feat: RBAC datasources to provider

docs/data-sources/account_group.md

@@ -39,3 +39,4 @@ data "stacklet_account_group" "by_name" {
 - `dynamic_filter` (String) Dynamic filter for accounts matching. Null means not dynamic, empty string matches all accounts.
 - `id` (String) The GraphQL Node ID of the account group.
 - `regions` (List of String) The regions for the account group.
+- `role_assignment_target` (String) An opaque identifier for role assignments. Use this value when assigning roles to this resource.

docs/data-sources/policy_collection.md

@@ -40,6 +40,7 @@ data "stacklet_policy_collection" "by_name" {
 - `dynamic` (Boolean) Whether this is a dynamic policy collection.
 - `dynamic_config` (Attributes) Configuration for dynamic behavior. (see [below for nested schema](#nestedatt--dynamic_config))
 - `id` (String) The GraphQL Node ID of the policy collection.
+- `role_assignment_target` (String) An opaque identifier for role assignments. Use this value when assigning roles to this resource.
 - `system` (Boolean) Whether this is a system policy collection.
 
 <a id="nestedatt--dynamic_config"></a>

docs/data-sources/repository.md

@@ -41,6 +41,7 @@ data "stacklet_repository" "by_uuid" {
 - `has_ssh_private_key` (Boolean) Whether the repository has an SSH private key configured.
 - `id` (String) The GraphQL ID of the repository.
 - `name` (String) The name of the repository.
+- `role_assignment_target` (String) An opaque identifier for role assignments. Use this value when assigning roles to this resource.
 - `ssh_public_key` (String) If has_ssh_private_key, identifies that SSH private key.
 - `system` (Boolean) Whether this is a system repository (not user editable).
 - `webhook_url` (String) The URL of the webhook which triggers repository scans.

docs/data-sources/role.md

@@ -0,0 +1,53 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stacklet_role Data Source - terraform-provider-stacklet"
+subcategory: ""
+description: |-
+  Retrieve information about a role by name.
+---
+
+# stacklet_role (Data Source)
+
+Retrieve information about a role by name.
+
+## Example Usage
+
+```terraform
+# Fetch the "owner" system role
+data "stacklet_role" "owner" {
+  name = "owner"
+}
+
+# Fetch the "viewer" system role
+data "stacklet_role" "viewer" {
+  name = "viewer"
+}
+
+# Fetch the "editor" system role
+data "stacklet_role" "editor" {
+  name = "editor"
+}
+
+# Fetch the "admin" system role
+data "stacklet_role" "admin" {
+  name = "admin"
+}
+
+# Output the permissions for the owner role
+output "owner_permissions" {
+  value = data.stacklet_role.owner.permissions
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) The name of the role.
+
+### Read-Only
+
+- `id` (String) The GraphQL Node ID of the role.
+- `permissions` (List of String) The list of permissions granted by this role.
+- `system` (Boolean) Whether this is a system role (cannot be modified).

