[CC-27365] add user_role_grant resource

Previously, the provider supported user role management but only in an
authoritative way.  Using the user_role_grants resource would overwrite
all roles for a user.  This caused churn for terraform users trying to
manage user roles across multiple projects or via the console UI.  We
now add a resource, user_role_grant which allows management of a single
user role grant.  The existing user_role_grants resource is left to
maintain the previous functionality for those that need it.

As part of this changes, I've also renamed the role_resource files which
contain the user_role_grants resource after the full name of the role
since that seems to be the convention.

Additionally, cloud SDK is Update to 1.9.0

CHANGELOG.md

@@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- The `user_role_grant` resource was added to allow management of a single role
+  grant.  This resource will not affect other role grants. See
+  [user_role_grants](https://registry.terraform.io/providers/cockroachdb/cockroach/latest/docs/resources/user_role_grant)
+  for more information.
+
 ## [1.3.2] - 2024-03-15
 
 ### Changed

docs/resources/private_endpoint_services.md

@@ -3,12 +3,12 @@
 page_title: "cockroach_private_endpoint_services Resource - terraform-provider-cockroach"
 subcategory: ""
 description: |-
-  PrivateEndpointServices contains services that allow for for private connectivity to the CockroachDB Cloud cluster.
+  PrivateEndpointServices contains services that allow for private connectivity to the CockroachDB Cloud cluster.
 ---
 
 # cockroach_private_endpoint_services (Resource)
 
-PrivateEndpointServices contains services that allow for for private connectivity to the CockroachDB Cloud cluster.
+PrivateEndpointServices contains services that allow for private connectivity to the CockroachDB Cloud cluster.
 
 ## Example Usage
 
@@ -39,7 +39,7 @@ resource "cockroach_private_endpoint_services" "cockroach" {
 
 Read-Only:
 
-- `availability_zone_ids` (List of String) AZ IDs users should create their VPCs in to minimize their cost.
+- `availability_zone_ids` (List of String) Availability Zone IDs of the private endpoint service. It is recommended, for cost optimization purposes, to create the private endpoint spanning these same availability zones. For more information, see data transfer cost information for your cloud provider.
 - `aws` (Attributes, Deprecated) (see [below for nested schema](#nestedatt--services--aws))
 - `cloud_provider` (String) Cloud provider associated with this service.
 - `endpoint_service_id` (String) Server side ID of the private endpoint connection.

docs/resources/user_role_grant.md

@@ -0,0 +1,76 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "cockroach_user_role_grant Resource - terraform-provider-cockroach"
+subcategory: ""
+description: |-
+  A role grant for a user. This resource is recommended to be used when a user's roles are managed across multiple terraform projects or in conjunction with console UI granted roles. For authoritative management over a user's roles, use the userrolegrants user_role_grants resource.
+  As with all terraform resources, care must be taken to limit management of the same resource to a single project.
+---
+
+# cockroach_user_role_grant (Resource)
+
+A role grant for a user. This resource is recommended to be used when a user's roles are managed across multiple terraform projects or in conjunction with console UI granted roles. For authoritative management over a user's roles, use the [user_role_grants](user_role_grants) resource.
+
+ As with all terraform resources, care must be taken to limit management of the same resource to a single project.
+
+## Example Usage
+
+```terraform
+variable "user_id" {
+  type = string
+}
+
+resource "cockroach_user_role_grant" "admin_grant" {
+  user_id = var.user_id
+  role = {
+    role_name     = "CLUSTER_ADMIN",
+    resource_type = "CLUSTER",
+    resource_id   = cockroach_cluster.example.id
+  }
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `role` (Attributes) (see [below for nested schema](#nestedatt--role))
+- `user_id` (String) ID of the user to grant these roles to.
+
+<a id="nestedatt--role"></a>
+### Nested Schema for `role`
+
+Required:
+
+- `resource_type` (String) Type of resource. Allowed values are:
+  * ORGANIZATION
+  * CLUSTER
+  * FOLDER
+- `role_name` (String) Name of the role to grant. Allowed values are:
+  * BILLING_COORDINATOR
+  * ORG_ADMIN
+  * ORG_MEMBER
+  * CLUSTER_ADMIN
+  * CLUSTER_OPERATOR_WRITER
+  * CLUSTER_DEVELOPER
+  * CLUSTER_CREATOR
+  * FOLDER_ADMIN
+  * FOLDER_MOVER
+
+Optional:
+
+- `resource_id` (String) ID of the resource. Required if the resource_type is 'FOLDER' or 'CLUSTER'. It should be omitted otherwise.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# Cluster and folder level role grants can be imported using:
+# <user_id>,<role_name>,<resource_type>,<resource_id>
+terraform import cockroach_user_role_grant.admin_grant 1f69fdd2-600a-4cfc-a9ba-16995df0d77d,CLUSTER_ADMIN,CLUSTER,9b9d23fe-3848-40b2-a3c5-d8ccb1c4f831
+
+# Organization level grants can omit the resource_id
+terraform import cockroach_user_role_grant.org_level_grant 1f69fdd2-600a-4cfc-a9ba-16995df0d77d,ORG_ADMIN,ORGANIZATION
+```

docs/resources/user_role_grants.md

@@ -3,12 +3,12 @@
 page_title: "cockroach_user_role_grants Resource - terraform-provider-cockroach"
 subcategory: ""
 description: |-
-  Role grants for a single user.
+  Manage all the role grants for a user. This resource is authoritative.  If role grants are added elsewhere, for example, via the console UI or another terraform project, using this resource will try to reset them. Use the userrolegrant user_role_grant resource for non-authoritative role grants.
 ---
 
 # cockroach_user_role_grants (Resource)
 
-Role grants for a single user.
+Manage all the role grants for a user. This resource is authoritative.  If role grants are added elsewhere, for example, via the console UI or another terraform project, using this resource will try to reset them. Use the [user_role_grant](user_role_grant) resource for non-authoritative role grants.
 
