diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md
index 5b7e8ec066f733d9e7b99a7dd7f9074cceabbbe7..189f7a4afec7f541a2c21373e964d729070bfc88 100644
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -2018,6 +2018,52 @@ Input type: `AuditEventsInstanceDestinationEventsDeleteInput`
| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
| `errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. |
+### `Mutation.auditEventsInstanceDestinationNamespaceFilterCreate`
+
+DETAILS:
+**Introduced** in GitLab 17.2.
+**Status**: Experiment.
+
+Input type: `AuditEventsInstanceDestinationNamespaceFilterCreateInput`
+
+#### Arguments
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| `destinationId` | [`AuditEventsInstanceExternalStreamingDestinationID!`](#auditeventsinstanceexternalstreamingdestinationid) | Destination ID. |
+| `namespacePath` | [`String`](#string) | Full path of the namespace. Project or group namespaces only. |
+
+#### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| `errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. |
+| `namespaceFilter` | [`InstanceAuditEventNamespaceFilter`](#instanceauditeventnamespacefilter) | Namespace filter to be created. |
+
+### `Mutation.auditEventsInstanceDestinationNamespaceFilterDelete`
+
+DETAILS:
+**Introduced** in GitLab 17.2.
+**Status**: Experiment.
+
+Input type: `AuditEventsInstanceDestinationNamespaceFilterDeleteInput`
+
+#### Arguments
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| `namespaceFilterId` | [`AuditEventsInstanceNamespaceFilterID!`](#auditeventsinstancenamespacefilterid) | Namespace filter ID. |
+
+#### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| `errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. |
+
### `Mutation.auditEventsStreamingDestinationEventsAdd`
Input type: `AuditEventsStreamingDestinationEventsAddInput`
@@ -23382,6 +23428,18 @@ Stores instance level Amazon S3 configurations for audit event streaming.
| `id` | [`ID!`](#id) | ID of the configuration. |
| `name` | [`String!`](#string) | Name of the external destination to send audit events to. |
+### `InstanceAuditEventNamespaceFilter`
+
+Represents a subgroup or project filter that belongs to an instance level external audit event streaming destination.
+
+#### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| `externalStreamingDestination` | [`InstanceAuditEventStreamingDestination!`](#instanceauditeventstreamingdestination) | Destination to which the filter belongs. |
+| `id` | [`ID!`](#id) | ID of the filter. |
+| `namespace` | [`Namespace!`](#namespace) | Group or project namespace the filter belongs to. |
+
### `InstanceAuditEventStreamingDestination`
Represents an external destination to stream instance level audit events.
@@ -23395,6 +23453,7 @@ Represents an external destination to stream instance level audit events.
| `eventTypeFilters` | [`[String!]!`](#string) | List of event type filters added for streaming. |
| `id` | [`ID!`](#id) | ID of the destination. |
| `name` | [`String!`](#string) | Name of the external destination to send audit events to. |
+| `namespaceFilters` | [`[InstanceAuditEventNamespaceFilter!]`](#instanceauditeventnamespacefilter) | List of subgroup or project filters for the destination. |
### `InstanceExternalAuditEventDestination`
@@ -36254,6 +36313,12 @@ A `AuditEventsInstanceGoogleCloudLoggingConfigurationID` is a global ID. It is e
An example `AuditEventsInstanceGoogleCloudLoggingConfigurationID` is: `"gid://gitlab/AuditEvents::Instance::GoogleCloudLoggingConfiguration/1"`.
+### `AuditEventsInstanceNamespaceFilterID`
+
+A `AuditEventsInstanceNamespaceFilterID` is a global ID. It is encoded as a string.
+
+An example `AuditEventsInstanceNamespaceFilterID` is: `"gid://gitlab/AuditEvents::Instance::NamespaceFilter/1"`.
