terraform-provider-tfe
Manage workspace access declaratively
The tfe_team_access resource allows managing the access of a single team, but there is currently no way to declaratively manage all access to a workspace.
Proposal:
Add a resource, perhaps tfe_workspace_access, with repeatable blocks that define all the team access grants for a workspace. When this resource is applied, any existing grants that are not defined as part of the resource get removed.
Using this would be mutually exclusive with use of tfe_team_access, akin to google_project_iam_policy vs google_project_iam_member.
Oh, this is a nasty issue... Hope to see a fix soonish...
Note that sadly there is no direct platform equivalent of Google IAM policies in Terraform Cloud/Enterprise, only direct connections to teams (like Google IAM members). I believe this would require a feature in TFC itself or an argument to r/tfe_workspace directly to declare relationships to teams, and likely not its own resource (like an IAM policy).
Thank you for the explanation @chrisarcand.
@eriksw have you found a workaround for this...?
The only possible workaround would be some awful exec resource to run a script that removes undesired access.
Because this is kind of an essential function (preventing ACL drift), it makes more sense for this provider to implement it on top of whatever APIs do exist, instead of forcing users to independently cobble together some anti-drift auditing/enforcement on their own.
I don't care whether it's by moving access into tfe_workspace or by adding a new resource.
The oddly related flip side of this is that there is no data source to look up all the teams that currently have access to a workspace. You have to already know each team and each workspace ID to use the tfe_team_access data source, which seems very limited. Being able to output all the current team access for a particular workspace would be quite helpful.
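An ACL drift check of the kind the thread is asking for, written as an added example (not code from the issue or the provider): it reads the list of team grants for one workspace, which the comment above says no data source exposes, and reports grants that differ from a declared set instead of removing anything. The payload is constructed here in the shape of the TFE Team Access API list response (GET /api/v2/team-workspaces filtered by workspace); the team and grant IDs are placeholders.

```python
import json

# Constructed sample payload modelled on the team-workspaces list response.
# IDs are placeholders, not values from the issue thread. Pagination and
# "custom" access levels (per-permission attributes) are not handled here.
SAMPLE_RESPONSE = json.dumps({
    "data": [
        {"id": "tws-1", "type": "team-workspaces",
         "attributes": {"access": "write"},
         "relationships": {"team": {"data": {"id": "team-platform", "type": "teams"}}}},
        {"id": "tws-2", "type": "team-workspaces",
         "attributes": {"access": "read"},
         "relationships": {"team": {"data": {"id": "team-audit", "type": "teams"}}}},
        {"id": "tws-3", "type": "team-workspaces",
         "attributes": {"access": "admin"},
         "relationships": {"team": {"data": {"id": "team-contractor", "type": "teams"}}}},
    ]
})

# The declared grants for this workspace (hypothetical; what a
# tfe_workspace_access-style resource would hold).
DESIRED = {"team-platform": "write", "team-audit": "plan", "team-secops": "read"}


def current_grants(response_json):
    """Map team id -> access level from a team-workspaces API payload."""
    grants = {}
    for item in json.loads(response_json)["data"]:
        team_id = item["relationships"]["team"]["data"]["id"]
        grants[team_id] = item["attributes"]["access"]
    return grants


def acl_drift(current, desired):
    """Compare live grants with the declared set.

    Returns (unexpected, missing, changed):
      unexpected: teams holding access that are not declared at all
      missing:    declared teams with no grant on the workspace
      changed:    declared teams whose level differs, team -> (live, wanted)
    """
    unexpected = sorted(set(current) - set(desired))
    missing = sorted(set(desired) - set(current))
    changed = {t: (current[t], desired[t]) for t in desired
               if t in current and current[t] != desired[t]}
    return unexpected, missing, changed


if __name__ == "__main__":
    print(acl_drift(current_grants(SAMPLE_RESPONSE), DESIRED))
```

A non-empty "unexpected" list is the case the thread calls ACL drift; surfacing it in CI or a scheduled job gives the audit signal without an exec-style resource that mutates access.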