This is a guest author article written by Ian Duffy, Sr SRE at Cloudsmith, a Spacelift customer.
Managing package repositories at scale requires the right tools to prevent chaos from ensuing. As providers of a cloud-native artifact management platform, we at Cloudsmith faced the same scaling challenges as our customers.
This post shows how repository management complexity can be solved by treating our infrastructure as code, using Terraform (or OpenTofu) and Spacelift to automate Cloudsmith workspace configuration.
Cloudsmith is a fully managed cloud-native artifact repository designed for controlling, securing, and distributing everything that flows through your software supply chain.
Founded in 2016 and trusted by over 1,000 enterprise customers, including American Airlines, The Trade Desk, and Shopify, Cloudsmith protects the software supply chain by providing secure, scalable artifact repositories for software teams worldwide.
Spacelift is an IaC orchestration platform that automates infrastructure management. It runs tools including Terraform, Pulumi, and Ansible whenever your IaC files change. There’s no need to build complex CI/CD pipelines manually or bring your own infrastructure state management solutions.
Spacelift is designed to unify all infrastructure provisioning, configuration, and governance tasks. Policy-as-code support lets you enforce security and compliance requirements, while flexible multi-tenancy and self-service features empower your whole team to interact with infrastructure. You can centralize all your infrastructure processes to improve reliability.
Many people think of artifact management tools as simple storage spaces, like hangars or warehouses, where you park your code. But that’s what basic repositories and registries do. A modern artifact management platform like Cloudsmith serves a much more critical role in your software development ecosystem.
Think of software development as a bustling airport with countless moving parts and constant activity. Cloudsmith functions as both your air traffic control tower and your security checkpoints:
- Like airport security: Cloudsmith acts as a gatekeeper, enforcing strict access controls and screening for threats that could compromise software stability or security. It scans every package for vulnerabilities, validates authenticity, and ensures only authorized artifacts reach your applications.
- Like air traffic control: Cloudsmith oversees the flow of all your code artifacts, ensuring assets arrive at their destinations safely and on time. It monitors the journey, coordinates movements between environments, and prevents collisions or bottlenecks that disrupt operations.
Just as air traffic control and airport security ensure safe, efficient air travel, Cloudsmith safeguards the integrity and reliability of your software supply chain, providing smooth operations for your teams and safe software delivery to your customers.
We find three major challenges with traditional artifact management:
- The legacy platform performance crisis
- The multi-format package complexity
- The software supply chain security risks
Many companies start with basic package management tools that work fine for small teams. As they scale, these systems become unreliable nightmares where development teams experience frequent outages that prevent access to critical packages, disrupting CI/CD pipelines and causing build failures.
When your deployment schedule depends on artifact availability, system downtime directly impacts your ability to deliver features and fixes to customers. Self-hosted and legacy solutions require significant maintenance overhead while providing poor reliability, meaning engineering teams spend more time maintaining infrastructure than building products.
Cloudsmith’s cloud-native platform eliminates the burden of infrastructure maintenance while providing global CDN distribution for optimal performance, allowing teams to focus on innovation instead of infrastructure management.
Modern organizations typically use diverse technology stacks with teams working on Docker containers, npm packages, Python libraries, Maven artifacts, Helm charts, and more.
Managing separate registries for each format creates operational complexity with inconsistent access patterns across different registry systems, fragmented security policies where each format requires different approaches, geographic performance bottlenecks for distributed teams, and complex integration overhead, maintaining connections to multiple external registries.
Cloudsmith’s universal platform supports 30+ package formats with consistent APIs, unified access controls, and global distribution, giving engineering teams a single source of truth for all software assets regardless of format or location.
Companies need to automatically scan artifacts for known security vulnerabilities before they reach production, maintain a complete audit trail of where artifacts came from and who has accessed them, implement fine-grained permissions to ensure only authorized users can publish or consume critical packages, prevent malicious packages from entering their software supply chain, and meet regulatory standards like SOC 2, GDPR, and industry-specific security frameworks.
