Policy-as-code with CrossGuard
Guardrails in code, enforced on preview.
CrossGuard is Pulumi’s policy-as-code: guardrails, written in code, that evaluate every resource during preview and update and can warn (advisory) or block (mandatory) non-compliant changes before they deploy. Because policies are themselves TypeScript/Python, you express rules with the same language and logic as your infrastructure — “no public buckets,” “encryption required,” “only approved instance types,” “every resource tagged.”
import { PolicyPack, validateResourceOfType } from "@pulumi/policy";import * as aws from "@pulumi/aws";new PolicyPack("acme-guardrails", {policies: [{name: "s3-no-public-acl",enforcementLevel: "mandatory", // block, do not just warnvalidateResource: validateResourceOfType(aws.s3.BucketV2, (b, args, report) => {if ((b as any).acl === "public-read")report("S3 buckets must not be public-read");}),}],});
Enforce it
You attach a policy pack to a run (or enforce it org-wide via Pulumi Cloud), and a mandatory violation fails the preview/update, so a non-compliant resource never deploys. Advisory level lets you roll a new rule out in warn-only mode first, see who trips it, fix, then flip to mandatory — the same audit-before-enforce discipline as Kubernetes Pod Security or OPA.
$ pulumi up --policy-pack ./policyDiagnostics:pulumi:pulumi:Stack (payments-infra-dev):mandatory: s3-no-public-aclS3 buckets must not be public-readerror: preview failed due to a policy violation