terraform-provider-gitlab

Add support for assigning a security policy project

Open PatrickRice-KSC opened this issue 2 years ago • 3 comments

Feature Description

It's common for users with an ultimate subscription to want to enforce some level of security scans and policies around MRs. Gitlab supports this through the use of Security Policy Projects: https://docs.gitlab.com/ee/user/application_security/policies/

This issue will look to add support for security policy projects to the provider, so that users who want to enforce policies through terraform can do so.

This issue will also act as a POC for using the GraphQL API, as these operations are only supported through GraphQL: https://docs.gitlab.com/ee/api/graphql/reference/index.html#mutationsecuritypolicyprojectassign https://docs.gitlab.com/ee/api/graphql/reference/index.html#mutationsecuritypolicyprojectunassign

Do you want to implement this?

  • [X] I would like to implement this myself 👷

PatrickRice-KSC avatar May 27 '22 03:05 PatrickRice-KSC
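As an added example (not code from this issue or from the provider), here is a minimal Go client that sends the securityPolicyProjectAssign mutation from the linked reference and handles both places GitLab reports failures: the top-level GraphQL `errors` array (auth, syntax, unknown field) and the mutation payload's own `errors` list (validation). The argument names `fullPath` and `securityPolicyProjectId`, the `ProjectID` variable type, and the use of a `PRIVATE-TOKEN` header are assumptions taken from the GraphQL reference and should be checked against the target GitLab version; the fake endpoint and its responses are constructed so the block runs offline.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed argument/variable names; verify against the GraphQL reference for your GitLab version.
const assignMutation = `
mutation AssignPolicyProject($fullPath: ID!, $policyProjectID: ProjectID!) {
  securityPolicyProjectAssign(input: {fullPath: $fullPath, securityPolicyProjectId: $policyProjectID}) {
    errors
  }
}`

// graphQLRequest is the JSON envelope POSTed to /api/graphql.
type graphQLRequest struct {
	Query     string            `json:"query"`
	Variables map[string]string `json:"variables"`
}

// graphQLResponse covers both failure channels: top-level "errors" and the
// mutation payload's own "errors" list.
type graphQLResponse struct {
	Data struct {
		SecurityPolicyProjectAssign struct {
			Errors []string `json:"errors"`
		} `json:"securityPolicyProjectAssign"`
	} `json:"data"`
	Errors []struct {
		Message string `json:"message"`
	} `json:"errors"`
}

type Client struct {
	Endpoint string // e.g. https://gitlab.example.com/api/graphql
	Token    string // access token with api scope (assumed header: PRIVATE-TOKEN)
	HTTP     *http.Client
}

// AssignSecurityPolicyProject links policyProjectGID (gid://gitlab/Project/N) to the
// project at fullPath. There is no matching read call, so a Terraform resource built
// on this cannot confirm the link during Read.
func (c *Client) AssignSecurityPolicyProject(fullPath, policyProjectGID string) error {
	body, err := json.Marshal(graphQLRequest{
		Query:     assignMutation,
		Variables: map[string]string{"fullPath": fullPath, "policyProjectID": policyProjectGID},
	})
	if err != nil {
		return err
	}
	req, err := http.NewRequest(http.MethodPost, c.Endpoint, bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("PRIVATE-TOKEN", c.Token)
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	var out graphQLResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return fmt.Errorf("decoding response (HTTP %d): %w", resp.StatusCode, err)
	}
	if len(out.Errors) > 0 {
		return fmt.Errorf("graphql error (HTTP %d): %s", resp.StatusCode, out.Errors[0].Message)
	}
	if errs := out.Data.SecurityPolicyProjectAssign.Errors; len(errs) > 0 {
		return fmt.Errorf("securityPolicyProjectAssign: %s", strings.Join(errs, "; "))
	}
	return nil
}

// NewFakeGitLab is a constructed stand-in for the GraphQL endpoint so the example
// runs offline: it rejects missing tokens and returns a mutation-level error for
// a value that is not a project GID.
func NewFakeGitLab() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if r.Header.Get("PRIVATE-TOKEN") == "" {
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprint(w, `{"errors":[{"message":"401 Unauthorized"}]}`)
			return
		}
		var req graphQLRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil || !strings.Contains(req.Query, "securityPolicyProjectAssign") {
			w.WriteHeader(http.StatusBadRequest)
			fmt.Fprint(w, `{"errors":[{"message":"Bad request"}]}`)
			return
		}
		if !strings.HasPrefix(req.Variables["policyProjectID"], "gid://gitlab/Project/") {
			fmt.Fprint(w, `{"data":{"securityPolicyProjectAssign":{"errors":["Policy project doesn't exist"]}}}`)
			return
		}
		fmt.Fprint(w, `{"data":{"securityPolicyProjectAssign":{"errors":[]}}}`)
	}))
}

func main() {
	srv := NewFakeGitLab()
	defer srv.Close()
	c := &Client{Endpoint: srv.URL, Token: "glpat-example", HTTP: srv.Client()}
	fmt.Println("assign ok:", c.AssignSecurityPolicyProject("group/app", "gid://gitlab/Project/42"))
	fmt.Println("assign bad gid:", c.AssignSecurityPolicyProject("group/app", "42"))
}
```

Checking both error channels matters in a provider: a mutation can come back HTTP 200 with `data.securityPolicyProjectAssign.errors` populated, and treating that as success would leave Terraform state claiming a link that GitLab never created.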

This is a bit of an odd API pattern... there doesn't appear to be any way to read the value of a security policy project through the API, so I may need to mark both inputs as computed. You can retrieve the policies themselves (as inherited from the parent policy project), but there doesn't seem to be a way to read the linkage itself.

May need to create an issue for the gitlab team to see if that's intentional.

PatrickRice-KSC avatar May 27 '22 03:05 PatrickRice-KSC

I'm very much looking forward to that PoC @PatrickRice-KSC 🎉

May need to create an issue for the gitlab team to see if that's intentional.

Totally agree that we should do this to at least clarify. It seems odd to me, too.

I'm also a bit reluctant to use this particular API for the GraphQL PoC ... what would you think about implementing a simple one we are already implementing? Maybe the gitlab_instance_variable one?

Or maybe the gitlab_label one, to see if the API doesn't have the same limitations with the nullable priority (as we currently have with go-gitlab (not related to REST per se though)) (see https://github.com/gitlabhq/terraform-provider-gitlab/pull/926)?

timofurrer avatar May 28 '22 16:05 timofurrer

I agree @timofurrer, I think this is going to need to go on the backlog until we can get a Read API. I had a couple of query resources I was trying to play with to see if they returned the data I wanted, but I think this is going to be blocked for a bit.

PatrickRice-KSC avatar May 28 '22 19:05 PatrickRice-KSC