Add manage permissions to team org access

CHANGELOG.md

@@ -11,6 +11,7 @@ FEATURES:
 * `d/tfe_oauth_client`: Add `organization_scoped` attribute, by @Netra2104 [1148](https://github.com/hashicorp/terraform-provider-tfe/pull/1148)
 * **New Resource**: `r/tfe_project_oauth_client` attaches/detaches an existing `project` to an existing `oauth client`, by @Netra2104 [1144](https://github.com/hashicorp/terraform-provider-tfe/pull/1144)
 * **New Resource**: `r/tfe_test_variable` is a new resource for creating environment variables used by registry modules for terraform test, by @aaabdelgany [1285](https://github.com/hashicorp/terraform-provider-tfe/pull/1285)
+* `r/tfe_team`: Add attributes `manage_teams`, `manage_organization_access`, and `access_secret_teams` to `organization_access` on `tfe_team` by @juliannatetreault [#1313](https://github.com/hashicorp/terraform-provider-tfe/pull/1313)
 
 BUG FIXES:
 * `r/tfe_organization_default_settings`: Fix import resource address documentation by @Uk1288 [#1324](https://github.com/hashicorp/terraform-provider-tfe/pull/1324)

internal/provider/resource_tfe_team.go

@@ -105,6 +105,21 @@ func resourceTFETeam() *schema.Resource {
 							Optional: true,
 							Default:  false,
 						},
+						"manage_teams": {
+							Type:     schema.TypeBool,
+							Optional: true,
+							Default:  false,
+						},
+						"manage_organization_access": {
+							Type:     schema.TypeBool,
+							Optional: true,
+							Default:  false,
+						},
+						"access_secret_teams": {
+							Type:     schema.TypeBool,
+							Optional: true,
+							Default:  false,
+						},
 					},
 				},
 			},
@@ -144,17 +159,20 @@ func resourceTFETeamCreate(d *schema.ResourceData, meta interface{}) error {
 		organizationAccess := v.([]interface{})[0].(map[string]interface{})
 
 		options.OrganizationAccess = &tfe.OrganizationAccessOptions{
-			ManagePolicies:        tfe.Bool(organizationAccess["manage_policies"].(bool)),
-			ManagePolicyOverrides: tfe.Bool(organizationAccess["manage_policy_overrides"].(bool)),
-			ManageWorkspaces:      tfe.Bool(organizationAccess["manage_workspaces"].(bool)),
-			ManageVCSSettings:     tfe.Bool(organizationAccess["manage_vcs_settings"].(bool)),
-			ManageProviders:       tfe.Bool(organizationAccess["manage_providers"].(bool)),
-			ManageModules:         tfe.Bool(organizationAccess["manage_modules"].(bool)),
-			ManageRunTasks:        tfe.Bool(organizationAccess["manage_run_tasks"].(bool)),
-			ManageProjects:        tfe.Bool(organizationAccess["manage_projects"].(bool)),
-			ReadWorkspaces:        tfe.Bool(organizationAccess["read_workspaces"].(bool)),
-			ReadProjects:          tfe.Bool(organizationAccess["read_projects"].(bool)),
-			ManageMembership:      tfe.Bool(organizationAccess["manage_membership"].(bool)),
+			ManagePolicies:           tfe.Bool(organizationAccess["manage_policies"].(bool)),
+			ManagePolicyOverrides:    tfe.Bool(organizationAccess["manage_policy_overrides"].(bool)),
+			ManageWorkspaces:         tfe.Bool(organizationAccess["manage_workspaces"].(bool)),
+			ManageVCSSettings:        tfe.Bool(organizationAccess["manage_vcs_settings"].(bool)),
+			ManageProviders:          tfe.Bool(organizationAccess["manage_providers"].(bool)),
+			ManageModules:            tfe.Bool(organizationAccess["manage_modules"].(bool)),
+			ManageRunTasks:           tfe.Bool(organizationAccess["manage_run_tasks"].(bool)),
+			ManageProjects:           tfe.Bool(organizationAccess["manage_projects"].(bool)),
+			ReadWorkspaces:           tfe.Bool(organizationAccess["read_workspaces"].(bool)),
+			ReadProjects:             tfe.Bool(organizationAccess["read_projects"].(bool)),
+			ManageMembership:         tfe.Bool(organizationAccess["manage_membership"].(bool)),
+			ManageTeams:              tfe.Bool(organizationAccess["manage_teams"].(bool)),
+			ManageOrganizationAccess: tfe.Bool(organizationAccess["manage_organization_access"].(bool)),
+			AccessSecretTeams:        tfe.Bool(organizationAccess["access_secret_teams"].(bool)),
 		}
 	}
 
