Team permissions by workspace

[juan-vg]

Feature description 💡

Currently TFC allows to set different permissions for different teams per each workspace. In this way, a team can be admin (or have write permissions, without fully admin) on some workspaces where the team is owner, while at the same have only read permissions on other workspaces where they're not owners. So to recap:

• One or more teams should be assignable to each workspace
• Each team assignation to a workspace should have its own set of permissions

Anything else?

It would be awesome to make the permissions more granular. Instead of just read/write, I would like to have read/write/admin. In fact, it would be even better to be able to customize every action possible (I mean, manage a workspace implies many actions that are all allowed at the same time when the manage permission is enabled), so with just read/write for each action we could define different roles that could achieve the read/write/admin and even more combinations.

[jordanjthomas]

+1 This is definitely needed. Looking to move our Enterprise from TFC to Terrakube and this is going to be a major pain point in convincing teams to adopt it.

[BenjaminDecreusefond]

+1

[BenjaminDecreusefond]

Hi @alfespa17 !

Sorry to bother you but, would you have an ETA for when do you think this will be available ? It appears to be really needed for us to manage our privileges :)

Regards !

[alfespa17]

Maybe in the next couple of weeks, I did some progress in this branch but I still need to validate several things because of the way elide manage security.

[BenjaminDecreusefond]

great ! thank you !

[BenjaminDecreusefond]

Hi @alfespa17 !

I also got a new idea, do you think it would be possible to allow teams to trigger only specific templates ? For instance, dev teams could only be able to trigger Plan template however, DevOps team have privilege to trigger any template ?

WDYT ?

[juan-vg]

While RBAC for templates could make sense, what I would do is to rely on operations (plan/apply/read-outputs/read-state/...) RBAC. What I mean is that templates are just pipelines of operations, so they will inherently have RBAC if the operations already have it.

As an example, these are the team permissions by workspace in TFC

[BenjaminDecreusefond]

Hmmm I'm not sure to follow your point ? Templates are set at organization level. Currently you can give rights to allow to run jobs on templates from UI but you can't for instance open plans from UI to devs and prevent them to run destroy template at the same time ?

[juan-vg]

If for a certain (workspace,team) tuple the operation (plan/apply/destroy/...) is not allowed, the template containing that specific operation could either:

• be not available to be triggered for that (workspace,team) tuple
• be available, but fail at the step where the operation is not allowed for the given (workspace,team) tuple

Does this clarify what I meant?

[BenjaminDecreusefond]

Hmmm yep I get this part, but this is currently not possible to do that right ? Unless I missed smth

[juan-vg]

Hmmm yep I get this part, but this is currently not possible to do that right ? Unless I missed smth

yep, not possible right now, but from my POV is an improvement to your new idea 👇

I also got a new idea, do you think it would be possible to allow teams to trigger only specific templates ? For instance, dev teams could only be able to trigger Plan template however, DevOps team have privilege to trigger any template ?

I mean, once the Team permissions by workspace are implemented, what you said about allowing templates should be a consequence because templates rely on steps running operations, which rely on Team permissions by workspace

[BenjaminDecreusefond]

Oh yeah sure ! Agreed !

[alfespa17]

Not sure if I understand correctly, something like this to only allow certain teams to trigger the template?

onlyAllowToExecuteUsing:
  - Team1
  - Team2
flow:
  - type: "terraformPlan"
    step: 100
  - type: "terraformApply"
    step: 200

[BenjaminDecreusefond]

Could do the trick ! But it should be reflected (I mean you should not be able to trigger from UI then) and editable from the UI perhaps (with a similar interface to the current one for team privileges) ?

Or we can store template privilege in the DB instead ? It would avoid having to modify templates ?

[alfespa17]

Could do the trick ! But it should be reflected (I mean you should not be able to trigger from UI then) and editable from the UI perhaps (with a similar interface to the current one for team privileges) ?

Or we can store template privilege in the DB instead ? It would avoid having to modify templates ?

The above was just an idea, it could be saved into the database too, or maybe add some reference in the workspace that is only allowed to run certain templates

You also need to consider that allowing to run certain templates will only work with VCS workspaces, the CLI driven workflow in some way is "hardcoded" and you can only execute it if you have workspace permission

[BenjaminDecreusefond]

The above was just an idea, it could be saved into the database too, or maybe add some reference in the workspace that is > only allowed to run certain templates

Hmmmm if we think about it I think we should be able to:
For instance: When we create a workspace we have the possibility to specify teams with a set of templates attached to it. This holds for the UI and for CLI as well. So let's I create a workspace and want dev to only be able to run plans we could specify a parameter like this to the workspace

permissions
{
    devops-team: [Plan_template_id, apply_template_id, destroy_template_id...],
    dev-team: [plan_template_id(on maybe we should use names ? idk what's best)]
}

By default no permission are specified and if left empty the workspace is free to access for everyone to perform any action.
I think it might create some conflicts with the current permission system where we already allow to trigger or not templates.

Let me know your thoughts ? Dunno if it's good idea !

You also need to consider that allowing to run certain templates will only work with VCS workspaces, the CLI driven workflow in some way is "hardcoded" and you can only execute it if you have workspace permission

No issue ! we only use VCS workspaces !

[juan-vg]

Sorry to bother you guys, but if this template-permissions topic is not related to both teams and workspaces at the same time (the tuple I mentioned before), I'm afraid this discussion doesn't belong here

[alfespa17]

Sorry to bother you guys, but if this template-permissions topic is not related to both teams and workspaces at the same time (the tuple I mentioned before), I'm afraid this discussion doesn't belong here

Yeah maybe you can create a new issue to discuss it

[alfespa17]

I think I got the team permission by workspace working, I still need to test it a little bit more but maybe I can merge the changes in the following days

[alfespa17]

Provider support was added here:

AzBuilder/terraform-provider-terrakube#97