Manage Roles (and) Policies Incredibly Conveniently Keeping Logins Efficient
This module is designed to generate login policies inside Spacelift that are convenient and simple. Stop worrying about how to grant folks access to your Spacelift organization and let MRPICKLE do it for you.
Here's a simple example of how to use this module:
```hcl
resource "spacelift_space" "billys" {
  name            = "billys-space"
  description     = "only billy can access this"
  parent_space_id = "root"
}

resource "spacelift_space" "johnnys" {
  name            = "johnnys-space"
  description     = "only johnny can access this"
  parent_space_id = "root"
}

resource "spacelift_space" "billy_and_johnnys" {
  name            = "billy-and-johnnys-space"
  description     = "billy and johnny can access this, but only billy is an admin"
  parent_space_id = "root"
}

module "mrpickle" {
  source = "github.com/apollorion/mrpickle"

  admins = [
    "Apollorion"
  ]

  spaces = {
    BILLYS_SPACE = {
      space_id = spacelift_space.billys.id
      admin    = ["Billy"]
    }
    JOHNNYS_SPACE = {
      space_id = spacelift_space.johnnys.id
      admin    = ["Johnny"]
    }
    BILLY_AND_JOHNNYS_SPACE = {
      space_id = spacelift_space.billy_and_johnnys.id
      admin    = ["Billy"]
      write    = ["Johnny"]
      read     = ["Peter"]
    }
  }
}
```
This creates the login policy that grants access as you specify in Terraform.
Name | Description | Type | Default | Required |
---|---|---|---|---|
admins | List of global admins | `list(string)` | `[]` | no |
description | Description of the policy | `string` | `"MRPICKLES generated login policy"` | no |
labels | Labels to add to the login policy | `list(string)` | `null` | no |
name | Name of the policy | `string` | `"MRPICKLES"` | no |
session_key | Session key for the policy | `string` | `"input.session.login"` | no |
spaces | Map of spaces and their permissions | `map(object({` | `{}` | no |
Spacelift can compare against many different data points to determine whether a user should be granted access.
The `session_key` is the data point this module's policy compares against.
By default, it is `input.session.login`, which is the username of the user logging in, so the admins, writers, and readers inputs of this module should be the usernames of the users logging in.
If the session key were something else, such as a group, you would set `session_key` to that key in the input data, and the admins, writers, and readers would be group names.
See the data input for login policies here to get an idea of how the session key might be used.
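
For review purposes, this is the kind of hand-written Spacelift login policy that expresses the same grants as the example above. It is an added illustration, not the module's generated output or the project's own code. The space IDs are constructed placeholders, and the `key`, `global_admins`, `space_admins`, `space_writers` and `space_readers` names are hypothetical.

```rego
package spacelift

# The data point every list below is compared against. This is what the
# module's session_key input selects (default: input.session.login).
key := input.session.login

# Global admins (the module's "admins" input).
global_admins := {"Apollorion"}

# Per-space grants (the module's "spaces" input). The space IDs are
# constructed placeholders; real IDs come from spacelift_space.<name>.id.
space_admins := {
	"BILLYS-SPACE-ID-PLACEHOLDER": {"Billy"},
	"JOHNNYS-SPACE-ID-PLACEHOLDER": {"Johnny"},
	"BILLY-AND-JOHNNYS-SPACE-ID-PLACEHOLDER": {"Billy"}
}

space_writers := {
	"BILLY-AND-JOHNNYS-SPACE-ID-PLACEHOLDER": {"Johnny"}
}

space_readers := {
	"BILLY-AND-JOHNNYS-SPACE-ID-PLACEHOLDER": {"Peter"}
}

# Account-wide admin access for global admins only.
admin { global_admins[key] }

# Anyone named in any list may log in; everyone else is denied by default.
allow { global_admins[key] }
allow { space_admins[_][key] }
allow { space_writers[_][key] }
allow { space_readers[_][key] }

# Space-scoped roles: each rule yields the set of space IDs where the
# session's key appears in the matching list.
space_admin[space_id] { space_admins[space_id][key] }
space_write[space_id] { space_writers[space_id][key] }
space_read[space_id] { space_readers[space_id][key] }
```

Changing `key` to another field of the login input changes what every list entry is matched against, so the list values must be values of that field.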