stackitcloud
diff --git a/‎docs/data-sources/authorization_project_custom_role.md‎
Lines changed: 35 additions & 0 deletions b/‎docs/data-sources/authorization_project_custom_role.md‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎docs/resources/authorization_project_custom_role.md‎
Lines changed: 51 additions & 0 deletions b/‎docs/resources/authorization_project_custom_role.md‎
Lines changed: 51 additions & 0 deletions
diff --git a/‎examples/data-sources/stackit_authorization_project_custom_role/data-source.tf‎
Lines changed: 5 additions & 0 deletions b/‎examples/data-sources/stackit_authorization_project_custom_role/data-source.tf‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎examples/resources/stackit_authorization_project_custom_role/resource.tf‎
Lines changed: 21 additions & 0 deletions b/‎examples/resources/stackit_authorization_project_custom_role/resource.tf‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎stackit/internal/services/authorization/authorization_acc_test.go‎
Lines changed: 116 additions & 2 deletions b/‎stackit/internal/services/authorization/authorization_acc_test.go‎
Lines changed: 116 additions & 2 deletions
@@ -0,0 +1,35 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_authorization_project_custom_role Data Source - stackit"
+subcategory: ""
+description: |-
+  Custom Role resource schema.
+---
+
+# stackit_authorization_project_custom_role (Data Source)
+
+Custom Role resource schema.
+
+## Example Usage
+
+```terraform
+data "stackit_authorization_project_custom_role" "example" {
+  project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  name       = "my.custom.role"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `resource_id` (String) Resource to add the custom role to.
+- `role_id` (String) The ID of the role.
+
+### Read-Only
+
+- `description` (String) A human readable description of the role.
+- `id` (String) Terraform's internal resource identifier. It is structured as "[resource_id],[role_id]".
+- `name` (String) Name of the role
+- `permissions` (List of String) Permissions for the role
@@ -0,0 +1,51 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_authorization_project_custom_role Resource - stackit"
+subcategory: ""
+description: |-
+  Custom Role resource schema.
+---
+
+# stackit_authorization_project_custom_role (Resource)
+
+Custom Role resource schema.
+
+## Example Usage
+
+```terraform
+resource "stackit_resourcemanager_project" "example" {
+  name                = "example_project"
+  owner_email         = "foo.bar@stackit.cloud"
+  parent_container_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+
+resource "stackit_authorization_project_custom_role" "example" {
+  resource_id = stackit_resourcemanager_project.example.project_id
+  name        = "my.custom.role"
+  description = "Some description"
+  permissions = [
+    "iam.subject.get"
+  ]
+}
+
+# Only use the import statement, if you want to import an existing custom role
+import {
+  to = stackit_authorization_project_custom_role.import-example
+  id = "${var.project_id},${var.custom_role_id}"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `description` (String) A human readable description of the role.
+- `name` (String) Name of the role
+- `permissions` (List of String) Permissions for the role
+- `resource_id` (String) Resource to add the custom role to.
+
+### Read-Only
+
+- `id` (String) Terraform's internal resource identifier. It is structured as "[resource_id],[role_id]".
+- `role_id` (String) The ID of the role.