+
### `AuditEventsStreamingHTTPNamespaceFilterID`
A `AuditEventsStreamingHTTPNamespaceFilterID` is a global ID. It is encoded as a string.
diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md
index 4891f0a5f96fac9cd0ceffb670e0c28466a3556a..9e06913f6fdf2e061b359f4be3823a3b28cf7749 100644
--- a/doc/user/compliance/audit_event_types.md
+++ b/doc/user/compliance/audit_event_types.md
@@ -68,10 +68,12 @@ Audit event types belong to the following product categories.
| [`created_group_audit_event_streaming_destination`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147888) | Event triggered when an external audit event destination for a top-level group is created.| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.11](https://gitlab.com/gitlab-org/gitlab/-/issues/436610) | Group |
| [`created_group_namespace_filter`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150712) | Event triggered when a namespace filter for an external audit event destination for a top-level group is created.| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.0](https://gitlab.com/gitlab-org/gitlab/-/issues/436612) | Group |
| [`created_instance_audit_event_streaming_destination`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/148383) | Event triggered when an external audit event destination for a GitLab instance is created.| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.11](https://gitlab.com/gitlab-org/gitlab/-/issues/436615) | Instance |
+| [`created_instance_namespace_filter`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153156) | Event triggered when a namespace filter for an external audit event destination for an instance is created.| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.2](https://gitlab.com/gitlab-org/gitlab/-/issues/436613) | Instance |
| [`delete_http_namespace_filter`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/136302) | Event triggered when a namespace filter for an external audit event destination for a top-level group is deleted.| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.7](https://gitlab.com/gitlab-org/gitlab/-/issues/424177) | Group |
| [`deleted_group_audit_event_streaming_destination`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/148738) | Event triggered when an external audit event destination for a top-level group is deleted.| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.11](https://gitlab.com/gitlab-org/gitlab/-/issues/436610) | Group |
| [`deleted_group_namespace_filter`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150712) | Event triggered when a namespace filter for an external audit event destination for a top-level group is deleted.| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.0](https://gitlab.com/gitlab-org/gitlab/-/issues/436612) | Group |
| [`deleted_instance_audit_event_streaming_destination`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/14910) | Event triggered when an external audit event destination for a GitLab instance is deleted.| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.11](https://gitlab.com/gitlab-org/gitlab/-/issues/436615) | Instance |
+| [`deleted_instance_namespace_filter`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153156) | Event triggered when a namespace filter for an external audit event destination for an instance is deleted.| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.2](https://gitlab.com/gitlab-org/gitlab/-/issues/436613) | Instance |
| [`destroy_event_streaming_destination`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/74632) | Event triggered when an external audit event destination is deleted| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [14.6](https://gitlab.com/gitlab-org/gitlab/-/issues/344664) | Group |
| [`destroy_instance_event_streaming_destination`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/125846) | Event triggered when an instance level external audit event destination is deleted| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.2](https://gitlab.com/gitlab-org/gitlab/-/issues/404730) | Instance |
| [`event_type_filters_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/113081) | Event triggered when a new audit events streaming event type filter is created| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.10](https://gitlab.com/gitlab-org/gitlab/-/issues/344848) | Group |
diff --git a/ee/app/graphql/ee/types/mutation_type.rb b/ee/app/graphql/ee/types/mutation_type.rb
index a81050499da7caf3f7b5889675095c70c29ba57f..9808f7825c37bc37098dee6ab6fa9a93626e5d24 100644
--- a/ee/app/graphql/ee/types/mutation_type.rb
+++ b/ee/app/graphql/ee/types/mutation_type.rb
@@ -202,6 +202,10 @@ def self.authorization_scopes
alpha: { milestone: '17.0' }
mount_mutation ::Mutations::AuditEvents::Group::NamespaceFilters::Delete,
alpha: { milestone: '17.0' }
+ mount_mutation ::Mutations::AuditEvents::Instance::NamespaceFilters::Create,
+ alpha: { milestone: '17.2' }
+ mount_mutation ::Mutations::AuditEvents::Instance::NamespaceFilters::Delete,
+ alpha: { milestone: '17.2' }
prepend(Types::DeprecatedMutations)
end
diff --git a/ee/app/graphql/mutations/audit_events/instance/namespace_filters/base.rb b/ee/app/graphql/mutations/audit_events/instance/namespace_filters/base.rb
new file mode 100644
index 0000000000000000000000000000000000000000..d1e6df672dd1ceb92aecd5f83e8d9cd11220e734
--- /dev/null
+++ b/ee/app/graphql/mutations/audit_events/instance/namespace_filters/base.rb
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Mutations
+ module AuditEvents
+ module Instance
+ module NamespaceFilters
+ # rubocop:disable GraphQL/GraphqlName -- This is a base mutation so name is not needed here
+ class Base < BaseMutation
+ authorize :admin_instance_external_audit_events
+
+ private
+
+ def audit(filter, action:)
+ audit_context = {
+ name: "#{action}_instance_namespace_filter",
+ author: current_user,
+ scope: Gitlab::Audit::InstanceScope.new,
+ target: filter.external_streaming_destination,
+ message: "#{action.capitalize} namespace filter for instance audit event streaming destination.",
+ additional_details: {
+ destination_name: filter.external_streaming_destination.name,
+ namespace: filter.namespace.full_path
+ }
+ }
+
+ ::Gitlab::Audit::Auditor.audit(audit_context)
+ end
+ end
+ end
+ end
+ end
+end
+# rubocop:enable GraphQL/GraphqlName
diff --git a/ee/app/graphql/mutations/audit_events/instance/namespace_filters/create.rb b/ee/app/graphql/mutations/audit_events/instance/namespace_filters/create.rb
new file mode 100644
index 0000000000000000000000000000000000000000..b5502aba1005d01e5247fcf1c96e5becbfb307a2
--- /dev/null
+++ b/ee/app/graphql/mutations/audit_events/instance/namespace_filters/create.rb
@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module Mutations
+ module AuditEvents
+ module Instance
+ module NamespaceFilters
+ class Create < Base
+ graphql_name 'AuditEventsInstanceDestinationNamespaceFilterCreate'
+
+ argument :destination_id, ::Types::GlobalIDType[::AuditEvents::Instance::ExternalStreamingDestination],
+ required: true,
+ description: 'Destination ID.'
+
+ argument :namespace_path, GraphQL::Types::String,
+ required: false,
+ description: 'Full path of the namespace. Project or group namespaces only.'
+
+ field :namespace_filter, ::Types::AuditEvents::Instance::NamespaceFilterType,
+ null: true,
+ description: 'Namespace filter to be created.'
+
+ def resolve(args)
+ destination = authorized_find!(args[:destination_id])
+
+ namespace = namespace(args[:namespace_path])
+ filter = ::AuditEvents::Instance::NamespaceFilter.new(external_streaming_destination: destination,
+ namespace: namespace)
+
+ audit(filter, action: :created) if filter.save
+ { namespace_filter: (filter if filter.persisted?), errors: Array(filter.errors) }
+ end
+
+ private
+
+ def find_object(destination_id)
+ ::GitlabSchema.object_from_id(destination_id,
+ expected_type: ::AuditEvents::Instance::ExternalStreamingDestination)
+ end
+
+ def namespace(namespace_path)
+ namespace = Routable.find_by_full_path(namespace_path)
+
+ case namespace
+ when ::Group
+ namespace
+ when ::Project
+ namespace.project_namespace
+ else
+ raise Gitlab::Graphql::Errors::ArgumentError, "namespace_path should be of group or project only."
+ end
+ end
+ end
+ end
+ end
+ end
+end
diff --git a/ee/app/graphql/mutations/audit_events/instance/namespace_filters/delete.rb b/ee/app/graphql/mutations/audit_events/instance/namespace_filters/delete.rb
new file mode 100644
index 0000000000000000000000000000000000000000..3e191ff58da7d59bc4e7a5e172ac1879633198ad
--- /dev/null
+++ b/ee/app/graphql/mutations/audit_events/instance/namespace_filters/delete.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Mutations
+ module AuditEvents
+ module Instance
+ module NamespaceFilters
+ class Delete < Base
+ graphql_name 'AuditEventsInstanceDestinationNamespaceFilterDelete'
+
+ argument :namespace_filter_id, ::Types::GlobalIDType[::AuditEvents::Instance::NamespaceFilter],
+ required: true,
+ description: 'Namespace filter ID.'
+ def resolve(namespace_filter_id:)
+ filter = authorized_find!(id: namespace_filter_id)
+
+ audit(filter, action: :deleted) if filter.destroy
+
+ { namespace_filter: nil, errors: filter.errors }
+ end
+ end
+ end
+ end
+ end
+end
diff --git a/ee/app/graphql/types/audit_events/instance/namespace_filter_type.rb b/ee/app/graphql/types/audit_events/instance/namespace_filter_type.rb
new file mode 100644
index 0000000000000000000000000000000000000000..c5f59b6211bce23a8613197e4b6cd04cc76c11e6
--- /dev/null
+++ b/ee/app/graphql/types/audit_events/instance/namespace_filter_type.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Types
+ module AuditEvents
+ module Instance
+ class NamespaceFilterType < ::Types::BaseObject
+ graphql_name 'InstanceAuditEventNamespaceFilter'
+ description 'Represents a subgroup or project filter that belongs to ' \
+ 'an instance level external audit event streaming destination.'
+ authorize :admin_instance_external_audit_events
+
+ field :id, GraphQL::Types::ID,
+ null: false,
+ description: 'ID of the filter.'
+
+ field :namespace, ::Types::NamespaceType,
+ null: false,
+ description: 'Group or project namespace the filter belongs to.'
+
+ field :external_streaming_destination, ::Types::AuditEvents::Instance::StreamingDestinationType,
+ null: false,
+ description: 'Destination to which the filter belongs.'
+ end
+ end
+ end
+end
diff --git a/ee/app/graphql/types/audit_events/instance/streaming_destination_type.rb b/ee/app/graphql/types/audit_events/instance/streaming_destination_type.rb
index 6c7e24638cf041d58ac13bc3f3d2dc7ff7660a14..5ec228a3c7658e364dcf4ed3f93c8b1284b4e488 100644
--- a/ee/app/graphql/types/audit_events/instance/streaming_destination_type.rb
+++ b/ee/app/graphql/types/audit_events/instance/streaming_destination_type.rb
@@ -9,6 +9,10 @@ class StreamingDestinationType < ::Types::BaseObject
authorize :admin_instance_external_audit_events
implements AuditEventStreamingDestinationInterface
+
+ field :namespace_filters, [::Types::AuditEvents::Instance::NamespaceFilterType],
+ null: true,
+ description: 'List of subgroup or project filters for the destination.'
end
end
end
diff --git a/ee/app/policies/audit_events/instance/namespace_filter_policy.rb b/ee/app/policies/audit_events/instance/namespace_filter_policy.rb
new file mode 100644
index 0000000000000000000000000000000000000000..cf829401664ca76e9b76a8203d72e2b793858d2a
--- /dev/null
+++ b/ee/app/policies/audit_events/instance/namespace_filter_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module AuditEvents
+ module Instance
+ class NamespaceFilterPolicy < ::BasePolicy
+ delegate { :global }
+ end
+ end
+end
diff --git a/ee/config/audit_events/types/created_instance_namespace_filter.yml b/ee/config/audit_events/types/created_instance_namespace_filter.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6bdd1249fd7f2231ff30f8c95983cedb59cc04fe
--- /dev/null
+++ b/ee/config/audit_events/types/created_instance_namespace_filter.yml
@@ -0,0 +1,9 @@
+name: created_instance_namespace_filter
+description: Event triggered when a namespace filter for an external audit event destination for an instance is created.
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/436613
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153156
+feature_category: audit_events
+milestone: "17.2"
+saved_to_database: true
+streamed: true
+scope: [Instance]
diff --git a/ee/config/audit_events/types/deleted_instance_namespace_filter.yml b/ee/config/audit_events/types/deleted_instance_namespace_filter.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b437a4295a6f067e9511afd8bc12c6da4da4b81b
--- /dev/null
+++ b/ee/config/audit_events/types/deleted_instance_namespace_filter.yml
@@ -0,0 +1,9 @@
+name: deleted_instance_namespace_filter
+description: Event triggered when a namespace filter for an external audit event destination for an instance is deleted.
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/436613
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153156
+feature_category: audit_events
+milestone: "17.2"
+saved_to_database: true
+streamed: true
+scope: [Instance]
diff --git a/ee/spec/graphql/types/audit_events/instance/namespace_filter_type_spec.rb b/ee/spec/graphql/types/audit_events/instance/namespace_filter_type_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..d11a0c747ef437b869cd0a8b21504ebdc2b882dd
--- /dev/null
+++ b/ee/spec/graphql/types/audit_events/instance/namespace_filter_type_spec.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe GitlabSchema.types['InstanceAuditEventNamespaceFilter'], feature_category: :audit_events do
+ let(:fields) do
+ %i[id namespace external_streaming_destination]
+ end
+
+ specify { expect(described_class.graphql_name).to eq('InstanceAuditEventNamespaceFilter') }
+ specify { expect(described_class).to have_graphql_fields(fields) }
+end
diff --git a/ee/spec/graphql/types/audit_events/instance/streaming_destination_type_spec.rb b/ee/spec/graphql/types/audit_events/instance/streaming_destination_type_spec.rb
index 217ce4eea742b2a5f253bd1cad138c40618a27ae..2b111b203d4efe6337a98c8ba45bf38813e0860d 100644
--- a/ee/spec/graphql/types/audit_events/instance/streaming_destination_type_spec.rb
+++ b/ee/spec/graphql/types/audit_events/instance/streaming_destination_type_spec.rb
@@ -4,7 +4,7 @@
RSpec.describe GitlabSchema.types['InstanceAuditEventStreamingDestination'], feature_category: :audit_events do
let(:fields) do
- %i[id name category config event_type_filters]
+ %i[id name category config event_type_filters namespace_filters]
end
specify { expect(described_class.graphql_name).to eq('InstanceAuditEventStreamingDestination') }
diff --git a/ee/spec/requests/api/graphql/audit_events/instance/namespace_filters/create_spec.rb b/ee/spec/requests/api/graphql/audit_events/instance/namespace_filters/create_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..3b4561fad3414b09856aba214ef2e4c5895c17f0
--- /dev/null
+++ b/ee/spec/requests/api/graphql/audit_events/instance/namespace_filters/create_spec.rb
@@ -0,0 +1,150 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Create a namespace filter for instance level external audit event destinations', feature_category: :audit_events do
+ include GraphqlHelpers
+
+ let_it_be(:destination) { create(:audit_events_instance_external_streaming_destination) }
+ let_it_be(:current_user) { create(:user) }
+ let(:mutation) { graphql_mutation(:audit_events_instance_destination_namespace_filter_create, input) }
+ let(:mutation_response) { graphql_mutation_response(:audit_events_instance_destination_namespace_filter_create) }
+
+ subject { post_graphql_mutation(mutation, current_user: current_user) }
+
+ context 'when feature is licensed' do
+ before do
+ stub_licensed_features(external_audit_events: true)
+ end
+
+ context 'when current user is instance admin' do
+ let(:current_user) { create(:admin) }
+
+ shared_examples 'creation of namespace filters' do
+ context 'when namespace_path is valid' do
+ let(:input) do
+ {
+ destinationId: destination.to_gid,
+ namespacePath: namespace.full_path
+ }
+ end
+
+ it 'creates a namespace filter', :aggregate_failures do
+ expect(::Gitlab::Audit::Auditor).to receive(:audit).with(a_hash_including(
+ name: 'created_instance_namespace_filter',
+ author: current_user,
+ scope: an_instance_of(Gitlab::Audit::InstanceScope),
+ target: destination,
+ message: "Created namespace filter for instance audit event streaming destination.",
+ additional_details: {
+ destination_name: destination.name,
+ namespace: namespace.full_path
+ }
+ )).once.and_call_original
+
+ expect { subject }
+ .to change { AuditEvent.count }.by(1)
+
+ namespace_filters = destination.namespace_filters
+ expect(namespace_filters.first.namespace).to eq(namespace)
+ expect(namespace_filters.first.external_streaming_destination).to eq(destination)
+
+ expect_graphql_errors_to_be_empty
+
+ expect(mutation_response['errors']).to be_empty
+ expect(mutation_response).to have_key('namespaceFilter')
+ expect(mutation_response['namespaceFilter']['namespace']['fullPath']).to eq(namespace.full_path)
+ expect(mutation_response['namespaceFilter']['externalStreamingDestination']['name'])
+ .to eq(destination.name)
+ end
+
+ context 'when namespace filter for the given namespace already exists' do
+ before do
+ create(:audit_events_streaming_instance_namespace_filters,
+ external_streaming_destination: destination,
+ namespace: namespace
+ )
+ end
+
+ it 'returns error' do
+ expect { subject }.not_to change { AuditEvents::Instance::NamespaceFilter.count }
+
+ expect(mutation_response['errors']).to match_array(['Namespace has already been taken'])
+ expect(mutation_response['namespaceFilter']).to be nil
+ end
+ end
+ end
+
+ context 'when given namespace path is invalid' do
+ let(:input) do
+ {
+ destinationId: destination.to_gid,
+ namespace_path: 'invalid_path'
+ }
+ end
+
+ it 'returns error' do
+ expect { subject }.not_to change { AuditEvents::Instance::NamespaceFilter.count }
+
+ expect(graphql_errors)
+ .to include(a_hash_including('message' => "namespace_path should be of group or project only."))
