terraform-aws-control_tower_account_factory
Gitlab Self-Managed integration
Gitlab Self-Managed AFT repositories integration with AFT pipelines
I wanted to discuss the possibility of integrating self-managed GitLab repositories with AWS Account Factory for Terraform (AFT) pipelines. This inquiry stems from the recent update where AWS CodePipeline announced support for self-managed GitLab instances.
Can AFT be configured to use these repositories hosted on a self-managed GitLab instance? This integration would be instrumental for our workflows, and I'm eager to know if this is feasible and, if so, what steps would be required to implement it.
I would appreciate any guidance, documentation, or insights into how AFT can leverage this new CodePipeline feature with self-managed GitLab repositories.
Thank you for considering this request.
I'm curious to see if it will be implemented.
FWIW, I too was in the same conundrum but ultimately decided leaving it hosted on CodeCommit was not the worst thing.
I ended up doing the following:
- creating "submodules" in one GitLab repo that referenced the 4 modules
- an SCP to require approvals before merging to main (Why isn't this standard AWS?!)
- Instructions on how to download the submodules and interact with CodeCommit
The workaround isn't as bad as it seems, and you don't need to use pipelines anyway in GitLab. The added bonus is the security, as nobody without actual access to the AFT account can create PRs or approve them, as they need to authenticate locally to CodeCommit. This also means the code isn't readable in GitLab, which with its lackluster access control settings is a nice bonus too.
I prefer to use a GitLab push mirror with 4 local users in the AFT account, each dedicated to a specific repository mirror. And securing the access only to those users and actions via SCP policies. After configuring mirror credentials in GitLab, they become inaccessible (unlike masked variables), enhancing security. Therefore, I only mirror the main branch, which is protected in GitLab.
Additionally, I will add an extra pipeline in Gitlab on a different branch, like 'pre-plan', to execute a local plan validation in GitLab.
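Both workarounds above (the submodules-plus-SCP setup and the push-mirror setup with one local user per repository) come down to IAM in the AFT account: each mirror identity may only touch its own CodeCommit repository, and nobody except those identities may write `main`. The following is an added example of how that could be expressed; it is my code, not AFT's and not either commenter's actual configuration. It assumes AFT's default repository names, mirror users named `aft-mirror-<repo>`, and placeholder account/region values; the small evaluator at the end models only the condition operators these policies use so the intended outcomes can be checked offline, and is not a general IAM simulator.

```python
"""Scoped CodeCommit mirror users plus an SCP that reserves main for them.

Added example, not AFT code. Assumed (not stated in the thread): AFT's
default repo names (REPOS), mirror users named aft-mirror-<repo>, and
placeholder ACCOUNT_ID / REGION. The evaluator models only the condition
operators used here; it is not a full IAM policy simulator.
"""
from fnmatch import fnmatch

ACCOUNT_ID = "111111111111"  # placeholder AFT account id (assumed)
REGION = "eu-west-1"         # placeholder CodeCommit region (assumed)
REPOS = [  # assumed: AFT's default repository names
    "aft-account-request",
    "aft-global-customizations",
    "aft-account-customizations",
    "aft-account-provisioning-customizations",
]
MAIN = "refs/heads/main"

def repo_arn(repo):
    return f"arn:aws:codecommit:{REGION}:{ACCOUNT_ID}:{repo}"

def mirror_user_arn(repo):
    return f"arn:aws:iam::{ACCOUNT_ID}:user/aft-mirror-{repo}"

def mirror_user_policy(repo):
    """Identity policy for one push-mirror user: its repo only, main only.

    ForAllValues is used because one GitPush can carry several refs; it is
    vacuously true when the key is absent, which the Null check closes.
    """
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "PullRepo", "Effect": "Allow",
         "Action": "codecommit:GitPull", "Resource": repo_arn(repo)},
        {"Sid": "PushMainOnly", "Effect": "Allow",
         "Action": "codecommit:GitPush", "Resource": repo_arn(repo),
         "Condition": {
             "ForAllValues:StringEquals": {"codecommit:References": [MAIN]},
             "Null": {"codecommit:References": "false"}}},
    ]}

def scp_protect_main():
    """SCP for the AFT account: only the mirror users may write main.

    Uses the CodeCommit branch-protection pattern (StringEqualsIfExists on
    codecommit:References plus a Null check) with a principal exception.
    """
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "OnlyMirrorUsersWriteMain", "Effect": "Deny",
         "Action": ["codecommit:GitPush", "codecommit:DeleteBranch",
                    "codecommit:PutFile", "codecommit:MergeBranchesByFastForward"],
         "Resource": [repo_arn(r) for r in REPOS],
         "Condition": {
             "StringEqualsIfExists": {"codecommit:References": [MAIN]},
             "Null": {"codecommit:References": "false"},
             "ArnNotLike": {"aws:PrincipalArn":
                            f"arn:aws:iam::{ACCOUNT_ID}:user/aft-mirror-*"}}},
    ]}

def broad_admin_policy():
    """Typical platform-admin grant; shows the SCP still blocks writes to main."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "codecommit:*", "Resource": "*"}]}

def _condition_holds(cond, ctx):
    """Minimal model of the four operators used above (assumption, not full IAM)."""
    refs = ctx["codecommit:References"]
    for op, kv in cond.items():
        if op == "ForAllValues:StringEquals":
            ok = all(r in kv["codecommit:References"] for r in refs)
        elif op == "StringEqualsIfExists":  # modelled: key absent, or any ref matches
            ok = not refs or any(r in kv["codecommit:References"] for r in refs)
        elif op == "Null":                   # "false" means the key must be present
            ok = (not refs) == (kv["codecommit:References"] == "true")
        elif op == "ArnNotLike":
            ok = not fnmatch(ctx["aws:PrincipalArn"], kv["aws:PrincipalArn"])
        else:
            raise ValueError(f"operator not modelled: {op}")
        if not ok:
            return False
    return True

def _matches(stmt, action, resource, ctx):
    as_list = lambda v: v if isinstance(v, list) else [v]
    return (any(fnmatch(action, a) for a in as_list(stmt["Action"]))
            and any(fnmatch(resource, r) for r in as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), ctx))

def allowed(principal_arn, action, repo, references, identity_policy, scp):
    """An explicit SCP Deny wins; otherwise an identity-policy Allow is required."""
    ctx = {"aws:PrincipalArn": principal_arn, "codecommit:References": list(references)}
    resource = repo_arn(repo)
    if any(s["Effect"] == "Deny" and _matches(s, action, resource, ctx)
           for s in scp["Statement"]):
        return False
    return any(s["Effect"] == "Allow" and _matches(s, action, resource, ctx)
               for s in identity_policy["Statement"])
```

With these policies a mirror user can push only `refs/heads/main` of its own repository (a push that also carries another branch is refused by the ForAllValues check), while a broadly privileged human in the same account can still push feature branches but is denied on `main` by the SCP. The mirror user's HTTPS Git credentials then live only in GitLab's mirror configuration, which is the property the commenter above relies on.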
I think having the integration with self-hosted GitLab should avoid the creation of 4 local users in my case.
@mandrakenet thank you for the feature request. Currently, AFT only supports use of CodeCommit (default); and GitHub, GitHub enterprise, Bitbucket VCS providers via CodeStar Connections. I went ahead and created a backlog to explore the possibility of supporting Gitlab as the VCS provider for an AFT deployment.
@snebhu3 Any news about Gitlab (self managed) support? Our company would like to migrate to AFT but now that CodeCommit is deprecated we don't have any compatible VCS system available.
@snebhu3 Any chance you can share what is the backlog priority for this integration with Gitlab self-managed instances?
We are currently preparing our AFT deploy and this would really help us.
Thanks!
This feature should be great for our setup. Please!