
Add capability to generate Pulumi policies when asked #47

Open
pierskarsenbarg opened this issue Jul 19, 2023 · 1 comment
Labels
kind/enhancement Improvements or new features

Comments

@pierskarsenbarg
Member

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Example prompt: "A typescript pulumi policy to stop security groups having ssh open to the internet"

Would generate something like:

```typescript
import * as aws from "@pulumi/aws";
import { PolicyPack, validateResourceOfType } from "@pulumi/policy";

new PolicyPack("lambda", {
    policies: [
        {
            name: "security-group-policy",
            description: "Stop security group being open on port 22 to the internet",
            enforcementLevel: "mandatory",
            validateResource: validateResourceOfType(aws.ec2.SecurityGroup, (securitygroup, args, reportViolation) => {
                // Evaluate each ingress rule on its own: the same rule must be for
                // port 22 and allow 0.0.0.0/0, rather than matching fromPort, toPort
                // and CIDR across three different rules. `?? []` also avoids the
                // `undefined !== -1` case when a rule has no cidrBlocks.
                const exposesSsh = (securitygroup.ingress ?? []).some(rule =>
                    rule.fromPort === 22 &&
                    rule.toPort === 22 &&
                    (rule.cidrBlocks ?? []).includes("0.0.0.0/0"));
                if (exposesSsh) {
                    reportViolation("Security groups must not have port 22 open to the internet");
                }
            }),
        },
    ],
});
```

No idea where you'd get the data to train this on, but I had a conversation about this today and it sounded like a good idea.

Affected area/feature

@pierskarsenbarg pierskarsenbarg added kind/enhancement Improvements or new features needs-triage Needs attention from the triage team labels Jul 19, 2023
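As an added example (not code from the issue or from Pulumi), here is the same check generalised to port ranges that contain 22, IPv6 sources and the AWS "all traffic" protocol, written as standalone functions a policy could call from validateResourceOfType; the IngressRule type and its field names are assumed to mirror aws.ec2.SecurityGroup ingress entries and are kept local so the code runs offline.

```typescript
// Added example, not from the issue: detection logic a policy could call from
// validateResourceOfType. IngressRule mirrors aws.ec2.SecurityGroup ingress
// entries (an assumption about field names, kept local so this runs offline).
interface IngressRule {
    protocol: string;       // "tcp", "udp", "-1" (all traffic), ...
    fromPort: number;
    toPort: number;
    cidrBlocks?: string[];
    ipv6CidrBlocks?: string[];
}
const SSH_PORT = 22, ANYWHERE_V4 = "0.0.0.0/0", ANYWHERE_V6 = "::/0";

// A rule reaches SSH when it carries TCP and its port range contains 22.
// Protocol "-1" is AWS's "all traffic" and matches whatever the ports say.
function ruleCoversSsh(rule: IngressRule): boolean {
    if (rule.protocol === "-1") return true;
    const proto = rule.protocol.toLowerCase();
    if (proto !== "tcp" && proto !== "6") return false;
    return rule.fromPort <= SSH_PORT && SSH_PORT <= rule.toPort;
}

// A rule is internet-facing when one of its own sources is the IPv4 or IPv6
// "anywhere" block; checking per rule avoids matching fromPort, toPort and
// CIDR across three different rules.
function ruleOpenToInternet(rule: IngressRule): boolean {
    return (rule.cidrBlocks ?? []).some(c => c === ANYWHERE_V4)
        || (rule.ipv6CidrBlocks ?? []).some(c => c === ANYWHERE_V6);
}

// One violation message per offending rule; empty means the group passes.
// From a policy, pass `securitygroup.ingress ?? []`.
function findSshExposures(ingress: IngressRule[]): string[] {
    return ingress
        .filter(r => ruleCoversSsh(r) && ruleOpenToInternet(r))
        .map(r => `ingress ${r.protocol} ${r.fromPort}-${r.toPort} from ` +
            [...(r.cidrBlocks ?? []), ...(r.ipv6CidrBlocks ?? [])].join(",") +
            " exposes SSH to the internet");
}

// Constructed samples: safeIngress passes (a check that finds fromPort, toPort
// and CIDR in separate rules would flag it); exposedIngress fails three ways.
const safeIngress: IngressRule[] = [
    { protocol: "tcp", fromPort: 22, toPort: 22, cidrBlocks: ["10.0.0.0/8"] },
    { protocol: "tcp", fromPort: 443, toPort: 443, cidrBlocks: ["0.0.0.0/0"] },
];
const exposedIngress: IngressRule[] = [
    { protocol: "tcp", fromPort: 22, toPort: 22, cidrBlocks: ["0.0.0.0/0"] },
    { protocol: "tcp", fromPort: 0, toPort: 1024, ipv6CidrBlocks: ["::/0"] },
    { protocol: "-1", fromPort: 0, toPort: 0, cidrBlocks: ["0.0.0.0/0"] },
];
```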
@AaronFriel

Policy as code sounds like an excellent thing to add to our test set.

I ran a query similar to this twice, and I think arrived at decent results. Curious what you think:

@AaronFriel AaronFriel removed the needs-triage Needs attention from the triage team label Oct 10, 2023