Adding support for the resource_count attribute on tfe_workspace

[rhughes1]

Description

This PR exposes the resource_count attribute on the tfe_workspace resource. This is to make it easier for users writing a Sentinel policy to prevent workspaces from being deleted prior to deleting all of the resources that belong to the given workspace. This attribute is already exposed as part of the data source call.

Below is a screenshot of the documentation update on the tfe_workspace resource:

Testing plan

1. Create a new workspace using the configuration below

resource "tfe_organization" "test-organization" {
  name  = "my-org-name"
  email = "[email protected]"
}

resource "tfe_workspace" "test" {
  name         = "my-workspace-name"
  organization = tfe_organization.test-organization.name
  tag_names    = ["test", "app"]
}

output "workspace_resource_count" {
  value = tfe_workspace.test.resource_count
}

This should yield a result like this:

$ terraform refresh
...
Outputs:

workspace_resource_count = 0

2. Inside the new workspace (ie my-workspace-name), use the following configuration (or similar) to add resources under the control of the workspace:

resource "tfe_team" "test" {
  name         = "my-team-name"
  organization = "my-org-name"
}

3. Back on the original workspace, re-run a terraform refresh so we can now see that the resource_count has changed from 0 to 1:

$ terraform refresh
...
Outputs:

workspace_resource_count = 1

External links

• Related Issue

Output from acceptance tests

N/A at this point in time.

[hashicorp-cla]

All committers have signed the CLA.

[brandonc]

@rhughes1 Hello! And thanks for the contribution. I completely get the sentiment and know how easy it is to accidentally delete a workspace that has resources under management and I don't have a problem with adding resource_count to tfe_workspace.

I also want to point out that a policy may not be required if you use Terraform Cloud because we are actually rolling out a platform-wide safeguard with this problem in mind, known as safe delete / force delete that is making its way into the provider as a new attribute that you must add to workspace before it can be deleted when resources are still under management.

Hopefully this could also solve your problem without additional policy code. I'll give this a smoke test but it looks pretty good.

[brandonc]

@rhughes1 After more investigation, there seems to be a lot fields that are present in data.tfe_workspace that are not present in the tfe_workspace resource. I wonder if a solution like this could solve your problem while we evaluate if/how the tfe maintainers should should address the larger disparity?

resource "tfe_workspace" "test" {
  name         = "my-workspace-name"
  organization = tfe_organization.test-organization.name
  tag_names    = ["test", "app"]
}

data "tfe_workspace" "test" {
  name         = "my-workspace-name"
  organization = tfe_organization.test-organization.name
  depends_on = [tfe_workspace.test]
}

output "workspace_resource_count" {
  value = data.tfe_workspace.test.resource_count
}

[rhughes1]

@brandonc So that solution you mentioned would indeed work. However, from a Terraform best practice approach I would think it's a little bit odd having a data source and a resource within the same root module for the same resource (Not to mention using a depends_on block).

I think there still might be value in exposing the resource_count for the Terraform workspace.

[brandonc]

I would say it's not ideal to have a data source that references a resource and for what it's worth I just realized you could omit the depends_on argument by specifying the name dependency directly:

resource "tfe_workspace" "test" {
  name         = "my-workspace-name"
  organization = tfe_organization.test-organization.name
  tag_names    = ["test", "app"]
}

data "tfe_workspace" "test" {
  name         = tfe_workspace.test.name
  organization = tfe_organization.test-organization.name
}

output "workspace_resource_count" {
  value = data.tfe_workspace.test.resource_count
}

I think we will unify the tfe_workspace resource/data export-only arguments but might be willing to move forward in adding just resource_count for now. Unfortunately, I can't merge this PR because the tests are failing because the resource_count is not always 0. I will take another look at it this week or next unless you get to it first. Thanks!

[annawinkler]

👋 Hi @rhughes1 - could you please update your fork with the latest? We'll also be looking at the test failure to see if we can suggest an update to fix the problem. ✨

[annawinkler]

💅 A small suggestion to update the changelog entry to be consistent with the format of the file and include a link to the PR:

Suggested change

	* r/tfe_workspace: Add attribute `resource_count`
	* r/tfe_workspace: Add attribute `resource_count` to `tfe_workspace` ([#682](https://github.com/hashicorp/terraform-provider-tfe/pull/682))

[rhughes1]

👋 Hi @rhughes1 - could you please update your fork with the latest? We'll also be looking at the test failure to see if we can suggest an update to fix the problem. ✨

@annawinkler I updated my fork with the latest changes. Let me know how else I can help move this along :)

[annawinkler]

Merged #712

[annawinkler]

Thanks @rhughes1 ! I updated the code in a separate branch to also confirm the tests were running OK too. Appreciate the contribution! 💖