Typed AWS variables at the group level
Problem to solve
With #26777 (closed), we add an AWS integration with
AWS_DEFAULT_REGION. Moving those out of the CI/CD variables page is already a big help. What's still needed, though, is to manage things at the group level, and scoped by environment. At the moment, group level CI/CD variables cannot be scoped by environment (gitlab-org/gitlab-ee#2874). The end result is that AWS credentials per environment dominate each project's CI/CD variables.
Users would need to retype the environment variables per project, but we can make this easier by introducing environment variables on the group level
Sidney, Systems Administrator, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#sidney-systems-administrator
Sourced from comment https://gitlab.com/gitlab-org/gitlab-ce/issues/57780#note_146661044
This issue can be taken care of when MRs as part of #26777 (closed) have been merged in.
groups/.../-/settings/ci_cd, implement same approach as prescribed here #26777 (closed)
There will be a group level UI where you could set the AWS environment variables to be reused amongst projects . So projects that are associated to the same group could use these variables. (Similar to group deploy tokens)
In case there are environment variables both on the group level and on the project level, this will indicate that the user does not want to use the group level defined variables, the following rule will apply- group level environment variables will be used as long as there aren't the same variables set in the project level. Project level variables will always be used in case of a conflict (same environment variable name)
/settings/ci_cd, under `variables:
- When a user types a text in the Key input field that matches the pattern of an AWS variable (ie "A", "AWS", "AWS_AC"), display a dropdown showing the matching variables.
- AWS variables
AWS_ACCESS_KEY_ID– Specifies an AWS access key associated with an IAM user or role.
AWS_SECRET_ACCESS_KEY– Specifies the secret key associated with the access key. This is essentially the "password" for the access key.
AWS_DEFAULT_REGION– Specifies the AWS Region to send the request to. This one may be optional.
- AWS variables
- If a user selects an option from the dropdown, populate the Key field with the selected value.
- If a user enters a text value not matching a variable pattern, remove those options from the dropdown.
- If a user enters a text value not matching any of the variables, hide the dropdown.
- Update documentation to include a link to AWS best practices.
Validation should be done only for:
- KEYID="AWS-key-ID" specifies the AWS access key ID. This value is a 20-character, alphanumeric string. A sample key ID value is AKIAIOSFODNN7EXAMPLE.
- SECRET="AWS-secret" specifies the AWS secret access key. This value is a 40-character string. A sample secret access value is wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
|User focuses on key input|
|User types "A" or text value matching one of the AWS vaiables patterns|
|User types text not mating an AWS variable pattern|
Permissions and Security
TBD but can likely follow existing security controls
What does success look like, and how can we measure that?
TBD - possibly just measuring usage of main feature.