Ensuring that cloud services are properly deployed, configured, and managed is the domain of CloudOps, and it is commonly enabled by infrastructure-as-code (IaC) platforms like Pulumi.
On March 3, Pulumi announced a new Business Critical edition of its platform that provides users with enhanced security access control capabilities for cloud resources. The Business Critical edition also provides users with the ability to self-host Pulumi and get support, as opposed to having the entire platform managed and operated on Pulumi's cloud service. In addition, the new service brings 24/7 support and training to help organizations manage CloudOps.
"We've gone from customers that have tens of users to hundreds to now many thousands of active users," Joe Duffy, founder and CEO of Pulumi, told ITPro Today. "As you can imagine, a lot of the security, compliance, and reliability needs at that scale are just fundamentally different, and so we've introduced a lot of great functionality with the Business Critical edition."
Pulumi Infrastructure-as-Code Business Critical Features
Among the capabilities in Pulumi Business Critical is enhanced role-based access control (RBAC).
RBAC was already in other versions of Pulumi, including its enterprise edition, according to Duffy. What's new in the Business Critical edition is better integration with SAML (Security Assertion Markup Language) single sign-on (SSO) providers via SCIM (System for Cross-domain Identity Management).
"SCIM basically allows us to do automatic group synchronization," Duffy said. "So you can manage your roles and groups in Active Directory, for example, and have them automatically mirrored over in Pulumi."
With infrastructure as code, organizations can programmatically define what cloud infrastructure resources they want to deploy with specific configurations. Pulumi also extends the concept with policy-as-code capabilities that go beyond just the deployment of resources to also include policy management for how cloud resources operate. Policy-as-code capabilities in Pulumi include security best practices and what the company refers to as guardrails to help minimize potential risks.
Policy as code in Pulumi also provides cost control, such that a policy can be defined to provide a limit for how much a given cloud resource can cost an organization.
Policy as Code Brings More Power to Pulumi
Duffy explained that the policy-as-code capabilities in Pulumi provide organization-wide control, wherever resources are deployed, across different cloud providers. Policies can be written in different programming languages, and there is also support for the Open Policy Agent (OPA) and its Rego policy language.
"They can really do anything," he said about policies. "They're basically given access to the infrastructure metadata, and then you can validate different things."
Some of Pulumi's biggest enterprise customers do cost and budget validation, Duffy said. What those users do is dynamically query the live pricing on Amazon Web Services (AWS) as part of a policy check that runs at deployment time.
"So even though you're using infrastructure as code to define your cloud elements, when you go to deploy, it's actually running the policies automatically that are configured on the server," he explained.
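The deploy-time policy check described above, sketched as an added example that is not Pulumi's code or API: each policy receives a planned resource's metadata and returns a violation message or nothing. The resource type names, the price table (a constructed stand-in for a live pricing query), and the cap value are all assumptions made for illustration.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed hourly prices in USD; a real policy would query live pricing.
HOURLY_PRICE_USD = {"t3.micro": 0.0104, "m5.4xlarge": 0.768}
HOURS_PER_MONTH = 730
MONTHLY_CAP_USD = 100.0  # hypothetical per-resource budget

def no_public_bucket(res: dict) -> Optional[str]:
    """Security guardrail: reject buckets whose ACL grants public access."""
    if res["type"] == "storage.bucket" and \
            res["props"].get("acl") in ("public-read", "public-read-write"):
        return "bucket ACL allows public access"
    return None

def monthly_cost_cap(res: dict) -> Optional[str]:
    """Cost control: estimate monthly cost and compare it with the cap."""
    if res["type"] != "compute.instance":
        return None
    itype = res["props"].get("instance_type")
    price = HOURLY_PRICE_USD.get(itype)
    if price is None:
        # Unknown price: fail closed rather than silently allowing it.
        return f"no price known for {itype!r}; failing closed"
    monthly = price * HOURS_PER_MONTH * res["props"].get("count", 1)
    if monthly > MONTHLY_CAP_USD:
        return f"estimated ${monthly:.2f}/month exceeds cap ${MONTHLY_CAP_USD:.2f}"
    return None

POLICIES: Dict[str, Callable[[dict], Optional[str]]] = {
    "no-public-bucket": no_public_bucket,
    "monthly-cost-cap": monthly_cost_cap,
}

def evaluate(resources: List[dict]) -> List[Tuple[str, str, str]]:
    """Run every policy over every planned resource; return all violations."""
    return [(res["name"], name, msg)
            for res in resources
            for name, check in POLICIES.items()
            if (msg := check(res))]

# Constructed deployment plan (resource metadata as a policy would see it).
PLANNED = [
    {"name": "logs", "type": "storage.bucket", "props": {"acl": "private"}},
    {"name": "assets", "type": "storage.bucket", "props": {"acl": "public-read"}},
    {"name": "web", "type": "compute.instance",
     "props": {"instance_type": "t3.micro", "count": 2}},
    {"name": "batch", "type": "compute.instance", "props": {"instance_type": "m5.4xlarge"}},
    {"name": "gpu", "type": "compute.instance", "props": {"instance_type": "x9.mega"}},
]

if __name__ == "__main__":
    for resource, policy, message in evaluate(PLANNED):
        print(f"DENY {resource} [{policy}]: {message}")
```

A deployment would be blocked whenever `evaluate` returns a non-empty list.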