Safeguarding Your Azure Infrastructure With Pulumi’s Policies as Code
I recently ventured into Pulumi to see if it was a viable option to use as our Infrastructure as Code (IaC) tool and came across one of their new features called CrossGuard. Simply put, this feature allows you to safeguard the provisioning of resources with policies that are executed as pre-deployment validation.
Here at GSoft, we have a few policies around usage in Azure. Some are enforced with Azure Policy, while others rest on a trust relationship and the occasional manual validation. Here’s where executing policies as code becomes interesting: catch compliance issues before they reach Azure, and standardize the checks as code.
Real World Example 1: Resource Tagging 🏷
When so many resources are created, and things become quickly cluttered, it’s easy to see the value in appropriately using tags in Azure. Be it for navigation, ownership tracking or cost management, tags are an important way of classifying our resources and are required by our company.
Our infrastructure team has already done a great job of using Azure Policy to ensure the correct tags have been set on resources, but the provisioning experience through an IaC tool is not so great. Cryptic error messages are output, sometimes halfway through the provisioning process, leaving you worried about what state your resources have been left in 😕.
How about validating all that with a pre-flight policy check? Here’s an example of a validation policy that checks the required tags “owner” and “environment” for Azure resources:
And here’s what running a preview looks like with policies enabled and when receiving a violation message:
Real World Example 2: Compute Families for Reserved Instances 👨👩👧👦
One approach to using Azure compute resources in a cost effective manner is to buy reserved instances. The significant drawback is that you then need to funnel as many virtual machines as possible into the reserved compute families to actually benefit from the cost savings.
Once again, a policy check is a great way to loosely enforce this behaviour. Here’s an example of a validation policy which advises the use of certain compute families in a best effort scenario (notice the enforcement level is set to “advisory”):
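Both checks from this post, written here as an added example rather than the embedded snippets above, in the shape of `@pulumi/policy` `validateResource` callbacks (`args` with `type`/`name`/`props`, plus a `reportViolation` function), with the Pulumi types mirrored locally so the logic can be exercised without the engine. The taggable resource type list, the reserved VM size families and the `runPolicies` preview-style runner are assumptions for illustration; in a real policy pack these objects go into `new PolicyPack("azure", { policies: [...] })`.

```typescript
// Mirrors of @pulumi/policy's ResourceValidationArgs / ReportViolation shapes
// (assumed here so the checks run without the Pulumi engine).
export interface ResourceArgs { type: string; name: string; props: Record<string, any> }
export type ReportViolation = (message: string) => void;
export interface Policy { name: string; enforcementLevel: "mandatory" | "advisory"; validateResource: (args: ResourceArgs, report: ReportViolation) => void }

export const REQUIRED_TAGS = ["owner", "environment"];
// Assumed: the Pulumi azure-classic resource types we treat as taggable.
export const TAGGABLE_TYPES = new Set([
  "azure:core/resourceGroup:ResourceGroup",
  "azure:storage/account:Account",
  "azure:compute/virtualMachine:VirtualMachine",
]);
// Assumed: the VM size series our reservations cover ("D" matches Standard_D2s_v3).
export const RESERVED_FAMILIES = new Set(["D", "E"]);

// Example 1: every taggable resource must carry non-empty owner/environment tags.
export const requiredTags: Policy = {
  name: "required-tags",
  enforcementLevel: "mandatory",
  validateResource: (args, report) => {
    if (!TAGGABLE_TYPES.has(args.type)) return;
    const tags: Record<string, string> = args.props.tags || {};
    for (const key of REQUIRED_TAGS) {
      if (!tags[key] || tags[key].trim() === "") report(`${args.name}: missing required tag '${key}'`);
    }
  },
};

// Example 2: advisory only, so a VM outside the reserved families warns but still deploys.
export const preferReservedFamilies: Policy = {
  name: "prefer-reserved-compute-families",
  enforcementLevel: "advisory",
  validateResource: (args, report) => {
    if (args.type !== "azure:compute/virtualMachine:VirtualMachine") return;
    const size: string = args.props.vmSize || "";
    const m = /^Standard_([A-Z]+)/.exec(size);
    const family = m ? m[1] : undefined;
    if (!family || !RESERVED_FAMILIES.has(family)) {
      report(`${args.name}: size '${size}' is outside the reserved families (${Array.from(RESERVED_FAMILIES).join(", ")})`);
    }
  },
};

// Runs every policy over the planned resources, as `pulumi preview` would, and
// returns "<level> <policy>: <message>" lines; any mandatory hit blocks the deploy.
export function runPolicies(resources: ResourceArgs[], policies: Policy[]): string[] {
  const out: string[] = [];
  for (const p of policies)
    for (const r of resources) p.validateResource(r, (msg) => out.push(`${p.enforcementLevel} ${p.name}: ${msg}`));
  return out;
}
```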
The List Goes On
From where I sit 👨🏼‍💻, I can see many more applications where policies as code can enhance our use of Azure with infrastructure as code. For example:
- Region policies for data confidentiality
- Ensuring IP whitelisting for SSH
- Naming conventions
Also, since they’re standardized as code, they can be shared between teams and even open-sourced to the rest of the community.
Feel free to reuse the provided code! I might just open source this stuff and provide it through an npm package 📦.