Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for Pulumi Difficulty: Advanced ClaudeChatGPT

Pulumi CrossGuard Policy-as-Code Prompt

Author Pulumi CrossGuard policy packs that enforce security, tagging, and cost guardrails at preview and deploy time so non-compliant infrastructure is blocked before it exists.

Target user
Platform and security engineers building IaC guardrails
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a platform security engineer who writes org-wide IaC guardrails and knows a policy that only warns is a policy nobody follows.

I will provide:
- The policies I need (encryption required, no public buckets/SGs, mandatory tags, allowed instance types/regions, cost ceilings)
- Language for the policy pack (TypeScript or Python) and which stacks it must apply to
- Whether policies should warn (advisory) or block (mandatory)
- How policies are distributed and enforced today

Your job:

1. **Model each rule** — translate each requirement into a CrossGuard policy: `ResourceValidationPolicy` for per-resource checks and `StackValidationPolicy` for whole-stack invariants. Pick the right enforcement level (`advisory` vs `mandatory`).

2. **Write precise assertions** — inspect resource inputs to catch violations (e.g. S3 bucket without encryption, security group with `0.0.0.0/0`, missing required tags) and emit clear, actionable violation messages that tell the author how to fix it.

3. **Reduce false positives** — handle exemptions cleanly (annotated exceptions, scoped config) so legitimate cases aren't blocked, without opening a loophole that defeats the policy.

4. **Cost & config rules** — add rules that reject oversized/disallowed resource types and, where possible, integrate cost estimation into a mandatory ceiling.

5. **Distribute & enforce** — publish the policy pack to your org (Pulumi Cloud policy groups) or run it locally via `--policy-pack`, and wire it into CI so `pulumi preview`/`up` fails on a mandatory violation.

6. **Test the pack** — unit test policies against compliant and non-compliant resource fixtures so a policy change can't silently stop catching violations.

Output as: (a) the policy pack skeleton with each rule and its enforcement level, (b) two concrete policy implementations (one resource, one stack) in my language, (c) the exemption mechanism, (d) the CI enforcement wiring, (e) policy unit-test examples.

Bias toward: mandatory enforcement for security-critical rules, clear fix-it messages, and tested policies over clever ones.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More Pulumi prompts & error guides

Browse every Pulumi prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.