spaceforge 0.0.5__tar.gz → 0.0.6__tar.gz

{spaceforge-0.0.5 → spaceforge-0.0.6}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: spaceforge
-Version: 0.0.5
+Version: 0.0.6
 Summary: A Python framework for building Spacelift plugins
 Home-page: https://github.com/spacelift-io/plugins
 Author: Spacelift
@@ -29,6 +29,7 @@ Requires-Dist: PyYAML>=6.0
 Requires-Dist: click>=8.0.0
 Requires-Dist: pydantic>=2.11.7
 Requires-Dist: Jinja2>=3.1.0
+Requires-Dist: mergedeep>=1.3.4
 Provides-Extra: dev
 Requires-Dist: pytest>=6.0; extra == "dev"
 Requires-Dist: pytest-cov; extra == "dev"

spaceforge-0.0.6/plugins/enviroment_manager/plugin.py

@@ -0,0 +1,248 @@
+from spaceforge import SpaceforgePlugin, MountedFile, Context
+
+import yaml
+import os
+
+class EnvironmentManagerPlugin(SpaceforgePlugin):
+    """
+# Spacelift Environment Variable Manager
+This plugin allows you to manage Spacelift environment variables using a centralized YAML configuration file for multiple stacks.
+
+## Features
+- Centralized management of environment variables across multiple stacks.
+- Supports sensitive variables.
+- Preview of environment variable changes across stacks before applying changes here.
+
+**Hint:** Use this in combination with the `sops` plugin to manage secrets in your environment variables.
+
+## Usage
+Add this plugin to an **administrative** stack in your Spacelift account, the stack **must** have the `Spacelift` OpenTofu/Terraform provider configured.
+example:
+```hcl
+terraform {
+  required_providers {
+    spacelift = {
+      source  = "spacelift-io/spacelift"
+      version = "~> 1.0"
+    }
+  }
+}
+
+provider "spacelift" {}
+```
+
+1. **YAML Configuration**: Environment variables are defined in `vars.yaml` using the following structure:
+   ```yaml
+   stack-id:
+     - name: VARIABLE_NAME
+       value: variable_value
+       sensitive: false
+   ```
+
+2. **Terraform Processing**: The main Terraform configuration:
+   - Reads and parses the YAML file using `yamldecode(file("vars.yaml"))`
+   - Flattens the structure into a list of variables with their associated stack IDs
+   - Creates `spacelift_environment_variable` resources for each variable
+
+3. **Stack Association**: Variables are automatically associated with their respective stacks based on the stack ids defined in the YAML file.
+
+**note:** when using this plugin, if you open a PR to your variables file, the changes of the child stacks will be previewed and linked.
+
+## Example Configuration
+
+### vars.yaml
+```yaml
+env-var-yaml-1:
+  - name: KUBECONFIG
+    value: /home/joey/.kube/config
+    sensitive: false
+
+env-var-yaml-2:
+  - name: AWS_PROFILE
+    value: test
+    sensitive: false
+  - name: MY_AWESOME_SECRET
+    value: HelloWorld
+    sensitive: true
+```
+
+The above configuration will create the following in a plan:
+
+```ansi
+# spacelift_environment_variable.this["env-var-yaml-1_KUBECONFIG"] will be created
+  + resource "spacelift_environment_variable" "this" {
+      + checksum   = (known after apply)
+      + id         = (known after apply)
+      + name       = "KUBECONFIG"
+      + stack_id   = "env-var-yaml-1"
+      + value      = (sensitive value)
+      + write_only = false
+    }
+
+  # spacelift_environment_variable.this["env-var-yaml-2_AWS_PROFILE"] will be created
+  + resource "spacelift_environment_variable" "this" {
+      + checksum   = (known after apply)
+      + id         = (known after apply)
+      + name       = "AWS_PROFILE"
+      + stack_id   = "env-var-yaml-2"
+      + value      = (sensitive value)
+      + write_only = false
+    }
+
+  # spacelift_environment_variable.this["env-var-yaml-2_MY_AWESOME_SECRET"] will be created
+  + resource "spacelift_environment_variable" "this" {
+      + checksum   = (known after apply)
+      + id         = (known after apply)
+      + name       = "MY_AWESOME_SECRET"
+      + stack_id   = "env-var-yaml-2"
+      + value      = (sensitive value)
+      + write_only = true
+    }
+```
+    """
+
+    # Plugin metadata
+    __plugin_name__ = "Environment Manager"
+    __labels__ = ["management", "infrastructure"]
+    __version__ = "1.0.0"
+    __author__ = "Spacelift Team"
+
+    __contexts__ = [
+        Context(
+            name_prefix="Environment Manager",
+            description="Environment Manager Plugin",
+            hooks = {
+                "before_init": [
+                    "mv /mnt/workspace/__environment_manager.tf /mnt/workspace/source/$TF_VAR_spacelift_project_root/__environment_manager.tf",
+                ]
+            },
+            mounted_files=[
+                MountedFile(
