Using Multiple Policies of the Same Type

Last updated: November 10, 2024

Overview

In Spacelift, you can attach multiple policies of the same type, such as Login, Push, or Plan policies. However, some policy types are more prone to conflict than others when several are evaluated together. This article explains how Spacelift evaluates multiple policies of the same type and offers best practices for minimizing potential conflicts.

Policy Evaluation and Merging

When multiple policies of the same type are attached, Spacelift evaluates each policy independently and then merges the decisions. How the merged result behaves depends on the policy type:

  1. Login Policies

    • Deny Precedence: Denies take precedence over allows in Login policies. This means that if any Login policy denies access, the user will be denied access, regardless of other allow rules.

    • Recommendation: To avoid unintentional blocking, it’s recommended to use a single Login policy. This simplifies access control and reduces the risk of conflicting deny rules.

  2. Push Policies

    • Similar to Login policies, Push policies can conflict if multiple policies include both allow and deny rules. Deny rules can block operations even when other policies allow them.

    • Best Practice: Consolidate Push policies when possible to avoid potential conflicts.

  3. Plan Policies

    • Plan policies typically do not conflict because they focus on evaluating plan outputs rather than allowing or denying specific actions. Multiple Plan policies can coexist effectively, as they don’t generally interfere with each other.
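
The deny-precedence merge described above for Login and Push policies, modelled as an added Python example (not Spacelift code; real policies are written in Rego). The policy names, office range, login attempts and the rule that access needs at least one allow are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

OFFICE_NET = ipaddress.ip_network("10.0.0.0/16")  # constructed range

@dataclass(frozen=True)
class Decision:
    allow: bool = False
    deny: bool = False

# Two constructed stand-ins for Login policies attached at the same time.
def platform_team(req):
    return Decision(allow="platform" in req["teams"])

def office_only(req):
    return Decision(deny=ipaddress.ip_address(req["ip"]) not in OFFICE_NET)

POLICIES = {"platform-team": platform_team, "office-only": office_only}

def merge(policies, req):
    """Evaluate every policy on its own, then merge; any deny wins."""
    results = {name: policy(req) for name, policy in policies.items()}
    allowed_by = sorted(n for n, d in results.items() if d.allow)
    denied_by = sorted(n for n, d in results.items() if d.deny)
    return {
        # Assumption: access also needs at least one allow.
        "granted": bool(allowed_by) and not denied_by,
        "allowed_by": allowed_by,
        "denied_by": denied_by,
    }

def find_conflicts(policies, requests):
    """Return logins that one policy allows while another denies."""
    conflicts = []
    for req in requests:
        m = merge(policies, req)
        if m["allowed_by"] and m["denied_by"]:
            conflicts.append((req["login"], m["allowed_by"], m["denied_by"]))
    return conflicts

# Constructed login attempts.
REQUESTS = [
    {"login": "alice", "teams": ["platform"], "ip": "10.0.4.7"},
    {"login": "bob", "teams": ["platform"], "ip": "203.0.113.9"},
    {"login": "carol", "teams": ["finance"], "ip": "10.0.8.1"},
]

if __name__ == "__main__":
    for login, allowed, denied in find_conflicts(POLICIES, REQUESTS):
        print(f"{login}: allowed by {allowed}, blocked by {denied}")
```

Running a set of representative login attempts through a model like this before attaching a second policy shows which users an added deny rule would lock out and which policy is responsible.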