Add Terraform module support to package protection rules

Summary

Adds terraform_module as a supported package type in package protection rules, enabling customers to restrict who can push to the Terraform module registry at the project level.

This addresses the gap where customers using GitLab's Terraform module registry had no mechanism to protect their modules using package protection rules.

Changes

  • Model: Added :terraform_module to the package_type enum in Packages::Protection::Rule
  • GraphQL: Added TERRAFORM_MODULE value to RulePackageTypeEnum
  • Frontend: Added "Terraform module" option to the package type dropdown in the protection rule form
  • Enforcement: Added protection check in Packages::TerraformModule::CreatePackageService to enforce rules on module publish
  • Specs: Updated model, GraphQL, frontend, and service specs

How it works

When a protection rule is created with package_type: terraform_module, the system will check the user's access level against the rule's minimum_access_level_for_push when they attempt to publish a Terraform module. If the user's access level is below the minimum, the publish is blocked with a "Package protected" error.

The package name pattern matching works with the Terraform module naming format {module_name}/{module_system} (e.g., my-module/aws).

Test plan

  • [ ] Create a protection rule with package type "Terraform module" via UI
  • [ ] Create a protection rule with package type "TERRAFORM_MODULE" via GraphQL API
  • [ ] Create a protection rule with package type "terraform_module" via REST API
  • [ ] Verify a user below the minimum access level cannot push a matching Terraform module
  • [ ] Verify a user at or above the minimum access level can push a matching Terraform module
  • [ ] Verify non-matching module names are not affected by the protection rule

Related issues

Related to #592761 (closed)

Merge request reports

Loading