
Policy Packs

    Policy Packs are collections of policies that define governance rules for infrastructure deployments. The Policy Packs API allows you to create, manage, and apply policy packs to enforce governance rules across your organization.

    List Policy Packs

    GET /api/orgs/{orgName}/policypacks

    ListPolicyPacks returns a list of all complete Policy Packs for the organization. If the policypack query parameter is set, it will only list the policy packs with the specified name.

    Request Parameters

    • orgName string path required
      The organization name
    • policypack string query optional
      The policy pack name

    Responses

    200 OK
    • policyPacks array[AppPolicyPackWithVersions] required
      List of policy packs
        • name string required
          The name
        • displayName string required
          The display name
        • versions array[integer] required
          List of versions
        • versionTags array[string] required
          List of version tags
    Errors: 400 invalid query parameter

    Create Policy Pack

    POST /api/orgs/{orgName}/policypacks

    Creates a new Policy Pack for an organization. A Policy Pack is a versioned collection of related policies that validate infrastructure configuration during deployments. Policies can enforce rules such as requiring encryption on storage buckets or prohibiting public access to databases. The pack must contain at least one policy. Once created, the pack can be applied to Policy Groups to enforce rules on specific stacks with configurable enforcement levels (advisory, mandatory, or disabled).

    Request Parameters

    • orgName string path required
      The organization name

    Request Body

    • name string required
      Name is a unique URL-safe identifier (at the org level) for the package. If the name has already been used by the organization, then the request will create a new version of the Policy Pack (incremented by one). This is supplied by the CLI.
    • displayName string required
      A pretty name for the Policy Pack that is supplied by the package.
    • versionTag string optional
      VersionTag is the semantic version of the Policy Pack. Once a version is published, it can never be republished. Older clients will not have a version tag.
    • policies array[AppPolicy] required
      The Policies outline the specific Policies in the package, and are derived from the package by the CLI.
        • name string required
          Unique URL-safe name for the policy. This is unique to a specific version of a Policy Pack.
        • displayName string required
          The display name
        • description string required
          Description is used to provide more context about the purpose of the policy.
        • enforcementLevel enum required
          The enforcement level
          Values: advisory, mandatory, remediate, disabled
        • message string required
          Message is the message that will be displayed to end users when they violate this policy.
        • configSchema AppPolicyConfigSchema optional
          The JSON schema for the Policy’s configuration.
        • severity enum optional
          The severity of the policy.
          Values: (empty string), low, medium, high, critical
        • framework AppPolicyComplianceFramework optional
          The compliance framework that this policy belongs to.
        • tags array[string] optional
          Tags associated with the policy.
        • remediationSteps string optional
          A description of the steps to take to remediate a policy violation.
        • url string optional
          A URL to more information about the policy.
    • description string optional
      A brief description of the policy pack.
    • readme string optional
      README text about the policy pack.
    • provider string optional
      The cloud provider/platform this policy pack is associated with, e.g. AWS, Azure, etc.
    • tags array[string] optional
      Tags for this policy pack.
    • repository string optional
      A URL to the repository where the policy pack is defined.
    • metadata map[string]string optional
      Metadata contains optional data about the environment performing the publish operation, e.g. the current source code control commit information.

    Responses

    201 Created
    • version integer required
      The version number
    • uploadURI string required
      The upload URI
    • requiredHeaders map[string]string optional
      RequiredHeaders represents headers that the CLI must set in order for the upload to succeed.
    Errors: 400 Policy Pack must have at least one policy.
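
    A pre-flight check for the Create Policy Pack request body, written as an added example (it is not part of the Pulumi documentation or CLI). It applies the rules stated above: required fields, at least one policy, enum values, and policy names unique within the pack. The URL-safe character set and the sample bodies are assumptions constructed for illustration.

```python
import re

# Enum values copied from the request-body reference above.
ENFORCEMENT_LEVELS = {"advisory", "mandatory", "remediate", "disabled"}
SEVERITIES = {"", "low", "medium", "high", "critical"}
# Assumption: "URL-safe" is read as the RFC 3986 unreserved characters;
# the reference does not spell out the exact character set.
URL_SAFE = re.compile(r"^[A-Za-z0-9._~-]+$")

PACK_REQUIRED = ("name", "displayName", "policies")
POLICY_REQUIRED = ("name", "displayName", "description",
                   "enforcementLevel", "message")


def validate_create_request(body):
    """Return a list of problems found in a Create Policy Pack body."""
    errors = []
    for field in PACK_REQUIRED:
        if field not in body:
            errors.append(f"missing required field: {field}")
    name = body.get("name")
    if isinstance(name, str) and not URL_SAFE.match(name):
        errors.append(f"pack name is not URL-safe: {name!r}")

    policies = body.get("policies")
    if isinstance(policies, list) and not policies:
        # Mirrors the documented 400 response.
        errors.append("policies: Policy Pack must have at least one policy")

    seen = set()
    for i, policy in enumerate(policies if isinstance(policies, list) else []):
        where = f"policies[{i}]"
        for field in POLICY_REQUIRED:
            if field not in policy:
                errors.append(f"{where}: missing required field: {field}")
        pname = policy.get("name")
        if isinstance(pname, str):
            if not URL_SAFE.match(pname):
                errors.append(f"{where}: name is not URL-safe: {pname!r}")
            if pname in seen:
                errors.append(f"{where}: duplicate policy name: {pname!r}")
            seen.add(pname)
        level = policy.get("enforcementLevel")
        if level is not None and (
                not isinstance(level, str) or level not in ENFORCEMENT_LEVELS):
            errors.append(f"{where}: invalid enforcementLevel: {level!r}")
        severity = policy.get("severity")
        if severity is not None and (
                not isinstance(severity, str) or severity not in SEVERITIES):
            errors.append(f"{where}: invalid severity: {severity!r}")
    return errors


# Constructed sample bodies (not real packs).
GOOD_BODY = {
    "name": "org-guardrails",
    "displayName": "Org Guardrails",
    "versionTag": "1.2.0",
    "policies": [{
        "name": "require-bucket-encryption",
        "displayName": "Require bucket encryption",
        "description": "Storage buckets must be encrypted.",
        "enforcementLevel": "mandatory",
        "message": "Enable encryption on this bucket.",
        "severity": "high",
    }],
}
BAD_BODY = {
    "name": "prod guardrails",          # space is not URL-safe
    "policies": [
        {"name": "no-public-db", "displayName": "No public DB",
         "description": "Databases must not be public.",
         "enforcementLevel": "blocking", "message": "Remove public access.",
         "severity": "urgent"},
        {"name": "no-public-db", "displayName": "Duplicate",
         "description": "Same name as the first policy.",
         "enforcementLevel": "mandatory"},
    ],
}

if __name__ == "__main__":
    for problem in validate_create_request(BAD_BODY):
        print(problem)
```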

    Delete Policy Pack

    DELETE /api/orgs/{orgName}/policypacks/{policyPackName}

    DeletePolicyPack deletes all versions of a Policy Pack, the associated packs stored in S3, and any applied versions of the Policy Packs.

    Request Parameters

    • orgName string path required
      The organization name
    • policyPackName string path required
      The policy pack name

    Responses

    200 OK
    Errors: 400 Cannot delete an enabled Policy Pack; 404 Policy Pack

    Get Policy Pack

    GET /api/orgs/{orgName}/policypacks/{policyPackName}/versions/{version}

    Returns the metadata and list of individual policies for a specific version of a Policy Pack. Each policy includes its name, description, enforcement level (advisory, mandatory, or disabled), and configuration schema. Returns 400 if the Policy Pack version is not yet complete (still being uploaded), or 404 if the organization or pack is not found.

    Request Parameters

    • orgName string path required
      The organization name
    • policyPackName string path required
      The policy pack name
    • version string path required
      The version number

    Responses

    200 OK
    • name string required
      The unique name of the policy pack.
    • displayName string required
      Human-readable display name of the policy pack.
    • version integer required
      Numeric version of the policy pack, auto-incremented on each publish.
    • versionTag string required
      Semantic version tag for this policy pack version (e.g. ‘1.2.0’).
    • policies array[AppPolicy] required
      The individual policies contained in this policy pack.
        • name string required
          Unique URL-safe name for the policy. This is unique to a specific version of a Policy Pack.
        • displayName string required
          The display name
        • description string required
          Description is used to provide more context about the purpose of the policy.
        • enforcementLevel enum required
          The enforcement level
          Values: advisory, mandatory, remediate, disabled
        • message string required
          Message is the message that will be displayed to end users when they violate this policy.
        • configSchema AppPolicyConfigSchema optional
          The JSON schema for the Policy’s configuration.
        • severity enum optional
          The severity of the policy.
          Values: (empty string), low, medium, high, critical
        • framework AppPolicyComplianceFramework optional
          The compliance framework that this policy belongs to.
        • tags array[string] optional
          Tags associated with the policy.
        • remediationSteps string optional
          A description of the steps to take to remediate a policy violation.
        • url string optional
          A URL to more information about the policy.
    • applied boolean required
      Whether this policy pack version is currently applied to any policy group.
    Errors: 400 Cannot get incomplete Policy Pack; 404 Organization or Policy Pack not found
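
    Because publishing under an existing name creates a new version, a reviewer can compare two Get Policy Pack responses to see whether the newer version removes policies or lowers their enforcement. The following is an added example, not code from the Pulumi documentation or CLI; the ranking of enforcement levels, the function name, and the sample responses are assumptions constructed for illustration.

```python
# Assumption: ordering chosen for this example. The reference lists the
# enforcement levels and severities but does not rank them.
LEVEL_RANK = {"disabled": 0, "advisory": 1, "mandatory": 2, "remediate": 2}
SEVERITY_RANK = {"": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def diff_versions(old, new):
    """Compare two Get Policy Pack responses for the same pack.

    Returns a sorted list of (policy_name, finding) tuples describing
    changes that reduce enforcement between `old` and `new`.
    """
    if old["name"] != new["name"]:
        raise ValueError("responses describe different policy packs")
    if new["version"] <= old["version"]:
        raise ValueError("`new` must be a later version than `old`")

    old_policies = {p["name"]: p for p in old["policies"]}
    new_policies = {p["name"]: p for p in new["policies"]}
    findings = []
    for name, before in old_policies.items():
        after = new_policies.get(name)
        if after is None:
            findings.append((name, "policy removed"))
            continue
        b_level, a_level = before["enforcementLevel"], after["enforcementLevel"]
        if LEVEL_RANK[a_level] < LEVEL_RANK[b_level]:
            findings.append(
                (name, f"enforcementLevel weakened: {b_level} -> {a_level}"))
        # severity is optional; treat a missing value as the empty string.
        b_sev, a_sev = before.get("severity", ""), after.get("severity", "")
        if SEVERITY_RANK[a_sev] < SEVERITY_RANK[b_sev]:
            findings.append((name, f"severity lowered: {b_sev} -> {a_sev}"))
    return sorted(findings)


# Constructed sample responses; only the fields the diff reads are filled in.
OLD_VERSION = {
    "name": "org-guardrails", "displayName": "Org Guardrails",
    "version": 3, "versionTag": "1.2.0", "applied": True,
    "policies": [
        {"name": "s3-no-public-read", "enforcementLevel": "mandatory",
         "severity": "high"},
        {"name": "require-bucket-encryption", "enforcementLevel": "mandatory",
         "severity": "critical"},
        {"name": "rds-no-public-access", "enforcementLevel": "advisory",
         "severity": "medium"},
    ],
}
NEW_VERSION = {
    "name": "org-guardrails", "displayName": "Org Guardrails",
    "version": 4, "versionTag": "1.3.0", "applied": False,
    "policies": [
        # Downgraded from mandatory/high.
        {"name": "s3-no-public-read", "enforcementLevel": "advisory",
         "severity": "low"},
        # mandatory -> remediate is not treated as a weakening here.
        {"name": "require-bucket-encryption", "enforcementLevel": "remediate",
         "severity": "critical"},
        # Newly added policy; additions are not findings.
        {"name": "ebs-volume-encrypted", "enforcementLevel": "mandatory",
         "severity": "high"},
        # rds-no-public-access is absent from this version.
    ],
}

if __name__ == "__main__":
    for policy, finding in diff_versions(OLD_VERSION, NEW_VERSION):
        print(f"{policy}: {finding}")
```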

    Delete Policy Pack Version

    DELETE /api/orgs/{orgName}/policypacks/{policyPackName}/versions/{version}

    DeletePolicyPackVersion deletes a specific version of a Policy Pack and deletes the associated pack stored in S3. A Policy Pack must be unapplied to be deleted.

    Request Parameters

    • orgName string path required
      The organization name
    • policyPackName string path required
      The policy pack name
    • version string path required
      The version number

    Responses

    200 OK
    Errors: 400 Cannot delete external policy packs; 404 Organization or Policy Pack not found; 409 Cannot delete a Policy Pack that is applied to Policy Groups

    Complete Policy Pack

    POST /api/orgs/{orgName}/policypacks/{policyPackName}/versions/{version}/complete

    Transitions the publish status of a specific Policy Pack version to ‘complete’, making it available for enforcement. Policy Packs go through a multi-step publish process: first the pack content is uploaded, then this endpoint is called to finalize publication. Returns 400 if the pack is already complete.

    Request Parameters

    • orgName string path required
      The organization name
    • policyPackName string path required
      The policy pack name
    • version string path required
      The version number

    Responses

    204 No Content
    Errors: 400 Policy Pack is already complete; 404 Organization or Policy Pack not found

    Get Policy Pack Config Schema

    GET /api/orgs/{orgName}/policypacks/{policyPackName}/versions/{version}/schema

    Returns the JSON configuration schema for a specific version of a Policy Pack. The schema defines the configurable parameters for each policy in the pack, including allowed values, defaults, and validation rules. Policy Groups use this schema to configure policy behavior when assigning packs to stacks.

    Request Parameters

    • orgName string path required
      The organization name
    • policyPackName string path required
      The policy pack name
    • version string path required
      The version number

    Responses

    200 OK
    Errors: 400 Policy as code feature not enabled; 404 Organization or Policy Pack not found

    Get Org Registry Policy Pack

    GET /api/orgs/{orgName}/registry/policypacks/{policyPackName}

    Retrieves lightweight registry metadata for a policy pack (source/publisher/name) without loading detailed policy definitions.

    Request Parameters

    • orgName string path required
      The organization name
    • policyPackName string path required
      The policy pack name
    • tag string query optional
      Version tag to retrieve (e.g., ‘latest’)

    Responses

    200 OK
    • policyPack RegistryPolicyPack required
      PolicyPack contains the metadata for this specific version.
        • id string required
          ID is the unique identifier for this policy pack in the registry. This is a UUID that corresponds to the policy pack’s database ID.
        • source string required
          Source indicates where this policy pack is hosted (e.g., “private”, “pulumi”). Currently, only “private” policy packs are supported.
        • publisher string required
          Publisher is the organization or user that published this policy pack. This corresponds to the Pulumi organization name.
        • name string required
          Name is the unique identifier for this policy pack within the publisher’s namespace. Policy pack names must be URL-safe and unique per publisher.
        • version string required
          Version is the semantic version of this policy pack. This represents the latest or specific version being referenced.
        • displayName string required
          DisplayName is a human-readable name for this policy pack. This is typically more descriptive than the technical name.
        • accessLevel enum required
          AccessLevel is the client’s level of access to this policy pack.
          Values: full, view-only, deny
        • enforcementLevels array[string] required
          EnforcementLevels are the client’s allowed enforcement levels for this policy pack.
    • policies array[AppPolicy] optional
      Policies contains the individual policy definitions in this version. Each policy includes its configuration schema and enforcement rules. This field is optional and may be omitted for lightweight responses that only provide registry metadata.
        • name string required
          Unique URL-safe name for the policy. This is unique to a specific version of a Policy Pack.
        • displayName string required
          The display name
        • description string required
          Description is used to provide more context about the purpose of the policy.
        • enforcementLevel enum required
          The enforcement level
          Values: advisory, mandatory, remediate, disabled
        • message string required
          Message is the message that will be displayed to end users when they violate this policy.
        • configSchema AppPolicyConfigSchema optional
          The JSON schema for the Policy’s configuration.
        • severity enum optional
          The severity of the policy.
          Values: (empty string), low, medium, high, critical
        • framework AppPolicyComplianceFramework optional
          The compliance framework that this policy belongs to.
        • tags array[string] optional
          Tags associated with the policy.
        • remediationSteps string optional
          A description of the steps to take to remediate a policy violation.
        • url string optional
          A URL to more information about the policy.
    Errors: 404 Organization or Policy pack not found

    List Policy Packs

    Deprecated. Use ListPolicyPacks_preview_registry_post instead.
    Preview. This endpoint is in preview and may change without notice.
    GET /api/preview/registry/policypacks

    Lists all policy packs accessible to the calling user for a given organization. The orgLogin query parameter is required and restricts results to policy packs owned by that organization. Results can optionally be filtered by access level. No authentication is required. Returns 400 if the policy pack access filter value is invalid. This is the deprecated GET variant; prefer the POST ListPolicyPacks endpoint instead.

    Request Parameters

    • access string query optional
      Filter by access level
    • orgLogin string query optional
      Required. Filter by owning organization

    Responses

    200 OK
    • continuationToken string optional
      ContinuationToken can be used to fetch the next page of results. If nil, there are no more results available.
    • policyPacks array[RegistryPolicyPack] required
      PolicyPacks contains the policy pack metadata for the current page.
        • id string required
          ID is the unique identifier for this policy pack in the registry. This is a UUID that corresponds to the policy pack’s database ID.
        • source string required
          Source indicates where this policy pack is hosted (e.g., “private”, “pulumi”). Currently, only “private” policy packs are supported.
        • publisher string required
          Publisher is the organization or user that published this policy pack. This corresponds to the Pulumi organization name.
        • name string required
          Name is the unique identifier for this policy pack within the publisher’s namespace. Policy pack names must be URL-safe and unique per publisher.
        • version string required
          Version is the semantic version of this policy pack. This represents the latest or specific version being referenced.
        • displayName string required
          DisplayName is a human-readable name for this policy pack. This is typically more descriptive than the technical name.
        • accessLevel enum required
          AccessLevel is the client’s level of access to this policy pack.
          Values: full, view-only, deny
        • enforcementLevels array[string] required
          EnforcementLevels are the client’s allowed enforcement levels for this policy pack.
    Errors: 400 Policy pack access is not valid

    List Policy Packs

    Preview. This endpoint is in preview and may change without notice.
    POST /api/preview/registry/policypacks

    Lists all policy packs accessible to the calling user, with support for filtering by access level, organization, and specific policy pack IDs. The request body accepts an optional orgLogin to scope results to a specific organization, an optional access level filter (defaults to ‘enabled’), and an optional list of policy pack IDs to restrict the results to specific packs. No authentication is required. Returns 400 if the access filter value is invalid.

    Request Body

    • access enum optional
      The access of the policy packs to list. Default is enabled.
      Values: added, available, enabled, private
    • ids array[string] optional
      A list of policy pack IDs to list. If specified, only the policy packs with the specified IDs will be listed. If not specified, all policy packs will be listed.
    • orgLogin string optional
      The canonical name of the organization to list policy packs for.

    Responses

    200 OK
    • continuationToken string optional
      ContinuationToken can be used to fetch the next page of results. If nil, there are no more results available.
    • policyPacks array[RegistryPolicyPack] required
      PolicyPacks contains the policy pack metadata for the current page.
        • id string required
          ID is the unique identifier for this policy pack in the registry. This is a UUID that corresponds to the policy pack’s database ID.
        • source string required
          Source indicates where this policy pack is hosted (e.g., “private”, “pulumi”). Currently, only “private” policy packs are supported.
        • publisher string required
          Publisher is the organization or user that published this policy pack. This corresponds to the Pulumi organization name.
        • name string required
          Name is the unique identifier for this policy pack within the publisher’s namespace. Policy pack names must be URL-safe and unique per publisher.
        • version string required
          Version is the semantic version of this policy pack. This represents the latest or specific version being referenced.
        • displayName string required
          DisplayName is a human-readable name for this policy pack. This is typically more descriptive than the technical name.
        • accessLevel enum required
          AccessLevel is the client’s level of access to this policy pack.
          Values: full, view-only, deny
        • enforcementLevels array[string] required
          EnforcementLevels are the client’s allowed enforcement levels for this policy pack.
    Errors: 400 Policy pack access is not valid

    Delete Policy Pack

    Preview. This endpoint is in preview and may change without notice.
    DELETE /api/preview/registry/policypacks/{source}/{publisher}/{name}

    Deletes a policy pack and all of its versions from the registry. The policy pack is identified by its source (currently only ‘private’), publisher organization, and name. This is a destructive operation that permanently removes the policy pack and all associated version data. Requires the RegistryPublish permission on the publisher organization. Returns 404 if the policy pack does not exist.

    Request Parameters

    • source string path required
      The policy pack source: ‘private’
    • publisher string path required
      Organization that owns the policy pack
    • name string path required
      The policy pack name

    Responses

    Errors: 404 Policy pack not found

    List Policy Pack Versions

    Preview. This endpoint is in preview and may change without notice.
    GET /api/preview/registry/policypacks/{source}/{publisher}/{name}/versions

    Lists all versions of a specific policy pack. The policy pack is identified by its source (currently only ‘private’), publisher organization, and name. The response includes a list of policy pack version metadata and an optional continuationToken for pagination. Returns 404 if the policy pack does not exist.

    Request Parameters

    • source string path required
      The policy pack source: ‘private’
    • publisher string path required
      Organization that owns the policy pack
    • name string path required
      The policy pack name

    Responses

    200 OK
    • continuationToken string optional
      ContinuationToken can be used to fetch the next page of results. If nil, there are no more results available.
    • policyPacks array[RegistryPolicyPack] required
      PolicyPacks contains the policy pack metadata for the current page.
        • id string required
          ID is the unique identifier for this policy pack in the registry. This is a UUID that corresponds to the policy pack’s database ID.
        • source string required
          Source indicates where this policy pack is hosted (e.g., “private”, “pulumi”). Currently, only “private” policy packs are supported.
        • publisher string required
          Publisher is the organization or user that published this policy pack. This corresponds to the Pulumi organization name.
        • name string required
          Name is the unique identifier for this policy pack within the publisher’s namespace. Policy pack names must be URL-safe and unique per publisher.
        • version string required
          Version is the semantic version of this policy pack. This represents the latest or specific version being referenced.
        • displayName string required
          DisplayName is a human-readable name for this policy pack. This is typically more descriptive than the technical name.
        • accessLevel enum required
          AccessLevel is the client’s level of access to this policy pack.
          Values: full, view-only, deny
        • enforcementLevels array[string] required
          EnforcementLevels are the client’s allowed enforcement levels for this policy pack.
    Errors: 404 error getting Registry Policy Pack

    Post Publish Policy Pack Version

    Preview. This endpoint is in preview and may change without notice.
    POST /api/preview/registry/policypacks/{source}/{publisher}/{name}/versions

    Initiates the first step of a two-phase policy pack version publish workflow. The policy pack is identified by its source (currently only ‘private’), publisher organization, and name. This creates a publish transaction that must be completed by calling PostPublishPolicyPackVersionComplete. Requires the RegistryPublish permission on the publisher organization. Returns 404 if the policy pack is not found.

    Request Parameters

    • source string path required
      The policy pack source: ‘private’
    • publisher string path required
      Organization that owns the policy pack
    • name string path required
      The policy pack name

    Responses

    Errors: 404 Policy pack not found

    Get Policy Pack Version

    Preview. This endpoint is in preview and may change without notice.
    GET /api/preview/registry/policypacks/{source}/{publisher}/{name}/versions/{version}

    Retrieves detailed information about a specific version of a policy pack, including the individual policy definitions. The policy pack is identified by its source (currently only ‘private’), publisher organization, and name. The version parameter accepts either a specific semantic version string or the special value ‘latest’ to retrieve the most recently published version. The response includes the policy pack metadata and an optional list of policies, where each policy includes its configuration schema and enforcement rules. Returns 404 if the specified policy pack does not exist.

    Request Parameters

    • source string path required
      The policy pack source: ‘private’
    • publisher string path required
      Organization that owns the policy pack
    • name string path required
      The policy pack name
    • version string path required
      Semantic version string or ‘latest’

    Responses

    200 OK
    • policyPack RegistryPolicyPack required
      PolicyPack contains the metadata for this specific version.
        • id string required
          ID is the unique identifier for this policy pack in the registry. This is a UUID that corresponds to the policy pack’s database ID.
        • source string required
          Source indicates where this policy pack is hosted (e.g., “private”, “pulumi”). Currently, only “private” policy packs are supported.
        • publisher string required
          Publisher is the organization or user that published this policy pack. This corresponds to the Pulumi organization name.
        • name string required
          Name is the unique identifier for this policy pack within the publisher’s namespace. Policy pack names must be URL-safe and unique per publisher.
        • version string required
          Version is the semantic version of this policy pack. This represents the latest or specific version being referenced.
        • displayName string required
          DisplayName is a human-readable name for this policy pack. This is typically more descriptive than the technical name.
        • accessLevel enum required
          AccessLevel is the client’s level of access to this policy pack.
          Values: full, view-only, deny
        • enforcementLevels array[string] required
          EnforcementLevels are the client’s allowed enforcement levels for this policy pack.
    • policies array[AppPolicy] optional
      Policies contains the individual policy definitions in this version. Each policy includes its configuration schema and enforcement rules. This field is optional and may be omitted for lightweight responses that only provide registry metadata.
        • name string required
          Unique URL-safe name for the policy. This is unique to a specific version of a Policy Pack.
        • displayName string required
          The display name
        • description string required
          Description is used to provide more context about the purpose of the policy.
        • enforcementLevel enum required
          The enforcement level
          Values: advisory, mandatory, remediate, disabled
        • message string required
          Message is the message that will be displayed to end users when they violate this policy.
        • configSchema AppPolicyConfigSchema optional
          The JSON schema for the Policy’s configuration.
        • severity enum optional
          The severity of the policy.
          Values: (empty string), low, medium, high, critical
        • framework AppPolicyComplianceFramework optional
          The compliance framework that this policy belongs to.
        • tags array[string] optional
          Tags associated with the policy.
        • remediationSteps string optional
          A description of the steps to take to remediate a policy violation.
        • url string optional
          A URL to more information about the policy.
    Errors: 404 Policy Pack

    Delete Policy Pack

    Preview. This endpoint is in preview and may change without notice.
    DELETE /api/preview/registry/policypacks/{source}/{publisher}/{name}/versions/{version}

    Deletes a specific version of a policy pack from the registry. The policy pack version is identified by its source (currently only ‘private’), publisher organization, name, and semantic version string. Requires the RegistryPublish permission on the publisher organization. Returns 404 if the specified policy pack version does not exist.

    Request Parameters

    • source string path required
      The policy pack source: ‘private’
    • publisher string path required
      Organization that owns the policy pack
    • name string path required
      The policy pack name
    • version string path required
      Semantic version string of the policy pack version to delete

    Responses

    Errors: 404 Policy pack not found

    Post Publish Policy Pack Version Complete

    Preview. This endpoint is in preview and may change without notice.
    POST /api/preview/registry/policypacks/{source}/{publisher}/{name}/versions/{version}/complete

    Finalizes the second step of the two-phase policy pack version publish workflow. After initiating a publish with PostPublishPolicyPackVersion, call this endpoint with the policy pack source, publisher, name, and version to complete the publish and make the version available in the registry. Requires the RegistryPublish permission on the publisher organization. Returns 404 if the publish operation is not found.

    Request Parameters

    • source string path required
      The policy pack source: ‘private’
    • publisher string path required
      Organization that owns the policy pack
    • name string path required
      The policy pack name
    • version string path required
      Semantic version string of the policy pack version to complete

    Responses

    Errors: 404 Publish operation not found