Add support for namespace lifecycle (#309)

Author: anekkanti

docs/data-sources/namespace.md

@@ -71,6 +71,7 @@ output "namespace" {
 - `endpoints` (Attributes) The endpoints for the namespace. (see [below for nested schema](#nestedatt--endpoints))
 - `limits` (Attributes) The limits set on the namespace currently. (see [below for nested schema](#nestedatt--limits))
 - `name` (String) The name of the namespace.
+- `namespace_lifecycle` (Attributes) The lifecycle settings for the namespace. (see [below for nested schema](#nestedatt--namespace_lifecycle))
 - `regions` (List of String) The list of regions that this namespace is available in. If more than one region is specified, this namespace is a Multi-region Namespace, which is currently unsupported by the Terraform provider.
 - `retention_days` (Number) The number of days to retain workflow history. Any changes to the retention period will be applied to all new running workflows.
 - `state` (String) The current state of the namespace.
@@ -132,3 +133,11 @@ Read-Only:
 Read-Only:
 
 - `actions_per_second_limit` (Number) The number of actions per second (APS) that is currently allowed for the namespace. The namespace may be throttled if its APS exceeds the limit.
+
+
+<a id="nestedatt--namespace_lifecycle"></a>
+### Nested Schema for `namespace_lifecycle`
+
+Read-Only:
+
+- `enable_delete_protection` (Boolean) If true, delete protection is enabled for the namespace. This means that the namespace cannot be deleted until this is set to false.

docs/data-sources/namespaces.md

@@ -62,6 +62,7 @@ Read-Only:
 - `id` (String) The unique identifier of the namespace across all Temporal Cloud tenants.
 - `limits` (Attributes) The limits set on the namespace currently. (see [below for nested schema](#nestedatt--namespaces--limits))
 - `name` (String) The name of the namespace.
+- `namespace_lifecycle` (Attributes) The lifecycle settings for the namespace. (see [below for nested schema](#nestedatt--namespaces--namespace_lifecycle))
 - `regions` (List of String) The list of regions that this namespace is available in. If more than one region is specified, this namespace is a Multi-region Namespace, which is currently unsupported by the Terraform provider.
 - `retention_days` (Number) The number of days to retain workflow history. Any changes to the retention period will be applied to all new running workflows.
 - `state` (String) The current state of the namespace.
@@ -123,3 +124,11 @@ Read-Only:
 Read-Only:
 
 - `actions_per_second_limit` (Number) The number of actions per second (APS) that is currently allowed for the namespace. The namespace may be throttled if its APS exceeds the limit.
+
+
+<a id="nestedatt--namespaces--namespace_lifecycle"></a>
+### Nested Schema for `namespaces.namespace_lifecycle`
+
+Read-Only:
+
+- `enable_delete_protection` (Boolean) If true, delete protection is enabled for the namespace. This means that the namespace cannot be deleted until this is set to false.

docs/resources/namespace.md

@@ -42,10 +42,9 @@ resource "temporalcloud_namespace" "terraform" {
   regions            = ["aws-us-east-1"]
   accepted_client_ca = base64encode(file("${path.module}/ca.pem"))
   retention_days     = 14
-
-  // Prevents Terraform from deleting namespace. Must remove this before destroying resource.
-  lifecycle {
-    prevent_destroy = true
+  namespace_lifecycle = {
+    // Prevents namespace from being deleted accidentally. Must be updated to false before destroying resource.
+    enable_delete_protection = true
   }
 }
 
@@ -111,10 +110,9 @@ resource "temporalcloud_namespace" "terraform2" {
   regions            = ["aws-us-east-1"]
   accepted_client_ca = base64encode(tls_self_signed_cert.ca.cert_pem)
   retention_days     = 14
-
-  // Prevents Terraform from deleting namespace. Must remove this before destroying resource.
-  lifecycle {
-    prevent_destroy = true
+  namespace_lifecycle = {
+    // Prevents namespace from being deleted accidentally. Must be updated to false before destroying resource.
+    enable_delete_protection = true
   }
 }
 
@@ -124,10 +122,9 @@ resource "temporalcloud_namespace" "terraform3" {
   regions        = ["aws-us-east-1"]
   api_key_auth   = true
   retention_days = 14
-
-  // Prevents Terraform from deleting namespace. Must remove this before destroying resource.
-  lifecycle {
-    prevent_destroy = true
+  namespace_lifecycle = {
+    // Prevents namespace from being deleted accidentally. Must be updated to false before destroying resource.
+    enable_delete_protection = true
   }
 }
 
