Management Of Compliance Frameworks
Today, our organization is managing the top level configuration of all GitLab groups in a self-hosted install using Terraform. Since Compliance Frameworks cannot be set at the instance level, we want to use Terraform to provision Compliance Frameworks to all groups in GitLab.
Right now, there is no way to do this using the terraform module. Optimally, we'd be able to create a Compliance Framework resource and attach it to a group.
I'm looking for something that I could use like this:
```hcl
resource "gitlab_group" "TopLevelGroup" { # This is an existing resource
  name                              = var.name
  path                              = var.path
  description                       = var.description
  visibility_level                  = var.visibility_level
  subgroup_creation_level           = var.subgroup_creation_level
  project_creation_level            = var.project_creation_level
  default_branch_protection         = var.default_branch_protection
  share_with_group_lock             = var.share_with_group_lock
  request_access_enabled            = var.request_access_enabled
  prevent_forking_outside_group     = var.prevent_forking_outside_group
  lfs_enabled                       = var.lfs_enabled
  emails_disabled                   = var.emails_disabled
  mentions_disabled                 = var.mentions_disabled
  auto_devops_enabled               = var.auto_devops_enabled
  require_two_factor_authentication = var.require_two_factor_authentication
}

resource "gitlab_compliance_framework" "SOX" { # This is a new resource that references the group ID it should be applied to
  name              = "SOX"
  group_id          = gitlab_group.TopLevelGroup.id
  description       = "This applies to all SOX in-scope projects"
  background_color  = "#87CEEB"
  default_framework = true
}
```
Related GitLab APIs
API documentation:
- create: https://docs.gitlab.com/ee/api/graphql/reference/#mutationcreatecomplianceframework
- read: https://docs.gitlab.com/ee/api/graphql/reference/#groupcomplianceframeworks
- update: https://docs.gitlab.com/ee/api/graphql/reference/#mutationupdatecomplianceframework
- delete: https://docs.gitlab.com/ee/api/graphql/reference/#mutationdestroycomplianceframework
Additional Details
There is an example of implementing a GraphQL resource here: https://gitlab.com/gitlab-org/terraform-provider-gitlab/-/blob/main/internal/provider/sdk/data_source_gitlab_current_user.go
We would want to use the new framework instead of the old SDK for implementing this resource, but the SendGraphQLRequest could be moved to a separate package and re-used.
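Added example (not code from the issue author or from terraform-provider-gitlab): a Go sketch of what a reusable `SendGraphQLRequest` plus a thin `CreateComplianceFramework` wrapper could look like for the `createComplianceFramework` mutation linked above, mapping the attributes of the proposed `gitlab_compliance_framework` resource onto the mutation's variables. The mutation shape (`namespacePath` plus a `params` object with `name`, `description`, `color` and `default`), the bearer-token header and the response fields are assumptions about the GraphQL API, not taken from this page; the token is sent in a header rather than the URL, the HTTP status is checked before decoding, and both request-level and mutation-level `errors` are surfaced so a failed create never returns an empty ID that Terraform would then record in state.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

// ComplianceFrameworkParams carries the attributes of the proposed Terraform
// resource. JSON names are assumed to match GraphQL's ComplianceFrameworkInput.
type ComplianceFrameworkParams struct {
	Name        string `json:"name"`
	Description string `json:"description"`
	Color       string `json:"color"`
	Default     bool   `json:"default"`
}

// GraphQLRequest is the JSON envelope GitLab's /api/graphql endpoint accepts.
type GraphQLRequest struct {
	Query     string                 `json:"query"`
	Variables map[string]interface{} `json:"variables"`
}

// createFrameworkResponse decodes only what the provider needs: the new
// framework's global ID, mutation-level errors and request-level errors.
type createFrameworkResponse struct {
	Data struct {
		CreateComplianceFramework struct {
			Framework struct {
				ID string `json:"id"`
			} `json:"framework"`
			Errors []string `json:"errors"`
		} `json:"createComplianceFramework"`
	} `json:"data"`
	Errors []struct {
		Message string `json:"message"`
	} `json:"errors"`
}

// Assumed shape of the mutation documented at #mutationcreatecomplianceframework.
const createComplianceFrameworkMutation = `mutation($namespacePath: ID!, $params: ComplianceFrameworkInput!) {
  createComplianceFramework(input: {namespacePath: $namespacePath, params: $params}) {
    framework { id }
    errors
  }
}`

// NewCreateComplianceFrameworkRequest builds the body for creating a framework
// on the group identified by its full namespace path.
func NewCreateComplianceFrameworkRequest(namespacePath string, p ComplianceFrameworkParams) GraphQLRequest {
	return GraphQLRequest{
		Query:     createComplianceFrameworkMutation,
		Variables: map[string]interface{}{"namespacePath": namespacePath, "params": p},
	}
}

// SendGraphQLRequest posts a query to <baseURL>/api/graphql with a bearer token
// and decodes the JSON response into out. This is the reusable piece the issue
// suggests moving into its own package.
func SendGraphQLRequest(client *http.Client, baseURL, token string, req GraphQLRequest, out interface{}) error {
	body, err := json.Marshal(req)
	if err != nil {
		return err
	}
	httpReq, err := http.NewRequest(http.MethodPost, baseURL+"/api/graphql", bytes.NewReader(body))
	if err != nil {
		return err
	}
	httpReq.Header.Set("Content-Type", "application/json")
	// Token travels in a header, not the query string, so it stays out of access logs.
	httpReq.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(httpReq)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	raw, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap what we buffer
	if err != nil {
		return err
	}
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("graphql: HTTP %d", resp.StatusCode)
	}
	return json.Unmarshal(raw, out)
}

// CreateComplianceFramework runs the mutation and returns the framework's global
// ID, failing on transport, request-level or mutation-level errors.
func CreateComplianceFramework(client *http.Client, baseURL, token, namespacePath string, p ComplianceFrameworkParams) (string, error) {
	var resp createFrameworkResponse
	if err := SendGraphQLRequest(client, baseURL, token, NewCreateComplianceFrameworkRequest(namespacePath, p), &resp); err != nil {
		return "", err
	}
	if len(resp.Errors) > 0 {
		return "", fmt.Errorf("graphql: %s", resp.Errors[0].Message)
	}
	if errs := resp.Data.CreateComplianceFramework.Errors; len(errs) > 0 {
		return "", fmt.Errorf("createComplianceFramework: %s", errs[0])
	}
	return resp.Data.CreateComplianceFramework.Framework.ID, nil
}

func main() {
	// Show the request body the provider would send for the SOX example above.
	req := NewCreateComplianceFrameworkRequest("TopLevelGroup", ComplianceFrameworkParams{
		Name: "SOX", Description: "This applies to all SOX in-scope projects", Color: "#87CEEB", Default: true,
	})
	body, _ := json.MarshalIndent(req, "", "  ")
	fmt.Println(string(body))
}
```

A real provider resource would call `CreateComplianceFramework` from its Create function and store the returned global ID as the resource ID, then implement Read against the group `complianceFrameworks` query and Update/Delete against the two remaining mutations listed above.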
- GitLab REST API resources available (read for data sources, crud for resources)
- go-gitlab does support the related GitLab API already
- I'd like to contribute it myself
/cc @kbockrath @bmiller1