@@ -0,0 +1,5 @@
+data "stackit_authorization_project_custom_role" "example" {
+  project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  name       = "my.custom.role"
+}
+
@@ -0,0 +1,21 @@
+resource "stackit_resourcemanager_project" "example" {
+  name                = "example_project"
+  owner_email         = "foo.bar@stackit.cloud"
+  parent_container_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+
+resource "stackit_authorization_project_custom_role" "example" {
+  resource_id = stackit_resourcemanager_project.example.project_id
+  name        = "my.custom.role"
+  description = "Some description"
+  permissions = [
+    "iam.subject.get"
+  ]
+}
+
+# Only use the import statement, if you want to import an existing custom role
+import {
+  to = stackit_authorization_project_custom_role.import-example
+  id = "${var.project_id},${var.custom_role_id}"
+}
+
@@ -40,10 +40,15 @@ var (
 
 	//go:embed testdata/resource-org-role-assignment-duplicate.tf
 	resourceOrgRoleAssignmentDuplicate string
+
+	//go:embed testdata/custom-role.tf
+	customRole string
 )
 
-var testProjectName = fmt.Sprintf("proj-%s", acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum))
-var testFolderName = fmt.Sprintf("folder-%s", acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum))
+var (
+	testProjectName = fmt.Sprintf("proj-%s", acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum))
+	testFolderName  = fmt.Sprintf("folder-%s", acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum))
+)
 
 var testConfigVarsProjectRoleAssignment = config.Variables{
 	"name":                config.StringVariable(testProjectName),
@@ -67,6 +72,24 @@ var testConfigVarsOrgRoleAssignment = config.Variables{
 	"subject":             config.StringVariable(testutil.TestProjectServiceAccountEmail),
 }
 
+var testConfigVarsCustomRole = config.Variables{
+	"project_id":           config.StringVariable(testutil.ProjectId),
+	"test_service_account": config.StringVariable(testutil.TestProjectServiceAccountEmail),
+	"organization_id":      config.StringVariable(testutil.OrganizationId),
+	"role_name":            config.StringVariable(fmt.Sprintf("tf-acc-%s", acctest.RandStringFromCharSet(5, acctest.CharSetAlpha))),
+	"role_description":     config.StringVariable("Some description"),
+	"role_permissions_0":   config.StringVariable("iam.role.list"),
+}
+
+var testConfigVarsCustomRoleUpdated = config.Variables{
+	"project_id":           config.StringVariable(testutil.ProjectId),
+	"test_service_account": config.StringVariable(testutil.TestProjectServiceAccountEmail),
+	"organization_id":      config.StringVariable(testutil.OrganizationId),
+	"role_name":            config.StringVariable(fmt.Sprintf("tf-acc-%s", acctest.RandStringFromCharSet(5, acctest.CharSetAlpha))),
+	"role_description":     config.StringVariable("Updated description"),
+	"role_permissions_0":   config.StringVariable("iam.role.edit"),
+}
+
 func testConfigVarsProjectRoleAssignmentUpdated() config.Variables {
 	tempConfig := make(config.Variables, len(testConfigVarsProjectRoleAssignment))
 	maps.Copy(tempConfig, testConfigVarsProjectRoleAssignment)
@@ -480,3 +503,94 @@ func testAccCheckOrganizationRoleAssignmentDestroy(s *terraform.State) error {
 	_, _ = client.RemoveMembers(ctx, containerParentId).RemoveMembersPayload(payload).Execute()
 	return nil
 }
+
+func TestAccProjectCustomRoleResource(t *testing.T) {
+	t.Log("Testing org role assignment resource")
+	resource.Test(t, resource.TestCase{
+		ProtoV6ProviderFactories: testutil.TestAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				ConfigVariables: testConfigVarsCustomRole,
+				Config:          testutil.AuthorizationProviderConfig() + customRole,
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr("stackit_authorization_project_custom_role.custom-role", "resource_id", testutil.ConvertConfigVariable(testConfigVarsCustomRole["project_id"])),
+					resource.TestCheckResourceAttr("stackit_authorization_project_custom_role.custom-role", "name", testutil.ConvertConfigVariable(testConfigVarsCustomRole["role_name"])),
