Team Access Management

Terraform configuration for managing team-based access to Cakewalk applications using Infrastructure as Code principles.

Overview

This Terraform configuration allows you to manage team access to Cakewalk applications as part of your Infrastructure as Code workflow. It supports team-based access definitions, department-specific app mappings, and provides state management for access changes.

Features

Team-based access definitions: Define access patterns for teams and departments
Infrastructure as Code: Manage access changes through version control
State management: Track and manage access changes over time
Drift detection: Identify when actual access differs from desired state
Bulk operations: Manage access for multiple users and applications

Prerequisites

Terraform Dependencies

terraform {
  required_providers {
    http = {
      source  = "hashicorp/http"
      version = "~> 3.0"
    }
  }
}

Environment Variables

Set these environment variables:

export CAKEWALK_API_KEY="your-api-key"
export CAKEWALK_API_SECRET="your-api-secret"

Required Information

You'll need to gather:

WorkApp IDs for applications you want to manage
User IDs for team members
Permission level IDs for each WorkApp

Setup Instructions

1. Create the Terraform Configuration

Create main.tf:

# Using Terraform's HTTP provider to manage Cakewalk access
# This works TODAY without needing a custom provider

terraform {
  required_providers {
    http = {
      source  = "hashicorp/http"
      version = "~> 3.0"
    }
  }
}

variable "cakewalk_api_key" {
  type      = string
  sensitive = true
}

variable "cakewalk_api_secret" {
  type      = string
  sensitive = true
}

locals {
  cakewalk_base_url = "https://open-api.getcakewalk.io"
  
  # Define your WorkApp IDs (find these via: GET /api/v1/WorkApps)
  workapp_ids = {
    github    = "GITHUB_WORKAPP_UUID"
    aws       = "AWS_WORKAPP_UUID"
    slack     = "SLACK_WORKAPP_UUID"
    datadog   = "DATADOG_WORKAPP_UUID"
  }
  
  # Define your user IDs (find these via: GET /api/v1/Users)
  user_ids = {
    alice   = "ALICE_USER_UUID"
    bob     = "BOB_USER_UUID"
    charlie = "CHARLIE_USER_UUID"
  }
  
  # Define permission level IDs per app (find via: GET /api/v1/WorkApps/{id}/PermissionLevels)
  github_permission_levels = {
    developer = "GITHUB_DEVELOPER_PERMISSION_UUID"
    admin     = "GITHUB_ADMIN_PERMISSION_UUID"
  }
  
  aws_permission_levels = {
    developer = "AWS_DEVELOPER_PERMISSION_UUID"
    admin     = "AWS_ADMIN_PERMISSION_UUID"
  }
}

# Grant GitHub access to engineering team
resource "null_resource" "grant_github_access_engineering" {
  # Trigger re-creation if team membership changes
  triggers = {
    users = jsonencode([local.user_ids.alice, local.user_ids.bob, local.user_ids.charlie])
  }
  
  provisioner "local-exec" {
    command = <<-EOT
      # Build access grants JSON
      cat > /tmp/github_grants.json <<EOF
      {
        "data": [
          {
            "workAppId": "${local.workapp_ids.github}",
            "userId": "${local.user_ids.alice}",
            "permissionLevelId": "${local.github_permission_levels.developer}"
          },
          {
            "workAppId": "${local.workapp_ids.github}",
            "userId": "${local.user_ids.bob}",
            "permissionLevelId": "${local.github_permission_levels.developer}"
          },
          {
            "workAppId": "${local.workapp_ids.github}",
            "userId": "${local.user_ids.charlie}",
            "permissionLevelId": "${local.github_permission_levels.admin}"
          }
        ]
      }
      EOF
      
      # Submit grants
      curl -X POST ${local.cakewalk_base_url}/api/v1/WorkApps/Accesses \
        -H "X-API-KEY: ${var.cakewalk_api_key}" \
        -H "X-API-SECRET: ${var.cakewalk_api_secret}" \
        -H "Content-Type: application/json" \
        -d @/tmp/github_grants.json
      
      rm /tmp/github_grants.json
    EOT
    
    interpreter = ["bash", "-c"]
  }
}

# Grant AWS access to senior engineers only
resource "null_resource" "grant_aws_access_senior" {
  triggers = {
    users = jsonencode([local.user_ids.alice, local.user_ids.charlie])
  }
  
  provisioner "local-exec" {
    command = <<-EOT
      cat > /tmp/aws_grants.json <<EOF
      {
        "data": [
          {
            "workAppId": "${local.workapp_ids.aws}",
            "userId": "${local.user_ids.alice}",
            "permissionLevelId": "${local.aws_permission_levels.admin}"
          },
          {
            "workAppId": "${local.workapp_ids.aws}",
            "userId": "${local.user_ids.charlie}",
            "permissionLevelId": "${local.aws_permission_levels.developer}"
          }
        ]
      }
      EOF
      
      curl -X POST ${local.cakewalk_base_url}/api/v1/WorkApps/Accesses \
        -H "X-API-KEY: ${var.cakewalk_api_key}" \
        -H "X-API-SECRET: ${var.cakewalk_api_secret}" \
        -H "Content-Type: application/json" \
        -d @/tmp/aws_grants.json
      
      rm /tmp/aws_grants.json
    EOT
    
    interpreter = ["bash", "-c"]
  }
}

output "github_workapp_id" {
  value = local.workapp_ids.github
}

output "aws_workapp_id" {
  value = local.workapp_ids.aws
}

2. Create Variables File

Create terraform.tfvars:

cakewalk_api_key   = "your-api-key"
cakewalk_api_secret = "your-api-secret"

