Create service account for top-level group flow

What does this MR do and why?

When a user with create_service_account permissions creates a flow for a top-level group, it will create a service account for that flow.

This service account will be needed for running the flows due to the new Agent Identity feature we're working on.

How to set up and validate locally

  1. Enable the appropriate flags: ai_catalog_flows, global_ai_catalog

  2. Create a flow:

     mutation {
       aiCatalogFlowCreate(
         input: {name: "Test flow", description: "Test flow", projectId: "gid://gitlab/Project/1000000", public: true, steps: []}
       ) {
         errors
         item {
           id
         }
       }
     }

  3. Enable the flow in a group:

     mutation {
       aiCatalogItemConsumerCreate(
         input: {itemId: "gid://gitlab/Ai::Catalog::Item/<ID FROM ABOVE>", target: {groupId: "gid://gitlab/Group/1000000"}}
       ) {
         itemConsumer {
           id
         }
         errors
       }
     }

  4. Confirm that a service account named ai-test-flow-gitlab-duo was created at http://gdk.test:3000/groups/gitlab-duo/-/settings/service_accounts

  5. Repeat the steps again, but when adding the new flow to the group, use a group maintainer account instead of group owner. A service account should not be created.

  6. Confirm that both item consumers were created but only the one created by the owner has a service account:

     Ai::Catalog::ItemConsumer.last(2)

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #578532 (closed)

Edited by Keeyan Nejad
