Configure GCP Assured Workloads

The gcp:assuredworkloads/workload:Workload resource, part of the Pulumi GCP provider, provisions Assured Workloads environments that enforce compliance regimes, data residency, and encryption requirements. This guide focuses on three capabilities: FedRAMP and sovereign controls configuration, customer-managed encryption key setup, and partner workload management with split billing.

Assured Workloads depend on a GCP organization, billing accounts, and optionally folders for resource hierarchy. The examples are intentionally small. Combine them with your own organization structure and compliance policies.

Create a FedRAMP Moderate workload with encryption

Organizations subject to FedRAMP Moderate requirements need isolated environments with customer-managed encryption keys and violation monitoring.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// FedRAMP Moderate workload. Everything it provisions is placed under the
// folder named in provisionedResourcesParent; resourceSettings asks for a
// consumer folder, an encryption-keys project and a keyring.
// "{{display}}" and "{{name}}" are placeholders to replace before deploying
// (displayName: 4-30 chars; letters, digits, hyphens and spaces only).
const fedrampResourceSettings = [
    { displayName: "{{name}}", resourceType: "CONSUMER_FOLDER" },
    { resourceType: "ENCRYPTION_KEYS_PROJECT" },
    { resourceId: "ring", resourceType: "KEYRING" },
];

const primary = new gcp.assuredworkloads.Workload("primary", {
    complianceRegime: "FEDRAMP_MODERATE",
    displayName: "{{display}}",
    location: "us-west1",
    organization: "123456789",
    billingAccount: "billingAccounts/000000-0000000-0000000-000000",
    // NOTE(review): the resource FAQ marks kmsSettings deprecated; the
    // ENCRYPTION_KEYS_PROJECT/KEYRING entries are the supported CMEK path.
    kmsSettings: {
        nextRotationTime: "9999-10-02T15:01:23Z",
        rotationPeriod: "10368000s",
    },
    provisionedResourcesParent: "folders/519620126891",
    resourceSettings: fedrampResourceSettings,
    // Defaults to true and is only honoured on update, not on create.
    violationNotificationsEnabled: true,
    // NOTE(review): opts the workload out of Key Access Justification
    // enrollment; confirm that is intended for a FedRAMP environment.
    workloadOptions: { kajEnrollmentType: "KEY_ACCESS_TRANSPARENCY_OFF" },
    labels: { "label-one": "value-one" },
});
import pulumi
import pulumi_gcp as gcp

# FedRAMP Moderate workload. "{{display}}" and "{{name}}" are placeholders to
# replace before deploying (display_name: 4-30 chars; letters, digits,
# hyphens and spaces only).
fedramp_resource_settings = [
    {"display_name": "{{name}}", "resource_type": "CONSUMER_FOLDER"},
    {"resource_type": "ENCRYPTION_KEYS_PROJECT"},
    {"resource_id": "ring", "resource_type": "KEYRING"},
]

# NOTE(review): kms_settings is deprecated per the resource FAQ; the
# ENCRYPTION_KEYS_PROJECT/KEYRING entries above are the supported CMEK path.
fedramp_kms_settings = {
    "next_rotation_time": "9999-10-02T15:01:23Z",
    "rotation_period": "10368000s",
}

primary = gcp.assuredworkloads.Workload(
    "primary",
    compliance_regime="FEDRAMP_MODERATE",
    display_name="{{display}}",
    location="us-west1",
    organization="123456789",
    billing_account="billingAccounts/000000-0000000-0000000-000000",
    kms_settings=fedramp_kms_settings,
    # All provisioned resources land under this folder.
    provisioned_resources_parent="folders/519620126891",
    resource_settings=fedramp_resource_settings,
    # Defaults to True and is only honoured on update, not on create.
    violation_notifications_enabled=True,
    # NOTE(review): opts out of Key Access Justification enrollment;
    # confirm that is intended for a FedRAMP environment.
    workload_options={"kaj_enrollment_type": "KEY_ACCESS_TRANSPARENCY_OFF"},
    labels={"label-one": "value-one"},
)
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/assuredworkloads"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main provisions a FEDRAMP_MODERATE Assured Workload. "{{display}}" and
// "{{name}}" are placeholders to replace before deploying (DisplayName:
// 4-30 chars; letters, digits, hyphens and spaces only).
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Consumer folder, encryption-keys project and keyring to provision.
		resourceSettings := assuredworkloads.WorkloadResourceSettingArray{
			&assuredworkloads.WorkloadResourceSettingArgs{
				DisplayName:  pulumi.String("{{name}}"),
				ResourceType: pulumi.String("CONSUMER_FOLDER"),
			},
			&assuredworkloads.WorkloadResourceSettingArgs{
				ResourceType: pulumi.String("ENCRYPTION_KEYS_PROJECT"),
			},
			&assuredworkloads.WorkloadResourceSettingArgs{
				ResourceId:   pulumi.String("ring"),
				ResourceType: pulumi.String("KEYRING"),
			},
		}

