Design: "Protected" Terraform states
Problem to solve
Currently a GitLab managed Terraform state can be accessed by CI jobs using the built-in job token. Write access is restricted to jobs run by maintainers; developer jobs have read-only access.
However, there are no restrictions on the branch the job is running on. This means that a maintainer can make potentially destructive infrastructure changes via a branch that was never intended to be merged, and the current rules forbid use cases where developers write the state files for review environments.
Intended users
User experience goal
Happy path
The CI job runs without any errors as it works today
Protected state
terraform apply fails with a 403 Forbidden status code. If the response allows, we should return a description for the error: "This protected state file can be changed only from protected branches using the GitLab CI." + link to docs
Setup
Protected states are enabled by default, thus they can be written only by changes made on protected branches. By default this means the master branch.
- Existing state files are protected
- If a state file is created on a protected branch, it is protected.
- If a state file is created on an unprotected branch, it can be set to protected on the state details page.
- If a branch is changed to be protected, any subsequent change to a state file from that branch turns the state protected.
- If a branch becomes unprotected, its state files remain protected. Removing state file protection can be done on the state details page.
- Protected state files should have an icon or a tag in the state list view and in the state details page
Proposal
Add the ability to explicitly "protect" a Terraform state. Similar to protected CI variables, a protected state can only be accessed by CI jobs that are running on protected branches/tags.
This will provide two additional customisation options:
- The ability to prevent local execution of any kind
- The ability to prevent accidental changes from branches that would never be approved and/or merged.
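The branch and role rules from the Setup and Proposal sections, as an added model written for this issue (not GitLab's implementation, which the proposal does not yet specify): a hypothetical in-memory StateStore decides whether a CI job's write is allowed and returns the 403 text described under "Protected state".

```python
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    DEVELOPER = "developer"
    MAINTAINER = "maintainer"


@dataclass
class CiJob:
    role: Role
    branch: str
    branch_protected: bool  # decided by the project's protected-branch rules


@dataclass
class TerraformState:
    name: str
    protected: bool


FORBIDDEN_MSG = ("This protected state file can be changed only from "
                 "protected branches using the GitLab CI.")
READ_ONLY_MSG = "Developer jobs have read-only access to Terraform states."


@dataclass
class StateStore:
    """Hypothetical stand-in for GitLab's managed Terraform state backend."""
    states: dict = field(default_factory=dict)

    def read(self, name, job):
        # Developer and maintainer jobs may both read (today's behaviour).
        return (200, "") if name in self.states else (404, "state not found")

    def write(self, name, job):
        """Model of `terraform apply` pushing a new state version.
        Returns (HTTP status, message); a 403 carries the proposed error text."""
        if job.role is not Role.MAINTAINER:
            return 403, READ_ONLY_MSG
        state = self.states.get(name)
        if state is None:
            # A state first written from a protected branch starts protected;
            # one created from an unprotected branch does not.
            self.states[name] = TerraformState(name, protected=job.branch_protected)
            return 200, ""
        if state.protected and not job.branch_protected:
            return 403, FORBIDDEN_MSG
        # A write from a (newly) protected branch promotes the state to
        # protected; a branch losing protection never demotes it.
        if job.branch_protected:
            state.protected = True
        return 200, ""

    def set_protected(self, name, protected):
        # Manual toggle from the state details page.
        self.states[name].protected = protected
```

The `set_protected` toggle stands in for the state details page action; everything else follows from the branch and role of the job making the request.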
Related but addressed in a separate issue (not in scope):
- [Potentially - TBC] Prevent developers from reading the state (all access is maintainer only) - #254668
- [Added 2020-10-29] Prevent accidental deletion of the state
- [Potentially - TBC] Allow developers to write non-protected branches