Forgecroft Docs

Workspace Attributes

Tag workspaces with custom metadata to target them in governance rules and organize your infrastructure.

Workspace attributes are user-defined key-value pairs that let you categorize and target workspaces in governance rules.

User-Defined Attributes

Set arbitrary metadata on a workspace:

PATCH /workspaces/{id}
{
  "attributes": {
    "environment": "production",
    "team": "platform",
    "criticality": "high",
    "region": "us-east-1"
  }
}

Attributes are used in governance rules to target specific workspaces. For example, a Rego policy can require approval for any workspace where attributes.environment == "production".

Detected Attributes

Forgecroft automatically detects and populates detected_attributes based on plan output:

These are updated every time a plan runs and are available in the OPA policy input.

Using Attributes in Governance

Attributes are available in Rego policies through the input object:

package forgecroft.policy

deny[msg] {
    input.workspace.attributes.environment == "production"
    count(input.plan_changes.destroyed) > 0
    msg := "Destroying resources in production requires approval"
}

Tags vs Attributes

| Feature | Tags | Attributes |
| Format | Array of strings | Object (key-value pairs) |
| Purpose | Organization and filtering | Governance targeting |
| Max count | 50 | No limit |
| Max length | 64 chars per tag | No limit per value |
| Used in | UI filtering, API filtering | Rego policy evaluation |

Workspace Labeling for Governance

A common pattern is to label workspaces by environment and criticality:

{
  "attributes": {
    "environment": "dev",
    "criticality": "low"
  }
}

Then write governance rules that scale with criticality:

require_approval[r] {
    input.workspace.attributes.criticality == "high"
    count(input.plan_changes.changed) > 5
    r := {
        "team": "platform-leads",
        "min": 2,
        "stage": 1,
        "reason": "High-criticality workspace with significant changes"
    }
}

Combining Attributes with Detected Attributes

OPA policies see both user-defined and detected attributes in the input:

package forgecroft.policy

# Enables the `in` keyword used by `some rt in ...` below
import future.keywords.in

# Require approval for production workspaces that destroy more than 5 resources
require_approval[r] {
    input.workspace.attributes.environment == "production"
    count(input.plan_changes.destroyed) > 5
    r := {
        "team": "platform",
        "min": 2,
        "stage": 1,
        "reason": sprintf("Destroying %d resources in production", [count(input.plan_changes.destroyed)])
    }
}

# Deny all changes to high-criticality workspaces using IAM resources (detected by plan output)
deny[msg] {
    some rt in input.workspace.detected_attributes.resource_types
    startswith(rt, "aws_iam_")
    input.workspace.attributes.criticality == "high"
    msg := "IAM changes in high-criticality workspaces are blocked by policy"
}
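
The rules above match only when an attribute is present with the exact expected value, so a workspace with no environment key, or one labeled "Production" instead of "production", matches none of them. The following policy is an added example, not part of the Forgecroft documentation, that fails closed on missing or unrecognized labels; it assumes the input paths shown on this page, and the required keys and allowed values are placeholders to adapt.

```rego
package forgecroft.policy

import future.keywords.in

# Assumed vocabulary; replace with the values your organization uses.
required_keys := {"environment", "criticality"}
allowed_environments := {"dev", "staging", "production"}
allowed_criticalities := {"low", "medium", "high"}

# A reference to a missing attribute is undefined in Rego, which makes every
# attribute-based rule body fail to match. Reject unlabeled workspaces so
# they cannot bypass those rules by omission.
deny[msg] {
    some key in required_keys
    not input.workspace.attributes[key]
    msg := sprintf("Workspace is missing required attribute '%v'", [key])
}

# String comparison is case-sensitive, so "Production" would not match
# rules written for "production". Reject values outside the allow-list.
deny[msg] {
    env := input.workspace.attributes.environment
    not allowed_environments[env]
    msg := sprintf("Unrecognized environment '%v'", [env])
}

deny[msg] {
    crit := input.workspace.attributes.criticality
    not allowed_criticalities[crit]
    msg := sprintf("Unrecognized criticality '%v'", [crit])
}
```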