feat: RBAC datasources to provider (#163)

● [ENG-5987](https://stacklet.atlassian.net/browse/ENG-5987)

  ### what

  <!-- What does this change do? -->

This PR adds two new Terraform data sources for RBAC (Role-Based Access
Control):
  1. `stacklet_role` - Query role information by name
2. `stacklet_role_assignments` - Query role assignments for specific
targets (system, account groups, policy collections, repositories)

  ### why

  <!-- Why is this change being made? -->

  These data sources enable users to:
  - Query existing roles and their permissions
- Discover which principals (users/SSO groups) have access to specific
resources
  - Build access control auditing and reporting workflows in Terraform
  - Reference role information in other Terraform configurations

This is part of the RBAC support feature set, specifically focusing on
read-only data sources (resources will be added in a separate PR).

  ### testing

  <!-- How was this change tested? -->
- [x] Added acceptance tests with recordings for `stacklet_role` data
source
  - [x] All existing acceptance tests pass
  - [x] Go unit tests pass
  - [x] Terraform validation passes (`just lint-tf`)
  - [x] Code builds successfully
  - [x] API integration tested with filter-based GraphQL queries

  ### docs

  <!--
  Does this change need docs?

  - a release note in NEWS.MD
  - user-facing docs in stacklet/docs
  - runbook update in stacklet/docs
  - internal docs in Confluence or elsewhere?

  Please include a link to the new docs or ticket to create them.
  -->

- Example Terraform configurations added in
`examples/data-sources/stacklet_role/` and
`examples/data-sources/stacklet_role_assignments/`
  - Schema documentation included in datasource definitions
  - Release notes should be added to NEWS.MD when merged

[ENG-5987]:
https://stacklet.atlassian.net/browse/ENG-5987?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

---------

Co-authored-by: Claude Sonnet 4.5 <[email protected]>

Author: ChrisMcKenzie

docs/data-sources/account_group.md

@@ -39,3 +39,4 @@ data "stacklet_account_group" "by_name" {
 - `dynamic_filter` (String) Dynamic filter for accounts matching. Null means not dynamic, empty string matches all accounts.
 - `id` (String) The GraphQL Node ID of the account group.
 - `regions` (List of String) The regions for the account group.
+- `role_assignment_target` (String) An opaque identifier for role assignments. Use this value when assigning roles to this resource.

docs/data-sources/policy_collection.md

@@ -40,6 +40,7 @@ data "stacklet_policy_collection" "by_name" {
 - `dynamic` (Boolean) Whether this is a dynamic policy collection.
 - `dynamic_config` (Attributes) Configuration for dynamic behavior. (see [below for nested schema](#nestedatt--dynamic_config))
 - `id` (String) The GraphQL Node ID of the policy collection.
+- `role_assignment_target` (String) An opaque identifier for role assignments. Use this value when assigning roles to this resource.
 - `system` (Boolean) Whether this is a system policy collection.
 
 <a id="nestedatt--dynamic_config"></a>

docs/data-sources/repository.md

@@ -41,6 +41,7 @@ data "stacklet_repository" "by_uuid" {
 - `has_ssh_private_key` (Boolean) Whether the repository has an SSH private key configured.
 - `id` (String) The GraphQL ID of the repository.
 - `name` (String) The name of the repository.
+- `role_assignment_target` (String) An opaque identifier for role assignments. Use this value when assigning roles to this resource.
 - `ssh_public_key` (String) If has_ssh_private_key, identifies that SSH private key.
 - `system` (Boolean) Whether this is a system repository (not user editable).
 - `webhook_url` (String) The URL of the webhook which triggers repository scans.

docs/data-sources/role.md

@@ -0,0 +1,53 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stacklet_role Data Source - terraform-provider-stacklet"
+subcategory: ""
+description: |-
+  Retrieve information about a role by name.
+---
+
+# stacklet_role (Data Source)
+
+Retrieve information about a role by name.
+
+## Example Usage
+
+```terraform
+# Fetch the "owner" system role
+data "stacklet_role" "owner" {
+  name = "owner"
+}
+
+# Fetch the "viewer" system role
+data "stacklet_role" "viewer" {
+  name = "viewer"
+}
+
+# Fetch the "editor" system role
+data "stacklet_role" "editor" {
+  name = "editor"
+}
+
+# Fetch the "admin" system role
+data "stacklet_role" "admin" {
+  name = "admin"
+}
+
+# Output the permissions for the owner role
+output "owner_permissions" {
+  value = data.stacklet_role.owner.permissions
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) The name of the role.
+
+### Read-Only
+
+- `id` (String) The GraphQL Node ID of the role.
+- `permissions` (List of String) The list of permissions granted by this role.
+- `system` (Boolean) Whether this is a system role (cannot be modified).

