Compute policy diff before persisting security policies

Sashi Kumar Kumaresanrequested to merge
sk/416262-policy-diff into master

What does this MR do and why?

This change computes policy diff before persisting the security policies so that the diff can be used to update the associated resources conditionally. The changes related to updating the associated resources is done in Draft: Add events for policy changes (!163945 - closed) using EventStore.

The changes in this MR are still behind security_policies_sync feature flag.

In this MR:

  • Security::SecurityOrchestrationPolicies::PolicyChanges is a data-model that computes the policy diff along with the rules diff in RuleChange data-model.
  • Uses policy name as an identifier to query the existing policies as policy name is unique for a policy project
  • Outdated policies are not deleted but rather set an negative policy_index and processed for deletion asynchronously to avoid cascading deletes due to approval_policy_rule_id in many other tables (approval_merge_request_rules, approval_project_rules, software_license_polices etc)
  • rules in policy YAML are persisted correctly when one or many rule(s) is/are removed/added/updated. Outdated rules (approval_policy_rules & scan_execution_policy_rules) are also marked with a negative rule_index to process the deletion asynchronously to avoid cascading deletes

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Addresses #416262 (closed)

Edited by Sashi Kumar Kumaresan

Merge request reports