Platform/3833 add non root group capabilities

CHANGELOG.md

@@ -8,6 +8,42 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [1.0.0] - 2025-10-02
+
+[Compare with previous version](https://github.com/sparkfabrik/terraform-gitlab-kubernetes-gitlab-agent/compare/0.13.0...1.0.0)
+
+### Added
+
+- New variable `operate_at_root_group_level` to simplify configuration and replace the combination of `gitlab_agent_grant_access_to_entire_root_namespace` and `gitlab_agent_create_variables_in_root_namespace`.
+- New variable `groups_enabled` to specify groups where the GitLab Agent should be enabled (when not operating at root group level).
+- New variable `projects_enabled` to specify projects where the GitLab Agent should be enabled (when not operating at root group level).
+- Auto-detection of parent group when `operate_at_root_group_level = false` and no groups/projects are specified.
+- Support for creating CI/CD variables in multiple groups and projects simultaneously.
+- Dynamic generation of agent configuration file based on enabled groups/projects using `yamlencode()`.
+- New outputs: `gitlab_enabled_groups`, `gitlab_enabled_projects`, `gitlab_parent_group_auto_detected`.
+
+### Changed
+
+- Agent configuration file is now dynamically generated based on `operate_at_root_group_level` and enabled groups/projects.
+- CI/CD variables can now be created in multiple targets (root group, specific groups, or specific projects) depending on configuration.
+- Output `gitlab_root_namespace_id` now returns `null` when not operating at root group level.
+
+### Removed
+
+- **BREAKING CHANGE**: variable `gitlab_agent_grant_access_to_entire_root_namespace` - replaced by `operate_at_root_group_level`.
+- **BREAKING CHANGE**: variable `gitlab_agent_create_variables_in_root_namespace` - behavior is now determined by `operate_at_root_group_level`.
+- Backward compatibility logic for deprecated variables.
+
+### Migration Guide
+
+If you were using the removed variables, migrate as follows:
+
+- `gitlab_agent_grant_user_access_to_root_namespace = true` -> `operate_at_root_group_level = true` + `gitlab_agent_grant_user_access_to_root_namespace = true`
+- `gitlab_agent_grant_access_to_entire_root_namespace = true` + `gitlab_agent_create_variables_in_root_namespace = true` → `operate_at_root_group_level = true` + `gitlab_agent_grant_user_access_to_root_namespace = true`
+- `gitlab_agent_grant_access_to_entire_root_namespace = false` -> `operate_at_root_group_level = false` + configure `groups_enabled` and/or `projects_enabled`
+
+**Note**: user access is now only available when `operate_at_root_group_level = true`. If you need user access to specific groups/projects, this is not currently supported by Gitlab.
+
 ## [0.12.0] - 2025-05-19
 
 [Compare with previous version](https://github.com/sparkfabrik/terraform-gitlab-kubernetes-gitlab-agent/compare/0.11.0...0.12.0)

files/config.yaml.tftpl

@@ -1,14 +1,31 @@
+%{~ if operate_at_root_group_level ~}
 ci_access:
   groups:
     - id: ${root_namespace}
-
 %{~ if gitlab_agent_grant_user_access_to_root_namespace }
 user_access:
   access_as:
     agent: {}
   groups:
     - id: ${root_namespace}
 %{~ endif ~}
+%{~ else ~}
+%{~ if length(groups_to_enable) > 0 || length(projects_to_enable) > 0 ~}
+ci_access:
+  %{~ if length(groups_to_enable) > 0 ~}
+  groups:
+    %{~ for group in groups_to_enable ~}
+    - id: ${group}
+    %{~ endfor ~}
+  %{~ endif ~}
+  %{~ if length(projects_to_enable) > 0 ~}
+  projects:
+    %{~ for project in projects_to_enable ~}
+    - id: ${project}
+    %{~ endfor ~}
+  %{~ endif ~}
+%{~ endif ~}
+%{~ endif ~}
 
 %{~ if trimspace(gitlab_agent_append_to_config_file) != "" }
 ${gitlab_agent_append_to_config_file}

main.tf

@@ -19,8 +19,32 @@ locals {
   gitlab_agent_commmit_message_computed       = replace(var.gitlab_agent_commmit_message, "{{gitlab_agent_name}}", var.gitlab_agent_name)
   k8s_gitlab_agent_token_secret_name_computed = replace(var.k8s_gitlab_agent_token_secret_name, "{{gitlab_agent_name}}", var.gitlab_agent_name)
 
+  # Determine the parent group of the project
+  project_path_parts = split("/", var.gitlab_project_path_with_namespace)
+  parent_group_path  = length(local.project_path_parts) > 1 ? join("/", slice(local.project_path_parts, 0, length(local.project_path_parts) - 1)) : ""
+
+  # Determine if we are in auto-parent mode
+  auto_detect_parent = !var.operate_at_root_group_level && length(concat(var.groups_enabled, var.projects_enabled)) == 0
+
+  # Final list of groups to enable
+  groups_to_enable = var.operate_at_root_group_level ? [] : (
+    local.auto_detect_parent ? [local.parent_group_path] : var.groups_enabled
+  )
+
+  # Final list of projects to enable
+  projects_to_enable = var.operate_at_root_group_level ? [] : (
+    local.auto_detect_parent ? [] : var.projects_enabled
+  )
+
   # Gitlab Agent configuration file
-  final_configuration_file_content = var.gitlab_agent_custom_config_file_content != "" ? var.gitlab_agent_custom_config_file_content : (var.gitlab_agent_grant_access_to_entire_root_namespace ? templatefile("${path.module}/files/config.yaml.tftpl", { root_namespace = data.gitlab_group.root_namespace.path, gitlab_agent_append_to_config_file = var.gitlab_agent_append_to_config_file, gitlab_agent_grant_user_access_to_root_namespace = var.gitlab_agent_grant_user_access_to_root_namespace }) : "")
+  final_configuration_file_content = var.gitlab_agent_custom_config_file_content != "" ? var.gitlab_agent_custom_config_file_content : templatefile("${path.module}/files/config.yaml.tftpl", {
+    operate_at_root_group_level                      = var.operate_at_root_group_level
+    gitlab_agent_grant_user_access_to_root_namespace = var.gitlab_agent_grant_user_access_to_root_namespace
+    root_namespace                                   = data.gitlab_group.root_namespace.path
+    groups_to_enable                                 = local.groups_to_enable
+    projects_to_enable                               = local.projects_to_enable
+    gitlab_agent_append_to_config_file               = var.gitlab_agent_append_to_config_file
+  })
 