+                    path="__environment_manager.tf",
+                    content="""
+locals {
+  __env_vars = {
+    for obj in flatten([
+      for stack_id, values in yamldecode(file("${path.module}/vars.yaml")) : [
+        for v in values : {
+          stack_id   = stack_id
+          name       = v.name
+          value      = v.value
+          write_only = v.write_only
+        }
+      ]
+    ]) : "${obj.stack_id}_${obj.name}" => obj
+  }
+}
+
+resource "spacelift_environment_variable" "__this" {
+  for_each = local.__env_vars
+
+  stack_id   = each.value.stack_id
+  name       = each.value.name
+  value      = each.value.value
+  write_only = each.value.write_only
+}
+            """
+                )
+            ]
+        )
+    ]
+
+    def load_yaml_file(self, file_path):
+        """Load YAML file and return parsed content"""
+        try:
+            with open(file_path, 'r') as file:
+                return yaml.safe_load(file)
+        except FileNotFoundError:
+            self.logger.error(f"Error: File {file_path} not found")
+            exit(1)
+        except yaml.YAMLError as e:
+            self.logger.error(f"Error parsing YAML: {e}")
+            exit(1)
+
+    def convert_to_runtime_config(self, yaml_data):
+        """Convert YAML data to Spacelift runtime config format"""
+        runtime_config = {}
+
+        for stack_id, env_vars in yaml_data.items():
+            if not isinstance(env_vars, list):
+                self.logger.error(f"Error: Environment variables for stack '{stack_id}' must be a list")
+                exit(1)
+
+            runtime_config[stack_id] = {
+                "environment": {}
+            }
+
+            for var in env_vars:
+                runtime_config[stack_id]["environment"][var["name"]] = var["value"]
+
+        return runtime_config
+
+    def trigger_stack_previews(self, runtime_config: dict):
+        """Trigger stack previews using Spacelift API"""
+
+        markdown = []
+
+        for stack_id, env in runtime_config.items():
+
+            # Get the current tracked sha from the stack
+            query = "{ stack(id: \"" + stack_id + "\") { trackedCommit { hash } } }"
+            response = self.query_api(query)
+            if "errors" in response:
+                self.logger.error("Error fetching stack tracked commit:", response["errors"])
+                continue
+
+            # Ensure we have a tracked commit
+            try:
+                tracked_commit = response["data"]["stack"]["trackedCommit"]["hash"]
+            except TypeError:
+                tracked_commit = None
+            if tracked_commit is None:
+                self.logger.error(f"Stack {stack_id} has no tracked commit. Skipping.")
+                continue
+
+            # Trigger the stack preview with the current tracked commit SHA
+            query = """
+            mutation TriggerStackPreview($stack: ID!, $commitSHA: String!, $runtimeConfig: String!) {
+                runTrigger(stack: $stack, commitSha: $commitSHA, runType: PROPOSED, runtimeConfig: { yaml: $runtimeConfig }) {
+                    id
+                }
+            }
+            """
+
+            variables = {
+                "stack": stack_id,
+                "commitSHA": tracked_commit,
+                "runtimeConfig": yaml.dump(env)
+            }
+
+            response = self.query_api(query, variables)
+            if "errors" in response:
+                self.logger.error(f"Error triggering stack preview for {stack_id}:", response["errors"])
+            else:
+                url = f"https://{self.spacelift_domain}/stack/{stack_id}/run/{response['data']['runTrigger']['id']}"
+                markdown.append(f"- Triggered [stack preview]({url}) for {stack_id} with commit {tracked_commit}.")
+
+        if len(markdown) > 0:
+            mdown = "# Stack Previews Triggered\n\n" + "\n".join(markdown)
+            success = self.send_markdown(mdown)
+            if not success:
+                self.logger.error("Failed to send markdown message with stack previews.")
+                self.logger.info(mdown)
+
+
+    def before_init(self):
+        # ensure we are in a proposed run
+        if os.getenv("TF_VAR_spacelift_run_type") != "PROPOSED":
+            # This script should only be run in a proposed run context.
+            return
+
+        # Load YAML data
+        yaml_data = self.load_yaml_file("vars.yaml")
+
+        # Convert to runtime config
+        runtime_config = self.convert_to_runtime_config(yaml_data)
+
+        # Trigger stack previews
+        self.trigger_stack_previews(runtime_config)

