Get Started with Policy as Code

Pulumi CrossGuard is a product that provides gated deployments via Policy as Code.

Often organizations want to empower developers to manage their infrastructure yet are concerned about giving them full access. CrossGuard allows administrators to provide autonomy to their developers while ensuring compliance to defined organization policies.

Using Policy as Code, users can express business or security rules as functions that are executed against resources in their stacks. Then using CrossGuard, organization administrators can apply these rules to particular stacks within their organization. When policies are executed as part of your Pulumi deployments, any violation will gate or block that update from proceeding.

Policies can be written in TypeScript/JavaScript (Node.js) or Python and can be applied to Pulumi stacks written in any language. More information on language support for policies is here.


  • Policy Pack - a set of related policies - i.e. ‚ÄúSecurity‚ÄĚ, ‚ÄúCost Optimization‚ÄĚ, ‚ÄúData Location‚ÄĚ. The categorization of policies into a policy pack is left up to the user.
  • Policy - an individual policy - i.e. ‚Äúprohibit use of instances larger than t3.medium‚ÄĚ.
  • Enforcement Level - the impact of a policy violation - i.e. ‚Äúmandatory‚ÄĚ or ‚Äúadvisory‚ÄĚ.

Learn more about Policy as Code core concepts.

Creating a Policy Pack

Let’s start with authoring your first Policy Pack.