Configure GCP Assured Workloads

The gcp:assuredworkloads/workload:Workload resource, part of the Pulumi GCP provider, provisions Assured Workloads environments that enforce compliance regimes, data residency, and encryption requirements. This guide focuses on three capabilities: FedRAMP and sovereign controls configuration, customer-managed encryption key setup, and partner workload delegation with split billing.

Assured Workloads depend on an existing GCP organization, billing accounts, and optionally folders for resource placement. The examples are intentionally small. Combine them with your own organization structure and billing configuration.

Create a FedRAMP Moderate workload with encryption

Organizations subject to FedRAMP Moderate compliance need isolated environments with customer-managed encryption keys and violation monitoring.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const primary = new gcp.assuredworkloads.Workload("primary", {
    complianceRegime: "FEDRAMP_MODERATE",
    displayName: "{{display}}",
    location: "us-west1",
    organization: "123456789",
    billingAccount: "billingAccounts/000000-0000000-0000000-000000",
    kmsSettings: {
        nextRotationTime: "9999-10-02T15:01:23Z",
        rotationPeriod: "10368000s",
    },
    provisionedResourcesParent: "folders/519620126891",
    resourceSettings: [
        {
            displayName: "{{name}}",
            resourceType: "CONSUMER_FOLDER",
        },
        {
            resourceType: "ENCRYPTION_KEYS_PROJECT",
        },
        {
            resourceId: "ring",
            resourceType: "KEYRING",
        },
    ],
    violationNotificationsEnabled: true,
    workloadOptions: {
        kajEnrollmentType: "KEY_ACCESS_TRANSPARENCY_OFF",
    },
    labels: {
        "label-one": "value-one",
    },
});

import pulumi
import pulumi_gcp as gcp

primary = gcp.assuredworkloads.Workload("primary",
    compliance_regime="FEDRAMP_MODERATE",
    display_name="{{display}}",
    location="us-west1",
    organization="123456789",
    billing_account="billingAccounts/000000-0000000-0000000-000000",
    kms_settings={
        "next_rotation_time": "9999-10-02T15:01:23Z",
        "rotation_period": "10368000s",
    },
    provisioned_resources_parent="folders/519620126891",
    resource_settings=[
        {
            "display_name": "{{name}}",
            "resource_type": "CONSUMER_FOLDER",
        },
        {
            "resource_type": "ENCRYPTION_KEYS_PROJECT",
        },
        {
            "resource_id": "ring",
            "resource_type": "KEYRING",
        },
    ],
    violation_notifications_enabled=True,
    workload_options={
        "kaj_enrollment_type": "KEY_ACCESS_TRANSPARENCY_OFF",
    },
    labels={
        "label-one": "value-one",
    })

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/assuredworkloads"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := assuredworkloads.NewWorkload(ctx, "primary", &assuredworkloads.WorkloadArgs{
			ComplianceRegime: pulumi.String("FEDRAMP_MODERATE"),
			DisplayName:      pulumi.String("{{display}}"),
			Location:         pulumi.String("us-west1"),
			Organization:     pulumi.String("123456789"),
			BillingAccount:   pulumi.String("billingAccounts/000000-0000000-0000000-000000"),
			KmsSettings: &assuredworkloads.WorkloadKmsSettingsArgs{
				NextRotationTime: pulumi.String("9999-10-02T15:01:23Z"),
				RotationPeriod:   pulumi.String("10368000s"),
			},
			ProvisionedResourcesParent: pulumi.String("folders/519620126891"),
			ResourceSettings: assuredworkloads.WorkloadResourceSettingArray{
				&assuredworkloads.WorkloadResourceSettingArgs{
					DisplayName:  pulumi.String("{{name}}"),
					ResourceType: pulumi.String("CONSUMER_FOLDER"),
				},
				&assuredworkloads.WorkloadResourceSettingArgs{
					ResourceType: pulumi.String("ENCRYPTION_KEYS_PROJECT"),
				},
				&assuredworkloads.WorkloadResourceSettingArgs{
					ResourceId:   pulumi.String("ring"),
					ResourceType: pulumi.String("KEYRING"),
				},
			},
			ViolationNotificationsEnabled: pulumi.Bool(true),
			WorkloadOptions: &assuredworkloads.WorkloadWorkloadOptionsArgs{
				KajEnrollmentType: pulumi.String("KEY_ACCESS_TRANSPARENCY_OFF"),
			},
			Labels: pulumi.StringMap{
				"label-one": pulumi.String("value-one"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var primary = new Gcp.AssuredWorkloads.Workload("primary", new()
    {
        ComplianceRegime = "FEDRAMP_MODERATE",
        DisplayName = "{{display}}",
        Location = "us-west1",
        Organization = "123456789",
        BillingAccount = "billingAccounts/000000-0000000-0000000-000000",
        KmsSettings = new Gcp.AssuredWorkloads.Inputs.WorkloadKmsSettingsArgs
        {
            NextRotationTime = "9999-10-02T15:01:23Z",
            RotationPeriod = "10368000s",
        },
        ProvisionedResourcesParent = "folders/519620126891",
        ResourceSettings = new[]
        {
            new Gcp.AssuredWorkloads.Inputs.WorkloadResourceSettingArgs
            {
                DisplayName = "{{name}}",
                ResourceType = "CONSUMER_FOLDER",
            },
            new Gcp.AssuredWorkloads.Inputs.WorkloadResourceSettingArgs
            {
                ResourceType = "ENCRYPTION_KEYS_PROJECT",
            },
            new Gcp.AssuredWorkloads.Inputs.WorkloadResourceSettingArgs
            {
                ResourceId = "ring",
                ResourceType = "KEYRING",
            },
        },
        ViolationNotificationsEnabled = true,
        WorkloadOptions = new Gcp.AssuredWorkloads.Inputs.WorkloadWorkloadOptionsArgs
        {
            KajEnrollmentType = "KEY_ACCESS_TRANSPARENCY_OFF",
        },
        Labels = 
        {
            { "label-one", "value-one" },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.assuredworkloads.Workload;
import com.pulumi.gcp.assuredworkloads.WorkloadArgs;
import com.pulumi.gcp.assuredworkloads.inputs.WorkloadKmsSettingsArgs;
import com.pulumi.gcp.assuredworkloads.inputs.WorkloadResourceSettingArgs;
import com.pulumi.gcp.assuredworkloads.inputs.WorkloadWorkloadOptionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var primary = new Workload("primary", WorkloadArgs.builder()
            .complianceRegime("FEDRAMP_MODERATE")
            .displayName("{{display}}")
            .location("us-west1")
            .organization("123456789")
            .billingAccount("billingAccounts/000000-0000000-0000000-000000")
            .kmsSettings(WorkloadKmsSettingsArgs.builder()
                .nextRotationTime("9999-10-02T15:01:23Z")
                .rotationPeriod("10368000s")
                .build())
            .provisionedResourcesParent("folders/519620126891")
            .resourceSettings(            
                WorkloadResourceSettingArgs.builder()
                    .displayName("{{name}}")
                    .resourceType("CONSUMER_FOLDER")
                    .build(),
                WorkloadResourceSettingArgs.builder()
                    .resourceType("ENCRYPTION_KEYS_PROJECT")
                    .build(),
                WorkloadResourceSettingArgs.builder()
                    .resourceId("ring")
                    .resourceType("KEYRING")
                    .build())
            .violationNotificationsEnabled(true)
            .workloadOptions(WorkloadWorkloadOptionsArgs.builder()
                .kajEnrollmentType("KEY_ACCESS_TRANSPARENCY_OFF")
                .build())
            .labels(Map.of("label-one", "value-one"))
            .build());

    }
}

resources:
  primary:
    type: gcp:assuredworkloads:Workload
    properties:
      complianceRegime: FEDRAMP_MODERATE
      displayName: '{{display}}'
      location: us-west1
      organization: '123456789'
      billingAccount: billingAccounts/000000-0000000-0000000-000000
      kmsSettings:
        nextRotationTime: 9999-10-02T15:01:23Z
        rotationPeriod: 10368000s
      provisionedResourcesParent: folders/519620126891
      resourceSettings:
        - displayName: '{{name}}'
          resourceType: CONSUMER_FOLDER
        - resourceType: ENCRYPTION_KEYS_PROJECT
        - resourceId: ring
          resourceType: KEYRING
      violationNotificationsEnabled: true
      workloadOptions:
        kajEnrollmentType: KEY_ACCESS_TRANSPARENCY_OFF
      labels:
        label-one: value-one

When you create the workload, Assured Workloads provisions a folder structure, an encryption keys project, and a keyring based on the resourceSettings array. The complianceRegime property is immutable and determines which GCP services are allowed inside the workload. The kmsSettings block configures key rotation for customer-managed encryption keys; note that the FAQ below marks kmsSettings as deprecated, and the ENCRYPTION_KEYS_PROJECT and KEYRING entries in resourceSettings are the current way to provision encryption infrastructure. Setting violationNotificationsEnabled to true sends email alerts when compliance violations occur. The provisionedResourcesParent specifies where Assured Workloads creates the folder hierarchy.

Enable sovereign controls for EU data residency

European customers often require data sovereignty guarantees that keep data and support operations within EU boundaries.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const primary = new gcp.assuredworkloads.Workload("primary", {
    complianceRegime: "EU_REGIONS_AND_SUPPORT",
    displayName: "display",
    location: "europe-west9",
    organization: "123456789",
    billingAccount: "billingAccounts/000000-0000000-0000000-000000",
    enableSovereignControls: true,
    kmsSettings: {
        nextRotationTime: "9999-10-02T15:01:23Z",
        rotationPeriod: "10368000s",
    },
    resourceSettings: [
        {
            resourceType: "CONSUMER_FOLDER",
        },
        {
            resourceType: "ENCRYPTION_KEYS_PROJECT",
        },
        {
            resourceId: "ring",
            resourceType: "KEYRING",
        },
    ],
    labels: {
        "label-one": "value-one",
    },
});

import pulumi
import pulumi_gcp as gcp

primary = gcp.assuredworkloads.Workload("primary",
    compliance_regime="EU_REGIONS_AND_SUPPORT",
    display_name="display",
    location="europe-west9",
    organization="123456789",
    billing_account="billingAccounts/000000-0000000-0000000-000000",
    enable_sovereign_controls=True,
    kms_settings={
        "next_rotation_time": "9999-10-02T15:01:23Z",
        "rotation_period": "10368000s",
    },
    resource_settings=[
        {
            "resource_type": "CONSUMER_FOLDER",
        },
        {
            "resource_type": "ENCRYPTION_KEYS_PROJECT",
        },
        {
            "resource_id": "ring",
            "resource_type": "KEYRING",
        },
    ],
    labels={
        "label-one": "value-one",
    })

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/assuredworkloads"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := assuredworkloads.NewWorkload(ctx, "primary", &assuredworkloads.WorkloadArgs{
			ComplianceRegime:        pulumi.String("EU_REGIONS_AND_SUPPORT"),
			DisplayName:             pulumi.String("display"),
			Location:                pulumi.String("europe-west9"),
			Organization:            pulumi.String("123456789"),
			BillingAccount:          pulumi.String("billingAccounts/000000-0000000-0000000-000000"),
			EnableSovereignControls: pulumi.Bool(true),
			KmsSettings: &assuredworkloads.WorkloadKmsSettingsArgs{
				NextRotationTime: pulumi.String("9999-10-02T15:01:23Z"),
				RotationPeriod:   pulumi.String("10368000s"),
			},
			ResourceSettings: assuredworkloads.WorkloadResourceSettingArray{
				&assuredworkloads.WorkloadResourceSettingArgs{
					ResourceType: pulumi.String("CONSUMER_FOLDER"),
				},
				&assuredworkloads.WorkloadResourceSettingArgs{
					ResourceType: pulumi.String("ENCRYPTION_KEYS_PROJECT"),
				},
				&assuredworkloads.WorkloadResourceSettingArgs{
					ResourceId:   pulumi.String("ring"),
					ResourceType: pulumi.String("KEYRING"),
				},
			},
			Labels: pulumi.StringMap{
				"label-one": pulumi.String("value-one"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var primary = new Gcp.AssuredWorkloads.Workload("primary", new()
    {
        ComplianceRegime = "EU_REGIONS_AND_SUPPORT",
        DisplayName = "display",
        Location = "europe-west9",
        Organization = "123456789",
        BillingAccount = "billingAccounts/000000-0000000-0000000-000000",
        EnableSovereignControls = true,
        KmsSettings = new Gcp.AssuredWorkloads.Inputs.WorkloadKmsSettingsArgs
        {
            NextRotationTime = "9999-10-02T15:01:23Z",
            RotationPeriod = "10368000s",
        },
        ResourceSettings = new[]
        {
            new Gcp.AssuredWorkloads.Inputs.WorkloadResourceSettingArgs
            {
                ResourceType = "CONSUMER_FOLDER",
            },
            new Gcp.AssuredWorkloads.Inputs.WorkloadResourceSettingArgs
            {
                ResourceType = "ENCRYPTION_KEYS_PROJECT",
            },
            new Gcp.AssuredWorkloads.Inputs.WorkloadResourceSettingArgs
            {
                ResourceId = "ring",
                ResourceType = "KEYRING",
            },
        },
        Labels = 
        {
            { "label-one", "value-one" },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.assuredworkloads.Workload;
import com.pulumi.gcp.assuredworkloads.WorkloadArgs;
import com.pulumi.gcp.assuredworkloads.inputs.WorkloadKmsSettingsArgs;
import com.pulumi.gcp.assuredworkloads.inputs.WorkloadResourceSettingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var primary = new Workload("primary", WorkloadArgs.builder()
            .complianceRegime("EU_REGIONS_AND_SUPPORT")
            .displayName("display")
            .location("europe-west9")
            .organization("123456789")
            .billingAccount("billingAccounts/000000-0000000-0000000-000000")
            .enableSovereignControls(true)
            .kmsSettings(WorkloadKmsSettingsArgs.builder()
                .nextRotationTime("9999-10-02T15:01:23Z")
                .rotationPeriod("10368000s")
                .build())
            .resourceSettings(            
                WorkloadResourceSettingArgs.builder()
                    .resourceType("CONSUMER_FOLDER")
                    .build(),
                WorkloadResourceSettingArgs.builder()
                    .resourceType("ENCRYPTION_KEYS_PROJECT")
                    .build(),
                WorkloadResourceSettingArgs.builder()
                    .resourceId("ring")
                    .resourceType("KEYRING")
                    .build())
            .labels(Map.of("label-one", "value-one"))
            .build());

    }
}

resources:
  primary:
    type: gcp:assuredworkloads:Workload
    properties:
      complianceRegime: EU_REGIONS_AND_SUPPORT
      displayName: display
      location: europe-west9
      organization: '123456789'
      billingAccount: billingAccounts/000000-0000000-0000000-000000
      enableSovereignControls: true
      kmsSettings:
        nextRotationTime: 9999-10-02T15:01:23Z
        rotationPeriod: 10368000s
      resourceSettings:
        - resourceType: CONSUMER_FOLDER
        - resourceType: ENCRYPTION_KEYS_PROJECT
        - resourceId: ring
          resourceType: KEYRING
      labels:
        label-one: value-one

The enableSovereignControls property activates additional data residency controls when set to true. Combined with the EU_REGIONS_AND_SUPPORT compliance regime and a European location (europe-west9), this ensures data and support remain within EU boundaries. The resourceSettings array still provisions encryption infrastructure, but without the explicit provisionedResourcesParent, resources are created under the parent organization.

Configure partner workloads with split billing

Partner-managed workloads require separate billing for partner services and specific permissions for partner service accounts.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const primary = new gcp.assuredworkloads.Workload("primary", {
    complianceRegime: "ASSURED_WORKLOADS_FOR_PARTNERS",
    displayName: "display",
    location: "europe-west8",
    organization: "123456789",
    billingAccount: "billingAccounts/000000-0000000-0000000-000000",
    partner: "SOVEREIGN_CONTROLS_BY_PSN",
    partnerPermissions: {
        assuredWorkloadsMonitoring: true,
        dataLogsViewer: true,
        serviceAccessApprover: true,
    },
    partnerServicesBillingAccount: "billingAccounts/01BF3F-2C6DE5-30C607",
    resourceSettings: [
        {
            resourceType: "CONSUMER_FOLDER",
        },
        {
            resourceType: "ENCRYPTION_KEYS_PROJECT",
        },
        {
            resourceId: "ring",
            resourceType: "KEYRING",
        },
    ],
    violationNotificationsEnabled: true,
    labels: {
        "label-one": "value-one",
    },
});

import pulumi
import pulumi_gcp as gcp

primary = gcp.assuredworkloads.Workload("primary",
    compliance_regime="ASSURED_WORKLOADS_FOR_PARTNERS",
    display_name="display",
    location="europe-west8",
    organization="123456789",
    billing_account="billingAccounts/000000-0000000-0000000-000000",
    partner="SOVEREIGN_CONTROLS_BY_PSN",
    partner_permissions={
        "assured_workloads_monitoring": True,
        "data_logs_viewer": True,
        "service_access_approver": True,
    },
    partner_services_billing_account="billingAccounts/01BF3F-2C6DE5-30C607",
    resource_settings=[
        {
            "resource_type": "CONSUMER_FOLDER",
        },
        {
            "resource_type": "ENCRYPTION_KEYS_PROJECT",
        },
        {
            "resource_id": "ring",
            "resource_type": "KEYRING",
        },
    ],
    violation_notifications_enabled=True,
    labels={
        "label-one": "value-one",
    })

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/assuredworkloads"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := assuredworkloads.NewWorkload(ctx, "primary", &assuredworkloads.WorkloadArgs{
			ComplianceRegime: pulumi.String("ASSURED_WORKLOADS_FOR_PARTNERS"),
			DisplayName:      pulumi.String("display"),
			Location:         pulumi.String("europe-west8"),
			Organization:     pulumi.String("123456789"),
			BillingAccount:   pulumi.String("billingAccounts/000000-0000000-0000000-000000"),
			Partner:          pulumi.String("SOVEREIGN_CONTROLS_BY_PSN"),
			PartnerPermissions: &assuredworkloads.WorkloadPartnerPermissionsArgs{
				AssuredWorkloadsMonitoring: pulumi.Bool(true),
				DataLogsViewer:             pulumi.Bool(true),
				ServiceAccessApprover:      pulumi.Bool(true),
			},
			PartnerServicesBillingAccount: pulumi.String("billingAccounts/01BF3F-2C6DE5-30C607"),
			ResourceSettings: assuredworkloads.WorkloadResourceSettingArray{
				&assuredworkloads.WorkloadResourceSettingArgs{
					ResourceType: pulumi.String("CONSUMER_FOLDER"),
				},
				&assuredworkloads.WorkloadResourceSettingArgs{
					ResourceType: pulumi.String("ENCRYPTION_KEYS_PROJECT"),
				},
				&assuredworkloads.WorkloadResourceSettingArgs{
					ResourceId:   pulumi.String("ring"),
					ResourceType: pulumi.String("KEYRING"),
				},
			},
			ViolationNotificationsEnabled: pulumi.Bool(true),
			Labels: pulumi.StringMap{
				"label-one": pulumi.String("value-one"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var primary = new Gcp.AssuredWorkloads.Workload("primary", new()
    {
        ComplianceRegime = "ASSURED_WORKLOADS_FOR_PARTNERS",
        DisplayName = "display",
        Location = "europe-west8",
        Organization = "123456789",
        BillingAccount = "billingAccounts/000000-0000000-0000000-000000",
        Partner = "SOVEREIGN_CONTROLS_BY_PSN",
        PartnerPermissions = new Gcp.AssuredWorkloads.Inputs.WorkloadPartnerPermissionsArgs
        {
            AssuredWorkloadsMonitoring = true,
            DataLogsViewer = true,
            ServiceAccessApprover = true,
        },
        PartnerServicesBillingAccount = "billingAccounts/01BF3F-2C6DE5-30C607",
        ResourceSettings = new[]
        {
            new Gcp.AssuredWorkloads.Inputs.WorkloadResourceSettingArgs
            {
                ResourceType = "CONSUMER_FOLDER",
            },
            new Gcp.AssuredWorkloads.Inputs.WorkloadResourceSettingArgs
            {
                ResourceType = "ENCRYPTION_KEYS_PROJECT",
            },
            new Gcp.AssuredWorkloads.Inputs.WorkloadResourceSettingArgs
            {
                ResourceId = "ring",
                ResourceType = "KEYRING",
            },
        },
        ViolationNotificationsEnabled = true,
        Labels = 
        {
            { "label-one", "value-one" },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.assuredworkloads.Workload;
import com.pulumi.gcp.assuredworkloads.WorkloadArgs;
import com.pulumi.gcp.assuredworkloads.inputs.WorkloadPartnerPermissionsArgs;
import com.pulumi.gcp.assuredworkloads.inputs.WorkloadResourceSettingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var primary = new Workload("primary", WorkloadArgs.builder()
            .complianceRegime("ASSURED_WORKLOADS_FOR_PARTNERS")
            .displayName("display")
            .location("europe-west8")
            .organization("123456789")
            .billingAccount("billingAccounts/000000-0000000-0000000-000000")
            .partner("SOVEREIGN_CONTROLS_BY_PSN")
            .partnerPermissions(WorkloadPartnerPermissionsArgs.builder()
                .assuredWorkloadsMonitoring(true)
                .dataLogsViewer(true)
                .serviceAccessApprover(true)
                .build())
            .partnerServicesBillingAccount("billingAccounts/01BF3F-2C6DE5-30C607")
            .resourceSettings(            
                WorkloadResourceSettingArgs.builder()
                    .resourceType("CONSUMER_FOLDER")
                    .build(),
                WorkloadResourceSettingArgs.builder()
                    .resourceType("ENCRYPTION_KEYS_PROJECT")
                    .build(),
                WorkloadResourceSettingArgs.builder()
                    .resourceId("ring")
                    .resourceType("KEYRING")
                    .build())
            .violationNotificationsEnabled(true)
            .labels(Map.of("label-one", "value-one"))
            .build());

    }
}

resources:
  primary:
    type: gcp:assuredworkloads:Workload
    properties:
      complianceRegime: ASSURED_WORKLOADS_FOR_PARTNERS
      displayName: display
      location: europe-west8
      organization: '123456789'
      billingAccount: billingAccounts/000000-0000000-0000000-000000
      partner: SOVEREIGN_CONTROLS_BY_PSN
      partnerPermissions:
        assuredWorkloadsMonitoring: true
        dataLogsViewer: true
        serviceAccessApprover: true
      partnerServicesBillingAccount: billingAccounts/01BF3F-2C6DE5-30C607
      resourceSettings:
        - resourceType: CONSUMER_FOLDER
        - resourceType: ENCRYPTION_KEYS_PROJECT
        - resourceId: ring
          resourceType: KEYRING
      violationNotificationsEnabled: true
      labels:
        label-one: value-one

The partner property identifies which sovereign cloud partner manages the workload (here, SOVEREIGN_CONTROLS_BY_PSN). The partnerPermissions block grants the partner’s service account access to monitoring, logs, and service approval. The partnerServicesBillingAccount separates partner service costs from your main billing account. This configuration uses the ASSURED_WORKLOADS_FOR_PARTNERS compliance regime, which enables partner-specific controls.

Beyond these examples

These snippets focus on specific workload-level features: compliance regime selection, encryption key management and rotation, and partner permissions and split billing. They’re intentionally minimal rather than full compliance environments.

The examples reference pre-existing infrastructure: the GCP organization, billing accounts, and, where specified, folders for resource provisioning. They focus on configuring the workload rather than provisioning the surrounding organization structure.

To keep things focused, common workload patterns are omitted, including:

  • Workload lifecycle management (updates, deletion protection)
  • Violation monitoring configuration beyond basic enablement
  • Resource-level customization (custom project IDs, specific resource types)
  • Integration with existing KMS keyrings

These omissions are intentional: the goal is to illustrate how each workload feature is wired, not provide drop-in compliance modules. See the Assured Workloads Workload resource reference for all available configuration options.

Frequently Asked Questions

Configuration & Immutability
What properties can't I change after creating a workload?
Most core properties are immutable: complianceRegime, enableSovereignControls, location, organization, billingAccount, partner, partnerPermissions, partnerServicesBillingAccount, provisionedResourcesParent, resourceSettings, workloadOptions, and violationNotificationsEnabled. Plan these values carefully, as changes require recreating the workload.
Can I change violationNotificationsEnabled when creating a workload?
No, changes to violationNotificationsEnabled during workload creation are ignored. It’s always true during creation. Update this field only via updateWorkload after the workload exists.
What are the constraints for displayName?
The displayName must be 4-30 characters and can only contain lowercase letters, uppercase letters, numbers, hyphens, and spaces.
Compliance Regimes & Workload Types
What compliance regimes are available?
Over 20 regimes are supported, including FEDRAMP_MODERATE, FEDRAMP_HIGH, HIPAA, HITRUST, EU_REGIONS_AND_SUPPORT, CA_REGIONS_AND_SUPPORT, ASSURED_WORKLOADS_FOR_PARTNERS, IL4, IL5, CJIS, ITAR, and more. Choose based on your regulatory requirements.
What's the difference between basic, sovereign controls, and partner workloads?
Basic workloads use regimes like FEDRAMP_MODERATE for US compliance. Sovereign Controls workloads use EU_REGIONS_AND_SUPPORT with enableSovereignControls for Europe/Canada. Partner workloads use ASSURED_WORKLOADS_FOR_PARTNERS with partner-specific billing and permissions.
How do I create a partner workload with split billing?
Set complianceRegime to ASSURED_WORKLOADS_FOR_PARTNERS, specify partner (e.g., SOVEREIGN_CONTROLS_BY_PSN), configure partnerPermissions, and provide partnerServicesBillingAccount. You need billing.resourceAssociations.create IAM permission on the billing account.
Resource Management
What resources are automatically created with a workload?
Resources are created based on your resourceSettings configuration. Common resources include CONSUMER_FOLDER, ENCRYPTION_KEYS_PROJECT, and KEYRING. The resources output field shows all created resources.
How do I configure custom workload resources?
Use the resourceSettings array to specify resource types and optional properties like resourceId and displayName. All three examples show the pattern: CONSUMER_FOLDER, ENCRYPTION_KEYS_PROJECT, and KEYRING with resourceId set to ‘ring’.
Labels & Metadata
What's the difference between labels, effectiveLabels, and pulumiLabels?
labels only manages labels in your Pulumi configuration (non-authoritative). effectiveLabels shows all labels on the resource in GCP, including those from other sources. pulumiLabels combines your configured labels with provider default labels.
Deprecated Features
Why isn't my kmsSettings configuration working?
kmsSettings is deprecated as of Feb 28, 2022. Instead, specify ENCRYPTION_KEYS_PROJECT or KEYRING in the resourceSettings array’s resourceType field.
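As an added pre-deployment lint (not part of the Pulumi provider or of this page's examples), the following Python checks a planned Workload's inputs against the constraints stated above: the displayName rule, the partner-regime requirements and split billing, the sovereign-controls regime and location pairing, the kmsSettings deprecation, and whether any encryption infrastructure is provisioned at all. The regime-to-region prefixes and the rule that the partner billing account must differ from the main one are assumptions for illustration; the constructed inputs mirror the first and third examples, and the `{{display}}` placeholder in the first example fails the displayName check as written.

```python
import re
from typing import Any, Dict, List, Set

# Constraints taken from this page's FAQ and explanations. The regime
# groupings and region prefixes are assumptions for illustration, not
# the provider's own validation logic.
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9 -]{4,30}$")   # FAQ: 4-30 chars
SOVEREIGN_REGIMES = {"EU_REGIONS_AND_SUPPORT", "CA_REGIONS_AND_SUPPORT"}
REGION_PREFIX = {                                         # assumed pairing
    "EU_REGIONS_AND_SUPPORT": "europe-",
    "CA_REGIONS_AND_SUPPORT": "northamerica-northeast",
}
PARTNER_REGIME = "ASSURED_WORKLOADS_FOR_PARTNERS"
ENCRYPTION_TYPES = {"ENCRYPTION_KEYS_PROJECT", "KEYRING"}


def validate_workload(props: Dict[str, Any]) -> List[str]:
    """Return 'CODE: message' findings for a Workload input dict (snake_case keys)."""
    findings: List[str] = []
    regime = props.get("compliance_regime", "")
    location = props.get("location", "")
    name = props.get("display_name", "")

    if not DISPLAY_NAME_RE.fullmatch(name):
        findings.append(f"DISPLAY_NAME: {name!r} must be 4-30 letters, digits, hyphens or spaces")

    for field in ("billing_account", "partner_services_billing_account"):
        value = props.get(field)
        if value is not None and not value.startswith("billingAccounts/"):
            findings.append(f"BILLING_FORMAT: {field} must look like billingAccounts/<id>")

    prefix = REGION_PREFIX.get(regime)
    if prefix and not location.startswith(prefix):
        findings.append(f"REGION_MISMATCH: {regime} expects a {prefix}* location, got {location!r}")

    if props.get("enable_sovereign_controls") and regime not in SOVEREIGN_REGIMES:
        findings.append(f"SOVEREIGN_REGIME: enable_sovereign_controls set with regime {regime!r}")

    if regime == PARTNER_REGIME:
        for field in ("partner", "partner_permissions", "partner_services_billing_account"):
            if not props.get(field):
                findings.append(f"PARTNER_MISSING: {field} is required for {PARTNER_REGIME}")
        # Assumed rule: split billing only separates costs if the accounts differ.
        if props.get("partner_services_billing_account") == props.get("billing_account"):
            findings.append("SPLIT_BILLING: partner_services_billing_account equals billing_account")

    if "kms_settings" in props:
        findings.append("KMS_DEPRECATED: kms_settings is deprecated; use ENCRYPTION_KEYS_PROJECT/KEYRING in resource_settings")

    types = {rs.get("resource_type") for rs in props.get("resource_settings", [])}
    if not types & ENCRYPTION_TYPES:
        findings.append("NO_CMEK: no ENCRYPTION_KEYS_PROJECT or KEYRING entry, so no key infrastructure is provisioned")

    if props.get("violation_notifications_enabled") is False:
        findings.append("VIOLATION_NOTIFY: false is ignored at creation (always true); update it after creation")

    return findings


def finding_codes(props: Dict[str, Any]) -> Set[str]:
    return {f.split(":", 1)[0] for f in validate_workload(props)}


# Constructed inputs mirroring the first and third examples on this page.
FEDRAMP_EXAMPLE = {
    "compliance_regime": "FEDRAMP_MODERATE", "display_name": "{{display}}",
    "location": "us-west1", "organization": "123456789",
    "billing_account": "billingAccounts/000000-0000000-0000000-000000",
    "kms_settings": {"next_rotation_time": "9999-10-02T15:01:23Z", "rotation_period": "10368000s"},
    "resource_settings": [{"resource_type": "CONSUMER_FOLDER"},
                          {"resource_type": "ENCRYPTION_KEYS_PROJECT"},
                          {"resource_id": "ring", "resource_type": "KEYRING"}],
    "violation_notifications_enabled": True,
}
PARTNER_EXAMPLE = {
    "compliance_regime": PARTNER_REGIME, "display_name": "display", "location": "europe-west8",
    "billing_account": "billingAccounts/000000-0000000-0000000-000000",
    "partner": "SOVEREIGN_CONTROLS_BY_PSN",
    "partner_permissions": {"assured_workloads_monitoring": True, "data_logs_viewer": True,
                            "service_access_approver": True},
    "partner_services_billing_account": "billingAccounts/01BF3F-2C6DE5-30C607",
    "resource_settings": [{"resource_type": "CONSUMER_FOLDER"},
                          {"resource_type": "ENCRYPTION_KEYS_PROJECT"},
                          {"resource_id": "ring", "resource_type": "KEYRING"}],
    "violation_notifications_enabled": True,
}
# Constructed misconfiguration: short name, non-EU region, bare billing id, no CMEK.
MISCONFIGURED = {
    "compliance_regime": "EU_REGIONS_AND_SUPPORT", "display_name": "eu", "location": "us-west1",
    "enable_sovereign_controls": True, "billing_account": "000000-0000000-0000000-000000",
    "resource_settings": [{"resource_type": "CONSUMER_FOLDER"}],
    "violation_notifications_enabled": False,
}

if __name__ == "__main__":
    for label, cfg in (("fedramp", FEDRAMP_EXAMPLE), ("partner", PARTNER_EXAMPLE), ("bad", MISCONFIGURED)):
        print(label, validate_workload(cfg) or "OK")
```

The checks are plain functions, so they can be dropped into a Pulumi CrossGuard policy or a CI step before `pulumi up` without changing the program itself.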
