Merge pull request #1033 from hashicorp/Netra2104/TF-7897-add-policy-set-workspace-exclusions-resource

Add a new workspace_policy_set_exclusion resource

Author: Netra2104

CHANGELOG.md

@@ -8,6 +8,7 @@ FEATURES:
 * `d/tfe_organization_membership`: Add `organization_membership_id` attribute, by @laurenolivia [997](https://github.com/hashicorp/terraform-provider-tfe/pull/997)
 * `d/tfe_variable_set`: Add `project_ids` attribute, by @Netra2104 [994](https://github.com/hashicorp/terraform-provider-tfe/pull/994)
 * **New Data Source**: `d/tfe_teams` is a new data source to return names and IDs of Teams in an Organization, by @isaacmcollins [992](https://github.com/hashicorp/terraform-provider-tfe/pull/992)
+* **New Resource**: `r/tfe_workspace_policy_set_exclusion` is a new resource allowing the exclusion of one or more existing workspaces from an existing `policy set`, by @Netra2104 [1033](https://github.com/hashicorp/terraform-provider-tfe/pull/1033)
 
 ## v0.48.0 (August 7, 2023)
 

internal/provider/provider.go

@@ -106,43 +106,44 @@ func Provider() *schema.Provider {
 		},
 
 		ResourcesMap: map[string]*schema.Resource{
-			"tfe_admin_organization_settings":   resourceTFEAdminOrganizationSettings(),
-			"tfe_agent_pool":                    resourceTFEAgentPool(),
-			"tfe_agent_pool_allowed_workspaces": resourceTFEAgentPoolAllowedWorkspaces(),
-			"tfe_agent_token":                   resourceTFEAgentToken(),
-			"tfe_notification_configuration":    resourceTFENotificationConfiguration(),
-			"tfe_oauth_client":                  resourceTFEOAuthClient(),
-			"tfe_organization":                  resourceTFEOrganization(),
-			"tfe_organization_membership":       resourceTFEOrganizationMembership(),
-			"tfe_organization_module_sharing":   resourceTFEOrganizationModuleSharing(),
-			"tfe_organization_run_task":         resourceTFEOrganizationRunTask(),
-			"tfe_organization_token":            resourceTFEOrganizationToken(),
-			"tfe_policy":                        resourceTFEPolicy(),
-			"tfe_policy_set":                    resourceTFEPolicySet(),
-			"tfe_policy_set_parameter":          resourceTFEPolicySetParameter(),
-			"tfe_project":                       resourceTFEProject(),
-			"tfe_project_policy_set":            resourceTFEProjectPolicySet(),
-			"tfe_project_variable_set":          resourceTFEProjectVariableSet(),
-			"tfe_registry_module":               resourceTFERegistryModule(),
-			"tfe_no_code_module":                resourceTFENoCodeModule(),
-			"tfe_run_trigger":                   resourceTFERunTrigger(),
-			"tfe_sentinel_policy":               resourceTFESentinelPolicy(),
-			"tfe_ssh_key":                       resourceTFESSHKey(),
-			"tfe_team":                          resourceTFETeam(),
-			"tfe_team_access":                   resourceTFETeamAccess(),
-			"tfe_team_organization_member":      resourceTFETeamOrganizationMember(),
-			"tfe_team_organization_members":     resourceTFETeamOrganizationMembers(),
-			"tfe_team_project_access":           resourceTFETeamProjectAccess(),
-			"tfe_team_member":                   resourceTFETeamMember(),
-			"tfe_team_members":                  resourceTFETeamMembers(),
-			"tfe_team_token":                    resourceTFETeamToken(),
