{"id":8456,"library":"pulumi-policy","title":"Pulumi Policy Python SDK","description":"Pulumi's Policy Python SDK defines and manages policies for cloud resources deployed through Pulumi. Policy rules run during `pulumi preview` and `pulumi up`, asserting that cloud resource definitions comply with policies immediately before they are created or updated. It is currently at version 1.20.0 and follows a regular release cadence as part of the broader Pulumi ecosystem.","status":"active","version":"1.20.0","language":"en","source_language":"en","source_url":"https://github.com/pulumi/pulumi-policy","tags":["infrastructure-as-code","iac","policy-as-code","cloud-governance","pulumi","security","compliance"],"install":[{"cmd":"pip install pulumi-policy","lang":"bash","label":"Install Pulumi Policy SDK"},{"cmd":"pulumi policy new aws-python","lang":"bash","label":"Create a new Python Policy Pack"}],"dependencies":[{"reason":"Core Pulumi SDK required for any Pulumi program, including policy packs.","package":"pulumi","optional":false}],"imports":[{"note":"Used to register a collection of policies.","symbol":"PolicyPack","correct":"from pulumi_policy import PolicyPack"},{"note":"Used to define a policy that validates individual resources.","symbol":"ResourceValidationPolicy","correct":"from pulumi_policy import ResourceValidationPolicy"},{"note":"Used to define a policy that validates an entire stack's configuration.","symbol":"StackValidationPolicy","correct":"from pulumi_policy import StackValidationPolicy"},{"note":"Specifies whether a policy violation is 'advisory', 'mandatory', or 'remediate'.","symbol":"EnforcementLevel","correct":"from pulumi_policy import EnforcementLevel"},{"note":"The argument object passed to a resource validator; exposes `resource_type`, `name`, `urn` and the resource's input properties as the `props` dict. The Python SDK has no `validateResourceOfType` helper (that exists only in the Node.js SDK), so validators filter on `args.resource_type` themselves.","symbol":"ResourceValidationArgs","correct":"from pulumi_policy import ResourceValidationArgs"},{"note":"Type of the callback a validator invokes to report a violation.","symbol":"ReportViolation","correct":"from pulumi_policy import ReportViolation"}],"quickstart":{"code":"from pulumi_policy import (\n    EnforcementLevel,\n    PolicyPack,\n    ReportViolation,\n    ResourceValidationArgs,\n    ResourceValidationPolicy,\n)\n\n# Resource validators are invoked for every resource in the stack, so the\n# validator filters on the Pulumi type token before inspecting properties.\ndef s3_no_public_read_validator(args: ResourceValidationArgs, report_violation: ReportViolation):\n    if args.resource_type == \"aws:s3/bucket:Bucket\" and \"acl\" in args.props:\n        acl = args.props[\"acl\"]\n        if acl in (\"public-read\", \"public-read-write\"):\n            report_violation(f\"S3 Bucket '{args.name}' should not be publicly readable (acl={acl}).\")\n\nPolicyPack(\n    name=\"aws-s3-security\",\n    policies=[\n        ResourceValidationPolicy(\n            name=\"s3-no-public-read\",\n            description=\"Prohibits setting the publicRead or publicReadWrite permission on AWS S3 buckets.\",\n            enforcement_level=EnforcementLevel.MANDATORY,\n            validate=s3_no_public_read_validator,\n        )\n    ],\n)\n","lang":"python","description":"This example defines a Pulumi Policy Pack in Python that includes a single policy. The `s3-no-public-read` policy ensures that no AWS S3 bucket can be created or updated with a `public-read` or `public-read-write` ACL. The validator receives a `ResourceValidationArgs` object for every resource and checks `args.resource_type` against the `aws:s3/bucket:Bucket` type token before reading the `acl` input from `args.props`. If such a bucket is detected during `pulumi preview` or `pulumi up`, the deployment will be halted due to the `MANDATORY` enforcement level. This code would typically reside in `__main__.py` within a policy pack directory created by `pulumi policy new aws-python`."},"warnings":[{"fix":"Refer to the documentation and changelogs of the specific policy pack you are using. Upgrade to the latest stable versions when possible.","message":"Some Pulumi-authored policy packs (e.g., `pulumi-awsguard`) were released as 'Preview' and explicitly stated they were subject to breaking changes. While the core `pulumi-policy` SDK is more stable, be cautious with specific policy libraries and always check their release notes.","severity":"breaking","affected_versions":"Early versions of specific policy packs (e.g., pulumi-awsguard v0.x)"},{"fix":"Use `EnforcementLevel.ADVISORY` for warnings that don't block deployment, or `EnforcementLevel.REMEDIATE` to automatically fix certain violations. 
Carefully test mandatory policies in non-production environments first.","message":"Policies with `EnforcementLevel.MANDATORY` will halt `pulumi up` operations if a violation is detected. This prevents non-compliant resources from being provisioned or updated.","severity":"gotcha","affected_versions":"All versions"},{"fix":"For local testing, always include `--policy-pack` flag. For organizational enforcement, publish your policy pack using `pulumi policy publish` and configure it in the Pulumi Cloud console.","message":"Policy Packs are only evaluated locally when the `--policy-pack <path-to-policy-pack-directory>` flag is explicitly passed to `pulumi preview` or `pulumi up`. For central enforcement across an organization, policy packs must be published to Pulumi Cloud and associated with a Policy Group.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Ensure that only trusted policy packs are run against your stacks and that your policy code itself does not log or expose sensitive information unnecessarily.","message":"During policy evaluation, any secrets defined in your Pulumi stack configuration or resources are decrypted and accessible in plaintext to the policy code. Treat your policy code with the same security considerations as your infrastructure code.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Be aware that resources imported or refreshed might temporarily be out of compliance without immediate policy notification. Subsequent `pulumi up` operations will then apply policies.","message":"`pulumi stack import` and `pulumi refresh` commands do not trigger policy evaluations. Policies are primarily designed to run during `pulumi preview` and `pulumi up` to validate changes before or during deployment.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-16T00:00:00.000Z","next_check":"2026-07-15T00:00:00.000Z","problems":[{"fix":"Confirm no other users are running updates. 
If not, use `pulumi cancel` in the stack directory to clear the stale lease.","cause":"Another Pulumi update is already running on the stack, or a previous update crashed, leaving a stale lease.","error":"409 conflict: Another update is currently in progress"},{"fix":"If testing locally, ensure you are running `pulumi preview --policy-pack <path-to-your-policy-pack-directory>`. If expecting cloud enforcement, verify the policy pack is published and associated with a Policy Group in your Pulumi Cloud organization.","cause":"The policy pack is not correctly referenced (locally) or enabled (in Pulumi Cloud).","error":"Policy violations not being reported during pulumi preview/up"},{"fix":"This is a rare error and usually points to a Pulumi bug. It is recommended to open a GitHub issue with Pulumi, providing detailed steps to reproduce the issue and diagnostic logs.","cause":"This error message indicates an internal bug within the Pulumi engine related to its data structure self-check.","error":"Error: after mutation of snapshot"}]}