https://github.com/pulumi/pulumi-policy

Pulumi's Policy as Code SDK, CrossGuard. Define infrastructure checks in code to enforce security, compliance, cost, and other practices, enforced at deployment time.
https://github.com/pulumi/pulumi-policy

javascript policy policy-as-code pulumi python typescript

Last synced: 2 months ago
JSON representation

Pulumi's Policy as Code SDK, CrossGuard. Define infrastructure checks in code to enforce security, compliance, cost, and other practices, enforced at deployment time.

• Host: GitHub
• URL: https://github.com/pulumi/pulumi-policy
• Owner: pulumi
• License: apache-2.0
• Created: 2019-05-23T22:47:52.000Z (about 6 years ago)
• Default Branch: main
• Last Pushed: 2025-03-19T19:19:52.000Z (3 months ago)
• Last Synced: 2025-03-29T00:05:37.346Z (3 months ago)
• Topics: javascript, policy, policy-as-code, pulumi, python, typescript
• Language: TypeScript
• Homepage: https://www.pulumi.com/docs/guides/crossguard/
• Size: 612 KB
• Stars: 35
• Watchers: 26
• Forks: 5
• Open Issues: 62
• Metadata Files:
  • Readme: README.md
  • Changelog: CHANGELOG.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE
  • Code of conduct: CODE-OF-CONDUCT.md
  • Codeowners: .github/CODEOWNERS

Awesome Lists containing this project

README

        
![Build Status](https://github.com/pulumi/pulumi-policy/actions/workflows/main.yml/badge.svg)

# Pulumi Policy SDK

## Overview

Define and manage policy for cloud resources deployed through Pulumi.

Policy rules run during `pulumi preview` and `pulumi up`, asserting that cloud resource definitions

comply with the policy immediately before they are created or updated. Policies may optionally define

remediations that automatically fix policy violations rather than issue warnings.

During `preview`, every rule is run on every resource, and policy violations are batched up

into a final report. During the update, the first policy violation will halt the deployment.

Policy violations can have enforcement levels that are **advisory**, which results in a printed

warning, or **mandatory**, which results in an error after `pulumi preview` or `pulumi up` completes.

The enforcement level **remediate** is stronger than both and enables automatic remediations.

## Getting Started

Please see [Get Started with Policy as Code](https://www.pulumi.com/docs/get-started/crossguard/) to get

started authoring and enforcing policies.

## Documentation

For additional documentation, guides, best practices, and FAQs, see [Policy as Code](https://www.pulumi.com/docs/guides/crossguard/).

## Examples

Looking for examples? Please refer to the [examples repo](https://github.com/pulumi/examples/tree/master/policy-packs).

## Languages

Policies can be written in TypeScript/JavaScript (Node.js) or Python and can be applied to Pulumi stacks written in any language.

|    | Language | Status |

| -- | -------- | ------ |

|      | [TypeScript](./sdk/nodejs) | Stable      |

|      | [JavaScript](./sdk/nodejs) | Stable      |

|  | [Python](./sdk/python)     | Preview     |

|       | .NET                       | Coming Soon |

|  | Go                         | Coming Soon |