Merge pull request #717 from njdart/group-env-scope

Add environment scope to gitlab_group_variable

Author: armsnyder

docs/resources/group_variable.md

@@ -8,11 +8,12 @@ documentation](https://docs.gitlab.com/ce/ci/variables/README.html#variables).
 
 ```hcl
 resource "gitlab_group_variable" "example" {
-   group     = "12345"
-   key       = "group_variable_key"
-   value     = "group_variable_value"
-   protected = false
-   masked    = false
+   group             = "12345"
+   key               = "group_variable_key"
+   value             = "group_variable_value"
+   protected         = false
+   masked            = false
+   environment_scope = "*"
 }
 ```
 
@@ -32,10 +33,12 @@ The following arguments are supported:
 
 * `masked` - (Optional, boolean) If set to `true`, the value of the variable will be hidden in job logs. The value must meet the [masking requirements](https://docs.gitlab.com/ee/ci/variables/#masked-variables). Defaults to `false`.
 
+* `environment_scope` - (Optional, string) The environment scope of the variable. Defaults to all environment (`*`). Note that in Community Editions of Gitlab, values other than `*` will cause inconsistent plans. See https://docs.gitlab.com/ee/ci/variables/#add-a-cicd-variable-to-a-group
+
 ## Import
 
-GitLab group variables can be imported using an id made up of `groupid:variablename`, e.g.
+GitLab group variables can be imported using an id made up of `groupid:variablename:scope`, e.g.
 
 ```
-$ terraform import gitlab_group_variable.example 12345:group_variable_key
+$ terraform import gitlab_group_variable.example 12345:group_variable_key:*
 ```

gitlab/resource_gitlab_group_variable.go

@@ -2,13 +2,31 @@ package gitlab
 
 import (
 	"context"
+	"fmt"
 	"log"
+	"strings"
 
+	"github.com/hashicorp/go-retryablehttp"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	gitlab "github.com/xanzy/go-gitlab"
 )
 
+// modifyRequestAddEnvironmentFilter returns a RequestOptionFunc function that
+// can be passed to the go-gitlab library calls to add the environment scope to
+// requests to lookup, modification, and deletion requests. Since gitlab 13.11,
+// an environment variable key is no longer unique and is composit-keyed with
+// the scope.
+// See https://docs.gitlab.com/ee/ci/variables/#add-a-cicd-variable-to-a-group
+func modifyRequestAddEnvironmentFilter(scope string) gitlab.RequestOptionFunc {
+	return func(r *retryablehttp.Request) error {
+		queryParams := r.URL.Query()
+		queryParams.Add("filter[environment_scope]", scope)
+		r.URL.RawQuery = queryParams.Encode()
+		return nil
+	}
+}
+
 func resourceGitlabGroupVariable() *schema.Resource {
 	return &schema.Resource{
 		CreateContext: resourceGitlabGroupVariableCreate,
@@ -52,6 +70,12 @@ func resourceGitlabGroupVariable() *schema.Resource {
 				Optional: true,
 				Default:  false,
 			},
+			"environment_scope": {
+				Type:     schema.TypeString,
+				Optional: true,
+				ForceNew: true,
+				Default:  "*",
+			},
 		},
 	}
 }
@@ -65,13 +89,15 @@ func resourceGitlabGroupVariableCreate(ctx context.Context, d *schema.ResourceDa
 	variableType := stringToVariableType(d.Get("variable_type").(string))
 	protected := d.Get("protected").(bool)
 	masked := d.Get("masked").(bool)
+	environmentScope := d.Get("environment_scope").(string)
 
 	options := gitlab.CreateGroupVariableOptions{
-		Key:          &key,
-		Value:        &value,
-		VariableType: variableType,
-		Protected:    &protected,
-		Masked:       &masked,
+		Key:              &key,
+		Value:            &value,
+		VariableType:     variableType,
+		Protected:        &protected,
+		Masked:           &masked,
+		EnvironmentScope: &environmentScope,
 	}
 	log.Printf("[DEBUG] create gitlab group variable %s/%s", group, key)
 
