Associate terraform state changes with pipeline/job/MR/commit whenever possible
Release notes
Problem to solve
As a Lead Engineer, I would like to see what action changed the terraform state, so that I can debug the Terraform state or provide compliance reports.
Intended users
User experience goal
The GitLab Managed Terraform state views show data about the source of a change. This might include the CI job and pipeline that applied the changes, the MR and git commit that started the pipeline.
Proposal
Some ideas from @mattkasa and @tigerwnz:
- we probably don't want to deviate from the upstream http Terraform backend
- we can add some decorating
curlcalls in our wrapper script, but it's a rather fragile solution - we could code the pipeline id in the CI auth token, and get the needed data from that
Tasks
- provide the backend
- provide the designs
- create the frontend
Further details
Permissions and Security
Documentation
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
Design: Terraform State listing Design Epic
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
Designs
Relates to
Activity
added to epic &4563
mentioned in issue #262085 (closed)
@nicholasklick @tigerwnz @mattkasa Let's continue the discussion here!
added workflowdesign label
Are we thinking an MVC could be: When using
gitlab-terraform applywe link that apply to its parent pipeline via an (extra api hit or request header)? A pipeline should already be linked to a branch/commit etc I assume?Edited by Nick KlickI think this makes sense as a first iteration. As a technical nitpick, we'll probably want to link to the specific job within the pipeline (we can then get pipeline info from the job).
Extra API hit or use request header: IMO if we can get this to work automatically without requiring an extra API call we should go with that. An extra endpoint could allow for extra customisation by the user later on, though I'm not sure what exactly they might want to do here yet.
A pipeline should already be linked to a branch/commit
Yes, the job (pipeline) links us to everything else.
then can we definitely look up the job used?
Technically, yes, because this is how we identify the user in the first place (to check permissions etc). However it may prove complicated as this lookup is quite far down into the authentication logic. Just now I've noticed that
@current_authenticated_jobgets set though, maybe we can use that?would relying on this be an acceptable MVC
Users may be using a personal access token here which will prevent this from working, but I still think this is good enough as a first iteration - I have a feeling trying to add anything else will be a bit more complicated.
@tigerwnz I agree with you, and would go forward with assuming that they don't use a personal access token. If they do, then we won't show the related data.
Just now I've noticed that
@current_authenticated_jobgets set though, maybe we can use that?I tested this out in !45347 (merged), it works as expected with only minor modifications to the authentication code.
As of !45347 (merged) we are capturing the job that created each state version (if present). The details aren't available to the frontend yet, this will come in a later merge request.
!47339 (merged) and !47347 (merged) provide the final backend components, the remainder is frontend only.
added sectionops label
changed milestone to %13.7
mentioned in merge request !45347 (merged)
mentioned in issue #267147 (closed)
changed milestone to %13.6
mentioned in merge request !47339 (merged)
mentioned in merge request !47347 (merged)
@mvrachni Could you add here the final designs for the terraform state list page, please.
@nagyv-gitlab Added the designs in the proposal section in the description. We still need to review the tooltip text to finalise and sign off the designs. You can provide your comments in the design issue here: #262916[Versions-no_actions-tooltips.png]
Edited by Maria Vrachni@mvrachni Ok, just did it.
changed milestone to %13.8
marked this issue as related to #262085 (closed)
removed milestone %13.8
mentioned in issue gitlab-org/quality/triage-reports#1095 (closed)
mentioned in issue gitlab-org/quality/triage-reports#1205 (closed)
mentioned in issue gitlab-org/quality/triage-reports#1252 (closed)
mentioned in issue gitlab-org/quality/triage-reports#1334 (closed)
added workflowready for development label and removed workflowdesign label
mentioned in issue gitlab-org/quality/triage-reports#2400 (closed)
mentioned in issue gitlab-org/quality/triage-reports#2466 (closed)
mentioned in issue gitlab-org/quality/triage-reports#2547 (closed)
changed milestone to %Backlog
added environmentsparked label
added [deprecated] Accepting merge requests label
mentioned in issue gitlab-design#1624 (closed)
added workflowrefinement label and removed workflowready for development label
removed workflowrefinement label
removed Stretch label
added groupenvironments label and removed groupconfigure [DEPRECATED] label
added devopsdeploy label and removed devopsconfigure [DEPRECATED] label
![#262916[Versions-no_actions-tooltips.png]](https://gitlab.com/gitlab-org/gitlab/-/issues/262916/designs/Versions-no_actions-tooltips.png){kind=link}