Many organizations struggle with fragmented security approaches across different package types, inconsistent vulnerability scanning, poor audit trails, and difficulty maintaining compliance across multiple registries and environments.
Cloudsmith addresses these security challenges with built-in vulnerability scanning, comprehensive audit logging, unified access controls across all package formats, and compliance-ready features that help organizations meet security and regulatory requirements without additional tooling overhead.
In this section, we will review how to scale artifact management using Spacelift and Cloudsmith, leveraging the power of IaC orchestration.
Cloudsmith manages your artifacts, while Spacelift manages your IaC. Together, they create a robust system for organizations that want to move beyond manual configuration.
Benefits include:
- Full change history: Every change to your Cloudsmith setup is tracked in Git, giving you complete visibility and traceability.
- Consistent environments: Use code to create identical development and production environments, reducing bugs caused by configuration drift.
- Better collaboration: Teams can collaborate more effectively through code reviews and pull requests before changes are applied.
- Enhanced security: Enforce policies and guardrails through code, reducing the risk of unauthorized or risky changes.
In this tutorial, you will learn how to:
- Configure Cloudsmith as code: Define repositories, teams, and access controls using Terraform
- Implement secure authentication: Use OpenID Connect instead of storing API keys
- Automate with Spacelift: Deploy changes automatically through Git workflows
This allows you to build a foundation that eliminates manual configuration, provides complete audit trails, and ensures consistency across environments.
Step 1: Create your Terraform configuration
First, let’s set up the Cloudsmith Terraform provider. Create a new file called main.tf:
terraform {
required_providers {
cloudsmith = {
source = "cloudsmith-io/cloudsmith"
version = "0.0.62"
}
}
}
variable "api_key" {
type = string
sensitive = true
}
provider "cloudsmith" {
api_key = var.api_key
}Step 2: Define your repository
Now let’s create a repository. Add this to your main.tf:
# Data source to get organization information
data "cloudsmith_organization" "example_org" {
slug = "example-org" # Replace with your organization slug
}
# Create a Cloudsmith repository
resource "cloudsmith_repository" "example_repo" {
name = "Example Repository"
namespace = data.cloudsmith_organization.example_org.slug_perm
description = "A repository created with Terraform"
slug = "example-repository" # Optional: URL-friendly identifier
# Optional: Repository type (defaults to Private if not specified)
# repository_type = "Public"
}Step 3: Configure team access
Let’s add some repository permissions. Add the following to your main.tf:
# Get current user for self-admin privileges
data "cloudsmith_user_self" "this" {}
# Get specific org member details
data "cloudsmith_org_member_details" "member1" {
organization = data.cloudsmith_organization.example_org.slug
member = "user1@example.com" # Replace with actual email
}
data "cloudsmith_org_member_details" "member2" {
organization = data.cloudsmith_organization.example_org.slug
member = "user2@example.com" # Replace with actual email
}
# Create team
resource "cloudsmith_team" "developers" {
organization = data.cloudsmith_organization.example_org.slug
name = "Developers"
description = "Development team"
}
# Add members to team using org member details
resource "cloudsmith_manage_team" "dev_team_members" {
organization = data.cloudsmith_organization.example_org.slug
team_name = cloudsmith_team.developers.slug
members {
user = data.cloudsmith_org_member_details.member1.user_id
role = "Manager"
}
members {
user = data.cloudsmith_org_member_details.member2.user_id
role = "Member"
}
}
# Assign repository privileges
resource "cloudsmith_repository_privileges" "example_repo_privileges" {
organization = data.cloudsmith_organization.example_org.slug
repository = cloudsmith_repository.example_repo.slug
# Self-admin for Terraform service account
service {
privilege = "Admin"
slug = data.cloudsmith_user_self.this.slug
}
# Team access
team {
privilege = "Write"
slug = cloudsmith_team.developers.slug
}
}This configuration creates a team, adds members, and grants them write access to your repository. The Terraform service account keeps admin privileges so it can manage everything.
