
Publish and Enforce a Custom Policy Pack

Server-side enforcement of policy packs across an organization is only available in Pulumi Business Critical. See pricing for more details.

Now that we’ve validated the behavior of our custom policy pack, publishing it to Pulumi Cloud allows its policies to be enforced across your organization. Any time you run pulumi preview or pulumi up on a stack, Pulumi Cloud ships the enabled policy pack to the client, which evaluates the stack’s resources against it before the update proceeds. Policy Packs are versioned by Pulumi Cloud, so updated policies can be published and applied incrementally, and enforcement can be reverted to a previous version as needed.

Publish the policy pack

Navigate back to the policy pack directory, and run the following command to publish your policy pack:

$ pulumi policy publish <org-name>

The output will tell you what version of the policy pack you just published.

Obtaining policy metadata from policy plugin
Compressing policy pack
Uploading policy pack to Pulumi Cloud
Publishing custom-policy-pack to myorg
Published as version 1.0.0

Policy Versions: Pulumi Cloud tracks published policy packs by version. For TypeScript/JavaScript (Node.js) packs the version is taken from the version field in package.json, and for Python packs from PulumiPolicy.yaml; if no version is specified, Pulumi Cloud automatically assigns a monotonically increasing version number when the pack is published. Published policy packs are immutable: a given version number can be published only once, and once it has been used it can never be reused by that policy pack. Fixing or tightening a policy therefore means publishing a new version rather than overwriting an existing one, which keeps the history of what was enforced, and when, auditable.

Enforce the policy pack

You can enable the policy pack organization-wide by running:

$ pulumi policy enable myorg/custom-policy-pack latest

The latest argument enables the most recent published version of the policy pack. You can pass a specific version number instead, either to pin enforcement to a known version or to roll back to a previous one.

Policy Groups: Pulumi CrossGuard also has a concept of policy groups, which let you apply a policy pack only to the stacks that belong to a particular group. By default, pulumi policy enable adds the published policy pack to your organization’s default policy group, which applies it to all stacks. To add the policy pack to a different policy group instead, pass the --policy-group flag. Read more about managing groups with the pulumi policy group commands (/docs/iac/cli/commands/pulumi_policy_group/) in the CrossGuard docs.
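As an added example (not from the Pulumi docs or the Pulumi project), the following POSIX shell script runs the publish and enable steps above from a policy pack directory, but instead of enabling latest it parses the "Published as version" line from the publish output and enables exactly that version, optionally into a named policy group via --policy-group. It assumes the pulumi CLI is installed and logged in to Pulumi Cloud; the org, pack and group names it is invoked with are placeholders.

```shell
#!/bin/sh
# Added example (not from the Pulumi docs or the Pulumi project): publish a
# policy pack, read back the version Pulumi Cloud reports, and enable that
# exact version instead of "latest". Assumes the `pulumi` CLI is installed and
# logged in to Pulumi Cloud; org, pack and group names are placeholders.
set -eu

# Pull the version out of `pulumi policy publish` output, whose last line has
# the form "Published as version 1.0.0" (or an integer such as "3" when Pulumi
# Cloud assigned the version). Takes the captured output as its first argument
# and prints the version, or fails if no such line is present.
extract_published_version() {
    _out=$1
    _ver=$(printf '%s\n' "$_out" \
        | sed -n 's/^Published as version \([^[:space:]]*\).*$/\1/p' \
        | tail -n 1)
    if [ -z "$_ver" ]; then
        echo "no 'Published as version' line in publish output" >&2
        return 1
    fi
    printf '%s\n' "$_ver"
}

# Build the "<org>/<pack>" reference that `pulumi policy enable` expects.
pack_ref() {
    printf '%s/%s\n' "$1" "$2"
}

# publish_and_enable ORG PACK [POLICY_GROUP]
# Runs the two tutorial steps, but enables the specific version just
# published, so enforcement is pinned to a known, immutable version rather
# than whatever "latest" happens to resolve to at enable time.
publish_and_enable() {
    org=$1
    pack=$2
    group=${3:-}

    out=$(pulumi policy publish "$org" 2>&1) || {
        printf '%s\n' "$out" >&2
        return 1
    }
    printf '%s\n' "$out"

    ver=$(extract_published_version "$out")
    ref=$(pack_ref "$org" "$pack")

    if [ -n "$group" ]; then
        pulumi policy enable "$ref" "$ver" --policy-group "$group"
    else
        pulumi policy enable "$ref" "$ver"
    fi
    echo "Enabled $ref at version $ver${group:+ in policy group $group}"
}

# Only act when invoked with arguments, e.g.
#   sh publish_and_enable.sh myorg custom-policy-pack
#   sh publish_and_enable.sh myorg custom-policy-pack production
if [ $# -ge 2 ]; then
    publish_and_enable "$@"
fi
```

Because published versions are immutable, the version string this script enables is an exact, auditable identifier of the policy code in force; with latest, the enabled contents depend on whatever was most recently published at the moment the command ran.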

Next Steps

Congratulations! Now that you have published your first custom policy pack, all the pieces are in place to enforce compliance across your organization. For more example policy packs, you can check out the examples repo. You can also find more documentation in the CrossGuard guide.