spaceforge-0.0.6/plugins/enviroment_manager/plugin.yaml

@@ -0,0 +1,416 @@
+name: Environment Manager
+version: 1.0.0
+description: |-
+  # Spacelift Environment Variable Manager
+  This plugin allows you to manage Spacelift environment variables using a centralized YAML configuration file for multiple stacks.
+
+  ## Features
+  - Centralized management of environment variables across multiple stacks.
+  - Supports sensitive variables.
+  - Preview of environment variable changes across stacks before applying changes here.
+
+  **Hint:** Use this in combination with the `sops` plugin to manage secrets in your environment variables.
+
+  ## Usage
+  Add this plugin to an **administrative** stack in your Spacelift account, the stack **must** have the `Spacelift` OpenTofu/Terraform provider configured.
+  example:
+  ```hcl
+  terraform {
+    required_providers {
+      spacelift = {
+        source  = "spacelift-io/spacelift"
+        version = "~> 1.0"
+      }
+    }
+  }
+
+  provider "spacelift" {}
+  ```
+
+  1. **YAML Configuration**: Environment variables are defined in `vars.yaml` using the following structure:
+     ```yaml
+     stack-id:
+       - name: VARIABLE_NAME
+         value: variable_value
+         sensitive: false
+     ```
+
+  2. **Terraform Processing**: The main Terraform configuration:
+     - Reads and parses the YAML file using `yamldecode(file("vars.yaml"))`
+     - Flattens the structure into a list of variables with their associated stack IDs
+     - Creates `spacelift_environment_variable` resources for each variable
+
+  3. **Stack Association**: Variables are automatically associated with their respective stacks based on the stack ids defined in the YAML file.
+
+  **note:** when using this plugin, if you open a PR to your variables file, the changes of the child stacks will be previewed and linked.
+
+  ## Example Configuration
+
+  ### vars.yaml
+  ```yaml
+  env-var-yaml-1:
+    - name: KUBECONFIG
+      value: /home/joey/.kube/config
+      sensitive: false
+
+  env-var-yaml-2:
+    - name: AWS_PROFILE
+      value: test
+      sensitive: false
+    - name: MY_AWESOME_SECRET
+      value: HelloWorld
+      sensitive: true
+  ```
+
+  The above configuration will create the following in a plan:
+
+  ```ansi
+  # spacelift_environment_variable.this["env-var-yaml-1_KUBECONFIG"] will be created
+    + resource "spacelift_environment_variable" "this" {
+        + checksum   = (known after apply)
+        + id         = (known after apply)
+        + name       = "KUBECONFIG"
+        + stack_id   = "env-var-yaml-1"
+        + value      = (sensitive value)
+        + write_only = false
+      }
+
+    # spacelift_environment_variable.this["env-var-yaml-2_AWS_PROFILE"] will be created
+    + resource "spacelift_environment_variable" "this" {
+        + checksum   = (known after apply)
+        + id         = (known after apply)
+        + name       = "AWS_PROFILE"
+        + stack_id   = "env-var-yaml-2"
+        + value      = (sensitive value)
+        + write_only = false
+      }
+
+    # spacelift_environment_variable.this["env-var-yaml-2_MY_AWESOME_SECRET"] will be created
+    + resource "spacelift_environment_variable" "this" {
+        + checksum   = (known after apply)
+        + id         = (known after apply)
+        + name       = "MY_AWESOME_SECRET"
+        + stack_id   = "env-var-yaml-2"
+        + value      = (sensitive value)
+        + write_only = true
+      }
+  ```
+author: Spacelift Team
+labels:
+- management
+- infrastructure
+contexts:
+- name_prefix: Environment Manager
+  description: Environment Manager Plugin
+  env: []
+  mounted_files:
+  - path: __environment_manager.tf
+    content: |-
+      locals {
+        __env_vars = {
+          for obj in flatten([
+            for stack_id, values in yamldecode(file("${path.module}/vars.yaml")) : [
+              for v in values : {
+                stack_id   = stack_id
+                name       = v.name
+                value      = v.value
+                write_only = v.write_only
+              }
+            ]
+          ]) : "${obj.stack_id}_${obj.name}" => obj
+        }
+      }
+
+      resource "spacelift_environment_variable" "__this" {
+        for_each = local.__env_vars
+
+        stack_id   = each.value.stack_id
+        name       = each.value.name
+        value      = each.value.value
+        write_only = each.value.write_only
+      }
+    sensitive: false
+  - path: /mnt/workspace/plugins/environment manager/requirements.txt
+    content: pyyaml==6.0.2
+    sensitive: false
+  - path: /mnt/workspace/plugins/environment manager/plugin.py
+    content: |-
+      from spaceforge import SpaceforgePlugin, MountedFile, Context
+
+      import yaml
+      import os
+
+      class EnvironmentManagerPlugin(SpaceforgePlugin):
+          """
+      # Spacelift Environment Variable Manager
+      This plugin allows you to manage Spacelift environment variables using a centralized YAML configuration file for multiple stacks.
+
+      ## Features
+      - Centralized management of environment variables across multiple stacks.
+      - Supports sensitive variables.
+      - Preview of environment variable changes across stacks before applying changes here.
+
+      **Hint:** Use this in combination with the `sops` plugin to manage secrets in your environment variables.
+
+      ## Usage
+      Add this plugin to an **administrative** stack in your Spacelift account, the stack **must** have the `Spacelift` OpenTofu/Terraform provider configured.
+      example:
+      ```hcl
+      terraform {
+        required_providers {
+          spacelift = {
+            source  = "spacelift-io/spacelift"
+            version = "~> 1.0"
+          }
+        }
+      }
+
+      provider "spacelift" {}
+      ```
+
+      1. **YAML Configuration**: Environment variables are defined in `vars.yaml` using the following structure:
+         ```yaml
+         stack-id:
+           - name: VARIABLE_NAME
+             value: variable_value
+             sensitive: false
+         ```
+
+      2. **Terraform Processing**: The main Terraform configuration:
+         - Reads and parses the YAML file using `yamldecode(file("vars.yaml"))`
+         - Flattens the structure into a list of variables with their associated stack IDs
+         - Creates `spacelift_environment_variable` resources for each variable
+
+      3. **Stack Association**: Variables are automatically associated with their respective stacks based on the stack ids defined in the YAML file.
+
+      **note:** when using this plugin, if you open a PR to your variables file, the changes of the child stacks will be previewed and linked.
+
+      ## Example Configuration
+
+      ### vars.yaml
+      ```yaml
+      env-var-yaml-1:
+        - name: KUBECONFIG
+          value: /home/joey/.kube/config
+          sensitive: false
+
+      env-var-yaml-2:
+        - name: AWS_PROFILE
+          value: test
+          sensitive: false
+        - name: MY_AWESOME_SECRET
+          value: HelloWorld
+          sensitive: true
+      ```
+
+      The above configuration will create the following in a plan:
+
+      ```ansi
+      # spacelift_environment_variable.this["env-var-yaml-1_KUBECONFIG"] will be created
+        + resource "spacelift_environment_variable" "this" {
+            + checksum   = (known after apply)
+            + id         = (known after apply)
+            + name       = "KUBECONFIG"
+            + stack_id   = "env-var-yaml-1"
+            + value      = (sensitive value)
+            + write_only = false
+          }
+
+        # spacelift_environment_variable.this["env-var-yaml-2_AWS_PROFILE"] will be created
+        + resource "spacelift_environment_variable" "this" {
+            + checksum   = (known after apply)