		workloadArgs := &assuredworkloads.WorkloadArgs{
			ComplianceRegime: pulumi.String("FEDRAMP_MODERATE"),
			DisplayName:      pulumi.String("{{display}}"),
			Location:         pulumi.String("us-west1"),
			Organization:     pulumi.String("123456789"),
			BillingAccount:   pulumi.String("billingAccounts/000000-0000000-0000000-000000"),
			// NOTE(review): KmsSettings is deprecated per the resource FAQ; the
			// ENCRYPTION_KEYS_PROJECT/KEYRING entries are the supported CMEK path.
			KmsSettings: &assuredworkloads.WorkloadKmsSettingsArgs{
				NextRotationTime: pulumi.String("9999-10-02T15:01:23Z"),
				RotationPeriod:   pulumi.String("10368000s"),
			},
			// All provisioned resources land under this folder.
			ProvisionedResourcesParent: pulumi.String("folders/519620126891"),
			ResourceSettings:           resourceSettings,
			// Defaults to true and is only honoured on update, not on create.
			ViolationNotificationsEnabled: pulumi.Bool(true),
			// NOTE(review): opts out of Key Access Justification enrollment;
			// confirm that is intended for a FedRAMP environment.
			WorkloadOptions: &assuredworkloads.WorkloadWorkloadOptionsArgs{
				KajEnrollmentType: pulumi.String("KEY_ACCESS_TRANSPARENCY_OFF"),
			},
			Labels: pulumi.StringMap{
				"label-one": pulumi.String("value-one"),
			},
		}

		_, err := assuredworkloads.NewWorkload(ctx, "primary", workloadArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    // FedRAMP Moderate workload. "{{display}}" and "{{name}}" are placeholders
    // to replace before deploying (DisplayName: 4-30 chars; letters, digits,
    // hyphens and spaces only).
    var resourceSettings = new Gcp.AssuredWorkloads.Inputs.WorkloadResourceSettingArgs[]
    {
        new() { DisplayName = "{{name}}", ResourceType = "CONSUMER_FOLDER" },
        new() { ResourceType = "ENCRYPTION_KEYS_PROJECT" },
        new() { ResourceId = "ring", ResourceType = "KEYRING" },
    };

    var workloadArgs = new Gcp.AssuredWorkloads.WorkloadArgs
    {
        ComplianceRegime = "FEDRAMP_MODERATE",
        DisplayName = "{{display}}",
        Location = "us-west1",
        Organization = "123456789",
        BillingAccount = "billingAccounts/000000-0000000-0000000-000000",
        // NOTE(review): KmsSettings is deprecated per the resource FAQ; the
        // ENCRYPTION_KEYS_PROJECT/KEYRING entries are the supported CMEK path.
        KmsSettings = new Gcp.AssuredWorkloads.Inputs.WorkloadKmsSettingsArgs
        {
            NextRotationTime = "9999-10-02T15:01:23Z",
            RotationPeriod = "10368000s",
        },
        // All provisioned resources land under this folder.
        ProvisionedResourcesParent = "folders/519620126891",
        ResourceSettings = resourceSettings,
        // Defaults to true and is only honoured on update, not on create.
        ViolationNotificationsEnabled = true,
        // NOTE(review): opts out of Key Access Justification enrollment;
        // confirm that is intended for a FedRAMP environment.
        WorkloadOptions = new Gcp.AssuredWorkloads.Inputs.WorkloadWorkloadOptionsArgs
        {
            KajEnrollmentType = "KEY_ACCESS_TRANSPARENCY_OFF",
        },
        Labels =
        {
            { "label-one", "value-one" },
        },
    };

    var primary = new Gcp.AssuredWorkloads.Workload("primary", workloadArgs);
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.assuredworkloads.Workload;
import com.pulumi.gcp.assuredworkloads.WorkloadArgs;
import com.pulumi.gcp.assuredworkloads.inputs.WorkloadKmsSettingsArgs;
import com.pulumi.gcp.assuredworkloads.inputs.WorkloadResourceSettingArgs;
import com.pulumi.gcp.assuredworkloads.inputs.WorkloadWorkloadOptionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Provisions a FEDRAMP_MODERATE Assured Workload. */
    public static void stack(Context ctx) {
        var primary = new Workload("primary", fedrampWorkloadArgs());
    }

