README.md

File metadata and controls

84 lines (68 loc) · 5.01 KB

MRPICKLE

Manage Roles (and) Policies Incredibly Conveniently Keeping Logins Efficient

What?

This module is designed to generate login policies inside Spacelift that are convenient and simple. Stop worrying about how to grant folks access to your Spacelift organization and let MRPICKLE do it for you.

Here's a simple example of how to use this module:

```hcl
resource "spacelift_space" "billys" {
  name            = "billys-space"
  description     = "only billy can access this"
  parent_space_id = "root"
}

resource "spacelift_space" "johnnys" {
  name            = "johnnys-space"
  description     = "only johnny can access this"
  parent_space_id = "root"
}

resource "spacelift_space" "billy_and_johnnys" {
  name            = "billy-and-johnnys-space"
  description     = "billy and johnny can access this, but only billy is an admin"
  parent_space_id = "root"
}

module "mrpickle" {
  source = "github.com/apollorion/mrpickle"

  admins = [
    "Apollorion"
  ]

  spaces = {
    BILLYS_SPACE = {
      space_id = spacelift_space.billys.id
      admin    = ["Billy"]
    }
    JOHNNYS_SPACE = {
      space_id = spacelift_space.johnnys.id
      admin    = ["Johnny"]
    }
    BILLY_AND_JOHNNYS_SPACE = {
      space_id = spacelift_space.billy_and_johnnys.id
      admin    = ["Billy"]
      write    = ["Johnny"]
      read     = ["Peter"]
    }
  }
}
```

This will create the login policy needed to grant access exactly as you specified in Terraform.

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| `admins` | List of global admins | `list(string)` | `[]` | no |
| `description` | Description of the policy | `string` | `"MRPICKLES generated login policy"` | no |
| `labels` | Labels to add to the login policy | `list(string)` | `null` | no |
| `name` | Name of the policy | `string` | `"MRPICKLES"` | no |
| `session_key` | Session key for the policy | `string` | `"input.session.login"` | no |
| `spaces` | Map of spaces and their permissions | `map(object({ space_id = string, admin = optional(list(string)), write = optional(list(string)), read = optional(list(string)) }))` | `{}` | no |

What is the session_key?

Spacelift can compare many different data points in the login policy input to decide whether a user should be granted access. The session_key is the data point this module uses for that decision. By default it is input.session.login, the username of the user logging in, so the admins, write, and read inputs of this module should contain usernames. If the session key is something else, such as a group, set session_key to that key in the input data and list group names in admins, write, and read instead.

See the Spacelift documentation on the data input for login policies to get an idea of how the session key might be used.
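The usage example and the session_key explanation above describe an access model (global admins, per-space admin/write/read, a configurable session key); here is an added evaluator, not part of the MRPICKLE module, that applies that model to a login session so you can check what a configuration actually grants before applying it. The shape of the session input and the handling of a list-valued key such as input.session.teams are assumptions, as are the placeholder space ids.

```python
# Added example, not part of the MRPICKLE module: applies the README's access model
# (global admins, per-space admin/write/read, configurable session_key) to a login
# session. The session input shape and the handling of a list-valued key such as
# input.session.teams are assumptions, as are the placeholder space ids below.
from dataclasses import dataclass, field

@dataclass
class SpaceGrant:
    space_id: str
    admin: list = field(default_factory=list)
    write: list = field(default_factory=list)
    read: list = field(default_factory=list)

def session_values(session_input: dict, session_key: str) -> set:
    """Resolve a dotted key like 'input.session.login' against the policy input.
    A scalar (login) yields a one-element set; a list (teams) yields every member."""
    node = {"input": session_input}
    for part in session_key.split("."):
        node = node[part]
    return set(node) if isinstance(node, list) else {node}

def effective_access(admins, spaces, session_input, session_key="input.session.login"):
    """Return the global admin flag, the highest role per space (None = no access),
    and whether the login would be allowed at all."""
    ids = session_values(session_input, session_key)
    is_admin = bool(ids & set(admins))
    per_space = {}
    for grant in spaces.values():
        if ids & set(grant.admin):
            per_space[grant.space_id] = "admin"
        elif ids & set(grant.write):
            per_space[grant.space_id] = "write"
        elif ids & set(grant.read):
            per_space[grant.space_id] = "read"
        else:
            per_space[grant.space_id] = None
    allowed = is_admin or any(per_space.values())
    return {"admin": is_admin, "spaces": per_space, "allow": allowed}

# Constructed configuration mirroring the README example; the space ids are placeholders
# standing in for the spacelift_space.*.id values Terraform would resolve.
ADMINS = ["Apollorion"]
SPACES = {
    "BILLYS_SPACE": SpaceGrant("billys-space", admin=["Billy"]),
    "JOHNNYS_SPACE": SpaceGrant("johnnys-space", admin=["Johnny"]),
    "BILLY_AND_JOHNNYS_SPACE": SpaceGrant(
        "billy-and-johnnys-space", admin=["Billy"], write=["Johnny"], read=["Peter"]),
}
```

Calling effective_access with a session that has no matching username or group returns allow False, which is the check worth running for any account you expect to be locked out.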