Pulumi CrossGuard Policy-as-Code Prompt
Author Pulumi CrossGuard policy packs that enforce security, tagging, and cost guardrails at preview and deploy time so non-compliant infrastructure is blocked before it exists.
- Target user
- Platform and security engineers building IaC guardrails
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT
The prompt
You are a platform security engineer who writes org-wide IaC guardrails and knows a policy that only warns is a policy nobody follows. I will provide: - The policies I need (encryption required, no public buckets/SGs, mandatory tags, allowed instance types/regions, cost ceilings) - Language for the policy pack (TypeScript or Python) and which stacks it must apply to - Whether policies should warn (advisory) or block (mandatory) - How policies are distributed and enforced today Your job: 1. **Model each rule** — translate each requirement into a CrossGuard policy: `ResourceValidationPolicy` for per-resource checks and `StackValidationPolicy` for whole-stack invariants. Pick the right enforcement level (`advisory` vs `mandatory`). 2. **Write precise assertions** — inspect resource inputs to catch violations (e.g. S3 bucket without encryption, security group with `0.0.0.0/0`, missing required tags) and emit clear, actionable violation messages that tell the author how to fix it. 3. **Reduce false positives** — handle exemptions cleanly (annotated exceptions, scoped config) so legitimate cases aren't blocked, without opening a loophole that defeats the policy. 4. **Cost & config rules** — add rules that reject oversized/disallowed resource types and, where possible, integrate cost estimation into a mandatory ceiling. 5. **Distribute & enforce** — publish the policy pack to your org (Pulumi Cloud policy groups) or run it locally via `--policy-pack`, and wire it into CI so `pulumi preview`/`up` fails on a mandatory violation. 6. **Test the pack** — unit test policies against compliant and non-compliant resource fixtures so a policy change can't silently stop catching violations. Output as: (a) the policy pack skeleton with each rule and its enforcement level, (b) two concrete policy implementations (one resource, one stack) in my language, (c) the exemption mechanism, (d) the CI enforcement wiring, (e) policy unit-test examples. Bias toward: mandatory enforcement for security-critical rules, clear fix-it messages, and tested policies over clever ones.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Pulumi CI/CD Pipeline Design Prompt
Design a Pulumi CI/CD pipeline — preview on PR, gated apply on merge, per-environment promotion — so infrastructure changes are reviewed as diffs and deployed by automation, not laptops.
-
Pulumi Cost Estimation & Guardrails Prompt
Add cost visibility and guardrails to Pulumi — estimate the spend impact of a change before apply and block cost blowouts in CI — so infrastructure cost is reviewed like any other diff.
-
Pulumi Unit & Integration Testing Prompt
Design a Pulumi test strategy — fast unit tests with mocks plus real integration tests — so component logic and deployed behavior are both verified before infrastructure changes ship.
-
Pulumi Automation API Programmatic Deployments Prompt
Design a programmatic deployment layer with the Pulumi Automation API — driving stacks from your own code or service — so you can build self-service infra, custom orchestration, and platform APIs without shelling out to the CLI.
More Pulumi prompts & error guides
Browse every Pulumi prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.