Identity Approvals

A GitLab repository is securely hosted in the Identity Kingdom Black Ops GitLab self-managed instance. It manages, as configuration-as-code/infrastructure-as-code, every action that could otherwise be performed in the Admin UI. This moves all day-to-day administrative actions and global configuration into state management with MR approval rules and CI/CD automation.

GitOps Workflow

gitGraph
   commit id: "Change 1"
   commit id: "Change 2"
   branch change
   checkout change
   commit id: "Current Changes"
   commit id: "CI/CD Validate and Plan Jobs" type: REVERSE
   commit id: "Peer Review" type: HIGHLIGHT
   commit id: "Identity Approval" type: HIGHLIGHT
   commit id: "CODEOWNER Approval" type: HIGHLIGHT
   checkout main
   commit id: "Change 3"
   commit id: "Change 4"
   merge change
   commit id: "CI/CD Terraform Apply Jobs" type: REVERSE
   commit id: "Change 6"

Each vendor instance has its own GitLab repository with a .gitlab-ci.yml file that defines CI/CD pipeline jobs for terraform validate, checkov (IaC SAST scanning), terraform plan, terraform apply, and terraform destroy.

All changes are made in GitLab branches, where the pipeline runs the terraform validate, checkov, and terraform plan jobs. Merge requests are configured to require all jobs to succeed and all approvals to be obtained; once every approval is in place, the merge request is merged automatically.

Approval Rules

Each merge request requires a peer review and is configured with two (2) GitLab approval rules. The peer reviewer may push commits to the branch to make fixes, or leave suggestions as merge request review comments.

  1. The Identity Approval rule requires review by a member of the Identity Engineering or Identity Operations team to ensure technical accuracy. The Identity peer reviewer can provide this approval if they did not push any commits. If the peer reviewer has pushed commits, a different person must provide the approval to preserve separation of duties.
  2. The System Owner approval rule uses the CODEOWNERS file, which specifies the business owner and technical owner for each directory or file in the Terraform GitLab repository. By default these owners are taken from GitLab’s Tech Stack; the Identity Operations team can update them to the domain subject matter expert (SME) for the specific configuration.

The merge request is merged automatically once all approvals have been provided, so approval should not be given until the changes are ready to go live.
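The merge conditions above (required jobs succeeded, Identity Approval with separation of duties, CODEOWNER approval for every changed file) can be modelled as a small gate. The following is an added example, not GitLab's own code or the approval logic of this repository: it assumes a constructed CODEOWNERS file in GitLab's sectioned syntax, constructed merge request data (changed files, users who pushed commits, approvers and their team memberships, job results), and usernames rather than GitLab groups as owners. It applies the rule that an Identity approver who pushed commits to the branch does not count toward the Identity Approval.

```python
"""Added example (not GitLab's own code): a model of the merge gate described
on this page.  All data below is constructed for illustration."""
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed CODEOWNERS in GitLab's sectioned syntax: a bracketed section
# header followed by "<pattern> <owner...>" lines.  Owners are usernames here.
CODEOWNERS = """
[System Owner]
*                      @identity-ops
okta/groups/           @biz-owner-okta @tech-owner-okta
okta/apps/finance.tf   @finance-sme @tech-owner-okta
""".strip()

# Teams whose members may satisfy the Identity Approval rule (assumed names).
IDENTITY_TEAMS = {"identity-engineering", "identity-operations"}
# Jobs that must succeed on the branch before an MR may be auto-merged.
REQUIRED_JOBS = ("terraform validate", "checkov", "terraform plan")


@dataclass
class MergeRequest:
    changed_files: list   # paths touched by the MR
    commit_authors: set   # users who pushed commits to the branch
    approvals: dict       # approver username -> set of team names
    job_status: dict      # job name -> "success" | "failed" | "pending"


def parse_codeowners(text):
    """Return (pattern, owners) tuples in file order, skipping comments and
    section headers.  Order matters: GitLab applies the last matching line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        pattern, *owners = line.split()
        rules.append((pattern, {o.lstrip("@") for o in owners}))
    return rules


def owners_for(path, rules):
    """Owners of `path`: the last matching pattern wins.  A pattern ending in
    '/' covers everything beneath that directory; '*' covers every path."""
    owners = set()
    for pattern, rule_owners in rules:
        directory_match = pattern.endswith("/") and path.startswith(pattern)
        if pattern == "*" or directory_match or fnmatch(path, pattern):
            owners = rule_owners
    return owners


def identity_approval(mr):
    """Identity Approval: an Identity Engineering/Operations member approved,
    and that person did not push commits to the branch (separation of duties)."""
    eligible = {
        user for user, teams in mr.approvals.items()
        if teams & IDENTITY_TEAMS and user not in mr.commit_authors
    }
    return bool(eligible)


def codeowner_approval(mr, rules):
    """System Owner approval: every changed file needs an approval from one of
    the owners CODEOWNERS assigns to it.  Returns the files still lacking one."""
    return [path for path in mr.changed_files
            if not owners_for(path, rules) & set(mr.approvals)]


def merge_gate(mr, rules=None):
    """Auto-merge conditions: required jobs succeeded and both approval rules
    satisfied.  Returns (allowed, reasons) so a blocked MR explains itself."""
    rules = parse_codeowners(CODEOWNERS) if rules is None else rules
    reasons = [f"job '{job}' has not succeeded"
               for job in REQUIRED_JOBS if mr.job_status.get(job) != "success"]
    if not identity_approval(mr):
        reasons.append("Identity Approval missing or given by a committer")
    reasons += [f"no CODEOWNER approval for {path}"
                for path in codeowner_approval(mr, rules)]
    return (not reasons, reasons)


def demo():
    """Constructed scenario: peer reviewer 'alice' pushed a fix and then
    approved; her approval alone cannot satisfy the Identity rule."""
    mr = MergeRequest(
        changed_files=["okta/groups/engineering.tf"],
        commit_authors={"dev", "alice"},
        approvals={"alice": {"identity-engineering"},
                   "tech-owner-okta": {"app-owners"}},
        job_status={job: "success" for job in REQUIRED_JOBS},
    )
    blocked = merge_gate(mr)
    # A second Identity team member who did not commit completes the approval.
    mr.approvals["bob"] = {"identity-operations"}
    allowed = merge_gate(mr)
    return blocked, allowed


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The gate reports every unmet condition rather than stopping at the first, which is what a reviewer wants to see on a blocked MR; real GitLab evaluates these rules itself, and this model exists only to make the separation-of-duties and last-match CODEOWNERS semantics explicit.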

When the branch is merged into the main branch, the pipeline includes the terraform apply job. It runs automatically if the terraform plan job passes, and the changes go live without further manual action.

Standardized Modules and Syntax

We maintain a library of pre-defined modules (configuration templates). A module configuration block only needs a few variables set; the module handles all of the remaining syntax so that configuration stays standardized.

Each module can be used in the appropriate Terraform configuration file. See the respective vendor repository for more details.