3. Initialize Terraform

terraform init

4. Plan and Apply

# Review changes
terraform plan

# Apply changes
terraform apply

Advanced Configuration

Dynamic Data Fetching

For more advanced setups, you can fetch WorkApps and Users dynamically:

# Fetch all WorkApps
data "http" "workapps" {
  url = "${local.cakewalk_base_url}/api/v1/WorkApps"
  
  request_headers = {
    X-API-KEY    = var.cakewalk_api_key
    X-API-SECRET = var.cakewalk_api_secret
  }
}

# Fetch all Users
data "http" "users" {
  url = "${local.cakewalk_base_url}/api/v1/Users"
  
  request_headers = {
    X-API-KEY    = var.cakewalk_api_key
    X-API-SECRET = var.cakewalk_api_secret
  }
}

locals {
  workapps_data = jsondecode(data.http.workapps.response_body).data
  users_data    = jsondecode(data.http.users.response_body).data
  
  # Find IDs by name/email
  github_id = [for wa in local.workapps_data : wa.id if wa.name == "GitHub"][0]
  alice_id  = [for u in local.users_data : u.id if u.email == "[email protected]"][0]
}

Team-Based Configuration

Create separate configurations for different teams:

# Engineering team
locals {
  engineering_team = {
    github = {
      users = [local.user_ids.alice, local.user_ids.bob]
      permission_level = local.github_permission_levels.developer
    }
    aws = {
      users = [local.user_ids.alice, local.user_ids.charlie]
      permission_level = local.aws_permission_levels.developer
    }
  }
}

# Sales team
locals {
  sales_team = {
    salesforce = {
      users = [local.user_ids.david, local.user_ids.eve]
      permission_level = "SALESFORCE_USER_PERMISSION_UUID"
    }
    hubspot = {
      users = [local.user_ids.david, local.user_ids.eve]
      permission_level = "HUBSPOT_USER_PERMISSION_UUID"
    }
  }
}

State Management

For production use, configure remote state:

terraform {
  backend "s3" {
    bucket         = "your-terraform-state"
    key            = "cakewalk/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "terraform-locks"
  }
}

Customization

Adding New Teams

To add a new team, update the configuration:

locals {
  new_team = {
    app_name = {
      users = [local.user_ids.new_user]
      permission_level = "APP_PERMISSION_UUID"
    }
  }
}

Adding New Applications

To add a new application:

locals {
  workapp_ids = {
    # ... existing apps
    new_app = "NEW_APP_WORKAPP_UUID"
  }
  
  new_app_permission_levels = {
    user = "NEW_APP_USER_PERMISSION_UUID"
    admin = "NEW_APP_ADMIN_PERMISSION_UUID"
  }
}

Conditional Access

Add conditional access based on user attributes:

locals {
  senior_engineers = [
    for user in local.users_data : user.id
    if user.jobTitle == "Senior Engineer" || user.jobTitle == "Staff Engineer"
  ]
}

Monitoring & Troubleshooting

State Management

Use terraform plan to review changes before applying
Monitor state drift with terraform plan
Implement state locking to prevent concurrent modifications

Common Issues

"User not found" Error:

Verify the user exists in Cakewalk
Check user ID spelling and case sensitivity
Ensure the user has been invited to your organization

"401 Unauthorized" Error:

Verify API key and secret are correct
Check that credentials haven't expired
Ensure proper header formatting

"Resource conflicts" Error:

Check for duplicate access grants
Verify WorkApp and permission level IDs are correct

Security Considerations

API Credentials: Store as environment variables or use Terraform Cloud
State Management: Use remote state with encryption
Access Control: Limit who can modify Terraform configurations
Review Process: Implement code review for all changes

Next Steps

Set up monitoring: Configure alerts for Terraform failures
Add validation: Implement custom validation rules
Automate further: Consider triggering from other systems
Scale up: Expand to more teams and applications

Last updated 6 months ago

Was this helpful?

hashtagOverview

hashtagFeatures

hashtagPrerequisites

hashtagTerraform Dependencies

hashtagEnvironment Variables

hashtagRequired Information

hashtagSetup Instructions

hashtag1. Create the Terraform Configuration

hashtag2. Create Variables File

hashtag3. Initialize Terraform

hashtag4. Plan and Apply

hashtagAdvanced Configuration

hashtagDynamic Data Fetching

hashtagTeam-Based Configuration

hashtagState Management

hashtagCustomization

hashtagAdding New Teams

hashtagAdding New Applications

hashtagConditional Access

hashtagMonitoring & Troubleshooting

hashtagState Management

hashtagCommon Issues

hashtagSecurity Considerations

hashtagNext Steps

Overview

Features

Prerequisites

Terraform Dependencies

Environment Variables

Required Information

Setup Instructions

1. Create the Terraform Configuration

2. Create Variables File

3. Initialize Terraform

4. Plan and Apply

Advanced Configuration

Dynamic Data Fetching

Team-Based Configuration

State Management

Customization

Adding New Teams

Adding New Applications

Conditional Access

Monitoring & Troubleshooting

State Management

Common Issues

Security Considerations

Next Steps