Over the last couple months, the team at Pulumi has been working on a new policy-as-code feature that we expect to make generally available later this year. With this new Gated Deployments feature in the Pulumi Service, you can express business, compliance or security rules as functions (written in fully-expressive code!) that are executed against resources in your stacks (either individual stacks or organization wide). When policies are executed as part of your Pulumi deployments, any violation will gate or block that update from proceeding.
We've been alpha testing this with a few customers, but are looking to expand the scope of feedback for a broader private beta. If you are interested, please reach out to firstname.lastname@example.org with your Pulumi account name, the optional organization name to grant preview access to, and details of your current Pulumi use case and interest in trialing the Gated Deployments feature.
We look forward to your feedback!