1. Docs
  2. Reference
  3. REST API Docs
  4. Policy Groups

Policy Groups

    Policy Groups are collections of policy packs that can be applied to stacks to enforce governance rules. The Policy Groups API allows you to create, manage, and apply policy groups to stacks.

    List Policy Groups

    GET /api/orgs/{orgName}/policygroups

    Returns a list of all Policy Groups for the organization. Policy Groups define which Policy Packs are enforced on which stacks, with configurable enforcement levels (advisory, mandatory, or disabled) per pack. Every organization has a default Policy Group, and additional groups can be created to apply different policy sets to different environments (e.g., stricter enforcement in production).

    Request Parameters

    • orgName string path required
      The organization name

    Responses

    200 OK
    Schema: AppListPolicyGroupsResponse
    • policyGroups array[AppPolicyGroupSummary] required
      List of policy groups
    • name string required
      The unique name of the policy group.
    • isOrgDefault boolean required
      Whether this is the organization’s default policy group, applied to all stacks not in another group.
    • numStacks integer required
      Number of stacks assigned to this policy group.
    • numAccounts integer optional
      Number of cloud accounts assigned to this policy group.
    • entityType enum required
      The type of entity this policy group targets (e.g. stacks, accounts).
      Values: stacks, accounts
    • mode enum required
      The enforcement mode of the policy group.
      Values: audit, preventative
    • numEnabledPolicyPacks integer required
      Number of policy packs currently enabled in this group.
    Errors: 404 Organization not found

    New Policy Group

    POST /api/orgs/{orgName}/policygroups

    Creates a new Policy Group for an organization. Policy Groups define which Policy Packs are enforced on which stacks or cloud accounts, with configurable enforcement levels (advisory, mandatory, or disabled) per pack. This allows different policy strictness for different environments, such as advisory-only in development and mandatory in production.

    Request Parameters

    • orgName string path required
      The organization name

    Request Body

    Schema: NewPolicyGroupRequest
    • name string required
      The name of the new policy group.
    • entityType enum required
      The type of entities this policy group applies to (stacks or accounts).
      Values: stacks, accounts
    • mode enum optional
      The enforcement mode for the policy group (audit or preventative). Defaults to ‘audit’ for account policy groups, ‘preventative’ for stack policy groups.
      Values: audit, preventative
    • agentPoolId string optional
      Agent pool ID for policy evaluation. Defaults to Pulumi hosted pool if not specified.

    Responses

    204 No Content
    Errors: 400 Invalid entity type or invalid Policy Group name 404 Organization not found 409 Policy Group already exists

    Get Policy Group

    GET /api/orgs/{orgName}/policygroups/{policyGroup}

    Returns the details of a specific Policy Group, including the list of Policy Packs applied to it and their enforcement levels (advisory, mandatory, or disabled), as well as the stacks or cloud accounts assigned to the group. Policy Groups enable targeted policy enforcement by associating sets of policies with specific infrastructure resources.

    Request Parameters

    • orgName string path required
      The organization name
    • policyGroup string path required
      The policy group name

    Responses

    200 OK
    Schema: PolicyGroup
    • name string required
      The name of the policy group.
    • isOrgDefault boolean required
      True if this is either the default stacks or default accounts policy group for the organization.
    • entityType enum required
      The type of entities this policy group applies to (stacks or accounts).
      Values: stacks, accounts
    • mode enum required
      The enforcement mode for the policy group (audit or preventative).
      Values: audit, preventative
    • stacks array[AppPulumiStackReference] required
      List of stacks that are members of this policy group.
    • name string required
      The name
    • routingProject string required
      The routing project
    • appliedPolicyPacks array[AppPolicyPackMetadata] required
      List of policy packs that are applied to this policy group.
    • name string required
      The name
    • displayName string required
      The display name
    • version integer required
      The version number
    • versionTag string required
      The version tag
    • config map[string]object optional
      The configuration that is to be passed to the Policy Pack. This map ties Policies with their configuration.
    • environments array[string] optional
      References to ESC environments to use for this policy pack.
    • accounts array[string] required
      List of Insights account names that are members of this policy group.
    • agentPoolId string optional
      Agent pool ID for audit policy evaluation. Defaults to Pulumi hosted pool if not specified.
    Errors: 404 Organization or Policy Group not found

    Update Policy Group

    PATCH /api/orgs/{orgName}/policygroups/{policyGroup}

    Updates a Policy Group’s configuration. This multi-purpose endpoint supports several operations in a single request via different body fields:

    • newName: rename the policy group
    • addStack / removeStack: add or remove stacks (with name and routingProject fields)
    • addPolicyPack / removePolicyPack: add or remove policy packs (with name, version, versionTag, and optional config)
    • addInsightsAccount / removeInsightsAccount: add or remove Insights accounts

    Enforcement levels for policy packs are advisory, mandatory, or disabled.

