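{{- define "template.scan-pulumi-crossguard" -}}
{{- /*
Argo Workflows template that runs `pulumi preview` with a CrossGuard policy
pack against the Pulumi project in /workspace/<working-dir>, and writes the
combined stdout and stderr to /workspace/reports/pulumi-crossguard.json.

The working-dir input parameter and the policy pack path reach the shell
through environment variables instead of being pasted into the script text.
Their contents are therefore handled as data and are never parsed as shell
syntax by the container that also holds the Pulumi and AWS credentials.
*/ -}}
- name: scan-pulumi-crossguard
  inputs:
    parameters:
      - name: working-dir
  container:
    image: {{ .Values.images.pulumiCrossguard | quote }}
    env:
      # These credentials are visible to every process this container starts.
      # pulumi preview runs the Pulumi program found in working-dir as well as
      # the policy pack, so scope them to what a preview actually needs.
      - name: PULUMI_ACCESS_TOKEN
        valueFrom:
          secretKeyRef:
            name: amp-security-pipeline-secrets
            key: PULUMI_ACCESS_TOKEN
      - name: AWS_ACCESS_KEY_ID
        valueFrom:
          secretKeyRef:
            name: amp-security-pipeline-secrets
            key: AWS_ACCESS_KEY_ID
      - name: AWS_SECRET_ACCESS_KEY
        valueFrom:
          secretKeyRef:
            name: amp-security-pipeline-secrets
            key: AWS_SECRET_ACCESS_KEY
      # Workflow- and chart-supplied values are passed as env vars so the
      # script below only ever sees them through quoted variable expansion.
      - name: WORKING_DIR
        value: {{ `"{{inputs.parameters.working-dir}}"` }}
      - name: POLICY_PACK_PATH
        value: {{ .Values.pulumi.policyPackPath | quote }}
    command:
      - sh
      - -c
    args:
      - |
        set -eu
        # Reject ".." path components in working-dir before it is used in cd.
        case "${WORKING_DIR}" in
          ..|../*|*/..|*/../*)
            echo "working-dir must not contain '..' components" >&2
            exit 1
            ;;
        esac
        mkdir -p /workspace/reports
        cd "/workspace/${WORKING_DIR}"
        # NOTE(review): "|| true" keeps this step successful even when the
        # preview fails or a policy is violated, so whatever reads the report
        # has to do the gating. The file receives pulumi's stdout and stderr
        # as printed (no --json flag is passed), so readers should not assume
        # it is valid JSON - confirm against the report consumer.
        pulumi preview --policy-pack "${POLICY_PACK_PATH}" > /workspace/reports/pulumi-crossguard.json 2>&1 || true
    volumeMounts:
      - name: workspace
        mountPath: /workspace
{{- end }}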