From 5203fcd9021c54fc8e9cef681c90090dfbc4980e Mon Sep 17 00:00:00 2001 From: "Cloud Posse Bot (CI/CD)" Date: Mon, 5 Aug 2024 14:20:59 -0700 Subject: [PATCH] (github actions) generated latest snippets (#631) --- .../workflows/atmos-components-updater.yml | 40 +++++++ .../atmos-terraform-apply-matrix.yaml | 54 +++++++++- .../workflows/atmos-terraform-apply.yaml | 101 +++++++++++++++++- .../workflows/atmos-terraform-dispatch.yaml | 64 ++++++++++- .../atmos-terraform-drift-detection.yaml | 62 ++++++++++- .../atmos-terraform-drift-remediation.yaml | 46 +++++++- .../atmos-terraform-plan-matrix.yaml | 67 +++++++++++- .../workflows/atmos-terraform-plan.yaml | 50 ++++++++- ...tmos-trigger-spacelift-feature-branch.yaml | 20 ++++ .../atmos-trigger-spacelift-main.yaml | 20 ++++ .../stacks/orgs/acme/core/spacelift.yaml | 33 ++++++ .../stacks/orgs/acme/plat/spacelift.yaml | 34 +++++- .../snippets/stacks/orgs/acme/spacelift.yaml | 43 +++++++- 13 files changed, 625 insertions(+), 9 deletions(-) create mode 100644 examples/snippets/.github/workflows/atmos-components-updater.yml create mode 100644 examples/snippets/.github/workflows/atmos-trigger-spacelift-feature-branch.yaml create mode 100644 examples/snippets/.github/workflows/atmos-trigger-spacelift-main.yaml create mode 100644 examples/snippets/stacks/orgs/acme/core/spacelift.yaml diff --git a/examples/snippets/.github/workflows/atmos-components-updater.yml b/examples/snippets/.github/workflows/atmos-components-updater.yml new file mode 100644 index 000000000..89f54cae5 --- /dev/null +++ b/examples/snippets/.github/workflows/atmos-components-updater.yml 
@@ -0,0 +1,40 @@ +name: "Atmos Component Updater" + +on: + workflow_dispatch: {} + + schedule: + - cron: 0 8 * * * + +jobs: + update: + environment: atmos + runs-on: ["self-hosted", "default"] + steps: + - name: "Checkout source code at current commit" + uses: actions/checkout@v4 + + - name: Generate a token + id: github-app + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ secrets.ATMOS_APP_ID }} + private-key: ${{ secrets.ATMOS_PRIVATE_KEY }} + + - name: Update Atmos Components + uses: cloudposse/github-action-atmos-component-updater@v2 + env: + ATMOS_CLI_CONFIG_PATH: ${{ github.workspace }}/rootfs/usr/local/etc/atmos/ + with: + github-access-token: ${{ steps.github-app.outputs.token }} + log-level: INFO + vendoring-enabled: true + max-number-of-prs: 5 + + - name: Delete abandoned update branches + uses: phpdocker-io/github-actions-delete-abandoned-branches@v2 + with: + github_token: ${{ steps.github-app.outputs.token }} + last_commit_age_days: 0 + allowed_prefixes: "component-update/" + dry_run: no diff --git a/examples/snippets/.github/workflows/atmos-terraform-apply-matrix.yaml b/examples/snippets/.github/workflows/atmos-terraform-apply-matrix.yaml index 4f2e970e9..888e1836d 100644 --- a/examples/snippets/.github/workflows/atmos-terraform-apply-matrix.yaml +++ b/examples/snippets/.github/workflows/atmos-terraform-apply-matrix.yaml 
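Review bot: `dry_run: no` in the last step relies on YAML 1.1 boolean parsing of `no`; action inputs arrive as strings, so write `dry_run: false` to make the value unambiguous for a consumer that compares against the literal `false`. `last_commit_age_days: 0` together with a live run makes every `component-update/` branch eligible for deletion regardless of age, which is presumably intended for branches whose PRs are already closed — confirm against the action's semantics and document it with `# 0 = eligible regardless of last-commit age`. Every third-party action in this hunk (and in the other workflow hunks of this patch) is pinned to a floating tag such as `@v2` rather than a commit SHA, so a tag move upstream silently changes the code that receives the App token; pin to a SHA and keep the tag in a trailing comment.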
@@ -1 +1,53 @@ -PLACEHOLDER +name: 👽 Atmos Terraform Apply Matrix (Reusable) +run-name: 👽 Atmos Terraform Apply Matrix (Reusable) + +on: + workflow_call: + inputs: + stacks: + description: "Stacks" + required: true + type: string + sha: + description: "Commit SHA to apply. Default: github.sha" + type: string + required: false + default: "${{ github.event.pull_request.head.sha }}" + atmos-version: + description: The version of atmos to install + required: false + default: ">= 1.63.0" + type: string + atmos-config-path: + description: The path to the atmos.yaml file + required: true + type: string + +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + +jobs: + atmos-apply: + if: ${{ inputs.stacks != '{include:[]}' }} + name: ${{ matrix.stack_slug }} + runs-on: ["self-hosted", "terraform"] + strategy: + max-parallel: 10 + fail-fast: false # Don't fail fast to avoid locking TF State + matrix: ${{ fromJson(inputs.stacks) }} + ## Avoid running the same stack in parallel mode (from different workflows) + concurrency: + group: ${{ matrix.stack_slug }} + cancel-in-progress: false + steps: + - uses: unfor19/install-aws-cli-action@v1 + + - name: Apply Atmos Component + uses: cloudposse/github-action-atmos-terraform-apply@v2 + with: + component: ${{ matrix.component }} + stack: ${{ matrix.stack }} + sha: ${{ inputs.sha }} + atmos-version: ${{ inputs.atmos-version }} + atmos-config-path: ${{ inputs.atmos-config-path }} diff --git a/examples/snippets/.github/workflows/atmos-terraform-apply.yaml b/examples/snippets/.github/workflows/atmos-terraform-apply.yaml index 4f2e970e9..939f2f9e5 100644 --- a/examples/snippets/.github/workflows/atmos-terraform-apply.yaml +++ b/examples/snippets/.github/workflows/atmos-terraform-apply.yaml 
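Review bot: The `sha` input's description says `Default: github.sha`, but its `default:` is `${{ github.event.pull_request.head.sha }}`, which is empty on events without a pull request; change the description to `Commit SHA to apply. Default: the pull request head SHA (empty on non-PR events, so callers on push should pass it)`. The `if: ${{ inputs.stacks != '{include:[]}' }}` guard compares against one exact serialization of an empty matrix, so any variation in spacing or quoting from the producing action would let an empty matrix through — presumably the affected-stacks action emits exactly this string, and a comment naming that contract (`# sentinel emitted by the affected-stacks action for an empty matrix`) would make the coupling visible. The same guard appears in the atmos-terraform-plan-matrix.yaml hunk.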
@@ -1 +1,100 @@ -PLACEHOLDER +name: 👽 Atmos Terraform Apply +run-name: 👽 Atmos Terraform Apply + + +on: + push: + branches: + - main + +permissions: + id-token: write + contents: read + issues: write + pull-requests: write + +jobs: + pr: + name: PR Context + runs-on: + - "self-hosted" + - "amd64" + - "common" + steps: + - uses: 8BitJonny/gh-get-current-pr@3.0.0 + id: pr + + outputs: + base: ${{ fromJSON(steps.pr.outputs.pr).base.sha }} + head: ${{ fromJSON(steps.pr.outputs.pr).head.sha }} + auto-apply: ${{ contains( fromJSON(steps.pr.outputs.pr).labels.*.name, 'auto-apply') }} + no-apply: ${{ contains( fromJSON(steps.pr.outputs.pr).labels.*.name, 'no-apply') }} + + atmos-affected: + name: Determine Affected Stacks + if: needs.pr.outputs.no-apply == 'false' + needs: ["pr"] + runs-on: ["self-hosted", "terraform"] + steps: + - id: affected + uses: cloudposse/github-action-atmos-affected-stacks@v3 + with: + base-ref: ${{ github.event.pull_request.base.sha }} + head-ref: ${{ github.event.pull_request.head.sha }} + atmos-version: ${{ vars.ATMOS_VERSION }} + atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} + outputs: + stacks: ${{ steps.affected.outputs.matrix }} + has-affected-stacks: ${{ steps.affected.outputs.has-affected-stacks }} + + plan-atmos-components: + needs: ["atmos-affected", "pr"] + if: | + needs.atmos-affected.outputs.has-affected-stacks == 'true' && needs.pr.outputs.auto-apply != 'true' + name: Validate plan (${{ matrix.name }}) + uses: ./.github/workflows/atmos-terraform-plan-matrix.yaml + strategy: + matrix: ${{ fromJson(needs.atmos-affected.outputs.stacks) }} + max-parallel: 1 # This is important to avoid ddos GHA API + fail-fast: false # Don't fail fast to avoid locking TF State + with: + stacks: ${{ matrix.items }} + drift-detection-mode-enabled: "true" + continue-on-error: 'true' + atmos-version: ${{ vars.ATMOS_VERSION }} + atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} + sha: ${{ needs.pr.outputs.head }} + secrets: inherit + + drift-detection: + 
needs: ["atmos-affected", "plan-atmos-components", "pr"] + if: | + always() && needs.atmos-affected.outputs.has-affected-stacks == 'true' && needs.pr.outputs.auto-apply != 'true' + name: Reconcile issues + runs-on: + - "self-hosted" + - "amd64" + - "common" + steps: + - name: Drift Detection + uses: cloudposse/github-action-atmos-terraform-drift-detection@v2 + with: + max-opened-issues: '-1' + process-all: 'false' + + auto-apply: + needs: ["atmos-affected", "pr"] + if: | + needs.atmos-affected.outputs.has-affected-stacks == 'true' && needs.pr.outputs.auto-apply == 'true' + name: Apply (${{ matrix.name }}) + uses: ./.github/workflows/atmos-terraform-apply-matrix.yaml + strategy: + max-parallel: 1 + fail-fast: false # Don't fail fast to avoid locking TF State + matrix: ${{ fromJson(needs.atmos-affected.outputs.stacks) }} + with: + stacks: ${{ matrix.items }} + sha: ${{ needs.pr.outputs.head }} + atmos-version: ${{ vars.ATMOS_VERSION }} + atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} + secrets: inherit diff --git a/examples/snippets/.github/workflows/atmos-terraform-dispatch.yaml b/examples/snippets/.github/workflows/atmos-terraform-dispatch.yaml index 4f2e970e9..f36c3d30e 100644 --- a/examples/snippets/.github/workflows/atmos-terraform-dispatch.yaml +++ b/examples/snippets/.github/workflows/atmos-terraform-dispatch.yaml 
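Review bot: The `atmos-affected` job's `with:` block (earlier in this hunk) passes `base-ref: ${{ github.event.pull_request.base.sha }}` and `head-ref: ${{ github.event.pull_request.head.sha }}`, but this workflow runs on `push` to main, where `github.event.pull_request` does not exist and both expand to empty strings. The `pr` job already derives these values and the `auto-apply` job consumes `needs.pr.outputs.head`, so the affected-stacks step should use `base-ref: ${{ needs.pr.outputs.base }}` and `head-ref: ${{ needs.pr.outputs.head }}`. Whether the action tolerates empty refs or falls back to something else is not visible here — confirm. Separately, `fromJSON(steps.pr.outputs.pr)` in the `pr` job's outputs will fail the expression on a direct push with no associated PR if the action leaves that output empty; a guard such as `steps.pr.outputs.pr != ''` would keep the workflow from erroring in that case.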
@@ -1 +1,63 @@ -PLACEHOLDER +name: 👽 Atmos Terraform Dispatch +run-name: 👽 Atmos Terraform Dispatch + +on: + workflow_dispatch: + inputs: + component: + description: "Atmos Component" + type: string + stack: + description: "Atmos Stack" + type: string + plan: + description: "Terraform Plan" + type: boolean + default: true + apply: + description: "Terraform Apply" + type: boolean + default: false + distinct_id: + description: "Distinct ID" + + +permissions: + id-token: write + contents: read + +jobs: + dispatch-id: + runs-on: ["self-hosted", "terraform"] + steps: + - name: echo Distinct ID ${{ github.event.inputs.distinct_id }} + run: echo ${{ github.event.inputs.distinct_id }} + + atmos-plan: + needs: [ "dispatch-id" ] + if: ${{ inputs.plan }} + name: Plan (${{ inputs.stack }}) + uses: ./.github/workflows/atmos-terraform-plan-matrix.yaml + with: + atmos-version: ${{ vars.ATMOS_VERSION }} + atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} + stacks: | + {"include": [ + {"component": "${{ inputs.component }}", "stack": "${{ inputs.stack }}", "stack_slug": "${{ inputs.stack }}-${{ inputs.component }}"} + ]} + secrets: inherit + + atmos-apply: + needs: ["atmos-plan"] + if: ${{ inputs.apply }} + name: Apply (${{ inputs.stack }}) + uses: ./.github/workflows/atmos-terraform-apply-matrix.yaml + with: + atmos-version: ${{ vars.ATMOS_VERSION }} + atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} + stacks: | + {"include": [ + {"component": "${{ inputs.component }}", "stack": "${{ inputs.stack }}", "stack_slug": "${{ inputs.stack }}-${{ inputs.component }}"} + ]} + secrets: inherit + diff --git a/examples/snippets/.github/workflows/atmos-terraform-drift-detection.yaml b/examples/snippets/.github/workflows/atmos-terraform-drift-detection.yaml index 4f2e970e9..0f6ccb51b 100644 --- a/examples/snippets/.github/workflows/atmos-terraform-drift-detection.yaml +++ b/examples/snippets/.github/workflows/atmos-terraform-drift-detection.yaml 
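Review bot: The `dispatch-id` step interpolates the `distinct_id` input directly into a shell command (`run: echo ${{ github.event.inputs.distinct_id }}`), so the input text becomes part of the script rather than data; pass it through the environment instead: `env:` / `  DISTINCT_ID: ${{ github.event.inputs.distinct_id }}` / `run: echo "$DISTINCT_ID"`. The `component` and `stack` inputs are likewise spliced unquoted into the JSON under `stacks: |` for both the plan and apply jobs, so a value containing a double quote breaks the document; `distinct_id` also lacks a `type:`, and all three deserve a comment stating they are expected to be plain identifiers. Neither `atmos-plan` nor `atmos-apply` passes `sha`, and both reusable workflows default it to `github.event.pull_request.head.sha`, which is empty on `workflow_dispatch`; pass `sha: ${{ github.sha }}` explicitly unless the underlying actions are known to fall back sensibly on an empty value.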
@@ -1 +1,61 @@ -PLACEHOLDER +name: 👽 Atmos Terraform Drift Detection +run-name: 👽 Atmos Terraform Drift Detection + +on: + # push: + # branches: + # - main # this is for debugging only + workflow_dispatch: {} + schedule: + - cron: "0 */12 * * *" + +permissions: + id-token: write + contents: write + issues: write + +jobs: + select-components: + name: Select Components + runs-on: ["self-hosted", "terraform"] + steps: + - name: Selected Components + id: components + uses: cloudposse/github-action-atmos-terraform-select-components@v2 + with: + select-filter: '.settings.github.actions_enabled and .metadata.type != "abstract"' + atmos-version: ${{ vars.ATMOS_VERSION }} + atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} + outputs: + stacks: ${{ steps.components.outputs.matrix }} + has-selected-components: ${{ steps.components.outputs.has-selected-components }} + + plan-atmos-components: + needs: ["select-components"] + if: ${{ needs.select-components.outputs.has-selected-components == 'true' }} + name: Detect Drift (${{ matrix.name }}) + uses: ./.github/workflows/atmos-terraform-plan-matrix.yaml + strategy: + max-parallel: 1 # This is important to avoid ddos GHA API + fail-fast: false # Don't fail fast to avoid locking TF State + matrix: ${{ fromJson(needs.select-components.outputs.stacks) }} + with: + stacks: ${{ matrix.items }} + sha: ${{ github.sha }} + drift-detection-mode-enabled: "true" + continue-on-error: true + atmos-version: ${{ vars.ATMOS_VERSION }} + atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} + secrets: inherit + + drift-detection: + needs: ["plan-atmos-components"] + if: always() + name: Reconcile issues + runs-on: ["self-hosted", "terraform"] + steps: + - name: Drift Detection + uses: cloudposse/github-action-atmos-terraform-drift-detection@v2 + with: + max-opened-issues: '25' + process-all: 'true' 
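Review bot: `permissions: contents: write` is broader than the sibling workflows, which grant `contents: read`; if the select-components and drift-detection actions only read the repository and manage issues, reduce it to `contents: read` (keeping `issues: write`) and leave a comment naming the step that needs write access if one does. `continue-on-error: true` is passed here as a YAML boolean while the reusable workflow declares the input as `type: string` and the apply workflow passes `'true'`; use the quoted form in both places so the callee's `== 'true'` comparison is exercised identically. The final `drift-detection` job has `if: always()`, so it also runs when `select-components` failed; presumably that is intended so issues are reconciled regardless — confirm and note it above the job.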
diff --git a/examples/snippets/.github/workflows/atmos-terraform-drift-remediation.yaml b/examples/snippets/.github/workflows/atmos-terraform-drift-remediation.yaml index 4f2e970e9..594e950fa 100644 --- a/examples/snippets/.github/workflows/atmos-terraform-drift-remediation.yaml +++ b/examples/snippets/.github/workflows/atmos-terraform-drift-remediation.yaml @@ -1 +1,45 @@ -PLACEHOLDER +name: 👽 Atmos Terraform Drift Remediation +run-name: 👽 Atmos Terraform Drift Remediation + +on: + issues: + types: + - labeled + - closed + +permissions: + id-token: write + contents: read + issues: write + +jobs: + remediate-drift: + if: github.event.action == 'labeled' && contains(github.event.issue.labels.*.name, 'apply') + name: Remediate Drift + runs-on: ["self-hosted", "terraform"] + steps: + - name: Remediate Drift + uses: cloudposse/github-action-atmos-terraform-drift-remediation@v2 + with: + issue-number: ${{ github.event.issue.number }} + action: remediate + atmos-version: ${{ vars.ATMOS_VERSION }} + atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} + + discard-drift: + if: > + github.event.action == 'closed' && ( + contains(github.event.issue.labels.*.name, 'drift') || + contains(github.event.issue.labels.*.name, 'error') + ) && + !contains(github.event.issue.labels.*.name, 'remediated') + name: Discard Drift + runs-on: ["self-hosted", "terraform"] + steps: + - name: Discard Drift + uses: cloudposse/github-action-atmos-terraform-drift-remediation@v2 + with: + issue-number: ${{ github.event.issue.number }} + action: discard + atmos-version: ${{ vars.ATMOS_VERSION }} + atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} diff --git a/examples/snippets/.github/workflows/atmos-terraform-plan-matrix.yaml b/examples/snippets/.github/workflows/atmos-terraform-plan-matrix.yaml index 4f2e970e9..2a92373d8 100644 --- a/examples/snippets/.github/workflows/atmos-terraform-plan-matrix.yaml +++ b/examples/snippets/.github/workflows/atmos-terraform-plan-matrix.yaml 
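Review bot: The `remediate-drift` condition `github.event.action == 'labeled' && contains(github.event.issue.labels.*.name, 'apply')` fires on every `labeled` event as long as the `apply` label is already present, so adding any unrelated label to a once-approved drift issue re-runs a Terraform apply with the workflow's OIDC credentials. Checking the label that triggered the event, `github.event.label.name == 'apply'`, limits the apply to the moment the label is added. Since anyone with triage permission can apply labels, a comment above `jobs:` should state that the `apply` label is the approval gate for remediation and which role is expected to hold that permission.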
@@ -1 +1,66 @@ -PLACEHOLDER +name: 👽 Atmos Terraform Plan Matrix (Reusable) +run-name: 👽 Atmos Terraform Plan Matrix (Reusable) + +on: + workflow_call: + inputs: + stacks: + description: "Stacks" + required: true + type: string + drift-detection-mode-enabled: + description: "Indicate whether this action is used in drift detection workflow." + type: string + required: false + default: 'false' + sha: + description: "SHA to use" + required: false + default: "${{ github.event.pull_request.head.sha }}" + type: string + atmos-version: + description: The version of atmos to install + required: false + default: ">= 1.63.0" + type: string + atmos-config-path: + description: The path to the atmos.yaml file + required: true + type: string + continue-on-error: + description: "Prevents a workflow run from failing when a job fails. Set to true to allow a workflow run to pass when this job fails." + required: false + default: "false" + type: string + +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + +jobs: + atmos-plan: + if: ${{ inputs.stacks != '{include:[]}' }} + name: ${{ matrix.stack_slug }} + runs-on: ["self-hosted", "terraform"] + continue-on-error: ${{ inputs.continue-on-error == 'true' }} + strategy: + max-parallel: 10 + fail-fast: false # Don't fail fast to avoid locking TF State + matrix: ${{ fromJson(inputs.stacks) }} + ## Avoid running the same stack in parallel mode (from different workflows) + concurrency: + group: ${{ matrix.stack_slug }} + cancel-in-progress: false + steps: + - uses: unfor19/install-aws-cli-action@v1 + + - name: Plan Atmos Component + uses: cloudposse/github-action-atmos-terraform-plan@v3 + with: + component: ${{ matrix.component }} + stack: ${{ matrix.stack }} + drift-detection-mode-enabled: ${{ inputs.drift-detection-mode-enabled }} + infracost-api-key: ${{ secrets.INFRACOST_API_KEY }} + sha: ${{ inputs.sha }} + atmos-version: ${{ inputs.atmos-version }} + 
atmos-config-path: ${{ inputs.atmos-config-path }} diff --git a/examples/snippets/.github/workflows/atmos-terraform-plan.yaml b/examples/snippets/.github/workflows/atmos-terraform-plan.yaml index 4f2e970e9..56dbc5ee3 100644 --- a/examples/snippets/.github/workflows/atmos-terraform-plan.yaml +++ b/examples/snippets/.github/workflows/atmos-terraform-plan.yaml @@ -1 +1,49 @@ -PLACEHOLDER +name: 👽 Atmos Terraform Plan +run-name: 👽 Atmos Terraform Plan + +on: + pull_request_target: + types: + - opened + - synchronize + - reopened + branches: + - main + +permissions: + id-token: write + contents: read + +jobs: + atmos-affected: + if: ${{ !contains( github.event.pull_request.labels.*.name, 'no-plan') }} + name: Determine Affected Stacks + runs-on: ["self-hosted", "terraform"] + steps: + - id: affected + uses: cloudposse/github-action-atmos-affected-stacks@v3 + with: + atmos-version: ${{ vars.ATMOS_VERSION }} + atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} + base-ref: ${{ github.event.pull_request.base.sha }} + head-ref: ${{ github.event.pull_request.head.sha }} + outputs: + stacks: ${{ steps.affected.outputs.matrix }} + has-affected-stacks: ${{ steps.affected.outputs.has-affected-stacks }} + + atmos-plan: + needs: ["atmos-affected"] + if: ${{ needs.atmos-affected.outputs.has-affected-stacks == 'true' }} + name: Plan (${{ matrix.name }}) + uses: ./.github/workflows/atmos-terraform-plan-matrix.yaml + strategy: + matrix: ${{ fromJson(needs.atmos-affected.outputs.stacks) }} + max-parallel: 1 # This is important to avoid ddos GHA API + fail-fast: false # Don't fail fast to avoid locking TF State + with: + stacks: ${{ matrix.items }} + atmos-version: ${{ vars.ATMOS_VERSION }} + atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} + sha: ${{ github.event.pull_request.head.sha }} + secrets: inherit + 
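Review bot: The `sha` input's description `SHA to use` does not say what happens when it is omitted; its default expands `github.event.pull_request.head.sha`, which is empty for callers triggered by push, schedule or dispatch. Document it as `Commit SHA to plan. Defaults to the pull request head SHA; empty on non-PR events, so callers should pass it explicitly`. The job-level `continue-on-error: ${{ inputs.continue-on-error == 'true' }}` is the only place the string input is interpreted, which is fine, but the input's description should note that only the exact lowercase `'true'` enables it.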
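Review bot: This workflow runs on `pull_request_target` and then plans `github.event.pull_request.head.sha` through the reusable plan matrix with `secrets: inherit` and `id-token: write`, so a pull request opened from a fork gets a Terraform plan executed against its own code while repository secrets (the `INFRACOST_API_KEY` passed in plan-matrix) and cloud OIDC credentials are available. The only gate is the `no-plan` label. If fork PRs are expected, add a same-repository guard to `atmos-affected`, e.g. `if: ${{ !contains(github.event.pull_request.labels.*.name, 'no-plan') && github.event.pull_request.head.repo.full_name == github.repository }}`, or route fork PRs through an environment with required reviewers; if forks are not expected, say so in a comment above `on:` so the trigger choice is not read as an oversight.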
diff --git a/examples/snippets/.github/workflows/atmos-trigger-spacelift-feature-branch.yaml b/examples/snippets/.github/workflows/atmos-trigger-spacelift-feature-branch.yaml new file mode 100644 index 000000000..9b311dd4a --- /dev/null +++ b/examples/snippets/.github/workflows/atmos-trigger-spacelift-feature-branch.yaml @@ -0,0 +1,20 @@ +name: "Plan Affected Spacelift Stacks" + +on: + pull_request: + types: + - opened + - synchronize + - reopened + branches: + - main + +jobs: + context: + runs-on: ["self-hosted", "default"] + steps: + - name: Atmos Affected Stacks Trigger Spacelift + uses: cloudposse/github-action-atmos-affected-trigger-spacelift@v2 + with: + atmos-config-path: ./rootfs/usr/local/etc/atmos + github-token:${{ secrets.GITHUB_TOKEN }} diff --git a/examples/snippets/.github/workflows/atmos-trigger-spacelift-main.yaml b/examples/snippets/.github/workflows/atmos-trigger-spacelift-main.yaml new file mode 100644 index 000000000..9c14a7560 --- /dev/null +++ b/examples/snippets/.github/workflows/atmos-trigger-spacelift-main.yaml @@ -0,0 +1,20 @@ +name: "Deploy Affected Spacelift Stacks" + +on: + pull_request: + types: [closed] + branches: + - main + +jobs: + run: + if: github.event.pull_request.merged == true + runs-on: ["self-hosted", "default"] + steps: + - name: Atmos Affected Stacks Trigger Spacelift + uses: cloudposse/github-action-atmos-affected-trigger-spacelift@v2 + with: + atmos-config-path: ./rootfs/usr/local/etc/atmos + deploy: true + github-token:${{ secrets.GITHUB_TOKEN }} + head-ref:${{ github.sha }}~1 diff --git a/examples/snippets/stacks/orgs/acme/core/spacelift.yaml b/examples/snippets/stacks/orgs/acme/core/spacelift.yaml new file mode 100644 index 000000000..66d894168 --- /dev/null +++ b/examples/snippets/stacks/orgs/acme/core/spacelift.yaml 
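Review bot: `github-token:${{ secrets.GITHUB_TOKEN }}` has no space after the colon, so YAML does not read it as a key/value pair; inside the `with:` mapping this is a parse error and the workflow will not load. Write `github-token: ${{ secrets.GITHUB_TOKEN }}`. The atmos-trigger-spacelift-main.yaml hunk has the same defect on its `github-token:` line and on `head-ref:${{ github.sha }}~1`. Neither workflow declares a `permissions:` block, so `GITHUB_TOKEN` gets the repository default; declare the minimum the action needs (what that is is not visible here — confirm against the action's documentation).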
@@ -0,0 +1,33 @@ +import: + - mixins/region/global-region + - orgs/acme/core/_defaults + - catalog/spacelift/admin-stack + +# These intentionally overwrite the default values +vars: + tenant: core + environment: gbl + stage: spacelift + +components: + terraform: + admin-stack: + metadata: + component: spacelift/admin-stack + inherits: + - admin-stack/default + settings: + spacelift: + space_name: core + labels: + - admin-stack-name:core + vars: + enabled: true + # This admin-stack filters for all non-administrative stacks in the core tenant + context_filters: + tenants: ["core"] + administrative: false # We don't want this stack to also find itself in the config and add itself a second time + labels: + - admin-stack-name:core + child_policy_attachments: + - TRIGGER Dependencies diff --git a/examples/snippets/stacks/orgs/acme/plat/spacelift.yaml b/examples/snippets/stacks/orgs/acme/plat/spacelift.yaml index 4f2e970e9..54dab8c8a 100644 --- a/examples/snippets/stacks/orgs/acme/plat/spacelift.yaml +++ b/examples/snippets/stacks/orgs/acme/plat/spacelift.yaml @@ -1 +1,33 @@ -PLACEHOLDER +import: + - mixins/region/global-region + - orgs/acme/plat/_defaults + - catalog/spacelift/admin-stack + +# These intentionally overwrite the default values +vars: + tenant: plat + environment: gbl + stage: spacelift + +components: + terraform: + admin-stack: + metadata: + component: spacelift/admin-stack + inherits: + - admin-stack/default + settings: + spacelift: + space_name: plat + labels: + - admin-stack-name:plat + vars: + enabled: true + # This admin-stack filters for all non-administrative stacks in the plat tenant + context_filters: + tenants: ["plat"] + administrative: false # We don't want this stack to also find itself in the config and add itself a second time + labels: + - admin-stack-name:plat + child_policy_attachments: + - TRIGGER Dependencies 
diff --git a/examples/snippets/stacks/orgs/acme/spacelift.yaml b/examples/snippets/stacks/orgs/acme/spacelift.yaml index 4f2e970e9..a8c2d0fc9 100644 --- a/examples/snippets/stacks/orgs/acme/spacelift.yaml +++ b/examples/snippets/stacks/orgs/acme/spacelift.yaml @@ -1 +1,42 @@ -PLACEHOLDER +import: + - mixins/region/global-region + - orgs/acme/_defaults + - catalog/spacelift/admin-stack + - catalog/spacelift/spaces + +# These intentionally overwrite the default values +vars: + tenant: root + environment: gbl + stage: spacelift + +components: + terraform: + # This root admin stack creates other admin stacks, spacelift/spaces, and spacelift/worker-pool + admin-stack: + metadata: + component: spacelift/admin-stack + inherits: + - admin-stack/default + settings: + spacelift: + root_administrative: true + labels: + - root-admin + - admin + vars: + enabled: true + root_admin_stack: true # This stack will be created in the root space and will create all the other admin stacks as children. + context_filters: # context_filters determine which child stacks to manage with this admin stack + administrative: true # This stack is managing all the other admin stacks + root_administrative: false # We don't want this stack to also find itself in the config and add itself a second time + labels: + - admin + # attachments only on the root stack + root_stack_policy_attachments: + - TRIGGER Global Administrator + - GIT_PUSH Global Administrator # Always trigger this stack on pushes to main + # this creates policies for the child admin stacks + child_policy_attachments: + - TRIGGER Global Administrator + - GIT_PUSH Global Administrator # Always trigger admin stacks on pushes to main