The contents of main.tf should be stored in a GitHub repository. Spacelift will pull the Terraform code from this repository and run it when changes are made.
Step 4: Set up Spacelift with OpenID Connect
Instead of using long-lived API keys, we’ll use OpenID Connect to let Spacelift authenticate with Cloudsmith through a trust relationship.
First, set up OIDC in your Cloudsmith workspace:
- Navigate to your workspace settings
- Go to “Authentication” → “OpenID Connect”
- Create a new OIDC provider for Spacelift
Your configuration should look similar to this:
Create the authentication script with a file called get-cloudsmith-token.sh.tpl:
#!/bin/bash
set -euo pipefail
export TF_VAR_api_key=$(curl -X POST \
-H "Content-Type: application/json" \
-d '{"oidc_token": "'$SPACELIFT_OIDC_TOKEN'", "service_slug":"${service_slug}"}' \
${api_host}/openid/${org_name}/ | jq -r ".token")This script takes the OIDC token Spacelift provides and exchanges it for a temporary Cloudsmith API token. No long-lived credentials needed!
Now let’s bring it all together by creating a Spacelift stack. This stack will run when changes are pushed to your repository containing main.tf:
variable "org_name" {
description = "Organisation name for Cloudsmith"
type = string
default = "example-cloudsmith-org" # Replace with your org name
}
variable "service_slug" {
description = "Service slug for OIDC authentication"
type = string
default = "example-cloudsmith-service-slug" # Replace with your service account slug
}
variable "api_host" {
description = "Cloudsmith API host"
type = string
default = "https://api.cloudsmith.io"
}
terraform {
required_providers {
spacelift = {
source = "spacelift-io/spacelift"
version = "1.26.0"
}
}
}
provider "spacelift" {}
# Create Spacelift stack
resource "spacelift_stack" "this" {
name = "cloudsmith"
repository = "cloudsmith" # This is the repository on github that contains your terraform code which defines your Cloudsmith Workspace.
branch = "master"
}
# Create authentication context
resource "spacelift_context" "cloudsmith_auth" {
name = "cloudsmith-authentication"
description = "Context for Cloudsmith API authentication using OIDC tokens"
# Run the authentication script before Terraform initializes
before_init = [
"source /mnt/workspace/get-cloudsmith-token.sh"
]
}
# Mount authentication script
resource "spacelift_mounted_file" "get_cloudsmith_token" {
context_id = spacelift_context.cloudsmith_auth.id
relative_path = "get-cloudsmith-token.sh"
content = base64encode(templatefile("${path.module}/get-cloudsmith-token.sh.tpl", {
org_name = var.org_name
service_slug = var.service_slug
api_host = var.api_host
}))
write_only = false
}
# Attach context to stack
resource "spacelift_context_attachment" "cloudsmith_auth_attachment" {
context_id = spacelift_context.cloudsmith_auth.id
stack_id = spacelift_stack.this.id
priority = 100
}Step 5: Publish your changes
When you push changes to your repository:
- Spacelift detects a git push and starts a run.
- Before Terraform initializes, Spacelift runs your authentication script:
- The script exchanges Spacelift’s OIDC token for a Cloudsmith API token:
- Terraform uses this token to apply the changes to your Cloudsmith workspace:
Combining Cloudsmith’s artifact management with Spacelift’s IaC automation empowers engineering teams to scale reliably, improve security, and reduce manual overhead.
Want to improve your package management? Terraform and Spacelift offer fast deployment, consistent environments, strong security, and comprehensive governance.
Get started with Cloudsmith today. If you want to learn more about Spacelift, create a free account or book a demo with one of our engineers.
Solve your infrastructure challenges
Spacelift is a flexible orchestration solution for IaC development. It delivers enhanced collaboration, automation, and controls to simplify and accelerate the provisioning of cloud-based infrastructures.