+					resource.TestCheckResourceAttr("stackit_authorization_project_custom_role.custom-role", "description", testutil.ConvertConfigVariable(testConfigVarsCustomRole["role_description"])),
+					resource.TestCheckResourceAttr("stackit_authorization_project_custom_role.custom-role", "permissions.#", "1"),
+					resource.TestCheckTypeSetElemAttr("stackit_authorization_project_custom_role.custom-role", "permissions.*", testutil.ConvertConfigVariable(testConfigVarsCustomRole["role_permissions_0"])),
+					resource.TestCheckResourceAttrSet("stackit_authorization_project_custom_role.custom-role", "role_id"),
+				),
+			},
+			// Data source
+			{
+				ConfigVariables: testConfigVarsCustomRole,
+				Config: fmt.Sprintf(`
+					%s
+
+					data "stackit_authorization_project_custom_role" "custom-role" {
+						resource_id  = stackit_authorization_project_custom_role.custom-role.resource_id
+						role_id  = stackit_authorization_project_custom_role.custom-role.role_id
+					}
+					`,
+					testutil.AuthorizationProviderConfig()+customRole,
+				),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr("data.stackit_authorization_project_custom_role.custom-role", "resource_id", testutil.ConvertConfigVariable(testConfigVarsCustomRole["project_id"])),
+					resource.TestCheckResourceAttrPair(
+						"stackit_authorization_project_custom_role.custom-role", "resource_id",
+						"data.stackit_authorization_project_custom_role.custom-role", "resource_id",
+					),
+					resource.TestCheckResourceAttrPair(
+						"stackit_authorization_project_custom_role.custom-role", "role_id",
+						"data.stackit_authorization_project_custom_role.custom-role", "role_id",
+					),
+					resource.TestCheckResourceAttrPair(
+						"stackit_authorization_project_custom_role.custom-role", "name",
+						"data.stackit_authorization_project_custom_role.custom-role", "name",
+					),
+					resource.TestCheckResourceAttrPair(
+						"stackit_authorization_project_custom_role.custom-role", "description",
+						"data.stackit_authorization_project_custom_role.custom-role", "description",
+					),
+					resource.TestCheckResourceAttrPair(
+						"stackit_authorization_project_custom_role.custom-role", "permissions",
+						"data.stackit_authorization_project_custom_role.custom-role", "permissions",
+					),
+				),
+			},
+			// Import
+			{
+				ConfigVariables: testConfigVarsCustomRole,
+				ResourceName:    "stackit_authorization_project_custom_role.custom-role",
+				ImportStateIdFunc: func(s *terraform.State) (string, error) {
+					r, ok := s.RootModule().Resources["stackit_authorization_project_custom_role.custom-role"]
+					if !ok {
+						return "", fmt.Errorf("couldn't find resource stackit_authorization_project_custom_role.custom-role")
+					}
+					roleId, ok := r.Primary.Attributes["role_id"]
+					if !ok {
+						return "", fmt.Errorf("couldn't find attribute role_id")
+					}
+
+					return fmt.Sprintf("%s,%s", testutil.ProjectId, roleId), nil
+				},
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			// Update
+			{
+				ConfigVariables: testConfigVarsCustomRoleUpdated,
+				Config:          testutil.AuthorizationProviderConfig() + customRole,
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr("stackit_authorization_project_custom_role.custom-role", "resource_id", testutil.ConvertConfigVariable(testConfigVarsCustomRoleUpdated["project_id"])),
+					resource.TestCheckResourceAttr("stackit_authorization_project_custom_role.custom-role", "name", testutil.ConvertConfigVariable(testConfigVarsCustomRoleUpdated["role_name"])),
+					resource.TestCheckResourceAttr("stackit_authorization_project_custom_role.custom-role", "description", testutil.ConvertConfigVariable(testConfigVarsCustomRoleUpdated["role_description"])),
+					resource.TestCheckResourceAttr("stackit_authorization_project_custom_role.custom-role", "permissions.#", "1"),
+					resource.TestCheckTypeSetElemAttr("stackit_authorization_project_custom_role.custom-role", "permissions.*", testutil.ConvertConfigVariable(testConfigVarsCustomRoleUpdated["role_permissions_0"])),
+					resource.TestCheckResourceAttrSet("stackit_authorization_project_custom_role.custom-role", "role_id"),
+				),
+			},
+			// Deletion is done by the framework implicitly
+		},
+	})
+}