Adjust pipeline creation so it works for non-admins #112
Conversation
For Buildkite organizations with teams enabled, it's possible for non-admins to create pipelines within their own teams. However, it only works if the team is included in the pipelineCreate() mutation. For a non-admin graphql token, pipelineCreate() will return an error if the input includes no teams. The existing code was calling pipelineCreate() with no teams, and then following up with a teamPipelineCreate() mutation to apply the teams. We never got to the follow up though, because the initial pipelineCreate() was failing. This merges the two steps so the initial pipelineCreate() includes teams. Once the pipeline has been created, team management is still done independently of the rest of the pipeline. That should be fine though, it's only pipelineCreate() that requires teams to be include2. Non-admin graphql tokens can call pipelineUpdate() without teams just fine. Fixes #84
|
The permutations here are a real headache, and I'd love to get some acceptance tests in place. Without tests, I'm sure we'll inadvertently break the experience for non-admin users who want to use the terraform provider. Interestingly, in the current provider there's very few things a non-admin user can do beyond managing pipelines and pipeline schedules. The other resources (teams, agent tokens) require admin privileges, and future resources (like user) would presumably also be admin-only. This PR was 10% working out the graphql query to include teams into |
| teamsData := make([]PipelineTeamAssignmentInput, 0) | ||
| for _, team := range teamPipelines { | ||
| log.Printf("converting team slug '%s' to an ID", string(team.Team.Slug)) | ||
| teamID, err := GetTeamID(string(team.Team.Slug), client) |
There was a problem hiding this comment.
this is a bit gross - for each team slug listed in the pipeline we do a graphql query to convert it into an ID. It's no worse than what we have on main though - reconcileTeamPipelines() also calls GetTeamID()
|
@chloeruka and I have manually confirm pipeline creating and updating work with both admin and non-admin API tokens. We also have a plan for acceptance testing with non-admin tokens, which we'll tackle in a follow up PR. |
… API token In PR #112 we fixed the pipeline resource so it can be created and updated by non-admin API tokens. To prevent regressions, this adds a new acceptance test step to the build pipeline that will run only the subset of acceptance tests that will work with a non-admin API token. Non-admins can manage pipelines and pipeline schedules, but only if the pipeline belongs to a team where the user is a team maintainer. Before this we had no acctests with teams declared on a pipeline, so none of them would work for non-admins. This has added a couple of basic tests that use teams. The new tests will also run in the normal acctest step (using an admin token), which is a nice bonus.
For Buildkite organizations with teams enabled, it's possible for non-admins to create pipelines within their own teams.
However, it only works if the team is included in the
pipelineCreate()mutation. For a non-admin graphql token,pipelineCreate()will return an error if the input includes no teams.The existing code was calling
pipelineCreate()with no teams, and then following up with ateamPipelineCreate()mutation to apply the teams. We never got to the follow up though, because the initialpipelineCreate()was failing.This merges the two steps so the initial
pipelineCreate()includes teams. Once the pipeline has been created, team management is still done independently of the rest of the pipeline. That should be fine though, it's onlypipelineCreate()that requires teams to be include2. Non-admin graphql tokens can callpipelineUpdate()without teams just fine.Still needs a fair bit of polish:
Fixes #84