Add support for project-owned variable sets

[mkam]

Description

This PR adds parent_project_id to the variable sets resource and data source, which specifies the ID of the project that should own the varset. Project-owned varsets cannot also be global varsets, and if the varset is updated to have a different parent project, then the varset under the old project should be deleted and then recreated under the new project.

Remember to:

• Update the Change Log
• Update the Documentation

Testing plan

1. Create a project-owned varset and an org-owned varset.
2. Validate that the project-owned varset has the expected project ID set and the org-owned does not.
3. Get the project-owned varset as a data source and output it.
4. Validate that the outputted data source has the expected project ID set.

resource "tfe_project" "test_project" {
  name         = "ProjectOwnedVarSetProviderProject"
  organization = data.tfe_organization.test.name
}

resource "tfe_variable_set" "org_owned" {
  name         = "org-owned-owned-varset"
  organization = data.tfe_organization.test.name
}

resource "tfe_variable_set" "project_owned" {
  name              = "project-owned-owned-varset"
  organization      = data.tfe_organization.test.name
  parent_project_id = tfe_project.test_project.id
}

data "tfe_variable_set" "project_owned_data_source" {
  organization = data.tfe_organization.test.name
  name         = tfe_variable_set.project_owned.name
}

output "project_owned_data_source" {
  value = data.tfe_variable_set.project_owned_data_source
}

Creating a project-owned varset

-> % terraform apply
╷
│ Warning: Provider development overrides are in effect
│
│ The following provider development overrides are set in the CLI configuration:
│  - hashicorp/tfe in /Users/mkam/hashicorp/terraform-provider-tfe
│
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
data.tfe_organization.test: Reading...
data.tfe_organization.unified: Reading...
data.tfe_organization.test: Read complete after 1s [id=org-uXyx3dqZekFuhw4B]
data.tfe_project.default_project: Reading...
data.tfe_organization.unified: Read complete after 1s [id=55d75d5b-277a-44e0-b937-754c0520dc83]
data.tfe_project.default_project: Read complete after 0s [id=prj-gKmEBeazgefwjaBE]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # data.tfe_variable_set.project_owned_data_source will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "tfe_variable_set" "project_owned_data_source" {
      + description       = (known after apply)
      + global            = (known after apply)
      + id                = (known after apply)
      + name              = "project-owned-owned-varset"
      + organization      = "hashicorp"
      + parent_project_id = (known after apply)
      + priority          = (known after apply)
      + project_ids       = (known after apply)
      + variable_ids      = (known after apply)
      + workspace_ids     = (known after apply)
    }

  # tfe_project.test_project will be created
  + resource "tfe_project" "test_project" {
      + id           = (known after apply)
      + name         = "ProjectOwnedVarSetProviderProject"
      + organization = "hashicorp"
    }

  # tfe_variable_set.org_owned will be created
  + resource "tfe_variable_set" "org_owned" {
      + global            = false
      + id                = (known after apply)
      + name              = "org-owned-owned-varset"
      + organization      = "hashicorp"
      + parent_project_id = (known after apply)
      + priority          = false
      + workspace_ids     = (known after apply)
    }

  # tfe_variable_set.project_owned will be created
  + resource "tfe_variable_set" "project_owned" {
      + global            = false
      + id                = (known after apply)
      + name              = "project-owned-owned-varset"
      + organization      = "hashicorp"
      + parent_project_id = (known after apply)
      + priority          = false
      + workspace_ids     = (known after apply)
    }

Plan: 3 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + project_owned_data_source = {
      + description       = (known after apply)
      + global            = (known after apply)
      + id                = (known after apply)
      + name              = "project-owned-owned-varset"
      + organization      = "hashicorp"
      + parent_project_id = (known after apply)
      + priority          = (known after apply)
      + project_ids       = (known after apply)
      + variable_ids      = (known after apply)
      + workspace_ids     = (known after apply)
    }

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

tfe_variable_set.org_owned: Creating...
tfe_project.test_project: Creating...
tfe_variable_set.org_owned: Creation complete after 0s [id=varset-tQZf2cuVwDUc14CL]
tfe_project.test_project: Creation complete after 1s [id=prj-bkCFT1cRaJYXg5RT]
tfe_variable_set.project_owned: Creating...
tfe_variable_set.project_owned: Creation complete after 0s [id=varset-zHK2e1p1F6sHonrv]
data.tfe_variable_set.project_owned_data_source: Reading...
data.tfe_variable_set.project_owned_data_source: Read complete after 1s [id=varset-zHK2e1p1F6sHonrv]

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.