    Request Parameters

    • orgName string path required
      The organization name
    • policyGroup string path required
      The policy group name

    Request Body

    Schema: UpdatePolicyGroupRequest
    • addInsightsAccount InsightsAccount optional
      An Insights account to add to the policy group.
    • id string required
      ID of the account.
    • name string required
      The name of the account.
    • ownedBy UserInfo required
      The user with ownership of this Insights account
    • provider string required
      The cloud provider for the account (e.g., aws, gcp, azure-native).
    • providerVersion string optional
      The version of the Pulumi provider package used for discovery.
    • providerEnvRef string optional
      Reference to an ESC environment containing provider credentials, in the format ‘project/environment’ with an optional @version suffix.
    • scheduledScanEnabled boolean required
      If true, the account is scheduled for recurring discovery.
    • agentPoolID string optional
      The ID of the agent pool to run account discovery workflows. If not specified, discovery will use the default agent pool.
    • providerConfig object optional
      Provider-specific configuration for the account.
    • scanStatus ScanStatus optional
      Status of the last discovery scan for this account.
    • newName string optional
      The new name to assign to the policy group.
    • addStack AppPulumiStackReference optional
      A stack to add to the policy group.
    • name string required
      The name
    • routingProject string required
      The routing project
    • removeInsightsAccount InsightsAccount optional
      An Insights account to remove from the policy group.
    • id string required
      ID of the account.
    • name string required
      The name of the account.
    • ownedBy UserInfo required
      The user with ownership of this Insights account
    • provider string required
      The cloud provider for the account (e.g., aws, gcp, azure-native).
    • providerVersion string optional
      The version of the Pulumi provider package used for discovery.
    • providerEnvRef string optional
      Reference to an ESC environment containing provider credentials, in the format ‘project/environment’ with an optional @version suffix.
    • scheduledScanEnabled boolean required
      If true, the account is scheduled for recurring discovery.
    • agentPoolID string optional
      The ID of the agent pool to run account discovery workflows. If not specified, discovery will use the default agent pool.
    • providerConfig object optional
      Provider-specific configuration for the account.
    • scanStatus ScanStatus optional
      Status of the last discovery scan for this account.
    • agentPoolId string optional
      Agent pool ID for audit policy evaluation. Set to empty string to clear, omit to leave unchanged.
    • removeStack AppPulumiStackReference optional
      A stack to remove from the policy group.
    • name string required
      The name
    • routingProject string required
      The routing project
    • addPolicyPack AppPolicyPackMetadata optional
      A policy pack to enable for the policy group.
    • name string required
      The name
    • displayName string required
      The display name
    • version integer required
      The version number
    • versionTag string required
      The version tag
    • config map[string]object optional
      The configuration that is to be passed to the Policy Pack. This map ties Policies with their configuration.
    • environments array[string] optional
      References to ESC environments to use for this policy pack.
    • removePolicyPack AppPolicyPackMetadata optional
      A policy pack to disable for the policy group.
    • name string required
      The name
    • displayName string required
      The display name
    • version integer required
      The version number
    • versionTag string required
      The version tag
    • config map[string]object optional
      The configuration that is to be passed to the Policy Pack. This map ties Policies with their configuration.
    • environments array[string] optional
      References to ESC environments to use for this policy pack.

    Responses

    204 No Content
    Errors: 400 Bad Request 404 Organization, Policy Group, Stack, Account, or Policy Pack not found

    Delete Policy Group

    DELETE /api/orgs/{orgName}/policygroups/{policyGroup}

    Deletes a Policy Group from an organization. A Policy Group defines which Policy Packs are enforced on which stacks, with configurable enforcement levels (advisory, mandatory, or disabled) per pack. The organization’s default Policy Group cannot be deleted. Deleting a Policy Group removes all policy enforcement associations for the stacks that were assigned to it.

    Request Parameters

    • orgName string path required
      The organization name
    • policyGroup string path required
      The policy group name

    Responses

    204 No Content
    Errors: 400 Cannot delete the default Policy Group 404 Organization or Policy Group not found

    Batch Update Policy Group

    PATCH /api/orgs/{orgName}/policygroups/{policyGroup}/batch

    BatchUpdatePolicyGroup applies multiple update operations to the Policy Group efficiently. Each operation in the list uses the same fields as UpdatePolicyGroupRequest. Operations are grouped by type (adds, removes) and processed in batches for efficiency.

    Request Parameters

    • orgName string path required
      The organization name
    • policyGroup string path required
      The policy group name

    Request Body

    Responses

    204 No Content
    Errors: 400 Bad Request 404 Organization, Policy Group, Stack, Account, or Policy Pack not found

    Get Policy Group Metadata

    GET /api/orgs/{orgName}/policygroups/metadata

    Returns high-level policy protection metrics for an organization, including the number of stacks protected by policy enforcement, the total number of Policy Groups, and overall policy coverage statistics.

    Request Parameters

    • orgName string path required
      The organization name

    Responses

    200 OK
    Schema: PolicyGroupMetadata
    • ProtectedStacks integer required
      Number of unique stacks in any policy group (preventative or audit). Deprecated: Use PreventativeStacks and AuditStacks for breakdown by mode
    • ProtectedStackResources integer required
      Number of resources in unique stacks in any policy group (preventative or audit). Deprecated: Use PreventativeStackResources and AuditStackResources for breakdown by mode
    • PreventativeStacks integer required
      Number of stacks in preventative policy groups
    • PreventativeStackResources integer required
      Number of resources in stacks in preventative policy groups
    • AuditStacks integer required
      Number of stacks in audit policy groups
    • AuditStackResources integer required
      Number of resources in stacks in audit policy groups
    • TotalStacks integer required
      Total number of stacks in the organization
    • TotalStackResources integer required
      Total number of resources in all stacks
    • ProtectedAccounts integer required
      Number of accounts in policy groups
    • ProtectedAccountResources integer required
      Number of resources in accounts in policy groups
    • TotalAccounts integer required
      Total number of accounts in the organization
    • TotalAccountResources integer required
      Total number of resources in all accounts
    Errors: 404 Organization not found