forked from spacelift-io/terraform-starter
-
Notifications
You must be signed in to change notification settings - Fork 0
/
context.tf
86 lines (80 loc) · 3.47 KB
/
context.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
# This resource defines a Spacelift context - a package of reusable
# configuration.
#
# You can read about contexts here:
#
# https://docs.spacelift.io/concepts/context
resource "spacelift_context" "managed" {
name = "Managed context"
description = "Your first context managed by Terraform"
}
# This is an envioronment variable defined on the context level. When the
# context is attached to the stack, this variable will be added to the stack's
# own environment. And that's how we do configuration reuse here at Spacelift.
# This evironment variable has its write_only bit explicitly set to false, which
# means that you'll be able to read back its valie from both the GUI and the API.
#
# You can read more about environment variables here:
#
# https://docs.spacelift.io/concepts/environment#environment-variables
resource "spacelift_environment_variable" "context-plaintext" {
context_id = spacelift_context.managed.id
name = "CONTEXT_PUBLIC"
value = "This should be visible!"
write_only = false
}
# For another (secret) variable, let's create programmatically create a super
# secret password.
resource "random_password" "context-password" {
length = 32
special = true
}
# This is a secret environment variable. Note how we didn't set the write_only
# bit at all here. This setting always defaults to "true" to protect you against
# an accidental leak of secrets. There will be no way to retrieve the value of
# this variable programmatically, but it will be available to your Spacelift
# runs.
#
# If you accidentally print it out to the logs, no worries: we will obfuscate
# every secret thing we know of.
resource "spacelift_environment_variable" "context-writeonly" {
context_id = spacelift_context.managed.id
name = "CONTEXT_SECRET"
value = random_password.context-password.result
}
# Apart from setting environment variables in your Contexts, you can add files
# to be mounted directly in Spacelift's workspace. For the purpose of this
# experiment, let's export our environemnt variables as JSON-encoded files, too.
#
# You can read more about mounted files here:
#
# https://docs.spacelift.io/concepts/environment#mounted-files
resource "spacelift_mounted_file" "context-plaintext-file" {
context_id = spacelift_context.managed.id
relative_path = "context-plaintext-file.json"
content = base64encode(jsonencode({
payload = spacelift_environment_variable.context-plaintext.value
}))
write_only = false
}
# Since you can't read back the value from a write-only environment variable
# like we just did that for the read-write one, we'll need to retrieve the value
# of the password directly from its resource.
resource "spacelift_mounted_file" "context-secret-file" {
context_id = spacelift_context.managed.id
relative_path = "context-secret-password.json"
content = base64encode(jsonencode({ password = random_password.context-password.result }))
}
# This resource attaches context to a Stack. Since this is many-to-many
# relationship and a single Stack can have multiple contexts attached to it, the
# priority value can be set to indicate the precedence this context should take
# in case of clashes/overrides. The lower the number, the higher the priority.
#
# You can read about attaching and detaching contexts here:
#
# https://docs.spacelift.io/concepts/context#attaching-and-detaching
resource "spacelift_context_attachment" "managed" {
context_id = spacelift_context.managed.id
stack_id = spacelift_stack.managed.id
priority = 0
}