    /**
     * Builds the workload arguments. "{{display}}" and "{{name}}" are
     * placeholders to replace before deploying (displayName: 4-30 chars;
     * letters, digits, hyphens and spaces only).
     */
    private static WorkloadArgs fedrampWorkloadArgs() {
        var consumerFolder = WorkloadResourceSettingArgs.builder()
            .displayName("{{name}}")
            .resourceType("CONSUMER_FOLDER")
            .build();
        var keysProject = WorkloadResourceSettingArgs.builder()
            .resourceType("ENCRYPTION_KEYS_PROJECT")
            .build();
        var keyring = WorkloadResourceSettingArgs.builder()
            .resourceId("ring")
            .resourceType("KEYRING")
            .build();

        // NOTE(review): kmsSettings is deprecated per the resource FAQ; the
        // ENCRYPTION_KEYS_PROJECT/KEYRING entries are the supported CMEK path.
        var kmsSettings = WorkloadKmsSettingsArgs.builder()
            .nextRotationTime("9999-10-02T15:01:23Z")
            .rotationPeriod("10368000s")
            .build();

        // NOTE(review): opts out of Key Access Justification enrollment;
        // confirm that is intended for a FedRAMP environment.
        var workloadOptions = WorkloadWorkloadOptionsArgs.builder()
            .kajEnrollmentType("KEY_ACCESS_TRANSPARENCY_OFF")
            .build();

        return WorkloadArgs.builder()
            .complianceRegime("FEDRAMP_MODERATE")
            .displayName("{{display}}")
            .location("us-west1")
            .organization("123456789")
            .billingAccount("billingAccounts/000000-0000000-0000000-000000")
            .kmsSettings(kmsSettings)
            // All provisioned resources land under this folder.
            .provisionedResourcesParent("folders/519620126891")
            .resourceSettings(consumerFolder, keysProject, keyring)
            // Defaults to true and is only honoured on update, not on create.
            .violationNotificationsEnabled(true)
            .workloadOptions(workloadOptions)
            .labels(Map.of("label-one", "value-one"))
            .build();
    }
}
# FedRAMP Moderate workload. '{{display}}' and '{{name}}' are placeholders to
# replace before deploying (displayName: 4-30 chars; letters, digits, hyphens
# and spaces only).
resources:
  primary:
    type: gcp:assuredworkloads:Workload
    properties:
      complianceRegime: FEDRAMP_MODERATE
      displayName: '{{display}}'
      location: us-west1
      organization: '123456789'
      billingAccount: billingAccounts/000000-0000000-0000000-000000
      # NOTE(review): kmsSettings is deprecated per the resource FAQ; the
      # ENCRYPTION_KEYS_PROJECT/KEYRING entries below are the supported CMEK path.
      kmsSettings:
        nextRotationTime: 9999-10-02T15:01:23Z
        rotationPeriod: 10368000s
      # All provisioned resources land under this folder.
      provisionedResourcesParent: folders/519620126891
      resourceSettings:
        - displayName: '{{name}}'
          resourceType: CONSUMER_FOLDER
        - resourceType: ENCRYPTION_KEYS_PROJECT
        - resourceId: ring
          resourceType: KEYRING
      # Defaults to true and is only honoured on update, not on create.
      violationNotificationsEnabled: true
      # NOTE(review): opts out of Key Access Justification enrollment;
      # confirm that is intended for a FedRAMP environment.
      workloadOptions:
        kajEnrollmentType: KEY_ACCESS_TRANSPARENCY_OFF
      labels:
        label-one: value-one

The complianceRegime property sets the regulatory framework (here, FEDRAMP_MODERATE). The resourceSettings array defines what resources Assured Workloads provisions: a consumer folder for workload resources, an encryption keys project, and a keyring. The kmsSettings block configures key rotation for customer-managed encryption (note the FAQ below: this field is deprecated, and the encryption keys project and keyring entries in resourceSettings are the supported path). The provisionedResourcesParent property places all resources under a specific folder in your organization hierarchy.