-			"tfe_terraform_version":             resourceTFETerraformVersion(),
-			"tfe_workspace":                     resourceTFEWorkspace(),
-			"tfe_workspace_run_task":            resourceTFEWorkspaceRunTask(),
-			"tfe_variable_set":                  resourceTFEVariableSet(),
-			"tfe_workspace_variable_set":        resourceTFEWorkspaceVariableSet(),
-			"tfe_workspace_policy_set":          resourceTFEWorkspacePolicySet(),
-			"tfe_workspace_run":                 resourceTFEWorkspaceRun(),
+			"tfe_admin_organization_settings":    resourceTFEAdminOrganizationSettings(),
+			"tfe_agent_pool":                     resourceTFEAgentPool(),
+			"tfe_agent_pool_allowed_workspaces":  resourceTFEAgentPoolAllowedWorkspaces(),
+			"tfe_agent_token":                    resourceTFEAgentToken(),
+			"tfe_notification_configuration":     resourceTFENotificationConfiguration(),
+			"tfe_oauth_client":                   resourceTFEOAuthClient(),
+			"tfe_organization":                   resourceTFEOrganization(),
+			"tfe_organization_membership":        resourceTFEOrganizationMembership(),
+			"tfe_organization_module_sharing":    resourceTFEOrganizationModuleSharing(),
+			"tfe_organization_run_task":          resourceTFEOrganizationRunTask(),
+			"tfe_organization_token":             resourceTFEOrganizationToken(),
+			"tfe_policy":                         resourceTFEPolicy(),
+			"tfe_policy_set":                     resourceTFEPolicySet(),
+			"tfe_policy_set_parameter":           resourceTFEPolicySetParameter(),
+			"tfe_project":                        resourceTFEProject(),
+			"tfe_project_policy_set":             resourceTFEProjectPolicySet(),
+			"tfe_project_variable_set":           resourceTFEProjectVariableSet(),
+			"tfe_registry_module":                resourceTFERegistryModule(),
+			"tfe_no_code_module":                 resourceTFENoCodeModule(),
+			"tfe_run_trigger":                    resourceTFERunTrigger(),
+			"tfe_sentinel_policy":                resourceTFESentinelPolicy(),
+			"tfe_ssh_key":                        resourceTFESSHKey(),
+			"tfe_team":                           resourceTFETeam(),
+			"tfe_team_access":                    resourceTFETeamAccess(),
+			"tfe_team_organization_member":       resourceTFETeamOrganizationMember(),
+			"tfe_team_organization_members":      resourceTFETeamOrganizationMembers(),
+			"tfe_team_project_access":            resourceTFETeamProjectAccess(),
+			"tfe_team_member":                    resourceTFETeamMember(),
+			"tfe_team_members":                   resourceTFETeamMembers(),
+			"tfe_team_token":                     resourceTFETeamToken(),
+			"tfe_terraform_version":              resourceTFETerraformVersion(),
+			"tfe_workspace":                      resourceTFEWorkspace(),
+			"tfe_workspace_run_task":             resourceTFEWorkspaceRunTask(),
+			"tfe_variable_set":                   resourceTFEVariableSet(),
+			"tfe_workspace_policy_set":           resourceTFEWorkspacePolicySet(),
+			"tfe_workspace_policy_set_exclusion": resourceTFEWorkspacePolicySetExclusion(),
+			"tfe_workspace_run":                  resourceTFEWorkspaceRun(),
+			"tfe_workspace_variable_set":         resourceTFEWorkspaceVariableSet(),
 		},
 		ConfigureContextFunc: configure(),
 	}

