[Backend] Add 'compliance pipeline configuration location' value to custom compliance framework labels

Release notes

Problem to solve

In #231247 (closed) we are pivoting on compliance framework project labels to allow customers to customize them. Currently, these labels are hard-coded and informational only.

Learning from both the initial implementation of labels and a now-related problem validation cycle about group-level compliance pipeline configurations, customers will need a way to associate specific projects with pre-defined compliance CI configuration files (e.g. hipaa-include.gitlab-ci.yml).

Intended users

User experience goal

A group owner can add a compliance pipeline configuration location value to a customized compliance framework project label they create at the group-level.

Proposal

🆕 field
Text

[Root] Group Level Settings > General > New/Edit

  • Title
  • Description
  • Settings Enforcement
  • Force Merge
  • + Compliance pipeline configuration location (optional)
  • Background color

Project Level Settings > CI/CD

  • ...
  • Custom CI configuration path
  • + Compliance pipeline configuration location

Note: This value should be inherited by a project, but is not the same as custom CI configuration path. It should be disabled and read-only.

Feature flag

Reuses the existing flag for compliance frameworks: ff_custom_compliance_frameworks

Disabled by default

Out of scope

  • Using the inputted value for any logical change to the CI pipeline.
  • Enabling the feature for production use.
  • @asubramanian1 is investigating the use of multi-project pipelines for the next step, which is to implement the pipeline itself. This is related to, but not within scope for this issue.

Update: Issue for using the group-level configuration: #281049 (closed)

Further details

This value - Compliance pipeline configuration location, e.g. hipaa-include.gitlab-ci.yml@group/compliance-project - should serve as the reference that $CI_PROJECT_CONFIG_PATH will use to know that all projects with this reference/value should combine the local .gitlab-ci.yml CI configuration with hipaa-include.gitlab-ci.yml@group/compliance-project at runtime.

Implementation plan

database

  • Add new database attribute on ComplianceManagement::Framework

backend - 3️⃣

If the feature flag :ff_custom_compliance_frameworks is set:

  • Modify updateComplianceFramework GraphQL mutation to allow new field to be updated.
  • Modify ComplianceManagement::FrameworkType to expose new field value.
Edited by Aishwarya Subramanian
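
The location value described under "Further details" names a CI configuration file in another project, so it is worth checking its shape before it is stored. The sketch below is an added example, not code from this issue or from GitLab: the module name, the allowed characters, the .yml/.yaml suffix check and the rejection of "." and ".." segments are all assumptions.

```ruby
# Added example (not GitLab code): parse "<file>@<group/project>".
# Every validation rule below is an assumption, not taken from the issue.
module ComplianceConfigLocation
  Location = Struct.new(:file, :project)
  SEGMENT = /\A[A-Za-z0-9_.\-]+\z/

  # True when every "/"-separated segment is a plain name: no empty
  # segment (leading or doubled slash) and no "." or ".." traversal.
  def self.safe_segments?(path)
    path.split('/', -1).all? { |s| SEGMENT.match?(s) && s != '.' && s != '..' }
  end

  # Returns nil for a blank value (the field is optional), a Location
  # for a well-formed value, and raises ArgumentError otherwise.
  def self.parse(value)
    return nil if value.nil? || value.strip.empty?

    file, sep, project = value.strip.rpartition('@')
    raise ArgumentError, 'expected <file>@<group/project>' if sep.empty?
    unless safe_segments?(file) && file.end_with?('.yml', '.yaml')
      raise ArgumentError, "invalid configuration file path: #{file.inspect}"
    end
    unless safe_segments?(project) && project.count('/') >= 1
      raise ArgumentError, "invalid project path: #{project.inspect}"
    end

    Location.new(file, project)
  end

  def self.valid?(value)
    parse(value)
    true
  rescue ArgumentError
    false
  end
end

# Constructed sample inputs; the first is the example value from the issue.
[
  'hipaa-include.gitlab-ci.yml@group/compliance-project',
  '../../other.yml@group/compliance-project',
  'hipaa-include.gitlab-ci.yml'
].each { |v| puts "#{v.inspect} => #{ComplianceConfigLocation.valid?(v)}" }
```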