From d0b2ba109371a2784fd56473cab1db7e570d84a5 Mon Sep 17 00:00:00 2001
From: Jean-Marc Fontaine
Date: Thu, 1 Jun 2023 17:37:48 -0400
Subject: [PATCH 1/4] Remove obsolete policy

---
 management/policies.tf | 8 -----
 .../policies/ignore-outside-project-root.rego | 18 -----------
 management/stacks.tf | 30 ++++---------------
 3 files changed, 6 insertions(+), 50 deletions(-)
 delete mode 100644 management/policies/ignore-outside-project-root.rego

diff --git a/management/policies.tf b/management/policies.tf
index 51cac04..5d35708 100644
--- a/management/policies.tf
+++ b/management/policies.tf
@@ -1,11 +1,3 @@
-resource "spacelift_policy" "ignore-outside-project-root" {
- name = "Ignore pushes outside of project root - ${random_string.stack_name_suffix.result}"
- body = file("${path.module}/policies/ignore-outside-project-root.rego")
- type = "GIT_PUSH"
-
- labels = toset(var.spacelift_labels)
-}
-
 resource "spacelift_policy" "trigger-dependent-stacks" {
 name = "Trigger dependent stacks - ${random_string.stack_name_suffix.result}"
 body = file("${path.module}/policies/trigger-dependent-stacks.rego")
diff --git a/management/policies/ignore-outside-project-root.rego b/management/policies/ignore-outside-project-root.rego
deleted file mode 100644
index 121689b..0000000
--- a/management/policies/ignore-outside-project-root.rego
+++ /dev/null
@@ -1,18 +0,0 @@
-package spacelift
-
-track {
- affected
- input.push.branch == input.stack.branch
-}
-
-propose { affected }
-ignore { not affected }
-ignore { input.push.tag != "" }
-
-affected {
- filepath := input.push.affected_files[_]
-
- startswith(filepath, input.stack.project_root)
-}
-
-sample { true }
diff --git a/management/stacks.tf b/management/stacks.tf
index 76c1e7e..f146d2c 100644
--- a/management/stacks.tf
+++ b/management/stacks.tf
@@ -3,6 +3,12 @@ resource "random_string" "stack_name_suffix" {
 special = false
 }

+data "spacelift_current_stack" "this" {}
+
+data "spacelift_stack" "current_stack" {
+ stack_id = data.spacelift_current_stack.this.id
+}
+
 # Terraform stack
 resource "spacelift_stack" "terraform-ansible-workflow-terraform" {
 branch = data.spacelift_stack.current_stack.branch
@@ -44,11 +50,6 @@ resource "spacelift_aws_role" "terraform-stack" {
 role_arn = var.aws_role
 }

-resource "spacelift_policy_attachment" "ignore-outside-project-root-terraform" {
- policy_id = spacelift_policy.ignore-outside-project-root.id
- stack_id = spacelift_stack.terraform-ansible-workflow-terraform.id
-}
-
 resource "spacelift_policy_attachment" "trigger-dependent-stacks-terraform" {
 policy_id = spacelift_policy.trigger-dependent-stacks.id
 stack_id = spacelift_stack.terraform-ansible-workflow-terraform.id
@@ -59,7 +60,6 @@ resource "spacelift_stack_destructor" "terraform-stack" {
 spacelift_environment_variable.ansible_context_id,
 spacelift_environment_variable.aws_region,
 spacelift_aws_role.terraform-stack,
- spacelift_policy_attachment.ignore-outside-project-root-terraform,
 spacelift_policy_attachment.trigger-dependent-stacks-terraform,
 ]

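Review bot: The two data sources added at the top of this hunk (`data "spacelift_current_stack" "this"` and `data "spacelift_stack" "current_stack"`) arrive without any comment, because the one they carried at their old location (`# Ignore outside of project root for current stack`, removed in the later hunk) described the policy that this commit deletes rather than the lookup itself. Since the only visible consumer is `branch = data.spacelift_stack.current_stack.branch` on the managed stack below, a comment tying the two together would help the next reader: `# Stack that runs this module; the managed stacks below track the same branch`. The commit message calls the removed GIT_PUSH policy obsolete, but nothing on this page names the platform default that now covers the branch match and the `input.push.tag != ""` ignore the Rego expressed; a sentence in the commit description saying which default replaces them would make the "obsolete" claim verifiable.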
@@ -102,28 +102,11 @@ resource "spacelift_aws_role" "ansible-stack" {
 role_arn = var.aws_role
 }

-resource "spacelift_policy_attachment" "ignore-outside-project-root-ansible" {
- policy_id = spacelift_policy.ignore-outside-project-root.id
- stack_id = spacelift_stack.terraform-ansible-workflow-ansible.id
-}
-
 resource "spacelift_policy_attachment" "warn-on-unreachable-hosts-ansible" {
 policy_id = spacelift_policy.warn-on-unreachable-hosts.id
 stack_id = spacelift_stack.terraform-ansible-workflow-ansible.id
 }

-# Ignore outside of project root for current stack
-data "spacelift_current_stack" "this" {}
-
-data "spacelift_stack" "current_stack" {
- stack_id = data.spacelift_current_stack.this.id
-}
-
-resource "spacelift_policy_attachment" "ignore-outside-project-root-this" {
- policy_id = spacelift_policy.ignore-outside-project-root.id
- stack_id = data.spacelift_current_stack.this.id
-}
-

 # Trigger a run in terraform stack
 resource "spacelift_run" "this" {
@@ -132,6 +115,5 @@ resource "spacelift_run" "this" {
 depends_on = [
 spacelift_environment_variable.ansible_context_id,
 spacelift_aws_role.ansible-stack,
- spacelift_policy_attachment.ignore-outside-project-root-ansible,
 ]
 }

From d5ca243b69cc4a1b08848cac98cb4ca1aea0b623 Mon Sep 17 00:00:00 2001
From: Jean-Marc Fontaine
Date: Thu, 1 Jun 2023 17:54:16 -0400
Subject: [PATCH 2/4] Replace Trigger policy with Stack Dependencies

---
 management/policies.tf | 8 -------
 .../policies/trigger-dependent-stacks.rego | 21 -------------------
 management/stacks.tf | 12 +++++------
 3 files changed, 6 insertions(+), 35 deletions(-)
 delete mode 100644 management/policies/trigger-dependent-stacks.rego

diff --git a/management/policies.tf b/management/policies.tf
index 5d35708..cffab75 100644
--- a/management/policies.tf
+++ b/management/policies.tf
@@ -1,11 +1,3 @@
-resource "spacelift_policy" "trigger-dependent-stacks" {
- name = "Trigger dependent stacks - ${random_string.stack_name_suffix.result}"
- body = file("${path.module}/policies/trigger-dependent-stacks.rego")
- type = "TRIGGER"
-
- labels = toset(var.spacelift_labels)
-}
-
 resource "spacelift_policy" "warn-on-unreachable-hosts" {
 name = "Require manual confirm on unreachable hosts - ${random_string.stack_name_suffix.result}"
 body = file("${path.module}/policies/warn-on-unreachable-hosts.rego")
diff --git a/management/policies/trigger-dependent-stacks.rego b/management/policies/trigger-dependent-stacks.rego
deleted file mode 100644
index ac7e3d0..0000000
--- a/management/policies/trigger-dependent-stacks.rego
+++ /dev/null
@@ -1,21 +0,0 @@
-package spacelift
-
-# This example trigger policy will cause every stack that declares dependency on
-# the current one to get triggered the current one is successfully updated.
-#
-# You can read more about trigger policies here:
-#
-# https://docs.spacelift.io/concepts/policy/trigger-policy
-
-trigger[stack.id] {
- count(input.run.changes) > 0
- stack := input.stacks[_]
- input.run.state == "FINISHED"
- input.run.type == "TRACKED"
- stack.labels[_] == concat("", ["depends-on:", input.stack.id])
-}
-
-# Learn more about sampling policy evaluations here:
-#
-# https://docs.spacelift.io/concepts/policy#sampling-policy-inputs
-sample { true }
diff --git a/management/stacks.tf b/management/stacks.tf
index f146d2c..b0281fb 100644
--- a/management/stacks.tf
+++ b/management/stacks.tf
@@ -50,17 +50,11 @@ resource "spacelift_aws_role" "terraform-stack" {
 role_arn = var.aws_role
 }

-resource "spacelift_policy_attachment" "trigger-dependent-stacks-terraform" {
- policy_id = spacelift_policy.trigger-dependent-stacks.id
- stack_id = spacelift_stack.terraform-ansible-workflow-terraform.id
-}
-
 resource "spacelift_stack_destructor" "terraform-stack" {
 depends_on = [
 spacelift_environment_variable.ansible_context_id,
 spacelift_environment_variable.aws_region,
 spacelift_aws_role.terraform-stack,
- spacelift_policy_attachment.trigger-dependent-stacks-terraform,
 ]

 stack_id = spacelift_stack.terraform-ansible-workflow-terraform.id
@@ -107,6 +101,12 @@ resource "spacelift_policy_attachment" "warn-on-unreachable-hosts-ansible" {
 stack_id = spacelift_stack.terraform-ansible-workflow-ansible.id
 }

+# The Ansible stack depends on the Terraform one
+resource "spacelift_stack_dependency" "terraform-ansible" {
+ stack_id = spacelift_stack.terraform-ansible-workflow-ansible.id
+ depends_on_stack_id = spacelift_stack.terraform-ansible-workflow-terraform.id
+}
+

 # Trigger a run in terraform stack
 resource "spacelift_run" "this" {

From 9dc8e1d41bcd9aff5231e63c7533eba9b047fc73 Mon Sep 17 00:00:00 2001
From: Jean-Marc Fontaine
Date: Thu, 1 Jun 2023 18:09:35 -0400
Subject: [PATCH 3/4] Enable Smart Sanitization

---
 management/stacks.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/management/stacks.tf b/management/stacks.tf
index b0281fb..74f6b86 100644
--- a/management/stacks.tf
+++ b/management/stacks.tf
@@ -26,7 +26,8 @@ resource "spacelift_stack" "terraform-ansible-workflow-terraform" {
 }
 }

- terraform_version = "1.2.4"
+ terraform_version = "1.2.4"
+ terraform_smart_sanitization = true
 }

 # Terraform context variable

From 7015a0d96429ca2b2ea0f535371d675b89af2828 Mon Sep 17 00:00:00 2001
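Review bot: The new `spacelift_stack_dependency.terraform-ansible` is not referenced by `spacelift_run.this`, whose `depends_on` (the list itself sits outside this hunk, after the `resource "spacelift_run" "this" {` line that closes it) still names only the context variable and the AWS role. Terraform may therefore create the run before the dependency edge exists; if, as the commit title implies, the dependency is what now propagates a finished Terraform run to the Ansible stack in place of the deleted TRIGGER policy, the very first run triggered by this module could complete without the Ansible stack following. Adding `spacelift_stack_dependency.terraform-ansible,` to that `depends_on` list pins the order. The deleted Rego also only fired on `input.run.type == "TRACKED"` with `count(input.run.changes) > 0`; whether the dependency resource applies the same filters is not visible here and is worth a line in the comment above it if it differs.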
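Review bot: `terraform_smart_sanitization = true` changes which plan values Spacelift redacts, and the hunk gives no hint of that trade-off. As the feature is documented by Spacelift (to my knowledge), it replaces blanket sanitization with redaction of only the values Terraform marks sensitive, so any secret that reaches the plan without a `sensitive = true` mark becomes readable in run output by everyone who can view the stack; a comment such as `# Smart sanitization redacts only Terraform-marked sensitive values; keep secrets marked sensitive` would record that dependency. Note also that patch 4/4 in this series ("Fix main merge") removes a `terraform_smart_sanitization = true` line at a different position in the same resource, and neither hunk's context shows whether the attribute introduced here survives the merge, so the series should be checked end to end for the setting still being present exactly once.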
From: =?UTF-8?q?Micha=C5=82=20Goli=C5=84ski?=
Date: Tue, 12 Sep 2023 14:54:11 +0200
Subject: [PATCH 4/4] Fix main merge

---
 management/stacks.tf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/management/stacks.tf b/management/stacks.tf
index b20fb83..d435b6a 100644
--- a/management/stacks.tf
+++ b/management/stacks.tf
@@ -18,7 +18,6 @@ resource "spacelift_stack" "terraform-ansible-workflow-terraform" {
 labels = toset(var.spacelift_labels)
 administrative = true
 autodeploy = true
- terraform_smart_sanitization = true

 dynamic "github_enterprise" {
 for_each = var.github_org_name != "" ? [1] : []