internal/provider/resource_tfe_workspace_policy_set_exclusion.go

@@ -0,0 +1,173 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package provider
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log"
+	"strings"
+
+	tfe "github.com/hashicorp/go-tfe"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func resourceTFEWorkspacePolicySetExclusion() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceTFEWorkspacePolicySetExclusionCreate,
+		Read:   resourceTFEWorkspacePolicySetExclusionRead,
+		Delete: resourceTFEWorkspacePolicySetExclusionDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: resourceTFEWorkspacePolicySetExclusionImporter,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"policy_set_id": {
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+
+			"workspace_id": {
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+		},
+	}
+}
+
+func resourceTFEWorkspacePolicySetExclusionCreate(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(ConfiguredClient)
+
+	policySetID := d.Get("policy_set_id").(string)
+	workspaceExclusionID := d.Get("workspace_id").(string)
+
+	policySetAddWorkspaceExclusionsOptions := tfe.PolicySetAddWorkspaceExclusionsOptions{}
+	policySetAddWorkspaceExclusionsOptions.WorkspaceExclusions = append(policySetAddWorkspaceExclusionsOptions.WorkspaceExclusions, &tfe.Workspace{ID: workspaceExclusionID})
+
+	err := config.Client.PolicySets.AddWorkspaceExclusions(ctx, policySetID, policySetAddWorkspaceExclusionsOptions)
+	if err != nil {
+		return fmt.Errorf(
+			"error adding workspace exclusion %s to policy set id %s: %w", workspaceExclusionID, policySetID, err)
+	}
+
+	d.SetId(fmt.Sprintf("%s_%s", workspaceExclusionID, policySetID))
+
+	return resourceTFEWorkspacePolicySetExclusionRead(d, meta)
+}
+
+func resourceTFEWorkspacePolicySetExclusionRead(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(ConfiguredClient)
+
+	policySetID := d.Get("policy_set_id").(string)
+	workspaceExclusionsID := d.Get("workspace_id").(string)
+
+	log.Printf("[DEBUG] Read configuration of excluded workspace policy set: %s", policySetID)
+	policySet, err := config.Client.PolicySets.ReadWithOptions(ctx, policySetID, &tfe.PolicySetReadOptions{
+		Include: []tfe.PolicySetIncludeOpt{tfe.PolicySetWorkspaceExclusions},
+	})
+	if err != nil {
+		if errors.Is(err, tfe.ErrResourceNotFound) {
+			log.Printf("[DEBUG] Policy set %s no longer exists", policySetID)
+			d.SetId("")
+			return nil
+		}
+		return fmt.Errorf("error reading configuration of policy set %s: %w", policySetID, err)
+	}
+
+	isWorkspaceExclusionsAttached := false
+	for _, excludedWorkspace := range policySet.WorkspaceExclusions {
+		if excludedWorkspace.ID == workspaceExclusionsID {
+			isWorkspaceExclusionsAttached = true
+			d.Set("workspace_id", workspaceExclusionsID)
+			break
+		}
+	}
+
+	if !isWorkspaceExclusionsAttached {
+		log.Printf("[DEBUG] Excluded workspace %s not attached to policy set %s. Removing from state.", workspaceExclusionsID, policySetID)
+		d.SetId("")
+		return nil
+	}
+
+	d.Set("policy_set_id", policySetID)
+	return nil
+}
+
+func resourceTFEWorkspacePolicySetExclusionDelete(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(ConfiguredClient)
+
+	policySetID := d.Get("policy_set_id").(string)
+	workspaceExclusionsID := d.Get("workspace_id").(string)
+
+	log.Printf("[DEBUG] Removing excluded workspace (%s) from policy set (%s)", workspaceExclusionsID, policySetID)
+	policySetRemoveWorkspaceExclusionsOptions := tfe.PolicySetRemoveWorkspaceExclusionsOptions{}
+	policySetRemoveWorkspaceExclusionsOptions.WorkspaceExclusions = append(policySetRemoveWorkspaceExclusionsOptions.WorkspaceExclusions, &tfe.Workspace{ID: workspaceExclusionsID})
+
+	err := config.Client.PolicySets.RemoveWorkspaceExclusions(ctx, policySetID, policySetRemoveWorkspaceExclusionsOptions)
+	if err != nil {
+		return fmt.Errorf(
+			"error removing excluded workspace %s from policy set %s: %w", workspaceExclusionsID, policySetID, err)
+	}
+
+	return nil
+}
+
+func resourceTFEWorkspacePolicySetExclusionImporter(ctx context.Context, d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+	// The format of the import ID is <ORGANIZATION/WORKSPACE NAME/POLICYSET NAME>
+	splitID := strings.SplitN(d.Id(), "/", 3)
+	if len(splitID) != 3 {
+		return nil, fmt.Errorf(
+			"invalid excluded workspace policy set input format: %s (expected <ORGANIZATION>/<WORKSPACE NAME>/<POLICYSET NAME>)",
+			splitID,
+		)
+	}
+
+	organization, wsName, pSName := splitID[0], splitID[1], splitID[2]
+
+	config := meta.(ConfiguredClient)
+
+	// Ensure the named workspace exists before fetching all the policy sets in the org
+	_, err := config.Client.Workspaces.Read(ctx, organization, wsName)
+	if err != nil {
+		return nil, fmt.Errorf("error reading configuration of the workspace to exclude %s in organization %s: %w", wsName, organization, err)
+	}
+
+	options := &tfe.PolicySetListOptions{Include: []tfe.PolicySetIncludeOpt{tfe.PolicySetWorkspaceExclusions}}
+	for {
+		list, err := config.Client.PolicySets.List(ctx, organization, options)
+		if err != nil {
+			return nil, fmt.Errorf("error retrieving policy sets: %w", err)
+		}
+		for _, policySet := range list.Items {
+			if policySet.Name != pSName {
+				continue
+			}
+
+			for _, ws := range policySet.WorkspaceExclusions {
+				if ws.Name != wsName {
+					continue
+				}
+
+				d.Set("workspace_id", ws.ID)
+				d.Set("policy_set_id", policySet.ID)
+				d.SetId(fmt.Sprintf("%s_%s", ws.ID, policySet.ID))
+
+				return []*schema.ResourceData{d}, nil
+			}
+		}
+
+		// Exit the loop when we've seen all pages.
+		if list.CurrentPage >= list.TotalPages {
+			break
+		}
+
+		// Update the page number to get the next page.
+		options.PageNumber = list.NextPage
+	}
+
+	return nil, fmt.Errorf("excluded workspace %s has not been added to policy set %s", wsName, pSName)
+}