Enable sovereign controls for EU data residency

European customers often need data sovereignty guarantees that restrict where data is stored and who can access it.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// EU sovereign-controls workload. enableSovereignControls adds data residency
// and access controls on top of the EU_REGIONS_AND_SUPPORT regime, and
// location fixes where the workload control plane runs.
const euResourceSettings = [
    { resourceType: "CONSUMER_FOLDER" },
    { resourceType: "ENCRYPTION_KEYS_PROJECT" },
    { resourceId: "ring", resourceType: "KEYRING" },
];

const primary = new gcp.assuredworkloads.Workload("primary", {
    complianceRegime: "EU_REGIONS_AND_SUPPORT",
    displayName: "display",
    location: "europe-west9",
    organization: "123456789",
    billingAccount: "billingAccounts/000000-0000000-0000000-000000",
    enableSovereignControls: true,
    // NOTE(review): kmsSettings is deprecated per the resource FAQ; the
    // ENCRYPTION_KEYS_PROJECT/KEYRING entries are the supported CMEK path.
    kmsSettings: {
        nextRotationTime: "9999-10-02T15:01:23Z",
        rotationPeriod: "10368000s",
    },
    resourceSettings: euResourceSettings,
    labels: { "label-one": "value-one" },
});
import pulumi
import pulumi_gcp as gcp

# EU sovereign-controls workload. enable_sovereign_controls adds data residency
# and access controls on top of the EU_REGIONS_AND_SUPPORT regime, and
# location fixes where the workload control plane runs.
eu_resource_settings = [
    {"resource_type": "CONSUMER_FOLDER"},
    {"resource_type": "ENCRYPTION_KEYS_PROJECT"},
    {"resource_id": "ring", "resource_type": "KEYRING"},
]

# NOTE(review): kms_settings is deprecated per the resource FAQ; the
# ENCRYPTION_KEYS_PROJECT/KEYRING entries above are the supported CMEK path.
eu_kms_settings = {
    "next_rotation_time": "9999-10-02T15:01:23Z",
    "rotation_period": "10368000s",
}

primary = gcp.assuredworkloads.Workload(
    "primary",
    compliance_regime="EU_REGIONS_AND_SUPPORT",
    display_name="display",
    location="europe-west9",
    organization="123456789",
    billing_account="billingAccounts/000000-0000000-0000000-000000",
    enable_sovereign_controls=True,
    kms_settings=eu_kms_settings,
    resource_settings=eu_resource_settings,
    labels={"label-one": "value-one"},
)
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/assuredworkloads"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main provisions an EU_REGIONS_AND_SUPPORT Assured Workload with sovereign
// controls enabled; Location fixes where the workload control plane runs.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Consumer folder, encryption-keys project and keyring to provision.
		resourceSettings := assuredworkloads.WorkloadResourceSettingArray{
			&assuredworkloads.WorkloadResourceSettingArgs{
				ResourceType: pulumi.String("CONSUMER_FOLDER"),
			},
			&assuredworkloads.WorkloadResourceSettingArgs{
				ResourceType: pulumi.String("ENCRYPTION_KEYS_PROJECT"),
			},
			&assuredworkloads.WorkloadResourceSettingArgs{
				ResourceId:   pulumi.String("ring"),
				ResourceType: pulumi.String("KEYRING"),
			},
		}

		workloadArgs := &assuredworkloads.WorkloadArgs{
			ComplianceRegime:        pulumi.String("EU_REGIONS_AND_SUPPORT"),
			DisplayName:             pulumi.String("display"),
			Location:                pulumi.String("europe-west9"),
			Organization:            pulumi.String("123456789"),
			BillingAccount:          pulumi.String("billingAccounts/000000-0000000-0000000-000000"),
			EnableSovereignControls: pulumi.Bool(true),
			// NOTE(review): KmsSettings is deprecated per the resource FAQ; the
			// ENCRYPTION_KEYS_PROJECT/KEYRING entries are the supported CMEK path.
			KmsSettings: &assuredworkloads.WorkloadKmsSettingsArgs{
				NextRotationTime: pulumi.String("9999-10-02T15:01:23Z"),
				RotationPeriod:   pulumi.String("10368000s"),
			},
			ResourceSettings: resourceSettings,
			Labels: pulumi.StringMap{
				"label-one": pulumi.String("value-one"),
			},
		}

		_, err := assuredworkloads.NewWorkload(ctx, "primary", workloadArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    // EU sovereign-controls workload. EnableSovereignControls adds data
    // residency and access controls on top of the EU_REGIONS_AND_SUPPORT
    // regime; Location fixes where the workload control plane runs.
    var resourceSettings = new Gcp.AssuredWorkloads.Inputs.WorkloadResourceSettingArgs[]
    {
        new() { ResourceType = "CONSUMER_FOLDER" },
        new() { ResourceType = "ENCRYPTION_KEYS_PROJECT" },
        new() { ResourceId = "ring", ResourceType = "KEYRING" },
    };

