feat: add tf-account to support multiple customers

[obs-gh-nikhildua]

Description

• Borrowed from here to support applying tf-account-* to multiple customers
• Additional customer is passed in as an optional input to workflow (additional_customers)
• This additional customer gets mapped to be a new workspace.
• Plan comments has been updated
• New workflow step to create /select workspaces and configure the correct backend
• Backend for non-default: -backend-config="workspace_key_prefix=${{ github.event.repository.name }}"
  which gets mapped in the bucket as <repo_name>/<workspace>/<key> where key is <repo_name>/tf-state

Note: For terraform to apply this workspace, additional customer MUST have a mapping present in the tf-account provider.tf!
See: https://github.com/observeinc/tf-account-dual-terraform/pull/2/files

Testing

• Test PR to run this workflow call with two plans against two workspaces (https://github.com/observeinc/tf-account-dual-terraform/pull/2)
• Workspace 1 is default. Workspace 2 (supplied) is called cap2 which is mapped as OBSERVE_CUSTOMER_2 secrets key
• The secret key can be anything (eg: OBSERVE_CUSTOMER_CAP2 etc.. as specified here where this is added as another key value pair to the Jenkins job. In this testing case, I just added OBSERVE_CUSTOMER_2 as key and the second required environment as the value (https://www.notion.so/observeinc/tf-account-GitOps-Tutorial-fd38d97057bd40f8b615e63bbeb5325c)

locals {
  workspace_to_customer_map = {
    default = local.secrets["OBSERVE_CUSTOMER"]   # Default customer for tf-account 
    cap2    = local.secrets["OBSERVE_CUSTOMER_2"] # Additional customer for tf-account
  }

  customer = lookup(local.workspace_to_customer_map, terraform.workspace)

}

[bendrucker]

Good start. Key feedback here is that this should support n customers, not n=2.

For terraform to apply this workspace, additional customer MUST have a mapping present in the tf-account provider.tf!

Let's pare back the misuse of secrets instead of creating extra indirection. You should not have to touch your Terraform configuration whatsoever to get this working or make it aware of workspaces. The workflow should handle passing in the right values.

[bendrucker]

Avoid force push. It's a bad habit we've ingrained in people via workflows all over worry that a trivial config (squash and merge) won't be enforced reliably in all calling repos. Outside of observeinc/terraform-observe-* repos that enforce otherwise, it's good PR etiquette to use commits to provide a timeline of meaningful changes. Not too small but not too large. Rewriting and squashing or amending commits in a PR (vs on merge) prevents reviewers from seeing that history.

[obs-gh-nikhildua]

@bendrucker @jta
See: https://github.com/observeinc/tf-account-o2/pull/1 for first use of this PR to "setup" foundation for O2

I'd like to get this merged fairly soon and iterate on it later if needed, as I'll have to switch priorities shortly.

[bendrucker]

Nice! All should be quick fixes but feel free to merge this and follow up.