pulumi / pulumi-policy-aws

A policy pack of rules to enforce AWS best practices for security, reliability, cost, and more!
https://www.pulumi.com
Apache License 2.0

Extending AwsGuard with additional policies #66

Closed rsclarke-vgw closed 4 years ago

rsclarke-vgw commented 4 years ago

Hi,

I'm interested in understanding how best to use AwsGuard coupled with our own internal policies.

Would it make sense for example to export registerPolicy so as to allow users to extend AwsGuard following a similar pattern to how policies are currently defined?

In my initial attempts I defined an additional PolicyPack in addition to AwsGuard yet ran into the issue;

Already serving policy pack 'pulumi-awsguard'. Only one policy pack may be defined per-process.

which then begs the question, how should multiple policy packs be evaluated on a pulumi preview command?

Thanks!

justinvp commented 4 years ago

Hi @rsclarke-vgw,

Would it make sense for example to export registerPolicy so as to allow users to extend AwsGuard following a similar pattern to how policies are currently defined?

It may make sense for us to provide a supported way to either register custom policies or create an instance of an individual AwsGuard policy to use in a custom policy pack.

which then begs the question, how should multiple policy packs be evaluated on a pulumi preview command?

In the meantime, I’d recommend simply creating a new Policy Pack for your internal policies. You can pass multiple --policy-pack flags to pulumi preview, e.g.:

pulumi preview --policy-pack <path-to-awsguard-policy-pack> --policy-pack <path-to-internal-policy-pack>

Or if you're publishing Policy Packs to the Pulumi Service, you can enable multiple policy packs in your organization.
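A sketch of what the separate internal policy pack recommended above could look like, added here as an example and not code from this issue or from the AwsGuard project. The type stand-ins at the top are assumed to mirror the shapes of `@pulumi/policy` so the snippet runs without that package installed, and `evaluate` is a hypothetical local harness standing in for what the Pulumi engine does during `pulumi preview`.

```typescript
// ASSUMPTION: minimal stand-ins for the @pulumi/policy types. In a real pack,
// import them from "@pulumi/policy" and hand the policy to `new PolicyPack(...)`.
type EnforcementLevel = "advisory" | "mandatory" | "disabled";
interface ResourceValidationArgs { type: string; name: string; props: Record<string, any>; }
type ReportViolation = (message: string, urn?: string) => void;
interface ResourceValidationPolicy {
  name: string;
  description: string;
  enforcementLevel: EnforcementLevel;
  validateResource: (args: ResourceValidationArgs, reportViolation: ReportViolation) => void;
}

// Internal rule: taggable AWS resources must carry ownership / cost tags so that
// a resource found in an incident can be traced to a team.
const REQUIRED_TAGS = ["CostCenter", "Owner"];
const TAGGABLE_TYPES = new Set(["aws:s3/bucket:Bucket", "aws:ec2/instance:Instance"]);

const requiredTagsPolicy: ResourceValidationPolicy = {
  name: "required-tags",
  description: "Taggable AWS resources must have CostCenter and Owner tags.",
  enforcementLevel: "mandatory",
  validateResource: (args, reportViolation) => {
    if (!TAGGABLE_TYPES.has(args.type)) return;
    const tags = args.props.tags || {};
    for (const t of REQUIRED_TAGS) {
      if (!tags[t]) reportViolation(`${args.type} '${args.name}' is missing required tag '${t}'`);
    }
  },
};

// Hypothetical harness: run one policy over a set of resources and collect the
// violation messages, honouring a "disabled" enforcement level.
function evaluate(policy: ResourceValidationPolicy, resources: ResourceValidationArgs[]): string[] {
  const violations: string[] = [];
  if (policy.enforcementLevel === "disabled") return violations;
  for (const r of resources) policy.validateResource(r, (msg) => violations.push(msg));
  return violations;
}

// Constructed sample resources, shaped like what the engine passes to a validator.
const sampleResources: ResourceValidationArgs[] = [
  { type: "aws:s3/bucket:Bucket", name: "logs", props: { tags: { CostCenter: "sec", Owner: "platform" } } },
  { type: "aws:s3/bucket:Bucket", name: "scratch", props: {} },
  { type: "aws:iam/role:Role", name: "ci", props: {} }, // outside this rule's scope
];

// Real pack: new PolicyPack("internal-policies", { policies: [requiredTagsPolicy] }),
// run alongside AwsGuard via a second --policy-pack flag as described above.
console.log(evaluate(requiredTagsPolicy, sampleResources));
```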

rsclarke-vgw commented 4 years ago

@justinvp Thanks, I reworked what I had into separate policy packs. 👍

Firstly, a wrapper around AwsGuard with our own initial config / enforcement levels that we can then publish as a policy pack. Similarly, a secondary pack for our internal policies. Perhaps what I didn't realise was that multiple --policy-pack options can be specified on the CLI.