    var workloadArgs = new Gcp.AssuredWorkloads.WorkloadArgs
    {
        ComplianceRegime = "EU_REGIONS_AND_SUPPORT",
        DisplayName = "display",
        Location = "europe-west9",
        Organization = "123456789",
        BillingAccount = "billingAccounts/000000-0000000-0000000-000000",
        EnableSovereignControls = true,
        // NOTE(review): KmsSettings is deprecated per the resource FAQ; the
        // ENCRYPTION_KEYS_PROJECT/KEYRING entries are the supported CMEK path.
        KmsSettings = new Gcp.AssuredWorkloads.Inputs.WorkloadKmsSettingsArgs
        {
            NextRotationTime = "9999-10-02T15:01:23Z",
            RotationPeriod = "10368000s",
        },
        ResourceSettings = resourceSettings,
        Labels =
        {
            { "label-one", "value-one" },
        },
    };

    var primary = new Gcp.AssuredWorkloads.Workload("primary", workloadArgs);
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.assuredworkloads.Workload;
import com.pulumi.gcp.assuredworkloads.WorkloadArgs;
import com.pulumi.gcp.assuredworkloads.inputs.WorkloadKmsSettingsArgs;
import com.pulumi.gcp.assuredworkloads.inputs.WorkloadResourceSettingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Provisions an EU_REGIONS_AND_SUPPORT Assured Workload with sovereign controls. */
    public static void stack(Context ctx) {
        var primary = new Workload("primary", euWorkloadArgs());
    }

    /**
     * Builds the workload arguments. enableSovereignControls adds data
     * residency and access controls on top of the regime; location fixes
     * where the workload control plane runs.
     */
    private static WorkloadArgs euWorkloadArgs() {
        var consumerFolder = WorkloadResourceSettingArgs.builder()
            .resourceType("CONSUMER_FOLDER")
            .build();
        var keysProject = WorkloadResourceSettingArgs.builder()
            .resourceType("ENCRYPTION_KEYS_PROJECT")
            .build();
        var keyring = WorkloadResourceSettingArgs.builder()
            .resourceId("ring")
            .resourceType("KEYRING")
            .build();

        // NOTE(review): kmsSettings is deprecated per the resource FAQ; the
        // ENCRYPTION_KEYS_PROJECT/KEYRING entries are the supported CMEK path.
        var kmsSettings = WorkloadKmsSettingsArgs.builder()
            .nextRotationTime("9999-10-02T15:01:23Z")
            .rotationPeriod("10368000s")
            .build();

        return WorkloadArgs.builder()
            .complianceRegime("EU_REGIONS_AND_SUPPORT")
            .displayName("display")
            .location("europe-west9")
            .organization("123456789")
            .billingAccount("billingAccounts/000000-0000000-0000000-000000")
            .enableSovereignControls(true)
            .kmsSettings(kmsSettings)
            .resourceSettings(consumerFolder, keysProject, keyring)
            .labels(Map.of("label-one", "value-one"))
            .build();
    }
}
# EU sovereign-controls workload. enableSovereignControls adds data residency
# and access controls on top of the EU_REGIONS_AND_SUPPORT regime; location
# fixes where the workload control plane runs.
resources:
  primary:
    type: gcp:assuredworkloads:Workload
    properties:
      complianceRegime: EU_REGIONS_AND_SUPPORT
      displayName: display
      location: europe-west9
      organization: '123456789'
      billingAccount: billingAccounts/000000-0000000-0000000-000000
      enableSovereignControls: true
      # NOTE(review): kmsSettings is deprecated per the resource FAQ; the
      # ENCRYPTION_KEYS_PROJECT/KEYRING entries below are the supported CMEK path.
      kmsSettings:
        nextRotationTime: 9999-10-02T15:01:23Z
        rotationPeriod: 10368000s
      resourceSettings:
        - resourceType: CONSUMER_FOLDER
        - resourceType: ENCRYPTION_KEYS_PROJECT
        - resourceId: ring
          resourceType: KEYRING
      labels:
        label-one: value-one

Setting enableSovereignControls to true activates additional data residency and access controls. The complianceRegime EU_REGIONS_AND_SUPPORT restricts data storage and support access to EU regions. The location property (europe-west9) determines where the workload control plane runs.

