
Allow multiple environments on secret and access policies#4220

Merged
carlosmonastyrski merged 8 commits into main from feat/multipleApprovalEnvs
Jul 28, 2025

Conversation

@carlosmonastyrski
Contributor

Description 📣

Allow users to assign multiple environments to a secret/access policy, enabling centralized management in a single resource instead of duplicating the same configuration across environments.

Small details:
The logic for handling these resources as single-environment policies is still supported to ensure existing Terraform workflows remain unaffected by this change.

If an environment is detached from a policy while there are open requests, those requests won't be deleted but will instead fail with an error when a merge is attempted (or when approval is requested for access).

If an environment is still referenced by a policy, any attempt to delete it will fail to ensure all associated policies are properly detached first.

Type ✨

  • Bug fix
  • New feature
  • Improvement
  • Breaking change
  • Documentation

Tests 🛠️

# Here's some code block to paste some code snippets
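The three behaviours the description lists (legacy single `environment` next to the new `environments` array, open requests surviving a detach but failing at merge time, and environment deletion refused while a policy still references it) modelled in memory. This is an added example, not Infisical's code: the `PolicyStore` class, its method names and the string ids are assumptions, standing in for the backend's Knex-backed services and the junction tables the PR adds.

```typescript
type EnvId = string;
type PolicyId = string;
type RequestStatus = "open" | "merged";

interface ApprovalPolicy { id: PolicyId; environments: Set<EnvId> }
interface ApprovalRequest { id: string; policyId: PolicyId; envId: EnvId; status: RequestStatus }

// Legacy callers (e.g. existing Terraform configs) send a single `environment`;
// new callers send `environments`. Both map onto one de-duplicated list.
export function normalizeEnvironments(input: { environment?: EnvId; environments?: EnvId[] }): EnvId[] {
  const envs = input.environments ?? (input.environment !== undefined ? [input.environment] : []);
  if (envs.length === 0) throw new Error("a policy must reference at least one environment");
  return Array.from(new Set(envs));
}

// Hypothetical in-memory stand-in for the policy / request services (assumed, not the project's API).
export class PolicyStore {
  private readonly policies = new Map<PolicyId, ApprovalPolicy>();
  private readonly requests = new Map<string, ApprovalRequest>();

  createPolicy(id: PolicyId, input: { environment?: EnvId; environments?: EnvId[] }): ApprovalPolicy {
    const policy: ApprovalPolicy = { id, environments: new Set(normalizeEnvironments(input)) };
    this.policies.set(id, policy);
    return policy;
  }

  // A request is only accepted for an environment the policy currently covers.
  openRequest(id: string, policyId: PolicyId, envId: EnvId): ApprovalRequest {
    const policy = this.policies.get(policyId);
    if (!policy || !policy.environments.has(envId)) throw new Error(`policy ${policyId} does not cover ${envId}`);
    const req: ApprovalRequest = { id, policyId, envId, status: "open" };
    this.requests.set(id, req);
    return req;
  }

  // Detaching does not delete open requests; they are rejected later, when merged.
  detachEnvironment(policyId: PolicyId, envId: EnvId): void {
    this.policies.get(policyId)?.environments.delete(envId);
  }

  mergeRequest(id: string): RequestStatus {
    const req = this.requests.get(id);
    if (!req || req.status !== "open") throw new Error(`request ${id} is not open`);
    const policy = this.policies.get(req.policyId);
    if (!policy || !policy.environments.has(req.envId)) throw new Error(`environment ${req.envId} is no longer attached to policy ${req.policyId}`);
    req.status = "merged";
    return req.status;
  }

  // Deletion is refused while any policy still references the environment; detach first.
  deleteEnvironment(envId: EnvId): void {
    const holder = Array.from(this.policies.values()).find((p) => p.environments.has(envId));
    if (holder) throw new Error(`environment ${envId} is still referenced by policy ${holder.id}`);
  }

  openRequestCount(): number { return Array.from(this.requests.values()).filter((r) => r.status === "open").length; }
}
```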

@maidul98
Collaborator

maidul98 commented Jul 23, 2025

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)

Contributor

@greptile-apps greptile-apps bot left a comment


Greptile Summary

This PR implements a significant architectural change that enables approval policies (both secret and access) to be associated with multiple environments instead of being limited to a single environment. The core change introduces many-to-many relationships between policies and environments through new junction tables (access_approval_policies_environments and secret_approval_policies_environments).

Key Changes:

  • Database Schema: New junction tables enable many-to-many relationships, replacing the previous one-to-many structure where each policy was tied to a single environment via envId
  • Migration Strategy: The migration (20250722152841_add-policies-environments-table.ts) preserves existing data by copying current policy-environment associations to the new junction tables while changing the original foreign key constraints from CASCADE to SET NULL for backward compatibility
  • API Updates: Both frontend and backend APIs now support environments arrays alongside the existing environment field, enabling both single-environment (legacy) and multi-environment (new) workflows
  • Service Layer: Policy services now handle environment validation across multiple environments, policy conflict detection across environment sets, and proper cleanup when environments are detached from policies
  • Data Access Layer: New DAL files provide database operations for the junction tables, with updated query patterns using joins to retrieve policy-environment associations
  • Frontend Components: UI components updated to support multi-environment selection and display, with filtering and sorting logic adapted for environment arrays

The implementation maintains backward compatibility by supporting both the legacy single environment parameter and the new environments array parameter, ensuring existing Terraform workflows continue to function without changes. The change enables centralized policy management, reducing configuration duplication across environments while maintaining referential integrity through proper validation when environments are added, removed, or deleted.

Confidence score: 3/5

  • This PR introduces significant architectural changes with complex many-to-many relationships that could cause data integrity issues if not properly handled
  • The implementation has potential inconsistencies in data mapping logic and mixed query patterns that suggest incomplete migration between old and new approaches
  • Multiple files need attention due to performance concerns, validation gaps, and complex database operations that require careful review

Files needing more attention:

  • backend/src/db/migrations/20250722152841_add-policies-environments-table.ts - Complex migration with data transformation risks
  • backend/src/ee/services/secret-approval-policy/secret-approval-policy-dal.ts - Inconsistent data mapping between methods
  • backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts - Complex join logic that could affect performance
  • backend/src/ee/services/access-approval-request/access-approval-request-service.ts - Type safety concerns with unsafe assertions

30 files reviewed, 18 comments


@carlosmonastyrski carlosmonastyrski merged commit 7acefbc into main Jul 28, 2025
11 checks passed
