[TF-27661] Add support for HYOK related attributes (#1192)

* initial attribute changes, wip

* Add support for HYOK Configurations and OIDC Configurations (#1162)

Co-authored-by: Helen Jiang <[email protected]>

* Update workspace.go

Co-authored-by: Jarrett Spiker <[email protected]>

* Add support for HYOK Configurations and OIDC Configurations (#1162)

Co-authored-by: Helen Jiang <[email protected]>

* Add support for Customer Key Version and Encrypted Data Keys (#1203)

Co-authored-by: Jarrett Spiker <[email protected]>

* Updating attributes.

* Add support for HYOK Configurations and OIDC Configurations (#1162)

Co-authored-by: Helen Jiang <[email protected]>

* Add support for Customer Key Version and Encrypted Data Keys (#1203)

Co-authored-by: Jarrett Spiker <[email protected]>

* Updating agent_pool. Added test case.

* Updated agent pool integration test file.

* Revert commented section.

* Updating organization. WIP organization_integration_test.

* Updated organization integration test.

* Updating attributes. Updating test cases.

* Added workspace integration test cases

* Updated test cases.

* Updated state_version. Updated Read test cases.

* Updated hyok tests. Added environment variables.

* Updated errors.go

* WIP StateVersion

* Updated skipHYOKIntegrationTests if-statement.

* Added hyok-testing.sh to scripts folder. Finished state_version testing and new functions.

* Updated uploading test.

* Added comments to UploadSanitizedState.

* Updated hyok test cases.

* Updating state_version_mocks.go.

---------

Co-authored-by: Helen Jiang <[email protected]>
Co-authored-by: Jarrett Spiker <[email protected]>
Co-authored-by: Helen Jiang <[email protected]>

Author: 3 people

.github/actions/test-go-tfe/action.yml

@@ -97,6 +97,14 @@ runs:
         GITHUB_REGISTRY_MODULE_IDENTIFIER: "hashicorp/terraform-random-module"
         GITHUB_REGISTRY_NO_CODE_MODULE_IDENTIFIER: "hashicorp/terraform-random-no-code-module"
         OAUTH_CLIENT_GITHUB_TOKEN: "${{ inputs.oauth-client-github-token }}"
+        SKIP_HYOK_INTEGRATION_TESTS: "${{ inputs.skip-hyok-integration-tests }}"
+        HYOK_ORGANIZATION_NAME: "${{ inputs.hyok-organization-name }}"
+        HYOK_WORKSPACE_NAME: "${{ inputs.hyok-workspace-name }}"
+        HYOK_POOL_ID: "${{ inputs.hyok-pool-id }}"
+        HYOK_PLAN_ID: "${{ inputs.hyok-plan-id }}"
+        HYOK_STATE_VERSION_ID: "${{ inputs.hyok-state-version-id }}"
+        HYOK_CUSTOMER_KEY_VERSION_ID: "${{ inputs.hyok-customer-key-version-id }}"
+        HYOK_ENCRYPTED_DATA_KEY_ID: "${{ inputs.hyok-encrypted-data-key-id }}"
         GO111MODULE: "on"
         ENABLE_TFE: ${{ inputs.enterprise }}
       run: |

agent_pool.go

@@ -66,18 +66,20 @@ type AgentPool struct {
 	CreatedAt          time.Time `jsonapi:"attr,created-at,iso8601"`
 
 	// Relations
-	Organization       *Organization `jsonapi:"relation,organization"`
-	Workspaces         []*Workspace  `jsonapi:"relation,workspaces"`
-	AllowedWorkspaces  []*Workspace  `jsonapi:"relation,allowed-workspaces"`
-	AllowedProjects    []*Project    `jsonapi:"relation,allowed-projects"`
-	ExcludedWorkspaces []*Workspace  `jsonapi:"relation,excluded-workspaces"`
+	Organization       *Organization        `jsonapi:"relation,organization"`
+	HYOKConfigurations []*HYOKConfiguration `jsonapi:"relation,hyok-configurations"`
+	Workspaces         []*Workspace         `jsonapi:"relation,workspaces"`
+	AllowedWorkspaces  []*Workspace         `jsonapi:"relation,allowed-workspaces"`
+	AllowedProjects    []*Project           `jsonapi:"relation,allowed-projects"`
+	ExcludedWorkspaces []*Workspace         `jsonapi:"relation,excluded-workspaces"`
 }
 
