
Announcing Spaces by Spacelift

Finally! One of our most anticipated features has been released: Spaces by Spacelift, a new feature that lets organizations group their stacks and resources in a more structured, managed way. Spaces unlock capabilities such as multi-tenancy.

What are Spaces?

As your infrastructure grows, so does the number of stacks in Spacelift. Policies on their own can manage everything for a single team in a single account, but eventually you need more fine-grained control. Once you have multiple teams and environments that require different policy scopes, context access, cloud integrations, worker pools, modules, and more, it's time to add some extra guardrails. Spacelift has released Spaces to provide exactly those guardrails.

Spaces create logical permission boundaries for your stacks and resources. For instance, you may want one set of policies to apply only to your development stacks while another set applies to your production stacks; Spaces make this possible. You may also want to ensure your development team has no access to production context values; that is possible too. Spaces can compartmentalize any Spacelift resource and limit access to the stacks within that Space, or within Spaces from which you have allowed inheritance. This compartmentalization also enables multi-tenancy: you can grant users admin rights only in the Space to which they are assigned. With these Space-scoped admin rights, Spaces configured for different environments and organizations can be managed and secured independently while still giving your developers the self-service they need.

Let’s take a look. 

Spaces Layout

[Image: Spaces layout]

As you can see, Spacelift provides a simple visual layout of your Spaces. A solid line indicates that inheritance is enabled, so the child Space inherits all resources from its parent Space; a dotted line indicates that inheritance is not enabled. Inheritance lets you share resources across Spaces without duplicating them.

You may also notice that each Space shows the permissions assigned to it. Space permissions are Read, Write, and Admin, and each higher tier includes the permissions of the tier below it.

Creating Spaces

[Image: Creating Spaces]

Creating Spaces is easy and can be done through the console or through the Spacelift Terraform Provider. To make migration easier, first move all existing resources to the root Space, because you will receive an error if you try to change the Space of a resource that something else still depends on. For instance, if you try to move a context to the dev Space while a stack attached to it still resides in the Legacy Space, you will receive a dependency error.

If you move the context to the root Space first, then, assuming inheritance is enabled, any new Space created under root will inherit that context. This lets you create new Spaces and move stacks as you see fit. Once everything is in place, move the resources from the root Space into their respective Spaces.

Sample Space Policy

package spacelift

# Logins treated as developers; add a login here to grant it developer access
developers := { "sarah" }
login   := input.session.login
is_developer { developers[login] }

# Only developers are allowed to log in under this policy
allow { is_developer }

# Let's give every developer read access to any Space
space_read[space.id] {
  space := input.spaces[_]
  is_developer
}

# Assign write role to developers for spaces with "developers-are-writers" label
space_write[space.id] {
  space := input.spaces[_]
  space.labels[_] == "developers-are-writers"
  is_developer
}

# Assign admin role for the root space for anyone in the admin team
space_admin["root"] {
  input.session.teams[_] == "admin"
}

This OPA policy, written in Rego, covers many of the attributes you may want to set when configuring Spaces. As you can see, every developer gets read access to every Space, developers get write access only on Spaces carrying the "developers-are-writers" label, and anyone in the admin team gets admin on the root Space. This is straightforward and gives you fine-grained guardrails for your Spaces to keep your resources in check.
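Before relying on a login policy as a guardrail, it is worth checking that it grants exactly what the prose above claims and nothing more. The following OPA unit-test file is an added example, not part of the original post or Spacelift's own code; it assumes the policy above is saved as spaces.rego in the same directory and is run with `opa test -v .`. The session and space inputs are constructed for the test.

```rego
package spacelift

# Constructed input: a developer (in the developers set) who is not on the admin team.
dev_input := {
  "session": {"login": "sarah", "teams": ["eng"]},
  "spaces": [
    {"id": "root", "labels": []},
    {"id": "dev", "labels": ["developers-are-writers"]},
    {"id": "prod", "labels": []}
  ]
}

# Constructed input: a login that is neither a developer nor an admin.
outsider_input := {
  "session": {"login": "mallory", "teams": []},
  "spaces": dev_input.spaces
}

# Constructed input: an admin-team member who is not in the developers set.
admin_input := {
  "session": {"login": "ops-lead", "teams": ["admin"]},
  "spaces": dev_input.spaces
}

test_developer_can_log_in { allow with input as dev_input }

test_developer_reads_every_space {
  space_read == {"root", "dev", "prod"} with input as dev_input
}

# Write is granted only where the Space carries the label, so prod stays read-only.
test_developer_writes_only_labelled_spaces {
  space_write == {"dev"} with input as dev_input
}

test_developer_gets_no_admin { count(space_admin) == 0 with input as dev_input }

# Unknown logins get no allow and no Space roles at all.
test_outsider_is_denied {
  not allow with input as outsider_input
  count(space_read) == 0 with input as outsider_input
}

# Admin team gets admin on root only; note that the allow rule as written
# only fires for developers, so this user gets no allow from this policy.
test_admin_team_gets_root_admin_only {
  space_admin == {"root"} with input as admin_input
  count(space_write) == 0 with input as admin_input
  not allow with input as admin_input
}
```

The last test surfaces a point a reviewer would want to raise: `allow` depends solely on `is_developer`, so an admin-team member who is not also listed in `developers` is granted a Space role without the policy itself deriving `allow`.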

What’s Next?

Spaces are available in your account today! So go check out the documentation and get started!
