Protected terraform states: Add GraphQL query

What does this MR do and why?

Expose terraformStateProtectionRules on ProjectType so maintainers can list Terraform state protection rules via GraphQL.

Part of the protected Terraform states feature. Adds the GraphQL query layer, building on the DB + model MR.

What's included:

  • TerraformStateProtectionRuleType with id, stateName, minimumAccessLevelForWrite, allowedFrom fields
  • TerraformStateProtectionRuleAccessLevel enum (dynamically generated from model enum: developer, maintainer, owner, admin)
  • TerraformStateProtectionRuleAllowedFrom enum (dynamically generated from model enum: anywhere, ci_only, ci_on_protected_branch_only)
  • StateProtectionRulesResolver delegating to project.terraform_state_protection_rules
  • StateProtectionRulePolicy delegating authorization to the project (:admin_terraform_state)
  • Field on ProjectType: terraformStateProtectionRules connection field
  • Feature flag: gated behind protected_terraform_states (returns empty when disabled)
  • Experiment milestone 18.11 on all new fields, type fields, and enum values
  • Policy spec for StateProtectionRulePolicy
  • Type spec, enum specs, and request spec covering authorized + unauthorized + feature flag disabled

🛠️ with ❤️ at Siemens

References

Screenshots or screen recordings

Not applicable — backend-only changes.

How to set up and validate locally

  1. Create a protection rule via Rails console:

    project = Project.first
    project.terraform_state_protection_rules.create!(
      state_name: 'production',
      minimum_access_level_for_write: :maintainer,
      allowed_from: :ci_only
    )

  2. Run the following GraphQL query as a maintainer:

    {
      project(fullPath: "your/project") {
        terraformStateProtectionRules {
          nodes {
            id
            stateName
            minimumAccessLevelForWrite
            allowedFrom
          }
        }
      }
    }

  3. Verify that developers see empty results

  4. Verify that disabling the feature flag returns empty results:

    Feature.disable(:protected_terraform_states)

MR acceptance checklist

  • Tests added for all new functionality
  • RuboCop passes with no offenses
Edited by Gerardo Navarro
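
Validation steps 2 to 4 above can be scripted against the GraphQL responses. The following is an added example, not part of the merge request or of GitLab's code base. The helper names are hypothetical, the sample responses and the `gid://example/1` id are constructed, and the upper-case enum spelling is an assumption, so values are compared case-insensitively.

```ruby
require 'json'

# Query from step 2, with the project path passed as a GraphQL variable.
QUERY = <<~GRAPHQL
  query($path: ID!) {
    project(fullPath: $path) {
      terraformStateProtectionRules {
        nodes { id stateName minimumAccessLevelForWrite allowedFrom }
      }
    }
  }
GRAPHQL

# Enum values as listed in the MR description.
ACCESS_LEVELS = %w[developer maintainer owner admin].freeze
ALLOWED_FROM  = %w[anywhere ci_only ci_on_protected_branch_only].freeze

# Constructed sample responses (not captured from a real instance).
MAINTAINER_RESPONSE = <<~SAMPLE
  {"data":{"project":{"terraformStateProtectionRules":{"nodes":[
    {"id":"gid://example/1","stateName":"production",
     "minimumAccessLevelForWrite":"MAINTAINER","allowedFrom":"CI_ONLY"}]}}}}
SAMPLE
EMPTY_RESPONSE = '{"data":{"project":{"terraformStateProtectionRules":{"nodes":[]}}}}'

# JSON body to POST to the instance's GraphQL endpoint (hypothetical helper).
def request_body(full_path)
  JSON.generate(query: QUERY, variables: { path: full_path })
end

# Rule nodes from a response body; raises if the server reported errors.
def rules_from(response_json)
  body = JSON.parse(response_json)
  raise "GraphQL errors: #{body['errors']}" if body['errors']&.any?
  body.dig('data', 'project', 'terraformStateProtectionRules', 'nodes') || []
end

# Problems found for one role; an empty list means the check passed.
def audit(role, response_json, expect_rules:)
  rules = rules_from(response_json)
  problems = []
  problems << "#{role}: expected rules, got none" if expect_rules && rules.empty?
  problems << "#{role}: can list #{rules.size} rule(s)" if !expect_rules && rules.any?
  rules.each do |rule|
    level = rule['minimumAccessLevelForWrite'].to_s.downcase
    from = rule['allowedFrom'].to_s.downcase
    problems << "#{role}: unknown access level #{level}" unless ACCESS_LEVELS.include?(level)
    problems << "#{role}: unknown allowedFrom #{from}" unless ALLOWED_FROM.include?(from)
  end
  problems
end
```

Call `audit` with `expect_rules: true` for the maintainer response and `expect_rules: false` for the developer response and for any response fetched with the feature flag disabled.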
