spacelift-terraform
Installation
SKILL.md
Spacelift
Spacelift orchestrates Terraform via GitOps: GitHub pushes trigger runs, policies govern behavior, contexts inject config, workers execute runs.
- API:
https://<account>.app.spacelift.io/graphql - Terraform provider:
spacelift-io/spacelift - spacectl:
brew install spacelift-io/spacelift/spacectl
Core Concepts
| Concept | Description |
|---|---|
| Stack | Terraform project unit: repo + branch + settings + state |
| Run | Execution of terraform plan (proposed) or plan+apply (tracked) |
| Policy | OPA Rego rule set governing stack behavior (9 types) |
| Context | Reusable bundle of env vars + mounted files + hooks |
| Worker Pool | Set of runners executing runs (public Spacelift-hosted or private) |
| Space | Organizational boundary for access control and resource scoping |
GitOps Workflow
feature branch push
→ push policy → propose
→ proposed run: terraform plan
→ commit status reported to PR
PR merged to tracked branch (e.g., main)
→ push policy → track
→ tracked run: terraform plan
→ if autodeploy: auto-apply
→ else: unconfirmed state → human confirms → apply
Run States
| State | Meaning |
|---|---|
| QUEUED | Waiting for worker; approval policies evaluated here |
| INITIALIZING | Worker starting, downloading source |
| PLANNING | terraform plan running |
| UNCONFIRMED | Plan done, awaiting human confirm (or autodeploy blocked) |
| CONFIRMED | Human confirmed, apply will start |
| APPLYING | terraform apply running |
| FINISHED | Completed successfully |
| FAILED | Run failed at some phase |
| DISCARDED | Manually abandoned |
spacectl Quick Reference
Auth (CI/Agent — non-interactive)
export SPACELIFT_API_KEY_ENDPOINT=https://myorg.app.spacelift.io
export SPACELIFT_API_KEY_ID=$SECRET_KEY_ID
export SPACELIFT_API_KEY_SECRET=$SECRET_KEY_SECRET
GitHub Actions
- uses: spacelift-io/setup-spacectl@main
- run: spacectl stack deploy --id my-stack --auto-confirm --tail
env:
SPACELIFT_API_KEY_ENDPOINT: https://myorg.app.spacelift.io
SPACELIFT_API_KEY_ID: ${{ secrets.SPACELIFT_API_KEY_ID }}
SPACELIFT_API_KEY_SECRET: ${{ secrets.SPACELIFT_API_KEY_SECRET }}
Key Commands
spacectl stack list
spacectl stack deploy --id <stack> --auto-confirm --tail
spacectl stack task --id <stack> --tail 'terraform output -json'
spacectl run list --stack <stack>
spacectl run logs --stack <stack> --run <run-id>
spacectl run confirm --stack <stack> --run <run-id>
spacectl workerpool list
spacectl profile export-token # get bearer token for API calls
Stack Settings Quick Reference
| Field | Key Values |
|---|---|
| Branch | Tracked branch — pushes here trigger tracked runs |
| Project root | Subdirectory for Terraform root (monorepo) |
| Project globs | Sparse checkout paths (requires git checkout mode) |
| Autodeploy | true = auto-apply on clean plan |
| Autoretry | true = retry proposed runs when state changes (private worker only) |
| Worker pool | Assign private pool; required for drift detection |
| Runner image | Custom Docker image (default: public.ecr.aws/spacelift/runner-terraform:latest) |
| Labels | Used by policies for auto-attach and filtering |
| Deletion protection | Prevent accidental stack deletion |
Policy Types Quick Reference
| Type | Fires when | Key outputs |
|---|---|---|
| Push | Git push or PR event | track, propose, ignore, cancel |
| Plan | After terraform plan |
deny (fail), warn (require review) |
| Trigger | Tracked run reaches terminal state | trigger (stack IDs to cascade) |
| Approval | Run enters queued/unconfirmed | approve, reject |
| Login | User login attempt | allow, deny, admin |
| Stack Access | Stack access check | read, write, admin, deny |
| Notification | Any run state change | notification targets |
| Task | Before task runs | allow, deny |
| Run Init | Before run starts (deprecated) | allow, deny |
All policies use Rego v1 (package spacelift). Auto-attach via label autoattach:<label>.
Most Common Patterns
# Push: standard GitOps
track if input.push.branch == input.stack.branch
propose if not is_null(input.pull_request)
ignore if { not track; not propose }
# Plan: block deletions
deny contains sprintf("Deletion not allowed: %s", [c.entity.address]) if {
some c in input.spacelift.run.changes; c.action == "deleted"
}
# Plan: manual review for drift
warn contains "Drift reconciliation requires manual approval" if {
input.spacelift.run.drift_detection
}
# Approval: require 1 reviewer
approve if count(input.reviews.current.approvals) >= 1
Reference Files
| File | Read when |
|---|---|
references/github-terraform-workflow.md |
Setting up GitHub App, branch tracking, PR status checks, push policy patterns, monorepo sparse checkout |
references/stack-configuration.md |
Stack creation fields, VCS settings, Terraform settings, hooks, scheduling, stack dependencies |
references/policies.md |
All 9 policy types with full input schemas, Rego v1 examples, workbench testing |
references/spacectl.md |
CLI installation, auth methods, stack/run/worker commands, CI agent patterns, GraphQL API |
references/contexts-and-config.md |
Context creation, auto-attach labels, priority/conflict resolution, .spacelift/config.yml, env var precedence |
references/worker-pools.md |
Private worker setup (CSR → pool → launch), config vars, network requirements, sizing |
references/drift-detection.md |
Scheduling, reconciliation, plan/trigger policy integration, drift run limits |
references/gcp-integration.md |
Setting up GCP OIDC (WIF), native GCP integration, credential config JSON, Terraform provider auth, hierarchical space access, direct resource access |
references/terraform-provider.md |
Terraform provider config, resource+data source inventory, HCL schemas for all core resources, AWS integration setup, import IDs |
Related skills
More from way-platform/skills
way-magefile
Build tool for Go projects. Use when the user wants to create, edit, or understand Way-specific Magefiles, build targets, or automate Go project tasks.
18way-go-style
Guide for writing idiomatic, effective, and standard Go code. Use this skill when writing, refactoring, or reviewing Go code to ensure adherence to established conventions and best practices.
18ileap
>-
17agents-md
This skill should be used when the user asks to "create AGENTS.md", "update AGENTS.md", "maintain agent docs", "set up CLAUDE.md", or needs to keep agent instructions concise. Guides discovery of local skills and enforces minimal documentation style.
11way-brand-identity
Write copy and use colors according to the Way brand.
11aep
AEP (API Enhancement Proposals) design standards. Use when designing, reviewing, or implementing APIs to ensure compliance with AEP conventions.
5