diff --git a/app/assets/javascripts/graphql_shared/possible_types.json b/app/assets/javascripts/graphql_shared/possible_types.json
index 37c1674cc5aa228ab911024be52537685d546ee0..4e0b1413f7117b73eed93be4c35c5a474f52bef3 100644
--- a/app/assets/javascripts/graphql_shared/possible_types.json
+++ b/app/assets/javascripts/graphql_shared/possible_types.json
@@ -3,6 +3,9 @@
"AlertManagementHttpIntegration",
"AlertManagementPrometheusIntegration"
],
+ "AmazonS3ConfigurationInterface": [
+ "AmazonS3ConfigurationType"
+ ],
"BaseHeaderInterface": [
"AuditEventStreamingHeader",
"AuditEventsStreamingInstanceHeader"
diff --git a/doc/administration/audit_event_streaming/audit_event_types.md b/doc/administration/audit_event_streaming/audit_event_types.md
index 5c27dabe378649354fab452f2d51de72fd3411da..b48bbefae964c299e4ff4abe238e08e590ee219d 100644
--- a/doc/administration/audit_event_streaming/audit_event_types.md
+++ b/doc/administration/audit_event_streaming/audit_event_types.md
@@ -37,6 +37,7 @@ audit events to external destinations.
| [`allow_committer_approval_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/102256) | Event triggered on updating prevent merge request approval from committers from group merge request setting | **{check-circle}** Yes | **{check-circle}** Yes | `compliance_management` | GitLab [15.6](https://gitlab.com/gitlab-org/gitlab/-/issues/373949) |
| [`allow_merge_on_skipped_pipeline_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/83922) | There is a project setting which toggles the ability to merge when a pipeline is skipped. This audit event tracks changes to that setting. This MR adds a setting to allow this (like previous GitLab versions). | **{check-circle}** Yes | **{check-circle}** Yes | `continuous_integration` | GitLab [14.10](https://gitlab.com/gitlab-org/gitlab/-/issues/301124) |
| [`allow_overrides_to_approver_list_per_merge_request_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/102256) | Event triggered on updating prevent users from modifying MR approval rules in merge requests from group merge request setting | **{check-circle}** Yes | **{check-circle}** Yes | `compliance_management` | GitLab [15.6](https://gitlab.com/gitlab-org/gitlab/-/issues/373949) |
+| [`amazon_s3_configuration_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/132443) | Triggered when Amazon S3 configuration for audit events streaming is created | **{check-circle}** Yes | **{check-circle}** Yes | `audit_events` | GitLab [16.5](https://gitlab.com/gitlab-org/gitlab/-/issues/423229) |
| [`application_setting_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/124639) | Triggered when Application setting is updated | **{check-circle}** Yes | **{check-circle}** Yes | `system_access` | GitLab [16.3](https://gitlab.com/gitlab-org/gitlab/-/issues/282428) |
| [`approval_rule_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/89939) | Triggered when a merge request approval rule is created | **{check-circle}** Yes | **{check-circle}** Yes | `source_code_management` | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363092) |
| [`approval_rule_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/82297) | Triggered on successful approval rule deletion | **{check-circle}** Yes | **{check-circle}** Yes | `source_code_management` | GitLab [14.9](https://gitlab.com/gitlab-org/gitlab/-/issues/329514) |
diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md
index 65736f10ba9103e6652c32b997cc681e48efc5db..5b35f7dc3917a85ae451b577e84b64a4069cef1a 100644
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -1274,6 +1274,30 @@ Input type: `AlertTodoCreateInput`
| `issue` | [`Issue`](#issue) | Issue created after mutation. |
| `todo` | [`Todo`](#todo) | To-do item after mutation. |
+### `Mutation.amazonS3ConfigurationCreate`
+
+Input type: `AmazonS3ConfigurationCreateInput`
+
+#### Arguments
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| `accessKeyXid` | [`String!`](#string) | Access key ID of the Amazon S3 account. |
+| `awsRegion` | [`String!`](#string) | AWS region where the bucket is created. |
+| `bucketName` | [`String!`](#string) | Name of the bucket where the audit events would be logged. |
+| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| `groupPath` | [`ID!`](#id) | Group path. |
+| `name` | [`String`](#string) | Destination name. |
+| `secretAccessKey` | [`String!`](#string) | Secret access key of the Amazon S3 account. |
+
+#### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| `amazonS3Configuration` | [`AmazonS3ConfigurationType`](#amazons3configurationtype) | configuration created. |
+| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| `errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. |
+
### `Mutation.approveDeployment`
Input type: `ApproveDeploymentInput`
@@ -13270,6 +13294,21 @@ An endpoint and credentials used to accept Prometheus alerts for a project.
| `type` | [`AlertManagementIntegrationType!`](#alertmanagementintegrationtype) | Type of integration. |
| `url` | [`String`](#string) | Endpoint which accepts alert notifications. |
+### `AmazonS3ConfigurationType`
+
+Stores Amazon S3 configurations.
+
+#### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| `accessKeyXid` | [`String!`](#string) | Access key ID of the Amazon S3 account. |
+| `awsRegion` | [`String!`](#string) | AWS region where the bucket is created. |
+| `bucketName` | [`String!`](#string) | Name of the bucket where the audit events would be logged. |
+| `group` | [`Group!`](#group) | Group the configuration belongs to. |
+| `id` | [`ID!`](#id) | ID of the configuration. |
+| `name` | [`String!`](#string) | Name of the external destination to send audit events to. |
+
### `ApiFuzzingCiConfiguration`
Data associated with configuring API fuzzing scans in GitLab CI.
@@ -30162,6 +30201,22 @@ Implementations:
| `type` | [`AlertManagementIntegrationType!`](#alertmanagementintegrationtype) | Type of integration. |
| `url` | [`String`](#string) | Endpoint which accepts alert notifications. |
+#### `AmazonS3ConfigurationInterface`
+
+Implementations:
+
+- [`AmazonS3ConfigurationType`](#amazons3configurationtype)
+
+##### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| `accessKeyXid` | [`String!`](#string) | Access key ID of the Amazon S3 account. |
+| `awsRegion` | [`String!`](#string) | AWS region where the bucket is created. |
+| `bucketName` | [`String!`](#string) | Name of the bucket where the audit events would be logged. |
+| `id` | [`ID!`](#id) | ID of the configuration. |
+| `name` | [`String!`](#string) | Name of the external destination to send audit events to. |
+
#### `BaseHeaderInterface`
Implementations:
diff --git a/ee/app/graphql/ee/types/mutation_type.rb b/ee/app/graphql/ee/types/mutation_type.rb
index 5332505397e41b9141e706a65d4d7e303850899c..d82d589a5199386e799bdc814751b4cd583e6e49 100644
--- a/ee/app/graphql/ee/types/mutation_type.rb
+++ b/ee/app/graphql/ee/types/mutation_type.rb
@@ -122,6 +122,7 @@ module MutationType
mount_mutation ::Mutations::AuditEvents::GoogleCloudLoggingConfigurations::Create
mount_mutation ::Mutations::AuditEvents::GoogleCloudLoggingConfigurations::Destroy
mount_mutation ::Mutations::AuditEvents::GoogleCloudLoggingConfigurations::Update
+ mount_mutation ::Mutations::AuditEvents::AmazonS3Configurations::Create
mount_mutation ::Mutations::AuditEvents::Instance::GoogleCloudLoggingConfigurations::Create
mount_mutation ::Mutations::Forecasting::BuildForecast, alpha: { milestone: '16.0' }
mount_mutation ::Mutations::AuditEvents::Streaming::InstanceHeaders::Create
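Review bot: The added `mount_mutation ::Mutations::AuditEvents::AmazonS3Configurations::Create` is wedged between the group-level and instance-level `GoogleCloudLoggingConfigurations` mounts, splitting a set of lines that read as one group. Placing it directly after `::Mutations::AuditEvents::Instance::GoogleCloudLoggingConfigurations::Create` (or before the first Google Cloud mount) keeps the audit-event destination mounts contiguous and makes the later Update/Destroy additions for S3 easier to slot in. The enclosing `mount_mutation` list continues outside the hunk.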
diff --git a/ee/app/graphql/mutations/audit_events/amazon_s3_configurations/base.rb b/ee/app/graphql/mutations/audit_events/amazon_s3_configurations/base.rb
new file mode 100644
index 0000000000000000000000000000000000000000..f6c70d16704a3135254b619f462363a420de545d
--- /dev/null
+++ b/ee/app/graphql/mutations/audit_events/amazon_s3_configurations/base.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Mutations
+ module AuditEvents
+ module AmazonS3Configurations
+ class Base < BaseMutation
+ private
+
+ def audit(config, action:)
+ audit_context = {
+ name: "amazon_s3_configuration_#{action}",
+ author: current_user,
+ scope: config.group,
+ target: config.group,
+ message: "#{action.capitalize} Amazon S3 configuration with name: #{config.name} bucket: " \
+ "#{config.bucket_name} and AWS region: #{config.aws_region}"
+ }
+
+ ::Gitlab::Audit::Auditor.audit(audit_context)
+ end
+ end
+ end
+ end
+end
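Review bot: `audit` builds a message from `config.name`, `config.bucket_name` and `config.aws_region` only, which is the right choice for an audit trail that is itself streamed and persisted, but nothing states that this is deliberate, so a later change could add the access key fields without noticing. A short comment above the `audit_context` literal would pin the contract: `# Message carries only non-secret identifiers (name, bucket, region); the access key ID and secret access key must never be audited.` The method also deserves a one-line YARD header, e.g. `# @param config [AuditEvents::AmazonS3Configuration] saved configuration` and `# @param action [Symbol] past-tense verb used for the event name and message (:created)`, since `action.capitalize` on the symbol is what yields the leading "Created" the spec asserts on.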
diff --git a/ee/app/graphql/mutations/audit_events/amazon_s3_configurations/create.rb b/ee/app/graphql/mutations/audit_events/amazon_s3_configurations/create.rb
new file mode 100644
index 0000000000000000000000000000000000000000..51fd0baa827aa43931cf52094fc432cd753c91c1
--- /dev/null
+++ b/ee/app/graphql/mutations/audit_events/amazon_s3_configurations/create.rb
@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+module Mutations
+ module AuditEvents
+ module AmazonS3Configurations
+ class Create < Base
+ graphql_name 'AmazonS3ConfigurationCreate'
+
+ authorize :admin_external_audit_events
+
+ argument :name, GraphQL::Types::String,
+ required: false,
+ description: 'Destination name.'
+
+ argument :group_path, GraphQL::Types::ID,
+ required: true,
+ description: 'Group path.'
+
+ argument :access_key_xid, GraphQL::Types::String,
+ required: true,
+ description: 'Access key ID of the Amazon S3 account.'
+
+ argument :secret_access_key, GraphQL::Types::String,
+ required: true,
+ description: 'Secret access key of the Amazon S3 account.'
+
+ argument :bucket_name, GraphQL::Types::String,
+ required: true,
+ description: 'Name of the bucket where the audit events would be logged.'
+
+ argument :aws_region, GraphQL::Types::String,
+ required: true,
+ description: 'AWS region where the bucket is created.'
+
+ field :amazon_s3_configuration, ::Types::AuditEvents::AmazonS3ConfigurationType,
+ null: true,
+ description: 'configuration created.'
+
+ def resolve(group_path:, access_key_xid:, secret_access_key:, bucket_name:, aws_region:, name: nil)
+ group = authorized_find!(group_path)
+ config_attributes = {
+ group: group,
+ access_key_xid: access_key_xid,
+ secret_access_key: secret_access_key,
+ bucket_name: bucket_name,
+ aws_region: aws_region,
+ name: name
+ }
+
+ config = ::AuditEvents::AmazonS3Configuration.new(config_attributes)
+
+ if config.save
+ audit(config, action: :created)
+
+ { amazon_s3_configuration: config, errors: [] }
+ else
+ { amazon_s3_configuration: nil, errors: Array(config.errors) }
+ end
+ end
+
+ private
+
+ def find_object(group_path)
+ ::Group.find_by_full_path(group_path)
+ end
+ end
+ end
+ end
+end
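Review bot: The `amazon_s3_configuration` field description `'configuration created.'` starts with a lowercase letter while every other description in this file ('Destination name.', 'Group path.', 'Access key ID of the Amazon S3 account.') is sentence-cased, and the lowercase form is what ends up in the generated reference docs; change it to `description: 'Configuration created.'`. The `name` argument is `required: false` and `resolve` passes `name: nil` through to the model, yet `AmazonS3ConfigurationInterface` declares `name` as `null: false` — presumably the model assigns a default name on save, but if it does not, a configuration created without a name would violate the non-null field when read back; confirm against the model and consider a spec case that omits `name`. `secret_access_key` arrives as a plain `GraphQL::Types::String` and is handed straight to `::AuditEvents::AmazonS3Configuration.new`; the mutation itself never echoes it (the return type has no such field), but confirm the attribute is stored encrypted and is covered by request/variable log filtering, since neither is visible in this diff.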
diff --git a/ee/app/graphql/types/audit_events/amazon_s3_configuration_interface.rb b/ee/app/graphql/types/audit_events/amazon_s3_configuration_interface.rb
new file mode 100644
index 0000000000000000000000000000000000000000..51c0e8a84535852122856d856819d244d13baf28
--- /dev/null
+++ b/ee/app/graphql/types/audit_events/amazon_s3_configuration_interface.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Types
+ module AuditEvents
+ module AmazonS3ConfigurationInterface
+ include Types::BaseInterface
+
+ field :id, GraphQL::Types::ID,
+ null: false,
+ description: 'ID of the configuration.'
+
+ field :name, GraphQL::Types::String,
+ null: false,
+ description: 'Name of the external destination to send audit events to.'
+
+ field :access_key_xid, GraphQL::Types::String,
+ null: false,
+ description: 'Access key ID of the Amazon S3 account.'
+
+ field :bucket_name, GraphQL::Types::String,
+ null: false,
+ description: 'Name of the bucket where the audit events would be logged.'
+
+ field :aws_region, GraphQL::Types::String,
+ null: false,
+ description: 'AWS region where the bucket is created.'
+ end
+ end
+end
diff --git a/ee/app/graphql/types/audit_events/amazon_s3_configuration_type.rb b/ee/app/graphql/types/audit_events/amazon_s3_configuration_type.rb
new file mode 100644
index 0000000000000000000000000000000000000000..6d1cabd5102565ccd8da7b8a6737f2a29f0d8eb3
--- /dev/null
+++ b/ee/app/graphql/types/audit_events/amazon_s3_configuration_type.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Types
+ module AuditEvents
+ class AmazonS3ConfigurationType < ::Types::BaseObject
+ graphql_name 'AmazonS3ConfigurationType'
+ description 'Stores Amazon S3 configurations.'
+ authorize :admin_external_audit_events
+
+ implements AmazonS3ConfigurationInterface
+
+ field :group, ::Types::GroupType,
+ null: false,
+ description: 'Group the configuration belongs to.'
+ end
+ end
+end
diff --git a/ee/app/policies/audit_events/amazon_s3_configuration_policy.rb b/ee/app/policies/audit_events/amazon_s3_configuration_policy.rb
new file mode 100644
index 0000000000000000000000000000000000000000..665a316ad79b13597aa7ee519171d6bb096f1a50
--- /dev/null
+++ b/ee/app/policies/audit_events/amazon_s3_configuration_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module AuditEvents
+ class AmazonS3ConfigurationPolicy < ::BasePolicy
+ delegate { @subject.group }
+ end
+end
diff --git a/ee/config/audit_events/types/amazon_s3_configuration_created.yml b/ee/config/audit_events/types/amazon_s3_configuration_created.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e8095f90ccd6554240dd3f3d25fb3be4a126b184
--- /dev/null
+++ b/ee/config/audit_events/types/amazon_s3_configuration_created.yml
@@ -0,0 +1,9 @@
+---
+name: amazon_s3_configuration_created
+description: Triggered when Amazon S3 configuration for audit events streaming is created
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/423229
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/132443
+feature_category: audit_events
+milestone: '16.5'
+saved_to_database: true
+streamed: true
diff --git a/ee/spec/requests/api/graphql/mutations/audit_events/amazon_s3_configurations/create_spec.rb b/ee/spec/requests/api/graphql/mutations/audit_events/amazon_s3_configurations/create_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..dc4508451787e08c1140ea360d70ae0d5bf7e75d
--- /dev/null
+++ b/ee/spec/requests/api/graphql/mutations/audit_events/amazon_s3_configurations/create_spec.rb
@@ -0,0 +1,151 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Create Amazon S3 configuration', feature_category: :audit_events do
+ include GraphqlHelpers
+
+ let_it_be(:group) { create(:group) }
+ let_it_be(:current_user) { create(:user) }
+ let_it_be(:destination_name) { 'test_aws_s3_destination' }
+ let_it_be(:access_key_id) { 'AKIARANDOMID1234' }
+ let_it_be(:secret_access_key) { 'TEST/SECRET/XYZ' }
+ let_it_be(:bucket_name) { 'test-bucket' }
+ let_it_be(:aws_region) { 'us-east-1' }
+
+ let(:mutation) { graphql_mutation(:amazon_s3_configuration_create, input) }
+ let(:mutation_response) { graphql_mutation_response(:amazon_s3_configuration_create) }
+
+ let(:input) do
+ {
+ name: destination_name,
+ groupPath: group.full_path,
+ accessKeyXid: access_key_id,
+ secretAccessKey: secret_access_key,
+ bucketName: bucket_name,
+ awsRegion: aws_region
+ }
+ end
+
+ subject(:mutate) { post_graphql_mutation(mutation, current_user: current_user) }
+
+ shared_examples 'creates an audit event' do
+ before do
+ allow(Gitlab::Audit::Auditor).to receive(:audit)
+ end
+
+ it 'audits the creation' do
+ subject
+
+ expect(Gitlab::Audit::Auditor).to have_received(:audit) do |args|
+ expect(args[:name]).to eq('amazon_s3_configuration_created')
+ expect(args[:author]).to eq(current_user)
+ expect(args[:scope]).to eq(group)
+ expect(args[:target]).to eq(group)
+ expect(args[:message]).to eq("Created Amazon S3 configuration with name: #{destination_name} " \
+ "bucket: #{bucket_name} and AWS region: #{aws_region}")
+ end
+ end
+ end
+
+ shared_examples 'a mutation that does not create a configuration' do
+ it 'does not create the configuration' do
+ expect { mutate }
+ .not_to change { AuditEvents::AmazonS3Configuration.count }
+ end
+
+ it 'does not create audit event' do
+ expect { mutate }.not_to change { AuditEvent.count }
+ end
+ end
+
+ shared_examples 'an unauthorized mutation that does not create a configuration' do
+ it_behaves_like 'a mutation on an unauthorized resource'
+ it_behaves_like 'a mutation that does not create a configuration'
+ end
+
+ context 'when feature is licensed' do
+ before do
+ stub_licensed_features(external_audit_events: true)
+ end
+
+ context 'when current user is a group owner' do
+ before_all do
+ group.add_owner(current_user)
+ end
+
+ it 'resolves group by full path' do
+ expect(::Group).to receive(:find_by_full_path).with(group.full_path)
+
+ mutate
+ end
+
+ it 'creates the configuration' do
+ expect { mutate }
+ .to change { AuditEvents::AmazonS3Configuration.count }.by(1)
+
+ config = AuditEvents::AmazonS3Configuration.last
+ expect(config.group).to eq(group)
+ expect(config.name).to eq(destination_name)
+ expect(config.access_key_xid).to eq(access_key_id)
+ expect(config.secret_access_key).to eq(secret_access_key)
+ expect(config.bucket_name).to eq(bucket_name)
+ expect(config.aws_region).to eq(aws_region)
+ end
+
+ it_behaves_like 'creates an audit event', 'audit_events'
+
+ context 'when there is error while saving' do
+ before do
+ allow_next_instance_of(AuditEvents::AmazonS3Configuration) do |s3_configuration|
+ allow(s3_configuration).to receive(:save).and_return(false)
+
+ errors = ActiveModel::Errors.new(s3_configuration).tap { |e| e.add(:aws_region, 'error message') }
+ allow(s3_configuration).to receive(:errors).and_return(errors)
+ end
+ end
+
+ it 'does not create the configuration and returns the error' do
+ expect { mutate }
+ .not_to change { AuditEvents::AmazonS3Configuration.count }
+
+ expect(mutation_response).to include(
+ 'amazonS3Configuration' => nil,
+ 'errors' => ["Aws region error message"])
+ end
+ end
+ end
+
+ context 'when current user is a group maintainer' do
+ before_all do
+ group.add_maintainer(current_user)
+ end
+
+ it_behaves_like 'an unauthorized mutation that does not create a configuration'
+ end
+
+ context 'when current user is a group developer' do
+ before_all do
+ group.add_developer(current_user)
+ end
+
+ it_behaves_like 'an unauthorized mutation that does not create a configuration'
+ end
+
+ context 'when current user has guest access' do
+ before_all do
+ group.add_guest(current_user)
+ end
+
+ it_behaves_like 'an unauthorized mutation that does not create a configuration'
+ end
+ end
+
+ context 'when feature is unlicensed' do
+ before do
+ stub_licensed_features(external_audit_events: false)
+ end
+
+ it_behaves_like 'an unauthorized mutation that does not create a configuration'
+ end
+end
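Review bot: `it_behaves_like 'creates an audit event', 'audit_events'` passes a positional argument that the shared example (declared with no block parameters at `shared_examples 'creates an audit event' do`) never receives, so the string is silently ignored; drop it: `it_behaves_like 'creates an audit event'`. The authorization matrix (owner, maintainer, developer, guest, unlicensed) is thorough, but there is no example for an unknown `groupPath`, where `find_object` returns `nil` and `authorized_find!` is expected to raise — a context posting a non-existent path and asserting the standard "resource not available" error would lock in that behaviour. It would also be worth asserting that `mutation_response['amazonS3Configuration']` contains no secret material in the success case, so a future field addition to the type cannot quietly expose `secretAccessKey`.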