@@ -204,17 +222,20 @@ func resourceTFETeamRead(d *schema.ResourceData, meta interface{}) error {
 	d.Set("name", team.Name)
 	if team.OrganizationAccess != nil {
 		organizationAccess := []map[string]bool{{
-			"manage_policies":         team.OrganizationAccess.ManagePolicies,
-			"manage_policy_overrides": team.OrganizationAccess.ManagePolicyOverrides,
-			"manage_workspaces":       team.OrganizationAccess.ManageWorkspaces,
-			"manage_vcs_settings":     team.OrganizationAccess.ManageVCSSettings,
-			"manage_providers":        team.OrganizationAccess.ManageProviders,
-			"manage_modules":          team.OrganizationAccess.ManageModules,
-			"manage_run_tasks":        team.OrganizationAccess.ManageRunTasks,
-			"manage_projects":         team.OrganizationAccess.ManageProjects,
-			"read_projects":           team.OrganizationAccess.ReadProjects,
-			"read_workspaces":         team.OrganizationAccess.ReadWorkspaces,
-			"manage_membership":       team.OrganizationAccess.ManageMembership,
+			"manage_policies":            team.OrganizationAccess.ManagePolicies,
+			"manage_policy_overrides":    team.OrganizationAccess.ManagePolicyOverrides,
+			"manage_workspaces":          team.OrganizationAccess.ManageWorkspaces,
+			"manage_vcs_settings":        team.OrganizationAccess.ManageVCSSettings,
+			"manage_providers":           team.OrganizationAccess.ManageProviders,
+			"manage_modules":             team.OrganizationAccess.ManageModules,
+			"manage_run_tasks":           team.OrganizationAccess.ManageRunTasks,
+			"manage_projects":            team.OrganizationAccess.ManageProjects,
+			"read_projects":              team.OrganizationAccess.ReadProjects,
+			"read_workspaces":            team.OrganizationAccess.ReadWorkspaces,
+			"manage_membership":          team.OrganizationAccess.ManageMembership,
+			"manage_teams":               team.OrganizationAccess.ManageTeams,
+			"manage_organization_access": team.OrganizationAccess.ManageOrganizationAccess,
+			"access_secret_teams":        team.OrganizationAccess.AccessSecretTeams,
 		}}
 		if err := d.Set("organization_access", organizationAccess); err != nil {
 			return fmt.Errorf("error setting organization access for team %s: %w", d.Id(), err)
@@ -241,17 +262,20 @@ func resourceTFETeamUpdate(d *schema.ResourceData, meta interface{}) error {
 		organizationAccess := v.([]interface{})[0].(map[string]interface{})
 
