Skip to content

Ensure terraform_state.enabled config is respected

Pam Artiaga requested to merge pam/terraform-state-enabled-config into master

What does this MR do and why?

Issue: #348453 (closed)

The Terraform documentation indicates that Terraform state administration can be disabled in a GitLab instance. This can be done through the GitLab Omnibus or directly in the source as described in this section; it can also be done through the helm chart installation or the GDK.

We have found an issue where, regardless of the installation method, Terraform state administration is never disabled even if it is disabled in configuration. Further investigations show that this was because the Rails app (this repository) never considers the terraform_state.enabled configuration anywhere.

This MR ensures that if terraform_state.enabled=false, it is applied in the following areas:

  • the State & StateVersion REST API's, which means that a Terraform job that uses GitLab as the state backend will fail
  • the Project -> Infrastructure -> Terraform menu item is hidden, and its corresponding page returns a 404

Notes on the default value of the Terraform State administration config

If terraform_state.enabled is not set, it defaults to true. See this setting initialization.

In gprd, the ::Gitlab.config.terraform_state.enabled value is true

In gstg, the ::Gitlab.config.terraform_state.enabled value is true

Screenshots or screen recordings

Terraform State management setting is not set (defaults to true)

Pipeline - no failures

terraform_state_nil

Project -> Infrastructure -> Terraform menu item and page is accessible

terraform_state_nil_page_menu

Terraform State management setting is set to true

Pipeline - no failures

terraform_state_true

Project -> Infrastructure -> Terraform menu item and page is accessible

terraform_state_true_page_menu

Terraform State management setting is set to false

Terraform validate job - fails

terraform_state_false

Project -> Infrastructure -> Terraform menu item is hidden

terraform_state_false_menu

Project -> Infrastructure -> Terraform page is accessible

terraform_state_false_page

How to set up and validate locally

Project setup

Create a project that creates cloud resources through Terraform and the GitLab CI Pipeline.

You can use the Create a Google GKE cluster through Terraform example.

Testing

In the GitLab Rails app's config/gitlab.yml file, find the the terraform_state.enabled setting and set it according to the behavior you want to test. Restart the rails application to make sure the setting is applied.

If the terraform_state.enabled is not set, or if terraform_state.enabled=true:

  • the project pipeline should run successfully
  • the Project -> Infrastructure -> Terraform menu item and page should be accessible

If terraform_state.enabled=false:

  • the terraform job should fail
  • the Project -> Infrastructure -> Terraform menu item should be hidden
  • the Project -> Infrastructure -> Terraform page should not be accessible

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Pam Artiaga

Merge request reports