a
Hey all, we're looking at Pulumi's capacity to enforce some governance. CrossGuard is obviously one of the options; however, we're a pure dotnet shop. We were wondering how Pulumi detects that a new resource is being materialized. Can we intercept that? Is it possible to "mutate" whatever our devs are going to create to ensure that some internal standards will be met at code level?
b
Yes, CrossGuard does exactly what you want here: it supports governance of Pulumi programs written in C#. It works by intercepting the Pulumi state changes when running 'preview' or 'up' operations. Additionally, it supports "Remediate" actions, meaning you can write policies to apply mutations to adhere to policy.
a
oh that's interesting, do you have an example?
@billions-river-87988 I took the feature for a spin. The CLI usage appears to be straightforward; however, I'm running into an interesting issue. The policies do not seem to execute. I've created an "always fail" policy just to check:

```typescript
// Copyright 2016-2022, Pulumi Corporation.  All rights reserved.

import * as azure from "@pulumi/azure-native";
import * as policy from "@pulumi/policy";

// Policy that reports a violation for every resource it is invoked on.
const azureAlwaysFailPolicy: policy.ResourceValidationPolicy = {
  name: "azure-always-fail-policy",
  description: "Ensures that Azure resources have a 'cloud' tag with the value 'azure'.",
  enforcementLevel: "mandatory",
  validateResource: policy.validateResourceOfType(azure.resources.Resource, (resource, args, reportViolation) => {
    reportViolation(`This policy always fails: [${resource}]`, args.urn); // same effect if I throw here
  }),
};

export const policies = new policy.PolicyPack("azure-always-fail", {
  policies: [azureAlwaysFailPolicy],
});
```
All policies pass and show green checkmarks in the CLI output. I'm a bit puzzled.

```text
Policies:
    ✅ azure-always-fail@v0.0.1 (local: ../../poc-azure-pulumi-policy/azure/always-fail)
    ✅ azure-tags@v0.0.1 (local: ../../poc-azure-pulumi-policy/azure/tags)
```

Am I missing something with the structure of my index.ts file?
And yes, remediation appears to be the way to go.
b
@astonishing-cpu-1506 sorry for the delay. I will look into this; thanks for the example.
a
@billions-river-87988 any luck with the sample so far?