Make "allow anyone to pull" work with group-level Terraform modules endpoints
Context
In GitLab package registry, there's a project-level setting that can allow anyone to pull from the package registry, regardless of the project's visibility.
That works fine for the project-level endpoints. However, it's not supported for the group-level endpoints.
In Terraform Registry, we need to support the allow anyone to pull
setting for the namespace endpoints.
Solution
We have a SQL query that says: within this group, collect all the public projects + all the projects where the user has reporter
access.
We will need to update that to: within this group, collect all the public projects + all the projects where the user has reporter
access + all the projects that have a public package registry.
The change is gated behind a feature flag.
What does this MR do and why?
- Modify
Packages::GroupPackagesFinder
&API::Terraform::Modules::V1::NamespacePackages
classes to supportallow anyone to pull
setting. - Add the related specs.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
N/A
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
- Make sure you have terraform CLI installed.
- Make sure https is enabled in your GDK.
- Publish this dummy moduleinfra-registry-aws-0.0.1.tgz to a private project in your GDK:
curl --fail-with-body --header "PRIVATE-TOKEN: <your_access_token>" \ --upload-file path/to/file.tgz \ "https://gdk.test:3443/api/v4/projects/<your_project_id>/packages/terraform/modules/my-module/my-system/0.0.1/file"
- in rails console:
Gitlab::CurrentSettings.update!(package_registry_allow_anyone_to_pull_option: true) Project.find(<your_project_id>).project_feature.update(package_registry_access_level: ProjectFeature::PUBLIC) Feature.enable(:allow_anyone_to_pull_public_terraform_modules_on_group_level)
- Create a new directory on your local machine, and cd to the directory & create a new file named
main.tf
- Open the
main.tf
file and paste the following in it:module "aws_module" { source = "gdk.test:3443/private/infra-registry/aws" }
- In the terminal, run the following command in the root of the new directory:
terraform init
- The module should be successfully downloaded.
- Update the project's
package_registry_access_level
setting to be private & repeat step6
:➡ Not found
Project.find(<your_project_id>).project_feature.update(package_registry_access_level: ProjectFeature::PRIVATE)
Related to #468062 (closed)