
NTC Spacelift Administration


Description

NTC Spacelift Administration simplifies the setup and management of Spacelift, a powerful CI/CD platform for Infrastructure as Code (IaC) deployments. This building block automates the configuration of Spacelift environments, including stack creation, role-based access control (RBAC), OPA policy integration, and secure pipeline authentication. Designed to integrate seamlessly with NTC modules, NTC Spacelift Administration reduces operational overhead and ensures consistent and secure deployment workflows.

Whether you're using Spacelift SaaS or a self-hosted setup, this module provides a streamlined approach to managing your Spacelift infrastructure.

Usage

Latest Release: 1.3.0

Requirements

The following requirements are needed by this module:

  • terraform (>= 1.6.1)

  • spacelift (>= 1.30.0)

  • tls (>= 4.0.5)

Providers

The following providers are used by this module:

  • spacelift (>= 1.30.0)

  • tls (>= 4.0.5)

Modules

The following modules are called:

spacelift_context

Source: ./modules/spacelift-context

Version:

spacelift_module

Source: ./modules/spacelift-module

Version:

spacelift_stack

Source: ./modules/spacelift-stack

Version:

Resources

The following resources are used by this module:

Required Inputs

No required inputs.

Optional Inputs

The following input variables are optional (have default values):

audit_trail_settings

Description: Settings for auditing all operations that change Spacelift resources. Audit Trail is an Enterprise plan feature.

Type:

object({
  enabled              = optional(bool, false)
  include_runs         = optional(bool, false)
  webhook_endpoint_url = optional(string, "")
  webhook_secret       = optional(string, "")
})

Default: {}

context_definitions

Description: List of context definitions with a bundle of configuration elements that can be attached to stacks or modules.

Type:

list(object({
  context_name = string
  description  = optional(string, null)
  labels       = optional(list(string), [])
  space_path   = optional(string, "/root")
  environment_variables = optional(list(object({
    name        = string
    description = optional(string, null)
    value       = string
    sensitive   = optional(bool, true)
  })), [])
  mounted_files = optional(list(object({
    relative_path  = string
    base64_content = string
    sensitive      = optional(bool, true)
  })))
  custom_hooks = optional(object({
    before_init    = optional(list(string), [])
    after_init     = optional(list(string), [])
    before_plan    = optional(list(string), [])
    after_plan     = optional(list(string), [])
    before_apply   = optional(list(string), [])
    after_apply    = optional(list(string), [])
    before_destroy = optional(list(string), [])
    after_destroy  = optional(list(string), [])
    before_perform = optional(list(string), [])
    after_perform  = optional(list(string), [])
    after_run      = optional(list(string), [])
  }), {})
}))

Default: []

custom_views

Description: List of views that should be added to filter the different Spacelift dashboards.

Type:

list(object({
  view_name      = string
  type           = string
  shared         = optional(bool, true)
  sort_direction = optional(string, "DESC")
  sort_by_filter = optional(string, "starred")
  text_search    = optional(string, "")
  active_filters = optional(list(object({
    filter_name   = string
    filter_values = list(string)
  })), [])
  diplayed_filters = optional(list(string), [
    "administrative",
    "branch",
    "commit",
    "drifted",
    "starred",
    "folder",
    "slug",
    "label",
    "locked",
    "name",
    "needsApproval",
    "projectRoot",
    "provider",
    "repository",
    "integration",
    "space",
    "state",
    "synced",
    "vendor",
    "workerPool"
  ])
}))

Default: []

nested_spaces

Description: List of spaces that should be added under the root space for more granular access control.

Type:

list(object({
  space_path         = string
  description        = optional(string, null)
  enable_inheritance = optional(bool, false)
  labels             = optional(list(string), [])
}))

Default: []

policies

Description: List of OPA policies that should be applied to stacks, modules or globally.

Type:

list(object({
  policy_name    = string
  description    = optional(string, null)
  space_path     = optional(string, "/root")
  policy_type    = string
  policy_content = string
  labels         = optional(list(string), [])
}))

Default: []

private_worker_pools

Description: Manage Spacelift private worker pools.

Type:

list(object({
  pool_name                 = string
  pool_description          = optional(string, null)
  space_path                = optional(string, "/root")
  labels                    = optional(list(string), [])
  drift_detection_run_limit = optional(number, -1) # '-1' is unlimited and '0' disables drift detection for the current pool.
}))

Default: []

security_notifications_email

Description: Email address that Spacelift will use to contact you in the event of a security incident.

Type: string

Default: ""

stack_definitions

Description: List of Spacelift stacks to create.

Type:

list(object({
  stack_name  = string
  description = optional(string, null)
  space_path  = optional(string, "/root")
  labels      = optional(list(string), [])
  stack_settings = optional(object({
    administrative                   = optional(bool, false)
    protect_from_deletion            = optional(bool, false)
    autodeploy                       = optional(bool, false)
    autoretry                        = optional(bool, false)
    enable_well_known_secret_masking = optional(bool, true)
    enable_local_preview             = optional(bool, true)
    runner_image                     = optional(string, null)
    worker_pool_name                 = optional(string, "")
    project_root                     = optional(string, null)
    additional_project_globs         = optional(list(string), [])
  }), {})
  vcs_settings = object({
    vcs_provider = optional(string, "default")
    namespace    = string
    integration  = optional(string, "")
    url          = optional(string, "")
    repository   = string
    branch       = string
  })
  policy_names_to_attach  = optional(list(string), [])
  context_names_to_attach = optional(list(string), [])
  terraform_opentofu_settings = optional(object({
    enabled               = optional(bool, false)
    workflow_tool         = optional(string, "OPEN_TOFU")
    version               = optional(string, "") # TERRAFORM_FOSS <= 1.5.7 / OPEN_TOFU >= 1.6.0
    smart_sanitization    = optional(bool, true)
    external_state_access = optional(bool, false)
    manage_state          = optional(bool, true)
    workspace             = optional(string, null)
    import_state          = optional(string, null)
    import_state_file     = optional(string, null)
  }), {})
  terragrunt_settings = optional(object({
    enabled                = optional(bool, false)
    workflow_tool          = optional(string, "OPEN_TOFU")
    terraform_version      = optional(string, "")
    terragrunt_version     = optional(string, "")
    use_run_all            = optional(bool, false)
    use_smart_sanitization = optional(bool, true)
  }), {})
  cloudformation_settings = optional(object({
    enabled             = optional(bool, false)
    entry_template_file = optional(string, "")
    region              = optional(string, "")
    template_bucket     = optional(string, "")
    stack_name          = optional(string, "")
  }), {})
  pulumi_settings = optional(object({
    enabled    = optional(bool, false)
    login_url  = optional(string, "")
    stack_name = optional(string, "")
  }), {})
  kubernetes_settings = optional(object({
    enabled         = optional(bool, false)
    namespace       = optional(string, "")
    kubectl_version = optional(string, "")
  }), {})
  ansible_settings = optional(object({
    enabled  = optional(bool, false)
    playbook = optional(string, "")
  }), {})
  stack_dependencies = optional(list(object({
    depends_on_stack_name    = string
    reference_output_name    = optional(string, "")
    reference_input_name     = optional(string, "")
    reference_trigger_always = optional(bool, false)
  })), [])
  environment_variables = optional(list(object({
    name        = string
    description = optional(string, null)
    value       = string
    sensitive   = optional(bool, true)
  })), [])
  mounted_files = optional(list(object({
    relative_path  = string
    base64_content = string
    sensitive      = optional(bool, true)
  })), [])
  scheduled_tasks = optional(list(object({
    task_name                 = string
    command                   = string
    cron_schedule_expressions = list(string)
    timezone                  = optional(string, "UTC")
  })), [])
  drift_detection = optional(object({
    enabled                   = optional(bool, false)
    reconcile                 = optional(bool, false)
    ignore_state              = optional(bool, false)
    cron_schedule_expressions = optional(list(string), [])
    timezone                  = optional(string, "UTC")
  }), {})
  custom_hooks = optional(object({
    before_init    = optional(list(string), [])
    after_init     = optional(list(string), [])
    before_plan    = optional(list(string), [])
    after_plan     = optional(list(string), [])
    before_apply   = optional(list(string), [])
    after_apply    = optional(list(string), [])
    before_destroy = optional(list(string), [])
    after_destroy  = optional(list(string), [])
    before_perform = optional(list(string), [])
    after_perform  = optional(list(string), [])
    after_run      = optional(list(string), [])
  }), {})
}))

Default: []

terraform_registry

Description: Settings for the Spacelift Terraform module registry: the list of modules to register, each with its VCS source, module settings, attached policies and contexts, and any existing versions to import.

Type:

object({
  modules = optional(list(object({
    custom_name = optional(string, null)
    description = optional(string, null)
    space_path  = optional(string, "/root")
    labels      = optional(list(string), [])
    module_settings = optional(object({
      shared_with_spacelift_accounts = optional(list(string), [])
      administrative                 = optional(bool, false)
      protect_from_deletion          = optional(bool, false)
      enable_local_preview           = optional(bool, true)
      workflow_tool                  = optional(string, "OPEN_TOFU")
      terraform_provider_name        = optional(string, null)
      worker_pool_name               = optional(string, "")
      project_root                   = optional(string, null)
    }), {})
    vcs_settings = object({
      vcs_provider = optional(string, "default")
      namespace    = string
      integration  = string
      repository   = string
      branch       = string
    })
    policy_names_to_attach  = optional(list(string), [])
    context_names_to_attach = optional(list(string), [])
    import_versions = optional(list(object({
      git_commit_sha = string
      module_version = string
    })), [])
  })), [])
})

Default: {}

user_management

Description: Manage Spacelift users (using an Identity Provider) and map user groups (as provided by the Identity Provider) to roles.

Type:

object({
  users = optional(list(object({
    username         = string
    invitation_email = optional(string, null)
    permissions = optional(list(object({
      space_path = string
      role       = string
    })), [])
  })), [])
  idp_group_mappings = optional(list(object({
    group_name = string
    permissions = optional(list(object({
      space_path = string
      role       = string
    })), [])
  })), [])
})

Default: {}
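The call below is an added worked example, not the blueprint usage this page refers to and not code from the NTC module itself. It combines the inputs documented above into one least-privilege setup: a nested space for production with inheritance disabled, an OPA plan policy that fails runs deleting resources in that space, a stack that receives a credential as a sensitive environment variable and attaches the policy, IdP group mappings that confine the reader group to the production space, and audit-trail forwarding. The module `source`, the two `variable` blocks, the space path `/root/production`, the repository, group, webhook and mailbox values are assumptions, and the `role` strings `ADMIN` and `READ` assume Spacelift's access levels, which this page does not enumerate.

```hcl
# Assumption: sensitive input carrying the audit webhook signing secret; not part of the module.
variable "audit_webhook_secret" {
  type      = string
  sensitive = true
}

# Assumption: sensitive input for a credential the stack needs at run time.
variable "db_admin_password" {
  type      = string
  sensitive = true
}

module "ntc_spacelift_administration" {
  # Assumption: placeholder source; take the real path and version from the blueprint.
  source = "git::https://example.com/ntc/terraform-spacelift-administration.git?ref=1.3.0"

  # Forward every change to Spacelift resources, runs included, to a webhook (Enterprise plan).
  audit_trail_settings = {
    enabled              = true
    include_runs         = true
    webhook_endpoint_url = "https://siem.example.com/spacelift-audit" # assumed endpoint
    webhook_secret       = var.audit_webhook_secret
  }

  security_notifications_email = "security@example.com" # assumed mailbox

  # A dedicated space so production access can be granted without root-level rights.
  nested_spaces = [{
    space_path         = "/root/production"
    description        = "Production workloads"
    enable_inheritance = false # root-level permissions do not flow into this space
    labels             = ["env:prod"]
  }]

  # Plan policy (Rego): fail any run whose plan deletes a resource in the production space.
  policies = [{
    policy_name    = "deny-destructive-changes"
    policy_type    = "PLAN"
    space_path     = "/root/production"
    policy_content = <<-REGO
      package spacelift

      deny[sprintf("resource %s would be deleted", [r.address])] {
        r := input.terraform.resource_changes[_]
        r.change.actions[_] == "delete"
      }
    REGO
  }]

  stack_definitions = [{
    stack_name = "prod-network"
    space_path = "/root/production"
    labels     = ["env:prod"]
    stack_settings = {
      autodeploy            = false # production plans wait for a human confirmation
      protect_from_deletion = true
    }
    vcs_settings = {
      namespace  = "example-org"   # assumed VCS organisation
      repository = "infra-network" # assumed repository
      branch     = "main"
    }
    policy_names_to_attach = ["deny-destructive-changes"]
    environment_variables = [{
      name      = "TF_VAR_db_admin_password"
      value     = var.db_admin_password
      sensitive = true # write-only in Spacelift and masked in run logs
    }]
    drift_detection = {
      enabled                   = true
      reconcile                 = false # report drift, never auto-apply in production
      cron_schedule_expressions = ["0 */6 * * *"]
    }
  }]

  # Map IdP groups to roles; the reader group is confined to the production space.
  user_management = {
    idp_group_mappings = [
      {
        group_name  = "platform-admins" # assumed IdP group
        permissions = [{ space_path = "/root", role = "ADMIN" }]
      },
      {
        group_name  = "prod-readers" # assumed IdP group
        permissions = [{ space_path = "/root/production", role = "READ" }]
      },
    ]
  }
}

# Expose the documented output so Spacelift's egress addresses can be allow-listed elsewhere.
output "spacelift_egress_ips" {
  value = module.ntc_spacelift_administration.spacelift_outgoing_ips
}
```

Both secrets enter through `sensitive` Terraform variables rather than literals, so they neither appear in the plan output nor get committed with the configuration; the stack-level `sensitive = true` additionally keeps the value write-only inside Spacelift. The plan policy as written rejects every deletion in the production space, which is deliberately strict; a team that needs controlled teardowns would narrow the rule (for example to specific resource types) rather than drop it.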

Outputs

The following outputs are exported:

context_ids_by_name

Description: Map of context identifiers by context name.

current_billing_tier

Description: Current Spacelift billing tier.

module_ids_by_repo_name

Description: Map of Terraform registry module identifiers by repository name.

private_worker_credentials_by_pool_name

Description: Map of private worker credentials by pool name.

private_worker_pools_by_name

Description: Map of private worker pool identifiers by pool name.

space_ids_by_space_path

Description: Map of space identifiers by space path.

spacelift_outgoing_ips

Description: List of spacelift.io outgoing IP addresses.

stack_ids_by_name

Description: Map of stack identifiers by stack name.