feature: temporalcloud_user_namespace_access

This PR addresses #119, #116, and #115 by decoupling the definition of user accesses from the user itself, via a new resource: `temporalcloud_user_namespace_access`. This resource is intended to provide a many-to-many mapping between namespaces and users. Under the hood, this resource is manipulating a single User object via the API (as the underlying data model stashes all namespaces accesses on the user object), while also preserving the invariant that adding or removing a single user from a single namespace won't obliterate the list of permissions that a user has. I do intend to write some more tests but I wanted to get this out quickly for review for some fast feedback before I write a bunch of tests that exercise things that might change in review.
temporalio · Sep 24, 2024 · 678da87 · 678da87
1 parent cab53e3
commit 678da87
Show file tree

Hide file tree

Showing 9 changed files with 543 additions and 3 deletions.
diff --git a/docs/resources/user.md b/docs/resources/user.md
@@ -59,7 +59,7 @@ resource "temporalcloud_user" "namespace_admin" {
 
 ### Optional
 
-- `namespace_accesses` (Attributes List) The list of namespace accesses. (see [below for nested schema](#nestedatt--namespace_accesses))
+- `namespace_accesses` (Attributes List, Deprecated) The list of namespace accesses. (see [below for nested schema](#nestedatt--namespace_accesses))
 - `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
 