+            + id         = (known after apply)
+            + name       = "AWS_PROFILE"
+            + stack_id   = "env-var-yaml-2"
+            + value      = (sensitive value)
+            + write_only = false
+          }
+
+        # spacelift_environment_variable.this["env-var-yaml-2_MY_AWESOME_SECRET"] will be created
+        + resource "spacelift_environment_variable" "this" {
+            + checksum   = (known after apply)
+            + id         = (known after apply)
+            + name       = "MY_AWESOME_SECRET"
+            + stack_id   = "env-var-yaml-2"
+            + value      = (sensitive value)
+            + write_only = true
+          }
+      ```
+          """
+
+          # Plugin metadata
+          __plugin_name__ = "Environment Manager"
+          __labels__ = ["management", "infrastructure"]
+          __version__ = "1.0.0"
+          __author__ = "Spacelift Team"
+
+          __contexts__ = [
+              Context(
+                  name_prefix="Environment Manager",
+                  description="Environment Manager Plugin",
+                  hooks = {
+                      "before_init": [
+                          "mv /mnt/workspace/__environment_manager.tf /mnt/workspace/source/$TF_VAR_spacelift_project_root/__environment_manager.tf",
+                      ]
+                  },
+                  mounted_files=[
+                      MountedFile(
+                          path="__environment_manager.tf",
+                          content="""
+      locals {
+        __env_vars = {
+          for obj in flatten([
+            for stack_id, values in yamldecode(file("${path.module}/vars.yaml")) : [
+              for v in values : {
+                stack_id   = stack_id
+                name       = v.name
+                value      = v.value
+                write_only = v.write_only
+              }
+            ]
+          ]) : "${obj.stack_id}_${obj.name}" => obj
+        }
+      }
+
+      resource "spacelift_environment_variable" "__this" {
+        for_each = local.__env_vars
+
+        stack_id   = each.value.stack_id
+        name       = each.value.name
+        value      = each.value.value
+        write_only = each.value.write_only
+      }
+                  """
+                      )
+                  ]
+              )
+          ]
+
+          def load_yaml_file(self, file_path):
+              """Load YAML file and return parsed content"""
+              try:
+                  with open(file_path, 'r') as file:
+                      return yaml.safe_load(file)
+              except FileNotFoundError:
+                  self.logger.error(f"Error: File {file_path} not found")
+                  exit(1)
+              except yaml.YAMLError as e:
+                  self.logger.error(f"Error parsing YAML: {e}")
+                  exit(1)
+
+          def convert_to_runtime_config(self, yaml_data):
+              """Convert YAML data to Spacelift runtime config format"""
+              runtime_config = {}
+
+              for stack_id, env_vars in yaml_data.items():
+                  if not isinstance(env_vars, list):
+                      self.logger.error(f"Error: Environment variables for stack '{stack_id}' must be a list")
+                      exit(1)
+
+                  runtime_config[stack_id] = {
+                      "environment": {}
+                  }
+
+                  for var in env_vars:
+                      runtime_config[stack_id]["environment"][var["name"]] = var["value"]
+
+              return runtime_config
+
+          def trigger_stack_previews(self, runtime_config: dict):
+              """Trigger stack previews using Spacelift API"""
+
+              markdown = []
+
+              for stack_id, env in runtime_config.items():
+
+                  # Get the current tracked sha from the stack
+                  query = "{ stack(id: \"" + stack_id + "\") { trackedCommit { hash } } }"
+                  response = self.query_api(query)
+                  if "errors" in response:
+                      self.logger.error("Error fetching stack tracked commit:", response["errors"])
+                      continue
+
+                  # Ensure we have a tracked commit
+                  try:
+                      tracked_commit = response["data"]["stack"]["trackedCommit"]["hash"]
+                  except TypeError:
+                      tracked_commit = None
+                  if tracked_commit is None:
+                      self.logger.error(f"Stack {stack_id} has no tracked commit. Skipping.")
+                      continue
+
+                  # Trigger the stack preview with the current tracked commit SHA
+                  query = """
+                  mutation TriggerStackPreview($stack: ID!, $commitSHA: String!, $runtimeConfig: String!) {
+                      runTrigger(stack: $stack, commitSha: $commitSHA, runType: PROPOSED, runtimeConfig: { yaml: $runtimeConfig }) {
+                          id
+                      }
+                  }
+                  """
+
+                  variables = {
+                      "stack": stack_id,
+                      "commitSHA": tracked_commit,
+                      "runtimeConfig": yaml.dump(env)
+                  }
+
+                  response = self.query_api(query, variables)
+                  if "errors" in response:
+                      self.logger.error(f"Error triggering stack preview for {stack_id}:", response["errors"])
+                  else:
+                      url = f"https://{self.spacelift_domain}/stack/{stack_id}/run/{response['data']['runTrigger']['id']}"
+                      markdown.append(f"- Triggered [stack preview]({url}) for {stack_id} with commit {tracked_commit}.")
+
+              if len(markdown) > 0:
+                  mdown = "# Stack Previews Triggered\n\n" + "\n".join(markdown)
+                  success = self.send_markdown(mdown)
+                  if not success:
+                      self.logger.error("Failed to send markdown message with stack previews.")
+                      self.logger.info(mdown)
+
+
+          def before_init(self):
+              # ensure we are in a proposed run
+              if os.getenv("TF_VAR_spacelift_run_type") != "PROPOSED":
+                  # This script should only be run in a proposed run context.
+                  return
+
+              # Load YAML data
+              yaml_data = self.load_yaml_file("vars.yaml")
+
+              # Convert to runtime config
+              runtime_config = self.convert_to_runtime_config(yaml_data)
+
+              # Trigger stack previews
+              self.trigger_stack_previews(runtime_config)
+    sensitive: false
+  - path: /mnt/workspace/plugins/environment manager/before_init.sh
+    content: |-
+      #!/bin/sh
+
+      set -e
+
+      cd /mnt/workspace/plugins/environment manager
+
+      if [ ! -d "./venv" ]; then
+          python -m venv ./venv
+      fi
+      . venv/bin/activate
+
+      if ! command -v spaceforge; then
+          pip install spaceforge
+      fi
+
+      if [ -f requirements.txt ] && [ ! -f .spaceforge_installed_requirements ]; then
+          pip install -r requirements.txt
+          touch .spaceforge_installed_requirements
+      fi
+
+      cd /mnt/workspace/source/$TF_VAR_spacelift_project_root
+      spaceforge runner --plugin-file /mnt/workspace/plugins/environment manager/plugin.py before_init
+    sensitive: false
+  hooks:
+    before_init:
+    - mv /mnt/workspace/__environment_manager.tf /mnt/workspace/source/$TF_VAR_spacelift_project_root/__environment_manager.tf
+    - mkdir -p /mnt/workspace/plugins/environment manager
+    - chmod +x /mnt/workspace/plugins/environment manager/before_init.sh && /mnt/workspace/plugins/environment manager/before_init.sh

