Protected terraform states: Add REST API GET endpoint for Terraform state protection rules
What does this MR do and why?
Add GET /projects/:id/terraform/state_protection_rules REST API endpoint that returns all Terraform state protection rules for a project.
This is the foundation MR for the REST API CRUD operations — the create, update, and delete endpoints build on top of it in subsequent MRs.
What's included:
- Grape API class (
API::Terraform::StateProtectionRules) with authentication, authorization (read_terraform_state, developer+), and feature flag gating (protected_terraform_states) - Grape entity (
API::Entities::Terraform::StateProtectionRule) exposingid,project_id,state_name,minimum_access_level_for_write,allowed_from - Request spec covering authorized access, permission rejection, feature flag disabled, and invalid token scenarios
- OpenAPI v2/v3 spec updates
- Fine-grained access token documentation update
Changelog: added
References
- Epic: &15118
- Issue: #597360 (closed)
- Related MR (DB migration + model): !225580 (merged)
- Related MR (enforcement): !226770 (merged)
Screenshots or screen recordings
Not applicable — backend-only API changes.
How to set up and validate locally
- Ensure the
protected_terraform_statesfeature flag is enabled (enabled by default):Feature.enable(:protected_terraform_states) - Create a project with a Terraform state protection rule, e.g. via Rails console:
project = Project.find_by_full_path('your/project') project.terraform_state_protection_rules.create!( state_name: 'production', minimum_access_level_for_write: :maintainer, allowed_from: :ci_only ) - As a developer (or higher), call the API endpoint:
GET /api/v4/projects/:id/terraform/state_protection_rules - Verify the response returns the protection rules with
id,project_id,state_name,minimum_access_level_for_write, andallowed_fromfields. - Verify that a reporter-level user receives a
403 Forbiddenresponse. - Verify that disabling the feature flag returns
404 Not Found.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
MR Checklist (@gerardo-navarro)
- Changelog entry added, if necessary
- Documentation created/updated via this MR
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Tested in all supported browsers
- Conforms to the code review guidelines
- Conforms to the style guides
- Conforms to the javascript style guides
- Conforms to the database guides
- Conforms to the merge request performance guidelines
- OpenAPI spec updated for new endpoint
Related to #15118 (closed)
Edited by Gerardo Navarro