Remote policy validation for managing distributed system resources

US11675774B2 · US · B2

Patent metadata
Publication number: US-11675774-B2
Application number: US-201615275219-A
Country: US
Kind code: B2
Filing date: Sep 23, 2016
Priority date: Sep 23, 2016
Publication date: Jun 13, 2023
Grant date: Jun 13, 2023

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Distributed system resources may be managed by applying user created policies to the resources. To ensure that valid policies are applied, remote validation for the policies may be implemented. A validation event for a policy may be detected. A remote validation agent may be identified for the policy and a validation request sent to the remote validation agent that includes information for validating the policy. The remote validation agent may return a validation result for the policy. If valid, a policy action that triggered the remote validation event for the policy may be allowed. If invalid, the policy action that triggered the remote validation event for the policy may be denied.

First claim

Opening claim text (preview).

What is claimed is:

1. A system, comprising: a data store that maintains a hierarchy of resource data objects, wherein the hierarchy of the resource data objects identifies policies applicable to the behavior of resources corresponding to the resource data objects in the system and groups the policies based on their respective policy types; at least one processor and a memory storing program instructions that cause the at least one processor to implement a system resource manager, configured to: receive a request to apply a policy to an identified one of the resource data objects corresponding to one of the resources in the system, and in response: identify a remote validation agent implemented remotely from the system resource manager to validate the policy according to a policy type of the policy, wherein the policy type is determined from the hierarchy maintained in the data store, the remote validation agent is associated with the policy type, and validation of the policy includes evaluating the policy for syntactic or semantic errors; send a validation request to a network address or endpoint associated with the remote validation agent, wherein the validation request causes the remote validation agent to initiate a validation of the policy, and the validation request includes validation information for the policy; in response to the validation request, receive a validation result from the remote validation agent that indicates that the policy is valid; and upon receipt of the validation result that indicates that the policy is valid, apply the policy to the one resource data object.

2. The system of claim 1, wherein the system resource manager is further configured to: prior to the receipt of the request to apply the policy: receive a request to create the policy; send a request to initiate a syntactic validation of the policy to the same remote validation agent or a different remote validation agent; receive a different validation result from the same remote validation agent or the different remote validation agent that was sent the request to initiate syntactic validation, wherein the different validation result indicates that the policy is syntactically valid; and create a policy object in the data store that is available for application.

3. The system of claim 1, wherein the data store is a hierarchical data store, and wherein to apply the policy to the one resource data object, the system resource manager is configured to link a policy data object for the policy in the hierarchical data store to the one resource data object.

4. The system of claim 1, wherein the system is a provider network that implements a plurality of different network-based services, wherein the resources are implemented as part of the different network-based services, and wherein the system resource manager is implemented as another one of the network-based services.

5. A method, comprising: performing, by one or more computing devices that implement a resource manager for a distributed system: detecting a policy validation event for a policy applicable to manage one or more resources in the distributed system, wherein respective resource data objects corresponding to a plurality of resources in the distributed system including the one or more resources are maintained in a hierarchical data structure in a hierarchical data store, wherein the respective resource data objects identify policies including the policy applicable to the resources in the distributed system, and wherein the hierarchical data structure groups the policies based on their respective policy types; identifying a remote validation agent implemented remotely from the resource manager to validate the policy according to a policy type of the policy, wherein the policy type is determined from the hierarchical data structure, the remote validation agent is associated with the policy type, and validation of the policy includes evaluating the policy for syntactic or semantic errors; sending a validation request to a network address or endpoint associated with the remote validation agent, wherein the validation request causes the remote validation agent to perform a validation of the policy, and the validation request includes validation information for the policy; in response to the validation request, receiving a validation result from the remote validation agent; and allowing or denying a policy action that triggered the policy validation event according to the received validation result.

6. The method of claim 5, wherein the validation of the policy initiated at the remote validation agent is a semantic policy evaluation that evaluates content of the policy to determine whether the policy is enforceable.

7. The method of claim 5, further comprising: performing, by one or more other computing device implementing the remote validation agent: receiving the validation information for the policy; evaluating the policy based, at least in part, on the validation information to determine whether the policy is valid; and sending the validation result to the resource manager indicating whether the policy is valid.

8. The method of claim 7, further comprising: prior to evaluating the policy, obtaining, by the remote validation agent, additional information for the policy from one or more sources.

9. The method of claim 8, wherein at least one of the one or more sources is the resource manager.

10. The method of claim 5, wherein the policy validation event is triggered in response to an attempt to modify of one of the resources, and wherein the policy action allows or denies the modification to the resource.

11. The method of claim 5, wherein the policy indicates one of synchronous or asynchronous processing behavior for the validation of the policy.

12. The method of claim 5, further comprising the resource manager tracking a state of the validation of the policy and sending the state to a client associated with the policy validation event.

13. The method of claim 5, wherein the validation result indicates that the policy is valid, and wherein allowing or denying a policy action that triggered the policy validation event according to the received validation result comprises: upon determining that the policy is valid, updating the hierarchical data structure to store a policy data object corresponding to the policy or link a policy data object to at least one of the respective resource data objects in the hierarchical data structure.

14. A non-transitory, computer-readable storage medium, storing program instructions that when executed by one or more computing devices to implement a resource manager for a distributed system and cause the resource manager to implement: detecting a policy validation event for a policy applicable to manage one or more resources in the distributed system, wherein respective resource data objects corresponding to a plurality of resources in the distributed system including the one or more resources are maintained in a hierarchical data structure in a hierarchical data store, wherein the respective resource data objects identify policies including the policy applicable to the resources in the distributed system, and wherein the hierarchical data structure groups the policies based on their respective policy types; identifying a remote validation agent implemented remotely from the resource manager to validate the policy according to a policy type of the policy, wherein the policy type is determined from the hierarchical data structure, the remote validation agent is associated with the policy type, and validation of the policy includes
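The validation flow of claims 1, 2 and 5, as an added Python example that is not part of the patent or of any Amazon code: the policy type is read from the hierarchical store rather than from the request, the validation request is routed to the agent registered for that type, and the policy action (linking the policy to a resource) is allowed or denied on the returned result, failing closed when no agent is registered. The store contents, the `access` policy format, the `validator.example` endpoint and the in-process `access_agent` handler are constructed assumptions.

```python
import json
# Hierarchical data store (constructed): policies are grouped by type; resources record linked policy ids.
STORE = {"policies": {"access": {}, "retention": {}},
         "resources": {"photos": {"kind": "bucket", "linked": []},
                       "web-1": {"kind": "instance", "linked": []}}}

def access_agent(info):
    # Simulated remote agent for the "access" policy type (hypothetical).
    pol = info["policy"]
    for key in ("principal", "effect", "action"):  # syntactic check
        if key not in pol:
            return {"valid": False, "reason": f"missing field {key}"}
    if pol["effect"] not in ("allow", "deny"):  # semantic check
        return {"valid": False, "reason": "unknown effect"}
    if pol["action"].startswith("s3:") and info["resource_kind"] != "bucket":
        return {"valid": False, "reason": "action not enforceable on resource"}
    return {"valid": True}

AGENTS = {"access": ("https://validator.example/access", access_agent)}  # type -> (endpoint, handler)

def create_policy(policy_type, policy_id, text):
    # Syntactic validation on creation (claim 2): the document must be a JSON object.
    try:
        doc = json.loads(text)
    except ValueError as e:
        return False, f"syntax error: {e}"
    if not isinstance(doc, dict):
        return False, "policy document must be an object"
    STORE["policies"].setdefault(policy_type, {})[policy_id] = doc
    return True, "created"

def policy_type_of(policy_id):
    # The policy type comes from the hierarchy, never from the caller's request.
    for ptype, group in STORE["policies"].items():
        if policy_id in group:
            return ptype
    return None

def apply_policy(policy_id, resource_name):  # policy action: link only after remote validation
    ptype = policy_type_of(policy_id)
    if ptype is None or ptype not in AGENTS:
        return False, "no validation agent for policy type"  # fail closed
    endpoint, handler = AGENTS[ptype]
    res = STORE["resources"][resource_name]
    info = {"policy": STORE["policies"][ptype][policy_id], "resource_kind": res["kind"]}
    result = handler(info)  # stand-in for POSTing `info` to `endpoint`
    if not result.get("valid"):
        return False, result.get("reason", "invalid")
    res["linked"].append(policy_id)
    return True, "applied"
```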

Assignees

Amazon Tech Inc

Inventors

Not listed on this page.

Classifications

  • Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes · CPC title

  • Ensuring data consistency and integrity · CPC title

  • Hierarchical databases, e.g. IMS, LDAP data stores or Lotus Notes · CPC title

  • for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS] · CPC title

  • Policy-based network configuration management · CPC title


Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Amazon Tech Inc
What technology area does this patent fall under?
Primary CPC classification G06F16/2365. Mapped technology areas include Physics.
When was this patent published?
Publication date: Jun 13, 2023 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 11 related publications on this page (citations in our corpus or others sharing the same primary CPC).