How do wildcard policy attachments work with spaces and stack hierarchies?

Last updated: September 16, 2025

Context

When using wildcard policy attachments (autoattach:*) for policies or contexts in Spacelift, users need to understand how these attachments interact with stack permissions and space hierarchies to ensure proper access control and policy implementation.

Answer

Wildcard policy attachments (autoattach:*) work based on space inheritance rules and are applied to all stacks that can see the policy or context. Here's how it works:

  • The wildcard attachment applies to all stacks in the space where it's defined and all stacks in its child spaces

    • If defined in the root space, the policy or context is applied to any entity it has access to via inheritance. For example, in a child-of-root space with inheritance toggled on, all stacks and modules have the policy or context attached automatically; with inheritance off, they do not.

  • The ability to create and manage policies and contexts is restricted to:

    • Administrators (via the UI)

    • Administrative stacks (via the Terraform provider)
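
The inheritance behavior described above, as an added Terraform example for an administrative stack (not taken from the Spacelift documentation). The space names, the policy name and the Rego body are assumptions chosen for illustration; the example assumes the Spacelift provider's `spacelift_space` and `spacelift_policy` resources.

```hcl
# Constructed example: all names and the policy body are illustrative.

# Child of root with inheritance ON: its stacks and modules can see
# root-space policies, so the autoattach:* policy below attaches to them.
resource "spacelift_space" "platform" {
  name             = "platform"
  parent_space_id  = "root"
  inherit_entities = true
}

# Child of root with inheritance OFF: root-space policies are not visible
# here, so the wildcard policy is not attached to stacks in this space.
resource "spacelift_space" "sandbox" {
  name             = "sandbox"
  parent_space_id  = "root"
  inherit_entities = false
}

# Plan policy defined in the root space with the wildcard label.
resource "spacelift_policy" "no_deletes" {
  name     = "no-resource-deletes"
  type     = "PLAN"
  space_id = "root"
  labels   = ["autoattach:*"]

  body = <<-EOT
    package spacelift

    deny[sprintf("deleting %s is not allowed", [r.address])] {
      r := input.terraform.resource_changes[_]
      r.change.actions[_] == "delete"
    }
  EOT
}
```

To limit the wildcard's reach, set `space_id` to a child space instead of `root`; the policy then applies only to stacks in that space and its child spaces.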

Source: Spacelift Spaces Best Practices Documentation