Enforcing a Policy Pack Across an Organization

CrossGuard is a beta feature and is subject to breaking changes. The open source --policy-pack flag is free and available for all to use. A preview of CrossGuard is also available in the Pulumi Console, which enables you to enforce policies across an organization. To get access, submit a request here.

Once you’ve validated the behavior of your policies, an organization administrator can publish them to the Pulumi Console to be enforced across your organization. Any Pulumi client (a developer’s workstation, a CI/CD tool, etc.) that interacts with a stack via the Pulumi Console will have policy enforcement during the execution of preview and update. Policy Packs are versioned by the Pulumi Console so that updated policies can be published and applied as ready and also reverted to previous versions as needed.

  1. From within the Policy Pack directory, run the following command to publish your pack:

    $ PULUMI_EXPERIMENTAL=true pulumi policy publish [org-name]

    Windows cmd.exe

    set PULUMI_EXPERIMENTAL=true
    pulumi policy publish [org-name]

    Windows PowerShell

    $env:PULUMI_EXPERIMENTAL = 'true'
    pulumi policy publish [org-name]

    The [org-name] is optional. If not specified, the pack will be published to your user account.

    The output will tell you what version of the Policy Pack you just published. The Pulumi service provides a monotonic version number for Policy Packs.

    Obtaining policy metadata from policy plugin
    Compressing policy pack
    Uploading policy pack to Pulumi service
    Publishing policy-pack-typescript to myorg
    Published as version 1
    
  2. You can apply this Policy Pack to your organization’s default Policy Group by running:

    $ PULUMI_EXPERIMENTAL=true pulumi policy apply <org-name>/<policy-pack-name> <version>

    Windows cmd.exe

    set PULUMI_EXPERIMENTAL=true
    pulumi policy apply <org-name>/<policy-pack-name> <version>

    Windows PowerShell

    $env:PULUMI_EXPERIMENTAL = 'true'
    pulumi policy apply <org-name>/<policy-pack-name> <version>

    For example, to apply the Policy Pack created in the previous step:

    $ PULUMI_EXPERIMENTAL=true pulumi policy apply pulumi/policy-pack-typescript 1

    Windows cmd.exe

    set PULUMI_EXPERIMENTAL=true
    pulumi policy apply pulumi/policy-pack-typescript 1

    Windows PowerShell

    $env:PULUMI_EXPERIMENTAL = 'true'
    pulumi policy apply pulumi/policy-pack-typescript 1

    The CLI can only be used to apply the Policy Pack to your default Policy Group. If you would like to add the Policy Pack to a different Policy Group, you can do so via the Pulumi Console.

Next Steps

Now that you have published your first Policy Pack, you have all the tools needed to enforce compliance across your organization. For more example Policy Packs, you can check out the examples repo. You can also find more documentation in the CrossGuard guide.