[TF-27661] Add support for HYOK related attributes

.github/actions/test-go-tfe/action.yml

@@ -97,6 +97,14 @@ runs:
         GITHUB_REGISTRY_MODULE_IDENTIFIER: "hashicorp/terraform-random-module"
         GITHUB_REGISTRY_NO_CODE_MODULE_IDENTIFIER: "hashicorp/terraform-random-no-code-module"
         OAUTH_CLIENT_GITHUB_TOKEN: "${{ inputs.oauth-client-github-token }}"
+        SKIP_HYOK_INTEGRATION_TESTS: "${{ inputs.skip-hyok-integration-tests }}"
+        HYOK_ORGANIZATION_NAME: "${{ inputs.hyok-organization-name }}"
+        HYOK_WORKSPACE_NAME: "${{ inputs.hyok-workspace-name }}"
+        HYOK_POOL_ID: "${{ inputs.hyok-pool-id }}"
+        HYOK_PLAN_ID: "${{ inputs.hyok-plan-id }}"
+        HYOK_STATE_VERSION_ID: "${{ inputs.hyok-state-version-id }}"
+        HYOK_CUSTOMER_KEY_VERSION_ID: "${{ inputs.hyok-customer-key-version-id }}"
+        HYOK_ENCRYPTED_DATA_KEY_ID: "${{ inputs.hyok-encrypted-data-key-id }}"
         GO111MODULE: "on"
         ENABLE_TFE: ${{ inputs.enterprise }}
       run: |

agent_pool.go

@@ -66,18 +66,20 @@ type AgentPool struct {
 	CreatedAt          time.Time `jsonapi:"attr,created-at,iso8601"`
 
 	// Relations
-	Organization       *Organization `jsonapi:"relation,organization"`
-	Workspaces         []*Workspace  `jsonapi:"relation,workspaces"`
-	AllowedWorkspaces  []*Workspace  `jsonapi:"relation,allowed-workspaces"`
-	AllowedProjects    []*Project    `jsonapi:"relation,allowed-projects"`
-	ExcludedWorkspaces []*Workspace  `jsonapi:"relation,excluded-workspaces"`
+	Organization       *Organization        `jsonapi:"relation,organization"`
+	HYOKConfigurations []*HYOKConfiguration `jsonapi:"relation,hyok-configurations"`
+	Workspaces         []*Workspace         `jsonapi:"relation,workspaces"`
+	AllowedWorkspaces  []*Workspace         `jsonapi:"relation,allowed-workspaces"`
+	AllowedProjects    []*Project           `jsonapi:"relation,allowed-projects"`
+	ExcludedWorkspaces []*Workspace         `jsonapi:"relation,excluded-workspaces"`
 }
 
 // A list of relations to include
 // https://developer.hashicorp.com/terraform/cloud-docs/api-docs/agents#available-related-resources
 type AgentPoolIncludeOpt string
 
 const AgentPoolWorkspaces AgentPoolIncludeOpt = "workspaces"
+const AgentPoolHYOKConfigurations AgentPoolIncludeOpt = "hyok-configurations"
 
 type AgentPoolReadOptions struct {
 	Include []AgentPoolIncludeOpt `url:"include,omitempty"`
@@ -188,7 +190,7 @@ func (s *agentPools) ReadWithOptions(ctx context.Context, agentpoolID string, op
 	}
 
 	u := fmt.Sprintf("agent-pools/%s", url.PathEscape(agentpoolID))
-	req, err := s.client.NewRequest("GET", u, nil)
+	req, err := s.client.NewRequest("GET", u, &options)
 	if err != nil {
 		return nil, err
 	}

agent_pool_integration_test.go

@@ -5,6 +5,7 @@ package tfe
 
 import (
 	"context"
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -343,6 +344,25 @@ func TestAgentPoolsRead(t *testing.T) {
 		require.NoError(t, err)
 		assert.NotEmpty(t, k.Workspaces[0])
 	})
+
+	t.Run("read hyok configurations of an agent pool", func(t *testing.T) {
+		skipHYOKIntegrationTests := os.Getenv("SKIP_HYOK_INTEGRATION_TESTS") != "false"
+		if skipHYOKIntegrationTests {
+			t.Skip()
+		}
+
+		// replace the environment variable with a valid agent pool ID that has HYOK configurations
+		hyokPoolID := os.Getenv("HYOK_POOL_ID")
+		if hyokPoolID == "" {
+			t.Fatal("Export a valid HYOK_POOL_ID before running this test!")
+		}
+
+		k, err := client.AgentPools.ReadWithOptions(ctx, hyokPoolID, &AgentPoolReadOptions{
+			Include: []AgentPoolIncludeOpt{AgentPoolHYOKConfigurations},
+		})
+		require.NoError(t, err)
+		assert.NotEmpty(t, k.HYOKConfigurations)
+	})
 }
 
 func TestAgentPoolsReadCreatedAt(t *testing.T) {

aws_oidc_configuration_integration_test.go

@@ -2,6 +2,7 @@ package tfe
 
 import (
 	"context"
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -12,13 +13,20 @@ import (
 // To run them locally, follow the instructions outlined in hyok_configuration_integration_test.go
 
 func TestAWSOIDCConfigurationCreateDelete(t *testing.T) {
+	skipHYOKIntegrationTests := os.Getenv("SKIP_HYOK_INTEGRATION_TESTS") != "false"
 	if skipHYOKIntegrationTests {
 		t.Skip()
 	}
 
 	client := testClient(t)
 	ctx := context.Background()
 
