
Policy API & SDK Reference

    Pulumi provides SDKs for authoring policy packs in TypeScript/JavaScript and Python, and REST API endpoints for managing policies programmatically through Pulumi Cloud.

    Policy SDK

    The Policy SDK lets you define and validate policies in code. Use it to write custom policy packs that enforce your organization’s compliance and security requirements.

    Language                Package           Status
    TypeScript/JavaScript   @pulumi/policy    Stable
    Python                  pulumi_policy     Stable

    Getting started with the SDK

    Create a new policy pack project with the CLI:

    pulumi policy new aws-typescript
    

    A basic policy pack looks like this:

    import { PolicyPack, validateResourceOfType } from "@pulumi/policy";
    import * as aws from "@pulumi/aws";
    
    new PolicyPack("my-policies", {
        policies: [
            {
                name: "s3-no-public-read",
                description: "Prohibits setting the publicRead ACL on S3 buckets.",
                enforcementLevel: "mandatory",
                validateResource: validateResourceOfType(aws.s3.Bucket, (bucket, args, reportViolation) => {
                    if (bucket.acl === "public-read") {
                        reportViolation("S3 buckets must not have the publicRead ACL.");
                    }
                }),
            },
        ],
    });
    

    For a complete guide on writing policies, see write your own policy packs.
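    To show how the policy callbacks above are driven and how enforcementLevel decides whether a violation blocks an update, the following is an added example that is not part of the Pulumi docs or of the @pulumi/policy SDK. It deliberately does not import @pulumi/policy: the ResourceValidationPolicy and ResourceValidationArgs types are hand-written stand-ins assumed to mirror the SDK's shapes, evaluatePolicies is an assumed stand-in for the engine's evaluation loop, and the resources fed to it are constructed sample data, not state from a real stack.

```typescript
// Added example (not Pulumi's own code). Local stand-ins for the SDK types:
// in a real policy pack these come from "@pulumi/policy".
type EnforcementLevel = "advisory" | "mandatory" | "disabled";
type ReportViolation = (message: string) => void;

interface ResourceValidationArgs {
    type: string;                 // Pulumi type token, e.g. "aws:s3/bucket:Bucket"
    name: string;                 // logical resource name in the program
    props: Record<string, any>;   // input properties as the engine sees them
}

interface ResourceValidationPolicy {
    name: string;
    description: string;
    enforcementLevel: EnforcementLevel;
    validateResource: (args: ResourceValidationArgs, reportViolation: ReportViolation) => void;
}

interface Violation {
    policy: string;
    resource: string;
    enforcementLevel: EnforcementLevel;
    message: string;
}

// Two policies written in the same shape as the snippet above. The type check
// replaces validateResourceOfType, which in the SDK does the same filtering.
const policies: ResourceValidationPolicy[] = [
    {
        name: "s3-no-public-read",
        description: "Prohibits setting the publicRead ACL on S3 buckets.",
        enforcementLevel: "mandatory",
        validateResource: (args, reportViolation) => {
            if (args.type === "aws:s3/bucket:Bucket" && args.props.acl === "public-read") {
                reportViolation("S3 buckets must not have the publicRead ACL.");
            }
        },
    },
    {
        name: "s3-versioning-enabled",
        description: "Recommends enabling versioning on S3 buckets.",
        enforcementLevel: "advisory",   // reported, but does not block the update
        validateResource: (args, reportViolation) => {
            if (args.type === "aws:s3/bucket:Bucket" && !args.props.versioning?.enabled) {
                reportViolation("S3 buckets should have versioning enabled.");
            }
        },
    },
];

// Assumed stand-in for the engine: every enabled policy is invoked once per
// resource, and each reportViolation call is collected with its enforcement level.
function evaluatePolicies(pack: ResourceValidationPolicy[], resources: ResourceValidationArgs[]): Violation[] {
    const violations: Violation[] = [];
    for (const resource of resources) {
        for (const policy of pack) {
            if (policy.enforcementLevel === "disabled") continue;
            policy.validateResource(resource, (message) => {
                violations.push({ policy: policy.name, resource: resource.name,
                                  enforcementLevel: policy.enforcementLevel, message });
            });
        }
    }
    return violations;
}

// A single mandatory violation is enough to fail the update; advisory ones only warn.
function blocksDeployment(violations: Violation[]): boolean {
    return violations.some((v) => v.enforcementLevel === "mandatory");
}

// Constructed sample resources: one offending bucket, one compliant bucket, one unrelated resource.
const sampleResources: ResourceValidationArgs[] = [
    { type: "aws:s3/bucket:Bucket", name: "public-assets", props: { acl: "public-read" } },
    { type: "aws:s3/bucket:Bucket", name: "private-data", props: { acl: "private", versioning: { enabled: true } } },
    { type: "aws:ec2/instance:Instance", name: "web", props: { instanceType: "t3.micro" } },
];

const found = evaluatePolicies(policies, sampleResources);
for (const v of found) {
    console.log(`[${v.enforcementLevel}] ${v.policy} on ${v.resource}: ${v.message}`);
}
console.log(blocksDeployment(found) ? "update blocked" : "update allowed");
```

    Running it reports two violations, both on public-assets (the mandatory ACL policy and the advisory versioning policy), and the mandatory one is what turns the result into a blocked update; the compliant bucket and the EC2 instance produce nothing. When the same callbacks are placed in a real PolicyPack, the engine performs the loop that evaluatePolicies simulates here.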

    Pulumi Cloud REST API

    The Pulumi Cloud REST API provides endpoints for managing policy packs, policy groups, and policy results programmatically. Use these endpoints to integrate policy management into custom tooling and workflows.

    Policy packs

    Create, list, apply, and delete policy packs in your organization.

    Policy groups

    Manage policy groups that control which policy packs are enforced on which stacks.

    Policy results

    Query policy evaluation results to monitor compliance across your organization.

    Stack policy

    View the policy packs and policy groups associated with a specific stack.

    Pulumi Service Provider

    The Pulumi Cloud (pulumiservice) provider includes resources and functions for managing policies programmatically as part of your Pulumi infrastructure code.

    Resources

    Resource      Description
    PolicyGroup   Apply policy packs to a set of stacks or cloud accounts in your organization. Supports audit and preventative enforcement modes.

    Functions

    Function         Description
    getPolicyPack    Get details about a specific version of a policy pack, including its configuration and policies.
    getPolicyPacks   List all policy packs for an organization.