Skip to main content

Policies

Policies define when a version is allowed to deploy. They are the rules that govern how releases progress through your environments — controlling deployment timing through approvals, verification gates, progression requirements, deployment windows, and more.
In Ctrlplane’s mental model: Deployments = what & how, Environments = where, Policies = when.

Building Confidence Through Policies

While deployments define what and how and environments define where, policies answer the critical question of when: is this version ready to deploy? Has it passed through the right gates? Policies help you deploy with confidence by ensuring that each stage meets your quality standards before progressing to the next.
With policies, you can:
  • Start simple, grow complex - Begin with basic health checks in QA, add integration tests in staging, require approvals and verification in production
  • Catch issues early - Run smoke tests in QA to catch problems before they reach production
  • Automate quality gates - Let verification results automatically determine if a release can proceed
  • Reduce deployment anxiety - Know that every production deployment has passed through proven checks
  • Customize per environment - Apply stricter rules where they matter most

Policy Structure

A policy consists of:
  1. Name & Description - Identify and document the policy’s purpose
  2. Selector - A CEL expression defining which release targets the policy applies to
  3. Rules - One or more rules specifying behavior or requirements
  4. Priority - Higher priority policies are evaluated first
  5. Metadata - Arbitrary key-value pairs for organization

Policy Selectors

The selector field is a CEL expression that determines which release targets a policy applies to. Policies only affect releases that match the selector.

Environment Selector

Target releases going to specific environments:

Resource Selector

Target releases for specific resources:

Deployment Selector

Target releases for specific deployments:

Combined Selectors

Combine conditions with && (AND) and || (OR):

Policy Rules

Rules define what the policy enforces. A single policy can contain multiple rules across different types. Each rule in the rules array contains exactly one rule type.

Approval Rule

Require manual approval before deployment: See Approval for details.

Environment Progression Rule

Require successful deployment to a prerequisite environment: See Environment Progression for details.

Gradual Rollout Rule

Control the pace of deployments across multiple targets: See Gradual Rollouts for details.

Deployment Dependency Rule

Require upstream deployments to succeed first: See Deployment Dependency for details.

Deployment Window Rule

Control when deployments are allowed using time-based schedules: See Deployment Window for details.

Version Cooldown Rule

Batch frequent releases by enforcing a minimum time between deployments: See Version Cooldown for details.

Retry Rule

Configure automatic retry behavior for failed jobs: See Retry for details.

Version Selector Rule

Filter which versions can deploy to specific targets: See Version Selector for details.

Verification Rule

Run automated checks after deployment: See Verification for detailed configuration options.

Plan Validation Rule

Run OPA/Rego policies against a deployment plan to preview proposed changes. This rule is non-blocking — it reports violations but does not gate deployments. See Plan Validation for details.

Terraform Provider Reference

The Terraform provider supports the following policy blocks:
retry and version_selector are not yet available in the Terraform provider. Use the REST API for these rule types.

REST API Reference

Create a policy:
Get/Update/Delete a policy:
List policies:
Each rule in the rules array is an object with exactly one rule-type key (e.g., anyApproval, gradualRollout, deploymentWindow).

Policy Evaluation

When a release is created, Ctrlplane:
  1. Finds matching policies - Evaluates the selector CEL expression against each release target
  2. Merges rules - Combines rules from all matching policies
  3. Applies rules - Enforces each rule type

Rule Interactions

  • Approval + Gradual Rollout: The rollout start time is determined by when the approval was satisfied
  • Environment Progression + Gradual Rollout: The rollout waits until progression criteria are met
  • Deployment Window + Gradual Rollout: Allow windows push the rollout start to the window opening; deny windows pause the rollout
  • Version Cooldown + Deployment Window: Both must be satisfied — cooldown determines which version, window determines when

Common Patterns

Environment Progression

Different requirements per environment:

Critical Service Protection

Extra protection for critical services:

Best Practices

Policy Organization

  • ✅ Use descriptive policy names
  • ✅ Document policy purpose in description
  • ✅ Start with permissive policies and tighten over time
  • ✅ Test policies in lower environments first
  • ✅ Use priority to control evaluation order for overlapping policies

Selector Design

  • ✅ Be specific with selectors to avoid unexpected matches
  • ✅ Use environment selectors for environment-specific rules
  • ✅ Use metadata for cross-cutting concerns (team, tier, etc.)
  • ✅ Test selector expressions before applying

Rule Configuration

  • ✅ Set reasonable timeouts and failure limits
  • ✅ Use verification to catch issues before they impact users
  • ✅ Require approvals for high-risk deployments
  • ✅ Use gradual rollouts for large-scale deployments
  • ✅ Combine complementary rules (e.g., approval + gradual rollout)

Next Steps