@@ -80,7 +106,9 @@ func resourceGitlabGroupVariableCreate(ctx context.Context, d *schema.ResourceDa
 		return diag.FromErr(err)
 	}
 
-	d.SetId(buildTwoPartID(&group, &key))
+	keyScope := fmt.Sprintf("%s:%s", key, environmentScope)
+
+	d.SetId(buildTwoPartID(&group, &keyScope))
 
 	return resourceGitlabGroupVariableRead(ctx, d, meta)
 }
@@ -93,9 +121,21 @@ func resourceGitlabGroupVariableRead(ctx context.Context, d *schema.ResourceData
 		return diag.FromErr(err)
 	}
 
-	log.Printf("[DEBUG] read gitlab group variable %s/%s", group, key)
+	keyScope := strings.SplitN(key, ":", 2)
+	scope := "*"
+	if len(keyScope) == 2 {
+		key = keyScope[0]
+		scope = keyScope[1]
+	}
+
+	log.Printf("[DEBUG] read gitlab group variable %s/%s/%s", group, key, scope)
 
-	v, _, err := client.GroupVariables.GetVariable(group, key, gitlab.WithContext(ctx))
+	v, _, err := client.GroupVariables.GetVariable(
+		group,
+		key,
+		gitlab.WithContext(ctx),
+		modifyRequestAddEnvironmentFilter(scope),
+	)
 	if err != nil {
 		if is404(err) {
 			log.Printf("[DEBUG] gitlab group variable not found %s/%s", group, key)
@@ -111,6 +151,7 @@ func resourceGitlabGroupVariableRead(ctx context.Context, d *schema.ResourceData
 	d.Set("group", group)
 	d.Set("protected", v.Protected)
 	d.Set("masked", v.Masked)
+	d.Set("environment_scope", v.EnvironmentScope)
 	return nil
 }
 
@@ -123,16 +164,24 @@ func resourceGitlabGroupVariableUpdate(ctx context.Context, d *schema.ResourceDa
 	variableType := stringToVariableType(d.Get("variable_type").(string))
 	protected := d.Get("protected").(bool)
 	masked := d.Get("masked").(bool)
+	environmentScope := d.Get("environment_scope").(string)
 
 	options := &gitlab.UpdateGroupVariableOptions{
-		Value:        &value,
-		Protected:    &protected,
-		VariableType: variableType,
-		Masked:       &masked,
+		Value:            &value,
+		Protected:        &protected,
+		VariableType:     variableType,
+		Masked:           &masked,
+		EnvironmentScope: &environmentScope,
 	}
-	log.Printf("[DEBUG] update gitlab group variable %s/%s", group, key)
-
-	_, _, err := client.GroupVariables.UpdateVariable(group, key, options, gitlab.WithContext(ctx))
+	log.Printf("[DEBUG] update gitlab group variable %s/%s/%s", group, key, environmentScope)
+
+	_, _, err := client.GroupVariables.UpdateVariable(
+		group,
+		key,
+		options,
+		gitlab.WithContext(ctx),
+		modifyRequestAddEnvironmentFilter(environmentScope),
+	)
 	if err != nil {
 		return diag.FromErr(err)
 	}
@@ -143,9 +192,15 @@ func resourceGitlabGroupVariableDelete(ctx context.Context, d *schema.ResourceDa
 	client := meta.(*gitlab.Client)
 	group := d.Get("group").(string)
 	key := d.Get("key").(string)
-	log.Printf("[DEBUG] Delete gitlab group variable %s/%s", group, key)
-
-	_, err := client.GroupVariables.RemoveVariable(group, key, gitlab.WithContext(ctx))
+	environmentScope := d.Get("environment_scope").(string)
+	log.Printf("[DEBUG] Delete gitlab group variable %s/%s/%s", group, key, environmentScope)
+
+	_, err := client.GroupVariables.RemoveVariable(
+		group,
+		key,
+		gitlab.WithContext(ctx),
+		modifyRequestAddEnvironmentFilter(environmentScope),
+	)
 	if err != nil {
 		return diag.FromErr(err)
 	}

