Protected terraform states: Add REST API GET endpoint for Terraform state protection rules

What does this MR do and why?

Add GET /projects/:id/terraform/state_protection_rules REST API endpoint that returns all Terraform state protection rules for a project.

This is the foundation MR for the REST API CRUD operations — the create, update, and delete endpoints build on top of it in subsequent MRs.

What's included:

  • Grape API class (API::Terraform::StateProtectionRules) with authentication, authorization (read_terraform_state, developer+), and feature flag gating (protected_terraform_states)
  • Grape entity (API::Entities::Terraform::StateProtectionRule) exposing id, project_id, state_name, minimum_access_level_for_write, allowed_from
  • Request spec covering authorized access, permission rejection, feature flag disabled, and invalid token scenarios
  • OpenAPI v2/v3 spec updates
  • Fine-grained access token documentation update

Changelog: added

🛠️ with ❤️ at Siemens

References

Screenshots or screen recordings

Not applicable — backend-only API changes.

How to set up and validate locally

  1. Ensure the protected_terraform_states feature flag is enabled (enabled by default):
    Feature.enable(:protected_terraform_states)
  2. Create a project with a Terraform state protection rule, e.g. via Rails console:
    project = Project.find_by_full_path('your/project')
    project.terraform_state_protection_rules.create!(
      state_name: 'production',
      minimum_access_level_for_write: :maintainer,
      allowed_from: :ci_only
    )
  3. As a developer (or higher), call the API endpoint:
    GET /api/v4/projects/:id/terraform/state_protection_rules
  4. Verify the response returns the protection rules with id, project_id, state_name, minimum_access_level_for_write, and allowed_from fields.
  5. Verify that a reporter-level user receives a 403 Forbidden response.
  6. Verify that disabling the feature flag returns 404 Not Found.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

MR Checklist (@gerardo-navarro)

Related to #15118 (closed)

Edited by Gerardo Navarro

Merge request reports

Loading