Manages a Kosli policy. Policies define artifact compliance requirements (provenance, trail-compliance, attestations) that can be attached to environments.
Policies are versioned and immutable: updating content or description creates a new version rather than modifying the existing one.
Deleting this resource removes it from Terraform state only. Kosli has no API endpoint to delete policies, so the policy will remain in Kosli after terraform destroy. To attach policies to environments, use the kosli_policy_attachment resource.
Example usage
terraform {
  required_providers {
    kosli = {
      source = "kosli-dev/kosli"
    }
  }
}

# Minimal policy requiring provenance for all artifacts
resource "kosli_policy" "minimal" {
  name    = "basic-requirements"
  content = <<-YAML
    _schema: https://kosli.com/schemas/policy/environment/v1
    artifacts:
      provenance:
        required: true
  YAML
}

# Production policy with full compliance requirements
resource "kosli_policy" "production" {
  name        = "prod-requirements"
  description = "Compliance requirements for production environments"
  content     = <<-YAML
    _schema: https://kosli.com/schemas/policy/environment/v1
    artifacts:
      provenance:
        required: true
      trail-compliance:
        required: true
      attestations:
        - name: unit-test
          type: junit
        - name: dependency-scan
          type: "*"
  YAML
}
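An added example, not taken from the provider's own documentation: because destroy only removes the policy from state and a name change forces recreation, a rename leaves the old policy behind in Kosli. Terraform's prevent_destroy lifecycle setting makes such a plan fail instead, and the outputs surface the read-only attributes. The resource, policy and output names are illustrative, and provider credentials are assumed to be configured elsewhere.

```hcl
terraform {
  required_providers {
    kosli = {
      source = "kosli-dev/kosli"
    }
  }
}

# Illustrative resource: names below are assumptions, not from the page.
resource "kosli_policy" "guarded" {
  # Changing name forces recreation of the resource.
  name        = "prod-requirements-guarded"
  description = "Production policy protected from accidental replacement"
  content     = <<-YAML
    _schema: https://kosli.com/schemas/policy/environment/v1
    artifacts:
      provenance:
        required: true
      trail-compliance:
        required: true
  YAML

  lifecycle {
    # Destroy only drops the policy from Terraform state; it stays in Kosli.
    # With prevent_destroy, any plan that would destroy or replace this
    # resource (for example after a rename) fails with an error instead.
    prevent_destroy = true
  }
}

# Content or description edits create a new version rather than modifying
# the existing one; exposing the version makes that visible in plan output.
output "guarded_policy_latest_version" {
  value = kosli_policy.guarded.latest_version
}

# Unix timestamp of when the policy was first created.
output "guarded_policy_created_at" {
  value = kosli_policy.guarded.created_at
}
```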
Import
Policies can be imported using their name:
# Import a policy by name. The content attribute is populated from the API response.
terraform import kosli_policy.example prod-requirements
Schema
Required
content (String) YAML content of the policy, conforming to the Kosli policy schema (_schema: https://kosli.com/schemas/policy/environment/v1). Supports heredoc syntax for multi-line YAML. Updating this value creates a new policy version.
name (String) Name of the policy. Must be unique within the organization. Changing this will force recreation of the resource.
Optional
description (String) Description of the policy.
Read-only
created_at (Number) Unix timestamp of when the policy was first created.
latest_version (Number) The version number of the latest policy version. Null if the policy has no versions.
Last modified on March 26, 2026