Configure partner workloads with split billing

Partner-managed workloads require separate billing for partner services and specific permissions for partner service accounts to monitor and manage resources.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Partner-managed workload (ASSURED_WORKLOADS_FOR_PARTNERS) with split
// billing: partner service costs are charged to partnerServicesBillingAccount,
// on which the deploying identity needs billing.resourceAssociations.create.
const partnerResourceSettings = [
    { resourceType: "CONSUMER_FOLDER" },
    { resourceType: "ENCRYPTION_KEYS_PROJECT" },
    { resourceId: "ring", resourceType: "KEYRING" },
];

// Each flag grants the partner service account a capability (monitoring,
// data-log viewing, service access approval); enable only what the
// partnership requires.
const partnerPermissions = {
    assuredWorkloadsMonitoring: true,
    dataLogsViewer: true,
    serviceAccessApprover: true,
};

const primary = new gcp.assuredworkloads.Workload("primary", {
    complianceRegime: "ASSURED_WORKLOADS_FOR_PARTNERS",
    displayName: "display",
    location: "europe-west8",
    organization: "123456789",
    billingAccount: "billingAccounts/000000-0000000-0000000-000000",
    partner: "SOVEREIGN_CONTROLS_BY_PSN",
    partnerPermissions,
    partnerServicesBillingAccount: "billingAccounts/01BF3F-2C6DE5-30C607",
    resourceSettings: partnerResourceSettings,
    // Defaults to true and is only honoured on update, not on create.
    violationNotificationsEnabled: true,
    labels: { "label-one": "value-one" },
});
import pulumi
import pulumi_gcp as gcp

# Partner-managed workload (ASSURED_WORKLOADS_FOR_PARTNERS) with split
# billing: partner service costs are charged to partner_services_billing_account,
# on which the deploying identity needs billing.resourceAssociations.create.
partner_resource_settings = [
    {"resource_type": "CONSUMER_FOLDER"},
    {"resource_type": "ENCRYPTION_KEYS_PROJECT"},
    {"resource_id": "ring", "resource_type": "KEYRING"},
]

# Each flag grants the partner service account a capability (monitoring,
# data-log viewing, service access approval); enable only what the
# partnership requires.
partner_permissions = {
    "assured_workloads_monitoring": True,
    "data_logs_viewer": True,
    "service_access_approver": True,
}

primary = gcp.assuredworkloads.Workload(
    "primary",
    compliance_regime="ASSURED_WORKLOADS_FOR_PARTNERS",
    display_name="display",
    location="europe-west8",
    organization="123456789",
    billing_account="billingAccounts/000000-0000000-0000000-000000",
    partner="SOVEREIGN_CONTROLS_BY_PSN",
    partner_permissions=partner_permissions,
    partner_services_billing_account="billingAccounts/01BF3F-2C6DE5-30C607",
    resource_settings=partner_resource_settings,
    # Defaults to True and is only honoured on update, not on create.
    violation_notifications_enabled=True,
    labels={"label-one": "value-one"},
)
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/assuredworkloads"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main provisions an ASSURED_WORKLOADS_FOR_PARTNERS workload with split
// billing: partner service costs are charged to PartnerServicesBillingAccount,
// on which the deploying identity needs billing.resourceAssociations.create.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Consumer folder, encryption-keys project and keyring to provision.
		resourceSettings := assuredworkloads.WorkloadResourceSettingArray{
			&assuredworkloads.WorkloadResourceSettingArgs{
				ResourceType: pulumi.String("CONSUMER_FOLDER"),
			},
			&assuredworkloads.WorkloadResourceSettingArgs{
				ResourceType: pulumi.String("ENCRYPTION_KEYS_PROJECT"),
			},
			&assuredworkloads.WorkloadResourceSettingArgs{
				ResourceId:   pulumi.String("ring"),
				ResourceType: pulumi.String("KEYRING"),
			},
		}

		// Each flag grants the partner service account a capability
		// (monitoring, data-log viewing, service access approval); enable
		// only what the partnership requires.
		partnerPermissions := &assuredworkloads.WorkloadPartnerPermissionsArgs{
			AssuredWorkloadsMonitoring: pulumi.Bool(true),
			DataLogsViewer:             pulumi.Bool(true),
			ServiceAccessApprover:      pulumi.Bool(true),
		}

		workloadArgs := &assuredworkloads.WorkloadArgs{
			ComplianceRegime:              pulumi.String("ASSURED_WORKLOADS_FOR_PARTNERS"),
			DisplayName:                   pulumi.String("display"),
			Location:                      pulumi.String("europe-west8"),
			Organization:                  pulumi.String("123456789"),
			BillingAccount:                pulumi.String("billingAccounts/000000-0000000-0000000-000000"),
			Partner:                       pulumi.String("SOVEREIGN_CONTROLS_BY_PSN"),
			PartnerPermissions:            partnerPermissions,
			PartnerServicesBillingAccount: pulumi.String("billingAccounts/01BF3F-2C6DE5-30C607"),
			ResourceSettings:              resourceSettings,
			// Defaults to true and is only honoured on update, not on create.
			ViolationNotificationsEnabled: pulumi.Bool(true),
			Labels: pulumi.StringMap{
				"label-one": pulumi.String("value-one"),
			},
		}