@@ -161,6 +158,7 @@ resource "temporalcloud_namespace" "terraform4" {
 - `certificate_filters` (Attributes List) A list of filters to apply to client certificates when initiating a connection Temporal Cloud. If present, connections will only be allowed from client certificates whose distinguished name properties match at least one of the filters. Empty lists are not allowed, omit the attribute instead. (see [below for nested schema](#nestedatt--certificate_filters))
 - `codec_server` (Attributes) A codec server is used by the Temporal Cloud UI to decode payloads for all users interacting with this namespace, even if the workflow history itself is encrypted. (see [below for nested schema](#nestedatt--codec_server))
 - `connectivity_rule_ids` (List of String) The IDs of the connectivity rules for this namespace.
+- `namespace_lifecycle` (Attributes) The lifecycle configuration for the namespace. (see [below for nested schema](#nestedatt--namespace_lifecycle))
 - `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
 
 ### Read-Only
@@ -192,6 +190,14 @@ Optional:
 - `pass_access_token` (Boolean) If true, Temporal Cloud will pass the access token to the codec server upon each request.
 
 
+<a id="nestedatt--namespace_lifecycle"></a>
+### Nested Schema for `namespace_lifecycle`
+
+Optional:
+
+- `enable_delete_protection` (Boolean) If true, the namespace cannot be deleted. This is a safeguard against accidental deletion. To delete a namespace with this option enabled, you must first set it to false.
+
+
 <a id="nestedblock--timeouts"></a>
 ### Nested Schema for `timeouts`
 

examples/resources/temporalcloud_namespace/resource.tf

@@ -21,10 +21,9 @@ resource "temporalcloud_namespace" "terraform" {
   regions            = ["aws-us-east-1"]
   accepted_client_ca = base64encode(file("${path.module}/ca.pem"))
   retention_days     = 14
-
-  // Prevents Terraform from deleting namespace. Must remove this before destroying resource.
-  lifecycle {
-    prevent_destroy = true
+  namespace_lifecycle = {
+    // Prevents namespace from being deleted accidentally. Must be updated to false before destroying resource.
+    enable_delete_protection = true
   }
 }
 
@@ -90,10 +89,9 @@ resource "temporalcloud_namespace" "terraform2" {
   regions            = ["aws-us-east-1"]
   accepted_client_ca = base64encode(tls_self_signed_cert.ca.cert_pem)
   retention_days     = 14
-
-  // Prevents Terraform from deleting namespace. Must remove this before destroying resource.
-  lifecycle {
-    prevent_destroy = true
+  namespace_lifecycle = {
+    // Prevents namespace from being deleted accidentally. Must be updated to false before destroying resource.
+    enable_delete_protection = true
   }
 }
 
@@ -103,10 +101,9 @@ resource "temporalcloud_namespace" "terraform3" {
   regions        = ["aws-us-east-1"]
   api_key_auth   = true
   retention_days = 14
-
-  // Prevents Terraform from deleting namespace. Must remove this before destroying resource.
-  lifecycle {
-    prevent_destroy = true
+  namespace_lifecycle = {
+    // Prevents namespace from being deleted accidentally. Must be updated to false before destroying resource.
+    enable_delete_protection = true
   }
 }
 

internal/provider/namespace_resource.go

@@ -34,6 +34,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-log/tflog"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/proto"
 
 	"github.com/hashicorp/terraform-plugin-framework-validators/listvalidator"
 	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
@@ -78,9 +79,13 @@ type (
 		ApiKeyAuth          types.Bool                             `tfsdk:"api_key_auth"`
 		CodecServer         types.Object                           `tfsdk:"codec_server"`
 		Endpoints           types.Object                           `tfsdk:"endpoints"`
+		NamespaceLifecycle  internaltypes.ZeroObjectValue          `tfsdk:"namespace_lifecycle"`
 		ConnectivityRuleIds internaltypes.UnorderedStringListValue `tfsdk:"connectivity_rule_ids"`
+		Timeouts            timeouts.Value                         `tfsdk:"timeouts"`
+	}
 
-		Timeouts timeouts.Value `tfsdk:"timeouts"`
+	lifecycleModel struct {
+		EnableDeleteProtection types.Bool `tfsdk:"enable_delete_protection"`
 	}
 
 	namespaceCertificateFilterModel struct {
@@ -121,6 +126,10 @@ var (
 		"include_cross_origin_credentials": types.BoolType,
 	}
 