 // A list of relations to include
 // https://developer.hashicorp.com/terraform/cloud-docs/api-docs/agents#available-related-resources
 type AgentPoolIncludeOpt string
 
 const AgentPoolWorkspaces AgentPoolIncludeOpt = "workspaces"
+const AgentPoolHYOKConfigurations AgentPoolIncludeOpt = "hyok-configurations"
 
 type AgentPoolReadOptions struct {
 	Include []AgentPoolIncludeOpt `url:"include,omitempty"`
@@ -188,7 +190,7 @@ func (s *agentPools) ReadWithOptions(ctx context.Context, agentpoolID string, op
 	}
 
 	u := fmt.Sprintf("agent-pools/%s", url.PathEscape(agentpoolID))
-	req, err := s.client.NewRequest("GET", u, nil)
+	req, err := s.client.NewRequest("GET", u, &options)
 	if err != nil {
 		return nil, err
 	}

agent_pool_integration_test.go

@@ -5,6 +5,7 @@ package tfe
 
 import (
 	"context"
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -343,6 +344,22 @@ func TestAgentPoolsRead(t *testing.T) {
 		require.NoError(t, err)
 		assert.NotEmpty(t, k.Workspaces[0])
 	})
+
+	t.Run("read hyok configurations of an agent pool", func(t *testing.T) {
+		skipHYOKIntegrationTests(t)
+
+		// replace the environment variable with a valid agent pool ID that has HYOK configurations
+		hyokPoolID := os.Getenv("HYOK_POOL_ID")
+		if hyokPoolID == "" {
+			t.Fatal("Export a valid HYOK_POOL_ID before running this test!")
+		}
+
+		k, err := client.AgentPools.ReadWithOptions(ctx, hyokPoolID, &AgentPoolReadOptions{
+			Include: []AgentPoolIncludeOpt{AgentPoolHYOKConfigurations},
+		})
+		require.NoError(t, err)
+		assert.NotEmpty(t, k.HYOKConfigurations)
+	})
 }
 
 func TestAgentPoolsReadCreatedAt(t *testing.T) {

aws_oidc_configuration_integration_test.go

@@ -2,6 +2,7 @@ package tfe
 
 import (
 	"context"
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -12,13 +13,17 @@ import (
 // To run them locally, follow the instructions outlined in hyok_configuration_integration_test.go
 
 func TestAWSOIDCConfigurationCreateDelete(t *testing.T) {
-	if skipHYOKIntegrationTests {
-		t.Skip()
-	}
+	skipHYOKIntegrationTests(t)
 
 	client := testClient(t)
 	ctx := context.Background()
 
+	// replace the environment variable with a valid organization name that has AWS OIDC HYOK configurations
+	hyokOrganizationName := os.Getenv("HYOK_ORGANIZATION_NAME")
+	if hyokOrganizationName == "" {
+		t.Fatal("Export a valid HYOK_ORGANIZATION_NAME before running this test!")
+	}
+
 	orgTest, err := client.Organizations.Read(ctx, hyokOrganizationName)
 	if err != nil {
 		t.Fatal(err)
@@ -48,13 +53,17 @@ func TestAWSOIDCConfigurationCreateDelete(t *testing.T) {
 }
 
 func TestAWSOIDCConfigurationRead(t *testing.T) {
-	if skipHYOKIntegrationTests {
-		t.Skip()
-	}
+	skipHYOKIntegrationTests(t)
 
 	client := testClient(t)
 	ctx := context.Background()
 
+	// replace the environment variable with a valid organization name that has AWS OIDC HYOK configurations
+	hyokOrganizationName := os.Getenv("HYOK_ORGANIZATION_NAME")
+	if hyokOrganizationName == "" {
+		t.Fatal("Export a valid HYOK_ORGANIZATION_NAME before running this test!")
+	}
+
 	orgTest, err := client.Organizations.Read(ctx, hyokOrganizationName)
 	if err != nil {
 		t.Fatal(err)
@@ -76,13 +85,17 @@ func TestAWSOIDCConfigurationRead(t *testing.T) {
 }
 
 func TestAWSOIDCConfigurationsUpdate(t *testing.T) {
-	if skipHYOKIntegrationTests {
-		t.Skip()
-	}
+	skipHYOKIntegrationTests(t)
 
 	client := testClient(t)
 	ctx := context.Background()
 
