Create Custom Role for Terraform State Management
Overview
Currently, only users with owner or maintainer permissions can run and manage Terraform state files. This forces unnecessary privilege escalation: anyone who needs to work with state must be granted a role far broader than the task requires, which prevents teams from implementing proper separation of duties. We need a dedicated role specifically for Terraform state management.
Problem Statement
Many organizations need to grant developers the ability to work with Terraform state files without giving them full maintainer or owner privileges. The current permission model is too restrictive and forces teams to either grant excessive permissions or bottleneck operations through a limited number of privileged users.
User Stories
- As a DevOps lead, I want to grant developers permissions to run Terraform state files without making them project maintainers so that I can follow the principle of least privilege.
- As a developer, I want to manage Terraform state files for my application without requesting assistance from maintainers so that I can work independently.
- As a security administrator, I want to audit which users have Terraform state management capabilities so that I can ensure compliance with security policies.
- As a project manager, I want to delegate Terraform state management responsibilities without elevating user privileges so that I can maintain proper access controls.
Requirements
Functional Requirements
- Create a new role named "Terraform State Manager" with specific permissions for Terraform state operations
- Allow the role to be assigned at both project and group levels
- Provide the following granular permissions within the role:
  - View state files
  - Run state files
  - Create new state files
  - Edit existing state files
  - Lock/unlock state files
  - Delete state files (optional, can be restricted)
- Allow administrators to customize which permissions are included in the role
- Integrate with GitLab's existing RBAC system and user interface
- Enable auditing of all actions performed by users with this role
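The following is an added example, not code from this issue or from GitLab itself. It is a small Python model of the role described in these functional requirements: a permission set an administrator can customize (delete is off by default), assignment at group or project level with group-to-project inheritance, an audit record for every allow/deny decision, and the "who can touch state in this project" query the security-administrator story asks for. The role names, user names, group/project paths and the rule that a direct project membership overrides an inherited group membership are all constructed assumptions for the illustration, not GitLab's actual semantics.

```python
from dataclasses import dataclass, field
from enum import Enum


class StatePerm(Enum):
    """Granular Terraform state permissions listed in the requirements."""
    VIEW = "view_state"
    RUN = "run_state"
    CREATE = "create_state"
    EDIT = "edit_state"
    LOCK = "lock_state"
    DELETE = "delete_state"


@dataclass(frozen=True)
class Role:
    name: str
    perms: frozenset


# Built-in roles (constructed for this example): maintainers hold every state
# permission today; plain developers hold none, which is the gap the issue describes.
MAINTAINER = Role("maintainer", frozenset(StatePerm))
DEVELOPER = Role("developer", frozenset())


def state_manager_role(allow_delete: bool = False) -> Role:
    """Terraform State Manager: all state permissions except delete unless enabled."""
    perms = {p for p in StatePerm if p is not StatePerm.DELETE}
    if allow_delete:
        perms.add(StatePerm.DELETE)
    return Role("terraform_state_manager", frozenset(perms))


@dataclass
class Group:
    path: str
    members: dict = field(default_factory=dict)   # user -> Role


@dataclass
class Project:
    path: str
    group: str                                    # parent group path
    members: dict = field(default_factory=dict)   # user -> Role


@dataclass(frozen=True)
class AuditEvent:
    user: str
    perm: str
    project: str
    granted: bool
    via: str   # "project", "group" or "none"


class StateAuthorizer:
    def __init__(self, groups, projects):
        self.groups = {g.path: g for g in groups}
        self.projects = {p.path: p for p in projects}
        self.audit_log = []

    def effective_role(self, user, project_path):
        """Assumed rule: a direct project membership wins, else inherit the group one."""
        project = self.projects[project_path]
        if user in project.members:
            return project.members[user], "project"
        group = self.groups.get(project.group)
        if group is not None and user in group.members:
            return group.members[user], "group"
        return None, "none"

    def check(self, user, perm, project_path):
        """Decide and record: every decision, allowed or denied, lands in the audit log."""
        role, via = self.effective_role(user, project_path)
        granted = role is not None and perm in role.perms
        self.audit_log.append(AuditEvent(user, perm.value, project_path, granted, via))
        return granted

    def state_capable_users(self, project_path):
        """Audit query: who holds any state permission here, and through which path."""
        project = self.projects[project_path]
        result = {}
        group = self.groups.get(project.group)
        if group is not None:
            for user, role in group.members.items():
                if role.perms:
                    result[user] = (role.name, "group")
        for user, role in project.members.items():   # direct membership overrides
            if role.perms:
                result[user] = (role.name, "project")
            else:
                result.pop(user, None)
        return result


def demo():
    """Constructed sample: one group, one project, a few users."""
    infra = Group("infra", {"alice": MAINTAINER, "bob": state_manager_role()})
    network = Project("infra/network", "infra",
                      {"carol": state_manager_role(allow_delete=True)})
    authz = StateAuthorizer([infra], [network])
    return {
        "bob_edit": authz.check("bob", StatePerm.EDIT, "infra/network"),       # inherited
        "bob_delete": authz.check("bob", StatePerm.DELETE, "infra/network"),   # delete not enabled
        "carol_delete": authz.check("carol", StatePerm.DELETE, "infra/network"),
        "dave_view": authz.check("dave", StatePerm.VIEW, "infra/network"),     # no membership
        "capable": authz.state_capable_users("infra/network"),
        "audit": authz.audit_log,
    }
```

The point of the model is that bob can edit and lock state without ever holding the maintainer role, that the optional delete permission stays off until an administrator turns it on per assignment, and that denials are logged alongside grants so the audit trail answers "who tried what" rather than only "who succeeded".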
Non-Functional Requirements
- Role assignment should follow the same pattern as existing GitLab roles
- UI for role management should be consistent with other permission management interfaces
- Role implementation should not impact performance of Terraform operations
- Documentation should clearly explain the capabilities and limitations of the new role
Technical Considerations
- Review the current permission model and identify all endpoints that require protection
- Consider compatibility with existing CI/CD pipelines that interact with Terraform
- Ensure that the role interacts correctly with project/group inheritance rules
- Evaluate impact on existing automation and scripts
- Consider how this role will interact with other planned Terraform features
Success Criteria
- Users with the new role can successfully perform Terraform state operations without requiring maintainer privileges
- Administrators can assign and customize the role through the GitLab UI
- All actions performed by users with this role are properly logged for audit purposes
- Documentation clearly explains how to use and manage the new role