feat: add a new setting for the FedRAMP environment

adamconnelly · adamconnelly · commit 318b19c779cb · 2025-08-28T12:34:42.000+01:00
I've added a new variable to indicate that the pool is connecting to a Spacelift FedRAMP account. When this is enabled, a different launcher binary compatible with the FedRAMP environment is downloaded.
diff --git a/README.md b/README.md
@@ -56,6 +56,49 @@ module "spacelift_workerpool" {
 }
 ```
 
+### FedRAMP Example
+
+If your account is in the Spacelift FedRAMP environment, set the `is_fedramp` variable to `true`:
+
+```hcl
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = "us-west-1"
+}
+
+module "spacelift_workerpool" {
+  source = "github.com/spacelift-io/terraform-aws-spacelift-workerpool-on-ec2?ref=v4.4.3"
+
+  secure_env_vars = {
+    SPACELIFT_TOKEN            = var.worker_pool_config
+    SPACELIFT_POOL_PRIVATE_KEY = var.worker_pool_private_key
+  }
+
+  configuration = <<EOF
+    export SPACELIFT_SENSITIVE_OUTPUT_UPLOAD_ENABLED=true
+  EOF
+
+  min_size          = 1
+  max_size          = 5
+  worker_pool_id    = var.worker_pool_id
+  security_groups   = var.security_groups
+  vpc_subnets       = var.subnets
+  is_fedramp        = true
+}
+```
+
+**NOTE:** if you don't set the `is_fedramp` variable to `true` and attempt to connect to the Spacelift FedRAMP environment the launcher will exit on startup without connecting to Spacelift.
+
+### Other Examples
+
 For more examples covering specific use cases, please see the [examples directory](./examples/):
 
 - [AMD64 deployment](./examples/amd64/)
diff --git a/asg.tf b/asg.tf
@@ -16,6 +16,7 @@ locals {
   saas_user_data = templatefile("${path.module}/user_data/saas.tftpl", {
     custom_user_data = join("\n", [local.secure_env_vars, var.configuration])
     domain_name      = var.domain_name
+    is_fedramp       = var.is_fedramp
     poweroff_delay   = var.poweroff_delay
     region           = data.aws_region.this.region
   })
diff --git a/user_data/saas.tftpl b/user_data/saas.tftpl
@@ -12,7 +12,7 @@ spacelift () {(
     return 1
   fi
 
-  baseURL="https://downloads.${domain_name}/spacelift-launcher"
+  baseURL="https://downloads.${domain_name}/spacelift-launcher${is_fedramp ? "-fedramp" : ""}"
   binaryURL=$(printf "%s-%s" "$baseURL" "$currentArch")
   shaSumURL=$(printf "%s-%s_%s" "$baseURL" "$currentArch" "SHA256SUMS")
   shaSumSigURL=$(printf "%s-%s_%s" "$baseURL" "$currentArch" "SHA256SUMS.sig")
diff --git a/variables.tf b/variables.tf
@@ -84,6 +84,12 @@ variable "domain_name" {
   default     = "spacelift.io"
 }
 
+variable "is_fedramp" {
+  type        = bool
+  description = "Indicates whether the worker pool is connecting to the FedRAMP Spacelift environment. When true a FedRAMP-specific version of the launcher binary will be downloaded."
+  default     = false
+}
+
 variable "ec2_instance_type" {
   type        = string
   description = "EC2 instance type for the workers. If an arm64-based AMI is used, this must be an arm64-based instance type."