docs/data-sources/role_assignments.md

@@ -0,0 +1,92 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stacklet_role_assignments Data Source - terraform-provider-stacklet"
+subcategory: ""
+description: |-
+  Retrieve role assignments for a specific target. This data source allows you to query which principals (users or SSO groups) have been granted roles on a particular target (system, account group, policy collection, or repository).
+---
+
+# stacklet_role_assignments (Data Source)
+
+Retrieve role assignments for a specific target. This data source allows you to query which principals (users or SSO groups) have been granted roles on a particular target (system, account group, policy collection, or repository).
+
+## Example Usage
+
+```terraform
+# Query all system-level role assignments
+data "stacklet_role_assignments" "system_access" {
+  target = "system:all"
+}
+
+# Query role assignments for a specific account group
+data "stacklet_role_assignments" "production_acl" {
+  target = "account-group:00000000-0000-0000-0000-000000000001"
+}
+
+# Query role assignments for a policy collection
+data "stacklet_role_assignments" "security_policies_access" {
+  target = "policy-collection:00000000-0000-0000-0000-000000000002"
+}
+
+# Query role assignments for a repository
+data "stacklet_role_assignments" "repo_access" {
+  target = "repository:00000000-0000-0000-0000-000000000003"
+}
+
+# Output all system administrators
+output "system_admins" {
+  description = "All principals with system-level access"
+  value = [
+    for assignment in data.stacklet_role_assignments.system_access.assignments :
+    {
+      role      = assignment.role_name
+      principal = assignment.principal
+    }
+  ]
+}
+
+# Output production account group access control list
+output "production_access_summary" {
+  description = "Summary of who has access to the production account group"
+  value = {
+    total_assignments = length(data.stacklet_role_assignments.production_acl.assignments)
+    assignments       = data.stacklet_role_assignments.production_acl.assignments
+  }
+}
+
+# Check if specific user has access
+locals {
+  user_id_to_check = 123
+
+  user_has_production_access = anytrue([
+    for assignment in data.stacklet_role_assignments.production_acl.assignments :
+    assignment.principal.type == "user" && assignment.principal.id == local.user_id_to_check
+  ])
+}
+
+output "user_has_access" {
+  description = "Whether user 123 has any role on the production account group"
+  value       = local.user_has_production_access
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `target` (String) An opaque target identifier to query role assignments for. Use the 'role_assignment_target' attribute from resource outputs.
+
+### Read-Only
+
+- `assignments` (Attributes List) The list of role assignments for the target. (see [below for nested schema](#nestedatt--assignments))
+
+<a id="nestedatt--assignments"></a>
+### Nested Schema for `assignments`
+
+Read-Only:
+
+- `id` (String) The unique identifier of the role assignment.
+- `principal` (String) An opaque principal identifier.
+- `role_name` (String) The name of the role assigned.
+- `target` (String) An opaque target identifier.

docs/resources/account_group.md

@@ -46,6 +46,7 @@ resource "stacklet_account_group" "development" {
 ### Read-Only
 
 - `id` (String) The GraphQL Node ID of the account group.
+- `role_assignment_target` (String) An opaque identifier for role assignments. Use this value when assigning roles to this resource.
 - `uuid` (String) The UUID of the account group.
 
 ## Import

docs/resources/binding.md

@@ -82,14 +82,14 @@ resource "stacklet_binding" "example" {
 - `policy_resource_limit` (Block List) Per-policy overrides for resource limits for binding execution. Map keys are policy unqualified names. (see [below for nested schema](#nestedblock--policy_resource_limit))
 - `resource_limits` (Attributes) Default resource limits for binding execution. (see [below for nested schema](#nestedatt--resource_limits))
 - `schedule` (String) The schedule for the binding (e.g., 'rate(1 hour)', 'rate(2 hours)', or cron expression).
-- `security_context` (String) The binding execution security context.
 - `security_context_wo` (String, Sensitive, [Write-only](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments)) The input value for the security context for the execution configuration.
 - `security_context_wo_version` (String) The version for the security context. Must be changed to update security_context_wo.
 - `variables` (String) JSON-encoded dictionary of values used for policy templating.
 
 ### Read-Only
 
 - `id` (String) The GraphQL Node ID of the binding.
+- `security_context` (String) The binding execution security context.
 - `system` (Boolean) Whether the binding is a system one. Always false for resources.
 - `uuid` (String) The UUID of the binding.
 

docs/resources/policy_collection.md

@@ -55,6 +55,7 @@ resource "stacklet_policy_collection" "policies" {
 
 - `dynamic` (Boolean) Whether this is a dynamic policy collection.
 - `id` (String) The GraphQL Node ID of the policy collection.
+- `role_assignment_target` (String) An opaque identifier for role assignments. Use this value when assigning roles to this resource.
 - `system` (Boolean) Whether this is a system policy collection.
 - `uuid` (String) The UUID of the policy collection.
 

docs/resources/repository.md

@@ -80,6 +80,7 @@ resource "stacklet_repository" "example_codecommit" {
 - `has_ssh_passphrase` (Boolean) Whether ssh_passphrase_wo has a value set.
 - `has_ssh_private_key` (Boolean) Whether ssh_private_key_wo has a value set.
 - `id` (String) The GraphQL node ID.
+- `role_assignment_target` (String) An opaque identifier for role assignments. Use this value when assigning roles to this resource.
 - `ssh_public_key` (String) The public key associated with the value set via ssh_private_key_wo.
 - `system` (Boolean) System repositories cannot be changed.
 - `uuid` (String) The UUID of the repository.

examples/data-sources/stacklet_role/data-source.tf

@@ -0,0 +1,24 @@
+# Fetch the "owner" system role
+data "stacklet_role" "owner" {
+  name = "owner"
+}
+
+# Fetch the "viewer" system role
+data "stacklet_role" "viewer" {
+  name = "viewer"
+}
+
+# Fetch the "editor" system role
+data "stacklet_role" "editor" {
+  name = "editor"
+}
+
+# Fetch the "admin" system role
+data "stacklet_role" "admin" {
+  name = "admin"
+}
+
+# Output the permissions for the owner role
+output "owner_permissions" {
+  value = data.stacklet_role.owner.permissions
+}