Make "allow anyone to pull" work with group-level Terraform modules endpoints

Context

In GitLab package registry, there's a project-level setting that can allow anyone to pull from the package registry, regardless of the project's visibility.

That works fine for the project-level endpoints. However, it's not supported for the group-level endpoints.

In the Terraform Registry, we need to support the "allow anyone to pull" setting for the namespace endpoints.

Solution

We have a SQL query that says: within this group, collect all the public projects + all the projects where the user has reporter access.

We will need to update that to: within this group, collect all the public projects + all the projects where the user has reporter access + all the projects that have a public package registry.

The change is gated behind a feature flag.

What does this MR do and why?

  • Modify the Packages::GroupPackagesFinder & API::Terraform::Modules::V1::NamespacePackages classes to support the "allow anyone to pull" setting.
  • Add the related specs.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

N/A

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Make sure you have terraform CLI installed.
  2. Make sure https is enabled in your GDK.
  3. Publish this dummy module infra-registry-aws-0.0.1.tgz to a private project in your GDK:
    curl --fail-with-body --header "PRIVATE-TOKEN: <your_access_token>" \
      --upload-file path/to/file.tgz \
      "https://gdk.test:3443/api/v4/projects/<your_project_id>/packages/terraform/modules/my-module/my-system/0.0.1/file"
  4. In the Rails console:
    Gitlab::CurrentSettings.update!(package_registry_allow_anyone_to_pull_option: true)
    
    Project.find(<your_project_id>).project_feature.update(package_registry_access_level: ProjectFeature::PUBLIC)
    
    Feature.enable(:allow_anyone_to_pull_public_terraform_modules_on_group_level)
  5. Create a new directory on your local machine, cd into it, and create a new file named main.tf.
  6. Open the main.tf file and paste the following in it:
    module "aws_module" {
      source = "gdk.test:3443/private/infra-registry/aws"
    }
  7. In the terminal, run the following command in the root of the new directory:
    terraform init
  8. The module should be successfully downloaded.
  9. Update the project's package_registry_access_level setting to private and repeat step 6. The result should be: Not found
    Project.find(<your_project_id>).project_feature.update(package_registry_access_level: ProjectFeature::PRIVATE)

Related to #468062 (closed)

Edited by Moaz Khalifa
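
The rule from the Solution section, modelled in plain Ruby as an added example (not code from this MR or from GitLab). The struct, its fields, the sample projects and the choice to gate the new branch on both the feature flag and the instance setting from step 4 are assumptions made for illustration.

```ruby
# In-memory model of "which projects in the group may this caller pull from".
# Assumption: this mirrors the rule in prose only, not the finder's real SQL.

REPORTER = 20 # reporter access level used by this model
GUEST    = 10

# members maps user id => access level. All data below is constructed.
ModelProject = Struct.new(:id, :public, :registry_public, :members, keyword_init: true)

PROJECTS = [
  ModelProject.new(id: 1, public: true,  registry_public: false, members: {}),
  ModelProject.new(id: 2, public: false, registry_public: false, members: { 7 => REPORTER }),
  ModelProject.new(id: 3, public: false, registry_public: true,  members: {}),
  ModelProject.new(id: 4, public: false, registry_public: false, members: { 7 => GUEST })
].freeze

# user is a user id, or nil for an anonymous request.
def readable_project_ids(projects, user:, flag_enabled:, allow_anyone_setting:)
  projects.select do |proj|
    # Existing branches: public projects, plus reporter-or-higher membership.
    next true if proj.public
    next true if user && proj.members.fetch(user, 0) >= REPORTER

    # New branch: private project whose package registry is public.
    # Off unless the flag and the instance-wide option are both enabled,
    # so disabling either one restores the previous behaviour.
    flag_enabled && allow_anyone_setting && proj.registry_public
  end.map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  [[nil, true, true], [nil, false, true], [7, false, true], [7, true, true]].each do |user, flag, setting|
    ids = readable_project_ids(PROJECTS, user: user, flag_enabled: flag, allow_anyone_setting: setting)
    puts "user=#{user.inspect} flag=#{flag} setting=#{setting} -> #{ids.inspect}"
  end
end
```

Project 3 is the case to watch in review: it becomes readable to anonymous callers, so specs should also cover the flag-off and registry-private paths, where it must stay hidden.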