spaceforge-0.0.6/plugins/enviroment_manager/requirements.txt

@@ -0,0 +1 @@
+pyyaml==6.0.2

{spaceforge-0.0.5 → spaceforge-0.0.6}/plugins/sops/plugin.yaml

@@ -179,6 +179,8 @@ contexts:
           touch .spaceforge_installed_requirements
       fi
 
+      export PATH="/mnt/workspace/plugins/plugin_binaries:$PATH"
+
       cd /mnt/workspace/source/$TF_VAR_spacelift_project_root
       spaceforge runner --plugin-file /mnt/workspace/plugins/sops/plugin.py before_init
     sensitive: false

{spaceforge-0.0.5 → spaceforge-0.0.6}/plugins/wiz/plugin.py

@@ -79,13 +79,33 @@ Samples of these policies are included with the plugin.
     __policies__ = [
         Policy(
             name_prefix="wiz_policy",
-            type="notification",
+            type="PLAN",
             body="""
 package spacelift
 
-webhook[{"endpoint_id": "wiz-alert-endpoint"}] {
-  input.run_updated.run.type == "TRACKED"
-  input.run_updated.run.marked_unsafe == true
+max_critical_vulnerabilities := 0
+max_high_vulnerabilities := 0
+max_medium_vulnerabilities := 3
+max_low_vulnerabilities := 10
+
+deny[sprintf("Too many critical vulnerabilities (%d)", [num])] {
+	num := input.third_party_metadata.custom.wiz.result.scanStatistics.criticalMatches
+    num > max_critical_vulnerabilities
+}
+
+deny[sprintf("Too many high vulnerabilities (%d)", [num])] {
+	num := input.third_party_metadata.custom.wiz.result.scanStatistics.highMatches
+    num > max_high_vulnerabilities
+}
+
+deny[sprintf("Too many medium vulnerabilities (%d)", [num])] {
+	num := input.third_party_metadata.custom.wiz.result.scanStatistics.mediumMatches
+    num > max_medium_vulnerabilities
+}
+
+deny[sprintf("Too many low vulnerabilities (%d)", [num])] {
+	num := input.third_party_metadata.custom.wiz.result.scanStatistics.lowMatches
+    num > max_low_vulnerabilities
 }
             """,
             labels=[

{spaceforge-0.0.5 → spaceforge-0.0.6}/plugins/wiz/plugin.yaml

@@ -125,13 +125,33 @@ contexts:
           __policies__ = [
               Policy(
                   name_prefix="wiz_policy",
-                  type="notification",
+                  type="PLAN",
                   body="""
       package spacelift
 
