Skip to content

Slack»

The Spacelift Slack integration relies on a Slack app being created to allow you to link Spacelift to your Slack workspace. There are two ways you can do this:

  1. Dynamically via your organization settings.
  2. Statically via the environment.

To find out how to dynamically configure your Slack app via the frontend, take a look at our Slack integration documentation. This page explains how to configure Slack statically via the environment.

Networking»

Please note that in order for Slack to send messages to Spacelift (for example Slash Commands), Slack needs to be able to access your Spacelift server. This means that if you want the full functionality of the integration to work your Spacelift server needs to be accessible via the public internet.

Create Slack app»

Before you can configure Slack, you need to create a Slack app in your workspace. This app provides credentials necessary for Spacelift and Slack to communicate, and also tells Slack about certain endpoints in Spacelift that it needs to use.

Create a new Slack app in your workspace by navigating to https://api.slack.com/apps and following these instructions:

  • Click "Create New App"
  • Choose "From an app manifest"
  • Select your workspace
  • Paste following manifest, replacing <your-domain> with the domain you want to host the self-hosted Spacelift instance on.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
{
  "display_information": {
    "name": "Spacelift",
    "description": "Taking your infra-as-code to the next level",
    "background_color": "#131417",
    "long_description": "Spacelift is a sophisticated and compliant infrastructure delivery platform for Terraform (including Terragrunt), Pulumi, CloudFormation, Ansible, and Kubernetes.\r\n\r\n• No lock-in. Under the hood, Spacelift uses your choice of Infrastructure as Code providers: open-source projects with vibrant ecosystems and a multitude of existing providers, modules, and tutorials.\r\n\r\n• Works with your Git flow. Spacelift integrates with GitHub (and other VCSes) to provide feedback on commits and Pull Requests, allowing you and your team to preview the changes before they are applied.\r\n\r\n• Drift detection. Spacelift natively detects drift, and can optionally revert it, to provide visibility and awareness to those \"changes\" that will inevitably happen.\r\n\r\n• Policy as a Code. With Open Policy Agent (OPA) Rego, you can programmatically define policies, approval flows, and various decision points within your Infrastructure as Code flow.\r\n\r\n• Customize your runtime. Spacelift uses Docker to run its workflows, which allows you to fully control your execution environment.\r\n\r\n• Share config using contexts. Spacelift contexts are collections of configuration files and environment variables that can be attached to multiple stacks.\r\n\r\n• Look ma, no credentials. Spacelift integrates with identity management systems from major cloud providers; AWS, Azure, and Google Cloud, allowing you to set up limited temporary access to your resources without the need to supply powerful static credentials.\r\n\r\n• Manage programmatically. With the Terraform provider, you can manage Spacelift resources as code.\r\n\r\n• Protect your state. Spacelift supports a sophisticated state backend and can optionally manage the state on your behalf."
  },
  "features": {
    "bot_user": {
      "display_name": "Spacelift",
      "always_online": true
    },
    "slash_commands": [
      {
        "command": "/spacelift",
        "url": "https://<your-domain>/webhooks/slack",
        "description": "Get notified about Spacelift events",
        "usage_hint": "subscribe, unsubscribe or help",
        "should_escape": false
      }
    ]
  },
  "oauth_config": {
    "redirect_urls": ["https://<your-domain>/slack_oauth"],
    "scopes": {
      "bot": [
        "channels:read",
        "chat:write",
        "chat:write.public",
        "commands",
        "links:write",
        "team:read",
        "users:read"
      ]
    }
  },
  "settings": {
    "event_subscriptions": {
      "request_url": "https://<your-domain>/webhooks/slack",
      "bot_events": ["app_uninstalled"]
    },
    "interactivity": {
      "is_enabled": true,
      "request_url": "https://<your-domain>/webhooks/slack"
    },
    "org_deploy_enabled": false,
    "socket_mode_enabled": false,
    "token_rotation_enabled": false
  }
}

Configuration»

The following table contains the environment variables required for the Slack integration to work:

Environment variable Description
SLACK_APP_CLIENT_ID Corresponds to the Client ID of your Slack app.
SLACK_APP_CLIENT_SECRET Corresponds to the Client Secret of your Slack app.
SLACK_SECRET Corresponds to the Signing Secret of your Slack app.

GovSlack (optional)»

Self-hosted Spacelift can also connect to GovSlack, Slack's FedRAMP-compliant variant hosted at slack-gov.com. The same notification flows that work with commercial Slack (failed runs, stacks pending confirmation, and so on) are supported against GovSlack workspaces, with messages routed to slack-gov.com instead of slack.com.

The following environment variables configure the GovSlack credentials on the backend service:

Environment variable Description
GOVSLACK_CLIENT_ID Corresponds to the Client ID of your GovSlack OAuth app.
GOVSLACK_CLIENT_SECRET Corresponds to the Client Secret of your GovSlack OAuth app.
GOVSLACK_SIGNING_SECRET Corresponds to the Signing Secret of your GovSlack OAuth app.

The equivalent CLI flags are --govslack-client-id, --govslack-client-secret, and --govslack-signing-secret.

Warning

Unlike commercial Slack credentials (which can also be configured via the admin UI), GovSlack credentials must currently be provided via environment variables and require a backend restart to take effect. A UI-based configuration path for GovSlack is not yet available.

Info

Commercial Slack and GovSlack credentials can both be configured on the same Spacelift instance, but only one Slack integration can be connected at a time. Once an integration has been created against either commercial Slack or GovSlack, the other cannot be connected until the existing one is removed.

Creating the GovSlack app»

Create the Slack app in your GovSlack (slack-gov.com) workspace rather than on api.slack.com. The scopes and event subscriptions should match the manifest documented in Create Slack app above.

Use the same OAuth redirect URL as commercial Slack — https://<your-domain>/slack_oauth. The backend handles routing based on which environment the user selects when initiating the connection, so no separate endpoint is required.