Add service to create and sync policy YAML into read model
Why are we doing this work
The security policies are stored as YAML files in the security policy project. This approach has many advantages (version control and auditability of policies through git, for example), but it also has performance drawbacks: since reading from the git repository requires calls to Gitaly, it becomes difficult to build additional features on top of it.
This issue focuses on persisting SecurityPolicyRead from the policy YAML whenever one of these events happens:
- The policy project is linked to a development project
- The policy YAML is updated
PoC that partially covers these changes: Draft: Add initial policies tables and save new... (!139352 - closed)
Relevant links
Non-functional requirements
- Documentation:
- Feature flag: the new sync should be implemented behind a feature flag
- Performance:
- Testing:
Implementation plan
- Create a new service class Security::SecurityOrchestrationPolicies::Read::SyncService that syncs the policies from YAML by deleting and re-creating SecurityPolicyRead records through Security::SecurityOrchestrationPolicies::Read::CreateService. Call Security::SecurityOrchestrationPolicies::SyncScanResultPoliciesProjectService after the SecurityPolicyRead records have been created.
- Scan result policy rules should be persisted using the Security::ScanResultPolicyRule model.
- Scan execution policy rules should be persisted using the Security::ScanExecutionPolicyRule model.
- Update the UpdateOrchestrationPolicyConfiguration concern to call Security::SecurityOrchestrationPolicies::Read::SyncService for each policy in the YAML.
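As an added example (this is not GitLab's code; every class name, the feature-flag check, the in-memory store and the YAML shape are assumptions), a self-contained Ruby sketch of the delete-and-re-create sync the plan above describes, with scan result rules and scan execution rules going to separate models:

```ruby
require 'yaml'

# Constructed policy YAML with one policy of each type (shape is an assumption,
# not the real GitLab policy schema).
POLICY_YAML = <<~YAML
  scan_result_policy:
    - name: Block critical findings
      enabled: true
      rules:
        - type: scan_finding
          scanners: [dependency_scanning]
          severity_levels: [critical]
  scan_execution_policy:
    - name: Nightly SAST
      enabled: true
      rules:
        - type: schedule
          cadence: "0 2 * * *"
YAML

# In-memory stand-ins for the read-model tables (SecurityPolicyRead plus the two rule models).
PolicyRead        = Struct.new(:id, :policy_type, :name, :enabled)
ScanResultRule    = Struct.new(:policy_read_id, :content)
ScanExecutionRule = Struct.new(:policy_read_id, :content)

class ReadModelStore
  attr_reader :policy_reads, :scan_result_rules, :scan_execution_rules

  def initialize
    @policy_reads = []
    @scan_result_rules = []
    @scan_execution_rules = []
    @next_id = 0
  end

  # Remove every read row of one policy type together with its rules.
  def delete_policy_type(policy_type)
    ids = @policy_reads.select { |p| p.policy_type == policy_type }.map(&:id)
    @policy_reads.reject! { |p| ids.include?(p.id) }
    @scan_result_rules.reject! { |r| ids.include?(r.policy_read_id) }
    @scan_execution_rules.reject! { |r| ids.include?(r.policy_read_id) }
  end

  def create_policy_read(policy_type, policy)
    @next_id += 1
    read = PolicyRead.new(@next_id, policy_type, policy.fetch('name'), policy.fetch('enabled', true))
    @policy_reads << read
    read
  end
end

# Stand-in for the per-policy CreateService: one read row plus its rules in the matching model.
class CreateService
  RULE_TABLES = {
    'scan_result_policy'    => :scan_result_rules,
    'scan_execution_policy' => :scan_execution_rules
  }.freeze

  def initialize(store)
    @store = store
  end

  def execute(policy_type, policy)
    read = @store.create_policy_read(policy_type, policy)
    rule_model = policy_type == 'scan_result_policy' ? ScanResultRule : ScanExecutionRule
    table = @store.public_send(RULE_TABLES.fetch(policy_type))
    policy.fetch('rules', []).each { |rule| table << rule_model.new(read.id, rule) }
    read
  end
end

# Stand-in for the SyncService: gated by a flag, deletes and re-creates per policy type.
class SyncService
  POLICY_TYPES = CreateService::RULE_TABLES.keys.freeze

  def initialize(store, flag_enabled:)
    @store = store
    @flag_enabled = flag_enabled # assumed feature-flag check
  end

  # Returns the number of policies persisted per type, or :skipped when the flag is off.
  def execute(yaml)
    return :skipped unless @flag_enabled

    # safe_load: the YAML is repository content, so never deserialize arbitrary Ruby objects.
    config = YAML.safe_load(yaml) || {}
    counts = {}
    POLICY_TYPES.each do |type|
      @store.delete_policy_type(type) # a real implementation would wrap delete + create in one DB transaction
      policies = Array(config[type])
      policies.each { |policy| CreateService.new(@store).execute(type, policy) }
      counts[type] = policies.size
    end
    counts
  end
end
```

Running the sync twice leaves the same number of rows, which is the property the delete-and-re-create approach buys: the read model never accumulates stale policies from an earlier version of the YAML. Two points worth carrying into the real service: the YAML must be parsed with `YAML.safe_load` because it comes from a repository, and the delete and the re-create belong in a single transaction so a failed sync cannot leave a project with no read rows at all.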
Verification steps
Edited by Martin Čavoj