-      webhook[{"endpoint_id": "wiz-alert-endpoint"}] {
-        input.run_updated.run.type == "TRACKED"
-        input.run_updated.run.marked_unsafe == true
+      max_critical_vulnerabilities := 0
+      max_high_vulnerabilities := 0
+      max_medium_vulnerabilities := 3
+      max_low_vulnerabilities := 10
+
+      deny[sprintf("Too many critical vulnerabilities (%d)", [num])] {
+      	num := input.third_party_metadata.custom.wiz.result.scanStatistics.criticalMatches
+          num > max_critical_vulnerabilities
+      }
+
+      deny[sprintf("Too many high vulnerabilities (%d)", [num])] {
+      	num := input.third_party_metadata.custom.wiz.result.scanStatistics.highMatches
+          num > max_high_vulnerabilities
+      }
+
+      deny[sprintf("Too many medium vulnerabilities (%d)", [num])] {
+      	num := input.third_party_metadata.custom.wiz.result.scanStatistics.mediumMatches
+          num > max_medium_vulnerabilities
+      }
+
+      deny[sprintf("Too many low vulnerabilities (%d)", [num])] {
+      	num := input.third_party_metadata.custom.wiz.result.scanStatistics.lowMatches
+          num > max_low_vulnerabilities
       }
                   """,
                   labels=[
@@ -277,6 +297,8 @@ contexts:
           touch .spaceforge_installed_requirements
       fi
 
+      export PATH="/mnt/workspace/plugins/plugin_binaries:$PATH"
+
       cd /mnt/workspace/source/$TF_VAR_spacelift_project_root
       spaceforge runner --plugin-file /mnt/workspace/plugins/wiz/plugin.py before_plan
     sensitive: false
@@ -288,13 +310,33 @@ contexts:
     - chmod +x /mnt/workspace/plugins/wiz/before_plan.sh && /mnt/workspace/plugins/wiz/before_plan.sh
 policies:
 - name_prefix: wiz_policy
-  type: notification
+  type: PLAN
   body: |-
     package spacelift
 
-    webhook[{"endpoint_id": "wiz-alert-endpoint"}] {
-      input.run_updated.run.type == "TRACKED"
-      input.run_updated.run.marked_unsafe == true
+    max_critical_vulnerabilities := 0
+    max_high_vulnerabilities := 0
+    max_medium_vulnerabilities := 3
+    max_low_vulnerabilities := 10
+
+    deny[sprintf("Too many critical vulnerabilities (%d)", [num])] {
+    	num := input.third_party_metadata.custom.wiz.result.scanStatistics.criticalMatches
+        num > max_critical_vulnerabilities
+    }
+
+    deny[sprintf("Too many high vulnerabilities (%d)", [num])] {
+    	num := input.third_party_metadata.custom.wiz.result.scanStatistics.highMatches
+        num > max_high_vulnerabilities
+    }
+
+    deny[sprintf("Too many medium vulnerabilities (%d)", [num])] {
+    	num := input.third_party_metadata.custom.wiz.result.scanStatistics.mediumMatches
+        num > max_medium_vulnerabilities
+    }
+
+    deny[sprintf("Too many low vulnerabilities (%d)", [num])] {
+    	num := input.third_party_metadata.custom.wiz.result.scanStatistics.lowMatches
+        num > max_low_vulnerabilities
     }
   labels:
   - wiz-plugin

{spaceforge-0.0.5 → spaceforge-0.0.6}/pyproject.toml

@@ -33,6 +33,7 @@ dependencies = [
     "click>=8.0.0", 
     "pydantic>=2.11.7",
     "Jinja2>=3.1.0",
+    "mergedeep>=1.3.4",
 ]
 
 [project.optional-dependencies]

{spaceforge-0.0.5 → spaceforge-0.0.6}/setup.py

@@ -44,6 +44,7 @@ setup(
         "click>=8.0.0",
         "pydantic>=2.11.7",
         "Jinja2>=3.1.0",
+        "mergedeep>=1.3.4",
     ],
     extras_require={
         "dev": [

{spaceforge-0.0.5 → spaceforge-0.0.6}/spaceforge/_version_scm.py

@@ -28,7 +28,7 @@ version_tuple: VERSION_TUPLE
 commit_id: COMMIT_ID
 __commit_id__: COMMIT_ID
 
-__version__ = version = '0.0.5'
-__version_tuple__ = version_tuple = (0, 0, 5)
+__version__ = version = '0.0.6'
+__version_tuple__ = version_tuple = (0, 0, 6)
 
-__commit_id__ = commit_id = 'gd83c2c6ce'
+__commit_id__ = commit_id = 'gf4078fecf'

{spaceforge-0.0.5 → spaceforge-0.0.6}/spaceforge/cls.py

@@ -149,6 +149,9 @@ class Webhook:
     labels: Optional[List[str]] = optional_field
 
 
+PolicyTypes = Literal["PUSH", "PLAN", "TRIGGER", "APPROVAL", "NOTIFICATION"]
+
+
 @pydantic_dataclass
 class Policy:
     """
@@ -162,7 +165,7 @@ class Policy:
     """
 
     name_prefix: str
-    type: str
+    type: PolicyTypes
     body: str
     labels: Optional[List[str]] = optional_field
 

{spaceforge-0.0.5 → spaceforge-0.0.6}/spaceforge/generator.py

@@ -8,6 +8,7 @@ from typing import TYPE_CHECKING, Any, Dict, List, Optional, Type, Union
 
 import yaml
 from jinja2 import Environment, PackageLoader, select_autoescape
+from mergedeep import Strategy, merge  # type: ignore
 
 if TYPE_CHECKING:
     from .plugin import SpaceforgePlugin
@@ -185,7 +186,10 @@ class PluginGenerator:
                 )
 
     def _add_spaceforge_hooks(
-        self, hooks: Dict[str, List[str]], mounted_files: List[MountedFile]
+        self,
+        hooks: Dict[str, List[str]],
+        mounted_files: List[MountedFile],
+        has_binaries: bool,
     ) -> None:
         # Add the spaceforge hook to actually run the plugin
         if self.config is None:
@@ -203,6 +207,7 @@ class PluginGenerator:
                 plugin_path=directory,
                 plugin_file=self.config["plugin_mounted_path"],
                 phase=hook,
+                has_binaries=has_binaries,
             )
             self._add_to_mounted_files(hooks, mounted_files, hook, f"{hook}.sh", render)
 
