Add a setting to allow/disallow duplicate Terraform modules

Context

You can publish Terraform modules to your GitLab project. And you can install them from your group or sub-group.

Problem to solve

The problem is that a Developer in Project A may create a module called foo and this prevents Developers in other projects from using the name foo. And if they try they'll receive an error but have no way of knowing which project created foo.

Proposal

In some cases, organizations may want to allow duplicate package name/version combinations. GitLab offers a setting for this for Maven and generic packages. We will do the same for Terraform modules.

What does this MR do and why?

  • Add two new settings to the Namespace::PackageSetting model & the corresponding namespace_package_settings database table:
    • terraform_module_duplicates_allowed
    • terraform_module_duplicate_exception_regex
  • terraform_module_duplicates_allowed is false by default, which means the Terraform Registry's default behavior is to disallow duplicates in the same namespace.
  • Update Packages::TerraformModule::CreatePackageService so that when publishing a new terraform module package, we will check if terraform_module_duplicates_allowed is true in any parent namespace in the hierarchy for the project the module is being published in. If any, then we allow duplicates. Otherwise, a 403 error with a clarifying message is returned to the user.
  • If terraform_module_duplicates_allowed is false in all parent namespaces for the project, but terraform_module_duplicate_exception_regex has some value in any parent namespace, this value is checked against the name of the module being published, and if they match, the duplication is allowed.
  • Update the specs according to the new changes.
  • Update the documentation to reflect the new changes.

Screenshots or screen recordings

N/A

How to set up and validate locally

  1. Create a subgroup in a parent group, and create two projects in this subgroup.
  2. Publish a terraform module to one of the two projects. This public project can be used to publish a dummy module.
  3. Clone the repo locally, and edit the package.sh file to replace the YOUR_TOKEN, GITLAB_API_V4_URL & PROJECT_ID variables with your GDK values.
  4. Navigate to the root of the cloned project and then run the package.sh script file:

    ./package.sh

  5. The module should be successfully published to your GDK.

  6. Change the PROJECT_ID variable value inside the package.sh file to the 2nd project in the subgroup, and publish the same module again.

  7. You should receive a 403 Forbidden error with the "A package with the same name already exists in the namespace" message.

  8. To allow duplicates, the terraform_module_duplicates_allowed setting should be updated to be true in the subgroup or the parent group or both.

  9. Enable the namespace package setting terraform_module_duplicates_allowed using the query below in graphql-explorer:

    mutation {
      updateNamespacePackageSettings(input: {
        namespacePath: "<your-group-full-path>",
        terraformModuleDuplicatesAllowed: true
      }) {
        packageSettings {
          terraformModuleDuplicatesAllowed
        }
      }
    }

  10. Repeat step 6 and the module should be successfully pushed to the 2nd project in the subgroup.

  11. To test terraform_module_duplicate_exception_regex, the terraform_module_duplicates_allowed should be false for all parent namespaces. For the subgroup or parent group, update terraform_module_duplicate_exception_regex to hold a part of the module name, then try to push the same module in a 3rd project and it should be pushed successfully.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #368040 (closed)

Edited by Moaz Khalifa
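
The duplicate check described under "What does this MR do and why?", modelled as an added example (not code from this MR or from GitLab). Namespace, Settings, duplicate_allowed? and publish_result are hypothetical names, the sample data is constructed, and the unanchored regex match is an assumption based on validation step 11.

```ruby
# Added illustration; not GitLab's implementation. All names are hypothetical
# and only model the rules stated in the MR description.
Settings = Struct.new(:duplicates_allowed, :exception_regex)
Namespace = Struct.new(:path, :parent, :settings) do
  # The namespace itself followed by every ancestor up to the root group.
  def self_and_ancestors
    chain = []
    node = self
    while node
      chain << node
      node = node.parent
    end
    chain
  end
end

# True when a module whose name already exists may be published again.
def duplicate_allowed?(namespace, module_name)
  chain = namespace.self_and_ancestors
  return true if chain.any? { |ns| ns.settings.duplicates_allowed }

  chain.any? do |ns|
    pattern = ns.settings.exception_regex.to_s
    next false if pattern.empty? # an unset regex must not match every name
    # Assumption: unanchored match ("a part of the module name", step 11).
    Regexp.new(pattern).match?(module_name)
  end
end

# :forbidden corresponds to the 403 response; existing_names are the module
# names already present in the namespace hierarchy (constructed data).
def publish_result(namespace, module_name, existing_names)
  return :published unless existing_names.include?(module_name)
  duplicate_allowed?(namespace, module_name) ? :published : :forbidden
end

root     = Namespace.new("acme", nil, Settings.new(false, nil))
subgroup = Namespace.new("acme/infra", root, Settings.new(false, nil))
existing = ["foo/aws", "sandbox-vpc/aws"]

puts publish_result(subgroup, "foo/aws", existing)         # default: blocked
root.settings.exception_regex = "sandbox"
puts publish_result(subgroup, "sandbox-vpc/aws", existing) # regex exception
puts publish_result(subgroup, "foo/aws", existing)         # still blocked
root.settings.duplicates_allowed = true
puts publish_result(subgroup, "foo/aws", existing)         # ancestor allows
```

Because a single ancestor setting or a loose pattern applies to every descendant project, an exception regex is best kept as narrow as the naming scheme permits.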