Add force_unlock_workspace tool#371
Open
sebin wants to merge 3 commits into
Open
Conversation
Adds a new TFE tool that force-unlocks a Terraform workspace by ID via the go-tfe Workspaces.ForceUnlock API. This is intended as a recovery action when a workspace lock is stuck (for example after an interrupted run); using it while a run is still active can leave workspace state inconsistent, so the tool is annotated destructive and gated behind ENABLE_TF_OPERATIONS, matching delete_workspace_safely and action_run. - pkg/tools/tfe/force_unlock_workspace.go: tool + handler - pkg/tools/tfe/force_unlock_workspace_test.go: unit tests - pkg/tools/dynamic_tool.go: ENABLE_TF_OPERATIONS-gated registration - pkg/toolsets/mapping.go: maps tool to the Terraform toolset - cmd/terraform-mcp-server/instructions.md: documents the new tool
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #372.
Summary
force_unlock_workspacethat force-unlocks a Terraform workspace by ID via go-tfeWorkspaces.ForceUnlock.ReadOnlyHint=false,DestructiveHint=true,OpenWorldHint=true) and gated behindENABLE_TF_OPERATIONS, matchingdelete_workspace_safelyandaction_run.Why
The
force-unlockworkspace action is a recovery path operators need but it isn't exposed by the MCP server today. Engineers hitting a stuck workspace lock have to leave their AI assistant context and call the TFE API by hand. Adding it here closes that gap while keeping the operation gated behind the same opt-in flag as the other destructive workspace tools. See #372 for the full feature-request rationale and open questions.Changes
pkg/tools/tfe/force_unlock_workspace.go— tool definition + handler, follows thedelete_workspace_safelypattern.pkg/tools/tfe/force_unlock_workspace_test.go— unit tests for tool creation, annotations, parameter validation, ID format.pkg/tools/dynamic_tool.go— registers the tool whenENABLE_TF_OPERATIONS=trueand the toolset is enabled.pkg/toolsets/mapping.go— mapsforce_unlock_workspaceto theTerraformtoolset.cmd/terraform-mcp-server/instructions.md— documents the new tool under Workspace Management.CHANGELOG.md— entry under 0.5.3 FEATURES.Test plan
go build ./...cleango vet ./...cleango test ./...— 583 tests pass (10 packages)go test ./pkg/tools/tfe/ -run TestForceUnlock -v— 12 new assertions passPCI review checklist
ENABLE_TF_OPERATIONS, the same opt-in flag already used bydelete_workspace_safelyandaction_run. It additionally requires a validTFE_TOKENwhose principal must havecan-force-unlockpermission on the target workspace; the underlying TFE API enforces that.)