Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow managing project permissions #768

Merged
merged 4 commits into from
Jan 26, 2023
Merged

Allow managing project permissions #768

merged 4 commits into from
Jan 26, 2023

Conversation

mwudka
Copy link
Contributor

@mwudka mwudka commented Jan 14, 2023
edited by hs26gill

Description

This adds support for managing a team's project permissions. It introduces a new resource called tfe_team_project_access to grant a team read or admin permission on a specific project, and adds a new manage_projects attribute on the tfe_team resource to allow giving a team access to all projects in an org.

Testing plan

  1. Ensure new tests pass
  2. Try importing existing resources
  3. Ensure existing configs still apply cleanly
  4. Manually test with various configurations similar to:
resource "tfe_organization" "test-organization" {
  name  = "my-org-name"
  email = "admin@company.com"
}

resource "tfe_project" "test" {
  organization = tfe_organization.test-organization.name
  name = "projectname"
}

resource "tfe_team" "manage-proj" {
  organization = tfe_organization.test-organization.name
  name = "manage-proj"
  organization_access {
    manage_projects = true
    manage_workspaces = true
  }
}

resource "tfe_team" "read-proj" {
  organization = tfe_organization.test-organization.name
  name = "read-proj"
}

resource "tfe_team_project_access" "read" {
  team_id = tfe_team.read-proj.id
  project_id = tfe_project.test.id
  access = "read"
}

resource "tfe_team" "admin-proj" {
  organization = tfe_organization.test-organization.name
  name = "admin-proj"
}

resource "tfe_team_project_access" "admin" {
  team_id = tfe_team.admin-proj.id
  project_id = tfe_project.test.id
  access = "admin"
}

data "tfe_team" "manage-proj" {
  organization = tfe_organization.test-organization.name
  name = "manage-proj"
}

data "tfe_team_project_access" "reader" {
  team_id = tfe_team.read-proj.id
  project_id = tfe_project.test.id
}

output "reader-access" {
  value = data.tfe_team_project_access.reader.access
}

External links

Output from acceptance tests

Please run applicable acceptance tests locally and include the output here. See TESTS.md to learn how to run acceptance tests.

If you are an external contributor, your contribution(s) will first be reviewed before running them against the project's CI pipeline.

Ran with ENABLE_BETA=1

=== RUN   TestAccTFETeamProjectAccess_admin
--- PASS: TestAccTFETeamProjectAccess_admin (24.28s)
=== RUN   TestAccTFETeamProjectAccess_import
--- PASS: TestAccTFETeamProjectAccess_import (13.18s)
PASS

=== RUN   TestAccTFETeamProjectAccessDataSource_basic
--- PASS: TestAccTFETeamProjectAccessDataSource_basic (15.64s)
PASS

Process finished with the exit code 0

...

@mwudka mwudka requested a review from hs26gill January 14, 2023 03:56
@mwudka mwudka requested a review from a team as a code owner January 14, 2023 03:56
@mwudka mwudka self-assigned this Jan 14, 2023
@mwudka mwudka force-pushed the mwudka/project-permissions branch 4 times, most recently from ab1c7a0 to 0eeb874 Compare January 18, 2023 04:41
This was referenced Jan 18, 2023
Closed
Closed
@laurenolivia laurenolivia linked an issue Jan 18, 2023 that may be closed by this pull request
Add manage_projects attribute to the tfe_team resource #770
Closed
@brandonc brandonc linked an issue Jan 18, 2023 that may be closed by this pull request
Team/Project Access Resource, similar to tfe_team_access #754
Closed
@mwudka mwudka force-pushed the mwudka/project-permissions branch 5 times, most recently from 24426b4 to 63e1bf0 Compare January 23, 2023 22:36
sebasslash
sebasslash requested changes Jan 25, 2023
View reviewed changes
Copy link
Contributor

@sebasslash sebasslash left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So far things are looking great. While smoke testing I uncovered a panic ⬇️

tfe/resource_tfe_team_project_access.go Outdated
}

func resourceTFETeamProjectAccessCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
tfeClient := meta.(*tfe.Client)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Panic ❗

Suggested change
tfeClient := meta.(*tfe.Client)
config := meta.(ConfiguredClient)
// you can use the tfe client: config.Client.Workspaces.Blah()

This change was introduced in #762

In effect, organization attributes are no longer required since you can configure the provider with a universal org.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops oops oops, I didn't realize I had pulled this in with a rebase. At it would have burned me in the merge anyway, so thanks for catching this! I applied that pattern to remove all usages of meta.(*tfe.Client).

tfe/resource_tfe_team_project_access.go Show resolved Hide resolved
tfe/resource_tfe_team_project_access_test.go
Comment on lines +14 to +19
func TestAccTFETeamProjectAccess_admin(t *testing.T) {
skipUnlessBeta(t)

tmAccess := &tfe.TeamProjectAccess{}
rInt := rand.New(rand.NewSource(time.Now().UnixNano())).Int()

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're going to need elevated privileges here, so createBusinessOrganization() 😄

tfe/testing.go Show resolved Hide resolved
@mwudka
Allow giving teams manage projects permission
8a2924d 
Adds a new `manage_projects` attribute to team
resource to allow giving teams permission to
manage all projects in an org.
@mwudka
Add tfe_team_project_access resource
cb99cce 
Allows giving teams admin or read permissions
on specific projects.
@mwudka
Add tfe_team_project_access data source
9036846 
Allows reading a team's access level
to a workspace.
@mwudka
Update CHANGELOG.md
18607c8
@uturunku1 uturunku1 self-requested a review January 26, 2023 18:52
uturunku1
uturunku1 approved these changes Jan 26, 2023
View reviewed changes
Copy link
Collaborator

@uturunku1 uturunku1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I got the chance to run a smoke test on your configuration example. It works!

@hs26gill hs26gill merged commit 4cc97a5 into main Jan 26, 2023
@hs26gill hs26gill deleted the mwudka/project-permissions branch January 26, 2023 20:49
@tkaburagi
Copy link

When will it be available?

@cmicck
Copy link

cmicck commented Feb 1, 2023

When will it be available?

We are also looking forward to have this available.

@brandonc
Copy link
Collaborator

brandonc commented Feb 1, 2023

@tkaburagi @cmicck This was released yesterday in provider version v0.42.0

@hs26gill hs26gill mentioned this pull request Feb 15, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sebasslash sebasslash sebasslash approved these changes

@uturunku1 uturunku1 uturunku1 approved these changes

@hs26gill hs26gill Awaiting requested review from hs26gill

Assignees

@mwudka mwudka

Labels
None yet
Projects
None yet
Milestone
No milestone
7 participants
@mwudka @tkaburagi @cmicck @brandonc @sebasslash @uturunku1 @hs26gill