+	// replace the environment variable with a valid organization name that has AWS OIDC HYOK configurations
+	hyokOrganizationName := os.Getenv("HYOK_ORGANIZATION_NAME")
+	if hyokOrganizationName == "" {
+		t.Fatal("Export a valid HYOK_ORGANIZATION_NAME before running this test!")
+	}
+
 	orgTest, err := client.Organizations.Read(ctx, hyokOrganizationName)
 	if err != nil {
 		t.Fatal(err)
@@ -48,13 +56,20 @@ func TestAWSOIDCConfigurationCreateDelete(t *testing.T) {
 }
 
 func TestAWSOIDCConfigurationRead(t *testing.T) {
+	skipHYOKIntegrationTests := os.Getenv("SKIP_HYOK_INTEGRATION_TESTS") != "false"
 	if skipHYOKIntegrationTests {
 		t.Skip()
 	}
 
 	client := testClient(t)
 	ctx := context.Background()
 
+	// replace the environment variable with a valid organization name that has AWS OIDC HYOK configurations
+	hyokOrganizationName := os.Getenv("HYOK_ORGANIZATION_NAME")
+	if hyokOrganizationName == "" {
+		t.Fatal("Export a valid HYOK_ORGANIZATION_NAME before running this test!")
+	}
+
 	orgTest, err := client.Organizations.Read(ctx, hyokOrganizationName)
 	if err != nil {
 		t.Fatal(err)
@@ -76,13 +91,20 @@ func TestAWSOIDCConfigurationRead(t *testing.T) {
 }
 
 func TestAWSOIDCConfigurationsUpdate(t *testing.T) {
+	skipHYOKIntegrationTests := os.Getenv("SKIP_HYOK_INTEGRATION_TESTS") != "false"
 	if skipHYOKIntegrationTests {
 		t.Skip()
 	}
 
 	client := testClient(t)
 	ctx := context.Background()
 
+	// replace the environment variable with a valid organization name that has AWS OIDC HYOK configurations
+	hyokOrganizationName := os.Getenv("HYOK_ORGANIZATION_NAME")
+	if hyokOrganizationName == "" {
+		t.Fatal("Export a valid HYOK_ORGANIZATION_NAME before running this test!")
+	}
+
 	orgTest, err := client.Organizations.Read(ctx, hyokOrganizationName)
 	if err != nil {
 		t.Fatal(err)

azure_oidc_configuration_integration_test.go

@@ -2,6 +2,7 @@ package tfe
 
 import (
 	"context"
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -12,13 +13,20 @@ import (
 // To run them locally, follow the instructions outlined in hyok_configuration_integration_test.go
 
 func TestAzureOIDCConfigurationCreateDelete(t *testing.T) {
+	skipHYOKIntegrationTests := os.Getenv("SKIP_HYOK_INTEGRATION_TESTS") != "false"
 	if skipHYOKIntegrationTests {
 		t.Skip()
 	}
 
 	client := testClient(t)
 	ctx := context.Background()
 
+	// replace the environment variable with a valid organization name that has Azure OIDC HYOK configurations
+	hyokOrganizationName := os.Getenv("HYOK_ORGANIZATION_NAME")
+	if hyokOrganizationName == "" {
+		t.Fatal("Export a valid HYOK_ORGANIZATION_NAME before running this test!")
+	}
+
 	orgTest, err := client.Organizations.Read(ctx, hyokOrganizationName)
 	if err != nil {
 		t.Fatal(err)
@@ -75,13 +83,20 @@ func TestAzureOIDCConfigurationCreateDelete(t *testing.T) {
 }
 
 func TestAzureOIDCConfigurationRead(t *testing.T) {
+	skipHYOKIntegrationTests := os.Getenv("SKIP_HYOK_INTEGRATION_TESTS") != "false"
 	if skipHYOKIntegrationTests {
 		t.Skip()
 	}
 
 	client := testClient(t)
 	ctx := context.Background()
 
+	// replace the environment variable with a valid organization name that has Azure OIDC HYOK configurations
+	hyokOrganizationName := os.Getenv("HYOK_ORGANIZATION_NAME")
+	if hyokOrganizationName == "" {
+		t.Fatal("Export a valid HYOK_ORGANIZATION_NAME before running this test!")
+	}
+
 	orgTest, err := client.Organizations.Read(ctx, hyokOrganizationName)
 	if err != nil {
 		t.Fatal(err)
@@ -103,13 +118,20 @@ func TestAzureOIDCConfigurationRead(t *testing.T) {
 }
 
 func TestAzureOIDCConfigurationUpdate(t *testing.T) {
+	skipHYOKIntegrationTests := os.Getenv("SKIP_HYOK_INTEGRATION_TESTS") != "false"
 	if skipHYOKIntegrationTests {
 		t.Skip()
 	}
 
 	client := testClient(t)
 	ctx := context.Background()
 