+	lifecycleAttrs = map[string]attr.Type{
+		"enable_delete_protection": types.BoolType,
+	}
+
 	endpointsAttrs = map[string]attr.Type{
 		"web_address":       types.StringType,
 		"grpc_address":      types.StringType,
@@ -263,6 +272,23 @@ func (r *namespaceResource) Schema(ctx context.Context, _ resource.SchemaRequest
 				},
 				Computed: true,
 			},
+			"namespace_lifecycle": schema.SingleNestedAttribute{
+				Description: "The lifecycle configuration for the namespace.",
+				CustomType: internaltypes.ZeroObjectType{
+					ObjectType: basetypes.ObjectType{
+						AttrTypes: lifecycleAttrs,
+					},
+				},
+				Attributes: map[string]schema.Attribute{
+					"enable_delete_protection": schema.BoolAttribute{
+						Description: "If true, the namespace cannot be deleted. This is a safeguard against accidental deletion. To delete a namespace with this option enabled, you must first set it to false.",
+						Optional:    true,
+						Computed:    true,
+						Default:     booldefault.StaticBool(false),
+					},
+				},
+				Optional: true,
+			},
 			"connectivity_rule_ids": schema.ListAttribute{
 				Description: "The IDs of the connectivity rules for this namespace.",
 				Optional:    true,
@@ -321,17 +347,28 @@ func (r *namespaceResource) Create(ctx context.Context, req resource.CreateReque
 		}
 	}
 
+	var lifecycle *namespacev1.LifecycleSpec
+	if !plan.NamespaceLifecycle.IsNull() && !plan.NamespaceLifecycle.IsZero(ctx) {
+		var d diag.Diagnostics
+		lifecycle, d = getLifecycleFromModel(ctx, &plan)
+		resp.Diagnostics.Append(d...)
+		if resp.Diagnostics.HasError() {
+			return
+		}
+	}
+
 	connectivityRuleIds, d := getConnectivityRuleIdsFromModel(ctx, &plan)
 	resp.Diagnostics.Append(d...)
 	if resp.Diagnostics.HasError() {
 		return
 	}
 
-	var spec = &namespacev1.NamespaceSpec{
+	spec := &namespacev1.NamespaceSpec{
 		Name:                plan.Name.ValueString(),
 		Regions:             regions,
 		RetentionDays:       int32(plan.RetentionDays.ValueInt64()),
 		CodecServer:         codecServer,
+		Lifecycle:           lifecycle,
 		ConnectivityRuleIds: connectivityRuleIds,
 	}
 
@@ -404,7 +441,7 @@ func (r *namespaceResource) Read(ctx context.Context, req resource.ReadRequest,
 	if err != nil {
 		switch status.Code(err) {
 		case codes.NotFound:
-			tflog.Warn(ctx, "Namespace Resource not found, removing from state", map[string]interface{}{
+			tflog.Warn(ctx, "Namespace Resource not found, removing from state", map[string]any{
 				"id": state.ID.ValueString(),
 			})
 
@@ -484,12 +521,23 @@ func (r *namespaceResource) Update(ctx context.Context, req resource.UpdateReque
 		}
 	}
 
-	var spec = &namespacev1.NamespaceSpec{
+	var lifecycle *namespacev1.LifecycleSpec
+	if !plan.NamespaceLifecycle.IsNull() && !plan.NamespaceLifecycle.IsZero(ctx) {
+		var d diag.Diagnostics
+		lifecycle, d = getLifecycleFromModel(ctx, &plan)
+		resp.Diagnostics.Append(d...)
+		if resp.Diagnostics.HasError() {
+			return
+		}
+	}
+
+	spec := &namespacev1.NamespaceSpec{
 		Name:                plan.Name.ValueString(),
 		Regions:             regions,
 		RetentionDays:       int32(plan.RetentionDays.ValueInt64()),
 		CodecServer:         codecServer,
 		SearchAttributes:    currentNs.GetNamespace().GetSpec().GetSearchAttributes(),
+		Lifecycle:           lifecycle,
 		ConnectivityRuleIds: connectivityRuleIds,
 	}
 
@@ -576,7 +624,7 @@ func (r *namespaceResource) Delete(ctx context.Context, req resource.DeleteReque
 	if err != nil {
 		switch status.Code(err) {
 		case codes.NotFound:
-			tflog.Warn(ctx, "Namespace Resource not found, removing from state", map[string]interface{}{
+			tflog.Warn(ctx, "Namespace Resource not found, removing from state", map[string]any{
 				"id": state.ID.ValueString(),
 			})
 
@@ -596,7 +644,7 @@ func (r *namespaceResource) Delete(ctx context.Context, req resource.DeleteReque
 	if err != nil {
 		switch status.Code(err) {
 		case codes.NotFound:
-			tflog.Warn(ctx, "Namespace Resource not found, removing from state", map[string]interface{}{
+			tflog.Warn(ctx, "Namespace Resource not found, removing from state", map[string]any{
 				"id": state.ID.ValueString(),
 			})
 