		_, err := assuredworkloads.NewWorkload(ctx, "primary", workloadArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    // Partner-managed workload (ASSURED_WORKLOADS_FOR_PARTNERS) with split
    // billing: partner service costs are charged to PartnerServicesBillingAccount,
    // on which the deploying identity needs billing.resourceAssociations.create.
    var resourceSettings = new Gcp.AssuredWorkloads.Inputs.WorkloadResourceSettingArgs[]
    {
        new() { ResourceType = "CONSUMER_FOLDER" },
        new() { ResourceType = "ENCRYPTION_KEYS_PROJECT" },
        new() { ResourceId = "ring", ResourceType = "KEYRING" },
    };

    // Each flag grants the partner service account a capability (monitoring,
    // data-log viewing, service access approval); enable only what the
    // partnership requires.
    var partnerPermissions = new Gcp.AssuredWorkloads.Inputs.WorkloadPartnerPermissionsArgs
    {
        AssuredWorkloadsMonitoring = true,
        DataLogsViewer = true,
        ServiceAccessApprover = true,
    };

    var workloadArgs = new Gcp.AssuredWorkloads.WorkloadArgs
    {
        ComplianceRegime = "ASSURED_WORKLOADS_FOR_PARTNERS",
        DisplayName = "display",
        Location = "europe-west8",
        Organization = "123456789",
        BillingAccount = "billingAccounts/000000-0000000-0000000-000000",
        Partner = "SOVEREIGN_CONTROLS_BY_PSN",
        PartnerPermissions = partnerPermissions,
        PartnerServicesBillingAccount = "billingAccounts/01BF3F-2C6DE5-30C607",
        ResourceSettings = resourceSettings,
        // Defaults to true and is only honoured on update, not on create.
        ViolationNotificationsEnabled = true,
        Labels =
        {
            { "label-one", "value-one" },
        },
    };

    var primary = new Gcp.AssuredWorkloads.Workload("primary", workloadArgs);
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.assuredworkloads.Workload;
import com.pulumi.gcp.assuredworkloads.WorkloadArgs;
import com.pulumi.gcp.assuredworkloads.inputs.WorkloadPartnerPermissionsArgs;
import com.pulumi.gcp.assuredworkloads.inputs.WorkloadResourceSettingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Provisions an ASSURED_WORKLOADS_FOR_PARTNERS workload with split billing. */
    public static void stack(Context ctx) {
        var primary = new Workload("primary", partnerWorkloadArgs());
    }

    /**
     * Builds the workload arguments. Partner service costs are charged to
     * partnerServicesBillingAccount, on which the deploying identity needs
     * billing.resourceAssociations.create.
     */
    private static WorkloadArgs partnerWorkloadArgs() {
        var consumerFolder = WorkloadResourceSettingArgs.builder()
            .resourceType("CONSUMER_FOLDER")
            .build();
        var keysProject = WorkloadResourceSettingArgs.builder()
            .resourceType("ENCRYPTION_KEYS_PROJECT")
            .build();
        var keyring = WorkloadResourceSettingArgs.builder()
            .resourceId("ring")
            .resourceType("KEYRING")
            .build();

        // Each flag grants the partner service account a capability
        // (monitoring, data-log viewing, service access approval); enable
        // only what the partnership requires.
        var partnerPermissions = WorkloadPartnerPermissionsArgs.builder()
            .assuredWorkloadsMonitoring(true)
            .dataLogsViewer(true)
            .serviceAccessApprover(true)
            .build();

