Best Practices for Writing Policy Packs
CrossGuard is a beta feature and is subject to breaking changes. The open
--policy-pack flag is free and available for all to use. A preview of CrossGuard
is also available in the Pulumi Console, which enables you to enforce policies across an
organization. To get access, submit a request here.
Each policy within a Policy Pack must have a unique name. The name must be between 1 and 100 characters and may contain letters, numbers, dashes (-), underscores (_) or periods (.).
Policy assertions should be complete sentences, specify the resource that has violated the policy, and be written using an imperative tone. The table below provides some examples of policy assertions.
| Recommended | Not recommended |
|---|---|
| “The RDS cluster must specify a node type.” | “Specify a node type.” |
| “The RDS cluster must have audit logging enabled.” | “Enable audit logging.” |
This format gives end users a clear message, so they can understand which policy is failing and why.
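
The naming rule and the assertion format above can be checked before a pack is published. The following is an added example, not code from Pulumi or from this page: it is plain TypeScript that does not use the policy SDK, `PolicyMeta`, `lintPolicyPack` and `SAMPLE_PACK` are hypothetical names, and the sample entries are constructed. It assumes "letters" and "numbers" mean ASCII, and the message check is a heuristic modelled on the table's examples.

```typescript
// Assumption: "letters" and "numbers" in the naming rule mean ASCII characters.
const NAME_RULE = /^[A-Za-z0-9._-]{1,100}$/;

interface PolicyMeta {
    name: string;
    message: string; // assertion text shown to the user on a violation
}

// Returns one finding per problem; an empty array means the pack passes.
function lintPolicyPack(policies: PolicyMeta[]): string[] {
    const findings: string[] = [];
    const seen = new Set<string>();
    for (const p of policies) {
        const label = JSON.stringify(p.name);
        if (!NAME_RULE.test(p.name)) {
            findings.push(`${label}: name must be 1-100 characters of letters, numbers, '-', '_' or '.'`);
        }
        if (seen.has(p.name)) {
            findings.push(`${label}: name is already used by another policy in this pack`);
        }
        seen.add(p.name);

        const msg = p.message.trim();
        // Heuristic: a complete sentence ends with terminal punctuation.
        if (!/[.!]$/.test(msg)) {
            findings.push(`${label}: message should be a complete sentence`);
        }
        // Heuristic: "<resource> must ..." names the resource; a bare
        // command such as "Enable audit logging." does not.
        if (!/^\S.*\smust\s/.test(msg)) {
            findings.push(`${label}: message should name the resource, e.g. "The <resource> must ..."`);
        }
    }
    return findings;
}

// Constructed sample pack: one clean entry followed by three faulty ones.
const SAMPLE_PACK: PolicyMeta[] = [
    { name: "rds-cluster-node-type", message: "The RDS cluster must specify a node type." },
    { name: "rds-cluster-node-type", message: "Enable audit logging." },
    { name: "rds cluster/audit", message: "The RDS cluster must have audit logging enabled." },
    { name: "a".repeat(101), message: "The RDS cluster must have audit logging enabled" },
];

for (const finding of lintPolicyPack(SAMPLE_PACK)) {
    console.log(finding);
}
```

Running a check like this in CI catches duplicate or malformed names and terse messages before users see them in a failed update.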