Gated deployments are a way to control the rollout of new features or changes in a system. Comparing the code against best practices, security patterns and compliance requirements before it is deployed is a good way to ensure it meets the organisation's standards, and blocking the deployment when the code breaches organisational policy keeps the infrastructure secure and compliant.
SST uses Pulumi for infrastructure builds. Pulumi offers CrossGuard, an easy-to-use policy-as-code framework.
Allowing policy code to be executed as part of the sst diff and sst deploy commands would extend SST to support gated deployments and would assist adoption of SST in enterprises and large organisations, especially regulated ones such as financial institutions and healthcare providers.
An execution pattern such as the one below would allow viewing the code being targeted for deployment and assessing whether it is safe and compliant:
sst diff --policy /path/to/policy-pack
Additionally, applying the policy pack to prevent deployment of code that breaches the policies and best practices could be done with the following command:
sst deploy --policy /path/to/policy-pack
Here is a proposal for implementing the above. It covers the additional command-line parameters, reporting of policy breaches and application of policy gates, and includes an example of using the policy pack option with the SST command-line interface.
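As an added example (not part of this issue, SST or Pulumi), the block below models what a policy pack handed to the proposed --policy flag would contain and how the two commands would treat its findings: sst diff --policy only reports, while sst deploy --policy refuses to continue on any "mandatory" violation and merely reports "advisory" ones. The ResourceArgs and ResourcePolicy types and the evaluate/gate harness are assumptions that stand in for CrossGuard's runtime; a real pack would hand the same validateResource callbacks to the PolicyPack class from @pulumi/policy. The AWS type tokens follow Pulumi provider naming, and the sample preview is constructed, not real SST output.

```typescript
// Added example, not from the SST issue or the SST/Pulumi code bases.
// The types below are a simplified stand-in for CrossGuard's
// ResourceValidationArgs / ResourceValidationPolicy (from @pulumi/policy)
// so the gating logic can be exercised offline without a Pulumi engine.

type EnforcementLevel = "advisory" | "mandatory";

// Subset of CrossGuard's ResourceValidationArgs: Pulumi type token,
// logical resource name and the resource's input properties.
interface ResourceArgs {
  type: string;
  name: string;
  props: Record<string, any>;
}

// Same shape as a CrossGuard resource policy: validateResource receives the
// resource and a reportViolation callback.
interface ResourcePolicy {
  name: string;
  enforcementLevel: EnforcementLevel;
  validateResource: (args: ResourceArgs, reportViolation: (message: string) => void) => void;
}

interface Violation {
  policy: string;
  resource: string;
  level: EnforcementLevel;
  message: string;
}

// Policies an organisation might ship in the pack pointed to by --policy.
// Type tokens follow Pulumi AWS provider naming (aws:<module>/<name>:<Name>).
const policies: ResourcePolicy[] = [
  {
    name: "s3-no-public-acl",
    enforcementLevel: "mandatory",
    validateResource: (args, reportViolation) => {
      if (args.type !== "aws:s3/bucket:Bucket") return;
      const acl = args.props.acl;
      if (acl === "public-read" || acl === "public-read-write") {
        reportViolation(`bucket '${args.name}' uses public ACL '${acl}'`);
      }
    },
  },
  {
    name: "rds-storage-encrypted",
    enforcementLevel: "mandatory",
    validateResource: (args, reportViolation) => {
      if (args.type !== "aws:rds/instance:Instance") return;
      if (args.props.storageEncrypted !== true) {
        reportViolation(`RDS instance '${args.name}' does not set storageEncrypted: true`);
      }
    },
  },
  {
    name: "require-owner-tag",
    enforcementLevel: "advisory",
    validateResource: (args, reportViolation) => {
      const tags = args.props.tags || {};
      if (!tags.owner) reportViolation(`resource '${args.name}' has no 'owner' tag`);
    },
  },
];

// Run every policy over every resource in a preview (what sst diff would see).
function evaluate(resources: ResourceArgs[], pack: ResourcePolicy[] = policies): Violation[] {
  const violations: Violation[] = [];
  for (const res of resources) {
    for (const policy of pack) {
      policy.validateResource(res, (message) =>
        violations.push({ policy: policy.name, resource: res.name, level: policy.enforcementLevel, message }));
    }
  }
  return violations;
}

// Gate decision for sst deploy --policy: mandatory violations block the
// deployment (fail closed); advisory violations are reported only.
function gate(violations: Violation[]): { allowed: boolean; blocking: number; advisory: number } {
  const blocking = violations.filter((v) => v.level === "mandatory").length;
  return { allowed: blocking === 0, blocking, advisory: violations.length - blocking };
}

// Human-readable lines for the sst diff --policy report.
function report(resources: ResourceArgs[]): string[] {
  return evaluate(resources).map((v) => `[${v.level}] ${v.policy} on ${v.resource}: ${v.message}`);
}

// Constructed sample preview (not real SST or Pulumi output).
const samplePreview: ResourceArgs[] = [
  { type: "aws:s3/bucket:Bucket", name: "uploads", props: { acl: "public-read", tags: { owner: "web" } } },
  { type: "aws:rds/instance:Instance", name: "db", props: { storageEncrypted: false, tags: {} } },
  { type: "aws:lambda/function:Function", name: "api", props: { runtime: "nodejs20.x", tags: { owner: "web" } } },
];

for (const line of report(samplePreview)) console.log(line);
console.log(gate(evaluate(samplePreview))); // { allowed: false, blocking: 2, advisory: 1 }
```

The split between evaluate and gate mirrors the two proposed commands: sst diff would print the report and exit normally, while sst deploy would call the gate and abort before any resource is created when blocking is non-zero. Keeping the advisory level separate lets a pack be rolled out in report-only mode first and promoted to mandatory once existing stacks are clean.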
Add policy check to enable gated deployments
Pull request: PR #5876