Pulumi's Policy as Code SDK, CrossGuard. Define infrastructure checks in code to enforce security, compliance, cost, and other practices, enforced at deployment time.
If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
Issue details
When using Policy-as-Code, a policy have one of the 2 enforcement levels: advisory or mandatory. However, neither may be adequate when a user has many existing resources that aren't compliant but where these legacy resources need to exist as they are (ie, non-compliant) for some time and where new resources will need to be created as well.
To assist with this situation, a new enforcement level mandatoryOnCreate could be added and would behave as follow:
If a non-compliant resource already exists and the enforcement level is mandatoryOnCreate, then only a warning is displayed. This is similar to advisory.
if a new resource is about to be created and is not compliant with a policy, and that policy has the enforcement level mandatoryOnCreate, then the deployment would be interrupted. This is similar to mandatory.
Hello!
Issue details
When using Policy-as-Code, a policy have one of the 2 enforcement levels:
advisory
ormandatory
. However, neither may be adequate when a user has many existing resources that aren't compliant but where these legacy resources need to exist as they are (ie, non-compliant) for some time and where new resources will need to be created as well.To assist with this situation, a new enforcement level
mandatoryOnCreate
could be added and would behave as follow:mandatoryOnCreate
, then only a warning is displayed. This is similar toadvisory
.mandatoryOnCreate
, then the deployment would be interrupted. This is similar tomandatory
.