@@ -646,13 +694,17 @@ func getConnectivityRuleIdsFromModel(ctx context.Context, plan *namespaceResourc
 	}
 
 	requestConnectivityRuleIds := make([]string, len(connectivityRuleIds))
-	for i, connectivityRuleId := range connectivityRuleIds {
-		requestConnectivityRuleIds[i] = connectivityRuleId.ValueString()
+	for i, id := range connectivityRuleIds {
+		requestConnectivityRuleIds[i] = id.ValueString()
 	}
 	return requestConnectivityRuleIds, diags
 }
 
-func updateModelFromSpec(ctx context.Context, state *namespaceResourceModel, ns *namespacev1.Namespace) diag.Diagnostics {
+func updateModelFromSpec(
+	ctx context.Context,
+	state *namespaceResourceModel,
+	ns *namespacev1.Namespace,
+) diag.Diagnostics {
 	var diags diag.Diagnostics
 
 	state.ID = types.StringValue(ns.GetNamespace())
@@ -726,6 +778,21 @@ func updateModelFromSpec(ctx context.Context, state *namespaceResourceModel, ns
 	}
 	state.CodecServer = codecServerState
 
+	if lifecycleSpec := ns.GetSpec().GetLifecycle(); lifecycleSpec != nil && !proto.Equal(lifecycleSpec, &namespacev1.LifecycleSpec{}) {
+		lifecycle := &lifecycleModel{
+			EnableDeleteProtection: types.BoolValue(lifecycleSpec.GetEnableDeleteProtection()),
+		}
+		st, objectDiags := types.ObjectValueFrom(ctx, lifecycleAttrs, lifecycle)
+		diags.Append(objectDiags...)
+		if diags.HasError() {
+			return diags
+		}
+		state.NamespaceLifecycle = internaltypes.ZeroObjectValue{ObjectValue: st}
+	} else if !state.NamespaceLifecycle.IsZero(ctx) {
+		// only update the lifecycle if its not already set to zero
+		state.NamespaceLifecycle = internaltypes.ZeroObjectValue{ObjectValue: types.ObjectNull(lifecycleAttrs)}
+	}
+
 	endpoints := &endpointsModel{
 		GrpcAddress:     stringOrNull(ns.GetEndpoints().GetGrpcAddress()),
 		WebAddress:      stringOrNull(ns.GetEndpoints().GetWebAddress()),
@@ -810,6 +877,18 @@ func getCodecServerFromModel(ctx context.Context, model *namespaceResourceModel)
 	}, diags
 }
 
+func getLifecycleFromModel(ctx context.Context, model *namespaceResourceModel) (*namespacev1.LifecycleSpec, diag.Diagnostics) {
+	var diags diag.Diagnostics
+	var lifecycle lifecycleModel
+	diags.Append(model.NamespaceLifecycle.As(ctx, &lifecycle, basetypes.ObjectAsOptions{})...)
+	if diags.HasError() {
+		return nil, diags
+	}
+	return &namespacev1.LifecycleSpec{
+		EnableDeleteProtection: lifecycle.EnableDeleteProtection.ValueBool(),
+	}, diags
+}
+
 func stringOrNull(s string) types.String {
 	if s == "" {
 		return types.StringNull()

internal/provider/namespace_resource_test.go

@@ -45,7 +45,7 @@ func TestNamespaceSchema(t *testing.T) {
 
 func TestAccBasicNamespace(t *testing.T) {
 	name := fmt.Sprintf("%s-%s", "tf-basic-namespace", randomString(10))
-	config := func(name string, retention int) string {
+	config := func(name string, retention int, deleteProtection bool) string {
 		return fmt.Sprintf(`
 provider "temporalcloud" {
 
@@ -71,7 +71,10 @@ PEM
 )
 
   retention_days     = %d
-}`, name, retention)
+  namespace_lifecycle = {
+	  enable_delete_protection = %t
+  }
+}`, name, retention, deleteProtection)
 	}
 
 	resource.ParallelTest(t, resource.TestCase{
@@ -80,16 +83,19 @@ PEM
 		Steps: []resource.TestStep{
 			{
 				// New namespace with retention of 7
-				Config: config(name, 7),
+				Config: config(name, 7, true),
 			},
 			{
-				Config: config(name, 14),
+				Config: config(name, 14, true),
 			},
 			{
 				ImportState:       true,
 				ImportStateVerify: true,
 				ResourceName:      "temporalcloud_namespace.terraform",
 			},
+			{
+				Config: config(name, 14, false), // disable delete protection for deletion to succeed
+			},
 			// Delete testing automatically occurs in TestCase
 		},
 	})