Add support for the custom project variable set permission #1565

Merged
merged 4 commits into from
Feb 5, 2025

@mkam mkam commented Jan 14, 2025

Description

This PR adds variable_sets to the project_access of tfe_team_project_access, allowing users to set the project variable set permission of a team when access is set to custom.

This feature has not been released to GA yet, so I've labeled it as do not merge for now.

Remember to:

Testing plan

  1. Create a team and a project.
  2. Assign the team custom access and set variable_sets.
  3. Get the team project access as a data source and output it.
  4. Validate for the expected outputted value for variable_sets.
  5. Validate in the UI or API that variable_sets is set to the expected value.
resource "tfe_project" "test" {
  name         = "TeamProjectVarSetProvider"
  organization = data.tfe_organization.test.name
}


resource "tfe_team" "custom" {
  name         = "custom-project-varset-permission-provider-team"
  organization = data.tfe_organization.test.name
}

resource "tfe_team_project_access" "custom" {
  access     = "custom"
  team_id    = tfe_team.custom.id
  project_id = tfe_project.test.id

  project_access {
    variable_sets = "write"
  }
}

data "tfe_team_project_access" "custom" {
  team_id    = tfe_team.custom.id
  project_id = tfe_project.test.id
  depends_on = [ tfe_team_project_access.custom ]
}

output "custom_team_project_access" {
  value = data.tfe_team_project_access.custom
  depends_on = [ data.tfe_team_project_access.custom ]
}
Setting the new permission
-> % terraform apply
╷
│ Warning: Provider development overrides are in effect
│
│ The following provider development overrides are set in the CLI configuration:
│  - hashicorp/tfe in /Users/mkam/hashicorp/terraform-provider-tfe
│
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
data.tfe_organization.test: Reading...
data.tfe_organization.test: Read complete after 0s [id=org-uXyx3dqZekFuhw4B]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # data.tfe_team_project_access.custom will be read during apply
  # (config refers to values not yet known)
 <= data "tfe_team_project_access" "custom" {
      + access           = (known after apply)
      + id               = (known after apply)
      + project_access   = (known after apply)
      + project_id       = (known after apply)
      + team_id          = (known after apply)
      + workspace_access = (known after apply)
    }

  # tfe_project.test will be created
  + resource "tfe_project" "test" {
      + id           = (known after apply)
      + name         = "TeamProjectVarSetProvider"
      + organization = "hashicorp"
    }

  # tfe_team.custom will be created
  + resource "tfe_team" "custom" {
      + allow_member_token_management = true
      + id                            = (known after apply)
      + name                          = "custom-project-varset-permission-provider-team"
      + organization                  = "hashicorp"
      + visibility                    = (known after apply)

      + organization_access {
          + access_secret_teams        = (known after apply)
          + manage_agent_pools         = (known after apply)
          + manage_membership          = (known after apply)
          + manage_modules             = (known after apply)
          + manage_organization_access = (known after apply)
          + manage_policies            = (known after apply)
          + manage_policy_overrides    = (known after apply)
          + manage_projects            = (known after apply)
          + manage_providers           = (known after apply)
          + manage_run_tasks           = (known after apply)
          + manage_teams               = (known after apply)
          + manage_vcs_settings        = (known after apply)
          + manage_workspaces          = (known after apply)
          + read_projects              = (known after apply)
          + read_workspaces            = (known after apply)
        }
    }

  # tfe_team_project_access.custom will be created
  + resource "tfe_team_project_access" "custom" {
      + access     = "custom"
      + id         = (known after apply)
      + project_id = (known after apply)
      + team_id    = (known after apply)

      + project_access {
          + settings      = (known after apply)
          + teams         = (known after apply)
          + variable_sets = "write"
        }

      + workspace_access {
          + create         = (known after apply)
          + delete         = (known after apply)
          + locking        = (known after apply)
          + move           = (known after apply)
          + run_tasks      = (known after apply)
          + runs           = (known after apply)
          + sentinel_mocks = (known after apply)
          + state_versions = (known after apply)
          + variables      = (known after apply)
        }
    }

Plan: 3 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + custom_team_project_access = {
      + access           = (known after apply)
      + id               = (known after apply)
      + project_access   = (known after apply)
      + project_id       = (known after apply)
      + team_id          = (known after apply)
      + workspace_access = (known after apply)
    }

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

tfe_project.test: Creating...
tfe_team.custom: Creating...
tfe_team.custom: Creation complete after 1s [id=team-UuMJNXYL9nyYzHgL]
tfe_project.test: Creation complete after 1s [id=prj-QBh7ydm2j6JVRkGD]
tfe_team_project_access.custom: Creating...
tfe_team_project_access.custom: Creation complete after 1s [id=tprj-U9kKxuebyxkuNtwA]
data.tfe_team_project_access.custom: Reading...
data.tfe_team_project_access.custom: Read complete after 0s [id=tprj-U9kKxuebyxkuNtwA]

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.

Outputs:

custom_team_project_access = {
  "access" = "custom"
  "id" = "tprj-U9kKxuebyxkuNtwA"
  "project_access" = tolist([
    {
      "settings" = "read"
      "teams" = "none"
      "variable_sets" = "write"
    },
  ])
  "project_id" = "prj-QBh7ydm2j6JVRkGD"
  "team_id" = "team-UuMJNXYL9nyYzHgL"
  "workspace_access" = tolist([
    {
      "create" = false
      "delete" = false
      "locking" = false
      "move" = false
      "run_tasks" = false
      "runs" = "read"
      "sentinel_mocks" = "none"
      "state_versions" = "none"
      "variables" = "none"
    },
  ])
}

Screenshot 2025-01-21 at 11 57 37 AM

Output from acceptance tests

-> % ENABLE_BETA=1 TESTARGS="-run TestAccTFETeamProject" make testacc
TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFETeamProject -timeout 15m
?   	github.com/hashicorp/terraform-provider-tfe	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-tfe/internal/client	(cached) [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-tfe/internal/logging	(cached) [no tests to run]
?   	github.com/hashicorp/terraform-provider-tfe/internal/provider/validators	[no test files]
?   	github.com/hashicorp/terraform-provider-tfe/version	[no test files]
=== RUN   TestAccTFETeamProjectAccessDataSource_basic
2025/01/14 14:03:09 [DEBUG] Configuring client for host "tfcdev-ac1517e2.ngrok.app"
2025/01/14 14:03:09 [DEBUG] Service discovery for tfcdev-ac1517e2.ngrok.app at https://tfcdev-ac1517e2.ngrok.app/.well-known/terraform.json
--- PASS: TestAccTFETeamProjectAccessDataSource_basic (9.38s)
=== RUN   TestAccTFETeamProjectCustomAccessDataSource_basic
--- PASS: TestAccTFETeamProjectCustomAccessDataSource_basic (8.35s)
=== RUN   TestAccTFETeamProjectCustomAccessDataSource_basic_with_project_variable_sets
--- PASS: TestAccTFETeamProjectCustomAccessDataSource_basic_with_project_variable_sets (8.27s)
=== RUN   TestAccTFETeamProjectAccess
--- PASS: TestAccTFETeamProjectAccess (24.48s)
=== RUN   TestAccTFETeamProjectCustomAccess
--- PASS: TestAccTFETeamProjectCustomAccess (6.38s)
=== RUN   TestAccTFETeamProjectCustomAccess_with_project_variable_sets
--- PASS: TestAccTFETeamProjectCustomAccess_with_project_variable_sets (6.32s)
=== RUN   TestAccTFETeamProjectAccess_import
--- PASS: TestAccTFETeamProjectAccess_import (6.46s)
=== RUN   TestAccTFETeamProjectCustomAccess_import
--- PASS: TestAccTFETeamProjectCustomAccess_import (6.55s)
=== RUN   TestAccTFETeamProjectCustomAccess_import_with_project_variable_set
--- PASS: TestAccTFETeamProjectCustomAccess_import_with_project_variable_set (6.58s)
=== RUN   TestAccTFETeamProjectCustomAccess_full_update
--- PASS: TestAccTFETeamProjectCustomAccess_full_update (9.26s)
=== RUN   TestAccTFETeamProjectCustomAccess_full_update_with_project_variable_sets
--- PASS: TestAccTFETeamProjectCustomAccess_full_update_with_project_variable_sets (9.28s)
=== RUN   TestAccTFETeamProjectCustomAccess_partial_update
--- PASS: TestAccTFETeamProjectCustomAccess_partial_update (8.85s)
=== RUN   TestAccTFETeamProjectCustomAccess_partial_update_with_project_variable_sets
--- PASS: TestAccTFETeamProjectCustomAccess_partial_update_with_project_variable_sets (9.65s)
=== RUN   TestAccTFETeamProjectCustomAccess_invalid_custom_access
--- PASS: TestAccTFETeamProjectCustomAccess_invalid_custom_access (0.27s)
PASS
ok  	github.com/hashicorp/terraform-provider-tfe/internal/provider	120.786s

Output from Documentation Preview

The doc-preview tool doesn't seem to support markdown tables, which is why the formatting looks off here.
Screenshot 2025-01-13 at 10 44 46 AM
Screenshot 2025-01-13 at 10 45 06 AM

@mkam mkam force-pushed the mkam/TF-22971/team-project-access-variable-sets branch 3 times, most recently from f8200e2 to 7d32e18 Compare January 14, 2025 20:07
@mkam mkam requested a review from a team January 14, 2025 20:39
@mkam mkam marked this pull request as ready for review January 14, 2025 20:40
@mkam mkam requested a review from a team as a code owner January 14, 2025 20:40
@mkam mkam force-pushed the mkam/TF-22971/team-project-access-variable-sets branch from 7d32e18 to c484634 Compare January 16, 2025 15:59
@@ -26,7 +25,7 @@ func TestAccTFETeamProjectAccess(t *testing.T) {
CheckDestroy: testAccCheckTFETeamProjectAccessDestroy,
Steps: []resource.TestStep{
{
Config: testAccTFETeamProjectAccess(rInt, access),
Config: testAccTFETeamProjectAccess(rand.New(rand.NewSource(time.Now().UnixNano())).Int(), access),
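
Review bot: The new Config line builds the random integer inline, `rand.New(rand.NewSource(time.Now().UnixNano())).Int()`, so the value is no longer bound to a name and nothing else in TestAccTFETeamProjectAccess (a later step, a check, or a failure message) can refer to the suffix that was actually used. Keeping a local such as `rInt := rand.New(rand.NewSource(time.Now().UnixNano())).Int()` and passing `rInt` to testAccTFETeamProjectAccess gives the same per-run uniqueness and leaves the value available for logging when a name collision does occur.
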
@mkam mkam Jan 21, 2025

I made this change because it otherwise wasn't passing for me locally. It would fail because the organization name (which is based on this random integer) already exists from the previous test case run.

Not sure why it was failing locally but not in CI, though! The change seemed simple enough that I didn't bother digging any further.

Contributor

Weird, seems like the cleanup call has time to finish in CI but not locally. In any case this change is fine with me.

@@ -157,7 +157,7 @@ func (r *resourceTFEStack) Create(ctx context.Context, req resource.CreateReques

options := tfe.StackCreateOptions{
Name: plan.Name.ValueString(),
VCSRepo: &tfe.StackVCSRepo{
VCSRepo: &tfe.StackVCSRepoOptions{
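
Review bot: The switch from `tfe.StackVCSRepo` to `tfe.StackVCSRepoOptions` in resourceTFEStack.Create is unrelated to the variable_sets permission and carries no explanation in the hunk itself; it would be easier to review and to revert as its own commit, or with a short code comment saying why the type changed. It is also worth confirming that every other place that fills a VCSRepo field on stack options uses the new type, since only Create is visible here.
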
Contributor Author

This change was required as part of updating go-tfe to 1.74.0.

Maed223 previously approved these changes Jan 21, 2025

@Maed223 Maed223 left a comment

Changes are looking good! Feel free to merge when GA

netramali previously approved these changes Jan 23, 2025
workspace_access {
state_versions = "write"
sentinel_mocks = "read"
runs = "apply"
Contributor

nit: spacing

hs26gill previously approved these changes Jan 23, 2025

@hs26gill hs26gill left a comment

Looking good!

@mkam mkam dismissed stale reviews from hs26gill, netramali, and Maed223 via c722cb2 January 23, 2025 17:58
@mkam mkam force-pushed the mkam/TF-22971/team-project-access-variable-sets branch from c484634 to c722cb2 Compare January 23, 2025 17:58
mkam commented Jan 23, 2025

Rebased to fix merge conflict with changelog and fixed a few spacing/formatting issues while I was at it. No changes otherwise.

jbonhag previously approved these changes Jan 23, 2025

@jbonhag jbonhag left a comment

Tested it out locally, works great! 👍

@mkam mkam force-pushed the mkam/TF-22971/team-project-access-variable-sets branch from c722cb2 to 14a92c6 Compare February 4, 2025 20:35
mkam commented Feb 4, 2025

Rebased to fix merge conflicts with go.mod and the changelog. No changes otherwise.

@mkam mkam requested review from Maed223, netramali and jbonhag February 4, 2025 21:56
@mkam mkam requested a review from hs26gill February 5, 2025 18:42
@mkam mkam removed the DO NOT MERGE label Feb 5, 2025
@brandonc brandonc left a comment

👍

@mkam mkam merged commit b6a2998 into main Feb 5, 2025
5 checks passed
@mkam mkam deleted the mkam/TF-22971/team-project-access-variable-sets branch February 5, 2025 19:00