostron/go-template-utils?tab=readme-ov-file#template-resolver-cli-beta provides a starting place. However, it needs to support the following use cases.
- Ability to pipe the output from the PolicyGenerator execution to the TemplateResolver (TR). The input may contain multiple Policies, Placements, Bindings, and PolicySets. The output from the TR should be only the Policies.
- Ability to pass a manifest file that contains only a ConfigurationPolicy or object-templates-raw (ACM-11524). If need be, the TR could output a ConfigurationPolicy wrapping the object-templates-raw input manifest.
Why is this important?
Creating more advanced policies becomes very difficult. This would enable customers to validate the Policy code before creating the policy in the cluster.