## Why are we doing this work For SaaS, we want to add a setting on the top-level group that enables the Secrets Manager Open Beta. The toggle state will be queryable and modified via GraphQL mutation and when enabled will allow for Secrets Manager feature availability for the whole group (including child groups and projects). The setting itself will be hidden behind the open beta feature flag, to be determined in https://gitlab.com/gitlab-org/gitlab/-/work_items/597896. This is only available for SaaS, so this setting will not show for self-managed. When this TLG toggle is enabled, there will be a separate toggle that must be enabled for provisioning the secrets manager for that top-level group. This functions similarly to the toggle for child groups that provision the secrets manager at the child group level. ## Relevant links [Design issue](https://gitlab.com/gitlab-org/gitlab/-/work_items/597481) [Figma designs](https://gitlab.com/gitlab-org/gitlab/-/work_items/597481) [Feature flag discussion](https://gitlab.com/gitlab-org/gitlab/-/work_items/597896) ## Implementation plan The `SecretsManagerSettings` component is used for both project and group secrets manager settings. This is where the provisioning toggle is located. 1. Pass `isTopLevelGroup` from Rails. This value is true when we are in Saas (`Gitlab.com?`) and the group has no parent (`group.root?`). 3. Create a new toggle in `SecretsManagerSettings` component that calls the new GraphQL query and mutation for checking the enrollment status (to be created on the ~backend via https://gitlab.com/gitlab-org/gitlab/-/work_items/598522). Show toast message on success, inline error on failure. 4. Once enrolled, show the provisioning toggle for the top-level group. Behavior remains the same (when provisioned, the user can now manage the secrets manager permissions and visit the secrets manager page). 5. Add a non-dismissable alert message at the bottom that informs the user that charges may be incurred at the end of the open beta. **For groups that are **NOT** top-level, the settings will only be available once the top-level group toggle is enabled. https://gitlab.com/gitlab-org/gitlab/-/work_items/599327+ will take care of gating this UI behind the enrollment status. ## Verification steps 1. Upload a Premium license (or above). 2. [Set up openbao and enable the secrets manager](https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/openbao.md) on your gdk. 3. Enable the open beta feature flag (to be provided in https://gitlab.com/gitlab-org/gitlab/-/work_items/597896). 4. Go to your project settings (Settings > General) and expand **Visibility, project features, permissions**. Verify that the secrets manager toggle does not exist yet in the settings. 5. Go to the Admin settings and enable the secrets manager open beta toggle. 6. Go back to the permissions settings of your project and verify that the secrets manager toggle is now available.