Publish and Enforce a Custom Policy Pack
Now that we’ve validated the behavior of our custom policy pack, publishing it to Pulumi Cloud will allow the policies to be enforced across your organization. Any time you run pulumi preview or pulumi up on a stack, Pulumi Cloud will ship the policy to the client to enable policy enforcement. Policy packs are versioned by Pulumi Cloud so that updated policies can be published and applied incrementally, and also reverted to previous versions as needed.
Publish the policy pack
Navigate back to the policy pack directory, and run the following command to publish your policy pack:
$ pulumi policy publish <org-name>
The output will tell you what version of the policy pack you just published.
Obtaining policy metadata from policy plugin
Compressing policy pack
Uploading policy pack to Pulumi Cloud
Publishing custom-policy-pack to myorg
Published as version 1.0.0
The policy pack version is specified in the package.json file for TypeScript/JavaScript (Node.js) packs and in the PulumiPolicy.yaml file for Python packs. Published policy packs are immutable, meaning that a given version number can be published only once. Once published, the version can never be used by that policy pack again.
Enforce the policy pack
You can enable the policy pack organization-wide by running:
$ pulumi policy enable myorg/custom-policy-pack latest
The latest parameter indicates that the most recent version of the policy should be enabled. You could use a version number instead, to enable a previous version.
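The publish and enable steps above combined into one script, as an added example that is not part of the original page or Pulumi's own tooling: it reads the pack version from package.json or PulumiPolicy.yaml, refuses a version already recorded as published, and enables that exact version instead of latest. The ledger file, the DRY_RUN switch and the function names are assumptions made for this example, as is the top-level version: key in PulumiPolicy.yaml.

```shell
#!/bin/sh
# Added example (not Pulumi's code). DRY_RUN=1 prints the pulumi commands
# instead of running them. The ledger file is a hypothetical local record of
# versions already published, one per line.

# Print the version declared by the pack in directory $1.
pack_version() {
  if [ -f "$1/package.json" ]; then
    # Assumes a pretty-printed package.json with one key per line.
    sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
      "$1/package.json" | head -n 1
  elif [ -f "$1/PulumiPolicy.yaml" ]; then
    # Assumes a top-level "version:" key in PulumiPolicy.yaml.
    sed -n 's/^version:[[:space:]]*//p' "$1/PulumiPolicy.yaml" | head -n 1 | tr -d "\"'"
  else
    return 1
  fi
}

# Run a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# publish_and_pin ORG PACK DIR LEDGER
# Publishes the pack, then enables exactly the version that was published.
publish_and_pin() {
  org=$1; pack=$2; dir=$3; ledger=$4
  ver=$(pack_version "$dir") || { echo "no pack manifest in $dir" >&2; return 2; }
  [ -n "$ver" ] || { echo "no version found in $dir" >&2; return 2; }
  # Published versions are immutable: refuse a number that was already used.
  if [ -f "$ledger" ] && grep -Fxq "$ver" "$ledger"; then
    echo "version $ver already published; bump it first" >&2
    return 3
  fi
  (cd "$dir" && run pulumi policy publish "$org") || return 1
  # Pin the version number rather than "latest".
  run pulumi policy enable "$org/$pack" "$ver" || return 1
  [ "${DRY_RUN:-0}" = 1 ] || echo "$ver" >> "$ledger"
}
```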
The pulumi policy enable command, by default, enables a published policy pack in your default policy group, which applies it to all stacks. If you would like to add the policy pack to a different policy group, you can use the --policy-group flag. Read more about how to manage groups with [pulumi policy group](/docs/iac/cli/commands/pulumi_policy_group/) commands in the CrossGuard docs.
Next Steps
Congratulations! Now that you have published your first custom policy pack, all the pieces are in place to enforce compliance across your organization. For more example policy packs, you can check out the examples repo. You can also find more documentation in the CrossGuard guide.