Add "Manage Terraform State" as a customizable permission

Background

This issue was raised while capturing the deltas in permissions between the Developer and Maintainer roles. Maintainer has this permission, but Developer does not. Adding it as a customizable permission helps our customers lessen their reliance on the extremely privileged Maintainer role, and gives them the flexibility to create new roles that carry only the permissions they need.

Proposal

Add "Manage Terraform State" as a customizable permission using the customizable roles framework.

The permission should remain in the Maintainer role, but also be added as a customizable permission so that it can be added to any base role.

Implementation

NOTE: Please introduce this behind a feature flag, as is done in the example MR linked in the instructions below.

Follow the Custom Roles -> Implement New Ability guide for admin_terraform_state.

  1. Add new column admin_terraform_state to member_roles table.
  2. Add admin_terraform_state to the MemberRole model:
    • Add to ALL_CUSTOMIZABLE_PERMISSIONS hash, with the relevant details
    • Add to ALL_CUSTOMIZABLE_PROJECT_PERMISSIONS array
  3. Add admin_terraform_state as a custom permission in ee/app/policies/ee/project_policy.rb. (Example)
  4. Update specs accordingly
  5. Update relevant docs

Please see this example MR for a better idea of how to implement this change as well as the docs that need to be updated: !128302 (merged)
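
The resulting access decision, sketched as a stand-alone Ruby model (an added example, not GitLab source code and not taken from the linked MR): the Maintainer base role keeps the ability, and a Developer-based custom role gains it only while the feature flag is enabled. The flag name, the keys inside the permission entry, and the helper names base_role_allows? and can? are assumptions made for this example.

```ruby
# Simplified stand-in for the custom roles check; not GitLab source code.
# Numeric access levels match GitLab's values for the base roles.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

# Shape of the hash named in step 2; the keys inside the entry are assumptions.
ALL_CUSTOMIZABLE_PERMISSIONS = {
  admin_terraform_state: {
    description: 'Manage Terraform state',
    scopes: [:project],
    feature_flag: :example_admin_terraform_state_ff # hypothetical flag name
  }
}.freeze

ALL_CUSTOMIZABLE_PROJECT_PERMISSIONS =
  ALL_CUSTOMIZABLE_PERMISSIONS.select { |_, v| v[:scopes].include?(:project) }.keys.freeze

# One member_roles row: a base role plus one boolean column per permission.
MemberRole = Struct.new(:base_access_level, :admin_terraform_state, keyword_init: true)

# Ability granted by the base role alone (behaviour before this change).
def base_role_allows?(access_level, ability)
  ability == :admin_terraform_state && access_level >= ACCESS_LEVELS[:maintainer]
end

# Policy decision: base role first, then the custom permission. The column is
# ignored while the flag is off, so a disabled flag fails closed.
def can?(ability, role, enabled_flags: [])
  return true if base_role_allows?(role.base_access_level, ability)
  return false unless ALL_CUSTOMIZABLE_PROJECT_PERMISSIONS.include?(ability)

  flag = ALL_CUSTOMIZABLE_PERMISSIONS.fetch(ability)[:feature_flag]
  enabled_flags.include?(flag) && role[ability] == true
end

# Constructed sample roles.
MAINTAINER   = MemberRole.new(base_access_level: 40, admin_terraform_state: false)
DEVELOPER    = MemberRole.new(base_access_level: 30, admin_terraform_state: false)
TF_DEVELOPER = MemberRole.new(base_access_level: 30, admin_terraform_state: true)
FLAG_ON      = [:example_admin_terraform_state_ff].freeze

puts can?(:admin_terraform_state, TF_DEVELOPER, enabled_flags: FLAG_ON)
```

Specs for step 4 would cover the same four cases: Maintainer, plain Developer, custom role with the flag off, and custom role with the flag on.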

Edited by Pam Artiaga