Prevent locked Terraform states from being deleted

5a3a4cd8 · Emily Ring · Ash McKenzie · 8dcf4b99 · 5a3a4cd8 · 5a3a4cd8
Commit 5a3a4cd8 authored Jan 05, 2021 by Emily Ring Committed by Ash McKenzie Jan 05, 2021
4 changed files
--- a/app/models/terraform/state.rb
+++ b/app/models/terraform/state.rb
@@ -27,6 +27,8 @@ module Terraform
    validates :uuid, presence: true, uniqueness: true, length: { is: UUID_LENGTH },
              format: { with: HEX_REGEXP, message: 'only allows hex characters' }
+    before_destroy :ensure_state_is_unlocked
    default_value_for(:uuid, allows_nil: false) { SecureRandom.hex(UUID_LENGTH / 2) }
    def latest_file
@@ -87,6 +89,13 @@ module Terraform
      new_version.save!
    end
+    def ensure_state_is_unlocked
+      return unless locked?
+      errors.add(:base, s_("Terraform|You cannot remove the State file because it's locked. Unlock the State file first before removing it."))
+      throw :abort # rubocop:disable Cop/BanCatchThrow
+    end
    def parse_serial(file)
      Gitlab::Json.parse(file)["serial"]
    rescue JSON::ParserError

--- a/changelogs/unreleased/state-lock-delete-validation.yml
+++ b/changelogs/unreleased/state-lock-delete-validation.yml
+---
+title: Prevent locked Terraform states from being deleted
+merge_request: 50798
+author:
+type: changed
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -27504,6 +27504,9 @@ msgstr ""
 msgid "Terraform|You are about to remove the State file %{name}. This will permanently delete all the State versions and history. The infrastructure provisioned previously\twill remain intact, only the state file with all its versions are to be removed. This action is non-revertible."
 msgstr ""
+msgid "Terraform|You cannot remove the State file because it's locked. Unlock the State file first before removing it."
+msgstr ""
 msgid "Test"
 msgstr ""

--- a/spec/models/terraform/state_spec.rb
+++ b/spec/models/terraform/state_spec.rb
@@ -27,6 +27,22 @@ RSpec.describe Terraform::State do
    end
  end
+  describe '#destroy' do
+    let(:terraform_state) { create(:terraform_state) }
+    let(:user) { terraform_state.project.creator }
+    it 'deletes when the state is unlocked' do
+      expect(terraform_state.destroy).to be_truthy
+    end
+    it 'fails to delete when the state is locked', :aggregate_failures do
+      terraform_state.update!(lock_xid: SecureRandom.uuid, locked_by_user: user, locked_at: Time.current)
+      expect(terraform_state.destroy).to be_falsey
+      expect(terraform_state.errors.full_messages).to eq(["You cannot remove the State file because it's locked. Unlock the State file first before removing it."])
+    end
+  end
  describe '#latest_file' do
    let(:terraform_state) { create(:terraform_state, :with_version) }
    let(:latest_version) { terraform_state.latest_version }