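{{- define "template.scan-crossguard" }}
# scan-crossguard: runs `pulumi preview` on the project in /workspace with the
# CrossGuard policy pack at ./policy-pack and stores the result in
# /workspace/reports/crossguard.json on the shared `workspace` volume.
# NOTE(review): the original indentation was lost in extraction; indent this
# block to match the place where the template is included.
- name: scan-crossguard
  container:
    # NOTE(review): a tag can be re-pointed; consider pinning by digest too
    # (pulumi/pulumi:3.154.0@sha256:<digest>, placeholder).
    image: pulumi/pulumi:3.154.0
    # `pulumi preview` executes the Pulumi program and the policy pack found
    # in /workspace, so that code runs with every credential below in its
    # environment. Keep the token and the AWS keys read-only and least
    # privilege, and prefer short-lived credentials over static keys where
    # the cluster supports them.
    env:
      - name: PULUMI_ACCESS_TOKEN
        valueFrom:
          secretKeyRef:
            name: amp-security-pipeline-secrets
            key: PULUMI_ACCESS_TOKEN
      - name: AWS_ACCESS_KEY_ID
        valueFrom:
          secretKeyRef:
            name: amp-security-pipeline-secrets
            key: AWS_ACCESS_KEY_ID
      - name: AWS_SECRET_ACCESS_KEY
        valueFrom:
          secretKeyRef:
            name: amp-security-pipeline-secrets
            key: AWS_SECRET_ACCESS_KEY
    command:
      - sh
      - -c
    args:
      - |
        set -eu
        mkdir -p /workspace/reports
        cd /workspace

        # --json makes the report machine-readable, matching its .json name.
        # stderr is left on the step log instead of being merged into the
        # file, where warnings would break JSON parsing.
        # NOTE(review): confirm the consumer of crossguard.json expects the
        # `pulumi preview --json` document.
        rc=0
        pulumi preview --json --policy-pack ./policy-pack \
          > /workspace/reports/crossguard.json || rc=$?

        # The step stays non-blocking, as before, so the report is always
        # collected. A failed preview (policy violation, bad credentials,
        # no stack selected) is now at least visible in the step log; a
        # later stage still has to read the report and gate on it.
        if [ "$rc" -ne 0 ]; then
          echo "scan-crossguard: pulumi preview exited with status $rc" >&2
        fi
    volumeMounts:
      - name: workspace
        mountPath: /workspace
{{- end }}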