Best Practices for Writing Policy Packs

CrossGuard is a beta feature and is subject to breaking changes. The open source --policy-pack flag is free and available for all to use. A preview of CrossGuard is also available in the Pulumi Console, which enables you to enforce policies across an organization. To get access, submit a request here.

Naming Policies

Each policy within a Policy Pack must have a unique name. The name must be between 1 and 100 characters and may contain letters, numbers, dashes (-), underscores (_) or periods (.).

Policy Assertions

Policy assertions should be complete sentences, specify the resource that has violated the policy, and be written using an imperative tone. The table below provides some examples of policy assertions.

Recommended                                          Not recommended
“The RDS cluster must specify a node type.”          “Specify a node type.”
“The RDS cluster must have audit logging enabled.”   “Enable audit logging.”

This format provides a clear message to end users, allowing them to understand which policy is failing and why.
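
The naming rules and assertion guidance above can be checked before a pack is published. The following is an added example, not code from Pulumi or from this page: the { name, resource, message } object shape, the rule labels, and the sentence heuristic are assumptions made for illustration.

```javascript
// Added example: lint policy metadata against the conventions on this page.
// The { name, resource, message } shape is hypothetical, not a Pulumi API.
const NAME_RE = /^[A-Za-z0-9._-]{1,100}$/; // assumes ASCII letters and digits

function lintPolicies(policies) {
  const problems = [];
  const seen = new Set();
  for (const p of policies) {
    const name = String(p.name ?? "");
    const report = (rule, detail) => problems.push({ name, rule, detail });

    if (!NAME_RE.test(name)) {
      report("name-format", "use 1-100 letters, numbers, '-', '_' or '.'");
    }
    if (seen.has(name)) {
      report("name-unique", "another policy in the pack already uses this name");
    }
    seen.add(name);

    const message = String(p.message ?? "").trim();
    // Heuristic for "complete sentence": capitalised and ends with a period.
    if (!/^[A-Z]/.test(message) || !message.endsWith(".")) {
      report("assertion-sentence", "write the assertion as a complete sentence");
    }
    // The assertion must name the resource that violated the policy.
    const resource = String(p.resource ?? "").toLowerCase();
    if (!resource || !message.toLowerCase().includes(resource)) {
      report("assertion-resource", "name the violating resource in the assertion");
    }
  }
  return problems;
}

// Constructed sample input, reusing the assertions from the table above.
const SAMPLE_POLICIES = [
  { name: "rds-cluster-node-type", resource: "RDS cluster",
    message: "The RDS cluster must specify a node type." },
  { name: "rds-cluster-node-type", resource: "RDS cluster",
    message: "Enable audit logging." },
  { name: "rds audit logging!", resource: "RDS cluster",
    message: "the RDS cluster must have audit logging enabled" },
];

for (const { name, rule, detail } of lintPolicies(SAMPLE_POLICIES)) {
  console.log(`${JSON.stringify(name)} [${rule}] ${detail}`);
}
```

Running the check in CI for the policy pack repository catches duplicate or malformed names and terse assertions before they reach end users.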