Skip to content

Pulumi Policy Pack

DodaTech 3 min read

In this tutorial, you'll learn about Pulumi Policy Pack Rules Not Enforced. We cover key concepts, practical examples, and best practices.

A Pulumi Policy Pack rules are never evaluated during pre-deployment checks.

Wrong ❌

// Wrong: policy rule that never validates the expected condition
import { PolicyPack } from "@pulumi/policy";

new PolicyPack("aws-policies", {
  policies: [{
    name: "encryption-check",
    description: "Check that S3 buckets have encryption enabled",
    enforcementLevel: "mandatory",
    validateResource: (args, reportViolation) => {
      // Only checks bucket but bucket ARN is different from bucket resource type
      if (args.type === "aws:s3/bucket:Bucket") {
        // This never matches because the actual type uses lowercase
      }
    },
  }],
});

Wrong Output

Previewing update:
  + aws:s3:Bucket "my-bucket"
    (no policy violations)
# But the bucket has no encryption configured!
import { PolicyPack } from "@pulumi/policy";

new PolicyPack("aws-policies", {
  policies: [{
    name: "encryption-check",
    description: "Ensure all S3 buckets have server-side encryption enabled",
    enforcementLevel: "mandatory",
    validateResource: (args, reportViolation) => {
      if (args.type === "aws:s3/bucket:Bucket" || args.type === "aws:s3:Bucket") {
        const props = args.props;
        if (!props.serverSideEncryptionConfiguration) {
          reportViolation(
            "S3 bucket must have server-side encryption configured.]
          );
        } else if (!props.serverSideEncryptionConfiguration.rule?.applyServerSideEncryptionByDefault?.sseAlgorithm) {
          reportViolation(
            "S3 bucket encryption rule must specify an SSE algorithm."
          );
        }
      }
    },
  }],
});

Right Output

Previewing update:
  + aws:s3:Bucket "my-bucket"
    Policy violation: aws-policies/encryption-check (mandatory)
      S3 bucket must have server-side encryption configured.

Prevention

  • Always verify the exact resource type string by checking the provider schema.
  • Test policy packs locally with pulumi policy validate before applying in CI/CD.
  • Use mandatory enforcement level for security-critical policies; advisory for recommendations.
  • Include clear violation messages that tell the user exactly what to fix.
  • Run policy packs in CI/CD pipelines using pulumi policy publish and pulumi policy apply.

DodaTech applies similar defensive patterns across Doda Browser, DodaZIP, and Durga Antivirus Pro infrastructure for production reliability.

Common Mistakes with policy pack

  1. Using head and tail instead of pattern matching, causing runtime errors on empty lists
  2. Forgetting that lazy evaluation defers computation until the value is forced, causing space leaks with unevaluated thunks
  3. Using return to exit a function early instead of wrapping a pure value in the monad

These mistakes appear frequently in real-world PULUMI code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

**Q: What is the most common cause of this pulumi error?**

A: Configuration drift between environments and version mismatches between the client and server are the top causes. Always verify both before deeper troubleshooting.

Q: Can this error affect production traffic?

A: Yes. Depending on whether the error occurs in the control plane or data plane, it can block all traffic or cause silent failures. Always test configuration changes in a staging environment first.

Q: How do I monitor for this error in production?

A: Set up log-based alerts for the error signature shown in the Wrong Output section. Prometheus, Grafana, and Datadog all support pattern matching on log entries.

Q: Is there a quick rollback procedure?

A: If you have the previous configuration version, revert and restart. For data-plane errors, replay affected records from the source of truth. Always version control your configuration.


This quick fix is part of the DodaTech infrastructure engineering series. Learn more at DodaTech tutorials.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro