1. Managing API Credentials for AI Services with GitLab Variables


    Applications that call AI services, like most applications, need to handle sensitive information such as API credentials securely. We can do this by using GitLab as our CI/CD system and storing the credentials as GitLab CI/CD variables. GitLab provides a secure way of storing values such as API tokens or keys, which we can then use in our CI/CD pipeline without exposing them in our codebase.

    With Pulumi, we can use the GitLab provider to create and manage these variables programmatically. Below is a Pulumi program written in Python that demonstrates how to manage GitLab group, project, and instance variables, which can store API credentials for AI services or any other sensitive data.

    Let's break down the tasks that we will accomplish with this Pulumi program:

    1. Create a Group Variable in GitLab - These variables are available for all projects within a group.
    2. Create a Project Variable in GitLab - These are available for a single project.
    3. Create an Instance Variable in GitLab - These are available instance-wide across all projects and groups.

    Here is a Pulumi program that creates these three types of GitLab variables:

    import pulumi
    import pulumi_gitlab as gitlab

    # Replace these with the actual group and project names
    group_name = "my-group"
    project_name = "my-project"

    # Create a group variable to store an API credential.
    # This will be available to all projects in the group.
    group_variable = gitlab.GroupVariable("api-credential-group-variable",
        group=group_name,
        key="API_CREDENTIAL",
        value="super_secret_api_key",  # Replace with the actual API key
        variable_type="env_var",
        protected=False,
        masked=True)

    # Create a project variable to store another API credential.
    # This will be available only for the specific project.
    project_variable = gitlab.ProjectVariable("api-credential-project-variable",
        project=project_name,
        key="PROJECT_API_CREDENTIAL",
        value="project_specific_api_key",  # Replace with the actual API key
        variable_type="env_var",
        protected=False,
        masked=True)

    # Create an instance variable to store yet another API credential.
    # This will be available across all projects and groups in the GitLab instance.
    # InstanceVariable takes no group or project argument.
    instance_variable = gitlab.InstanceVariable("api-credential-instance-variable",
        key="INSTANCE_API_CREDENTIAL",
        value="instance_wide_api_key",  # Replace with the actual API key
        variable_type="env_var",
        protected=False,
        masked=True)

    # Export the IDs of the created variables as stack outputs.
    pulumi.export("group_variable_id", group_variable.id)
    pulumi.export("project_variable_id", project_variable.id)
    pulumi.export("instance_variable_id", instance_variable.id)

    In the above program, we're using three resources from the pulumi_gitlab package:

    • gitlab.GroupVariable: To create a group-scoped variable.
    • gitlab.ProjectVariable: To create a project-scoped variable.
    • gitlab.InstanceVariable: To create an instance-scoped variable.

    For all these variables, we set the masked property to True to ensure they are obfuscated in logs and the protected property to False as these API credentials can be used in non-protected branches as well. Depending on your use case, you may want to set protected to True if the variable should only be used in protected branches.

    Remember to replace "super_secret_api_key", "project_specific_api_key", and "instance_wide_api_key" with the actual API credentials you want to store in GitLab, and adjust the group_name and project_name to match your GitLab group and project.

    After running this program with Pulumi, you'll have securely stored your API credentials in GitLab, and they can be injected into CI/CD pipelines as environment variables for use by AI services or other parts of your application.
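
    The masked, protected, and scope choices discussed above can be checked before deployment. The following is an added example, not part of the original program or of the Pulumi GitLab provider: the spec dictionaries, the sample values, and the value_from_config flag (meaning the value is read from Pulumi secret configuration, for example with pulumi.Config().require_secret, rather than written in the source) are hypothetical.

```python
# Added example: review planned GitLab CI/CD variable settings before deploying.
# The spec dictionaries and the "value_from_config" flag are hypothetical.
import re

# Placeholder strings used in the page's program.
PLACEHOLDERS = {"super_secret_api_key", "project_specific_api_key",
                "instance_wide_api_key"}

def review(spec):
    """Return the findings for one variable spec; an empty list means none."""
    findings = []
    value = spec["value"]
    if value in PLACEHOLDERS:
        findings.append("placeholder value was never replaced")
    if not spec.get("value_from_config", False):
        findings.append("value is a literal in the program source")
    if not spec["masked"]:
        findings.append("not masked: value can be printed in job logs")
    elif len(value) < 8 or re.search(r"\s", value):
        findings.append("cannot be masked: needs 8+ characters, one line, no spaces")
    if not spec["protected"]:
        findings.append("not protected: pipelines on any branch receive the value")
    if spec["scope"] == "instance":
        findings.append("instance scope: exposed to every project on the instance")
    return findings

def report(specs):
    """Map each variable key to its findings."""
    return {spec["key"]: review(spec) for spec in specs}

# Constructed sample input: the three variables as the page's program declares
# them, plus one hardened project variable with a constructed stand-in value.
SAMPLES = [
    {"key": "API_CREDENTIAL", "scope": "group",
     "value": "super_secret_api_key", "masked": True, "protected": False},
    {"key": "PROJECT_API_CREDENTIAL", "scope": "project",
     "value": "project_specific_api_key", "masked": True, "protected": False},
    {"key": "INSTANCE_API_CREDENTIAL", "scope": "instance",
     "value": "instance_wide_api_key", "masked": True, "protected": False},
    {"key": "PROD_API_CREDENTIAL", "scope": "project",
     "value": "constructed-sample-value", "value_from_config": True,
     "masked": True, "protected": True},
]

if __name__ == "__main__":
    for key, findings in report(SAMPLES).items():
        print(key, "->", findings or "no findings")
```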