gitlab/resource_gitlab_group_variable_test.go

@@ -25,8 +25,9 @@ func TestAccGitlabGroupVariable_basic(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckGitlabGroupVariableExists("gitlab_group_variable.foo", &groupVariable),
 					testAccCheckGitlabGroupVariableAttributes(&groupVariable, &testAccGitlabGroupVariableExpectedAttributes{
-						Key:   fmt.Sprintf("key_%s", rString),
-						Value: fmt.Sprintf("value-%s", rString),
+						Key:              fmt.Sprintf("key_%s", rString),
+						Value:            fmt.Sprintf("value-%s", rString),
+						EnvironmentScope: "*",
 					}),
 				),
 			},
@@ -36,9 +37,10 @@ func TestAccGitlabGroupVariable_basic(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckGitlabGroupVariableExists("gitlab_group_variable.foo", &groupVariable),
 					testAccCheckGitlabGroupVariableAttributes(&groupVariable, &testAccGitlabGroupVariableExpectedAttributes{
-						Key:       fmt.Sprintf("key_%s", rString),
-						Value:     fmt.Sprintf("value-inverse-%s", rString),
-						Protected: true,
+						Key:              fmt.Sprintf("key_%s", rString),
+						Value:            fmt.Sprintf("value-inverse-%s", rString),
+						Protected:        true,
+						EnvironmentScope: "*",
 					}),
 				),
 			},
@@ -48,9 +50,80 @@ func TestAccGitlabGroupVariable_basic(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckGitlabGroupVariableExists("gitlab_group_variable.foo", &groupVariable),
 					testAccCheckGitlabGroupVariableAttributes(&groupVariable, &testAccGitlabGroupVariableExpectedAttributes{
-						Key:       fmt.Sprintf("key_%s", rString),
-						Value:     fmt.Sprintf("value-%s", rString),
-						Protected: false,
+						Key:              fmt.Sprintf("key_%s", rString),
+						Value:            fmt.Sprintf("value-%s", rString),
+						Protected:        false,
+						EnvironmentScope: "*",
+					}),
+				),
+			},
+		},
+	})
+}
+
+func TestAccGitlabGroupVariable_scope(t *testing.T) {
+	var groupVariableA, groupVariableB gitlab.GroupVariable
+	rString := acctest.RandString(5)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckGitlabGroupVariableDestroy,
+		Steps: []resource.TestStep{
+			// Create a group and variables with same keys, different scopes
+			{
+				Config:   testAccGitlabGroupVariableScopeConfig(rString, "*", "review/*"),
+				SkipFunc: isRunningInCE,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabGroupVariableExists("gitlab_group_variable.a", &groupVariableA),
+					testAccCheckGitlabGroupVariableExists("gitlab_group_variable.b", &groupVariableB),
+					testAccCheckGitlabGroupVariableAttributes(&groupVariableA, &testAccGitlabGroupVariableExpectedAttributes{
+						Key:              fmt.Sprintf("key_%s", rString),
+						Value:            fmt.Sprintf("value-%s-a", rString),
+						EnvironmentScope: "*",
+					}),
+					testAccCheckGitlabGroupVariableAttributes(&groupVariableB, &testAccGitlabGroupVariableExpectedAttributes{
+						Key:              fmt.Sprintf("key_%s", rString),
+						Value:            fmt.Sprintf("value-%s-b", rString),
+						EnvironmentScope: "review/*",
+					}),
+				),
+			},
+			// Change a variable's scope
+			{
+				Config:   testAccGitlabGroupVariableScopeConfig(rString, "my-new-scope", "review/*"),
+				SkipFunc: isRunningInCE,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabGroupVariableExists("gitlab_group_variable.a", &groupVariableA),
+					testAccCheckGitlabGroupVariableExists("gitlab_group_variable.b", &groupVariableB),
+					testAccCheckGitlabGroupVariableAttributes(&groupVariableA, &testAccGitlabGroupVariableExpectedAttributes{
+						Key:              fmt.Sprintf("key_%s", rString),
+						Value:            fmt.Sprintf("value-%s-a", rString),
+						EnvironmentScope: "my-new-scope",
+					}),
+					testAccCheckGitlabGroupVariableAttributes(&groupVariableB, &testAccGitlabGroupVariableExpectedAttributes{
+						Key:              fmt.Sprintf("key_%s", rString),
+						Value:            fmt.Sprintf("value-%s-b", rString),
+						EnvironmentScope: "review/*",
+					}),
+				),
+			},
+			// Change both variables scopes at the same time
+			{
+				Config:   testAccGitlabGroupVariableScopeConfig(rString, "my-new-new-scope", "review/hello-world"),
+				SkipFunc: isRunningInCE,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabGroupVariableExists("gitlab_group_variable.a", &groupVariableA),
+					testAccCheckGitlabGroupVariableExists("gitlab_group_variable.b", &groupVariableB),
+					testAccCheckGitlabGroupVariableAttributes(&groupVariableA, &testAccGitlabGroupVariableExpectedAttributes{
+						Key:              fmt.Sprintf("key_%s", rString),
+						Value:            fmt.Sprintf("value-%s-a", rString),
+						EnvironmentScope: "my-new-new-scope",
+					}),
+					testAccCheckGitlabGroupVariableAttributes(&groupVariableB, &testAccGitlabGroupVariableExpectedAttributes{
+						Key:              fmt.Sprintf("key_%s", rString),
+						Value:            fmt.Sprintf("value-%s-b", rString),
+						EnvironmentScope: "review/hello-world",
 					}),
 				),
 			},
@@ -85,10 +158,11 @@ func testAccCheckGitlabGroupVariableExists(n string, groupVariable *gitlab.Group
 }
 
