
CI Secrets vault usage instrumentation with Snowplow

Leaminn Ma requested to merge 388838-secrets-vault-snowplow-tracking into master

What does this MR do and why?

This MR adds Snowplow instrumentation to track the usage of secrets: (vault integration) in the CI pipeline.

The instrumentation works by tracking the event when a pipeline Build job is created with secrets defined. This Snowplow metric is a mirror of the existing Service Ping RedisHLL metric with key_path: redis_hll_counters.ci_secrets_management.i_ci_secrets_management_vault_build_created_monthly

This MR resolves Instrument tracking for Secrets usage using Sno... (#388838 - closed). A similar MR for id_tokens was previously merged--it implements the same tracking method.

How to set up and validate locally

  1. secrets: is a Premium feature so ensure your local instance is licensed.
  2. Configure your GDK to run Snowplow Micro.
  3. Go to http://gdk.test:9091/micro/good to observe the events being tracked.
  4. Go to your Project's CI/CD Editor and update the contents with the following.
     job_with_secrets:
       secrets:
         MY_SECRET:
           vault: production/db/password
       script:
         - echo 'test'
  5. Commit the changes and run the pipeline. Note that the job will fail (unless you have a valid vault set up locally). Refresh http://gdk.test:9091/micro/good and observe that an event appears with se_action: value create_secrets_vault.


MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #388838 (closed)

Edited by Leaminn Ma
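
An added example, not code from this MR or from GitLab: a scripted version of the last validation step that counts the create_secrets_vault events and also confirms that none of them carries the vault path from the job definition. The JSON shape assumed for the /micro/good response, the sample events, and the helper names are assumptions made for illustration.

```python
import json

TARGET_ACTION = "create_secrets_vault"     # se_action named in the validation steps
SECRET_PATHS = ["production/db/password"]  # vault path from the sample job

# Constructed sample, not captured output. Assumed shape of /micro/good:
# a JSON array whose items hold the enriched event fields under "event".
SAMPLE_GOOD = json.loads("""[
  {"eventType": "struct", "contexts": [],
   "event": {"se_category": "constructed_category",
             "se_action": "create_secrets_vault", "user_id": "1"}},
  {"eventType": "struct", "contexts": [],
   "event": {"se_action": "constructed_other_action"}},
  {"eventType": "page_view", "contexts": [], "event": {"page_url": "http://gdk.test/"}}
]""")


def vault_events(good):
    """Return the items whose structured-event action is TARGET_ACTION."""
    return [item for item in good
            if isinstance(item, dict)
            and isinstance(item.get("event"), dict)
            and item["event"].get("se_action") == TARGET_ACTION]


def find_leaks(node, needles, path="$"):
    """Walk nested JSON and list (json_path, needle) for every string value
    or object key that contains one of the needles."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += [(f"{path}.{key}", n) for n in needles if n in str(key)]
            hits += find_leaks(value, needles, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += find_leaks(value, needles, f"{path}[{i}]")
    elif isinstance(node, str):
        hits += [(path, n) for n in needles if n in node]
    return hits


def check(good, needles=SECRET_PATHS):
    """Return (number of vault events, leaks found inside those events)."""
    events = vault_events(good)
    return len(events), find_leaks(events, needles)


if __name__ == "__main__":
    print(check(SAMPLE_GOOD))
```

To run it against a live Snowplow Micro instance, pass the parsed response body of the /micro/good endpoint to `check` in place of `SAMPLE_GOOD`.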
