Replies: 2 comments
-
Original reply by @verdverm in cuelang/cue#920 (comment)
For a conjunction solution, define the HIPAA version to come from the CFN bucket
Then use the HIPAA module in place of the CFN module
You could also arrange things such that the only thing users need to change is the import statement, by making the refined / constrained modules have the same package name as the original. Maybe you want this to be more like the admission controllers in Kubernetes which can automatically change incoming specs? |
Beta Was this translation helpful? Give feedback.
-
Original reply by @myitcv in cuelang/cue#920 (comment) @jlongtine sorry for the slow reply. I'm not entirely clear where the modules aspect of this comes in? As @verdverm suggested, this feels more like a decision on how to structure packages/definitions such that the end-user experience "feels" right, whether it be importing the HIPAA version, or performing the composition themselves. In that regard, the query proposal (#165) feels more related here, because that would allow a general specification of further (HIPAA) constraints, whether as the end user or enforced via some policy. |
Beta Was this translation helpful? Give feedback.
-
Originally opened by @jlongtine in cuelang/cue#920
I'll start this discussion with a specific use case to help ground the general idea I'm interested in solving for.
cfn-cue
creates structs which form the basis for creating CloudFormation templates using CUE. As an example, here is a simplified version of an S3 bucket for demonstration purposes:The above would be installable as a part of the github.com/cue-sh/cfn-cue module.
The thing I'd like to do is create a module that would act as a set of constraints on top of github.com/cue-sh/cfn-cue . This would be useful for setting further constraints on top of the base CloudFormation structs for compliance (such as HIPAA), security, etc.
An example for
AWS::S3::Bucket
Basically, I want to enforce that the users must turn on Bucket encryption and use a KMS key for that encryption.
I know that I could simply install this constraint into the
cue.mod/usr
folder, but I'm wondering if there would be a good way to make constraints like this installable using the module system.I can imagine similar constraints for Kubernetes (which set reasonable security defaults for
podSpec
for instance).@myitcv Any thoughts about this use case for modules?
Beta Was this translation helpful? Give feedback.
All reactions