   # Gitlab Agent CI/CD variables
   gitlab_agent_kubernetes_context_variables = {
@@ -41,10 +65,28 @@ data "gitlab_group" "root_namespace" {
   full_path = local.project_root_namespace
 }
 
+# Data source for parent group when auto-detecting
+data "gitlab_group" "parent_group" {
+  count     = local.auto_detect_parent ? 1 : 0
+  full_path = local.parent_group_path
+}
+
+# Data source for the specified groups
+data "gitlab_group" "enabled_groups" {
+  for_each  = !var.operate_at_root_group_level && !local.auto_detect_parent ? toset(var.groups_enabled) : toset([])
+  full_path = each.value
+}
+
+# Data source for the specified projects
+data "gitlab_project" "enabled_projects" {
+  for_each            = !var.operate_at_root_group_level && !local.auto_detect_parent ? toset(var.projects_enabled) : toset([])
+  path_with_namespace = each.value
+}
+
 resource "gitlab_project" "project" {
   count        = local.use_existing_project == 0 ? 1 : 0
   name         = var.gitlab_project_name
-  namespace_id = data.gitlab_group.root_namespace.group_id
+  namespace_id = var.operate_at_root_group_level ? data.gitlab_group.root_namespace.group_id : data.gitlab_group.parent_group[0].group_id
 }
 
 resource "gitlab_cluster_agent" "this" {
@@ -78,8 +120,9 @@ resource "gitlab_repository_file" "this" {
   ]
 }
 
-resource "gitlab_group_variable" "this" {
-  for_each = var.gitlab_agent_create_variables_in_root_namespace ? local.gitlab_agent_kubernetes_context_variables : {}
+# Variables for root group (when operate_at_root_group_level is true)
+resource "gitlab_group_variable" "root_namespace" {
+  for_each = var.operate_at_root_group_level ? local.gitlab_agent_kubernetes_context_variables : {}
 
   group     = data.gitlab_group.root_namespace.group_id
   key       = each.key
@@ -94,6 +137,42 @@ resource "gitlab_group_variable" "this" {
   ]
 }
 
+# Variables for specific groups (when operate_at_root_group_level is false)
+resource "gitlab_group_variable" "enabled_groups" {
+  for_each = !var.operate_at_root_group_level && length(local.groups_to_enable) > 0 ? {
+    for pair in setproduct(keys(local.gitlab_agent_kubernetes_context_variables), local.groups_to_enable) :
+    "${pair[1]}__${pair[0]}" => {
+      group_path = pair[1]
+      key        = pair[0]
+      value      = local.gitlab_agent_kubernetes_context_variables[pair[0]]
+    }
+  } : {}
+
+  group     = local.auto_detect_parent && each.value.group_path == local.parent_group_path ? data.gitlab_group.parent_group[0].group_id : data.gitlab_group.enabled_groups[each.value.group_path].group_id
+  key       = each.value.key
+  value     = each.value.value
+  protected = false
+  masked    = false
+}
+
+# Variables for specific projects (when operate_at_root_group_level is false)
+resource "gitlab_project_variable" "enabled_projects" {
+  for_each = !var.operate_at_root_group_level && length(local.projects_to_enable) > 0 ? {
+    for pair in setproduct(keys(local.gitlab_agent_kubernetes_context_variables), local.projects_to_enable) :
+    "${pair[1]}__${pair[0]}" => {
+      project_path = pair[1]
+      key          = pair[0]
+      value        = local.gitlab_agent_kubernetes_context_variables[pair[0]]
+    }
+  } : {}
+
+  project   = data.gitlab_project.enabled_projects[each.value.project_path].id
+  key       = each.value.key
+  value     = each.value.value
+  protected = false
+  masked    = false
+}
+
 # Kubernetes resources
 resource "kubernetes_namespace_v1" "this" {
   count = var.create_namespace ? 1 : 0

outputs.tf

@@ -25,6 +25,22 @@ output "gitlab_agents_project_id" {
 }
 
 output "gitlab_root_namespace_id" {
-  description = "The ID of the root namespace of the Gitlab Agents project."
-  value       = data.gitlab_group.root_namespace.group_id
+  description = "The ID of the root namespace of the Gitlab Agents project. Only available when operate_at_root_group_level is true."
+  value       = var.operate_at_root_group_level ? data.gitlab_group.root_namespace.group_id : null
 }
+
+output "gitlab_enabled_groups" {
+  description = "List of groups where the GitLab Agent has been enabled with variables."
+  value       = local.groups_to_enable
+}
+
+output "gitlab_enabled_projects" {
+  description = "List of projects where the GitLab Agent has been enabled with variables."
+  value       = local.projects_to_enable
+}
+
+output "gitlab_parent_group_auto_detected" {
+  description = "Whether the parent group was automatically detected."
+  value       = local.auto_detect_parent
+}
+