hashicorp · dadgar · Nov 2, 2023 · Oct 25, 2023 · Oct 30, 2023 · Oct 30, 2023
@@ -0,0 +1,23 @@
+```release-note:feature
+ Add `hcp_organization_iam_policy` resource.
+ ```
+
+```release-note:feature
+ Add `hcp_organization_iam_binding` resource.
+ ```
+
+```release-note:feature
+ Add `hcp_project_iam_policy` resource.
+ ```
+
+```release-note:feature
+ Add `hcp_project_iam_binding` resource.
+ ```
+
+ ```release-note:feature
+ Add `hcp_iam_policy` data source.
+ ```
+
+ ```release-note:improvement
+ Update to Go 1.21.
+ ```
@@ -1 +1 @@
-1.20.7
+1.21.3
@@ -8,7 +8,7 @@ To learn more about how to create issues and pull requests in this repository, a
 ## Requirements
 
 - [Terraform](https://www.terraform.io/downloads.html) >= 1.1.5
-- [Go](https://golang.org/doc/install) >= 1.20
+- [Go](https://golang.org/doc/install) >= 1.21
 
 ## Building the Provider
 

@@ -0,0 +1,68 @@
+---
+page_title: "hcp_iam_policy Data Source - terraform-provider-hcp"
+subcategory: "Cloud Platform"
+description: |-
+  Generates an IAM policy that may be referenced by and applied to other HCP IAM resources, such as the hcp_project_iam_policy resource.
+---
+
+# hcp_iam_policy (Data Source)
+
+Generates an IAM policy that may be referenced by and applied to other HCP IAM resources, such as the `hcp_project_iam_policy` resource.
+
+To see what each role grants, please see [HCP
+Documentation](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/users#organization-role).
+The basic roles can be referenced as follows:
+
+* `roles/owner`
+* `roles/admin`
+* `roles/contributor`
+* `roles/viewer`
+
+## Example Usage
+
+```terraform
+data "hcp_iam_policy" "example" {
+  bindings = [
+    {
+      role = "roles/admin"
+      principals = [
+        "example-user-id-1",
+        "example-group-id-1",
+        "example-sp-1"
+      ]
+    },
+    {
+      role = "roles/contributor"
+      principals = [
+        "example-user-id-2",
+        "example-group-id-2",
+      ]
+    },
+    {
+      role = "roles/viewer"
+      principals = [
+        "example-sp-3"
+      ]
+    },
+  ]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `bindings` (Attributes Set) A binding associates a set of principals to a role. (see [below for nested schema](#nestedatt--bindings))
+
+### Read-Only
+
+- `policy_data` (String) The policy data in a format suitable for reference by resources that support setting IAM policy.
+
+<a id="nestedatt--bindings"></a>
+### Nested Schema for `bindings`
+
+Required:
+
+- `principals` (Set of String) The set of principals to bind to the given role.
+- `role` (String) The role name to bind to the given principals.
@@ -0,0 +1,37 @@
+---
+page_title: "Resource hcp_organization_iam_binding - terraform-provider-hcp"
+subcategory: "Cloud Platform"
+description: |-
+  Updates the organization's IAM policy to bind a role to a new member. Existing bindings are preserved.
+---
+
+# hcp_organization_iam_binding (Resource)
+
+Updates the organization's IAM policy to bind a role to a new member. Existing bindings are preserved.
+
+~> **Note:** `hcp_organization_iam_binding` can not be used in conjunction with
+`hcp_organization_iam_policy`.
+
+## Example Usage
+
+```terraform
+data "hcp_organization" "example_org" {}
+
+resource "hcp_service_principal" "sp" {
+  name   = "example-sp"
+  parent = data.hcp_organization.example_org.resource_name
+}
+
+resource "hcp_organization_iam_binding" "example" {
+  principal_id = hcp_service_principal.sp.resource_id
+  role         = "roles/contributor"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `principal_id` (String) The principal to bind to the given role.
+- `role` (String) The role name to bind to the given principal.
@@ -0,0 +1,68 @@
+---
+page_title: "Resource hcp_organization_iam_policy - terraform-provider-hcp"
+subcategory: "Cloud Platform"
+description: |-
+  Sets the organization's IAM policy and replaces any existing policy.
+---
+
+# hcp_organization_iam_policy (Resource)
+
+!> **Be Careful!** You can accidentally lock yourself and others out of your
+organization using this resource. In general, this resource should only be used
+with organizations fully managed by Terraform. If you are trying to additively
+give permissions to the organization, prefer using
+`hcp_organization_iam_binding`. If you do use this resource, it is recommended
+to import the policy and carefully inspecting the planned changes before
+applying.
+
+Sets the organization's IAM policy and replaces any existing policy.
+
+~> **Note:** `hcp_organization_iam_policy` can not be used in conjunction with
+`hcp_organization_iam_binding`.
+
+## Example Usage
+
+```terraform
+data "hcp_iam_policy" "example" {
+  bindings = [
+    {
+      role = "roles/owner"
+      principals = [
+        "example-user-id-1",
+      ]
+    },
+    {
+      role = "roles/admin"
+      principals = [
+        "example-group-id-1",
+        "example-sp-1"
+      ]
+    },
+  ]
+}
+
+resource "hcp_organization_iam_policy" "org_policy" {
+  policy_data = data.hcp_iam_policy.example.policy_data
