Enforcing a Policy Pack Across an Organization
Once you’ve validated the behavior of your policies, an organization administrator can publish them to the Pulumi Console to be enforced across your organization. Any Pulumi client (a developer’s workstation, CI/CD tool, etc) that interacts with a stack via the Pulumi Console will have policy enforcement during the execution of
update. Policy Packs are versioned by the Pulumi Console so that updated policies can be published and applied as ready and also reverted to previous versions as needed.
From within the Policy Pack directory, run the following command to publish your pack:
$ pulumi policy publish <org-name>
The output will tell you what version of the Policy Pack you just published. The Pulumi service provides a monotonic version number for Policy Packs.
Obtaining policy metadata from policy plugin Compressing policy pack Uploading policy pack to Pulumi service Publishing my-policy-pack to myorg Published as version 1.0.0
The Policy Pack version is specified in the
PulumiPolicy.yamlfile for Python packs. A version can only be used one time and once published the version can never be used by that Policy Pack again.
You can enable this Policy Pack to your organization’s default Policy Group by running:
$ pulumi policy enable <org-name>/<policy-pack-name> <latest|version>
For example, to enable the Policy Pack created in the previous step:
$ pulumi policy enable myorg/my-policy-pack latest
The CLI by default enables the Policy Pack to your default Policy Group. If you would like to add the Policy Pack to a different Policy Group, you can use the
Now that you have published your first Policy Pack, you now have all the tools needed to enforce compliance amongst your organization. For more example Policy Packs, you can check out the examples repo. You can also find more documentation in the CrossGuard guide.