LinuxCommandLibrary

pulumi-policy

Enforce infrastructure as code policies

TLDR

Create a new Pulumi Policy Pack from a template or URL

$ pulumi policy new --dir [path/to/directory] [template|url]

Validate a policy pack's configuration file against the config schema of a published pack. To check a project against a policy, use pulumi preview
$ pulumi policy validate-config [organization_name]/[policy_pack_name] [version] --config [path/to/config.json]

List all policies for an organization
$ pulumi policy ls [[-j|--json]] [organization_name]

Publish a policy to the Pulumi Cloud
$ pulumi policy publish [organization_name]

Enable a policy with a specific version
$ pulumi policy enable [organization_name]/[policy_pack_name] [latest|version]

Disable a policy with a specific version (defaults to all versions)
$ pulumi policy disable [organization_name]/[policy_pack_name] --version [version]

Display help
$ pulumi policy [[-h|--help]]

SYNOPSIS

pulumi policy subcommand [options] [arguments]

Common subcommands include:
pulumi policy new [template|url] [--dir [path/to/directory]]
pulumi policy ls [--json] [organization_name]
pulumi policy validate-config [organization_name]/[policy_pack_name] [version] [--config [path/to/config.json]]
pulumi policy enable [organization_name]/[policy_pack_name] [latest|version] [--config [path/to/config.json]]
pulumi policy disable [organization_name]/[policy_pack_name] [--version [version]]
pulumi policy publish [organization_name]

PARAMETERS

help
    Display help for a command or subcommand.

[organization_name]/[policy_pack_name]
    Positional argument naming the organization and the policy pack. Used by validate-config, enable, and disable; publish takes only the organization name. The organization and pack are given in this form rather than as flags.

--version
    Select a specific version of a policy pack when disabling it (the default disables all versions). For enable and validate-config the version, or latest, is a positional argument; publish takes the version from the pack's own metadata.

--config
    Path to a configuration file for a policy pack. Used by enable and validate-config; lets a pack's policies be tuned (for example, a per-policy enforcement level) without changing the pack's code.

--dir
    With pulumi policy new, the directory in which to create the policy pack. Defaults to the current working directory.

--json
    Emit output as JSON. Available for commands like 'pulumi policy ls'.

--non-interactive
    Disable interactive prompts (e.g., for automation).

--logtostderr
    Log to stderr instead of to files.

DESCRIPTION

The pulumi policy command lets organizations define and enforce governance policies on their infrastructure as code deployments. It manages policy packs, which are collections of rules written in TypeScript/JavaScript or Python. Policies are applied to Pulumi stacks to ensure compliance with organizational standards, security best practices, and regulatory requirements. A policy pack can reject unapproved resource types, enforce naming conventions, validate resource properties (for example, forbidding public storage ACLs or unencrypted volumes), or enforce cost guidelines before resources are provisioned in cloud environments. The command offers subcommands for creating new policy packs, listing existing ones, enabling or disabling them for an organization, and publishing them to the Pulumi Cloud for centralized management and enforcement across an organization's deployments.

CAVEATS

Publishing and enabling policy packs for an organization requires Pulumi Cloud (hosted or self-hosted). With any backend, a pack can still be applied locally by passing its directory to pulumi preview --policy-pack [path/to/policy_pack] or pulumi up --policy-pack [path/to/policy_pack]. Policy packs are written in TypeScript/JavaScript or Python and require the respective language runtime installed. Enforcement happens during pulumi preview and pulumi up, which report violations or block the deployment depending on each policy's enforcement level.

POLICY PACK STRUCTURE

A Pulumi Policy Pack is a directory containing policy code (TypeScript/JavaScript or Python) and a PulumiPolicy.yaml file. The policy code defines the rules and logic, while the YAML file names the runtime (for example, runtime: nodejs) and other metadata about the pack. When published, the pack becomes available for enablement across an organization's stacks.

ENFORCEMENT WORKFLOW

Policies are enforced during the pulumi preview and pulumi up commands. During a preview, policies are evaluated against the planned infrastructure changes. During an update, the outcome of a violation depends on the policy's enforcement level: an advisory policy logs a warning and lets the deployment continue, a mandatory policy fails the preview or update before any resource is changed, and a disabled policy is skipped. Enforcement levels can be overridden per policy in the pack's configuration file. This ensures that only compliant infrastructure is provisioned.
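The following shell script is an added example for the two sections above; it is not part of this page and not Pulumi's own code. It writes a minimal Node.js policy pack by hand (the PulumiPolicy.yaml, package.json and index.ts a pack needs) with one mandatory and one advisory policy, and shows how the pack is run locally before it is published. The pack name s3-guardrails, the two policy names, the AWS S3 type token check and the Owner-tag rule are illustrative choices; the @pulumi/policy calls used in index.ts (PolicyPack, validateResource, reportViolation, enforcementLevel) are the SDK's own.

```shell
#!/bin/sh
# Added example (not from the page or from Pulumi): scaffold a minimal
# Node.js Policy Pack and show how it is enforced locally and then published.
# Pack name, policy names and the S3 checks are illustrative choices.
set -e

# make_policy_pack DIR: write a Policy Pack with two policies into DIR.
#   s3-no-public-acl  (mandatory): blocks S3 buckets with a public canned ACL
#   require-owner-tag (advisory):  warns when an S3 bucket has no Owner tag
make_policy_pack() {
    dir=$1
    mkdir -p "$dir"

    # Metadata read by pulumi preview --policy-pack and pulumi policy publish.
    cat > "$dir/PulumiPolicy.yaml" <<'EOF'
runtime: nodejs
description: Example guardrails for AWS S3 buckets
EOF

    # The package version is the version that gets published and later enabled.
    cat > "$dir/package.json" <<'EOF'
{
  "name": "s3-guardrails",
  "version": "0.0.1",
  "main": "index.js",
  "dependencies": { "@pulumi/policy": "^1.0.0" },
  "devDependencies": { "typescript": "^5.0.0", "@types/node": "^18.0.0" }
}
EOF

    cat > "$dir/tsconfig.json" <<'EOF'
{ "compilerOptions": { "target": "es2020", "module": "commonjs", "strict": true } }
EOF

    # Policy code. validateResource is called for every resource in the planned
    # update; args.type is the Pulumi type token, args.props the resource inputs.
    cat > "$dir/index.ts" <<'EOF'
import { PolicyPack } from "@pulumi/policy";

new PolicyPack("s3-guardrails", {
    policies: [
        {
            name: "s3-no-public-acl",
            description: "S3 buckets must not use a public canned ACL.",
            enforcementLevel: "mandatory", // a violation fails preview/up
            validateResource: (args, reportViolation) => {
                if (args.type !== "aws:s3/bucket:Bucket") { return; }
                const acl = args.props.acl;
                if (acl === "public-read" || acl === "public-read-write") {
                    reportViolation(`bucket '${args.name}' uses public ACL '${acl}'`);
                }
            },
        },
        {
            name: "require-owner-tag",
            description: "S3 buckets should carry an Owner tag.",
            enforcementLevel: "advisory", // a violation is only reported as a warning
            validateResource: (args, reportViolation) => {
                if (args.type !== "aws:s3/bucket:Bucket") { return; }
                const tags = args.props.tags || {};
                if (!tags["Owner"]) {
                    reportViolation(`bucket '${args.name}' has no Owner tag`);
                }
            },
        },
    ],
});
EOF
}

# policy_count DIR: number of policies declared in DIR/index.ts (quick self-check).
policy_count() {
    grep -c '^ *name: "' "$1/index.ts"
}

# Usage, from a Pulumi project directory (run npm install inside the pack first):
#   make_policy_pack ./policy-pack
#   pulumi preview --policy-pack ./policy-pack        # local enforcement, any backend
#   (cd ./policy-pack && pulumi policy publish my-org)  # Pulumi Cloud only
#   pulumi policy enable my-org/s3-guardrails latest
```

Running pulumi preview --policy-pack ./policy-pack against a project evaluates both policies against the planned resources: the advisory rule prints a warning and the preview continues, while the mandatory rule makes the preview fail. Once the pack is published and enabled for the organization, the same checks run for every stack in it without the --policy-pack flag.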

HISTORY

Pulumi Policy (announced in 2019 under the name CrossGuard) extends Pulumi's core infrastructure as code capabilities with governance and compliance features. It addresses the need for organizations to enforce standards and security policies directly within their cloud infrastructure provisioning workflows. Because policies are written as code, they can be version controlled, unit tested, and enforced automatically, putting guardrails directly into the CI/CD pipeline and deployment lifecycle and improving control and auditability over cloud resources.

SEE ALSO

pulumi(1), pulumi stack(1), pulumi up(1), pulumi preview(1)
