Can I map multiple Spacelift spaces to a single IDP group?

Last updated: September 8, 2025

Context

When setting up Identity Provider (IDP) group mappings in Spacelift, you may need to grant a single group access to multiple spaces with specific roles.

Answer

Yes, you can map multiple Spacelift spaces to a single IDP group by using multiple policy blocks within the spacelift_idp_group_mapping resource. Here's how to implement this:

1. First, structure your input data to specify the spaces and their corresponding group mappings. For example:

{
    "uniqueindex": 1,
    "name": "Space1",
    "parent_space_id": "Default Space",
    "aad_admin_group": "your-aad-group-guid"
}

2. Create a single spacelift_idp_group_mapping resource with multiple policy blocks:

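resource "spacelift_idp_group_mapping" "aad_groups" {
  # One resource instance per IDP group; the map key is the group GUID
  for_each = local.grouped_assignments
  name     = each.key

  # One policy block per space/role pair assigned to this group
  dynamic "policy" {
    for_each = each.value
    content {
      space_id = spacelift_space.project_spaces[...].id
      role     = policy.value.role
    }
  }
}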

Important: When implementing this approach, remember that:

  • Each IDP group (identified by its GUID) can only have one spacelift_idp_group_mapping resource

  • You need to deduplicate your group mappings before creating the resources

  • Multiple policy blocks within the same mapping allow you to specify different space and role combinations
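
The deduplication step above, as an added example (not Spacelift's own code): one way to build local.grouped_assignments from input shaped like step 1, so that each group GUID becomes exactly one map key. The sample GUIDs, the space_key field, and the choice of the ADMIN role for aad_admin_group are assumptions made for illustration.

```hcl
locals {
  # Constructed sample input in the shape shown in step 1; GUIDs are placeholders.
  spaces = [
    { uniqueindex = 1, name = "Space1", parent_space_id = "Default Space", aad_admin_group = "guid-team-a" },
    { uniqueindex = 2, name = "Space2", parent_space_id = "Default Space", aad_admin_group = "guid-team-a" },
    { uniqueindex = 3, name = "Space3", parent_space_id = "Default Space", aad_admin_group = "guid-team-b" },
  ]

  # One flat record per (group, space, role). distinct() drops exact repeats,
  # for example the same space listed twice in the input.
  assignments = distinct([
    for s in local.spaces : {
      group     = s.aad_admin_group
      space_key = s.name  # hypothetical field: whatever key indexes spacelift_space.project_spaces
      role      = "ADMIN" # assumption: the admin group field maps to the ADMIN role
    }
  ])

  # Group by GUID. The trailing "..." collects every record that shares a key
  # into a list, so a group used by several spaces still yields one map entry
  # (and therefore one spacelift_idp_group_mapping instance).
  grouped_assignments = {
    for a in local.assignments : a.group => a...
  }
}

# Inspect the grouping in `terraform console` before wiring it to the resource.
output "grouped_assignments" {
  value = local.grouped_assignments
}
```

With this sample input, "guid-team-a" maps to two records (Space1 and Space2) and "guid-team-b" to one, which is what the dynamic policy block iterates over as each.value.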