Merge pull request #1210 from timofurrer/docs/project-protected-env-limitation

resource/gitlab_project_protected_environment: Add docs that users and groups must be shared with the project

Author: timofurrer

docs/resources/project_protected_environment.md

@@ -4,13 +4,24 @@ page_title: "gitlab_project_protected_environment Resource - terraform-provider-
 subcategory: ""
 description: |-
   The gitlab_project_protected_environment resource allows to manage the lifecycle of a protected environment in a project.
+  ~> In order to use a user or group in the deploy_access_levels configuration,
+     you need to make sure that users have access to the project and groups must have this project shared.
+     You may use the gitlab_project_membership and gitlab_project_shared_group resources to achieve this.
+     Unfortunately, the GitLab API does not complain about users and groups without access to the project and just ignores those.
+     In case this happens you will get perpetual state diffs.
   Upstream API: GitLab REST API docs https://docs.gitlab.com/ee/api/protected_environments.html
 ---
 
 # gitlab_project_protected_environment (Resource)
 
 The `gitlab_project_protected_environment` resource allows to manage the lifecycle of a protected environment in a project.
 
+~> In order to use a user or group in the `deploy_access_levels` configuration,
+   you need to make sure that users have access to the project and groups must have this project shared.
+   You may use the `gitlab_project_membership` and `gitlab_project_shared_group` resources to achieve this.
+   Unfortunately, the GitLab API does not complain about users and groups without access to the project and just ignores those.
+   In case this happens you will get perpetual state diffs.
+
 **Upstream API**: [GitLab REST API docs](https://docs.gitlab.com/ee/api/protected_environments.html)
 
 ## Example Usage

internal/provider/resource_gitlab_project_protected_environment.go

@@ -15,6 +15,12 @@ var _ = registerResource("gitlab_project_protected_environment", func() *schema.
 	return &schema.Resource{
 		Description: `The ` + "`gitlab_project_protected_environment`" + ` resource allows to manage the lifecycle of a protected environment in a project.
 
+~> In order to use a user or group in the ` + "`deploy_access_levels`" + ` configuration,
+   you need to make sure that users have access to the project and groups must have this project shared.
+   You may use the ` + "`gitlab_project_membership`" + ` and ` + "`gitlab_project_shared_group`" + ` resources to achieve this.
+   Unfortunately, the GitLab API does not complain about users and groups without access to the project and just ignores those.
+   In case this happens you will get perpetual state diffs.
+
 **Upstream API**: [GitLab REST API docs](https://docs.gitlab.com/ee/api/protected_environments.html)`,
 
 		CreateContext: resourceGitlabProjectProtectedEnvironmentCreate,

internal/provider/resource_gitlab_project_protected_environment_test.go

@@ -98,6 +98,59 @@ func TestAccGitlabProjectProtectedEnvironment_basic(t *testing.T) {
 	})
 }
 
+func TestAccGitlabProjectProtectedEnvironment_regressionIssue1132(t *testing.T) {
+	testAccCheckEE(t)
+
+	// Set up project environment.
+	project := testAccCreateProject(t)
+	environment := testAccCreateProjectEnvironment(t, project.ID, &gitlab.CreateEnvironmentOptions{
+		Name: gitlab.String(acctest.RandomWithPrefix("test-protected-environment")),
+	})
+
+	// Set up project user.
+	user := testAccCreateUsers(t, 1)[0]
+	testAccAddProjectMembers(t, project.ID, []*gitlab.User{user})
+
+	// Set up group access.
+	group := testAccCreateGroups(t, 1)[0]
+	if _, err := testGitlabClient.Projects.ShareProjectWithGroup(project.ID, &gitlab.ShareWithGroupOptions{
+		GroupID:     &group.ID,
+		GroupAccess: gitlab.AccessLevel(gitlab.MaintainerPermissions),
+	}); err != nil {
+		t.Fatalf("unable to share project %d with group %d", project.ID, group.ID)
+	}
+
+	additionalGroup := testAccCreateGroups(t, 1)[0]
+	if _, err := testGitlabClient.Projects.ShareProjectWithGroup(project.ID, &gitlab.ShareWithGroupOptions{
+		GroupID:     &additionalGroup.ID,
+		GroupAccess: gitlab.AccessLevel(gitlab.MaintainerPermissions),
+	}); err != nil {
+		t.Fatalf("unable to share project %d with group %d", project.ID, additionalGroup.ID)
+	}
+
+	resource.ParallelTest(t, resource.TestCase{
+		ProviderFactories: providerFactories,
+		CheckDestroy:      testAccCheckGitlabProjectProtectedEnvironmentDestroy(project.ID, environment.Name),
+		Steps: []resource.TestStep{
+			// Create a basic protected environment.
+			{
+				Config: fmt.Sprintf(`
+				resource "gitlab_project_protected_environment" "this" {
+					project     = %d
+					environment = %q
+					deploy_access_levels {
+						access_level = "developer"
+					}
+
+					deploy_access_levels {
+						group_id = %d
+					}
+				}`, project.ID, environment.Name, additionalGroup.ID),
+			},
+		},
+	})
+}
+
 func testAccCheckGitlabProjectProtectedEnvironmentDestroy(projectID int, environmentName string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		_, _, err := testGitlabClient.ProtectedEnvironments.GetProtectedEnvironment(projectID, environmentName)