GitLab CI Offboarding

Automated offboarding workflow for GitLab CI environments that identifies and reports all applications requiring manual access revocation.

Overview

This GitLab CI pipeline helps automate the offboarding process by identifying all applications where a departing employee has access. It generates a comprehensive report and can optionally send notifications to the security team.

Features

Complete access audit: Identifies all WorkApps where the user has access
Detailed reporting: Generates comprehensive offboarding reports
Slack notifications: Optional notifications to security teams
Manual action tracking: Lists apps requiring manual revocation
Error handling: Robust error handling with detailed error messages

Prerequisites

GitLab CI Requirements

GitLab 13.0+ with CI/CD enabled
Access to create CI/CD variables
Appropriate permissions to run pipelines

CI/CD Variables

Configure these variables in your GitLab project:

CAKEWALK_API_KEY: Your Cakewalk API key
CAKEWALK_API_SECRET: Your Cakewalk API secret
SLACK_WEBHOOK_URL: (Optional) Slack webhook URL for notifications

API Limitations

Important: The current Cakewalk API does not have a DELETE endpoint for removing individual user access. This pipeline will:

✅ Identify all apps the user has access to
✅ Generate a detailed report
⚠️ Require manual revocation in the Cakewalk UI

Setup Instructions

1. Create the Pipeline File

Create .gitlab-ci.yml in your repository:

stages:
  - offboard

offboard-employee:
  stage: offboard
  image: curlimages/curl:latest
  rules:
    - if: '$CI_PIPELINE_SOURCE == "trigger"'
    - when: manual
  variables:
    EMPLOYEE_EMAIL: ""  # Set via pipeline trigger
  before_script:
    - apk add --no-cache jq
  script:
    - |
      echo "🚨 Starting offboarding process for $EMPLOYEE_EMAIL"
      
      # Get user
      USERS_RESPONSE=$(curl -s "https://open-api.getcakewalk.io/api/v1/Users" \
        -H "X-API-KEY: $CAKEWALK_API_KEY" \
        -H "X-API-SECRET: $CAKEWALK_API_SECRET")
      
      USER_JSON=$(echo "$USERS_RESPONSE" | jq ".data[] | select(.email == \"$EMPLOYEE_EMAIL\")")
      
      if [ -z "$USER_JSON" ]; then
        echo "❌ User not found"
        exit 1
      fi
      
      USER_ID=$(echo "$USER_JSON" | jq -r '.id')
      USER_NAME=$(echo "$USER_JSON" | jq -r '.name')
      
      echo "✓ Found user: $USER_NAME ($USER_ID)"
      
      # Get all WorkApps
      WORKAPPS_RESPONSE=$(curl -s "https://open-api.getcakewalk.io/api/v1/WorkApps" \
        -H "X-API-KEY: $CAKEWALK_API_KEY" \
        -H "X-API-SECRET: $CAKEWALK_API_SECRET")
      
      WORKAPP_IDS=$(echo "$WORKAPPS_RESPONSE" | jq -r '.data[].id')
      
      # Check each app for user access
      ACCESS_COUNT=0
      APPS_LIST=""
      
      for workapp_id in $WORKAPP_IDS; do
        accesses=$(curl -s "https://open-api.getcakewalk.io/api/v1/WorkApps/$workapp_id/Accesses" \
          -H "X-API-KEY: $CAKEWALK_API_KEY" \
          -H "X-API-SECRET: $CAKEWALK_API_SECRET")
        
        has_access=$(echo "$accesses" | jq ".data[] | select(.user.id == \"$USER_ID\")")
        
        if [ -n "$has_access" ]; then
          workapp_name=$(curl -s "https://open-api.getcakewalk.io/api/v1/WorkApps/$workapp_id" \
            -H "X-API-KEY: $CAKEWALK_API_KEY" \
            -H "X-API-SECRET: $CAKEWALK_API_SECRET" | jq -r '.data.name')
          
          echo "  ⚠️  Has access to: $workapp_name"
          APPS_LIST="$APPS_LIST\n  - $workapp_name"
          ACCESS_COUNT=$((ACCESS_COUNT + 1))
        fi
      done
      
      echo ""
      echo "========================================="
      echo "📋 Offboarding Report"
      echo "========================================="
      echo "User: $USER_NAME ($EMPLOYEE_EMAIL)"
      echo "WorkApps with access: $ACCESS_COUNT"
      
      if [ $ACCESS_COUNT -gt 0 ]; then
        echo ""
        echo "⚠️  Manual action required:"
        echo -e "$APPS_LIST"
        echo ""
        echo "Please revoke access via Cakewalk UI"
      else
        echo "✅ No active access grants found"
      fi
      echo "========================================="
      
      # Optional: Send Slack notification
      if [ -n "$SLACK_WEBHOOK_URL" ] && [ $ACCESS_COUNT -gt 0 ]; then
        curl -X POST "$SLACK_WEBHOOK_URL" \
          -H "Content-Type: application/json" \
          -d "{
            \"text\": \"🚨 Offboarding Alert: $EMPLOYEE_EMAIL\",
            \"blocks\": [{
              \"type\": \"section\",
              \"text\": {
                \"type\": \"mrkdwn\",
                \"text\": \"*Manual Action Required*\n• Employee: $USER_NAME\n• Email: $EMPLOYEE_EMAIL\n• Apps with access: $ACCESS_COUNT\n\nPlease revoke access in Cakewalk UI.\"
              }
            }]
          }"
      fi
  artifacts:
    reports:
      junit: offboarding-report.xml
    paths:
      - offboarding-report.xml
    expire_in: 1 week

