<!--IssueSummary start--> <details> <summary> Everyone can contribute. [Help move this issue forward](https://handbook.gitlab.com/handbook/marketing/developer-relations/contributor-success/community-contributors-workflows/#contributor-links) while earning points, leveling up and collecting rewards. </summary> - [Label this issue](https://contributors.gitlab.com/manage-issue?action=label&projectId=278964&issueIid=600680) </details> <!--IssueSummary end--> ## Summary This issue is to roll out [the feature](https://gitlab.com/gitlab-org/gitlab/-/work_items/599604) on production, that is currently behind the `update_sast_vr_setting_permission` feature flag. The flag is introduced in !237031 and gates the new `update_sast_vr_setting` ability that lets users with the Security Manager / Maintainer / Owner roles toggle `duo_sast_vr_workflow_enabled` via the REST `PUT /projects/:id` endpoint and the project controller, replacing the previous `admin_project` gate. Related: - Feature issue: #599604 - Introducing MR: !237031 - Parent epic: [&21971 SAST Vulnerability Resolution - Backend](https://gitlab.com/groups/gitlab-org/-/work_items/21971) ## Owners - Most appropriate Slack channel to reach out to: `#g_security_insights` (update if a different team channel applies) - Best individual to reach out to: @charlieeekroon ## Expectations ### What are we expecting to happen? When the flag is enabled, users with the `update_sast_vr_setting` ability (Security Manager, Maintainer, Owner) can toggle `duo_sast_vr_workflow_enabled` on a project through: - `PUT /projects/:id` REST endpoint, and - the project settings controller path. Users without that ability continue to receive `403`. Existing Maintainer/Owner functionality continues to work unchanged, and no other project settings should become editable via this new path. ### What can go wrong and how would we detect it? - A user with `update_sast_vr_setting` is unexpectedly able to modify other project attributes through the same endpoint. Detect via: - Specs covering the projects API/controller permitted attributes. - Audit/Rails logs for unexpected attribute changes on projects. - A user without the ability is allowed to flip the toggle (privilege escalation). Detect via: - 200 responses where 403 is expected in API logs. - Manual verification with a Developer role account. - Regression for existing Maintainer/Owner flow (no longer able to toggle). Detect via: - Increase in 403s on `PUT /projects/:id` for fields including `duo_sast_vr_workflow_enabled`. - User reports / support tickets. Monitor relevant graphs on https://dashboards.gitlab.net and the Rails/API error rates after each rollout step. ## Rollout Steps Note: Please make sure to run the chatops commands in the Slack channel that gets impacted by the command. ### Rollout on non-production environments - Verify the MR with the feature flag is merged to `master` and has been deployed to non-production environments with `/chatops gitlab run auto_deploy status <merge-commit-of-your-feature>` - [ ] Deploy the feature flag at a percentage (recommended percentage: 50%) with `/chatops gitlab run feature set update_sast_vr_setting_permission 50 --actors --dev --pre --staging --staging-ref` - [ ] Monitor that the error rates did not increase (repeat with a different percentage as necessary). - [ ] Enable the feature globally on non-production environments with `/chatops gitlab run feature set update_sast_vr_setting_permission true --dev --pre --staging --staging-ref` - [ ] Verify that the feature works as expected. The best environment to validate the feature in is [`staging-canary`](https://about.gitlab.com/handbook/engineering/infrastructure/environments/#staging-canary) as this is the first environment deployed to. Make sure you are [configured to use canary](https://next.gitlab.com/). - [ ] If the feature flag causes end-to-end tests to fail, disable the feature flag on staging to avoid blocking [deployments](https://about.gitlab.com/handbook/engineering/deployments-and-releases/deployments/). - See [`#e2e-run-staging` Slack channel](https://gitlab.enterprise.slack.com/archives/CBS3YKMGD) and look for the following messages: - test kicked off: `Feature flag update_sast_vr_setting_permission has been set to true on **gstg**` - test result: `This pipeline was triggered due to toggling of update_sast_vr_setting_permission feature flag` If you encounter end-to-end test failures and are unable to diagnose them, you may reach out to the [`#s_developer_experience` Slack channel](https://gitlab.enterprise.slack.com/archives/C07TWBRER7H) for assistance. Note that end-to-end test failures on `staging-ref` [don't block deployments](https://about.gitlab.com/handbook/engineering/infrastructure/environments/staging-ref/#how-to-use-staging-ref). ### Before production rollout - [ ] If the change is significant and you wanted to announce in [#whats-happening-at-gitlab](https://gitlab.enterprise.slack.com/archives/C0259241C), it best to do it before rollout to `gitlab-org/gitlab-com`. ### Specific rollout on production For visibility, all `/chatops` commands that target production must be executed in the [`#production` Slack channel](https://gitlab.slack.com/archives/C101F3796) and cross-posted (with the command results) to the responsible team's Slack channel. - Ensure that the feature MRs have been deployed to both production and canary with `/chatops gitlab run auto_deploy status <merge-commit-of-your-feature>` - [ ] Depending on the [type of actor](https://docs.gitlab.com/development/feature_flags/#feature-actors) you are using, pick one of these options: - For **project-actor**: `/chatops gitlab run feature set --project=gitlab-org/gitlab,gitlab-org/gitlab-foss,gitlab-com/www-gitlab-com update_sast_vr_setting_permission true` - For **group-actor**: `/chatops gitlab run feature set --group=gitlab-org,gitlab-com update_sast_vr_setting_permission true` - For **user-actor**: `/chatops gitlab run feature set --user=charlieeekroon update_sast_vr_setting_permission true` - For **all internal users**: `/chatops gitlab run feature set --feature-group=gitlab_team_members update_sast_vr_setting_permission true` - [ ] Verify that the feature works for the specific actors. ### Preparation before global rollout - [ ] Set a milestone to this rollout issue to signal for enabling and removing the feature flag when it is stable. - [ ] Check if the feature flag change needs to be accompanied with a [change management issue](https://about.gitlab.com/handbook/engineering/infrastructure-platforms/change-management/#feature-flags-and-the-change-management-process). Cross link the issue here if it does. - [ ] Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the oncall SRE by using the `@sre-oncall` Slack alias. - [ ] Ensure that documentation exists for the feature, and the [version history text](https://docs.gitlab.com/development/documentation/feature_flags/#add-history-text) has been updated. - [ ] Ensure that any breaking changes have been announced following the [release post process](https://about.gitlab.com/handbook/marketing/blog/release-posts/#deprecations-removals-and-breaking-changes) to ensure GitLab customers are aware. - [ ] Notify the [`#support_gitlab-com` Slack channel](https://gitlab.slack.com/archives/C4XFU81LG) and your team channel ([more guidance when this is necessary in the dev docs](https://docs.gitlab.com/development/feature_flags/controls/#communicate-the-change)). - [ ] If this flag is or may be queried by external API consumers (for example, IDE extensions, Duo CLI, or CI integrations), follow the [external API consumer guidance](https://docs.gitlab.com/development/feature_flags/#do-not-use-feature-flags-in-external-api-consumers) and ensure a fail-open mechanism is in place before the rollout milestone is finalised. ### Global rollout on production For visibility, all `/chatops` commands that target production must be executed in the [`#production` Slack channel](https://gitlab.slack.com/archives/C101F3796) and cross-posted (with the command results) to the responsible team's Slack channel. - [ ] [Incrementally roll out](https://docs.gitlab.com/development/feature_flags/controls/#process) the feature on production. - Example: `/chatops gitlab run feature set update_sast_vr_setting_permission <rollout-percentage> --actors`. - Between every step wait for at least 15 minutes and monitor the appropriate graphs on https://dashboards.gitlab.net. - [ ] After the feature has been 100% enabled, wait for [at least one day before releasing the feature](#release-the-feature). ### Release the feature After the feature has been [deemed stable](https://about.gitlab.com/handbook/product-development-flow/feature-flag-lifecycle/#including-a-feature-behind-feature-flag-in-the-final-release), the [clean up](https://docs.gitlab.com/development/feature_flags/controls/#cleaning-up) should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase. You can either [create a follow-up issue for Feature Flag Cleanup](https://gitlab.com/gitlab-org/gitlab/-/issues/new?description_template=Feature%20Flag%20Cleanup) or use the checklist below in this same issue. - [ ] Create a merge request to remove the `update_sast_vr_setting_permission` feature flag. Ask for review/approval/merge as usual. The MR should include the following changes: - Remove all references to the feature flag from the codebase. - Remove the YAML definitions for the feature from the repository. - [ ] Ensure that the cleanup MR has been included in the release package. If the merge request was deployed before [the monthly release was tagged](https://about.gitlab.com/handbook/engineering/releases/#self-managed-releases-1), the feature can be officially announced in a release blog post: `/chatops gitlab run release check <merge-request-url> <milestone>` - [ ] Close [the feature issue](https://gitlab.com/gitlab-org/gitlab/-/work_items/599604) to indicate the feature will be released in the current milestone. - [ ] Once the cleanup MR has been deployed to production, clean up the feature flag from all environments by running these chatops command in `#production` channel: `/chatops gitlab run feature delete update_sast_vr_setting_permission --dev --pre --staging --staging-ref --production` - [ ] Close this rollout issue. ## Rollback Steps - [ ] This feature can be disabled on production by running the following Chatops command: ``` /chatops gitlab run feature set update_sast_vr_setting_permission false ``` - [ ] Disable the feature flag on non-production environments: ``` /chatops gitlab run feature set update_sast_vr_setting_permission false --dev --pre --staging --staging-ref ``` - [ ] Delete feature flag from all environments: ``` /chatops gitlab run feature delete update_sast_vr_setting_permission --dev --pre --staging --staging-ref --production ``` Related to #599604 and !237031.