Expand description
Rules-pack writer for the bootstrap flow.
When a deployer’s super::DeployerCredentials::bootstrap succeeds,
it returns a RulesPack — a bag of IaC files (Terraform / OpenTofu
HCL, kubectl YAML, Helm values, Pulumi / Bicep, anything the deployer
wants) that the customer’s admin can review and apply offline so the
same minimum-privilege roles/policies/SAs/secrets-paths exist on
whichever target environment they govern.
The writer lays the entries down under <env_root>/rules/ with a
per-pack subdirectory keyed by the deployer’s PackDescriptor. Each
entry’s filename is treated as path-relative and rejected if it
escapes the per-pack subdir (no .., no absolute, no symlink
components — same posture as the bundle extractors hardened in
P0.4). An index.json summary lands alongside so a reviewer can see
every rendered artifact at a glance.
Files are written atomically (NamedTempFile → flush → fsync(parent)
pattern, same shape as crate::environment::atomic_write_bytes).
Structs§
Enums§
Functions§
- write_
rules_ pack - Write
packto<env_root>/rules/<deployer-path>/and return the env-relative path to the directory (forCredentialsBootstrap.rules_pack_ref).