2. Configure CI/CD Variables

In your GitLab project, go to Settings → CI/CD → Variables and add:

CAKEWALK_API_KEY: Your Cakewalk API key
CAKEWALK_API_SECRET: Your Cakewalk API secret
SLACK_WEBHOOK_URL: (Optional) Slack webhook URL

3. Test the Pipeline

Go to your project's CI/CD → Pipelines
Click Run pipeline
Set the EMPLOYEE_EMAIL variable
Click Run pipeline

Usage Examples

Manual Trigger

# Trigger pipeline manually
curl -X POST "https://gitlab.com/api/v4/projects/PROJECT_ID/trigger/pipeline" \
  -H "PRIVATE-TOKEN: your-token" \
  -F "ref=main" \
  -F "variables[EMPLOYEE_EMAIL][email protected]"

Scheduled Execution

Add to your .gitlab-ci.yml for scheduled execution:

offboard-employee-scheduled:
  extends: offboard-employee
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
  variables:
    EMPLOYEE_EMAIL: "$SCHEDULED_EMPLOYEE_EMAIL"

Integration with HR Systems

Trigger from external systems:

offboard-employee-webhook:
  extends: offboard-employee
  rules:
    - if: '$CI_PIPELINE_SOURCE == "web"'
  variables:
    EMPLOYEE_EMAIL: "$WEBHOOK_EMPLOYEE_EMAIL"

Customization

Adding Email Notifications

Add email notification functionality:

  script:
    # ... existing script ...
    
    # Send email notification
    if [ $ACCESS_COUNT -gt 0 ]; then
      echo "Sending email notification..."
      curl -X POST "https://api.sendgrid.com/v3/mail/send" \
        -H "Authorization: Bearer $SENDGRID_API_KEY" \
        -H "Content-Type: application/json" \
        -d "{
          \"personalizations\": [{
            \"to\": [{\"email\": \"[email protected]\"}]
          }],
          \"from\": {\"email\": \"[email protected]\"},
          \"subject\": \"Offboarding Alert: $EMPLOYEE_EMAIL\",
          \"content\": [{
            \"type\": \"text/plain\",
            \"value\": \"Employee $USER_NAME has access to $ACCESS_COUNT applications. Manual revocation required.\"
          }]
        }"
    fi

Adding Approval Step

For sensitive offboarding, add an approval step:

stages:
  - approval
  - offboard

request-approval:
  stage: approval
  script:
    - echo "Approval required for offboarding $EMPLOYEE_EMAIL"
    - echo "Please approve in GitLab UI"
  when: manual
  allow_failure: false

offboard-employee:
  stage: offboard
  needs: ["request-approval"]
  # ... rest of job

Adding Multiple Environments

Support different environments:

offboard-employee:
  stage: offboard
  image: curlimages/curl:latest
  rules:
    - if: '$CI_PIPELINE_SOURCE == "trigger"'
  variables:
    EMPLOYEE_EMAIL: ""
    ENVIRONMENT: "production"  # or "staging"
  script:
    - |
      # Use different API endpoints based on environment
      if [ "$ENVIRONMENT" = "staging" ]; then
        API_BASE_URL="https://staging-api.getcakewalk.io"
      else
        API_BASE_URL="https://open-api.getcakewalk.io"
      fi
      
      # ... rest of script using $API_BASE_URL

Monitoring & Troubleshooting

Pipeline Logs

Check the CI/CD → Pipelines tab for detailed execution logs
Look for error messages in the job outputs
Review the summary report for access details

Common Issues

"User not found" Error:

Verify the user exists in Cakewalk
Check email spelling and case sensitivity
Ensure the user hasn't already been deleted

"401 Unauthorized" Error:

Verify API key and secret are correct
Check that credentials haven't expired
Ensure proper header formatting

"Empty response" Error:

Verify the API endpoint URL
Check network connectivity
Review API rate limits

Debugging

Enable debug mode for more detailed logging:

  variables:
    DEBUG: "true"
  script:
    - |
      if [ "$DEBUG" = "true" ]; then
        set -x  # Enable debug mode
      fi
      
      # ... rest of script

Security Considerations

CI/CD Variables: Store as encrypted variables, never in code
Access Control: Limit who can trigger sensitive pipelines
Audit Logging: Enable detailed logging for all pipeline runs
Manual Verification: Always verify access revocation in the UI

Next Steps

Set up monitoring: Configure alerts for failed pipelines
Add notifications: Integrate with Slack, email, or other systems
Automate further: Consider triggering from HR systems
Request API improvements: Ask Cakewalk for DELETE endpoint support

Last updated 6 months ago

Was this helpful?

hashtagOverview

hashtagFeatures

hashtagPrerequisites

hashtagGitLab CI Requirements

hashtagCI/CD Variables

hashtagAPI Limitations

hashtagSetup Instructions

hashtag1. Create the Pipeline File

hashtag2. Configure CI/CD Variables

hashtag3. Test the Pipeline

hashtagUsage Examples

hashtagManual Trigger

hashtagScheduled Execution

hashtagIntegration with HR Systems

hashtagCustomization

hashtagAdding Email Notifications

hashtagAdding Approval Step

hashtagAdding Multiple Environments

hashtagMonitoring & Troubleshooting

hashtagPipeline Logs

hashtagCommon Issues

hashtagDebugging

hashtagSecurity Considerations

hashtagNext Steps