@@ -244,8 +249,8 @@ class PluginGenerator:
 
         self._update_with_requirements(mounted_files)
         self._update_with_python_file(mounted_files)
-        self._generate_binary_install_command(hooks, mounted_files)
-        self._add_spaceforge_hooks(hooks, mounted_files)
+        has_binaries = self._generate_binary_install_command(hooks, mounted_files)
+        self._add_spaceforge_hooks(hooks, mounted_files, has_binaries)
 
         # Get the contexts and append the hooks and mounted files to it.
         if self.plugin_class is None:
@@ -270,8 +275,8 @@ class PluginGenerator:
             contexts[0].env = []
 
         # Add the hooks and mounted files to the first context
-        contexts[0].hooks.update(hooks)
-        contexts[0].mounted_files.extend(mounted_files)
+        merge(contexts[0].hooks, hooks, strategy=Strategy.TYPESAFE_ADDITIVE)
+        contexts[0].mounted_files += mounted_files
 
         self._map_variables_to_parameters(contexts)
 
@@ -279,10 +284,10 @@ class PluginGenerator:
 
     def _generate_binary_install_command(
         self, hooks: Dict[str, List[str]], mounted_files: List[MountedFile]
-    ) -> None:
+    ) -> bool:
         binaries = self.get_plugin_binaries()
         if binaries is None:
-            return None
+            return False
 
         for i, binary in enumerate(binaries):
             amd64_url = binary.download_urls.get("amd64", None)
@@ -309,6 +314,8 @@ class PluginGenerator:
                 render,
             )
 
+        return True
+
     def get_plugin_binaries(self) -> Optional[List[Binary]]:
         """Get binary definitions from the plugin class."""
         return getattr(self.plugin_class, "__binaries__", None)

{spaceforge-0.0.5 → spaceforge-0.0.6}/spaceforge/plugin.py

@@ -36,21 +36,21 @@ class SpaceforgePlugin(ABC):
         self.logger = self._setup_logger()
 
         self._api_token = os.environ.get("SPACELIFT_API_TOKEN") or False
-        self._spacelift_domain = (
+        self.spacelift_domain = (
             os.environ.get("TF_VAR_spacelift_graphql_endpoint") or False
         )
-        self._api_enabled = bool(self._api_token and self._spacelift_domain)
+        self._api_enabled = bool(self._api_token and self.spacelift_domain)
         self._workspace_root = os.getcwd()
         self._spacelift_markdown_endpoint = None
 
         # This should be the last thing we do in the constructor
         # because we set api_enabled to false if the domain is set up incorrectly.
-        if self._spacelift_domain and isinstance(self._spacelift_domain, str):
+        if self.spacelift_domain and isinstance(self.spacelift_domain, str):
             # this must occur after we check if spacelift domain is false
             # because the domain could be set but not start with https://
-            if self._spacelift_domain.startswith("https://"):
-                if self._spacelift_domain.endswith("/"):
-                    self._spacelift_domain = self._spacelift_domain[:-1]
+            if self.spacelift_domain.startswith("https://"):
+                if self.spacelift_domain.endswith("/"):
+                    self.spacelift_domain = self.spacelift_domain[:-1]
             else:
                 self.logger.warning(
                     "SPACELIFT_DOMAIN does not start with https://, api calls will fail."
@@ -58,7 +58,7 @@ class SpaceforgePlugin(ABC):
                 self._api_enabled = False
 
             if self._api_enabled:
-                self._spacelift_markdown_endpoint = self._spacelift_domain.replace(
+                self._spacelift_markdown_endpoint = self.spacelift_domain.replace(
                     "/graphql", "/worker/plugin_logs_url"
                 )
 
@@ -200,7 +200,7 @@ class SpaceforgePlugin(ABC):
             data["variables"] = variables
 
         req = urllib.request.Request(
-            self._spacelift_domain,  # type: ignore[arg-type]
+            self.spacelift_domain,  # type: ignore[arg-type]
             json.dumps(data).encode("utf-8"),
             headers,
         )

{spaceforge-0.0.5 → spaceforge-0.0.6}/spaceforge/schema.json

@@ -170,6 +170,13 @@
           "type": "string"
         },
         "type": {
+          "enum": [
+            "PUSH",
+            "PLAN",
+            "TRIGGER",
+            "APPROVAL",
+            "NOTIFICATION"
+          ],
           "title": "Type",
           "type": "string"
         },

{spaceforge-0.0.5 → spaceforge-0.0.6}/spaceforge/templates/ensure_spaceforge_and_run.sh.j2

@@ -17,6 +17,8 @@ if [ -f requirements.txt ] && [ ! -f .spaceforge_installed_requirements ]; then
     pip install -r requirements.txt
     touch .spaceforge_installed_requirements
 fi
-
+{% if has_binaries %}
+export PATH="/mnt/workspace/plugins/plugin_binaries:$PATH"
+{% endif %}
 cd /mnt/workspace/source/$TF_VAR_spacelift_project_root
 spaceforge runner --plugin-file {{plugin_file}} {{phase}}

