Skip to main content

Module rules_export

Module rules_export 

Source
Expand description

Rules-pack writer for the bootstrap flow.

When a deployer’s super::DeployerCredentials::bootstrap succeeds, it returns a RulesPack — a bag of IaC files (Terraform / OpenTofu HCL, kubectl YAML, Helm values, Pulumi / Bicep, anything the deployer wants) that the customer’s admin can review and apply offline so the same minimum-privilege roles/policies/SAs/secrets-paths exist on whichever target environment they govern.

The writer lays the entries down under <env_root>/rules/ with a per-pack subdirectory keyed by the deployer’s PackDescriptor. Each entry’s filename is treated as path-relative and rejected if it escapes the per-pack subdir (no .., no absolute, no symlink components — same posture as the bundle extractors hardened in P0.4). An index.json summary lands alongside so a reviewer can see every rendered artifact at a glance.

Files are written atomically (NamedTempFile → flush → fsync(parent) pattern, same shape as crate::environment::atomic_write_bytes).

Structs§

RulesPack
RulesPackEntry

Enums§

RulesExportError

Functions§

write_rules_pack
Write pack to <env_root>/rules/<deployer-path>/ and return the env-relative path to the directory (for CredentialsBootstrap.rules_pack_ref).