Use org memberships for teams #154

Merged
merged 7 commits into from
Apr 14, 2020

@beekus beekus commented Apr 3, 2020

TODO

Description

This PR adds the tfe_organization_membership and tfe_team_organization_member resources. These resources in combination eliminate some of the back and forth required to get a new team member set up. You no longer need to have the user sign up and send you their username in order to manage their team memberships.

tfe_organization_membership

This resource is the equivalent of inviting a user by email address to the organization, without specifying any teams.

tfe_team_organization_member

This resource allows you to add an invited user to a team. The advantage of using this over something like tfe_team_member or tfe_team_members (both of which require usernames to identify the user) is that you can manage the teams an invited user is on before the user has accepted the invitation.

Requirements

While this PR doesn't introduce a breaking change, it does introduce two new resources which require that the provider be configured to use Terraform Cloud or an instance of Terraform Enterprise at least as new as v202004-1, which is not yet released.

Testing plan

resource "tfe_workspace" "test" {
  name = "workspace"
  organization = "hashicorp"
}

resource "tfe_team" "test" {
  name = "test"
  organization = "hashicorp"
}

resource "tfe_organization_membership" "test" {
  organization = "hashicorp"
  email = "test@testing.com"
}

resource "tfe_team_organization_member" "test" {
  team_id = tfe_team.test.id
  organization_membership_id = tfe_organization_membership.test.id
}

External links

Include any links here that might be helpful for people reviewing your PR. If there are none, feel free to delete this section.

Output from acceptance tests

Please run the full suite of acceptance tests locally and include the output here.

==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test $(go list ./... |grep -v 'vendor') -v  -timeout 15m
?   	github.com/terraform-providers/terraform-provider-tfe	[no test files]
=== RUN   TestAccTFESSHKeyDataSource_basic
--- PASS: TestAccTFESSHKeyDataSource_basic (8.16s)
=== RUN   TestAccTFETeamAccessDataSource_basic
--- PASS: TestAccTFETeamAccessDataSource_basic (12.04s)
=== RUN   TestAccTFETeamDataSource_basic
--- PASS: TestAccTFETeamDataSource_basic (7.52s)
=== RUN   TestAccTFEWorkspaceIDsDataSource_basic
--- PASS: TestAccTFEWorkspaceIDsDataSource_basic (10.37s)
=== RUN   TestAccTFEWorkspaceIDsDataSource_wildcard
--- PASS: TestAccTFEWorkspaceIDsDataSource_wildcard (10.70s)
=== RUN   TestAccTFEWorkspaceDataSource_basic
--- PASS: TestAccTFEWorkspaceDataSource_basic (8.50s)
=== RUN   TestProvider
--- PASS: TestProvider (0.00s)
=== RUN   TestProvider_impl
--- PASS: TestProvider_impl (0.00s)
=== RUN   TestProvider_versionConstraints
--- PASS: TestProvider_versionConstraints (0.00s)
=== RUN   TestAccTFENotificationConfiguration_basic
--- PASS: TestAccTFENotificationConfiguration_basic (8.20s)
=== RUN   TestAccTFENotificationConfiguration_update
--- PASS: TestAccTFENotificationConfiguration_update (13.15s)
=== RUN   TestAccTFENotificationConfiguration_slackWithToken
--- PASS: TestAccTFENotificationConfiguration_slackWithToken (4.65s)
=== RUN   TestAccTFENotificationConfiguration_duplicateTriggers
--- PASS: TestAccTFENotificationConfiguration_duplicateTriggers (7.84s)
=== RUN   TestAccTFENotificationConfigurationImport
--- PASS: TestAccTFENotificationConfigurationImport (8.32s)
=== RUN   TestAccTFEOAuthClient_basic
--- SKIP: TestAccTFEOAuthClient_basic (0.40s)
    resource_tfe_oauth_client_test.go:19: Please set GITHUB_TOKEN to run this test
=== RUN   TestAccTFEOrganizationMembership_basic
--- PASS: TestAccTFEOrganizationMembership_basic (7.16s)
=== RUN   TestAccTFEOrganization_basic
--- PASS: TestAccTFEOrganization_basic (5.76s)
=== RUN   TestAccTFEOrganization_update
--- PASS: TestAccTFEOrganization_update (10.38s)
=== RUN   TestAccTFEOrganization_import
--- PASS: TestAccTFEOrganization_import (5.86s)
=== RUN   TestAccTFEOrganizationToken_basic
--- PASS: TestAccTFEOrganizationToken_basic (7.29s)
=== RUN   TestAccTFEOrganizationToken_existsWithoutForce
--- PASS: TestAccTFEOrganizationToken_existsWithoutForce (9.27s)
=== RUN   TestAccTFEOrganizationToken_existsWithForce
--- PASS: TestAccTFEOrganizationToken_existsWithForce (12.65s)
=== RUN   TestAccTFEOrganizationToken_import
--- PASS: TestAccTFEOrganizationToken_import (8.03s)
=== RUN   TestAccTFEPolicySetParameter_basic
--- PASS: TestAccTFEPolicySetParameter_basic (10.44s)
=== RUN   TestAccTFEPolicySetParameter_update
--- PASS: TestAccTFEPolicySetParameter_update (16.91s)
=== RUN   TestAccTFEPolicySetParameter_import
--- PASS: TestAccTFEPolicySetParameter_import (12.10s)
=== RUN   TestAccTFEPolicySet_basic
--- PASS: TestAccTFEPolicySet_basic (12.50s)
=== RUN   TestAccTFEPolicySet_update
--- PASS: TestAccTFEPolicySet_update (20.36s)
=== RUN   TestAccTFEPolicySet_updateEmpty
--- PASS: TestAccTFEPolicySet_updateEmpty (18.18s)
=== RUN   TestAccTFEPolicySet_updatePopulated
--- PASS: TestAccTFEPolicySet_updatePopulated (25.19s)
=== RUN   TestAccTFEPolicySet_updateToGlobal
--- PASS: TestAccTFEPolicySet_updateToGlobal (21.65s)
=== RUN   TestAccTFEPolicySet_updateToWorkspace
--- PASS: TestAccTFEPolicySet_updateToWorkspace (18.27s)
=== RUN   TestAccTFEPolicySet_vcs
--- SKIP: TestAccTFEPolicySet_vcs (0.40s)
    resource_tfe_policy_set_test.go:255: Please set GITHUB_TOKEN to run this test
=== RUN   TestAccTFEPolicySetImport
--- PASS: TestAccTFEPolicySetImport (13.41s)
=== RUN   TestAccTFERunTrigger_basic
--- PASS: TestAccTFERunTrigger_basic (10.08s)
=== RUN   TestAccTFERunTriggerImport
--- PASS: TestAccTFERunTriggerImport (10.18s)
=== RUN   TestAccTFESentinelPolicy_basic
--- PASS: TestAccTFESentinelPolicy_basic (10.19s)
=== RUN   TestAccTFESentinelPolicy_update
--- PASS: TestAccTFESentinelPolicy_update (17.54s)
=== RUN   TestAccTFESentinelPolicy_import
--- PASS: TestAccTFESentinelPolicy_import (10.32s)
=== RUN   TestAccTFESSHKey_basic
--- PASS: TestAccTFESSHKey_basic (7.67s)
=== RUN   TestAccTFESSHKey_update
--- PASS: TestAccTFESSHKey_update (12.75s)
=== RUN   TestResourceTfeTeamAccessStateUpgradeV0
--- PASS: TestResourceTfeTeamAccessStateUpgradeV0 (0.41s)
=== RUN   TestAccTFETeamAccess_basic
--- PASS: TestAccTFETeamAccess_basic (10.51s)
=== RUN   TestAccTFETeamAccess_import
--- PASS: TestAccTFETeamAccess_import (10.46s)
=== RUN   TestPackTeamMemberID
--- PASS: TestPackTeamMemberID (0.00s)
=== RUN   TestUnpackTeamMemberID
--- PASS: TestUnpackTeamMemberID (0.00s)
=== RUN   TestAccTFETeamMember_basic
--- FAIL: TestAccTFETeamMember_basic (5.27s)
    testing.go:569: Step 0 error: errors during apply:

        Error: Error adding user "admin" to team team-uG7YmNJfK49iBueZ: bad request

        admin is not a member of the organization

          on /var/folders/yt/66g8c6q95yd580n_6rsg38l80000gp/T/tf-test247100603/main.tf line 12:
          (source code not available)


=== RUN   TestAccTFETeamMember_import
--- FAIL: TestAccTFETeamMember_import (5.07s)
    testing.go:569: Step 0 error: errors during apply:

        Error: Error adding user "admin" to team team-7iHNEL25rDbYmoug: bad request

        admin is not a member of the organization

          on /var/folders/yt/66g8c6q95yd580n_6rsg38l80000gp/T/tf-test480748197/main.tf line 12:
          (source code not available)


=== RUN   TestAccTFETeamMembers_basic
--- SKIP: TestAccTFETeamMembers_basic (0.43s)
    resource_tfe_team_members_test.go:22: Please set TFE_USER1 to run this test
=== RUN   TestAccTFETeamMembers_update
--- SKIP: TestAccTFETeamMembers_update (0.42s)
    resource_tfe_team_members_test.go:55: Please set TFE_USER1 to run this test
=== RUN   TestAccTFETeamMembers_import
--- SKIP: TestAccTFETeamMembers_import (0.41s)
    resource_tfe_team_members_test.go:102: Please set TFE_USER1 to run this test
=== RUN   TestPackTeamOrganizationMemberID
--- PASS: TestPackTeamOrganizationMemberID (0.00s)
=== RUN   TestUnpackTeamOrganizationMemberID
--- PASS: TestUnpackTeamOrganizationMemberID (0.00s)
=== RUN   TestAccTFETeamOrganizationMember_basic
--- PASS: TestAccTFETeamOrganizationMember_basic (9.04s)
=== RUN   TestAccTFETeamOrganizationMember_import
--- PASS: TestAccTFETeamOrganizationMember_import (8.72s)
=== RUN   TestAccTFETeam_basic
--- PASS: TestAccTFETeam_basic (6.78s)
=== RUN   TestAccTFETeam_import
--- PASS: TestAccTFETeam_import (7.31s)
=== RUN   TestAccTFETeamToken_basic
--- PASS: TestAccTFETeamToken_basic (8.73s)
=== RUN   TestAccTFETeamToken_existsWithoutForce
--- PASS: TestAccTFETeamToken_existsWithoutForce (11.04s)
=== RUN   TestAccTFETeamToken_existsWithForce
--- PASS: TestAccTFETeamToken_existsWithForce (14.88s)
=== RUN   TestAccTFETeamToken_import
--- PASS: TestAccTFETeamToken_import (8.89s)
=== RUN   TestResourceTfeVariableStateUpgradeV0
--- PASS: TestResourceTfeVariableStateUpgradeV0 (0.24s)
=== RUN   TestAccTFEVariable_basic
--- PASS: TestAccTFEVariable_basic (10.40s)
=== RUN   TestAccTFEVariable_update
--- PASS: TestAccTFEVariable_update (18.10s)
=== RUN   TestAccTFEVariable_import
--- PASS: TestAccTFEVariable_import (12.50s)
=== RUN   TestResourceTfeWorkspaceStateUpgradeV0
--- PASS: TestResourceTfeWorkspaceStateUpgradeV0 (0.00s)
=== RUN   TestAccTFEWorkspace_basic
--- PASS: TestAccTFEWorkspace_basic (8.48s)
=== RUN   TestAccTFEWorkspace_monorepo
--- PASS: TestAccTFEWorkspace_monorepo (8.82s)
=== RUN   TestAccTFEWorkspace_renamed
--- PASS: TestAccTFEWorkspace_renamed (13.43s)
=== RUN   TestAccTFEWorkspace_update
--- PASS: TestAccTFEWorkspace_update (12.34s)
=== RUN   TestAccTFEWorkspace_updateWorkingDirectory
--- PASS: TestAccTFEWorkspace_updateWorkingDirectory (17.62s)
=== RUN   TestAccTFEWorkspace_updateFileTriggers
--- PASS: TestAccTFEWorkspace_updateFileTriggers (11.79s)
=== RUN   TestAccTFEWorkspace_updateTriggerPrefixes
--- PASS: TestAccTFEWorkspace_updateTriggerPrefixes (11.32s)
=== RUN   TestAccTFEWorkspace_sshKey
--- PASS: TestAccTFEWorkspace_sshKey (16.66s)
=== RUN   TestAccTFEWorkspace_import
--- PASS: TestAccTFEWorkspace_import (6.68s)
=== RUN   TestFetchWorkspaceExternalID
=== RUN   TestFetchWorkspaceExternalID/non_exisiting_organization
=== RUN   TestFetchWorkspaceExternalID/non_exisiting_workspace
=== RUN   TestFetchWorkspaceExternalID/found_workspace
--- PASS: TestFetchWorkspaceExternalID (0.27s)
    --- PASS: TestFetchWorkspaceExternalID/non_exisiting_organization (0.00s)
    --- PASS: TestFetchWorkspaceExternalID/non_exisiting_workspace (0.00s)
    --- PASS: TestFetchWorkspaceExternalID/found_workspace (0.00s)
=== RUN   TestFetchWorkspaceHumanID
=== RUN   TestFetchWorkspaceHumanID/non_exisiting_workspace
=== RUN   TestFetchWorkspaceHumanID/found_workspace
--- PASS: TestFetchWorkspaceHumanID (0.00s)
    --- PASS: TestFetchWorkspaceHumanID/non_exisiting_workspace (0.00s)
    --- PASS: TestFetchWorkspaceHumanID/found_workspace (0.00s)
=== RUN   TestPackWorkspaceID
--- PASS: TestPackWorkspaceID (0.00s)
=== RUN   TestUnpackWorkspaceID
--- PASS: TestUnpackWorkspaceID (0.00s)
FAIL
FAIL	github.com/terraform-providers/terraform-provider-tfe/tfe	673.002s
?   	github.com/terraform-providers/terraform-provider-tfe/version	[no test files]
make: *** [testacc] Error 1

@leetrout leetrout changed the title Leetrout/use org memberships for teams Use org memberships for teams Apr 6, 2020

leetrout commented Apr 9, 2020

Updated go.mod to use go-tfe 0.6.0.

Re-tested locally:

terraform show
# tfe_organization.theorg:
resource "tfe_organization" "theorg" {
    collaborator_auth_policy = "password"
    email                    = "no@no.no"
    id                       = "tfe-provider"
    name                     = "tfe-provider"
    session_remember_minutes = 0
    session_timeout_minutes  = 0
}

# tfe_organization_membership.admin:
resource "tfe_organization_membership" "admin" {
    email        = "foo@foo.foo22"
    id           = "ou-HkXARrCWRiL8YCDZ"
    organization = "tfe-provider"
}

# tfe_organization_membership.noteam:
resource "tfe_organization_membership" "noteam" {
    email        = "foo@foo.foo33"
    id           = "ou-3kz7jfS6TaWEcuaZ"
    organization = "tfe-provider"
}

# tfe_team.theteam:
resource "tfe_team" "theteam" {
    id           = "team-qo2ownpGo1qcKfjd"
    name         = "tfe-team"
    organization = "tfe-provider"
}

# tfe_team_organization_member.theteam-foo:
resource "tfe_team_organization_member" "theteam-foo" {
    id                         = "team-qo2ownpGo1qcKfjd/ou-HkXARrCWRiL8YCDZ"
    organization_membership_id = "ou-HkXARrCWRiL8YCDZ"
    team_id                    = "team-qo2ownpGo1qcKfjd"
}

@beekus beekus requested a review from lafentres April 9, 2020 11:33
@beekus beekus marked this pull request as ready for review April 9, 2020 11:33

@lafentres lafentres left a comment

i'm not super familiar with this part of the api but the code makes sense and the example config worked for apply/destroy.

i did notice one weird thing and i just want a little clarification on it before i hit approve. is it expected that a user managed this way changing their email address would mess things up? i suspect the answer is yes, since we are using an attribute that can be changed to identify team members.

i ran apply with the example config, accepted the invitation and created a new account. i then changed the email address on my new account and tried to run an apply again. this apply basically invited a new user and added them back to the team. so the management of the original user is kind of lost now.

if we do expect this behavior and there isn't a different solution, we might want to add something to the docs explaining what to expect/recommendations in this case.

@@ -11,6 +11,7 @@ jobs:
- image: circleci/golang:1.11.13
environment:
TEST_RESULTS_DIR: *test_results_dir
GO111MODULE: "on"
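Review bot: With GO111MODULE: "on" in the environment block at the end of this hunk, the go tool on the circleci/golang:1.11.13 image runs in module mode, and in Go 1.11 module mode ignores a vendor directory unless -mod=vendor is passed. If the repository vendors its dependencies, this job would resolve them over the network instead of building from the reviewed tree. Either pass -mod=vendor to the go commands the job runs or drop the variable, and add a short comment in the config stating which dependency source the build is meant to use.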

just for my own knowledge because i still don't understand what this does: what's the impact of turning this on here? like what does it change/do?

Line 16 of this config sets the working directory to a folder within the GOPATH:

/go/src/github.com/terraform-providers/terraform-provider-tfe

GO111MODULE defaults to "auto" which for Go 1.11 and 1.12 means not using go modules when inside the Go path (but changes with 1.13 to using modules while inside the Go path). We are using modules to track our dependencies and have been updating the vendor directory but with this flag set it is not necessary to continue to vendor these dependencies in the vendor folder.

I will vendor the dependency and take this out.

@ghost ghost added the dependencies label Apr 13, 2020
Lee Trout and others added 5 commits April 13, 2020 08:28
Allows adding a user to a team through the organization membership
resource.
* Add docs for organization_membership
* Add docs for team_organization_member
* Change notes on team_member and team_members to suggest that
  team_organization_member is the preferred resource for managing
  team membership.
@leetrout leetrout force-pushed the leetrout/use-org-memberships-for-teams branch from 9dac5dc to 2711a52 Compare April 13, 2020 12:34

beekus commented Apr 13, 2020

@lafentres added:

~> **NOTE:** This resource cannot be used to update an existing user's email address
since users themselves are the only ones permitted to update their email address.
If a user updates their email address, configurations using the email address should
be updated manually.
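
The email-change case raised in the review above leaves an active account that no configuration entry matches, next to a fresh invitation for the old address. The following audit is an added example, not code from this PR or the provider; the `Member` shape, the `"invited"`/`"active"` status values, the `FindDrift` helper and the sample IDs are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Member is a simplified organization membership record
// (constructed shape, not the go-tfe type).
type Member struct {
	ID, Email, Status string // Status assumed to be "invited" or "active"
}

// Drift lists memberships that no longer line up with the configuration.
type Drift struct {
	Unmanaged   []string // membership IDs whose email is not declared in config
	PendingOnly []string // declared emails that exist only as an open invitation
}

// FindDrift compares emails declared in Terraform config with live memberships.
func FindDrift(declared []string, live []Member) Drift {
	norm := func(s string) string { return strings.ToLower(strings.TrimSpace(s)) }
	want := map[string]bool{}
	for _, e := range declared {
		want[norm(e)] = true
	}
	var d Drift
	for _, m := range live {
		switch key := norm(m.Email); {
		case !want[key]:
			d.Unmanaged = append(d.Unmanaged, m.ID)
		case m.Status != "active":
			d.PendingOnly = append(d.PendingOnly, key)
		}
	}
	sort.Strings(d.Unmanaged)
	sort.Strings(d.PendingOnly)
	return d
}

func main() {
	// Constructed sample: the first user accepted, then changed their address;
	// a later apply re-invited the address still present in the configuration.
	declared := []string{"alice@example.com", "bob@example.com"}
	live := []Member{
		{"ou-constructed0001", "alice.new@example.com", "active"},
		{"ou-constructed0002", "alice@example.com", "invited"},
		{"ou-constructed0003", "bob@example.com", "active"},
	}
	fmt.Printf("%+v\n", FindDrift(declared, live))
}
```

An unmanaged active membership paired with a pending invitation for a declared address is the signature of the drift described above; the unmanaged account keeps whatever team access it had until it is reviewed.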

@beekus beekus merged commit 3a8177d into master Apr 14, 2020
@beekus beekus deleted the leetrout/use-org-memberships-for-teams branch April 14, 2020 20:11