docs/data-sources/role_assignments.md

@@ -0,0 +1,92 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stacklet_role_assignments Data Source - terraform-provider-stacklet"
+subcategory: ""
+description: |-
+  Retrieve role assignments for a specific target. This data source allows you to query which principals (users or SSO groups) have been granted roles on a particular target (system, account group, policy collection, or repository).
+---
+
+# stacklet_role_assignments (Data Source)
+
+Retrieve role assignments for a specific target. This data source allows you to query which principals (users or SSO groups) have been granted roles on a particular target (system, account group, policy collection, or repository).
+
+## Example Usage
+
+```terraform
+# Query all system-level role assignments
+data "stacklet_role_assignments" "system_access" {
+  target = "system:all"
+}
+
+# Query role assignments for a specific account group
+data "stacklet_role_assignments" "production_acl" {
+  target = "account-group:00000000-0000-0000-0000-000000000001"
+}
+
+# Query role assignments for a policy collection
+data "stacklet_role_assignments" "security_policies_access" {
+  target = "policy-collection:00000000-0000-0000-0000-000000000002"
+}
+
+# Query role assignments for a repository
+data "stacklet_role_assignments" "repo_access" {
+  target = "repository:00000000-0000-0000-0000-000000000003"
+}
+
+# Output all system administrators
+output "system_admins" {
+  description = "All principals with system-level access"
+  value = [
+    for assignment in data.stacklet_role_assignments.system_access.assignments :
+    {
+      role      = assignment.role_name
+      principal = assignment.principal
+    }
+  ]
+}
+
+# Output production account group access control list
+output "production_access_summary" {
+  description = "Summary of who has access to the production account group"
+  value = {
+    total_assignments = length(data.stacklet_role_assignments.production_acl.assignments)
+    assignments       = data.stacklet_role_assignments.production_acl.assignments
+  }
+}
+
+# Check if specific user has access
+locals {
+  user_id_to_check = 123
+
+  user_has_production_access = anytrue([
+    for assignment in data.stacklet_role_assignments.production_acl.assignments :
+    assignment.principal.type == "user" && assignment.principal.id == local.user_id_to_check
+  ])
+}
+
+output "user_has_access" {
+  description = "Whether user 123 has any role on the production account group"
+  value       = local.user_has_production_access
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `target` (String) An opaque target identifier to query role assignments for. Use the 'role_assignment_target' attribute from resource outputs.
+
+### Read-Only
+
+- `assignments` (Attributes List) The list of role assignments for the target. (see [below for nested schema](#nestedatt--assignments))
+
+<a id="nestedatt--assignments"></a>
+### Nested Schema for `assignments`
+
+Read-Only:
+
+- `id` (String) The unique identifier of the role assignment.
+- `principal` (String) An opaque principal identifier.
+- `role_name` (String) The name of the role assigned.
+- `target` (String) An opaque target identifier.

docs/resources/account_group.md

@@ -46,6 +46,7 @@ resource "stacklet_account_group" "development" {
 ### Read-Only
 
 - `id` (String) The GraphQL Node ID of the account group.
+- `role_assignment_target` (String) An opaque identifier for role assignments. Use this value when assigning roles to this resource.
 - `uuid` (String) The UUID of the account group.
 
 ## Import

docs/resources/binding.md

@@ -82,14 +82,14 @@ resource "stacklet_binding" "example" {
 - `policy_resource_limit` (Block List) Per-policy overrides for resource limits for binding execution. Map keys are policy unqualified names. (see [below for nested schema](#nestedblock--policy_resource_limit))
 - `resource_limits` (Attributes) Default resource limits for binding execution. (see [below for nested schema](#nestedatt--resource_limits))
 - `schedule` (String) The schedule for the binding (e.g., 'rate(1 hour)', 'rate(2 hours)', or cron expression).
-- `security_context` (String) The binding execution security context.
 - `security_context_wo` (String, Sensitive, [Write-only](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments)) The input value for the security context for the execution configuration.
 - `security_context_wo_version` (String) The version for the security context. Must be changed to update security_context_wo.
 - `variables` (String) JSON-encoded dictionary of values used for policy templating.
 
 ### Read-Only
 
 - `id` (String) The GraphQL Node ID of the binding.
+- `security_context` (String) The binding execution security context.
 - `system` (Boolean) Whether the binding is a system one. Always false for resources.
 - `uuid` (String) The UUID of the binding.
 

docs/resources/policy_collection.md

@@ -55,6 +55,7 @@ resource "stacklet_policy_collection" "policies" {
 
 - `dynamic` (Boolean) Whether this is a dynamic policy collection.
 - `id` (String) The GraphQL Node ID of the policy collection.
+- `role_assignment_target` (String) An opaque identifier for role assignments. Use this value when assigning roles to this resource.
 - `system` (Boolean) Whether this is a system policy collection.
 - `uuid` (String) The UUID of the policy collection.
 

docs/resources/repository.md

@@ -80,6 +80,7 @@ resource "stacklet_repository" "example_codecommit" {
 - `has_ssh_passphrase` (Boolean) Whether ssh_passphrase_wo has a value set.
 - `has_ssh_private_key` (Boolean) Whether ssh_private_key_wo has a value set.
 - `id` (String) The GraphQL node ID.
+- `role_assignment_target` (String) An opaque identifier for role assignments. Use this value when assigning roles to this resource.
 - `ssh_public_key` (String) The public key associated with the value set via ssh_private_key_wo.
 - `system` (Boolean) System repositories cannot be changed.
 - `uuid` (String) The UUID of the repository.

