This module will create a Spacelift plugin that signs runs for Spacelift inside GitHub.
The module will create the following resource:
- A push policy inside spacelift
- An output you can use with a worker pool to pass the appropriate initialization policy to the workers.
- This initialization policy is written as to not prevent stacks that are not signed from running (stacks not defined in
var.stacks can still use this workerpool with no issues).
- For Every
stack defined in var.stacks:
- We will query for the repository defined in the specified
stack_id, and we will commit a new workflow to that repository that will trigger a run in Spacelift with SpaceCTL.
- The workflow will automatically configure the path in the workflow to only trigger based on the project root of the stack.
- You can change this path with
custom_path in the stacks variable.
- You can also use a custom workflow by setting
use_custom_workflow to true in the stacks variable.
- A user pushes a code change to GitHub.
- Spacelift is notified but ignores the code change push because of the Push policy.
- The GitHub Action is triggered. It builds a JWT token and signs it with your secret. Then, it triggers a run and passes the signed token as metadata.
- Spacelift schedules the run onto the private worker pool configured for the stack.
- The private worker pool launcher evaluates the Initialization policy to verify the signature, that the token has not expired and is associated with the stack and commit for the run.
- If the token validation succeeds, the launcher starts the worker, and the run gets executed. Otherwise, the worker does not get started, the run is marked as failed, and the reason for the failure is displayed in the Initialization phase logs.
This variable in the module will control which stacks will be allowed to run signed runs.
The key can be anything, its only used statically in for_each loops.
stack_id: The stack you want to trigger with signed runs.
custom_path: Optional. If you want to trigger the stack using a path other than the stacks project root you can set it here.
use_custom_workflow: Optional. If set to true, the module will not create a workflow in github for this stack. You will need to create a custom workflow in the repository.
terraform {
required_providers {
spacelift = {
source = "spacelift-io/spacelift"
version = ">=1.18.0"
}
github = {
source = "integrations/github"
version = "~> 6.0"
}
}
}
provider "github" {
token = "{your_github_token}" # WARNING Sensitive
}
module "plugin_signed_runs" {
source = "spacelift.io/spacelift-solutions/plugin-signed-runs/spacelift"
spacelift_api_endpoint = "https://{your_account}.app.spacelift.io"
spacelift_api_key_id = "{your_spacelift_api_key_id}"
spacelift_api_key_secret = "{your_spacelift_api_key_secret}" # WARNING Sensitive
spacelift_run_signature_secret = "my-super-awesome-secret-that-no-one-will-guess" # WARNING Sensitive
stacks = {
my-great-stack = {
stack_id = "my-awesome-stack-id"
custom_path = "my-great-stack/test"
}
my-second-great-stack = {
stack_id = "my-awesome-second-stack-id"
use_custom_workflow = true
}
my-third-great-stack = {
stack_id = "my-awesome-third-stack-id"
}
}
}
module "workerpool" {
source = "github.com/spacelift-io/terraform-aws-spacelift-workerpool-on-ec2?ref=v2.6.2"
configuration = <<-EOT
export SPACELIFT_TOKEN="{your_workerpool_config_token}"
export SPACELIFT_POOL_PRIVATE_KEY="{your_workerpool_private_key}"
# This line is needed in order to pass the initialization policy to the workers
${module.plugin_signed_runs.initialization_policy}
EOT
}
| Name |
Description |
Type |
Default |
Required |
| name |
Name of the context |
string |
"plugin_signed_runs" |
no |
| space |
ID of the space the policy will be created in |
string |
"root" |
no |
| spacelift_api_endpoint |
The URL for your Spacelift account (e.g., https://acme.app.spacelift.io/) |
string |
n/a |
yes |
| spacelift_api_key_id |
Spacelift API key ID with admin permissions |
string |
n/a |
yes |
| spacelift_api_key_secret |
Spacelift API key secret with admin permissions |
string |
n/a |
yes |
| spacelift_run_signature_secret |
The secret that will be used to sign the JWT token. It can be any string. |
string |
n/a |
yes |
| stacks |
The stacks that will be triggered and signed via this plugin. |
map(object({ stack_id = string custom_path = optional(string) use_custom_workflow = optional(bool) })) |
n/a |
yes |
| Name |
Description |
| initialization_policy |
The initialization policy that must be assigned to the workerpool for this plugin to work. |