 		options.OrganizationAccess = &tfe.OrganizationAccessOptions{
-			ManagePolicies:        tfe.Bool(organizationAccess["manage_policies"].(bool)),
-			ManagePolicyOverrides: tfe.Bool(organizationAccess["manage_policy_overrides"].(bool)),
-			ManageWorkspaces:      tfe.Bool(organizationAccess["manage_workspaces"].(bool)),
-			ManageVCSSettings:     tfe.Bool(organizationAccess["manage_vcs_settings"].(bool)),
-			ManageProviders:       tfe.Bool(organizationAccess["manage_providers"].(bool)),
-			ManageModules:         tfe.Bool(organizationAccess["manage_modules"].(bool)),
-			ManageRunTasks:        tfe.Bool(organizationAccess["manage_run_tasks"].(bool)),
-			ManageProjects:        tfe.Bool(organizationAccess["manage_projects"].(bool)),
-			ReadProjects:          tfe.Bool(organizationAccess["read_projects"].(bool)),
-			ReadWorkspaces:        tfe.Bool(organizationAccess["read_workspaces"].(bool)),
-			ManageMembership:      tfe.Bool(organizationAccess["manage_membership"].(bool)),
+			ManagePolicies:           tfe.Bool(organizationAccess["manage_policies"].(bool)),
+			ManagePolicyOverrides:    tfe.Bool(organizationAccess["manage_policy_overrides"].(bool)),
+			ManageWorkspaces:         tfe.Bool(organizationAccess["manage_workspaces"].(bool)),
+			ManageVCSSettings:        tfe.Bool(organizationAccess["manage_vcs_settings"].(bool)),
+			ManageProviders:          tfe.Bool(organizationAccess["manage_providers"].(bool)),
+			ManageModules:            tfe.Bool(organizationAccess["manage_modules"].(bool)),
+			ManageRunTasks:           tfe.Bool(organizationAccess["manage_run_tasks"].(bool)),
+			ManageProjects:           tfe.Bool(organizationAccess["manage_projects"].(bool)),
+			ReadProjects:             tfe.Bool(organizationAccess["read_projects"].(bool)),
+			ReadWorkspaces:           tfe.Bool(organizationAccess["read_workspaces"].(bool)),
+			ManageMembership:         tfe.Bool(organizationAccess["manage_membership"].(bool)),
+			ManageTeams:              tfe.Bool(organizationAccess["manage_teams"].(bool)),
+			ManageOrganizationAccess: tfe.Bool(organizationAccess["manage_organization_access"].(bool)),
+			AccessSecretTeams:        tfe.Bool(organizationAccess["access_secret_teams"].(bool)),
 		}
 	}
 