Outputs:

project_owned_data_source = {
  "description" = ""
  "global" = false
  "id" = "varset-zHK2e1p1F6sHonrv"
  "name" = "project-owned-owned-varset"
  "organization" = "hashicorp"
  "parent_project_id" = "prj-bkCFT1cRaJYXg5RT"
  "priority" = false
  "project_ids" = toset([])
  "variable_ids" = toset([])
  "workspace_ids" = toset([])
}

Updating a project-owned varset’s project_id

Note that the resource is destroyed and created with the new project_id.

-> % terraform apply
╷
│ Warning: Provider development overrides are in effect
│
│ The following provider development overrides are set in the CLI configuration:
│  - hashicorp/tfe in /Users/mkam/hashicorp/terraform-provider-tfe
│
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
data.tfe_organization.test: Reading...
data.tfe_organization.unified: Reading...
data.tfe_organization.unified: Read complete after 0s [id=55d75d5b-277a-44e0-b937-754c0520dc83]
data.tfe_organization.test: Read complete after 0s [id=org-uXyx3dqZekFuhw4B]
data.tfe_project.default_project: Reading...
tfe_project.test_project: Refreshing state... [id=prj-bkCFT1cRaJYXg5RT]
tfe_variable_set.org_owned: Refreshing state... [id=varset-tQZf2cuVwDUc14CL]
data.tfe_project.default_project: Read complete after 1s [id=prj-gKmEBeazgefwjaBE]
tfe_variable_set.project_owned: Refreshing state... [id=varset-zHK2e1p1F6sHonrv]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement
 <= read (data resources)

Terraform will perform the following actions:

  # data.tfe_variable_set.project_owned_data_source will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "tfe_variable_set" "project_owned_data_source" {
      + description       = (known after apply)
      + global            = (known after apply)
      + id                = (known after apply)
      + name              = "project-owned-owned-varset"
      + organization      = "hashicorp"
      + parent_project_id = (known after apply)
      + priority          = (known after apply)
      + project_ids       = (known after apply)
      + variable_ids      = (known after apply)
      + workspace_ids     = (known after apply)
    }

  # tfe_variable_set.project_owned must be replaced
-/+ resource "tfe_variable_set" "project_owned" {
      ~ id                = "varset-zHK2e1p1F6sHonrv" -> (known after apply)
        name              = "project-owned-owned-varset"
      ~ parent_project_id = "prj-bkCFT1cRaJYXg5RT" -> "prj-gKmEBeazgefwjaBE" # forces replacement
      ~ workspace_ids     = [] -> (known after apply)
        # (4 unchanged attributes hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Changes to Outputs:
  ~ project_owned_data_source = {
      ~ description       = "" -> (known after apply)
      ~ global            = false -> (known after apply)
      ~ id                = "varset-zHK2e1p1F6sHonrv" -> (known after apply)
        name              = "project-owned-owned-varset"
      ~ parent_project_id = "prj-bkCFT1cRaJYXg5RT" -> (known after apply)
      ~ priority          = false -> (known after apply)
      ~ project_ids       = [] -> (known after apply)
      ~ variable_ids      = [] -> (known after apply)
      ~ workspace_ids     = [] -> (known after apply)
        # (1 unchanged attribute hidden)
    }

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

tfe_variable_set.project_owned: Destroying... [id=varset-zHK2e1p1F6sHonrv]
tfe_variable_set.project_owned: Destruction complete after 1s
tfe_variable_set.project_owned: Creating...
tfe_variable_set.project_owned: Creation complete after 0s [id=varset-EQciAsw8NFYAdNUE]
data.tfe_variable_set.project_owned_data_source: Reading...
data.tfe_variable_set.project_owned_data_source: Read complete after 1s [id=varset-EQciAsw8NFYAdNUE]

Apply complete! Resources: 1 added, 0 changed, 1 destroyed.

Outputs:

project_owned_data_source = {
  "description" = ""
  "global" = false
  "id" = "varset-EQciAsw8NFYAdNUE"
  "name" = "project-owned-owned-varset"
  "organization" = "hashicorp"
  "parent_project_id" = "prj-gKmEBeazgefwjaBE"
  "priority" = false
  "project_ids" = toset([])
  "variable_ids" = toset([])
  "workspace_ids" = toset([])
}

Creating an invalid project-owned varset where global is set to true

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: global must be 'false' when setting parent_project_id
│
│   with tfe_variable_set.project_owned,
│   on main.tf line 29, in resource "tfe_variable_set" "project_owned":
│   29: resource "tfe_variable_set" "project_owned" {
│
╵

Output from acceptance tests

Tested against environment where beta feature is enabled:

