# Create Policy

Policies help you maintain strict guidelines for a deployment pipeline: a policy lets users validate the application configuration while creating an application in Spinnaker.

Policies are of two types:

1. **Static Policy**: A policy that is enforced at all times.
2. **Runtime Policy**: A policy that can only take effect while running a pipeline.

### Create Policy <a href="#create-policy" id="create-policy"></a>

To create a new policy, follow the steps below:

1. From the ISD [**application dashboard**](https://docs.opsmx.com/user-guide/dashboard/application-dashboard), click **Setup** and then click **Policies** to access the policies page, where you can create, edit and delete the policies.

   ![](https://2047464521-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MBEa1hoX6SqpDj-ymNs%2Fuploads%2FUydWIyJLaHLEFQAtX4lW%2Fimage.png?alt=media\&token=fb3c4eda-7e3e-4b74-a560-aec599abbcb8)

2. On the **Policies** page, click the **New Policy** button to create a policy as shown in the image below.

   ![](https://2047464521-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MBEa1hoX6SqpDj-ymNs%2Fuploads%2Ft909gyvlHnO4UiB4ywnR%2Fimage.png?alt=media\&token=5b58cc09-8a6b-4258-913e-6cbf1465af68)

3. The New Policy creation screen appears. **Select the policy type** from the drop-down as shown below:

   <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p><strong>Static Policies</strong> can be created/edited only by the <strong>Administrators.</strong></p><p><strong>Runtime Policies</strong> can be created/edited by the <strong>Developers.</strong></p></div>

   ![](https://2047464521-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MBEa1hoX6SqpDj-ymNs%2Fuploads%2FklYNVsArXibRzlI30QvE%2Fimage.png?alt=media\&token=5f399835-358c-4a06-be67-45faa4f7a9fc)

   Enter the following details:

   * **Name**: Enter the Name of the policy in the text box.
   * **Policy Type**: Select the Policy type from the drop-down.
   * **Policy Engine**: Select the Policy Engine as OPA from the drop-down.
   * **Policy Engine Account**: Select the Policy Engine Account from the drop-down.
   * **Policy Description**: Enter the Policy Description in the text box.
   * **Policy File**: Select and add any available Policy file.

4. Enter the Policy Details in the text box and click **Save & Finish** to create the policy. Users can restrict the group permission to access this policy by enabling the **Policy permissions** as shown in the image below.

   ![](https://2047464521-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MBEa1hoX6SqpDj-ymNs%2Fuploads%2FNmFNlKNnPq7WA3a6sDLj%2Fimage.png?alt=media\&token=67b5cae6-0305-4a72-9a3e-abcd5c72e0ca)

{% hint style="info" %}
**Note:** The repository linked below contains a collection of sample policies that can be used with OpsMx ISD. Refer to the link to view the sample policies.
{% endhint %}

{% embed url="https://github.com/OpsMx/policy-as-code-examples" %}
Collection of sample policies
{% endembed %}

### Examples from the repository

Here are a couple of examples from the repository:

* **Static Policy to restrict image source while a pipeline is being saved**

  ```
  ######
  # IF
  # application named "sampleapp"
  # deploying to an account "production"
  # THEN
  # The image, if present, MUST start with "docker.opsmx.com/"
  #
  # Other applications/pipelines can be saved without these restrictions
  package opa.spinnaker.pipelines.new

  deny[msg] {
     count(input.new.stages) > 0
     input.new.application == "sampleapp"
     input.new.stages[_].account == "production"

     # Each container image found in any stage manifest is checked in turn
     images := input.new.stages[_].manifests[_].spec.template.spec.containers[_].image
     not startswith(images, "docker.opsmx.com/")
     msg := sprintf("[%v] being deployed needs to be from docker.opsmx.com", [images])
  }
  ```
* **Dynamic policy that verifies the deployment is not happening during a blackout window**

  ```
  # This policy verifies the deployment is not happening during a blackout window.
  # The blackout window can be configured by changing the hour bounds below.

  package opa.pipelines.datetimeslot

  deny["Pipeline has no start time"] {
      startTime := input.startTime
      startTime == 0
  }

  # True Monday to Friday; time.weekday is called without a time zone here, so the day is taken in UTC
  weekday {
      day := time.weekday(time.now_ns())
      day != "Saturday"
      day != "Sunday"
  }

  deny["No deployments allowed between 09am - 04pm on weekdays"] {
      tz = "Africa/Lagos"
      [hour, minute, second] := time.clock([time.now_ns(), tz])

      hour >= 9
      hour < 16
      weekday
  }
  ```
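
The static policy above reads images only from `containers`, so an image pulled by an init container is never checked. The following is an added example, not code from the OpsMx repository: a variant that also covers `initContainers`, with `opa test` unit tests. The `allowed_prefix` constant, the `pipeline_images` rule, the `pipeline` helper and all test inputs are constructed for illustration, and it uses the same pre-1.0 Rego syntax as the samples on this page.

```rego
# Added example, not from the OpsMx repository. Same package and syntax as the sample above.
package opa.spinnaker.pipelines.new

# The trailing slash is what rejects look-alike hosts such as "docker.opsmx.com.example.net".
allowed_prefix := "docker.opsmx.com/"

# Every image in the pipeline's pod templates, init containers included.
pipeline_images[img] {
    pod := input.new.stages[_].manifests[_].spec.template.spec
    kinds := ["containers", "initContainers"]
    kind := kinds[_]
    img := pod[kind][_].image
}

deny[msg] {
    input.new.application == "sampleapp"
    input.new.stages[_].account == "production"
    image := pipeline_images[_]
    not startswith(image, allowed_prefix)
    msg := sprintf("[%v] must come from %v", [image, allowed_prefix])
}

# Constructed test input: one stage with one manifest (hypothetical helper).
pipeline(account, containers, init) = p {
    pod := {"containers": containers, "initContainers": init}
    stage := {"account": account, "manifests": [{"spec": {"template": {"spec": pod}}}]}
    p := {"new": {"application": "sampleapp", "stages": [stage]}}
}

test_trusted_image_allowed {
    inp := pipeline("production", [{"image": "docker.opsmx.com/app:1"}], [])
    count(deny) == 0 with input as inp
}

test_lookalike_registry_denied {
    inp := pipeline("production", [{"image": "docker.opsmx.com.example.net/app:1"}], [])
    count(deny) == 1 with input as inp
}

test_init_container_checked {
    inp := pipeline("production", [{"image": "docker.opsmx.com/app:1"}], [{"image": "docker.io/library/busybox"}])
    count(deny) == 1 with input as inp
}

test_other_account_not_restricted {
    inp := pipeline("staging", [{"image": "docker.io/library/nginx"}], [])
    count(deny) == 0 with input as inp
}
```

Save it on its own as a `.rego` file and run `opa test` against that file before uploading it as a **Policy File**; on OPA 1.0 or later, add `--v0-compatible`.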

**To learn more about policy as code, refer** [**here**](https://www.opsmx.com/blog/getting-started-with-policy-as-code/)**.**