+	// replace the environment variable with a valid organization name that has Azure OIDC HYOK configurations
+	hyokOrganizationName := os.Getenv("HYOK_ORGANIZATION_NAME")
+	if hyokOrganizationName == "" {
+		t.Fatal("Export a valid HYOK_ORGANIZATION_NAME before running this test!")
+	}
+
 	orgTest, err := client.Organizations.Read(ctx, hyokOrganizationName)
 	if err != nil {
 		t.Fatal(err)

errors.go

@@ -89,6 +89,9 @@ var (
 	// it is locked. "conflict" followed by newline is used to preserve go-tfe version
 	// compatibility with the error constructed at runtime before it was defined here.
 	ErrWorkspaceLockedCannotDelete = errors.New("conflict\nWorkspace is currently locked. Workspace must be unlocked before it can be safely deleted")
+
+	// ErrHYOKCannotBeDisabled is returned when attempting to disable HYOK on a workspace that already has it enabled.
+	ErrHYOKCannotBeDisabled = errors.New("bad request\n\nhyok may not be disabled once it has been turned on for a workspace")
 )
 
 // Invalid values for resources/struct fields
@@ -410,6 +413,8 @@ var (
 
 	ErrStateVersionUploadNotSupported = errors.New("upload not supported by this version of Terraform Enterprise")
 
+	ErrSanitizedStateUploadURLMissing = errors.New("sanitized state upload URL is missing")
+
 	ErrRequiredRoleARN = errors.New("role-arn is required for AWS OIDC configuration")
 
 	ErrRequiredServiceAccountEmail = errors.New("service-account-email is required for GCP OIDC configuration")

gcp_oidc_configuration_integration_test.go

@@ -2,6 +2,7 @@ package tfe
 
 import (
 	"context"
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -12,13 +13,20 @@ import (
 // To run them locally, follow the instructions outlined in hyok_configuration_integration_test.go
 
 func TestGCPOIDCConfigurationCreateDelete(t *testing.T) {
+	skipHYOKIntegrationTests := os.Getenv("SKIP_HYOK_INTEGRATION_TESTS") != "false"
 	if skipHYOKIntegrationTests {
 		t.Skip()
 	}
 
 	client := testClient(t)
 	ctx := context.Background()
 
+	// replace the environment variable with a valid organization name that has GCP OIDC HYOK configurations
+	hyokOrganizationName := os.Getenv("HYOK_ORGANIZATION_NAME")
+	if hyokOrganizationName == "" {
+		t.Fatal("Export a valid HYOK_ORGANIZATION_NAME before running this test!")
+	}
+
 	orgTest, err := client.Organizations.Read(ctx, hyokOrganizationName)
 	if err != nil {
 		t.Fatal(err)
@@ -75,13 +83,20 @@ func TestGCPOIDCConfigurationCreateDelete(t *testing.T) {
 }
 
 func TestGCPOIDCConfigurationRead(t *testing.T) {
+	skipHYOKIntegrationTests := os.Getenv("SKIP_HYOK_INTEGRATION_TESTS") != "false"
 	if skipHYOKIntegrationTests {
 		t.Skip()
 	}
 
 	client := testClient(t)
 	ctx := context.Background()
 
+	// replace the environment variable with a valid organization name that has GCP OIDC HYOK configurations
+	hyokOrganizationName := os.Getenv("HYOK_ORGANIZATION_NAME")
+	if hyokOrganizationName == "" {
+		t.Fatal("Export a valid HYOK_ORGANIZATION_NAME before running this test!")
+	}
+
 	orgTest, err := client.Organizations.Read(ctx, hyokOrganizationName)
 	if err != nil {
 		t.Fatal(err)
@@ -103,13 +118,20 @@ func TestGCPOIDCConfigurationRead(t *testing.T) {
 }
 
 func TestGCPOIDCConfigurationUpdate(t *testing.T) {
+	skipHYOKIntegrationTests := os.Getenv("SKIP_HYOK_INTEGRATION_TESTS") != "false"
 	if skipHYOKIntegrationTests {
 		t.Skip()
 	}
 
 	client := testClient(t)
 	ctx := context.Background()
 
+	// replace the environment variable with a valid organization name that has GCP OIDC HYOK configurations
+	hyokOrganizationName := os.Getenv("HYOK_ORGANIZATION_NAME")
+	if hyokOrganizationName == "" {
+		t.Fatal("Export a valid HYOK_ORGANIZATION_NAME before running this test!")
+	}
+
 	orgTest, err := client.Organizations.Read(ctx, hyokOrganizationName)
 	if err != nil {
 		t.Fatal(err)