internal/provider/resource_tfe_team_test.go

@@ -79,6 +79,12 @@ func TestAccTFETeam_full(t *testing.T) {
 						"tfe_team.foobar", "organization_access.0.read_workspaces", "true"),
 					resource.TestCheckResourceAttr(
 						"tfe_team.foobar", "organization_access.0.manage_membership", "true"),
+					resource.TestCheckResourceAttr(
+						"tfe_team.foobar", "organization_access.0.manage_teams", "true"),
+					resource.TestCheckResourceAttr(
+						"tfe_team.foobar", "organization_access.0.manage_organization_access", "true"),
+					resource.TestCheckResourceAttr(
+						"tfe_team.foobar", "organization_access.0.access_secret_teams", "true"),
 				),
 			},
 		},
@@ -126,6 +132,12 @@ func TestAccTFETeam_full_update(t *testing.T) {
 						"tfe_team.foobar", "organization_access.0.read_workspaces", "true"),
 					resource.TestCheckResourceAttr(
 						"tfe_team.foobar", "organization_access.0.manage_membership", "true"),
+					resource.TestCheckResourceAttr(
+						"tfe_team.foobar", "organization_access.0.manage_teams", "true"),
+					resource.TestCheckResourceAttr(
+						"tfe_team.foobar", "organization_access.0.manage_organization_access", "true"),
+					resource.TestCheckResourceAttr(
+						"tfe_team.foobar", "organization_access.0.access_secret_teams", "true"),
 				),
 			},
 			{
@@ -160,6 +172,12 @@ func TestAccTFETeam_full_update(t *testing.T) {
 						"tfe_team.foobar", "sso_team_id", "changed-sso-id"),
 					resource.TestCheckResourceAttr(
 						"tfe_team.foobar", "organization_access.0.manage_membership", "false"),
+					resource.TestCheckResourceAttr(
+						"tfe_team.foobar", "organization_access.0.manage_teams", "false"),
+					resource.TestCheckResourceAttr(
+						"tfe_team.foobar", "organization_access.0.manage_organization_access", "false"),
+					resource.TestCheckResourceAttr(
+						"tfe_team.foobar", "organization_access.0.access_secret_teams", "false"),
 				),
 			},
 			{
@@ -195,6 +213,12 @@ func TestAccTFETeam_full_update(t *testing.T) {
 						"tfe_team.foobar", "sso_team_id", ""),
 					resource.TestCheckResourceAttr(
 						"tfe_team.foobar", "organization_access.0.manage_membership", "false"),
+					resource.TestCheckResourceAttr(
+						"tfe_team.foobar", "organization_access.0.manage_teams", "false"),
+					resource.TestCheckResourceAttr(
+						"tfe_team.foobar", "organization_access.0.manage_organization_access", "false"),
+					resource.TestCheckResourceAttr(
+						"tfe_team.foobar", "organization_access.0.access_secret_teams", "false"),
 				),
 			},
 		},
@@ -447,6 +471,16 @@ func testAccCheckTFETeamAttributes_full(
 		if !team.OrganizationAccess.ManageMembership {
 			return fmt.Errorf("OrganizationAccess.ManageMembership should be true")
 		}
+		if !team.OrganizationAccess.ManageTeams {
+			return fmt.Errorf("OrganizationAccess.ManageTeams should be true")
+		}
+		if !team.OrganizationAccess.ManageOrganizationAccess {
+			return fmt.Errorf("OrganizationAccess.ManageOrganizationAccess should be true")
+		}
+		if !team.OrganizationAccess.AccessSecretTeams {
+			return fmt.Errorf("OrganizationAccess.AccessSecretTeams should be true")
+		}
+
 		if team.SSOTeamID != "team-test-sso-id" {
 			return fmt.Errorf("Bad SSO Team ID: %s", team.SSOTeamID)
 		}
@@ -484,6 +518,15 @@ func testAccCheckTFETeamAttributes_full_update(
 		if team.OrganizationAccess.ManageMembership {
 			return fmt.Errorf("OrganizationAccess.ManageMembership should be false")
 		}
+		if team.OrganizationAccess.ManageTeams {
+			return fmt.Errorf("OrganizationAccess.ManageTeams should be false")
+		}
+		if team.OrganizationAccess.ManageOrganizationAccess {
+			return fmt.Errorf("OrganizationAccess.ManageOrganizationAccess should be false")
+		}
+		if team.OrganizationAccess.AccessSecretTeams {
+			return fmt.Errorf("OrganizationAccess.AccessSecretTeams should be false")
+		}
 
 		if team.SSOTeamID != "changed-sso-id" {
 			return fmt.Errorf("Bad SSO Team ID: %s", team.SSOTeamID)
@@ -552,6 +595,9 @@ resource "tfe_team" "foobar" {
 	read_workspaces = true
 	read_projects = true
 	manage_membership = true
+	manage_teams = true
+	manage_organization_access = true
+	access_secret_teams = true
   }
   sso_team_id = "team-test-sso-id"
 }`, rInt)
@@ -582,6 +628,9 @@ resource "tfe_team" "foobar" {
 	read_projects = false
 	read_workspaces = false
 	manage_membership = false
+	manage_teams = false
+	manage_organization_access = false
+	access_secret_teams = false
   }
 
   sso_team_id = "changed-sso-id"

website/docs/r/team.html.markdown

@@ -55,6 +55,9 @@ The `organization_access` block supports:
 * `manage_run_tasks` - (Optional) Allow members to create, edit, and delete the organization's run tasks.
 * `manage_projects` - (Optional) Allow members to create and administrate all projects within the organization. Requires `manage_workspaces` to be set to `true`.
 * `manage_membership` - (Optional) Allow members to add/remove users from the organization, and to add/remove users from visible teams.
+* `manage_teams` - (Optional) Allow members to create, update, and delete teams.
+* `manage_organization_access` - (Optional) Allow members to update the organization access settings of teams.
+* `access_secret_teams` - (Optional) Allow members access to secret teams up to the level of permissions granted by their team permissions setting.
 
 ## Attributes Reference