Permissions changing during a run

Last updated: November 7, 2024

Issue: Permissions Changing Between Plan and Apply Stages in Stacks

When using Spacelift, you may encounter permission changes between the plan and apply stages. This can happen because the workspace is persisted and stored between stages, and different workers may handle each phase. This article explains why this occurs and how to ensure permissions remain consistent.

Why Permissions Change

In Spacelift, the workspace is saved to S3 between the plan and apply phases. Since plan and apply stages may be executed on different workers, certain configurations (such as file permissions or environment variables) might not carry over seamlessly.

Common scenarios where this can happen:

  • Autodeploy is Disabled: If autodeploy is off, runs may enter an unconfirmed state, and the apply phase could be scheduled on a different worker.

  • Plan or Approval Policies: If a plan policy generates a warning or an approval policy is in place, these will require confirmation, potentially resulting in a different worker handling the apply phase.

Solution: Reapply Permissions in before_apply Hook

To ensure consistent permissions, add any necessary permission settings in both the before_init and before_apply hooks. This will ensure permissions are correctly set, regardless of worker changes between plan and apply.

Example:

  1. Set Permissions in before_init
    Define any permissions needed for the plan stage.

  2. Set Permissions Again in before_apply
    Duplicate the permissions setup in the before_apply hook to ensure they are in place for the apply phase, even if a different worker is used.
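
One way to keep both hooks identical is to put the permission setup in a single script and call it from each hook. The script below is an added example, not Spacelift's own code; the script name, file paths and modes in the manifest are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical helper, e.g. scripts/fix-perms.sh, run from BOTH hooks:
#   before_init:  sh scripts/fix-perms.sh --apply .
#   before_apply: sh scripts/fix-perms.sh --apply .
# Constructed manifest: "<octal mode> <path relative to workspace root>"
PERM_MANIFEST='755 scripts/deploy.sh
600 secrets/id_deploy
644 config/backend.hcl'

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Reapply every mode in the manifest under root $1, then verify it took effect.
# Returns non-zero if a listed file is missing or ends up with the wrong mode,
# so the hook fails the run instead of applying with unexpected permissions.
reapply_perms() {
  root=$1
  rc=0
  while read -r mode path; do
    [ -n "$mode" ] || continue
    target="$root/$path"
    if [ ! -e "$target" ]; then
      echo "missing: $path" >&2
      rc=1
      continue
    fi
    chmod "$mode" "$target" || { rc=1; continue; }
    actual=$(file_mode "$target")
    if [ "$actual" != "$mode" ]; then
      echo "mode mismatch on $path: want $mode, got $actual" >&2
      rc=1
    fi
  done <<EOF
$PERM_MANIFEST
EOF
  return $rc
}

# Only act when invoked explicitly, so the file can also be sourced.
if [ "${1:-}" = "--apply" ]; then
  reapply_perms "${2:-.}"
fi
```

Because the script is idempotent and verifies its own result, it is safe to run in both phases whether or not the worker changed.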

Additional information on hooks can be found here.