Infra 35677 tfc v2 add team access support (#333)

* INFRA-35677: Adding support for Workspace teamAccess in v2 operator

* Adding teat-case for teamAccess

---------

Co-authored-by: Nick <[email protected]>

charts/terraform-cloud/CHANGELOG.md

@@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [v1.8.0] - 2024-06-07
+### Added
+- Update v2 workspace to configure `spec.teamAccesss`
+
 ## [v1.7.0] - 2024-06-07
 ### Changed
 - Update v2 workspace to configure `spec.tags`

charts/terraform-cloud/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.7.0
+version: 1.8.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/terraform-cloud/README.md

@@ -1,6 +1,6 @@
 # terraform-cloud
 
-![Version: 1.7.0](https://img.shields.io/badge/Version-1.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.0](https://img.shields.io/badge/AppVersion-2.0.0-informational?style=flat-square)
+![Version: 1.8.0](https://img.shields.io/badge/Version-1.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.0](https://img.shields.io/badge/AppVersion-2.0.0-informational?style=flat-square)
 
 A Helm chart for provisioning resources using Terraform Cloud
 

charts/terraform-cloud/templates/helpers/_workspace-v2.yaml

@@ -52,6 +52,14 @@ spec:
     - mod:{{ $resourceType }}
     - allow-destroy:{{ (include "mintel_common.terraform_cloud.allow_destroy" $workspaceDict) }}
     - kubernetes-managed
+  {{- with $global.terraform.teamAccess}}
+  teamAccess:
+  {{- range $teamEntry := . }}
+    - access: {{ $teamEntry.access }}
+      team:
+        name: {{ $teamEntry.team.name }}
+  {{- end }}
+  {{- end }}
   terraformVersion: {{ $tfVersion | default $global.terraform.terraformVersion | quote }}
   {{- if (has $resourceType (list "irsa" "extraIAM" )) }}
   runTriggers:

charts/terraform-cloud/tests/__snapshot__/workspace-v2_test.yaml.snap

@@ -234,6 +234,131 @@ Test tags with env/allow-destroy flags changed:
         - name: tfcloud_agent
       workspace:
         name: logs-eu-west-1-cluster1-test-namespace-mntl-test-app-s3
+Test teamAccess can be configured:
+  1: |
+    apiVersion: app.terraform.io/v1alpha2
+    kind: Workspace
+    metadata:
+      annotations:
+        app.mintel.com/altManifestFileSuffix: mntl-test-app-s3
+        app.mintel.com/placeholder: placeholder
+        argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+        argocd.argoproj.io/sync-wave: "-40"
+      labels:
+        app.kubernetes.io/name: mntl-test-app-s3
+        app.mintel.com/env: logs
+        app.mintel.com/owner: sre
+        app.mintel.com/region: eu-west-1
+        name: mntl-test-app-s3
+      name: logs-eu-west-1-cluster1-test-namespace-mntl-test-app-s3
+      namespace: test-namespace
+    spec:
+      agentPool:
+        id: ""
+      allowDestroyPlan: false
+      applyMethod: auto
+      executionMode: agent
+      name: logs-eu-west-1-cluster1-test-namespace-mntl-test-app-s3
+      organization: Mintel
+      sshKey:
+        name: mintel-ssh
+      tags:
+        - env:logs
+        - owner:sre
+        - mod:s3
+        - allow-destroy:false
+        - kubernetes-managed
+      teamAccess:
+        - access: admin
+          team:
+            name: test-admin-team
+        - access: write
+          team:
+            name: test-app-team
+      terraformVariables:
+        - hcl: false
+          name: aws_account_name
+          sensitive: false
+          value: logs
+        - hcl: false
+          name: aws_region
+          sensitive: false
+          value: eu-west-1
+        - hcl: false
+          name: eks_cluster_name
+          sensitive: false
+          value: cluster1
+        - hcl: false
+          name: name
+          sensitive: false
+          value: mntl-test-app
+        - hcl: false
+          name: output_secret_name
+          sensitive: false
+          value: test-namespace/mntl-test-app/s3
+        - hcl: true
+          name: secret_tags
+          sensitive: false
+          value: '{access-project = "test-namespace-ops"}'
+        - hcl: true
+          name: tags
+          sensitive: false
+          value: |-
+            {
+              Application = "test-app"
+              Component = "test-app"
+              Owner = "sre"
+              Project = "test-project"
+            }
+        - hcl: false
+          name: tfcloud_agent
+          sensitive: false
+          value: "true"
+      terraformVersion: 1.3.10
+      token:
+        secretKeyRef:
+          key: token
+          name: terraformrc
+  2: |
+    apiVersion: app.terraform.io/v1alpha2
+    kind: Module
+    metadata:
+      annotations:
+        app.mintel.com/altManifestFileSuffix: mntl-test-app-s3
+        app.mintel.com/placeholder: placeholder
+        argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+        argocd.argoproj.io/sync-wave: "-40"
+      labels:
+        app.kubernetes.io/name: mntl-test-app-s3
+        app.mintel.com/env: logs
+        app.mintel.com/owner: sre
+        app.mintel.com/region: eu-west-1
+        name: mntl-test-app-s3
+      name: logs-eu-west-1-cluster1-test-namespace-mntl-test-app-s3
+      namespace: test-namespace
+    spec:
+      destroyOnDeletion: true
+      module:
+        source: app.terraform.io/Mintel/private-s3-bucket/aws
+        version: 3.0.2
+      name: operator
+      organization: Mintel
+      restartedAt: 1b8273d8b2a6e386e56efb1eaaa6f57401e219eddfdb01819449687fb3476b2e
+      token:
+        secretKeyRef:
+          key: token
+          name: terraformrc
+      variables:
+        - name: aws_account_name
+        - name: aws_region
+        - name: eks_cluster_name
+        - name: name
+        - name: output_secret_name
+        - name: secret_tags
+        - name: tags
+        - name: tfcloud_agent
+      workspace:
+        name: logs-eu-west-1-cluster1-test-namespace-mntl-test-app-s3
 Test workspace allow destroy env:
   1: |
     apiVersion: app.terraform.io/v1alpha2

charts/terraform-cloud/tests/workspace-v2_test.yaml

@@ -325,3 +325,34 @@ tests:
             - allow-destroy:false
             - kubernetes-managed
         documentIndex: 0
+
+  - it: Test teamAccess can be configured
+    set:
+      global.name: test-app
+      global.clusterEnv: logs
+      global.clusterName: cluster1
+      global.clusterRegion: eu-west-1
+      global.owner: sre
+      global.partOf: test-project
+      global.terraform.operatorVersion: v2
+      global.terraform.teamAccess:
+        - access: admin
+          team:
+            name: test-admin-team
+        - access: write
+          team:
+            name: test-app-team
+      s3:
+        enabled: true
+    asserts:
+      - matchSnapshot: {} # Check for regressions and unexpected changes.
+      - equal:
+          path: spec.teamAccess
+          value:
+            - access: admin
+              team:
+                name: test-admin-team
+            - access: write
+              team:
+                name: test-app-team
+        documentIndex: 0

charts/terraform-cloud/values.yaml

@@ -51,6 +51,8 @@ global:
     # defaultWorkspaceAllowDestroy: false
     # -- Default which apply method Workspaces should use.
     defaultApplyMethod: auto
+    # -- teamAccess configuration for the workspace
+    # teamAccess: []
 ###
 ## Resources
 ###