
TF-5569 add support for custom project permissions #983

Merged: rberecka merged 6 commits into main from TF-5569-add-support-for-custom-project-permissions on Aug 7, 2023

Conversation

@rberecka rberecka commented Aug 2, 2023

Description

With the release of customizable project permissions in TFC, we want people to be able to use the new permissions in their terraform configs as well. There are two types of customizable permissions that can be set on team_projects: project_access, which controls access to certain abilities on the project itself, and workspace_access permissions, which affect all workspaces inside of the project.

This pr:

  • Adds a new access level Custom option
  • Adds the ability to read/write/update/import the new access levels and the corresponding workspace_access and project_access permissions.
  • Makes it impossible to write config that has both a non-custom access level AND workspace_access and project_access permissions. This is done by using a CustomizeDiff function: checkForCustomPermissions. Due to some limitations of GetChange and GetOk (if it doesn't exist in the config, but still exists in state, the permission attributes didn't show up as empty) I had to also use the RawConfig function, which returns a cty.Value that I could scoop the actual value of the attribute from the actual config being processed for update.

Testing plan

  • Test you can create a team_project_access resource with access: "custom" and custom permissions set.

Example main.tf
terraform {
  required_providers {
    tfe = {
      version = "~> 0.46.0"
    }
  }
}

data "tfe_organization" "org" {
  name = "<name of org with business access>"
}

resource "tfe_team" "test_team" {
  name         = "a1team"
  organization = data.tfe_organization.org.name
}

resource "tfe_project" "test_project" {
  name         = "a1project"
  organization = data.tfe_organization.org.name
}

resource "tfe_team_project_access" "custom_foobar" {
  access     = "custom"
  team_id    = tfe_team.test_team.id
  project_id = tfe_project.test_project.id
  project_access {
    settings = "delete"
    teams    = "manage"
  }
  workspace_access {
    state_versions = "read"
    sentinel_mocks = "none"
    runs           = "apply"
    variables      = "write"
    create         = true
    locking        = true
    move           = true
    delete         = true
    run_tasks      = true
  }
}

  • Test that you can update the values of some of the permissions
  • Test that if you change access to read with the project_access and workspace_access sets that you get an error
  • Test that you can change access to read, remove the project_access and workspace_access sections, and successfully apply the update. The values of the permissions in the state file should also be updated to match the implied permissions (the easiest way to see that working is to update again to admin access -- you should then see permissions to do ALL the things vs. what you see for read, but you can also check the docs for those)
  • Test that you can import a team_project_access data source of a team_project that already exists
data "tfe_team_project_access" "tpa" {
  team_id    = "team-a3LLXuFdT6uBj53m"
  project_id = "prj-nevQrQZiVvyc8bpr"
}
  • Test that you can destroy the team_project_access resources that you've made

External links

Output from acceptance tests

TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFETeamProjectCustomAccess -timeout 15m
?       github.com/hashicorp/terraform-provider-tfe     [no test files]
?       github.com/hashicorp/terraform-provider-tfe/version     [no test files]
=== RUN   TestAccTFETeamProjectCustomAccessDataSource_basic
2023/08/03 11:07:57 [DEBUG] Configuring client for host "tfcdev-3519dce5.ngrok.io"
2023/08/03 11:07:57 [ERROR] Error reading CLI config or credentials file /Users/rachaelberecka/.terraformrc: open /Users/rachaelberecka/.terraformrc: no such file or directory
2023/08/03 11:07:57 [DEBUG] Service discovery for tfcdev-3519dce5.ngrok.io at https://tfcdev-3519dce5.ngrok.io/.well-known/terraform.json
--- PASS: TestAccTFETeamProjectCustomAccessDataSource_basic (19.36s)
=== RUN   TestAccTFETeamProjectCustomAccess
--- PASS: TestAccTFETeamProjectCustomAccess (16.39s)
=== RUN   TestAccTFETeamProjectCustomAccess_import
--- PASS: TestAccTFETeamProjectCustomAccess_import (17.42s)
=== RUN   TestAccTFETeamProjectCustomAccess_full_update
--- PASS: TestAccTFETeamProjectCustomAccess_full_update (20.34s)
=== RUN   TestAccTFETeamProjectCustomAccess_partial_update
--- PASS: TestAccTFETeamProjectCustomAccess_partial_update (20.97s)
=== RUN   TestAccTFETeamProjectCustomAccess_invalid_custom_access
--- PASS: TestAccTFETeamProjectCustomAccess_invalid_custom_access (1.97s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/tfe 97.006s
$ TFE_HOSTNAME=<tfcdev>TFE_TOKEN=<user token on owner's team in org>="-run TestAccTFETeamProjectCustomAccess" make testacc
...

Example outputs from plans/applies

Here's the output of a create plan & apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # tfe_project.test_project will be created
  + resource "tfe_project" "test_project" {
      + id           = (known after apply)
      + name         = "a1project"
      + organization = "hashicorp"
    }

  # tfe_team.test_team will be created
  + resource "tfe_team" "test_team" {
      + id           = (known after apply)
      + name         = "a1team"
      + organization = "hashicorp"
      + visibility   = "secret"

      + organization_access {
          + manage_membership       = (known after apply)
          + manage_modules          = (known after apply)
          + manage_policies         = (known after apply)
          + manage_policy_overrides = (known after apply)
          + manage_projects         = (known after apply)
          + manage_providers        = (known after apply)
          + manage_run_tasks        = (known after apply)
          + manage_vcs_settings     = (known after apply)
          + manage_workspaces       = (known after apply)
          + read_projects           = (known after apply)
          + read_workspaces         = (known after apply)
        }
    }

  # tfe_team_project_access.custom_foobar will be created
  + resource "tfe_team_project_access" "custom_foobar" {
      + access     = "custom"
      + id         = (known after apply)
      + project_id = (known after apply)
      + team_id    = (known after apply)

      + project_access {
          + settings = "delete"
          + teams    = "manage"
        }

      + workspace_access {
          + create         = false
          + delete         = true
          + locking        = false
          + move           = false
          + run_tasks      = true
          + runs           = "apply"
          + sentinel_mocks = "read"
          + state_versions = "write"
          + variables      = "read"
        }
    }

Plan: 3 to add, 0 to change, 0 to destroy.

first apply


Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

tfe_team.test_team: Creating...
tfe_project.test_project: Creating...
tfe_team.test_team: Creation complete after 0s [id=team-fySqgKuUviv6q3iY]
tfe_project.test_project: Creation complete after 0s [id=prj-k8bhRZevJuY23gjh]
tfe_team_project_access.custom_foobar: Creating...
tfe_team_project_access.custom_foobar: Creation complete after 1s [id=tprj-R7FXUdKiDKUp9XuR]

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.

Example state from the team_project_access data source:

    {
      "mode": "data",
      "type": "tfe_team_project_access",
      "name": "tpa",
      "provider": "provider[\"registry.terraform.io/hashicorp/tfe\"]",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "access": "custom",
            "id": "tprj-QbvzFkZVe86aGJDu",
            "project_access": [
              {
                "settings": "delete",
                "teams": "manage"
              }
            ],
            "project_id": "prj-nevQrQZiVvyc8bpr",
            "team_id": "team-a3LLXuFdT6uBj53m",
            "workspace_access": [
              {
                "create": true,
                "delete": true,
                "locking": true,
                "move": true,
                "run_tasks": true,
                "runs": "apply",
                "sentinel_mocks": "read",
                "state_versions": "write",
                "variables": "write"
              }
            ]
          },
          "sensitive_attributes": []
        }
      ]
    }

Docs update Preview


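The config-vs-state subtlety the description mentions (GetOk and GetChange seeing permission blocks that only survive in state, so the check has to read RawConfig) is easy to get wrong, so here is an added example that is not the provider's code and not part of this PR. It models the CustomizeDiff rule in plain Go with no SDK dependency: the raw config and the prior state are assumed to be plain maps keyed by attribute name (a stand-in for the cty.Value from RawConfig and for the ResourceDiff view), and CheckForCustomPermissions, MergedView and the sample maps are this example's own names and constructed data.

```go
package main

import (
	"fmt"
	"sort"
)

// The two nested blocks that are only valid together with access = "custom".
var customPermissionBlocks = []string{"project_access", "workspace_access"}

// IsCustomAccess reports whether an access level permits explicit permission blocks.
func IsCustomAccess(access string) bool {
	return access == "custom"
}

// CheckForCustomPermissions models the rule the PR's CustomizeDiff enforces:
// a non-custom access level must not be combined with project_access or
// workspace_access blocks. The argument stands in for the raw config the user
// wrote (what RawConfig exposes in the SDK), keyed by attribute name; that is
// an assumption of this example, not the provider's real data structure.
// A nil or absent block counts as "not written in the config".
func CheckForCustomPermissions(rawConfig map[string]any) error {
	access, _ := rawConfig["access"].(string)
	if IsCustomAccess(access) {
		return nil
	}
	var offending []string
	for _, block := range customPermissionBlocks {
		if v, ok := rawConfig[block]; ok && v != nil {
			offending = append(offending, block)
		}
	}
	if len(offending) == 0 {
		return nil
	}
	sort.Strings(offending)
	return fmt.Errorf("access is %q but the config also sets %v; remove those blocks or set access = \"custom\"", access, offending)
}

// MergedView simulates what a GetOk-style lookup sees: attributes the config
// omits are filled in from prior state. It exists only to show why the check
// has to read the raw config instead of the merged diff.
func MergedView(state, rawConfig map[string]any) map[string]any {
	merged := make(map[string]any, len(state)+len(rawConfig))
	for k, v := range state {
		merged[k] = v
	}
	for k, v := range rawConfig {
		merged[k] = v
	}
	return merged
}

func main() {
	// Constructed sample: state after a previous apply with access = "custom".
	state := map[string]any{
		"access":           "custom",
		"project_access":   map[string]any{"settings": "delete", "teams": "manage"},
		"workspace_access": map[string]any{"runs": "apply", "variables": "write"},
	}
	// The user then changes access to "read" and deletes both blocks from main.tf.
	rawConfig := map[string]any{"access": "read"}

	fmt.Println("raw config check:", CheckForCustomPermissions(rawConfig))
	fmt.Println("merged view check:", CheckForCustomPermissions(MergedView(state, rawConfig)))

	// The configuration the PR is meant to reject: non-custom access plus a block.
	bad := map[string]any{
		"access":         "read",
		"project_access": map[string]any{"settings": "delete"},
	}
	fmt.Println("invalid config check:", CheckForCustomPermissions(bad))
}
```

The merged view still carries the old project_access and workspace_access values from state, so a check written against it would reject the perfectly valid "switch to read and drop the blocks" update; only the raw config distinguishes "omitted by the user" from "carried over from state", which is the distinction the PR's checkForCustomPermissions needs.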
@rberecka rberecka force-pushed the TF-5569-add-support-for-custom-project-permissions branch from 0c74055 to ef04961 Compare August 2, 2023 21:57
@rberecka rberecka marked this pull request as ready for review August 3, 2023 20:44
@rberecka rberecka requested a review from a team as a code owner August 3, 2023 20:44
@sebasslash sebasslash left a comment

First off awesome work @rberecka -- This code has my approval ✅ , but I have not yet smoke tested. I'd like to test how this resource responds to drift.

Can't approve nor merge until go.mod points to a go-tfe release.

* Add customizable project level permissions in dataSourceTFETeamProjectAccess
* Add customizable project level permission in resourceTFETeamProjectAccess

Custom project access permissions allow setting various customizable
permissions at the project level and permissions that are applied to all
workspaces in a project.
@rberecka rberecka force-pushed the TF-5569-add-support-for-custom-project-permissions branch from 04de038 to 75e20f5 Compare August 3, 2023 21:33
@sebasslash sebasslash left a comment

🚀 We can always clean up the changelog upon release. Can you squash the commits when you merge?

Co-authored-by: Sebastian Rivera <sebastian.rivera@hashicorp.com>
@sebasslash sebasslash left a comment

Double 🚀

@rberecka rberecka merged commit b9656c1 into main Aug 7, 2023
9 checks passed
@rberecka rberecka deleted the TF-5569-add-support-for-custom-project-permissions branch August 7, 2023 18:16