Add support for the custom project variable set permission #1565

Open: mkam wants to merge 5 commits into main

@mkam mkam commented Jan 14, 2025

Description

This PR adds variable_sets to the project_access of tfe_team_project_access, allowing users to set the project variable set permission of a team when access is set to custom.

This feature has not been released to GA yet, so I've labeled it as do not merge for now.

Testing plan

  1. Create a team and a project.
  2. Assign the team custom access and set variable_sets.
  3. Get the team project access as a data source and output it.
  4. Validate the expected output value for variable_sets.
  5. Validate in the UI or API that variable_sets is set to the expected value.

resource "tfe_project" "test" {
  name         = "TeamProjectVarSetProvider"
  organization = data.tfe_organization.test.name
}


resource "tfe_team" "custom" {
  name         = "custom-project-varset-permission-provider-team"
  organization = data.tfe_organization.test.name
}

resource "tfe_team_project_access" "custom" {
  access     = "custom"
  team_id    = tfe_team.custom.id
  project_id = tfe_project.test.id

  project_access {
    variable_sets = "write"
  }
}

data "tfe_team_project_access" "custom" {
  team_id    = tfe_team.custom.id
  project_id = tfe_project.test.id
  depends_on = [ tfe_team_project_access.custom ]
}

output "custom_team_project_access" {
  value = data.tfe_team_project_access.custom
  depends_on = [ data.tfe_team_project_access.custom ]
}

Setting the new permission

-> % terraform apply
╷
│ Warning: Provider development overrides are in effect
│
│ The following provider development overrides are set in the CLI configuration:
│  - hashicorp/tfe in /Users/mkam/hashicorp/terraform-provider-tfe
│
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
data.tfe_organization.test: Reading...
data.tfe_organization.test: Read complete after 0s [id=org-uXyx3dqZekFuhw4B]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # data.tfe_team_project_access.custom will be read during apply
  # (config refers to values not yet known)
 <= data "tfe_team_project_access" "custom" {
      + access           = (known after apply)
      + id               = (known after apply)
      + project_access   = (known after apply)
      + project_id       = (known after apply)
      + team_id          = (known after apply)
      + workspace_access = (known after apply)
    }

  # tfe_project.test will be created
  + resource "tfe_project" "test" {
      + id           = (known after apply)
      + name         = "TeamProjectVarSetProvider"
      + organization = "hashicorp"
    }

  # tfe_team.custom will be created
  + resource "tfe_team" "custom" {
      + allow_member_token_management = true
      + id                            = (known after apply)
      + name                          = "custom-project-varset-permission-provider-team"
      + organization                  = "hashicorp"
      + visibility                    = (known after apply)

      + organization_access {
          + access_secret_teams        = (known after apply)
          + manage_agent_pools         = (known after apply)
          + manage_membership          = (known after apply)
          + manage_modules             = (known after apply)
          + manage_organization_access = (known after apply)
          + manage_policies            = (known after apply)
          + manage_policy_overrides    = (known after apply)
          + manage_projects            = (known after apply)
          + manage_providers           = (known after apply)
          + manage_run_tasks           = (known after apply)
          + manage_teams               = (known after apply)
          + manage_vcs_settings        = (known after apply)
          + manage_workspaces          = (known after apply)
          + read_projects              = (known after apply)
          + read_workspaces            = (known after apply)
        }
    }

  # tfe_team_project_access.custom will be created
  + resource "tfe_team_project_access" "custom" {
      + access     = "custom"
      + id         = (known after apply)
      + project_id = (known after apply)
      + team_id    = (known after apply)

      + project_access {
          + settings      = (known after apply)
          + teams         = (known after apply)
          + variable_sets = "write"
        }

      + workspace_access {
          + create         = (known after apply)
          + delete         = (known after apply)
          + locking        = (known after apply)
          + move           = (known after apply)
          + run_tasks      = (known after apply)
          + runs           = (known after apply)
          + sentinel_mocks = (known after apply)
          + state_versions = (known after apply)
          + variables      = (known after apply)
        }
    }

Plan: 3 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + custom_team_project_access = {
      + access           = (known after apply)
      + id               = (known after apply)
      + project_access   = (known after apply)
      + project_id       = (known after apply)
      + team_id          = (known after apply)
      + workspace_access = (known after apply)
    }

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

tfe_project.test: Creating...
tfe_team.custom: Creating...
tfe_team.custom: Creation complete after 1s [id=team-UuMJNXYL9nyYzHgL]
tfe_project.test: Creation complete after 1s [id=prj-QBh7ydm2j6JVRkGD]
tfe_team_project_access.custom: Creating...
tfe_team_project_access.custom: Creation complete after 1s [id=tprj-U9kKxuebyxkuNtwA]
data.tfe_team_project_access.custom: Reading...
data.tfe_team_project_access.custom: Read complete after 0s [id=tprj-U9kKxuebyxkuNtwA]

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.

Outputs:

custom_team_project_access = {
  "access" = "custom"
  "id" = "tprj-U9kKxuebyxkuNtwA"
  "project_access" = tolist([
    {
      "settings" = "read"
      "teams" = "none"
      "variable_sets" = "write"
    },
  ])
  "project_id" = "prj-QBh7ydm2j6JVRkGD"
  "team_id" = "team-UuMJNXYL9nyYzHgL"
  "workspace_access" = tolist([
    {
      "create" = false
      "delete" = false
      "locking" = false
      "move" = false
      "run_tasks" = false
      "runs" = "read"
      "sentinel_mocks" = "none"
      "state_versions" = "none"
      "variables" = "none"
    },
  ])
}

Output from acceptance tests

-> % ENABLE_BETA=1 TESTARGS="-run TestAccTFETeamProject" make testacc
TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFETeamProject -timeout 15m
?   	github.com/hashicorp/terraform-provider-tfe	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-tfe/internal/client	(cached) [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-tfe/internal/logging	(cached) [no tests to run]
?   	github.com/hashicorp/terraform-provider-tfe/internal/provider/validators	[no test files]
?   	github.com/hashicorp/terraform-provider-tfe/version	[no test files]
=== RUN   TestAccTFETeamProjectAccessDataSource_basic
2025/01/14 14:03:09 [DEBUG] Configuring client for host "tfcdev-ac1517e2.ngrok.app"
2025/01/14 14:03:09 [DEBUG] Service discovery for tfcdev-ac1517e2.ngrok.app at https://tfcdev-ac1517e2.ngrok.app/.well-known/terraform.json
--- PASS: TestAccTFETeamProjectAccessDataSource_basic (9.38s)
=== RUN   TestAccTFETeamProjectCustomAccessDataSource_basic
--- PASS: TestAccTFETeamProjectCustomAccessDataSource_basic (8.35s)
=== RUN   TestAccTFETeamProjectCustomAccessDataSource_basic_with_project_variable_sets
--- PASS: TestAccTFETeamProjectCustomAccessDataSource_basic_with_project_variable_sets (8.27s)
=== RUN   TestAccTFETeamProjectAccess
--- PASS: TestAccTFETeamProjectAccess (24.48s)
=== RUN   TestAccTFETeamProjectCustomAccess
--- PASS: TestAccTFETeamProjectCustomAccess (6.38s)
=== RUN   TestAccTFETeamProjectCustomAccess_with_project_variable_sets
--- PASS: TestAccTFETeamProjectCustomAccess_with_project_variable_sets (6.32s)
=== RUN   TestAccTFETeamProjectAccess_import
--- PASS: TestAccTFETeamProjectAccess_import (6.46s)
=== RUN   TestAccTFETeamProjectCustomAccess_import
--- PASS: TestAccTFETeamProjectCustomAccess_import (6.55s)
=== RUN   TestAccTFETeamProjectCustomAccess_import_with_project_variable_set
--- PASS: TestAccTFETeamProjectCustomAccess_import_with_project_variable_set (6.58s)
=== RUN   TestAccTFETeamProjectCustomAccess_full_update
--- PASS: TestAccTFETeamProjectCustomAccess_full_update (9.26s)
=== RUN   TestAccTFETeamProjectCustomAccess_full_update_with_project_variable_sets
--- PASS: TestAccTFETeamProjectCustomAccess_full_update_with_project_variable_sets (9.28s)
=== RUN   TestAccTFETeamProjectCustomAccess_partial_update
--- PASS: TestAccTFETeamProjectCustomAccess_partial_update (8.85s)
=== RUN   TestAccTFETeamProjectCustomAccess_partial_update_with_project_variable_sets
--- PASS: TestAccTFETeamProjectCustomAccess_partial_update_with_project_variable_sets (9.65s)
=== RUN   TestAccTFETeamProjectCustomAccess_invalid_custom_access
--- PASS: TestAccTFETeamProjectCustomAccess_invalid_custom_access (0.27s)
PASS
ok  	github.com/hashicorp/terraform-provider-tfe/internal/provider	120.786s

Output from Documentation Preview

The doc-preview tool doesn't seem to support markdown tables, which is why the formatting looks off here.
[Two screenshots of the documentation preview: Screenshot 2025-01-13 at 10 44 46 AM, Screenshot 2025-01-13 at 10 45 06 AM]
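
A plan-time review gate for the permission this PR introduces, as an added example that is not part of the PR or the provider's code: it reads plan JSON in the layout of `terraform show -json` and reports every custom `tfe_team_project_access` grant whose `variable_sets` is `"write"` or still unknown until apply. The function name, the `approved` allow-list and every address except `tfe_team_project_access.custom` are assumptions, and the plan document is constructed.

```python
import json

# Constructed sample in the layout of `terraform show -json <planfile>`, trimmed
# to the fields this check reads. Only the "custom" address is from the PR.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "tfe_team_project_access.custom", "type": "tfe_team_project_access",
   "change": {"actions": ["create"],
     "after": {"access": "custom", "project_access": [{"variable_sets": "write"}]},
     "after_unknown": {"project_access": [{"settings": true, "teams": true}]}}},
  {"address": "tfe_team_project_access.readers", "type": "tfe_team_project_access",
   "change": {"actions": ["update"],
     "after": {"access": "custom", "project_access": [{"variable_sets": "read"}]},
     "after_unknown": {}}},
  {"address": "tfe_team_project_access.computed", "type": "tfe_team_project_access",
   "change": {"actions": ["create"],
     "after": {"access": "custom", "project_access": [{}]},
     "after_unknown": {"project_access": [{"variable_sets": true}]}}},
  {"address": "tfe_team_project_access.removed", "type": "tfe_team_project_access",
   "change": {"actions": ["delete"], "after": null, "after_unknown": {}}}
]}
""")

def variable_set_findings(plan, approved=frozenset()):
    """Return (address, reason) pairs for custom grants that need sign-off."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after")
        if rc.get("type") != "tfe_team_project_access" or after is None:
            continue  # other resource types and deletions grant nothing
        if after.get("access") != "custom" or rc["address"] in approved:
            continue  # hypothetical allow-list of addresses already reviewed
        blocks = after.get("project_access") or [{}]
        unknown = (change.get("after_unknown") or {}).get("project_access")
        if not isinstance(unknown, list):
            unknown = []
        for i, block in enumerate(blocks):
            unk = unknown[i] if i < len(unknown) and isinstance(unknown[i], dict) else {}
            if block.get("variable_sets") == "write":
                findings.append((rc["address"], "variable_sets = write"))
            elif unk.get("variable_sets"):
                # Value is computed at apply time, so the plan cannot prove it.
                findings.append((rc["address"], "variable_sets unknown until apply"))
    return findings

if __name__ == "__main__":
    for address, reason in variable_set_findings(SAMPLE_PLAN):
        print(f"REVIEW {address}: {reason}")
```
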

@mkam mkam force-pushed the mkam/TF-22971/team-project-access-variable-sets branch 3 times, most recently from f8200e2 to 7d32e18 Compare January 14, 2025 20:07

mkam commented Jan 14, 2025

The three test failures are also failing on main (ref):


=== Failed
=== FAIL: internal/provider TestAccTFEWorkspaceDataSource_readAutoDestroyDuration (3.68s)
    data_source_workspace_test.go:196: Step 2/2 error: Error running apply: exit status 1
        
        Error: Error updating workspace ws-meiEaCbBLNt7NKHj: invalid attribute
        
        Auto destroy activity duration workspace auto destroy duration must match project auto destroy duration, consider setting inherits_project_auto_destroy to false
        
          with tfe_workspace.foobar,
          on terraform_plugin_test.tf line 8, in resource "tfe_workspace" "foobar":
           8: resource "tfe_workspace" "foobar" {
        

=== FAIL: internal/provider TestAccTFEWorkspace_createWithAutoDestroyDuration (1.92s)
    resource_tfe_workspace_test.go:2745: Step 1/1 error: Error running apply: exit status 1
        
        Error: Error creating workspace workspace-test for organization tst-terraform-3874574571509827851: invalid attribute
        
        Auto destroy activity duration workspace auto destroy duration must match project auto destroy duration, consider setting inherits_project_auto_destroy to false
        
          with tfe_workspace.foobar,
          on terraform_plugin_test.tf line 8, in resource "tfe_workspace" "foobar":
           8: resource "tfe_workspace" "foobar" {
        

=== FAIL: internal/provider TestAccTFEWorkspace_updateWithAutoDestroyDuration (2.03s)
    resource_tfe_workspace_test.go:2764: Step 1/4 error: Error running apply: exit status 1
        
        Error: Error creating workspace workspace-test for organization tst-terraform-6126007935236601393: invalid attribute
        
        Auto destroy activity duration workspace auto destroy duration must match project auto destroy duration, consider setting inherits_project_auto_destroy to false
        
          with tfe_workspace.foobar,
          on terraform_plugin_test.tf line 8, in resource "tfe_workspace" "foobar":
           8: resource "tfe_workspace" "foobar" {
        

DONE 450 tests, 54 skipped, 3 failures in 1594.191s

@mkam mkam requested a review from a team January 14, 2025 20:39
@mkam mkam marked this pull request as ready for review January 14, 2025 20:40
@mkam mkam requested a review from a team as a code owner January 14, 2025 20:40
@mkam mkam force-pushed the mkam/TF-22971/team-project-access-variable-sets branch from 7d32e18 to c484634 Compare January 16, 2025 15:59