# getting-started
Hi, I understand that you can implement CrossGuard server-side by publishing Policy Packs to Pulumi Cloud or via a step in the CI/CD pipeline. We already have a CI/CD workflow integrated with GitHub and a CI/CD platform for Pulumi that works well. What would be a better approach? I want to make sure that the pipeline fails when we run `pulumi preview` or `up` with non-compliant infrastructure.
The server-side enforcement for Policy Packs requires Business Critical edition. If you want to check it out, you can create a trial org in Pulumi Cloud and you get 2 weeks free of Business Critical with no credit card required. The way it works is that you can apply policy packs to multiple stacks (all stacks, all stacks with a tag, etc.). Whenever you run a `pulumi` operation, Pulumi Cloud will automatically run the Policy Packs you have controlled on the server-side (as opposed to having to supply them via a flag yourself if you are not using server-side policy enforcement). Details here: https://www.pulumi.com/docs/using-pulumi/crossguard/configuration/#using-the-pulumi-cloud

There's also some new stuff we released with Policy Packs:

1. Compliance-ready policies, which cover a bunch of compliance frameworks like PCI-DSS, etc., for each of the major hyperscalers: https://www.pulumi.com/docs/using-pulumi/crossguard/compliance-ready-policies/
2. Remediation policies, which allow you to specify a transform to make a resource compliant, rather than just warning/failing: https://www.pulumi.com/blog/remediation-policies/
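As an added illustration of the pipeline-side option discussed above (this is example code written for this page, not code from the thread or from Pulumi), here is a small Python policy pack of the kind you would keep in a `./policy` directory and pass to the CI step as `pulumi preview --policy-pack ./policy` (or publish to Pulumi Cloud for server-side enforcement). It assumes the `pulumi_policy` SDK's `PolicyPack`, `ResourceValidationPolicy` and `EnforcementLevel` API and the `resource_type`/`props` fields of the validation args; the resource types, property names, policy names and sample inputs are constructed for the example. The validators are plain functions, so the `run_validator`/`run_remediation` helpers can unit test them offline without the Pulumi CLI.

```python
"""Constructed CrossGuard policy pack: `__main__.py` inside a ./policy directory.

With a PulumiPolicy.yaml declaring `runtime: python` beside it, the CI step
`pulumi preview --policy-pack ./policy` exits non-zero on any MANDATORY violation.
"""
from typing import Any, Callable, Dict, List, Optional

# Canned ACLs that grant anonymous or cross-account read access (constructed list).
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def s3_bucket_not_public(args, report_violation) -> None:
    """Validator: flag aws:s3/bucket:Bucket resources with a public canned ACL."""
    if args.resource_type != "aws:s3/bucket:Bucket":
        return
    acl = args.props.get("acl")
    if acl in PUBLIC_ACLS:
        report_violation(f"S3 bucket ACL '{acl}' grants public read; use 'private'.")


def security_group_no_open_ssh(args, report_violation) -> None:
    """Validator: flag a security group ingress rule exposing tcp/22 to 0.0.0.0/0."""
    if args.resource_type != "aws:ec2/securityGroup:SecurityGroup":
        return
    for rule in args.props.get("ingress") or []:
        from_port, to_port = rule.get("fromPort", 0), rule.get("toPort", 0)
        if from_port <= 22 <= to_port and "0.0.0.0/0" in (rule.get("cidrBlocks") or []):
            report_violation("Security group allows SSH (tcp/22) from 0.0.0.0/0.")


def s3_bucket_make_private(args) -> Optional[Dict[str, Any]]:
    """Remediation: rewrite a public bucket ACL to 'private' instead of only failing.

    Returning None leaves the resource untouched; returning a dict replaces its props.
    """
    if args.resource_type == "aws:s3/bucket:Bucket" and args.props.get("acl") in PUBLIC_ACLS:
        return {**args.props, "acl": "private"}
    return None


class _Args:
    """Minimal stand-in for pulumi_policy.ResourceValidationArgs (offline tests only)."""

    def __init__(self, resource_type: str, props: Dict[str, Any], name: str = "res") -> None:
        self.resource_type = resource_type
        self.props = props
        self.name = name
        self.urn = f"urn:pulumi:dev::example::{resource_type}::{name}"


def run_validator(validate: Callable, resource_type: str, props: Dict[str, Any]) -> List[str]:
    """Run one validator against constructed resource args; return violation messages."""
    violations: List[str] = []
    validate(_Args(resource_type, props), lambda message, urn=None: violations.append(message))
    return violations


def run_remediation(remediate: Callable, resource_type: str, props: Dict[str, Any]):
    """Run one remediation against constructed resource args; return the new props or None."""
    return remediate(_Args(resource_type, props))


# Registration with the Pulumi engine. The SDK is only importable when the CLI
# loads the pack, so offline unit tests skip this part.
try:
    from pulumi_policy import EnforcementLevel, PolicyPack, ResourceValidationPolicy
except ImportError:  # not running under the Pulumi CLI
    PolicyPack = None

if PolicyPack is not None:
    PolicyPack(
        name="ci-baseline",  # constructed pack name
        enforcement_level=EnforcementLevel.MANDATORY,  # violations fail preview/up
        policies=[
            ResourceValidationPolicy(
                name="s3-bucket-not-public",
                description="S3 buckets must not use a public canned ACL.",
                validate=s3_bucket_not_public,
            ),
            ResourceValidationPolicy(
                name="sg-no-open-ssh",
                description="Security groups must not expose SSH to the internet.",
                validate=security_group_no_open_ssh,
            ),
            # Remediations run before validations, so a public bucket is rewritten
            # to 'private' and then passes the validator above.
            ResourceValidationPolicy(
                name="s3-bucket-make-private",
                description="Rewrite public S3 bucket ACLs to 'private'.",
                enforcement_level=EnforcementLevel.REMEDIATE,
                remediate=s3_bucket_make_private,
            ),
        ],
    )
```

Keeping the checks as plain functions and the engine registration at the bottom means the same file serves both as the pack the CLI loads and as something the pipeline can unit test before it ever reaches `pulumi preview`; the `MANDATORY` level is what turns a finding into a non-zero exit code.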