CloudOps

Spacelift Stack & Policy Design Prompt

Design Spacelift stacks, spaces, contexts, and Rego policies for a Terraform org — trigger graphs, drift detection, approval gates, and least-privilege access — instead of bolting GitOps onto raw CI.

Target user: Platform teams adopting Spacelift to orchestrate Terraform/OpenTofu
Difficulty: Advanced
Tools: Claude, ChatGPT

The prompt

You are a platform architect who has rolled out Spacelift to manage hundreds of Terraform stacks with auto-deploy guardrails and policy-as-code.

I will provide:
- Our repo structure (mono vs multi-repo) and how environments map to directories/branches
- Cloud accounts and how we want isolation (per-team, per-env, per-tenant)
- Approval/compliance requirements (who can apply to prod, change windows)
- Whether we use Terraform or OpenTofu, and any Terragrunt usage

Your job:

1. **Stacks vs Spaces** — map our repo to Spacelift stacks; group them into Spaces for RBAC and inheritance. Explain when one stack per directory beats one stack per branch.

2. **Project config** — write the `.spacelift/config.yml` (or stack settings) for project root, autodeploy, terraform/tofu version, and workspace/before-init hooks.

3. **Contexts & integrations** — define shared Contexts (cloud creds via OIDC, shared env vars, mounted files). Show cloud integration (AWS/GCP) using dynamic credentials, not static keys.

4. **Trigger graph** — wire stack dependencies so a network stack's apply triggers downstream app stacks. Show how outputs flow between stacks.

5. **Policies (Rego)** — author the four policy types you actually need:
   - **Plan policy**: deny destroys of stateful resources, require tags, block public S3/SG 0.0.0.0/0.
   - **Approval policy**: require 2 approvals for prod, auto-approve no-op/cost-down plans.
   - **Push policy**: which commits trigger which run (path-based, ignore docs).
   - **Trigger policy**: chain dependent stacks.
   Give runnable Rego for each with sample input.

6. **Drift detection** — schedule drift detection per stack; decide notify-only vs auto-reconcile per environment; route findings to Slack.

7. **Least privilege** — map IdP groups → Spaces → roles (read/write/admin). Ensure prod write requires elevation.

8. **Migration plan** — move from the current CI to Spacelift one non-prod stack at a time, starting with a single stack; import existing state; verify a no-op plan; then cut over prod with a rollback path.

Output as: (a) Spaces/stacks topology diagram, (b) config.yml example, (c) the four Rego policies, (d) drift + notification setup, (e) phased rollout checklist.

Bias toward: dynamic credentials over static, deny-by-default plan policies, and proving a no-op plan before trusting autodeploy.
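The plan policy asked for in item 5, as an added example written for this page (not the page's own or Spacelift's code), in the classic Rego syntax Spacelift policies use: it denies destroys of stateful resources, requires tags, and blocks security-group ingress from 0.0.0.0/0. It assumes the plan arrives as `input.terraform` in Terraform's JSON plan format; the `stateful_types` and `required_tags` sets and the sample input are illustrative choices.

```rego
package spacelift

# Assumption: Spacelift plan policies receive the Terraform JSON plan as input.terraform, so each planned
# change is input.terraform.resource_changes[_] with .address, .type and .change.{actions, after}.
# Constructed sample input that trips all three rules (three deny messages expected):
#  {"terraform":{"resource_changes":[
#   {"address":"aws_db_instance.main","type":"aws_db_instance","change":{"actions":["delete"],"after":null}},
#   {"address":"aws_security_group.web","type":"aws_security_group","change":{"actions":["create"],
#    "after":{"tags":{"owner":"web"},"ingress":[{"cidr_blocks":["0.0.0.0/0"]}]}}}]}}
stateful_types := {"aws_db_instance", "aws_rds_cluster", "aws_dynamodb_table", "aws_s3_bucket"}
required_tags := {"owner", "cost-center"}
mutating_actions := {"create", "update"}

# Rule 1: deny destroy of stateful resources (a replace also plans a delete, so it is caught too).
deny[sprintf("%s: destroying stateful resource type %s is not allowed", [rc.address, rc.type])] {
  rc := input.terraform.resource_changes[_]
  stateful_types[rc.type]
  rc.change.actions[_] == "delete"
}

# Rule 2: created/updated resources that expose a tags attribute must carry every required tag.
deny[sprintf("%s: missing required tag %s", [rc.address, tag])] {
  rc := input.terraform.resource_changes[_]
  mutating(rc)
  has_tags_attribute(rc.change.after)
  tag := required_tags[_]
  not tag_set(rc.change.after.tags, tag)
}

# Rule 3: no security group ingress open to the whole internet.
deny[sprintf("%s: ingress from 0.0.0.0/0 is not allowed", [rc.address])] {
  rc := input.terraform.resource_changes[_]
  mutating(rc)
  ingress_open_to_world(rc)
}

mutating(rc) { mutating_actions[rc.change.actions[_]] }
# Unifying with `_` succeeds when the key exists, even if its value is null (tags unset in HCL).
has_tags_attribute(after) { _ = after.tags }
tag_set(tags, tag) { tags[tag] != "" }

# Inline ingress blocks on aws_security_group ...
ingress_open_to_world(rc) {
  rc.type == "aws_security_group"
  rc.change.after.ingress[_].cidr_blocks[_] == "0.0.0.0/0"
}
# ... and standalone aws_security_group_rule resources with type = "ingress".
ingress_open_to_world(rc) {
  rc.type == "aws_security_group_rule"
  rc.change.after.type == "ingress"
  rc.change.after.cidr_blocks[_] == "0.0.0.0/0"
}
```

Rules 2 and 3 skip deletes on purpose, so removing a non-compliant resource is never blocked by its own missing tags; extend `ingress_open_to_world` with `ipv6_cidr_blocks` and `::/0` if the org uses IPv6.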