        return WorkloadArgs.builder()
            .complianceRegime("ASSURED_WORKLOADS_FOR_PARTNERS")
            .displayName("display")
            .location("europe-west8")
            .organization("123456789")
            .billingAccount("billingAccounts/000000-0000000-0000000-000000")
            .partner("SOVEREIGN_CONTROLS_BY_PSN")
            .partnerPermissions(partnerPermissions)
            .partnerServicesBillingAccount("billingAccounts/01BF3F-2C6DE5-30C607")
            .resourceSettings(consumerFolder, keysProject, keyring)
            // Defaults to true and is only honoured on update, not on create.
            .violationNotificationsEnabled(true)
            .labels(Map.of("label-one", "value-one"))
            .build();
    }
}
# Partner-managed workload (ASSURED_WORKLOADS_FOR_PARTNERS) with split billing:
# partner service costs are charged to partnerServicesBillingAccount, on which
# the deploying identity needs billing.resourceAssociations.create.
resources:
  primary:
    type: gcp:assuredworkloads:Workload
    properties:
      complianceRegime: ASSURED_WORKLOADS_FOR_PARTNERS
      displayName: display
      location: europe-west8
      organization: '123456789'
      billingAccount: billingAccounts/000000-0000000-0000000-000000
      partner: SOVEREIGN_CONTROLS_BY_PSN
      # Each flag grants the partner service account a capability (monitoring,
      # data-log viewing, service access approval); enable only what the
      # partnership requires.
      partnerPermissions:
        assuredWorkloadsMonitoring: true
        dataLogsViewer: true
        serviceAccessApprover: true
      partnerServicesBillingAccount: billingAccounts/01BF3F-2C6DE5-30C607
      resourceSettings:
        - resourceType: CONSUMER_FOLDER
        - resourceType: ENCRYPTION_KEYS_PROJECT
        - resourceId: ring
          resourceType: KEYRING
      # Defaults to true and is only honoured on update, not on create.
      violationNotificationsEnabled: true
      labels:
        label-one: value-one

The partner property identifies which partner manages the workload (here, SOVEREIGN_CONTROLS_BY_PSN). The partnerPermissions block grants the partner service account specific capabilities: monitoring, data log access, and service access approval. The partnerServicesBillingAccount property separates partner service costs from your primary billing account.

Beyond these examples

These snippets focus on specific workload-level features: compliance regime selection and sovereign controls, encryption key management and resource provisioning, and partner integration and split billing. They’re intentionally minimal rather than full compliance environments.

The examples reference pre-existing infrastructure such as a GCP organization, billing accounts, and, where specified, folders for the resource hierarchy. They focus on configuring the workload rather than provisioning the surrounding organization structure.

To keep things focused, common workload patterns are omitted, including:

  • Workload lifecycle management (updates, deletion protection)
  • Violation monitoring configuration beyond basic enablement
  • Custom resource settings beyond folder and encryption projects
  • Integration with external key management systems

These omissions are intentional: the goal is to illustrate how each workload feature is wired, not to provide drop-in compliance modules. See the Assured Workloads Workload resource reference for all available configuration options.


Frequently Asked Questions

Configuration & Immutability
What properties can't I change after creating a workload?
Most workload properties are immutable after creation, including complianceRegime, location, organization, enableSovereignControls, billingAccount, partner, partnerPermissions, partnerServicesBillingAccount, provisionedResourcesParent, resourceSettings, violationNotificationsEnabled, and workloadOptions. Plan your configuration carefully before creation.
Why can't I change violationNotificationsEnabled during workload creation?
Changes to violationNotificationsEnabled during the createWorkload call are not honored. This field defaults to true and can only be updated via the updateWorkload call after the workload is created.
What are the requirements for the displayName field?
The displayName must be between 4 and 30 characters and can only contain lowercase and uppercase letters, numbers, hyphens, and spaces.
Encryption & Key Management
How do I configure encryption keys for my workload?
Use resourceSettings with resourceType set to ENCRYPTION_KEYS_PROJECT or KEYRING. The kmsSettings field is deprecated as of Feb 28, 2022 and should not be used.
Partner Workloads
How do I create a partner workload?
Set complianceRegime to ASSURED_WORKLOADS_FOR_PARTNERS, specify the partner (e.g., SOVEREIGN_CONTROLS_BY_PSN), configure partnerPermissions, and provide partnerServicesBillingAccount.
What IAM permissions do I need to create a partner workload?
The caller must have billing.resourceAssociations.create IAM permission on the billing account specified in partnerServicesBillingAccount. This is required for creating SIA/PSN/CNTXT partner workloads.
Labels & Metadata
Why aren't all my workload labels showing up in the labels field?
The labels field is non-authoritative and only manages labels present in your configuration. To see all labels on the resource (including those set by other clients or services), use the effectiveLabels output property.
Compliance & Sovereignty
What compliance regimes are available for Assured Workloads?
Available regimes include FEDRAMP_MODERATE, FEDRAMP_HIGH, IL4, IL5, CJIS, HIPAA, HITRUST, EU_REGIONS_AND_SUPPORT, CA_REGIONS_AND_SUPPORT, ITAR, ASSURED_WORKLOADS_FOR_PARTNERS, and many others. See the complianceRegime property for the full list.
How do I create a sovereign controls workload?
Set complianceRegime to a sovereignty-focused regime (e.g., EU_REGIONS_AND_SUPPORT) and set enableSovereignControls to true. This is currently meant for Europe and Canada customers.