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `policy_data` (String) The policy to apply.
+
+### Read-Only
+
+- `etag` (String) The etag captures the existing state of the policy.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# No import ID is needed. The organization is determined by the provider
+# configuration.
+terraform import hcp_organization_iam_policy.example ""
+```
@@ -0,0 +1,44 @@
+---
+page_title: "Resource hcp_project_iam_binding - terraform-provider-hcp"
+subcategory: "Cloud Platform"
+description: |-
+  Updates the project's IAM policy to bind a role to a new member. Existing bindings are preserved.
+---
+
+# hcp_project_iam_binding (Resource)
+
+Updates the project's IAM policy to bind a role to a new member. Existing bindings are preserved.
+
+~> **Note:** `hcp_project_iam_binding` can not be used in conjunction with
+`hcp_project_iam_policy`.
+
+## Example Usage
+
+```terraform
+resource "hcp_project" "example" {
+  name = "example"
+}
+
+resource "hcp_service_principal" "sp" {
+  name   = "example-sp"
+  parent = hcp_project.example.resource_name
+}
+
+resource "hcp_project_iam_binding" "example" {
+  project_id   = hcp_project.example.resource_id
+  principal_id = hcp_service_principal.sp.resource_id
+  role         = "roles/contributor"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `principal_id` (String) The principal to bind to the given role.
+- `role` (String) The role name to bind to the given principal.
+
+### Optional
+
+- `project_id` (String) The ID of the HCP project to apply the IAM Policy to. If unspecified, the project configured on the provider is used.
@@ -0,0 +1,72 @@
+---
+page_title: "Resource hcp_project_iam_policy - terraform-provider-hcp"
+subcategory: "Cloud Platform"
+description: |-
+  Sets the project's IAM policy and replaces any existing policy.
+---
+
+# hcp_project_iam_policy (Resource)
+
+!> **Be Careful!** You can accidentally lock yourself out of your project using
+this resource. Deleting a hcp_project_iam_policy removes access from anyone
+without organization-level access to the project. It is not recommended to use
+hcp_project_iam_policy with your provider project to avoid locking yourself out,
+and it should generally only be used with projects fully managed by Terraform.
+If you are trying to additively give permissions to the project, prefer using
+`hcp_project_iam_binding`. If you do use this resource, it is recommended to
+import the policy before applying the change.
+
+Sets the project's IAM policy and replaces any existing policy.
+
+~> **Note:** `hcp_project_iam_policy` can not be used in conjunction with
+`hcp_project_iam_binding`.
+
+## Example Usage
+
+```terraform
+data "hcp_iam_policy" "example" {
+  bindings = [
+    {
+      role = "roles/contributor"
+      principals = [
+        "example-user-id-1",
+        "example-group-id-1",
+        "example-sp-1"
+      ]
+    },
+  ]
+}
+
+resource "hcp_project" "my_project" {
+  name = "example"
+}
+
+resource "hcp_project_iam_policy" "project_policy" {
+  project_id  = hcp_project.my_project.resource_id
+  policy_data = data.hcp_iam_policy.example.policy_data
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `policy_data` (String) The policy to apply.
+
+### Optional
+
+- `project_id` (String) The ID of the HCP project to apply the IAM Policy to. If unspecified, the project configured on the provider is used.
+
+### Read-Only
+
+- `etag` (String) The etag captures the existing state of the policy.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# Project IAM Policy can be imported by specifying the project id
+terraform import hcp_project_iam_policy.example 840e3701-55b6-4f86-8c17-b1fe397303c5
+```
@@ -0,0 +1,25 @@
+data "hcp_iam_policy" "example" {
+  bindings = [
+    {
+      role = "roles/admin"
+      principals = [
+        "example-user-id-1",
+        "example-group-id-1",
+        "example-sp-1"
+      ]
+    },
+    {
+      role = "roles/contributor"
+      principals = [
+        "example-user-id-2",
+        "example-group-id-2",
+      ]
+    },
+    {
+      role = "roles/viewer"
+      principals = [
+        "example-sp-3"
+      ]
+    },
+  ]
+}
@@ -0,0 +1,11 @@
+data "hcp_organization" "example_org" {}
+
+resource "hcp_service_principal" "sp" {
+  name   = "example-sp"
+  parent = data.hcp_organization.example_org.resource_name
+}
+
+resource "hcp_organization_iam_binding" "example" {
+  principal_id = hcp_service_principal.sp.resource_id
+  role         = "roles/contributor"
+}
@@ -0,0 +1,3 @@
+# No import ID is needed. The organization is determined by the provider
+# configuration.
+terraform import hcp_organization_iam_policy.example ""
@@ -0,0 +1,21 @@
+data "hcp_iam_policy" "example" {
+  bindings = [
+    {
+      role = "roles/owner"
+      principals = [
+        "example-user-id-1",
+      ]
+    },
+    {
+      role = "roles/admin"
+      principals = [
+        "example-group-id-1",
+        "example-sp-1"
+      ]
+    },
+  ]
+}
+
+resource "hcp_organization_iam_policy" "org_policy" {
+  policy_data = data.hcp_iam_policy.example.policy_data
+}