+	// replace the environment variable with a valid organization name that has AWS OIDC HYOK configurations
+	hyokOrganizationName := os.Getenv("HYOK_ORGANIZATION_NAME")
+	if hyokOrganizationName == "" {
+		t.Fatal("Export a valid HYOK_ORGANIZATION_NAME before running this test!")
+	}
+
 	orgTest, err := client.Organizations.Read(ctx, hyokOrganizationName)
 	if err != nil {
 		t.Fatal(err)

azure_oidc_configuration_integration_test.go

@@ -2,6 +2,7 @@ package tfe
 
 import (
 	"context"
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -12,13 +13,17 @@ import (
 // To run them locally, follow the instructions outlined in hyok_configuration_integration_test.go
 
 func TestAzureOIDCConfigurationCreateDelete(t *testing.T) {
-	if skipHYOKIntegrationTests {
-		t.Skip()
-	}
+	skipHYOKIntegrationTests(t)
 
 	client := testClient(t)
 	ctx := context.Background()
 
+	// replace the environment variable with a valid organization name that has Azure OIDC HYOK configurations
+	hyokOrganizationName := os.Getenv("HYOK_ORGANIZATION_NAME")
+	if hyokOrganizationName == "" {
+		t.Fatal("Export a valid HYOK_ORGANIZATION_NAME before running this test!")
+	}
+
 	orgTest, err := client.Organizations.Read(ctx, hyokOrganizationName)
 	if err != nil {
 		t.Fatal(err)
@@ -75,13 +80,17 @@ func TestAzureOIDCConfigurationCreateDelete(t *testing.T) {
 }
 
 func TestAzureOIDCConfigurationRead(t *testing.T) {
-	if skipHYOKIntegrationTests {
-		t.Skip()
-	}
+	skipHYOKIntegrationTests(t)
 
 	client := testClient(t)
 	ctx := context.Background()
 
+	// replace the environment variable with a valid organization name that has Azure OIDC HYOK configurations
+	hyokOrganizationName := os.Getenv("HYOK_ORGANIZATION_NAME")
+	if hyokOrganizationName == "" {
+		t.Fatal("Export a valid HYOK_ORGANIZATION_NAME before running this test!")
+	}
+
 	orgTest, err := client.Organizations.Read(ctx, hyokOrganizationName)
 	if err != nil {
 		t.Fatal(err)
@@ -103,13 +112,17 @@ func TestAzureOIDCConfigurationRead(t *testing.T) {
 }
 
 func TestAzureOIDCConfigurationUpdate(t *testing.T) {
-	if skipHYOKIntegrationTests {
-		t.Skip()
-	}
+	skipHYOKIntegrationTests(t)
 
 	client := testClient(t)
 	ctx := context.Background()
 
+	// replace the environment variable with a valid organization name that has Azure OIDC HYOK configurations
+	hyokOrganizationName := os.Getenv("HYOK_ORGANIZATION_NAME")
+	if hyokOrganizationName == "" {
+		t.Fatal("Export a valid HYOK_ORGANIZATION_NAME before running this test!")
+	}
+
 	orgTest, err := client.Organizations.Read(ctx, hyokOrganizationName)
 	if err != nil {
 		t.Fatal(err)

errors.go

@@ -89,6 +89,9 @@ var (
 	// it is locked. "conflict" followed by newline is used to preserve go-tfe version
 	// compatibility with the error constructed at runtime before it was defined here.
 	ErrWorkspaceLockedCannotDelete = errors.New("conflict\nWorkspace is currently locked. Workspace must be unlocked before it can be safely deleted")
+
+	// ErrHYOKCannotBeDisabled is returned when attempting to disable HYOK on a workspace that already has it enabled.
+	ErrHYOKCannotBeDisabled = errors.New("bad request\n\nhyok may not be disabled once it has been turned on for a workspace")
 )
 
 // Invalid values for resources/struct fields
@@ -410,6 +413,8 @@ var (
 
 	ErrStateVersionUploadNotSupported = errors.New("upload not supported by this version of Terraform Enterprise")
 
