aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

Gitlab Self-Managed integration #412

Open mandrakenet opened 6 months ago

mandrakenet commented 6 months ago

Gitlab Self-Managed AFT repositories integration with AFT pipelines

I wanted to discuss the possibility of integrating self-managed GitLab repositories with AWS Account Factory for Terraform (AFT) pipelines. This inquiry stems from the recent update where AWS CodePipeline announced support for self-managed GitLab instances.

Can AFT be configured to use these repositories hosted on a self-managed GitLab instance? This integration would be instrumental for our workflows, and I'm eager to know if this is feasible and, if so, what steps would be required to implement it.

I would appreciate any guidance, documentation, or insights into how AFT can leverage this new CodePipeline feature with self-managed GitLab repositories.

Thank you for considering this request.

be-aws-architect commented 6 months ago

I'm curious to see if it will be implemented.

FWIW, I too was in the same conundrum but ultimately decided leaving it hosted on Codecommit was not the worst thing.

I ended up doing the following:

The workaround isn't as bad as it seems, and you don't need to use pipelines anyway in GitLab. The added bonus is the security, as nobody without actual access to the AFT account can create PRs or approve them, as they need to authenticate locally to CodeCommit. This also means the code isn't readable in GitLab, which with its lackluster access control settings is a nice bonus too.

mandrakenet commented 6 months ago

I prefer to use a GitLab push mirror with 4 local users in the AFT account, each dedicated to a specific repository mirror, and to secure the access only to those users and actions via SCP policies. After configuring mirror credentials in GitLab, they become inaccessible (unlike masked variables), enhancing security. Therefore, I only mirror the main branch, which is protected in GitLab.

Additionally, I will add an extra pipeline in Gitlab on a different branch, like 'pre-plan', to execute a local plan validation in GitLab.

I think having the integration with self-hosted GitLab should avoid the creation of 4 local users in my case.
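The per-repository mirror user described in the comment above, as an added Terraform example that is not part of this issue or of the AFT module. It assumes the AFT CodeCommit repository name (`aft-account-request` here) already exists, uses an IAM identity policy on the user (rather than an SCP, which the comment mentions) to restrict the user to that one repository, and applies the AWS-documented `codecommit:References` deny pattern so that the mirror can only push to `refs/heads/main`.

```hcl
# Look up the existing AFT repository this mirror user is dedicated to.
data "aws_codecommit_repository" "target" {
  repository_name = "aft-account-request" # assumed AFT repository name
}

# One IAM user per mirrored repository; nothing else in the account uses it.
resource "aws_iam_user" "mirror" {
  name = "gitlab-mirror-aft-account-request" # assumed naming convention
}

# HTTPS Git credentials for this user; the generated username/password is
# what gets entered into the GitLab push-mirror configuration.
resource "aws_iam_service_specific_credential" "mirror" {
  user_name    = aws_iam_user.mirror.name
  service_name = "codecommit.amazonaws.com"
}

data "aws_iam_policy_document" "mirror" {
  # Allow Git operations on exactly one repository.
  statement {
    sid       = "MirrorTargetRepoOnly"
    effect    = "Allow"
    actions   = ["codecommit:GitPull", "codecommit:GitPush"]
    resources = [data.aws_codecommit_repository.target.arn]
  }

  # Explicitly deny pushes to any reference other than main, so the mirror
  # cannot create or update other branches or tags even if GitLab is
  # reconfigured to mirror more than the main branch.
  statement {
    sid       = "DenyPushOutsideMain"
    effect    = "Deny"
    actions   = ["codecommit:GitPush"]
    resources = [data.aws_codecommit_repository.target.arn]
    condition {
      test     = "StringNotEquals"
      variable = "codecommit:References"
      values   = ["refs/heads/main"]
    }
    condition {
      test     = "Null"
      variable = "codecommit:References"
      values   = ["false"]
    }
  }
}

resource "aws_iam_user_policy" "mirror" {
  name   = "codecommit-mirror-main-only"
  user   = aws_iam_user.mirror.name
  policy = data.aws_iam_policy_document.mirror.json
}
```

Repeat the block (or wrap it in a module) once per AFT repository so each mirror user holds credentials for only its own repository.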

snebhu3 commented 6 months ago

@mandrakenet thank you for the feature request. Currently, AFT only supports use of CodeCommit (the default), and GitHub, GitHub Enterprise and Bitbucket VCS providers via CodeStar Connections. I went ahead and created a backlog item to explore the possibility of supporting GitLab as the VCS provider for an AFT deployment.