---
title_tag: Get Started with Policy as Code | CrossGuard
meta_desc: Pulumi CrossGuard is a product that provides gated deployments via Policy as Code. Enforce best practices and security compliance when creating cloud resources.
title: Get started
h1: Get started with Pulumi policy as code
weight: 1
meta_image: /images/docs/meta-images/docs-meta.png
menu:
  usingpulumi:
    parent: crossguard
    identifier: policy-as-code-get-started
aliases:
- /docs/get-started/policy-as-code
- /docs/get-started/crossguard
- /docs/get-started/crossguard/authoring-a-policy-pack
- /docs/get-started/crossguard/enforcing-a-policy-pack
- /docs/guides/crossguard/get-started/
---
Pulumi CrossGuard is a product that provides gated deployments via Policy as Code.
Organizations often want to empower developers to manage their own infrastructure, yet are wary of giving them unrestricted access. CrossGuard lets administrators give developers that autonomy while ensuring compliance with the organization's defined policies.
Using Policy as Code, users can express business or security rules as functions that are executed against resources in their stacks. Then using CrossGuard, organization administrators can apply these rules to particular stacks within their organization. When policies are executed as part of your Pulumi deployments, any violation will gate or block that update from proceeding.
## Terminology
* **Policy Pack** - a set of related policies, e.g. “Security”, “Cost Optimization”, “Data Location”. How policies are grouped into a Policy Pack is left up to the user.
* **Policy** - an individual policy, e.g. “prohibit use of instances larger than t3.medium”.
* **Enforcement Level** - the impact of a policy violation, e.g. “mandatory” or “advisory”.
Learn more about [Policy as Code core concepts](/docs/using-pulumi/crossguard/core-concepts/).
## Creating a Policy Pack
Let's start with authoring your first Policy Pack.
Policies can be written in TypeScript/JavaScript (Node.js) or Python and can be applied to Pulumi stacks written in any language. [More information on language support for policies](/docs/using-pulumi/crossguard#languages).
{{< chooser language "typescript,python" >}}
{{% choosable language typescript %}}
1. Install prerequisites.
    * [Install Pulumi](/docs/install/)
    * [Install Node.js](https://nodejs.org/en/download/)
1. Create a directory for your new Policy Pack, and change into it.
    ```sh
    $ mkdir policypack && cd policypack
    ```
1. Run the `pulumi policy new` command.
```sh
$ pulumi policy new aws-typescript
```
1. Tweak the Policy Pack in the `index.ts` file as desired. The existing policy in the template (which is annotated below) mandates that an AWS S3 bucket not have public read or write permissions enabled.
Each Policy must have a unique name, description, and validation function. Here we use the `validateResourceOfType` helper so that our validation function is only called for AWS S3 bucket resources. An enforcement level can be set on the Policy Pack (applies to all policies) and/or on each individual policy (overriding any Policy Pack value).
    ```typescript
    import * as aws from "@pulumi/aws";
    import { PolicyPack, validateResourceOfType } from "@pulumi/policy";

    // Create a new Policy Pack.
    new PolicyPack("policy-pack-typescript", {
        // Specify the Policies in the Policy Pack.
        policies: [{
            // The name for the Policy must be unique within the Pack.
            name: "s3-no-public-read",
            // The description should document what the Policy does and why it exists.
            description: "Prohibits setting the publicRead or publicReadWrite permission on AWS S3 buckets.",
            // The enforcement level can be "advisory", "mandatory", or "disabled". An "advisory" enforcement level
            // simply prints a warning for users, while a "mandatory" policy will block an update from proceeding, and
            // "disabled" disables the policy from running.
            enforcementLevel: "mandatory",
            // The validateResourceOfType function allows you to filter resources. In this case, the rule only
            // applies to S3 buckets and reports a violation if the acl is "public-read" or "public-read-write".
            validateResource: validateResourceOfType(aws.s3.Bucket, (bucket, args, reportViolation) => {
                if (bucket.acl === "public-read" || bucket.acl === "public-read-write") {
                    reportViolation(
                        "You cannot set public-read or public-read-write on an S3 bucket. " +
                        "Read more about ACLs here: https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html");
                }
            }),
        }],
    });
    ```
{{% /choosable %}}
{{% choosable language python %}}
1. Install prerequisites.
    * [Install Pulumi](/docs/install/)
    * [Install Python](https://www.python.org/downloads/)
1. Create a directory for your new Policy Pack, and change into it.
    ```sh
    $ mkdir policypack && cd policypack
    ```
1. Run the `pulumi policy new` command.
```sh
$ pulumi policy new aws-python
```
1. Tweak the Policy Pack in the `__main__.py` file as desired. The existing policy in the template (which is annotated below) mandates that an AWS S3 bucket not have public read or write permissions enabled.
Each Policy must have a unique name, description, and validation function. An enforcement level can be set on the Policy Pack (applies to all policies) and/or on each individual policy (overriding any Policy Pack value).
    ```python
    from pulumi_policy import (
        EnforcementLevel,
        PolicyPack,
        ReportViolation,
        ResourceValidationArgs,
        ResourceValidationPolicy,
    )

    # The validation function is called before each resource is created or updated.
    # In this case, the rule only applies to S3 buckets and reports a violation if the
    # acl is "public-read" or "public-read-write".
    def s3_no_public_read_validator(args: ResourceValidationArgs, report_violation: ReportViolation):
        if args.resource_type == "aws:s3/bucket:Bucket" and "acl" in args.props:
            acl = args.props["acl"]
            if acl == "public-read" or acl == "public-read-write":
                report_violation(
                    "You cannot set public-read or public-read-write on an S3 bucket. " +
                    "Read more about ACLs here: https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html")

    s3_no_public_read = ResourceValidationPolicy(
        # The name for the Policy must be unique within the Pack.
        name="s3-no-public-read",
        # The description should document what the Policy does and why it exists.
        description="Prohibits setting the publicRead or publicReadWrite permission on AWS S3 buckets.",
        # The enforcement level can be ADVISORY, MANDATORY, or DISABLED. An ADVISORY enforcement level
        # simply prints a warning for users, while a MANDATORY policy will block an update from proceeding, and
        # DISABLED disables the policy from running.
        enforcement_level=EnforcementLevel.MANDATORY,
        # The validation function, defined above.
        validate=s3_no_public_read_validator,
    )

    # Create a new Policy Pack.
    PolicyPack(
        name="policy-pack-python",
        # Specify the Policies in the Policy Pack.
        policies=[
            s3_no_public_read,
        ],
    )
    ```
{{% /choosable %}}
{{< /chooser >}}
You can find more example Policy Packs in the [examples repo](https://github.com/pulumi/examples/tree/master/policy-packs). [Policy Pack best practices](/docs/using-pulumi/crossguard/best-practices/) details the best practices for writing a Policy Pack.
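Before wiring a pack into `pulumi preview`, it is worth exercising the validator's logic in isolation, so that a mistake in the rule does not surface as a confusing preview failure. The following is an added example written for this page, not code from the Pulumi template or from the `pulumi_policy` package: it keeps the template validator's `(args, report_violation)` shape but feeds it through a small stand-in evaluator. `Args`, `Policy`, `Violation`, `evaluate_pack`, `update_blocked` and the sample resources are all assumptions made for this example (the real engine supplies `ResourceValidationArgs` and decides gating itself). It checks, offline, that only the two public canned ACLs are reported, that a policy-level enforcement level overrides the pack-level default, and that only mandatory violations block an update while advisory ones only warn.

```python
"""Offline harness for a CrossGuard-style resource validator (added example).

Everything except the validator's shape is a stand-in written for this page;
it is NOT the pulumi_policy API, which needs the Pulumi engine to run.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

# Pulumi type token for an S3 bucket, as printed in `pulumi preview` output.
S3_BUCKET = "aws:s3/bucket:Bucket"
PUBLIC_ACLS = {"public-read", "public-read-write"}


@dataclass
class Args:
    """Stand-in for pulumi_policy.ResourceValidationArgs (assumed shape)."""
    resource_type: str
    name: str
    props: Dict[str, Any]


def s3_no_public_read_validator(args: Args, report_violation: Callable[[str], None]) -> None:
    """Same rule as the template policy: reject public canned ACLs on S3 buckets."""
    if args.resource_type == S3_BUCKET and args.props.get("acl") in PUBLIC_ACLS:
        report_violation(
            f"You cannot set {args.props['acl']} on S3 bucket '{args.name}'.")


@dataclass
class Policy:
    name: str
    validate: Callable[[Args, Callable[[str], None]], None]
    enforcement_level: Optional[str] = None  # None: inherit the pack-level value


@dataclass
class Violation:
    policy: str
    resource: str
    enforcement_level: str
    message: str


def evaluate_pack(policies: List[Policy], resources: List[Args],
                  pack_enforcement_level: str = "advisory") -> List[Violation]:
    """Run every enabled policy over every resource and collect the violations.

    Precedence follows the text above: a policy's own enforcement level wins
    over the pack-level default, and "disabled" policies never run.
    """
    violations: List[Violation] = []
    for policy in policies:
        level = policy.enforcement_level or pack_enforcement_level
        if level == "disabled":
            continue
        for res in resources:
            # Bind the current policy/resource/level so the callback records them.
            def report(message: str, _p=policy, _r=res, _l=level) -> None:
                violations.append(Violation(_p.name, _r.name, _l, message))
            policy.validate(res, report)
    return violations


def update_blocked(violations: List[Violation]) -> bool:
    """Only mandatory violations gate the update; advisory ones are warnings."""
    return any(v.enforcement_level == "mandatory" for v in violations)


# Constructed sample inputs: what the stack from the Running Locally section
# registers after the bucket is edited to acl="public-read", plus a few
# resources the policy must leave alone (private ACL, no ACL, not a bucket).
SAMPLE_RESOURCES = [
    Args(S3_BUCKET, "my-bucket", {"acl": "public-read"}),
    Args(S3_BUCKET, "logs", {"acl": "private"}),
    Args(S3_BUCKET, "no-acl-set", {}),
    Args("aws:ec2/instance:Instance", "web", {"instanceType": "t3.medium"}),
]

POLICY_PACK = [Policy("s3-no-public-read", s3_no_public_read_validator, "mandatory")]


if __name__ == "__main__":
    found = evaluate_pack(POLICY_PACK, SAMPLE_RESOURCES)
    for v in found:
        print(f"[{v.enforcement_level}] {v.policy} ({v.resource}): {v.message}")
    print("update blocked:", update_blocked(found))
```

Running the script reports a single mandatory violation for `my-bucket` and `update blocked: True`; switching the policy's level to `None` so it inherits the pack's `advisory` default produces the same violation as a warning and no block. Keep the harness beside the pack and run it in CI before `pulumi policy publish`, so a rule that silently matches nothing (or everything) is caught before it gates real deployments.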
### Running Locally {#running-locally}
Now let's take a look at how to run the Policy Pack locally against a Pulumi program.
{{< chooser language "typescript,python" >}}
{{% choosable language typescript %}}
1. Use the `--policy-pack` flag with `pulumi preview` or `pulumi up` to specify the path to the directory containing your Policy Pack when previewing/updating a Pulumi program.
    If you don't have a Pulumi program readily available, you can create a new program for testing by running `pulumi new aws-typescript` in an empty directory. This AWS example will create an S3 bucket, which is perfect for testing our Policy.
    ```sh
    $ mkdir test-program && cd test-program
    $ pulumi new aws-typescript
    ```
In the Pulumi program's directory run:
    ```sh
    $ pulumi preview --policy-pack <path-to-policy-pack-directory>
    ```
If the Pulumi stack is in compliance, we expect the output to tell us which Policy Packs were run.
    ```
    Previewing update (dev):

         Type                 Name       Plan
     +   pulumi:pulumi:Stack  test-dev   create
     +   └─ aws:s3:Bucket     my-bucket  create

    Resources:
        + 2 to create

    Policy Packs run:
        Name                                              Version
        aws-typescript (/Users/user/path/to/policy-pack)  (local)
    ```
1. We can then edit the stack code to specify the ACL to be public-read.
```typescript
const bucket = new aws.s3.Bucket("my-bucket", {
acl: "public-read",
});
```
1. We then run the `pulumi preview` command again and this time get an error message indicating we failed the preview because of a policy violation.
    ```
    Previewing update (dev):

         Type                 Name       Plan    Info
     +   pulumi:pulumi:Stack  test-dev   create  1 error
     +   └─ aws:s3:Bucket     my-bucket  create

    Diagnostics:
      pulumi:pulumi:Stack (test-dev):
        error: preview failed

      Policy Violations:
        [mandatory]  aws-typescript v0.0.1  s3-no-public-read (my-bucket: aws:s3/bucket:Bucket)
        Prohibits setting the publicRead or publicReadWrite permission on AWS S3 buckets.
        You cannot set public-read or public-read-write on an S3 bucket. Read more about ACLs here: https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html
    ```
{{% /choosable %}}
{{% choosable language python %}}
1. Use the `--policy-pack` flag with `pulumi preview` or `pulumi up` to specify the path to the directory containing your Policy Pack when previewing/updating a Pulumi program.
    If you don't have a Pulumi program readily available, you can create a new program for testing by running `pulumi new aws-python` in an empty directory. This AWS example will create an S3 bucket, which is perfect for testing our Policy.
    ```sh
    $ mkdir test-program && cd test-program
    $ pulumi new aws-python
    ```
In the Pulumi program's directory, run:
    ```sh
    $ pulumi preview --policy-pack <path-to-policy-pack-directory>
    ```
If the Pulumi stack is in compliance, we expect the output to tell us which Policy Packs were run.
    ```
    Previewing update (dev):

         Type                 Name       Plan
     +   pulumi:pulumi:Stack  test-dev   create
     +   └─ aws:s3:Bucket     my-bucket  create

    Resources:
        + 2 to create

    Policy Packs run:
        Name                                          Version
        aws-python (/Users/user/path/to/policy-pack)  (local)
    ```
1. We can then edit the stack code to specify the ACL to be public-read.
```python
bucket = s3.Bucket('my-bucket', acl="public-read")
```
1. We then run the `pulumi preview` command again and this time get an error message indicating we failed the preview because of a policy violation.
    ```
    Previewing update (dev):

         Type                 Name       Plan    Info
     +   pulumi:pulumi:Stack  test-dev   create  1 error
     +   └─ aws:s3:Bucket     my-bucket  create

    Diagnostics:
      pulumi:pulumi:Stack (test-dev):
        error: preview failed

      Policy Violations:
        [mandatory]  aws-python v0.0.1  s3-no-public-read (my-bucket: aws:s3/bucket:Bucket)
        Prohibits setting the publicRead or publicReadWrite permission on AWS S3 buckets.
        You cannot set public-read or public-read-write on an S3 bucket. Read more about ACLs here: https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html
    ```
{{% /choosable %}}
{{< /chooser >}}
Now that your Policy Pack is ready to go, let's enforce the pack across your organization.
## Enforcing a Policy Pack
{{% notes type="info" %}}
Server-side enforcement of policy packs across an organization is only available in **Pulumi Business Critical**. See [pricing](/pricing/) for more details.
{{% /notes %}}
Once you've validated the behavior of your policies, an organization administrator can publish them to the Pulumi Cloud to be enforced across your organization. Any Pulumi client (a developer's workstation, CI/CD tool, etc.) that interacts with a stack via the Pulumi Cloud will have policy enforcement during the execution of `preview` and `update`. Policy Packs are versioned by the Pulumi Cloud so that updated policies can be published and applied as ready and also reverted to previous versions as needed.
1. From within the Policy Pack directory, run the following command to publish your pack:
    ```sh
    $ pulumi policy publish <org-name>
    ```
The output will tell you what version of the Policy Pack you just published. The Pulumi Cloud provides a monotonic version number for Policy Packs.
```
Obtaining policy metadata from policy plugin
Compressing policy pack
Uploading policy pack to Pulumi Cloud
Publishing my-policy-pack to myorg
Published as version 1.0.0
```
    The Policy Pack version is specified in the `package.json` file for TypeScript/JavaScript (Node.js) packs and in the `PulumiPolicy.yaml` file for Python packs. Each version can be published only once; after a version has been published, that Policy Pack can never reuse it.
<!-- markdownlint-disable ul -->
1. You can enable this Policy Pack to your organization's default Policy Group by running:
    ```sh
    $ pulumi policy enable <org-name>/<policy-pack-name> <latest|version>
    ```
For example, to enable the Policy Pack created in the previous step:
```sh
$ pulumi policy enable myorg/my-policy-pack latest
```
The CLI by default enables the Policy Pack to your default Policy Group. If you would like to add the Policy Pack to a different Policy Group, you can use the `--policy-group` flag.
## Next Steps
Now that you have published your first Policy Pack, you have all the tools needed to enforce compliance across your organization. For more example Policy Packs, check out the [examples repo](https://github.com/pulumi/examples/tree/master/policy-packs). You can also find more documentation in the [CrossGuard guide](/docs/using-pulumi/crossguard/).