+	ErrSanitizedStateUploadURLMissing = errors.New("sanitized state upload URL is missing")
+
 	ErrRequiredRoleARN = errors.New("role-arn is required for AWS OIDC configuration")
 
 	ErrRequiredServiceAccountEmail = errors.New("service-account-email is required for GCP OIDC configuration")

gcp_oidc_configuration_integration_test.go

@@ -2,6 +2,7 @@ package tfe
 
 import (
 	"context"
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -12,13 +13,17 @@ import (
 // To run them locally, follow the instructions outlined in hyok_configuration_integration_test.go
 
 func TestGCPOIDCConfigurationCreateDelete(t *testing.T) {
-	if skipHYOKIntegrationTests {
-		t.Skip()
-	}
+	skipHYOKIntegrationTests(t)
 
 	client := testClient(t)
 	ctx := context.Background()
 
+	// replace the environment variable with a valid organization name that has GCP OIDC HYOK configurations
+	hyokOrganizationName := os.Getenv("HYOK_ORGANIZATION_NAME")
+	if hyokOrganizationName == "" {
+		t.Fatal("Export a valid HYOK_ORGANIZATION_NAME before running this test!")
+	}
+
 	orgTest, err := client.Organizations.Read(ctx, hyokOrganizationName)
 	if err != nil {
 		t.Fatal(err)
@@ -75,13 +80,17 @@ func TestGCPOIDCConfigurationCreateDelete(t *testing.T) {
 }
 
 func TestGCPOIDCConfigurationRead(t *testing.T) {
-	if skipHYOKIntegrationTests {
-		t.Skip()
-	}
+	skipHYOKIntegrationTests(t)
 
 	client := testClient(t)
 	ctx := context.Background()
 
+	// replace the environment variable with a valid organization name that has GCP OIDC HYOK configurations
+	hyokOrganizationName := os.Getenv("HYOK_ORGANIZATION_NAME")
+	if hyokOrganizationName == "" {
+		t.Fatal("Export a valid HYOK_ORGANIZATION_NAME before running this test!")
+	}
+
 	orgTest, err := client.Organizations.Read(ctx, hyokOrganizationName)
 	if err != nil {
 		t.Fatal(err)
@@ -103,13 +112,17 @@ func TestGCPOIDCConfigurationRead(t *testing.T) {
 }
 
 func TestGCPOIDCConfigurationUpdate(t *testing.T) {
-	if skipHYOKIntegrationTests {
-		t.Skip()
-	}
+	skipHYOKIntegrationTests(t)
 
 	client := testClient(t)
 	ctx := context.Background()
 
+	// replace the environment variable with a valid organization name that has GCP OIDC HYOK configurations
+	hyokOrganizationName := os.Getenv("HYOK_ORGANIZATION_NAME")
+	if hyokOrganizationName == "" {
+		t.Fatal("Export a valid HYOK_ORGANIZATION_NAME before running this test!")
+	}
+
 	orgTest, err := client.Organizations.Read(ctx, hyokOrganizationName)
 	if err != nil {
 		t.Fatal(err)

helper_test.go

@@ -3221,6 +3221,13 @@ func skipIfEnterprise(t *testing.T) {
 	}
 }
 
+func skipHYOKIntegrationTests(t *testing.T) {
+	t.Helper()
+	if !hyokIntegrationTestsEnabled() {
+		t.Skip("Skipping test related to HYOK features. Set ENABLE_HYOK_INTEGRATION_TESTS=1 to run.")
+	}
+}
+
 // skips a test if the underlying beta feature is not available.
 // **Note: ENABLE_BETA is always disabled in CI, so ensure you:
 //
@@ -3269,6 +3276,11 @@ func betaFeaturesEnabled() bool {
 	return os.Getenv("ENABLE_BETA") == "1"
 }
 
+// Checks to see if HYOK_INTEGRATION_TESTS is set to 1, thereby enabling tests for HYOK features.
+func hyokIntegrationTestsEnabled() bool {
+	return os.Getenv("ENABLE_HYOK_INTEGRATION_TESTS") == "1"
+}
+
 // isEmpty gets whether the specified object is considered empty or not.
 func isEmpty(object interface{}) bool {
 	// get nil case out of the way