Policy-as-code with CrossGuard

Guardrails in code, enforced on preview.

Advanced12 min · lesson 10 of 12

CrossGuard is Pulumi’s policy-as-code: guardrails, written in code, that evaluate every resource during preview and update and can warn (advisory) or block (mandatory) non-compliant changes before they deploy. Because policies are themselves TypeScript/Python, you express rules with the same language and logic as your infrastructure — “no public buckets,” “encryption required,” “only approved instance types,” “every resource tagged.”

policy/index.ts
import { PolicyPack, validateResourceOfType } from "@pulumi/policy";
import * as aws from "@pulumi/aws";
new PolicyPack("acme-guardrails", {
policies: [{
name: "s3-no-public-acl",
enforcementLevel: "mandatory", // block, do not just warn
validateResource: validateResourceOfType(aws.s3.BucketV2, (b, args, report) => {
if ((b as any).acl === "public-read")
report("S3 buckets must not be public-read");
}),
}],
});

Enforce it

You attach a policy pack to a run (or enforce it org-wide via Pulumi Cloud), and a mandatory violation fails the preview/update, so a non-compliant resource never deploys. Advisory level lets you roll a new rule out in warn-only mode first, see who trips it, fix, then flip to mandatory — the same audit-before-enforce discipline as Kubernetes Pod Security or OPA.

terminal
$ pulumi up --policy-pack ./policy
Diagnostics:
pulumi:pulumi:Stack (payments-infra-dev):
mandatory: s3-no-public-acl
S3 buckets must not be public-read
error: preview failed due to a policy violation
Policy runs on the resolved plan, not just source
CrossGuard evaluates the actual resource inputs Pulumi computed for the update, so it catches values produced by logic at runtime — a public flag set from config, a size chosen by a conditional — that a source-only scanner would miss. Start rules advisory to avoid blocking teams on day one, then promote the ones you trust to mandatory.