Draft: Add compliance framework templates backend and GraphQL API

What does this MR do and why?

This MR implements backend support for compliance framework templates — a new feature that allows users to create compliance frameworks from predefined templates (e.g., SOC 2, GDPR) instead of building them from scratch. This is part of the AI Governance Compliance Templates epic.

Changes overview (🤖 DAP generated)

Feature flag (compliance_framework_templates, WIP type):

  • Introduced as a WIP feature flag gating all new GraphQL endpoints. Both the query and mutation return a "resource not available" error when the flag is disabled.

Database migration:

  • Adds template_id (text, max 255 chars) and template_version (integer) columns to compliance_management_frameworks table. These columns track which template a framework was created from and at what version, enabling future template update detection.

Template registry and data:

  • ComplianceManagement::Frameworks::TemplateRegistry — an in-memory registry that loads template JSON files from ee/config/compliance_management/templates/ and exposes them as Template objects with GlobalID support.
  • Two initial templates: SOC 2 and GDPR, each containing framework metadata (name, description, color) and a set of compliance requirements with controls.
  • JSON schema validation (compliance_framework_template.json) ensuring template structure consistency.

Service layer:

  • CreateFromTemplateService — orchestrates framework creation from a template: loads the template, applies optional user overrides (name, description, color, default), and delegates to the existing JsonImportService.
  • CreateService and UpdateService updated to handle template_id and template_version attributes. When a templated framework is edited, these fields are nullified to disconnect it from future template updates.

GraphQL API (both marked as experiment in the schema):

  • Query complianceFrameworkTemplates(id:) — lists all available templates or filters by ID. Requires authentication. Gated by the compliance_framework_templates feature flag (actor: current_user).
  • Mutation createComplianceFrameworkFromTemplate — creates a compliance framework from a template with optional overrides for name, description, color, and default status. Requires group owner permissions and custom_compliance_frameworks license. Gated by the compliance_framework_templates feature flag (actor: current_user).

Commit breakdown

Commit  Description
1       Feature flag YAML definition
2       DB migration adding template_id and template_version
3       Template registry, JSON data files, and schema validation
4       Service layer (CreateFromTemplateService + updates to existing services)
5       GraphQL query/mutation, feature flag runtime checks, tests, docs, and introspection

References

How to set up and validate locally

  1. Enable the feature flag:

    Feature.enable(:compliance_framework_templates)
  2. Query available templates:

    query {
      complianceFrameworkTemplates {
        id
        name
        description
        color
        templateVersion
        json
      }
    }
  3. Create a framework from template (requires group owner role and custom_compliance_frameworks license):

    mutation {
      createComplianceFrameworkFromTemplate(input: {
        namespacePath: "your-group"
        templateId: "gid://gitlab/ComplianceManagement::Frameworks::TemplateRegistry::Template/soc2"
        name: "My Custom SOC 2"
      }) {
        framework {
          id
          name
          description
          color
        }
        errors
      }
    }
  4. Verify the feature flag gates correctly by disabling it:

    Feature.disable(:compliance_framework_templates)

    Both the query and mutation should return permission errors.
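The gating, override and disconnect-on-edit rules described in the changes overview and exercised by the steps above, modelled as an added Ruby example. This is not the MR's code: TemplateRegistry, create_from_template, update_framework, the inline template data and the error strings are hypothetical stand-ins for the real GitLab services and JSON files.

```ruby
require 'json'

# Constructed stand-in for the template JSON files under ee/config/compliance_management/templates/.
TEMPLATE_FILES = {
  'soc2' => { 'name' => 'SOC 2', 'description' => 'Service Organization Control 2', 'color' => '#1f75cb',
              'template_version' => 1, 'requirements' => [{ 'name' => 'CC6.1', 'controls' => ['mfa'] }] },
  'gdpr' => { 'name' => 'GDPR', 'description' => 'General Data Protection Regulation', 'color' => '#c91c00',
              'template_version' => 1, 'requirements' => [{ 'name' => 'Art. 32', 'controls' => ['encryption'] }] }
}.transform_values(&:to_json)

REQUIRED_KEYS = %w[name description color template_version requirements].freeze
GID_PREFIX = 'gid://gitlab/ComplianceManagement::Frameworks::TemplateRegistry::Template/'.freeze

# Hypothetical registry: parses each file once, rejects templates missing required keys, indexes by GlobalID.
class TemplateRegistry
  def initialize(files)
    @templates = files.to_h do |key, raw|
      data = JSON.parse(raw)
      missing = REQUIRED_KEYS - data.keys
      raise ArgumentError, "template #{key} missing #{missing.join(', ')}" unless missing.empty?
      ["#{GID_PREFIX}#{key}", data.merge('template_id' => key)]
    end.freeze
  end

  def find(gid)
    @templates[gid]
  end

  def all
    @templates.values
  end
end

# Hypothetical CreateFromTemplateService: flag, role and licence checks run before any template lookup;
# user overrides (name, description, color, default) win over the template's values.
def create_from_template(registry, gid, flag_enabled:, group_owner:, licensed:, **overrides)
  return { errors: ['resource not available'] } unless flag_enabled && group_owner && licensed
  template = registry.find(gid)
  return { errors: ['template not found'] } unless template
  overridable = overrides.slice(:name, :description, :color, :default).transform_keys(&:to_s)
  framework = template.slice('name', 'description', 'color', 'template_id', 'template_version')
  { framework: framework.merge('default' => false).merge(overridable), errors: [] }
end

# Hypothetical UpdateService behaviour: any edit nils template_id and template_version so that later
# template versions are never applied to a framework the user has customised.
def update_framework(framework, attrs)
  framework.merge(attrs, 'template_id' => nil, 'template_version' => nil)
end
```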

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Illya Klymov
