Add column in application_settings for max terraform state size

Pam Artiaga requested to merge pam/app-setting-terraform-state-limit into master

What does this MR do and why?

Currently, the Terraform State data sent to the POST /projects/:project_id/terraform/state/:name API has no size limits. A malicious actor can spam the API with very big files, which can cause a denial of service and an increase in storage cost.

We want to introduce a limit on the file/data accepted by the API. We also want to make this configurable in the application settings so self-managed instances can set their own limits. This means a change in 2 places: the API endpoint itself and the Admin Area -> Settings -> Preferences section of a GitLab instance.

This MR introduces a new column to the application_settings table that will hold the "max size" value of an uploaded Terraform state. It is submitted as its own MR ahead of the API and UI changes so that the changes can be done in parallel on top of this MR.

Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/352951

Screenshots or screen recordings

Migration run locally:

[Image: db_migration_main]

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Pam Artiaga
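
The kind of check the description says the API change will need, sketched as an added example (not code from this MR or from GitLab): the body is read in chunks and rejected as soon as it passes a configurable limit, so an understated or missing Content-Length cannot bypass it. The method names, the error class, the 413 status and the "nil or 0 means unlimited" convention are assumptions of this example.

```ruby
require 'stringio'

# Hypothetical error type for this example.
class StateTooLargeError < StandardError; end

# Reads an uploaded Terraform state from +io+ while enforcing +max_bytes+.
# +max_bytes+ stands in for the value stored in application settings.
# Assumption of this example: nil or 0 disables the limit.
def read_state_body(io, max_bytes:, declared_length: nil, chunk_size: 16 * 1024)
  unlimited = max_bytes.nil? || max_bytes.zero?

  # Cheap early rejection when the client declares an oversized body.
  if !unlimited && declared_length && declared_length > max_bytes
    raise StateTooLargeError, "declared #{declared_length} bytes, limit is #{max_bytes}"
  end

  # The declared length is client-controlled, so count the bytes actually
  # received and stop reading once the limit is crossed. At most
  # max_bytes + chunk_size bytes are ever buffered.
  body = String.new(encoding: Encoding::BINARY)
  while (chunk = io.read(chunk_size))
    body << chunk
    if !unlimited && body.bytesize > max_bytes
      raise StateTooLargeError, "body exceeds limit of #{max_bytes} bytes"
    end
  end
  body
end

# Maps the outcome to an HTTP status: 200 when accepted,
# 413 (Payload Too Large) when the limit is exceeded.
def handle_state_upload(io, max_bytes:, declared_length: nil)
  read_state_body(io, max_bytes: max_bytes, declared_length: declared_length)
  200
rescue StateTooLargeError
  413
end

if __FILE__ == $PROGRAM_NAME
  limit = 1024                      # constructed sample limit, in bytes
  small = '{"version": 4}'          # constructed sample state
  big   = 'x' * 5000                # constructed oversized payload
  puts handle_state_upload(StringIO.new(small), max_bytes: limit, declared_length: small.bytesize)
  puts handle_state_upload(StringIO.new(big), max_bytes: limit, declared_length: 10)
end
```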
