Allow Terraform/OpenTofu state encryption to be turned off
Problem to solve
Currently all state files are encrypted by GitLab before being stored, and this behaviour cannot be changed. In most circumstances this is desired; however, there are situations where it would be preferable to disable this behaviour and store the state files as they are received.
Some examples include (these are not mutually exclusive):
- Encryption is supported/enabled by the storage provider (e.g. S3).
- Users are using OpenTofu state and plan encryption.
- Administrators want to be able to access state files without access to GitLab itself (e.g. for disaster recovery purposes), which is not currently possible as the GitLab application is responsible for the encryption key.
Proposal
- Add an instance-level setting to enable/disable state encryption, which is enabled by default.
- If the instance setting is disabled, newly created state files will not be encrypted by Rails.
- For the first iteration, existing states will continue to use encryption with no change in behaviour (in the future they could start using the new behaviour on the next update).
Feature Usage Metrics
We should track two new events:
- A state file is stored with encryption
- A state file is stored without encryption
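A sketch of the proposed behaviour and the two events, added here as an illustration and not GitLab's own code. `StateStore`, `encryption_enabled`, `encrypt_next?` and the event names are hypothetical, AES-256-GCM stands in for whatever cipher the application uses, and fixing a state's mode at creation is an assumption. The point it shows is that the encrypted/plain decision has to be recorded per stored version, so reads keep working after the setting is toggled.

```ruby
require "openssl"

# Hypothetical names throughout; this is not GitLab's implementation.
class StateStore
  Version = Struct.new(:blob, :encrypted, :iv, :tag)

  attr_accessor :encryption_enabled   # stands in for the instance-level setting
  attr_reader :events

  def initialize(key)
    @key = key
    @encryption_enabled = true        # enabled by default, per the proposal
    @versions = Hash.new { |h, k| h[k] = [] }
    @events = Hash.new(0)
  end

  # Assumption: a state's mode is fixed when it is created, so states that
  # existed before the setting was turned off keep encrypting new versions.
  def encrypt_next?(name)
    first = @versions[name].first
    first ? first.encrypted : encryption_enabled
  end

  def write(name, data)
    if encrypt_next?(name)
      c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
      c.key = @key
      iv = c.random_iv
      blob = c.update(data) + c.final
      version = Version.new(blob, true, iv, c.auth_tag)
      @events[:stored_with_encryption] += 1
    else
      version = Version.new(data.dup, false, nil, nil)
      @events[:stored_without_encryption] += 1
    end
    @versions[name] << version
    version
  end

  # Reads use the flag recorded on the version, never the current setting.
  def read(name)
    v = @versions[name].last
    return v.blob unless v.encrypted
    d = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    d.key = @key
    d.iv = v.iv
    d.auth_tag = v.tag
    d.update(v.blob) + d.final
  end
end
```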
Does this feature require an audit event?
No (application setting changes are audited automatically)