Realize policy-as-code with Pulumi through CrossGuard on Google Cloud
Xuejiao Zhang
Cloud Architect, Google Cloud
When it comes to creating and deploying cloud infrastructure on Google Cloud, more organizations are using CrossGuard from Pulumi. This policy-as-code offering lets you set guardrails to enforce compliance for resources, so you can provision your own infrastructure while sticking to best practices and baseline your organization’s security compliance.
Pulumi lets you write code in your favorite language (such as Python) and automatically provisions and manages Google Cloud resources using an infrastructure-as-code approach.
Policy-as-Code is the use of code to define and manage rules and conditions, where a policy contains specific logic you would like to enforce. For example, you may want to prevent the creation of public, world-readable storage buckets on cloud storage. When policies are executed as part of your Pulumi deployments, any violation will gate or block that update from proceeding.
In this post, we’ll walk through how to use CrossGuard for policy as code when creating infrastructure with Pulumi. Here is a list of high-level tasks that we cover:
Creating a Pulumi project to deploy Google Cloud resources (Cloud Storage)
Writing a simple policy based on CrossGuard (checking whether the Cloud Storage bucket has the name prefix “my-”)
Leveraging the policy to validate the Pulumi code
Prerequisites
Create a workstation referring to the instruction here
Access the workstation and launch the terminal
Download the Pulumi package, here we use Pulumi v3.55.0 for demonstration
Verify the checksum
If the checksum output matches the following, then we are good to continue.
Extract the tar package
Add $HOME/pulumi/ to your $PATH
Confirm pulumi is installed
Get started
Create a Pulumi project
The Pulumi project will create a Cloud Storage bucket.
This command will walk you through creating a new Pulumi project.
Here we use default values for all questions.
Review the new project
Let’s review the generated project files:
- __main__.py
is the Pulumi program that defines your stack resources.
We can see that a Cloud Storage bucket with name “my-bucket” is defined in Pulumi code.
Create policy pack
Let’s examine the policy code:
The automatically generated policy will check if Cloud Storage buckets are configured as publicRead or publicReadWrite.
Validate Cloud Storage with the generated policy (Checking if Cloud Storage buckets are configured as publicRead or publicReadWrite)
Once you’ve created your policy pack, you need to validate your Pulumi code for Cloud Storage creation. For example, check to make sure the Cloud Storage buckets aren’t configured publicRead or publicReadWrite.
From the output, we can see there is no policy violation.
Create a policy with CrossGuard
Next, you’ll need to check if the Cloud Storage bucket’s has the prefix “my-”
Here's how to edit the policy code (__main__.py )
Validate Cloud Storage with policy (Checking if Cloud Storage bucket is with name prefix “my-”)
From the output, we can see there is one violation to our newly created policy (storage_bucket_name_prefix): the bucket named “my-bucket
”.
Next steps
The example above is a demonstration that shows a way of using CrossGuard to create a policy, validate that policy, and determine whether a proposed Pulumi update on Google Cloud is authorized. This example can be applied to other use cases as well, including ensuring all resources have tags before they are created, making sure naming standards for resources are followed, and meeting security and operational requirements.
Knowing early whether an infrastructure deployment is in violation of your policy definitions can be useful. It’s a good idea to include policy evaluation in your infrastructure lifecycle workflows, and to fail deployments that create non-compliant resources. You can integrate CrossGuard with a Pulumi-backed infrastructure-as-code CI/CD pipeline, and make use of the CrossGuard output to automatically fail or pass a deployment.
All in all, you can use CrossGuard with Pulumi to build policy-driven infrastructure on Google Cloud, to enforce constraints, to provide guardrails, and to govern cloud resources with confidence.