-> % ENABLE_BETA=1 TESTARGS="-run TestAccTFEVariableSet" make testacc

TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFEVariableSet -timeout 15m
?   	github.com/hashicorp/terraform-provider-tfe	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-tfe/internal/client	0.887s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-tfe/internal/logging	0.882s [no tests to run]
?   	github.com/hashicorp/terraform-provider-tfe/internal/provider/validators	[no test files]
?   	github.com/hashicorp/terraform-provider-tfe/version	[no test files]
=== RUN   TestAccTFEVariableSetsDataSource_basic
--- PASS: TestAccTFEVariableSetsDataSource_basic (6.23s)
=== RUN   TestAccTFEVariableSetsDataSource_full
--- PASS: TestAccTFEVariableSetsDataSource_full (8.75s)
=== RUN   TestAccTFEVariableSetsDataSource_ProjectOwned
--- PASS: TestAccTFEVariableSetsDataSource_ProjectOwned (6.64s)
=== RUN   TestAccTFEVariableSet_basic
--- PASS: TestAccTFEVariableSet_basic (3.64s)
=== RUN   TestAccTFEVariableSet_full
--- PASS: TestAccTFEVariableSet_full (6.30s)
=== RUN   TestAccTFEVariableSet_update
--- PASS: TestAccTFEVariableSet_update (7.67s)
=== RUN   TestAccTFEVariableSet_import
--- PASS: TestAccTFEVariableSet_import (3.95s)
=== RUN   TestAccTFEVariableSet_project_owned
--- PASS: TestAccTFEVariableSet_project_owned (8.83s)
PASS
ok  	github.com/hashicorp/terraform-provider-tfe/internal/provider	52.936s

Also tested against environment where beta feature is disabled

-> % ENABLE_BETA=0 TESTARGS="-run TestAccTFEVariableSet" make testacc

TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFEVariableSet -timeout 15m
?   	github.com/hashicorp/terraform-provider-tfe	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-tfe/internal/client	(cached) [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-tfe/internal/logging	(cached) [no tests to run]
?   	github.com/hashicorp/terraform-provider-tfe/version	[no test files]
?   	github.com/hashicorp/terraform-provider-tfe/internal/provider/validators	[no test files]
=== RUN   TestAccTFEVariableSetsDataSource_basic
--- PASS: TestAccTFEVariableSetsDataSource_basic (6.99s)
=== RUN   TestAccTFEVariableSetsDataSource_full
--- PASS: TestAccTFEVariableSetsDataSource_full (8.62s)
=== RUN   TestAccTFEVariableSetsDataSource_ProjectOwned
    helper_test.go:226: Skipping test related to a HCP Terraform and Terraform Enterprise beta feature. Set ENABLE_BETA=1 to run.
--- SKIP: TestAccTFEVariableSetsDataSource_ProjectOwned (0.00s)
=== RUN   TestAccTFEVariableSet_basic
--- PASS: TestAccTFEVariableSet_basic (3.69s)
=== RUN   TestAccTFEVariableSet_full
--- PASS: TestAccTFEVariableSet_full (6.15s)
=== RUN   TestAccTFEVariableSet_update
--- PASS: TestAccTFEVariableSet_update (7.91s)
=== RUN   TestAccTFEVariableSet_import
--- PASS: TestAccTFEVariableSet_import (3.69s)
=== RUN   TestAccTFEVariableSet_project_owned
    helper_test.go:226: Skipping test related to a HCP Terraform and Terraform Enterprise beta feature. Set ENABLE_BETA=1 to run.
--- SKIP: TestAccTFEVariableSet_project_owned (0.00s)
PASS
ok  	github.com/hashicorp/terraform-provider-tfe/internal/provider	37.474s

Output from Documentation Preview

Resource

Data source

tfe_workspace_variable_set

tfe_project_variable_set

[jbonhag]

🎉 Looks terrific! Would you mind adding some documentation to the project_variable_set resource as well so we can alleviate any potential confusion between the resources? We should also add a note here about the difference between this parent_project_id and project_variable_set.

[jbonhag]

🙌

[mkam]

Changed for consistency with tfe_project_variable_set.

[jbonhag]

That makes sense, especially because making it consistent on the project side to read "Adds and removes variable sets from a project" could be ambiguous.

[mkam]

Not sure if adding both makes the example section too long, but I thought it would be valuable to make it clear that a project-owned varset doesn't necessarily/automatically apply itself to the project and that it can be scoped to workspaces.

[jbonhag]

Definitely, great idea to make that behavior clear.

[jbonhag]

Looks good! Thanks for the great examples.

[jbonhag]

Definitely, great idea to make that behavior clear.

[jbonhag]

That makes sense, especially because making it consistent on the project side to read "Adds and removes variable sets from a project" could be ambiguous.

[ctrombley]

Looks good, thanks!

[mkam]

Rebased to fix merge conflict with the Changelog, no other changes were made.