DevOps & SRE

Realize policy-as-code with Pulumi through CrossGuard on Google Cloud

April 7, 2023

Xuejiao Zhang

Cloud Architect, Google Cloud

When it comes to creating and deploying cloud infrastructure on Google Cloud, more organizations are using CrossGuard from Pulumi. This policy-as-code offering lets you set guardrails to enforce compliance for resources, so you can provision your own infrastructure while sticking to best practices and baseline your organization’s security compliance.

Pulumi lets you write code in your favorite language (such as Python) and automatically provisions and manages Google Cloud resources using an infrastructure-as-code approach.

Policy-as-Code is the use of code to define and manage rules and conditions, where a policy contains specific logic you would like to enforce. For example, you may want to prevent the creation of public, world-readable storage buckets on cloud storage. When policies are executed as part of your Pulumi deployments, any violation will gate or block that update from proceeding.

In this post, we’ll walk through how to use CrossGuard for policy as code when creating infrastructure with Pulumi. Here is a list of high-level tasks that we cover:

Creating a Pulumi project to deploy Google Cloud resources (Cloud Storage)
Writing a simple policy based on CrossGuard (checking whether the Cloud Storage bucket has the name prefix “my-”)
Leveraging the policy to validate the Pulumi code

Prerequisites

Create a workstation referring to the instruction here

Access the workstation and launch the terminal

Download the Pulumi package, here we use Pulumi v3.55.0 for demonstration

Verify the checksum

If the checksum output matches the following, then we are good to continue.

Extract the tar package

Add $HOME/pulumi/ to your $PATH

Confirm pulumi is installed

Get started

Create a Pulumi project

The Pulumi project will create a Cloud Storage bucket.

This command will walk you through creating a new Pulumi project.

Here we use default values for all questions.

Review the new project

Let’s review the generated project files:

__main__.py
is the Pulumi program that defines your stack resources.

We can see that a Cloud Storage bucket with name “my-bucket” is defined in Pulumi code.

Create policy pack

Let’s examine the policy code:

The automatically generated policy will check if Cloud Storage buckets are configured as publicRead or publicReadWrite.

Validate Cloud Storage with the generated policy (Checking if Cloud Storage buckets are configured as publicRead or publicReadWrite)

Once you’ve created your policy pack, you need to validate your Pulumi code for Cloud Storage creation. For example, check to make sure the Cloud Storage buckets aren’t configured publicRead or publicReadWrite.

https://storage.googleapis.com/gweb-cloudblog-publish/images/1_H9Q6TtS.max-1600x1600.png

From the output, we can see there is no policy violation.

Create a policy with CrossGuard

Next, you’ll need to check if the Cloud Storage bucket’s has the prefix “my-”

Here's how to edit the policy code (__main__.py )

$ cd ~/policypack
$ cat  __main__.py
from pulumi_policy import (
   EnforcementLevel,
   PolicyPack,
   ReportViolation,
   ResourceValidationArgs,
   ResourceValidationPolicy,
)

def storage_bucket_no_public_read_validator(args: ResourceValidationArgs, report_violation: ReportViolation):
   if args.resource_type == "gcp:storage/bucketACL:BucketACL" and "predefinedAcl" in args.props:
       acl = args.props["predefinedAcl"]
       if acl == "public-read" or acl == "public-read-write":
           report_violation("Storage buckets acl cannot be set to public-read or public-read-write.")

storage_bucket_no_public_read = ResourceValidationPolicy(
   name="storage-bucket-no-public-read",
   description="Prohibits setting the publicRead or publicReadWrite permission on GCP Storage buckets.",
   validate=storage_bucket_no_public_read_validator,
)

def storage_bucket_name_prefix_validator(args: ResourceValidationArgs, report_violation: ReportViolation):
   if args.resource_type == "gcp:storage/bucket:Bucket":
       name = args.props["name"]
       print(name)
       if name.startswith("my-"):
           report_violation("Storage buckets with name prefix: my- cannot be created")

storage_bucket_name_prefix = ResourceValidationPolicy(
   name="storage-bucket-name-prefix",
   description="Prohibits GCP Storage buckets with name prefix: my- from creation.",
   validate=storage_bucket_name_prefix_validator,
)

PolicyPack(
   name="gcp-python",
   enforcement_level=EnforcementLevel.MANDATORY,
   policies=[
       storage_bucket_no_public_read,
       storage_bucket_name_prefix,
   ],
)
In the code above, we define the storage_bucket_name_prefix_validator function and storage_bucket_name_prefix policy, with the storage_bucket_name_prefix policy added in the PolicyPack.

Validate Cloud Storage with policy (Checking if Cloud Storage bucket is with name prefix “my-”)

https://storage.googleapis.com/gweb-cloudblog-publish/images/2_lunLAOl.max-1800x1800.png

From the output, we can see there is one violation to our newly created policy (storage_bucket_name_prefix): the bucket named “my-bucket”.

Next steps

The example above is a demonstration that shows a way of using CrossGuard to create a policy, validate that policy, and determine whether a proposed Pulumi update on Google Cloud is authorized. This example can be applied to other use cases as well, including ensuring all resources have tags before they are created, making sure naming standards for resources are followed, and meeting security and operational requirements.

Knowing early whether an infrastructure deployment is in violation of your policy definitions can be useful. It’s a good idea to include policy evaluation in your infrastructure lifecycle workflows, and to fail deployments that create non-compliant resources. You can integrate CrossGuard with a Pulumi-backed infrastructure-as-code CI/CD pipeline, and make use of the CrossGuard output to automatically fail or pass a deployment.

All in all, you can use CrossGuard with Pulumi to build policy-driven infrastructure on Google Cloud, to enforce constraints, to provide guardrails, and to govern cloud resources with confidence.

Posted in