{spaceforge-0.0.5 → spaceforge-0.0.6}/spaceforge/test_generator.py

@@ -72,7 +72,7 @@ class PluginExample(SpaceforgePlugin):
     __policies__ = [
         Policy(
             name_prefix="test_policy",
-            type="notification",
+            type="NOTIFICATION",
             body="package test",
             labels=["type:security"],
         )
@@ -396,7 +396,7 @@ class NotAPlugin:
         assert policies is not None
         assert len(policies) == 1
         assert policies[0].name_prefix == "test_policy"
-        assert policies[0].type == "notification"
+        assert policies[0].type == "NOTIFICATION"
         assert policies[0].body == "package test"
 
     def test_get_plugin_webhooks(self) -> None:

{spaceforge-0.0.5 → spaceforge-0.0.6}/spaceforge/test_plugin.py

@@ -21,7 +21,7 @@ class TestSpaceforgePluginInitialization:
 
         # Assert
         assert plugin._api_token is False
-        assert plugin._spacelift_domain is False
+        assert plugin.spacelift_domain is False
         assert plugin._api_enabled is False
         assert plugin._workspace_root == os.getcwd()
         assert isinstance(plugin.logger, logging.Logger)
@@ -36,7 +36,7 @@ class TestSpaceforgePluginInitialization:
 
         # Assert
         assert plugin._api_token == "test_token"
-        assert plugin._spacelift_domain == "https://test.spacelift.io"
+        assert plugin.spacelift_domain == "https://test.spacelift.io"
         assert plugin._api_enabled is True
         assert plugin._workspace_root == os.getcwd()
 
@@ -53,7 +53,7 @@ class TestSpaceforgePluginInitialization:
             plugin = SpaceforgePlugin()
 
         # Assert
-        assert plugin._spacelift_domain == "https://test.spacelift.io"
+        assert plugin.spacelift_domain == "https://test.spacelift.io"
         assert plugin._api_enabled is True
 
     def test_should_disable_api_when_domain_has_no_https_prefix(self) -> None:
@@ -69,7 +69,7 @@ class TestSpaceforgePluginInitialization:
             plugin = SpaceforgePlugin()
 
         # Assert
-        assert plugin._spacelift_domain == "test.spacelift.io"
+        assert plugin.spacelift_domain == "test.spacelift.io"
         assert plugin._api_enabled is False
 
     def test_should_disable_api_when_only_token_provided(self) -> None:
@@ -271,7 +271,7 @@ class TestSpaceforgePluginAPI:
         plugin = SpaceforgePlugin()
         plugin._api_enabled = True
         plugin._api_token = "test_token"
-        plugin._spacelift_domain = "https://test.spacelift.io"
+        plugin.spacelift_domain = "https://test.spacelift.io"
 
         expected_data = {"data": {"test": "result"}}
         mock_api_response.read.return_value = json.dumps(expected_data).encode("utf-8")
@@ -305,7 +305,7 @@ class TestSpaceforgePluginAPI:
         plugin = SpaceforgePlugin()
         plugin._api_enabled = True
         plugin._api_token = "test_token"
-        plugin._spacelift_domain = "https://test.spacelift.io"
+        plugin.spacelift_domain = "https://test.spacelift.io"
 
         mock_response_data = {"data": {"test": "result"}}
         mock_response = Mock()
@@ -331,7 +331,7 @@ class TestSpaceforgePluginAPI:
         plugin = SpaceforgePlugin()
         plugin._api_enabled = True
         plugin._api_token = "test_token"
-        plugin._spacelift_domain = "https://test.spacelift.io"
+        plugin.spacelift_domain = "https://test.spacelift.io"
 
         mock_response_data = {"errors": [{"message": "Test error"}]}
         mock_response = Mock()

{spaceforge-0.0.5 → spaceforge-0.0.6}/spaceforge.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: spaceforge
-Version: 0.0.5
+Version: 0.0.6
 Summary: A Python framework for building Spacelift plugins
 Home-page: https://github.com/spacelift-io/plugins
 Author: Spacelift
@@ -29,6 +29,7 @@ Requires-Dist: PyYAML>=6.0
 Requires-Dist: click>=8.0.0
 Requires-Dist: pydantic>=2.11.7
 Requires-Dist: Jinja2>=3.1.0
+Requires-Dist: mergedeep>=1.3.4
 Provides-Extra: dev
 Requires-Dist: pytest>=6.0; extra == "dev"
 Requires-Dist: pytest-cov; extra == "dev"

{spaceforge-0.0.5 → spaceforge-0.0.6}/spaceforge.egg-info/SOURCES.txt

@@ -9,6 +9,9 @@ templates.go
 test.sh
 .github/workflows/ci.yml
 .github/workflows/release.yml
+plugins/enviroment_manager/plugin.py
+plugins/enviroment_manager/plugin.yaml
+plugins/enviroment_manager/requirements.txt
 plugins/infracost/plugin.py
 plugins/infracost/plugin.yaml
 plugins/sops/plugin.py

{spaceforge-0.0.5 → spaceforge-0.0.6}/spaceforge.egg-info/requires.txt

@@ -2,6 +2,7 @@ PyYAML>=6.0
 click>=8.0.0
 pydantic>=2.11.7
 Jinja2>=3.1.0
+mergedeep>=1.3.4
 
 [dev]
 pytest>=6.0