examples/data-sources/stacklet_role/data-source.tf

@@ -0,0 +1,24 @@
+# Fetch the "owner" system role
+data "stacklet_role" "owner" {
+  name = "owner"
+}
+
+# Fetch the "viewer" system role
+data "stacklet_role" "viewer" {
+  name = "viewer"
+}
+
+# Fetch the "editor" system role
+data "stacklet_role" "editor" {
+  name = "editor"
+}
+
+# Fetch the "admin" system role
+data "stacklet_role" "admin" {
+  name = "admin"
+}
+
+# Output the permissions for the owner role
+output "owner_permissions" {
+  value = data.stacklet_role.owner.permissions
+}

examples/data-sources/stacklet_role_assignments/data-source.tf

@@ -0,0 +1,55 @@
+# Query all system-level role assignments
+data "stacklet_role_assignments" "system_access" {
+  target = "system:all"
+}
+
+# Query role assignments for a specific account group
+data "stacklet_role_assignments" "production_acl" {
+  target = "account-group:00000000-0000-0000-0000-000000000001"
+}
+
+# Query role assignments for a policy collection
+data "stacklet_role_assignments" "security_policies_access" {
+  target = "policy-collection:00000000-0000-0000-0000-000000000002"
+}
+
+# Query role assignments for a repository
+data "stacklet_role_assignments" "repo_access" {
+  target = "repository:00000000-0000-0000-0000-000000000003"
+}
+
+# Output all system administrators
+output "system_admins" {
+  description = "All principals with system-level access"
+  value = [
+    for assignment in data.stacklet_role_assignments.system_access.assignments :
+    {
+      role      = assignment.role_name
+      principal = assignment.principal
+    }
+  ]
+}
+
+# Output production account group access control list
+output "production_access_summary" {
+  description = "Summary of who has access to the production account group"
+  value = {
+    total_assignments = length(data.stacklet_role_assignments.production_acl.assignments)
+    assignments       = data.stacklet_role_assignments.production_acl.assignments
+  }
+}
+
+# Check if specific user has access
+locals {
+  user_id_to_check = 123
+
+  user_has_production_access = anytrue([
+    for assignment in data.stacklet_role_assignments.production_acl.assignments :
+    assignment.principal.type == "user" && assignment.principal.id == local.user_id_to_check
+  ])
+}
+
+output "user_has_access" {
+  description = "Whether user 123 has any role on the production account group"
+  value       = local.user_has_production_access
+}