+ expect(mutation_response).to eq(nil)
+ end
+ end
+ end
+
+ context 'when group_path is passed in params' do
+ it_behaves_like 'creation of namespace filters' do
+ let_it_be(:namespace) { create(:group) }
+ end
+ end
+
+ context 'when project_path is passed in params' do
+ it_behaves_like 'creation of namespace filters' do
+ let_it_be(:project) { create(:project, group: create(:group)) }
+ let_it_be(:namespace) { project.project_namespace }
+ end
+ end
+
+ context 'when namespace_path is invalid' do
+ let(:input) do
+ {
+ destinationId: destination.to_gid,
+ namespace_path: 'invalid_path'
+ }
+ end
+
+ it_behaves_like 'a mutation that returns top-level errors',
+ errors: ['namespace_path should be of group or project only.']
+ end
+ end
+
+ context 'when current user is not instance admin' do
+ let_it_be(:namespace_group) { create(:group) }
+ let(:input) do
+ {
+ destinationId: destination.to_gid,
+ namespacePath: namespace_group.full_path
+ }
+ end
+
+ it_behaves_like 'a mutation on an unauthorized resource'
+ end
+ end
+
+ context 'when feature is unlicensed' do
+ before do
+ stub_licensed_features(external_audit_events: false)
+ end
+
+ let_it_be(:namespace_group) { create(:group) }
+ let(:input) do
+ {
+ destinationId: destination.to_gid,
+ namespacePath: namespace_group.full_path
+ }
+ end
+
+ it_behaves_like 'a mutation on an unauthorized resource'
+ end
+end
diff --git a/ee/spec/requests/api/graphql/audit_events/instance/namespace_filters/delete_spec.rb b/ee/spec/requests/api/graphql/audit_events/instance/namespace_filters/delete_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..0bc13f978af49451df2f94e0b884af3c83af9cdb
--- /dev/null
+++ b/ee/spec/requests/api/graphql/audit_events/instance/namespace_filters/delete_spec.rb
@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Delete a namespace filter for instance level external audit event destinations', feature_category: :audit_events do
+ include GraphqlHelpers
+
+ let_it_be(:current_user) { create(:user) }
+ let_it_be(:group) { create(:group) }
+ let_it_be(:destination) { create(:audit_events_instance_external_streaming_destination) }
+ let_it_be(:filter) do
+ create(:audit_events_streaming_instance_namespace_filters, external_streaming_destination: destination,
+ namespace: group)
+ end
+
+ let(:mutation) { graphql_mutation(:audit_events_instance_destination_namespace_filter_delete, input) }
+ let(:mutation_response) { graphql_mutation_response(:audit_events_instance_destination_namespace_filter_delete) }
+
+ let(:input) do
+ { namespaceFilterId: filter.to_gid }
+ end
+
+ subject(:mutate) { post_graphql_mutation(mutation, current_user: current_user) }
+
+ context 'when feature is licensed' do
+ before do
+ stub_licensed_features(external_audit_events: true)
+ end
+
+ context 'when current user is instance admin' do
+ let_it_be(:current_user) { create(:admin) }
+
+ context 'when namespace filter id is valid' do
+ it 'deletes the filter', :aggregate_failures do
+ expect(::Gitlab::Audit::Auditor).to receive(:audit).with(a_hash_including(
+ name: 'deleted_instance_namespace_filter',
+ author: current_user,
+ scope: an_instance_of(Gitlab::Audit::InstanceScope),
+ target: destination,
+ message: "Deleted namespace filter for instance audit event streaming destination."))
+ .once.and_call_original
+
+ expect { mutate }.to change { AuditEvents::Instance::NamespaceFilter.count }.by(-1)
+
+ expect(destination.reload.namespace_filters).to be_empty
+ expect_graphql_errors_to_be_empty
+ expect(mutation_response['errors']).to be_empty
+ expect(mutation_response['namespaceFilter']).to be nil
+ end
+ end
+
+ context 'when namespace filter id is invalid' do
+ let(:input) do
+ { namespaceFilterId: 'gid://gitlab/AuditEvents::Instance::NamespaceFilter/invalid_id' }
+ end
+
+ it_behaves_like 'a mutation that returns a top-level access error'
+ end
+ end
+
+ context 'when current user is not instance admin' do
+ it_behaves_like 'a mutation that returns a top-level access error'
+ end
+ end
+
+ context 'when feature is not licensed' do
+ before do
+ stub_licensed_features(external_audit_events: false)
+ end
+
+ it_behaves_like 'a mutation on an unauthorized resource'
+ end
+end