🌌Spacelift

CI/CD Automation

You can integrate Resourcely with Spacelift to automatically evaluate your Terraform plans and policies on every pull request, and provide feedback directly within your pull/merge request. To set up Resourcely with Spacelift, you must perform the following steps:

Verifying Prerequisites
Storing the Resourcely API Token
Storing the Github Personal Access Token
Integrate Resourcely CLI into your Plan Hooks

Verify Prerequisites

This document assumes that you have a pre-existing Spacelift account configured. If you do not, you can follow their Getting Started steps here: https://docs.spacelift.io/getting-started

Storing the Resourcely API Token

The Resourcely CLI needs access to a Resourcely API key at build time so it can report findings in your Terraform plans. Spacelift allows you to store these secrets in each stack as an Environment.

In the Spacelift console navigate to the Stack you want to integrate with Resourcely.
Click 'Edit'.
With 'Environment Variable' selected, type RESOURCELY_API_TOKEN as the key.
Paste the API Token generated from the Resourcely portal as the value.
Click "Secret" to save this variable as a secret (this will prevent it from being exposed in stdout).

Storing the GitHub Personal Access Token

We need a GitHub Personal Access Token in order for Resourcely to map your Pull Request URL when your guardrails are evaluated. For details on how to generate a Personal Access Token, you can view the following docs: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens

In the Spacelift console navigate to the Stack you want to integrate with Resourcely.
Click 'Edit'.
With 'Environment Variable' selected, type GH_TOKEN as the key.
Paste the Personal Access Token generated from GitHub as the value.
Click "Secret" to save this variable as a secret (this will prevent it from being exposed in stdout).

Integrate Resourcely CLI into your Plan Hooks

Spacelift allows you to specify Hooks that you can run at different stages of your pipeline. We setup the Resourcely CLI to run after the Plan runs, which allows us to evaluate our guardrails against your planned changes. Use the following steps to setup your Post-Plan flow with Resourcely:

These instructions assume that your Spacelift stack name exactly matches the environment name configured in .resourcely.yaml.

If it does not, you will need to customize how RESOURCELY_EVALUATE_ENVIRONMENTis set in the script below.

See #advanced-resourcely-cli-usagefor more information.

In your desired Stack, navigate to Hooks
Click 'Planning'
Navigate to 'After'
Individually paste the following commands:

LATEST_RELEASE_TAG=$(curl -s -I https://github.com/cli/cli/releases/latest | awk -F '/' '/^location/ {print  substr($NF, 1, length($NF)-1)}')
curl -s -L -O https://github.com/cli/cli/releases/download/$LATEST_RELEASE_TAG/gh_${LATEST_RELEASE_TAG#v}_linux_amd64.tar.gz > /dev/null && tar -zxf gh_${LATEST_RELEASE_TAG#v}_linux_amd64.tar.gz && mv gh_${LATEST_RELEASE_TAG#v}_linux_amd64/bin/gh .
export GH_PR_URL=$(./gh api https://api.github.com/repos/$TF_VAR_spacelift_repository/commits/$TF_VAR_spacelift_commit_sha/pulls | jq -r '.[0].html_url')
terraform show -json spacelift.plan > spacelift.json
LATEST_RELEASE_TAG=$(curl -s -I https://github.com/Resourcely-Inc/resourcely-container-registry/releases/latest | awk -F '/' '/^location/ {print  substr($NF, 1, length($NF)-1)}')
curl -s -L -O https://github.com/Resourcely-Inc/resourcely-container-registry/releases/download/$LATEST_RELEASE_TAG/resourcely-cli-${LATEST_RELEASE_TAG}-linux-amd64.tar.gz > /dev/null && tar xvzf resourcely-cli-${LATEST_RELEASE_TAG}-linux-amd64.tar.gz
[ -z "$GH_PR_URL" ] && export RESOURCELY_EVALUATE_DRY_RUN=true || export RESOURCELY_EVALUATE_DRY_RUN=false
export RESOURCELY_EVALUATE_CHANGE_REQUEST_URL=$GH_PR_URL
export RESOURCELY_EVALUATE_CHANGE_REQUEST_SHA=$TF_VAR_spacelift_commit_sha
export RESOURCELY_EVALUATE_CONFIG_ROOT_PATH=$TF_VAR_spacelift_project_root
export RESOURCELY_EVALUATE_ENVIRONMENT=$TF_VAR_spacelift_stack_id
./resourcely-cli evaluate spacelift.json

Now Resourcely should be integrated into your Terraform flow, and we will alert your PRs with any violations to the Guardrails you've configured.