 ### Read-Only

diff --git a/docs/resources/user_namespace_access.md b/docs/resources/user_namespace_access.md
@@ -0,0 +1,100 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "temporalcloud_user_namespace_access Resource - terraform-provider-temporalcloud"
+subcategory: ""
+description: |-
+  
+---
+
+# temporalcloud_user_namespace_access (Resource)
+
+
+
+## Example Usage
+
+```terraform
+terraform {
+  required_providers {
+    temporalcloud = {
+      source = "temporalio/temporalcloud"
+    }
+  }
+}
+
+provider "temporalcloud" {
+}
+
+resource "temporalcloud_namespace" "terraform" {
+  name               = "terraform-users"
+  regions            = ["aws-us-east-1"]
+  accepted_client_ca = base64encode(file("${path.module}/ca.pem"))
+  retention_days     = 14
+}
+
+resource "temporalcloud_namespace" "second_ns" {
+  name               = "terraform-users-2"
+  regions            = ["aws-us-east-1"]
+  accepted_client_ca = base64encode(file("${path.module}/ca.pem"))
+  retention_days     = 14
+}
+
+resource "temporalcloud_user" "namespace_admin" {
+  email          = "[email protected]"
+  account_access = "developer"
+}
+
+resource "temporalcloud_user" "namespace_write" {
+  email          = "[email protected]"
+  account_access = "developer"
+}
+
+resource "temporalcloud_user" "namespace_read" {
+  email          = "[email protected]"
+  account_access = "developer"
+}
+
+resource "temporalcloud_user_namespace_access" "admin" {
+  user_id      = temporalcloud_user.namespace_admin.id
+  namespace_id = temporalcloud_namespace.terraform.id
+  permission   = "admin"
+}
+
+resource "temporalcloud_user_namespace_access" "write" {
+  user_id      = temporalcloud_user.namespace_write.id
+  namespace_id = temporalcloud_namespace.terraform.id
+  permission   = "write"
+}
+
+resource "temporalcloud_user_namespace_access" "read" {
+  user_id      = temporalcloud_user.namespace_read.id
+  namespace_id = temporalcloud_namespace.terraform.id
+  permission   = "read"
+}
+
+resource "temporalcloud_user_namespace_access" "read_second_ns" {
+  user_id      = temporalcloud_user.namespace_read.id
+  namespace_id = temporalcloud_namespace.second_ns.id
+  permission   = "read"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `namespace_id` (String) The ID of the namespace to which this user should be given the requested role
+- `permission` (String) The permission to grant the user in the namespace
+- `user_id` (String) The ID of the user to which this namespace access should be granted
+
+### Read-Only
+
+- `id` (String) The unique identifier for the user namespace access.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+terraform import temporalcloud_user_namespace_access myuserid/terraform.badf00d
+```
diff --git a/examples/resources/temporalcloud_user_namespace_access/ca.pem b/examples/resources/temporalcloud_user_namespace_access/ca.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBxjCCAU2gAwIBAgIRAlyZ5KUmunPLeFAupDwGL8AwCgYIKoZIzj0EAwMwEjEQ
+MA4GA1UEChMHdGVzdGluZzAeFw0yNDA4MTMyMzQ2NThaFw0yNTA4MTMyMzQ3NTha
+MBIxEDAOBgNVBAoTB3Rlc3RpbmcwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARG+EuL
+uKRsNWs7Rbz6ciaJQB7QINTRLmTgGGE8H/wAs+KjvctjPdDdqFPZrxShRY3PUdk2
+pgQKRugMTe3N52pxBx4Iablz8felfdv4kyLQbdsJzY9XmCYX3D68/9Hxsl2jZzBl
+MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSYC5/u
+K78bK1M8Fv1M6ELMjF2ZMDAjBgNVHREEHDAaghhjbGllbnQucm9vdC50ZXN0aW5n
+LjBycDUwCgYIKoZIzj0EAwMDZwAwZAIwSycjxxmYTgV5eSJbaGMINr5LQgyKQUHQ
+ryBKSGLKASa/e2ntyhsqRhj77gJ8DmkZAjAIlpDacF+Sq1kpZ5tMV7ZLElcujzj4
+US8pEmNuIiCguEGwi+pb5CWfabETEHApxmo=
+-----END CERTIFICATE-----
diff --git a/examples/resources/temporalcloud_user_namespace_access/import.sh b/examples/resources/temporalcloud_user_namespace_access/import.sh
@@ -0,0 +1 @@
+terraform import temporalcloud_user_namespace_access myuserid/terraform.badf00d
diff --git a/examples/resources/temporalcloud_user_namespace_access/resource.tf b/examples/resources/temporalcloud_user_namespace_access/resource.tf
@@ -0,0 +1,63 @@
+terraform {
+  required_providers {
+    temporalcloud = {
+      source = "temporalio/temporalcloud"
+    }
+  }
+}
+
+provider "temporalcloud" {
+}
+
+resource "temporalcloud_namespace" "terraform" {
+  name               = "terraform-users"
+  regions            = ["aws-us-east-1"]
+  accepted_client_ca = base64encode(file("${path.module}/ca.pem"))
+  retention_days     = 14
+}
+
+resource "temporalcloud_namespace" "second_ns" {
+  name               = "terraform-users-2"
+  regions            = ["aws-us-east-1"]
+  accepted_client_ca = base64encode(file("${path.module}/ca.pem"))
+  retention_days     = 14
+}
+
+resource "temporalcloud_user" "namespace_admin" {
+  email          = "[email protected]"
+  account_access = "developer"
+}
+
+resource "temporalcloud_user" "namespace_write" {
+  email          = "[email protected]"
+  account_access = "developer"
+}
+
+resource "temporalcloud_user" "namespace_read" {
+  email          = "[email protected]"
+  account_access = "developer"
+}
+
+resource "temporalcloud_user_namespace_access" "admin" {
+  user_id      = temporalcloud_user.namespace_admin.id
+  namespace_id = temporalcloud_namespace.terraform.id
+  permission   = "admin"
+}
+
+resource "temporalcloud_user_namespace_access" "write" {
+  user_id      = temporalcloud_user.namespace_write.id
+  namespace_id = temporalcloud_namespace.terraform.id
+  permission   = "write"
+}
+
+resource "temporalcloud_user_namespace_access" "read" {
+  user_id      = temporalcloud_user.namespace_read.id
+  namespace_id = temporalcloud_namespace.terraform.id
+  permission   = "read"
+}
+
+resource "temporalcloud_user_namespace_access" "read_second_ns" {
+  user_id      = temporalcloud_user.namespace_read.id
+  namespace_id = temporalcloud_namespace.second_ns.id
+  permission   = "read"
+}
diff --git a/internal/provider/provider.go b/internal/provider/provider.go
@@ -138,6 +138,7 @@ func (p *TerraformCloudProvider) Resources(ctx context.Context) []func() resourc
 		NewNamespaceResource,
 		NewNamespaceSearchAttributeResource,
 		NewUserResource,
+		NewUserNamespaceAccessResource,
 	}
 }