 ## Example Usage
 
@@ -61,8 +61,6 @@ Required:
   * CLUSTER
   * FOLDER
 - `role_name` (String) Name of the role to grant. Allowed values are:
-  * DEVELOPER
-  * ADMIN
   * BILLING_COORDINATOR
   * ORG_ADMIN
   * ORG_MEMBER
@@ -75,6 +73,6 @@ Required:
 
 Optional:
 
-- `resource_id` (String) ID of the resource. Omit if resource_type is 'ORGANIZATION'.
+- `resource_id` (String) ID of the resource. Required if the resource_type is 'FOLDER' or 'CLUSTER'. It should be omitted otherwise.
 
 

examples/resources/cockroach_user_role_grant/import.sh

@@ -0,0 +1,6 @@
+# Cluster and folder level role grants can be imported using:
+# <user_id>,<role_name>,<resource_type>,<resource_id>
+terraform import cockroach_user_role_grant.admin_grant 1f69fdd2-600a-4cfc-a9ba-16995df0d77d,CLUSTER_ADMIN,CLUSTER,9b9d23fe-3848-40b2-a3c5-d8ccb1c4f831
+
+# Organization level grants can omit the resource_id
+terraform import cockroach_user_role_grant.org_level_grant 1f69fdd2-600a-4cfc-a9ba-16995df0d77d,ORG_ADMIN,ORGANIZATION

examples/resources/cockroach_user_role_grant/resource.tf

@@ -0,0 +1,12 @@
+variable "user_id" {
+  type = string
+}
+
+resource "cockroach_user_role_grant" "admin_grant" {
+  user_id = var.user_id
+  role = {
+    role_name     = "CLUSTER_ADMIN",
+    resource_type = "CLUSTER",
+    resource_id   = cockroach_cluster.example.id
+  }
+}

go.mod

@@ -5,7 +5,7 @@ go 1.21
 toolchain go1.21.0
 
 require (
-	github.com/cockroachdb/cockroach-cloud-sdk-go v1.8.0
+	github.com/cockroachdb/cockroach-cloud-sdk-go v1.9.0
 	github.com/golang/mock v1.6.0
 	github.com/google/uuid v1.4.0
 	github.com/hashicorp/go-retryablehttp v0.7.4

go.sum

@@ -27,8 +27,8 @@ github.com/bufbuild/protocompile v0.4.0 h1:LbFKd2XowZvQ/kajzguUp2DC9UEIQhIq77fZZ
 github.com/bufbuild/protocompile v0.4.0/go.mod h1:3v93+mbWn/v3xzN+31nwkJfrEpAUwp+BagBSZWx+TP8=
 github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
 github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
-github.com/cockroachdb/cockroach-cloud-sdk-go v1.8.0 h1:bz/hTomytW/XM8uFtYSF7nay/LW2u4vh0R06kGBm5Bk=
-github.com/cockroachdb/cockroach-cloud-sdk-go v1.8.0/go.mod h1:oG9ylbcVGOF7IbVAW2nx5F6ry9a2dZD1H9rd+qd4P60=
+github.com/cockroachdb/cockroach-cloud-sdk-go v1.9.0 h1:sChoEfkpNaAurC9I11WSZQ16sn4r9OeA931cfzElk+U=
+github.com/cockroachdb/cockroach-cloud-sdk-go v1.9.0/go.mod h1:oG9ylbcVGOF7IbVAW2nx5F6ry9a2dZD1H9rd+qd4P60=
 github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
 github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

internal/provider/models.go

@@ -271,12 +271,17 @@ type Role struct {
 	ResourceId   types.String `tfsdk:"resource_id"`
 }
 
-type RoleGrant struct {
+type UserRoleGrants struct {
 	ID     types.String `tfsdk:"id"`
 	UserId types.String `tfsdk:"user_id"`
 	Roles  []Role       `tfsdk:"roles"`
 }
 
+type UserRoleGrant struct {
+	UserID types.String `tfsdk:"user_id"`
+	Role   Role         `tfsdk:"role"`
+}
+
 type Folder struct {
 	ID       types.String `tfsdk:"id"`
 	Name     types.String `tfsdk:"name"`

internal/provider/provider.go

@@ -138,7 +138,8 @@ func (p *provider) Resources(_ context.Context) []func() resource.Resource {
 		NewMetricExportDatadogConfigResource,
 		NewMetricExportCloudWatchConfigResource,
 		NewClientCACertResource,
-		NewRoleResource,
+		NewUserRoleGrantsResource,
+		NewUserRoleGrantResource,
 		NewMaintenanceWindowResource,
 		NewVersionDeferralResource,
 		NewFolderResource,