PreviousScalr NextTerramate

Last updated 5 months ago

Storing the Resourcely API Token

The Resourcely CLI needs access to a Resourcely API key at build time so it can report findings in your Terraform plans. Spacelift allows you to store these secrets in each stack as an Environment.

In the Spacelift console navigate to the Stack you want to integrate with Resourcely.

Click 'Edit'.

With 'Environment Variable' selected, type RESOURCELY_API_TOKEN as the key.

Paste the API Token generated from the Resourcely portal as the value.

Click "Secret" to save this variable as a secret (this will prevent it from being exposed in stdout).

Storing the GitHub Personal Access Token

In the Spacelift console navigate to the Stack you want to integrate with Resourcely.

Click 'Edit'.

With 'Environment Variable' selected, type GH_TOKEN as the key.

Paste the Personal Access Token generated from GitHub as the value.

Click "Secret" to save this variable as a secret (this will prevent it from being exposed in stdout).

Integrate Resourcely CLI into your Plan Hooks

These instructions assume that your Spacelift stack name exactly matches the environment name configured in .resourcely.yaml.

If it does not, you will need to customize how RESOURCELY_EVALUATE_ENVIRONMENTis set in the script below.

See #advanced-resourcely-cli-usagefor more information.

In your desired Stack, navigate to Hooks

Click 'Planning'

Navigate to 'After'

Individually paste the following commands:

LATEST_RELEASE_TAG=$(curl -s -I https://github.com/cli/cli/releases/latest | awk -F '/' '/^location/ {print  substr($NF, 1, length($NF)-1)}')
curl -s -L -O https://github.com/cli/cli/releases/download/$LATEST_RELEASE_TAG/gh_${LATEST_RELEASE_TAG#v}_linux_amd64.tar.gz > /dev/null && tar -zxf gh_${LATEST_RELEASE_TAG#v}_linux_amd64.tar.gz && mv gh_${LATEST_RELEASE_TAG#v}_linux_amd64/bin/gh .
export GH_PR_URL=$(./gh api https://api.github.com/repos/$TF_VAR_spacelift_repository/commits/$TF_VAR_spacelift_commit_sha/pulls | jq -r '.[0].html_url')
terraform show -json spacelift.plan > spacelift.json
LATEST_RELEASE_TAG=$(curl -s -I https://github.com/Resourcely-Inc/resourcely-container-registry/releases/latest | awk -F '/' '/^location/ {print  substr($NF, 1, length($NF)-1)}')
curl -s -L -O https://github.com/Resourcely-Inc/resourcely-container-registry/releases/download/$LATEST_RELEASE_TAG/resourcely-cli-${LATEST_RELEASE_TAG}-linux-amd64.tar.gz > /dev/null && tar xvzf resourcely-cli-${LATEST_RELEASE_TAG}-linux-amd64.tar.gz
[ -z "$GH_PR_URL" ] && export RESOURCELY_EVALUATE_DRY_RUN=true || export RESOURCELY_EVALUATE_DRY_RUN=false
export RESOURCELY_EVALUATE_CHANGE_REQUEST_URL=$GH_PR_URL
export RESOURCELY_EVALUATE_CHANGE_REQUEST_SHA=$TF_VAR_spacelift_commit_sha
export RESOURCELY_EVALUATE_CONFIG_ROOT_PATH=$TF_VAR_spacelift_project_root
export RESOURCELY_EVALUATE_ENVIRONMENT=$TF_VAR_spacelift_stack_id
./resourcely-cli evaluate spacelift.json

Now Resourcely should be integrated into your Terraform flow, and we will alert your PRs with any violations to the Guardrails you've configured.