 type testAccGitlabGroupVariableExpectedAttributes struct {
-	Key       string
-	Value     string
-	Protected bool
-	Masked    bool
+	Key              string
+	Value            string
+	Protected        bool
+	Masked           bool
+	EnvironmentScope string
 }
 
 func testAccCheckGitlabGroupVariableAttributes(variable *gitlab.GroupVariable, want *testAccGitlabGroupVariableExpectedAttributes) resource.TestCheckFunc {
@@ -109,6 +183,10 @@ func testAccCheckGitlabGroupVariableAttributes(variable *gitlab.GroupVariable, w
 			return fmt.Errorf("got masked %t; want %t", variable.Masked, want.Masked)
 		}
 
+		if variable.EnvironmentScope != want.EnvironmentScope {
+			return fmt.Errorf("got environment_scope %s; want %s", variable.EnvironmentScope, want.EnvironmentScope)
+		}
+
 		return nil
 	}
 }
@@ -170,3 +248,26 @@ resource "gitlab_group_variable" "foo" {
 }
 	`, rString, rString, rString, rString)
 }
+
+func testAccGitlabGroupVariableScopeConfig(rString, scopeA, scopeB string) string {
+	return fmt.Sprintf(`
+resource "gitlab_group" "foo" {
+  name = "foo%v"
+  path = "foo%v"
+}
+
+resource "gitlab_group_variable" "a" {
+  group             = "${gitlab_group.foo.id}"
+  key               = "key_%s"
+  value             = "value-%s-a"
+  environment_scope = "%s"
+}
+
+resource "gitlab_group_variable" "b" {
+  group             = "${gitlab_group.foo.id}"
+  key               = "key_%s"
+  value             = "value-%s-b"
+  environment_scope = "%s"
+}
+	`, rString, rString, rString, rString, scopeA, rString, rString, scopeB)
+}