internal/acceptance_tests/recordings/TestAccAccountGroupDataSource.json

@@ -1,8 +1,8 @@
 {
-  "mutation ($input:AddAccountGroupInput!){addAccountGroup(input: $input){group{id,uuid,name,description,dynamicFilter,provider,regions}}}:{\"input\":{\"description\":\"Test account group\",\"name\":\"test-group-ds\",\"provider\":\"AWS\",\"regions\":[\"us-east-1\"]}}": [
+  "mutation ($input:AddAccountGroupInput!){addAccountGroup(input: $input){group{id,uuid,name,description,dynamicFilter,provider,regions,roleAssignmentTarget}}}:{\"input\":{\"description\":\"Test account group\",\"name\":\"test-group-ds\",\"provider\":\"AWS\",\"regions\":[\"us-east-1\"]}}": [
     {
       "request": {
-        "query": "mutation ($input:AddAccountGroupInput!){addAccountGroup(input: $input){group{id,uuid,name,description,dynamicFilter,provider,regions}}}",
+        "query": "mutation ($input:AddAccountGroupInput!){addAccountGroup(input: $input){group{id,uuid,name,description,dynamicFilter,provider,regions,roleAssignmentTarget}}}",
         "variables": {
           "input": {
             "description": "Test account group",
@@ -26,7 +26,8 @@
               "regions": [
                 "us-east-1"
               ],
-              "uuid": "f8511577-a9a1-45b3-b581-c92c7127d532"
+              "uuid": "f8511577-a9a1-45b3-b581-c92c7127d532",
+              "roleAssignmentTarget": "account-group:f8511577-a9a1-45b3-b581-c92c7127d532"
             }
           }
         }
@@ -52,10 +53,10 @@
       }
     }
   ],
-  "query ($name:String!$uuid:String!){accountGroup(uuid: $uuid, name: $name){id,uuid,name,description,dynamicFilter,provider,regions}}:{\"name\":\"\",\"uuid\":\"f8511577-a9a1-45b3-b581-c92c7127d532\"}": [
+  "query ($name:String!$uuid:String!){accountGroup(uuid: $uuid, name: $name){id,uuid,name,description,dynamicFilter,provider,regions,roleAssignmentTarget}}:{\"name\":\"\",\"uuid\":\"f8511577-a9a1-45b3-b581-c92c7127d532\"}": [
     {
       "request": {
-        "query": "query ($name:String!$uuid:String!){accountGroup(uuid: $uuid, name: $name){id,uuid,name,description,dynamicFilter,provider,regions}}",
+        "query": "query ($name:String!$uuid:String!){accountGroup(uuid: $uuid, name: $name){id,uuid,name,description,dynamicFilter,provider,regions,roleAssignmentTarget}}",
         "variables": {
           "name": "",
           "uuid": "f8511577-a9a1-45b3-b581-c92c7127d532"
@@ -72,16 +73,17 @@
             "regions": [
               "us-east-1"
             ],
-            "uuid": "f8511577-a9a1-45b3-b581-c92c7127d532"
+            "uuid": "f8511577-a9a1-45b3-b581-c92c7127d532",
+            "roleAssignmentTarget": "account-group:f8511577-a9a1-45b3-b581-c92c7127d532"
           }
         }
       }
     }
   ],
-  "query ($name:String!$uuid:String!){accountGroup(uuid: $uuid, name: $name){id,uuid,name,description,dynamicFilter,provider,regions}}:{\"name\":\"test-group-ds\",\"uuid\":\"\"}": [
+  "query ($name:String!$uuid:String!){accountGroup(uuid: $uuid, name: $name){id,uuid,name,description,dynamicFilter,provider,regions,roleAssignmentTarget}}:{\"name\":\"test-group-ds\",\"uuid\":\"\"}": [
     {
       "request": {
-        "query": "query ($name:String!$uuid:String!){accountGroup(uuid: $uuid, name: $name){id,uuid,name,description,dynamicFilter,provider,regions}}",
+        "query": "query ($name:String!$uuid:String!){accountGroup(uuid: $uuid, name: $name){id,uuid,name,description,dynamicFilter,provider,regions,roleAssignmentTarget}}",
         "variables": {
           "name": "test-group-ds",
           "uuid": ""
@@ -98,14 +100,15 @@
             "regions": [
               "us-east-1"
             ],
-            "uuid": "f8511577-a9a1-45b3-b581-c92c7127d532"
+            "uuid": "f8511577-a9a1-45b3-b581-c92c7127d532",
+            "roleAssignmentTarget": "account-group:f8511577-a9a1-45b3-b581-c92c7127d532"
           }
         }
       }
     },
     {
       "request": {
-        "query": "query ($name:String!$uuid:String!){accountGroup(uuid: $uuid, name: $name){id,uuid,name,description,dynamicFilter,provider,regions}}",
+        "query": "query ($name:String!$uuid:String!){accountGroup(uuid: $uuid, name: $name){id,uuid,name,description,dynamicFilter,provider,regions,roleAssignmentTarget}}",
         "variables": {
           "name": "test-group-ds",
           "uuid": ""
@@ -122,14 +125,15 @@
             "regions": [
               "us-east-1"
             ],
-            "uuid": "f8511577-a9a1-45b3-b581-c92c7127d532"
+            "uuid": "f8511577-a9a1-45b3-b581-c92c7127d532",
+            "roleAssignmentTarget": "account-group:f8511577-a9a1-45b3-b581-c92c7127d532"
           }
         }
       }
     },
     {
       "request": {
-        "query": "query ($name:String!$uuid:String!){accountGroup(uuid: $uuid, name: $name){id,uuid,name,description,dynamicFilter,provider,regions}}",
+        "query": "query ($name:String!$uuid:String!){accountGroup(uuid: $uuid, name: $name){id,uuid,name,description,dynamicFilter,provider,regions,roleAssignmentTarget}}",
         "variables": {
           "name": "test-group-ds",
           "uuid": ""
@@ -146,7 +150,8 @@
             "regions": [
               "us-east-1"
             ],
-            "uuid": "f8511577-a9a1-45b3-b581-c92c7127d532"
+            "uuid": "f8511577-a9a1-45b3-b581-c92c7127d532",
+            "roleAssignmentTarget": "account-group:f8511577-a9a1-45b3-b581-c92c7127d532"
           }
         }
       }