NTC Spacelift Administration
Description
NTC Spacelift Administration simplifies the setup and management of Spacelift, a powerful CI/CD platform for Infrastructure as Code (IaC) deployments. This building block automates the configuration of Spacelift environments, including stack creation, role-based access control (RBAC), OPA policy integration, and secure pipeline authentication. Designed to integrate seamlessly with NTC modules, NTC Spacelift Administration reduces operational overhead and ensures consistent and secure deployment workflows.
Whether you're using Spacelift SaaS or a self-hosted setup, this module provides a streamlined approach to managing your Spacelift infrastructure.
Usage
Latest Release: 1.0.1
- Spacelift Administration
- GitHub Repository
# --------------------------------------------------------------------------------------------------
# ¦ NTC SPACELIFT ADMINISTRATION
# --------------------------------------------------------------------------------------------------
# initial manual configuration before managing spacelift with NTC:
# 1) create a spacelift account with supported identity provider here: https://spacelift.io/free-trial
# 2) (optional) setup SSO with SAML (enterprise feature) or OIDC: https://docs.spacelift.io/integrations/single-sign-on#managed-identity-provider-vs-sso
# 3) setup one or more source control integrations like github, gitlab or raw git: https://docs.spacelift.io/integrations/source-control
# 4) create a spacelift-administration repository and a spacelift administration-stack: https://docs.spacelift.io/concepts/stack/stack-settings#administrative
# 5) (optional) add NTC modules to spacelift private registry or add NTC credentials as environment variables to spacelift administration-stack
module "ntc_spacelift_administration" {
source = "https://github.com/nuvibit-terraform-collection/terraform-spacelift-ntc-administration?ref=X.X.X"
# (optional) settings for auditing all operations that change Spacelift resources
# Audit Trail is an Enterprise plan feature
# https://docs.spacelift.io/integrations/audit-trail
audit_trail_settings = {
enabled = false
include_runs = false
webhook_endpoint_url = ""
# the secret is used to sign webhook deliveries; do not commit it, pass it in via a sensitive variable or a secret store
webhook_secret = ""
}
# email that Spacelift will use to contact you in the event of a security incident
# security_notifications_email = "demo-security@nuvibit.com"
# list of nested (up to 5 levels) spacelift spaces
# https://docs.spacelift.io/concepts/spaces/
nested_spaces = [
{
# 'root' is the top level space and already exists
# path describes relationship of parent and child spaces
space_path = "/root/workloads"
description = "test space"
# (optional) if true any stack in the child space can use resources such as worker pools or contexts from the parent space
enable_inheritance = true
# list of user-defined tags to describe the space
labels = []
},
{
space_path = "/root/workloads/prod"
enable_inheritance = true
},
{
space_path = "/root/workloads/dev"
enable_inheritance = true
},
]
# list of Open Policy Agent (Rego) policies that involve various decision points
# https://docs.spacelift.io/concepts/policy
# [LOGIN]: who gets to log in to your Spacelift account and with what level of access;
# [ACCESS]: who gets to access individual Stacks and with what level of access;
# [APPROVAL]: who can approve or reject a run and how a run can be approved;
# [INITIALIZATION]: which Runs and Tasks can be started;
# [NOTIFICATION]: routing and filtering notifications;
# [PLAN]: which changes can be applied;
# [GIT_PUSH]: how Git push events are interpreted;
# [TASK]: which one-off commands can be executed;
# [TRIGGER]: what happens when blocking runs terminate;
# example policies:
# https://github.com/spacelift-io/spacelift-policies-example-library
# https://spacelift.io/blog/open-policy-agent-rego
policies = [
{
policy_name = "plan-policy-test"
description = "this is a test policy"
space_path = "/root"
policy_type = "PLAN"
policy_content = file("${path.module}/files/plan-policy-test.rego")
# 'autoattach' allows policies to be automatically attached to stacks or modules with defined labels
labels = ["autoattach:*"]
},
]
# list of context definitions with a bundle of configuration elements which can be attached to stacks or modules
# https://docs.spacelift.io/concepts/configuration/context
context_definitions = [
{
context_name = "opentofu-test"
description = "Configuration details for OpenTofu workflows"
labels = ["folder:opentofu"]
# define which space_path the context will belong to
space_path = "/root/workloads"
# (optional) list of environment variables that should be attached to context and corresponding projects.
# https://docs.spacelift.io/concepts/configuration/environment
environment_variables = [
{
name = "AWS_DEFAULT_REGION"
value = "eu-central-1"
sensitive = false
},
{
name = "AWS_ROLE_SESSION_NAME"
value = "spacelift"
sensitive = false
},
{
# recommended to use 'AWS_WEB_IDENTITY_TOKEN_FILE' envvar for AWS OpenID Connect (OIDC)
# the file "/mnt/workspace/spacelift.oidc" is generated by Spacelift
# https://docs.spacelift.io/integrations/cloud-providers/oidc#about-the-spacelift-oidc-token
# 'AWS_ROLE_ARN' is also required but is unique and must be added directly to stack envvars
name = "AWS_WEB_IDENTITY_TOKEN_FILE"
value = "/mnt/workspace/spacelift.oidc"
sensitive = false
},
]
# (optional) when environment variables are not supported, you can fallback to mounting a file
# https://docs.spacelift.io/concepts/configuration/environment#mounted-files
mounted_files = [
{
# spacelift supports custom workflows which allows you to customize the commands that are executed
# https://docs.spacelift.io/vendors/terraform/workflow-tool
relative_path = "source/.spacelift/workflow.yml"
base64_content = filebase64("${path.module}/files/custom-workflow-terraform.yml")
sensitive = false
},
]
# (optional) spacelift workflow can be customized by adding extra commands to be executed before and after different phases
# https://docs.spacelift.io/concepts/stack/stack-settings#customizing-workflow
custom_hooks = {
# This phase is handled exclusively by the worker and involves running pre-initialization hooks and vendor-specific initialization process.
# For Terraform stacks it would mean running terraform init, in the right directory and with the right parameters.
before_init = [
## install any necessary tools before init
# "wget --quiet https://releases.hashicorp.com/terraform/1.9.1/terraform_1.9.1_linux_amd64.zip",
# "unzip -o terraform_1.9.1_linux_amd64.zip",
# "export PATH=$PATH:~/",
# "mv terraform ~/terraform",
# "terraform -v",
## load credentials to access terraform modules from github
# https://docs.spacelift.io/vendors/terraform/external-modules#git-repositories
"ls -l"
]
after_init = []
# Once the workspace is prepared by the Initializing phase, planning runs a vendor-specific preview command and interprets the results.
# For OpenTofu that command is tofu plan, for Terraform - terraform plan, for Pulumi - pulumi preview.
before_plan = []
after_plan = []
# If the run required a manual approval step, this phase is preceded by another handover (preparing phase) since the run again needs to be yielded to a worker node.
before_apply = []
after_apply = []
# used during module test cases to destroy resources in the end
# also used by stacks during destruction that have a corresponding stack_destructor_resource
before_destroy = []
after_destroy = []
# Apart from the common run phases described in the general run documentation, tasks have just one extra state - performing.
# That's when the arbitrary user-supplied command is executed, wrapped in sh -c to support all the shell goodies we all love to abuse.
# In particular, you can use as many && and || as you wish.
before_perform = []
after_perform = []
# Executed after each actively processed run, regardless of its outcome.
# These hooks will execute as part of the last "active" state of the run and will have access to an environment variable called TF_VAR_spacelift_final_run_state indicating the final state of the run.
after_run = []
}
}
]
# a stack is a combination of source code, state of the infrastructure (e.g. Terraform state file), environment variables and mounted files
# https://docs.spacelift.io/concepts/stack
stack_definitions = [
{
stack_name = "opentofu-test"
description = "opentofu test stack"
space_path = "/root/workloads/prod"
# list of user-defined tags to describe the stack
# https://docs.spacelift.io/concepts/stack/stack-settings#labels
labels = ["workloads"]
# stack settings
stack_settings = {
administrative = false
protect_from_deletion = false
autodeploy = false
autoretry = false
enable_well_known_secret_masking = true
enable_local_preview = true
# project_root = "test/subfolder"
# runner_image = null
# worker_pool_name = "private-workers"
# additional_project_globs = []
}
# connect to source code
vcs_settings = {
# default, github_enterprise, gitlab, bitbucket_cloud, bitbucket_datacenter, raw_git
vcs_provider = "github_enterprise"
# if not specified, the default integration will be used; for raw_git use 'url' instead of 'integration'
# WARNING: if you are using space-level integrations your stack cannot be easily moved to another space
# https://docs.spacelift.io/concepts/spaces/moving-a-space-or-an-entity#moving-a-stack
integration = "spacelift-administration"
# github organization, gitlab namespace or bitbucket project containing the repository
namespace = "nuvibit-terraform-collection"
repository = module.ntc_spacelift_github_repository.github_repositories["spacelift-test-stack"].name
branch = "main"
}
# (optional) attach policies by name
policy_names_to_attach = []
# (optional) attach context definition by name and in priority by list order
context_names_to_attach = [
"workloads-opentofu-test"
]
# terraform / opentofu based project
terraform_opentofu_settings = {
enabled = true
# stack supports OPEN_TOFU, TERRAFORM_FOSS or CUSTOM workflows
workflow_tool = "OPEN_TOFU"
# version can be defined strict and loose or ranges defined by SemVer
# https://devhints.io/semver
# e.g. range: ~1.2.3 is >=1.2.3 <1.3.0
# TERRAFORM_FOSS only supports versions up to 1.5.7
# OPEN_TOFU starts at version 1.6.0
version = "1.8.1"
smart_sanitization = true
external_state_access = false
workspace = null
manage_state = true
import_state = null
import_state_file = null
}
# (optional) custom hooks should be defined in 'context_definition' when possible
# https://docs.spacelift.io/concepts/stack/stack-settings#customizing-workflow
custom_hooks = {
before_init = []
after_init = []
before_plan = []
after_plan = []
before_apply = []
after_apply = []
before_destroy = []
after_destroy = []
before_perform = []
after_perform = []
after_run = []
}
# (optional) list of environment variables that should be attached directly to stack
# can be used in addition to environment variables from context which are the same for all attached stacks
# https://docs.spacelift.io/concepts/configuration/environment
environment_variables = [
{
# the OIDC role_arn is different for every stack and therefore needs to be added to envvars of stack instead of context
name = "AWS_ROLE_ARN"
value = "arn:aws:iam::111111111111:role/ntc-oidc-spacelift-role"
sensitive = false
}
]
# (optional) when environment variables are not supported, you can fallback to mounting a file
# https://docs.spacelift.io/concepts/configuration/environment#mounted-files
mounted_files = [
# {
# # spacelift supports custom workflows which allows you to customize the commands that are executed
# # https://docs.spacelift.io/vendors/terraform/workflow-tool
# relative_path = ""
# base64_content = filebase64("${path.module}/example.yml")
# sensitive = false
# }
]
# (optional) trigger a stack deletion or task at a specific time or periodically based on the cron rules defined.
# Scheduled tasks is an Enterprise plan feature
# https://docs.spacelift.io/concepts/stack/scheduling#scheduling
scheduled_tasks = [
# {
# task_name = "test"
# command = "tofu state list"
# cron_schedule_expressions = ["0 21 * * 1-5"]
# timezone = "CET"
# }
]
# define dependencies and references between stacks
# https://docs.spacelift.io/concepts/stack/stack-dependencies#defining-stack-dependencies
stack_dependencies = [
# {
# depends_on_stack_name = "test-stack"
# reference_output_name = "random_id"
# reference_input_name = "TF_VAR_random_id"
# reference_trigger_always = false
# }
]
}
]
# (optional) maintain your modules with the spacelift terraform registry
# The name of a module managed by Spacelift is of the following form: spacelift.io/<organization>/<module_name>/<provider>
# https://docs.spacelift.io/vendors/terraform/module-registry
terraform_registry = {
modules = [
{
# module name will by default be inferred from the repository name
# needs to follow the terraform-provider-name naming convention
custom_name = "parameters-test"
description = null
space_path = "/root"
labels = ["module"]
# connect to source code
vcs_settings = {
# default, github_enterprise, gitlab, bitbucket_cloud, bitbucket_datacenter, raw_git
vcs_provider = "github_enterprise"
# if not specified, the default integration will be used; for raw_git use 'url' instead of 'integration'
# WARNING: if you are using space-level integrations your stack cannot be easily moved to another space
# https://docs.spacelift.io/concepts/spaces/moving-a-space-or-an-entity#moving-a-stack
integration = "spacelift-administration"
# github organization, gitlab namespace or bitbucket project containing the repository
namespace = "nuvibit-terraform-collection"
repository = "terraform-aws-ntc-parameters"
branch = "main"
}
# module settings
module_settings = {
# modules can be shared with other spacelift customers
# https://docs.spacelift.io/vendors/terraform/module-registry.html#sharing-modules
shared_with_spacelift_accounts = []
# Indicates whether this module can manage others
administrative = false
protect_from_deletion = false # disabled for testing purposes
enable_local_preview = true
workflow_tool = "OPEN_TOFU"
# module provider will by default be inferred from the repository name
# terraform_provider_name = null
# worker_pool_name = "private-workers"
# project_root = ""
}
# (optional) import existing module versions into spacelift registry
# https://docs.spacelift.io/vendors/terraform/module-registry#versions
import_versions = [
# {
# git_commit_sha = "dfde1109aad4f11b5d2e4f97eeba4b39e7ff897f"
# module_version = "1.0.0"
# }
]
# (optional) attach policies by name
policy_names_to_attach = []
# (optional) attach context definition by name and in priority by list order
context_names_to_attach = []
}
]
}
# save filters to a custom view for different spacelift dashboards
# https://docs.spacelift.io/concepts/stack/organizing-stacks.html#saving-filters-in-views
custom_views = [
{
view_name = "workloads"
# custom views can be created for 'stacks', 'blueprints', 'contexts' and 'webhooks'
type = "stacks"
# sort in ascending (ASC) or descending (DESC) order
sort_direction = "ASC"
sort_by_filter = "starred"
# search by name, id or labels
text_search = ""
# combine multiple filters
active_filters = [
{
# spaces are filtered hierarchically, including their child spaces
filter_name = "space"
filter_values = [
"/root/workloads"
]
},
{
filter_name = "administrative"
filter_values = [
false
]
},
]
# select filters that you want to be displayed on the filter list and set the order
diplayed_filters = [
"administrative",
"branch",
"commit",
"drifted",
"starred",
"folder",
"slug",
"label",
"locked",
"name",
"needsApproval",
"projectRoot",
"provider",
"repository",
"integration",
"space",
"state",
"synced",
"vendor",
"workerPool"
]
}
]
# (optional) private worker pools allow executing spacelift runs on self-hosted Docker-based or Kubernetes workers
# private worker pools are an Enterprise plan feature. You may still manage them, but jobs will not be scheduled on private workers until you upgrade to a billing tier that supports them.
# https://docs.spacelift.io/concepts/worker-pools
private_worker_pools = [
{
pool_name = "private-workers-test"
pool_description = "spacelift private worker pool"
space_path = "/root"
labels = []
}
]
# choose a Management Strategy under organizational settings (manual configuration)
# use 'login policies' for full control over your login process. This allows you to support very advanced use-cases.
# use 'user management' for simpler use-cases. This is a great option for getting started quickly, and you have the option of switching to login policies later if required.
# https://docs.spacelift.io/concepts/user-management
user_management = {
# grant access to individual users. It is recommended to use idp_group_mappings and grant permissions to groups instead of individual users
users = [
# {
# username = "spacelift@nuvibit.com"
# # required when creating a new user and optional when importing an existing user
# invitation_email = "spacelift@nuvibit.com"
# permissions = [
# {
# space_path = "/root"
# role = "READ"
# },
# {
# space_path = "/root/workloads"
# role = "WRITE"
# },
# {
# space_path = "/root/workloads/dev"
# role = "ADMIN"
# }
# ]
# }
]
# group permissions will only be applied to the user if the group name in Spacelift exactly matches the group name in your Identity Provider including capital letters and whitespaces.
idp_group_mappings = [
{
# WARNING: due to a limitation in Microsoft Entra ID, groups are passed to Spacelift by their IDs only, not by their names, so the mapping must use the group ID
# https://docs.spacelift.io/integrations/single-sign-on/azure-ad-oidc-setup-guide
group_name = "test-admins"
permissions = [
{
space_path = "/root"
role = "READ"
},
{
space_path = "/root/workloads"
role = "WRITE"
}
]
}
]
}
}
# --------------------------------------------------------------------------------------------------
# ¦ NTC SPACELIFT GITHUB REPOSITORIES
# --------------------------------------------------------------------------------------------------
module "ntc_spacelift_github_repository" {
source = "https://github.com/nuvibit-terraform-collection/terraform-spacelift-ntc-administration//modules/github-repository?ref=X.X.X"
# list of repositories which will be connected with spacelift stacks
github_repositories = [
{
name = "spacelift-test-stack"
description = "opentofu repository for testing purposes"
visibility = "private"
topics = ["test"]
template = {
template_repository = "terraform-pipeline.tpl"
repository_owner = "nuvibit-terraform-collection"
include_all_branches = true
}
settings = {
create_readme = false
has_issues = false
has_discussions = false
has_projects = false
has_wiki = false
allow_merge_commit = true
allow_squash_merge = true
allow_rebase_merge = true
allow_auto_merge = false
delete_branch_on_merge = true
web_commit_signoff_required = false
allow_update_branch = false
archive_on_destroy = false
vulnerability_alerts = true
ignore_vulnerability_alerts_during_read = false
# (optional) choose a gitignore file from the available templates
# https://github.com/github/gitignore
gitignore_template = null
# (optional) choose a license file from the available templates
# https://github.com/github/choosealicense.com/tree/gh-pages/_licenses
license_template = null
}
# an initial file in the repository is required to apply branch protection rules (e.g. set 'create_readme' to true)
branch_protection_rules = [
{
pattern = "main"
enforce_admins = false
allows_deletions = false
require_conversation_resolution = true
require_signed_commits = true
required_linear_history = false
allows_force_pushes = false
required_status_checks = {
strict = true
contexts = ["spacelift/spacelift-test-stack"]
}
restrict_pushes = {
blocks_creations = true
push_allowances = []
}
required_pull_request_reviews = {
dismiss_stale_reviews = true
restrict_dismissals = true
dismissal_restrictions = []
require_code_owner_reviews = true
required_approving_review_count = 1
}
force_push_bypassers = []
lock_branch = false
}
]
# (optional) create or overwrite files in github repository - most use cases can be solved with 'template_repository' instead
# WARNING: bypass permission required when branch protection is enabled
managed_files = [
# {
# file = ".gitignore"
# content = file("${path.module}/files/terraform.gitignore")
# overwrite_on_create = true
# # enabling this will only create the file initially and it will not be updated
# # this can be useful to avoid bypassing branch protection (file will be initially created before the branch protection rule)
# # WARNING: updating 'ignore_lifecycle' after initial deployment will cause the file to be recreated
# ignore_lifecycle = false
# }
]
}
]
providers = {
github = github
}
}
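The usage example above sets AWS_WEB_IDENTITY_TOKEN_FILE in a context and AWS_ROLE_ARN on the stack, but does not show the AWS side that makes the OIDC exchange safe. The following is an added example, not code from the NTC module or from Spacelift, of the IAM OIDC provider and the role that AWS_ROLE_ARN points to, written so that only one stack can assume the role. The account hostname (nuvibit.app.spacelift.io), the role name and the ReadOnlyAccess attachment are assumptions; the claim layout (aud equal to the account hostname, sub of the form space:<space_id>:stack:<stack_id>:run_type:<run_type>:scope:<read|write>) is taken from the Spacelift OIDC documentation linked in the comments above. It uses the hashicorp/aws and hashicorp/tls providers.

```hcl
# Added example: AWS trust configuration for Spacelift OIDC (not part of the NTC module)

locals {
  # assumed Spacelift account hostname; this is both the token issuer host and the 'aud' claim
  spacelift_host = "nuvibit.app.spacelift.io"
  # stack name from the usage example; its Spacelift id is assumed to be the same slug
  spacelift_stack = "opentofu-test"
}

# fetch the issuer's certificate chain only to derive the provider thumbprint
data "tls_certificate" "spacelift" {
  url = "https://${local.spacelift_host}"
}

resource "aws_iam_openid_connect_provider" "spacelift" {
  url             = "https://${local.spacelift_host}"
  client_id_list  = [local.spacelift_host]
  thumbprint_list = [data.tls_certificate.spacelift.certificates[0].sha1_fingerprint]
}

data "aws_iam_policy_document" "spacelift_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.spacelift.arn]
    }

    # reject tokens minted for any other audience
    condition {
      test     = "StringEquals"
      variable = "${local.spacelift_host}:aud"
      values   = [local.spacelift_host]
    }

    # 'sub' = space:<space_id>:stack:<stack_id>:run_type:<run_type>:scope:<read|write>
    # pin it to one stack; a trust policy that checks only 'aud' lets every stack
    # in the Spacelift account assume this role
    condition {
      test     = "StringLike"
      variable = "${local.spacelift_host}:sub"
      values   = ["space:*:stack:${local.spacelift_stack}:run_type:*:scope:*"]
    }
  }
}

resource "aws_iam_role" "spacelift" {
  name               = "ntc-oidc-spacelift-role" # role name from the usage example
  assume_role_policy = data.aws_iam_policy_document.spacelift_trust.json
}

# placeholder permissions for the example; attach what the stack actually needs instead
resource "aws_iam_role_policy_attachment" "spacelift_readonly" {
  role       = aws_iam_role.spacelift.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

output "aws_role_arn" {
  # value for the stack's AWS_ROLE_ARN environment variable
  value = aws_iam_role.spacelift.arn
}
```

The sub condition is the part that matters. If the role is managed from a separate configuration, the module's stack_ids_by_name and space_ids_by_space_path outputs supply the exact ids to replace the wildcards; referencing them from the same configuration as the stack that consumes the role ARN would create a dependency cycle. Splitting the role into a read-only one matched on scope:read and a write one matched on scope:write lets proposed runs plan with read-only credentials.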
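The policies entry above loads plan-policy-test.rego from disk without showing its content. Below, as an added example that is neither the NTC module's nor Spacelift's own policy, is a PLAN policy written inline with a heredoc: it denies deletion of identity resources and security group rules that open SSH to the world, warns on any other deletion, and samples denied runs for the policy workbench. The policy name, the autoattach label and the protected resource types are assumptions; the input layout (input.terraform.resource_changes with change.actions and change.after) is the Terraform plan JSON that Spacelift passes to PLAN policies.

```hcl
# Added example: inline PLAN policy entry for the 'policies' list (not part of the NTC module)
policies = [
  {
    policy_name = "plan-policy-protect-identity" # assumed name
    description = "deny destructive IAM changes and world-open SSH"
    space_path  = "/root/workloads"
    policy_type = "PLAN"
    # attaches to every stack carrying the 'workloads' label, like the stack in the usage example
    labels = ["autoattach:workloads"]
    policy_content = <<-EOT
      package spacelift

      # resource types whose deletion (or replacement) is blocked; assumed list
      protected_types := {"aws_iam_role", "aws_iam_policy", "aws_iam_openid_connect_provider"}

      deny[sprintf("%s: deleting or replacing %s is not allowed", [res.address, res.type])] {
        res := input.terraform.resource_changes[_]
        protected_types[res.type]
        res.change.actions[_] == "delete"
      }

      # security group rules that expose port 22 to 0.0.0.0/0
      deny[sprintf("%s opens port 22 to 0.0.0.0/0", [res.address])] {
        res := input.terraform.resource_changes[_]
        res.type == "aws_security_group_rule"
        res.change.after.type == "ingress"
        res.change.after.from_port <= 22
        res.change.after.to_port >= 22
        res.change.after.cidr_blocks[_] == "0.0.0.0/0"
      }

      # any other deletion is surfaced but does not block the run
      warn[sprintf("%s will be destroyed", [res.address])] {
        res := input.terraform.resource_changes[_]
        res.change.actions[_] == "delete"
        not protected_types[res.type]
      }

      # keep the full input of denied runs for inspection in the policy workbench
      sample { count(deny) > 0 }
    EOT
  },
]
```

A replacement shows up in change.actions as ["delete", "create"], so the first rule catches both plain deletes and replaces. With "autoattach:*" instead of "autoattach:workloads" the policy would apply to every stack in the account, including the administrative one.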
Requirements
The following requirements are needed by this module:
- terraform (>= 1.6.0)
- spacelift (>= 1.0)
- tls (>= 4.0.5)
Providers
The following providers are used by this module:
- spacelift (>= 1.0)
- tls (>= 4.0.5)
Modules
The following modules are called:
spacelift_context
Source: ./modules/spacelift-context
Version:
spacelift_module
Source: ./modules/spacelift-module
Version:
spacelift_stack
Source: ./modules/spacelift-stack
Version:
Resources
The following resources are used by this module:
- spacelift_audit_trail_webhook.ntc_audit (resource)
- spacelift_idp_group_mapping.ntc_group (resource)
- spacelift_policy.ntc_policy (resource)
- spacelift_saved_filter.ntc_custom_view (resource)
- spacelift_security_email.ntc_security (resource)
- spacelift_space.ntc_nested_space_level1 (resource)
- spacelift_space.ntc_nested_space_level2 (resource)
- spacelift_space.ntc_nested_space_level3 (resource)
- spacelift_space.ntc_nested_space_level4 (resource)
- spacelift_space.ntc_nested_space_level5 (resource)
- spacelift_stack_dependency.ntc_stack (resource)
- spacelift_stack_dependency_reference.ntc_stack (resource)
- spacelift_user.ntc_user (resource)
- spacelift_worker_pool.ntc_private_workers (resource)
- tls_cert_request.ntc_private_workers (resource)
- tls_private_key.ntc_private_workers (resource)
- spacelift_account.current (data source)
- spacelift_ips.current (data source)
Required Inputs
No required inputs.
Optional Inputs
The following input variables are optional (have default values):
audit_trail_settings
Description: Settings for auditing all operations that change Spacelift resources. Audit Trail is an Enterprise plan feature.
Type:
object({
enabled = optional(bool, false)
include_runs = optional(bool, false)
webhook_endpoint_url = optional(string, "")
webhook_secret = optional(string, "")
})
Default: {}
context_definitions
Description: List of context definitions with a bundle of configuration elements that can be attached to stacks or modules.
Type:
list(object({
context_name = string
description = optional(string, null)
labels = optional(list(string), [])
space_path = optional(string, "/root")
environment_variables = optional(list(object({
name = string
value = string
sensitive = optional(bool, true)
})), [])
mounted_files = optional(list(object({
relative_path = string
base64_content = string
sensitive = optional(bool, true)
})))
custom_hooks = optional(object({
before_init = optional(list(string), [])
after_init = optional(list(string), [])
before_plan = optional(list(string), [])
after_plan = optional(list(string), [])
before_apply = optional(list(string), [])
after_apply = optional(list(string), [])
before_destroy = optional(list(string), [])
after_destroy = optional(list(string), [])
before_perform = optional(list(string), [])
after_perform = optional(list(string), [])
after_run = optional(list(string), [])
}), {})
}))
Default: []
custom_views
Description: List of views that should be added to filter different spacelift dashboards.
Type:
list(object({
view_name = string
type = string
shared = optional(bool, true)
sort_direction = optional(string, "DESC")
sort_by_filter = optional(string, "starred")
text_search = optional(string, "")
active_filters = optional(list(object({
filter_name = string
filter_values = list(string)
})), [])
diplayed_filters = optional(list(string), [
"administrative",
"branch",
"commit",
"drifted",
"starred",
"folder",
"slug",
"label",
"locked",
"name",
"needsApproval",
"projectRoot",
"provider",
"repository",
"integration",
"space",
"state",
"synced",
"vendor",
"workerPool"
])
}))
Default: []
nested_spaces
Description: List of spaces that should be added under the root space for more granular access control.
Type:
list(object({
space_path = string
description = optional(string, null)
enable_inheritance = optional(bool, false)
labels = optional(list(string), [])
}))
Default: []
policies
Description: List of OPA policies that should be applied to stacks, modules or globally.
Type:
list(object({
policy_name = string
description = optional(string, null)
space_path = optional(string, "/root")
policy_type = string
policy_content = string
labels = optional(list(string), [])
}))
Default: []
private_worker_pools
Description: Manage spacelift private worker pools.
Type:
list(object({
pool_name = string
pool_description = optional(string, null)
space_path = optional(string, "/root")
labels = optional(list(string), [])
}))
Default: []
security_notifications_email
Description: Email that Spacelift will use to contact you in the event of a security incident
Type: string
Default: ""
stack_definitions
Description: List of spacelift stacks to create.
Type:
list(object({
stack_name = string
description = optional(string, null)
space_path = optional(string, "/root")
labels = optional(list(string), [])
stack_settings = optional(object({
administrative = optional(bool, false)
protect_from_deletion = optional(bool, false)
autodeploy = optional(bool, false)
autoretry = optional(bool, false)
enable_well_known_secret_masking = optional(bool, true)
enable_local_preview = optional(bool, true)
runner_image = optional(string, null)
worker_pool_name = optional(string, "")
project_root = optional(string, null)
additional_project_globs = optional(list(string), [])
}), {})
vcs_settings = object({
vcs_provider = optional(string, "default")
namespace = string
integration = optional(string, "")
url = optional(string, "")
repository = string
branch = string
})
policy_names_to_attach = optional(list(string), [])
context_names_to_attach = optional(list(string), [])
terraform_opentofu_settings = optional(object({
enabled = optional(bool, false)
workflow_tool = optional(string, "OPEN_TOFU")
version = optional(string, "") # cannot easily validate semver versioning (TERRAFORM_FOSS <= 1.5.7 and OPEN_TOFU >= 1.6.0)
smart_sanitization = optional(bool, true)
external_state_access = optional(bool, false)
manage_state = optional(bool, true)
workspace = optional(string, null)
import_state = optional(string, null)
import_state_file = optional(string, null)
}), {})
terragrunt_settings = optional(object({
enabled = optional(bool, false)
workflow_tool = optional(string, "OPEN_TOFU")
terraform_version = optional(string, "")
terragrunt_version = optional(string, "")
use_run_all = optional(bool, false)
use_smart_sanitization = optional(bool, true)
}), {})
cloudformation_settings = optional(object({
enabled = optional(bool, false)
entry_template_file = optional(string, "")
region = optional(string, "")
template_bucket = optional(string, "")
stack_name = optional(string, "")
}), {})
pulumi_settings = optional(object({
enabled = optional(bool, false)
login_url = optional(string, "")
stack_name = optional(string, "")
}), {})
kubernetes_settings = optional(object({
enabled = optional(bool, false)
namespace = optional(string, "")
kubectl_version = optional(string, "")
}), {})
ansible_settings = optional(object({
enabled = optional(bool, false)
playbook = optional(string, "")
}), {})
stack_dependencies = optional(list(object({
depends_on_stack_name = string
reference_output_name = optional(string, "")
reference_input_name = optional(string, "")
reference_trigger_always = optional(bool, false)
})), [])
environment_variables = optional(list(object({
name = string
value = string
sensitive = optional(bool, true)
})), [])
mounted_files = optional(list(object({
relative_path = string
base64_content = string
sensitive = optional(bool, true)
})), [])
scheduled_tasks = optional(list(object({
task_name = string
command = string
cron_schedule_expressions = list(string)
timezone = optional(string, "UTC")
})), [])
custom_hooks = optional(object({
before_init = optional(list(string), [])
after_init = optional(list(string), [])
before_plan = optional(list(string), [])
after_plan = optional(list(string), [])
before_apply = optional(list(string), [])
after_apply = optional(list(string), [])
before_destroy = optional(list(string), [])
after_destroy = optional(list(string), [])
before_perform = optional(list(string), [])
after_perform = optional(list(string), [])
after_run = optional(list(string), [])
}), {})
}))
Default: []
terraform_registry
Description: Settings for maintaining modules in the Spacelift Terraform registry.
Type:
object({
modules = optional(list(object({
custom_name = optional(string, null)
description = optional(string, null)
space_path = optional(string, "/root")
labels = optional(list(string), [])
module_settings = optional(object({
shared_with_spacelift_accounts = optional(list(string), [])
administrative = optional(bool, false)
protect_from_deletion = optional(bool, false)
enable_local_preview = optional(bool, true)
workflow_tool = optional(string, "OPEN_TOFU")
terraform_provider_name = optional(string, null)
worker_pool_name = optional(string, "")
project_root = optional(string, null)
}), {})
vcs_settings = object({
vcs_provider = optional(string, "default")
namespace = string
integration = string
repository = string
branch = string
})
policy_names_to_attach = optional(list(string), [])
context_names_to_attach = optional(list(string), [])
import_versions = optional(list(object({
git_commit_sha = string
module_version = string
})), [])
})), [])
})
Default: {}
user_management
Description: Manage spacelift users (using an Identity Provider) and map user groups (as provided by Identity Provider).
Type:
object({
users = optional(list(object({
username = string
invitation_email = optional(string, null)
permissions = optional(list(object({
space_path = string
role = string
})), [])
})), [])
idp_group_mappings = optional(list(object({
group_name = string
permissions = optional(list(object({
space_path = string
role = string
})), [])
})), [])
})
Default: {}
Outputs
The following outputs are exported:
context_ids_by_name
Description: Map of context identifiers by context name.
current_billing_tier
Description: Current spacelift billing tier.
module_ids_by_repo_name
Description: Map of terraform registry module identifiers by repository name.
private_worker_credentials_by_pool_name
Description: Map of private worker credentials by pool name.
private_worker_pools_by_name
Description: Map of private worker pool identifiers by pool name.
space_ids_by_space_path
Description: Map of space identifiers by space path.
spacelift_outgoing_ips
Description: List of spacelift.io outgoing IP addresses.
stack_ids_by_name
Description: Map of stack identifiers by stack name.