stackitcloud · Markus-Schwer · Jan 14, 2026
@@ -0,0 +1,35 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_authorization_project_custom_role Data Source - stackit"
+subcategory: ""
+description: |-
+  Custom Role resource schema.
+---
+
+# stackit_authorization_project_custom_role (Data Source)
+
+Custom Role resource schema.
+
+## Example Usage
+
+```terraform
+data "stackit_authorization_project_custom_role" "example" {
+  project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  name       = "my.custom.role"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `resource_id` (String) Resource to add the custom role to.
+- `role_id` (String) The ID of the role.
+
+### Read-Only
+
+- `description` (String) A human readable description of the role.
+- `id` (String) Terraform's internal resource identifier. It is structured as "[resource_id],[role_id]".
+- `name` (String) Name of the role
+- `permissions` (List of String) Permissions for the role
@@ -0,0 +1,51 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_authorization_project_custom_role Resource - stackit"
+subcategory: ""
+description: |-
+  Custom Role resource schema.
+---
+
+# stackit_authorization_project_custom_role (Resource)
+
+Custom Role resource schema.
+
+## Example Usage
+
+```terraform
+resource "stackit_resourcemanager_project" "example" {
+  name                = "example_project"
+  owner_email         = "foo.bar@stackit.cloud"
+  parent_container_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+
+resource "stackit_authorization_project_custom_role" "example" {
+  resource_id = stackit_resourcemanager_project.example.project_id
+  name        = "my.custom.role"
+  description = "Some description"
+  permissions = [
+    "iam.subject.get"
+  ]
+}
+
+# Only use the import statement, if you want to import an existing custom role
+import {
+  to = stackit_authorization_project_custom_role.import-example
+  id = "${var.project_id},${var.custom_role_id}"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `description` (String) A human readable description of the role.
+- `name` (String) Name of the role
+- `permissions` (List of String) Permissions for the role
+- `resource_id` (String) Resource to add the custom role to.
+
+### Read-Only
+
+- `id` (String) Terraform's internal resource identifier. It is structured as "[resource_id],[role_id]".
+- `role_id` (String) The ID of the role.
@@ -0,0 +1,5 @@
+data "stackit_authorization_project_custom_role" "example" {
+  project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  name       = "my.custom.role"
+}
+
@@ -0,0 +1,21 @@
+resource "stackit_resourcemanager_project" "example" {
+  name                = "example_project"
+  owner_email         = "foo.bar@stackit.cloud"
+  parent_container_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+
+resource "stackit_authorization_project_custom_role" "example" {
+  resource_id = stackit_resourcemanager_project.example.project_id
+  name        = "my.custom.role"
+  description = "Some description"
+  permissions = [
+    "iam.subject.get"
+  ]
+}
+
+# Only use the import statement, if you want to import an existing custom role
+import {
+  to = stackit_authorization_project_custom_role.import-example
+  id = "${var.project_id},${var.custom_role_id}"
+}
+
@@ -11,6 +11,7 @@ import (
 	_ "embed"
 
 	"github.com/hashicorp/terraform-plugin-testing/config"
+	"github.com/hashicorp/terraform-plugin-testing/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
 	stackitSdkConfig "github.com/stackitcloud/stackit-sdk-go/core/config"
@@ -33,12 +34,33 @@ var invalidRole string
 //go:embed testfiles/organization-role.tf
 var organizationRole string
 
+//go:embed testfiles/custom-role.tf
+var customRole string
+
 var testConfigVars = config.Variables{
 	"project_id":           config.StringVariable(testutil.ProjectId),
 	"test_service_account": config.StringVariable(testutil.TestProjectServiceAccountEmail),
 	"organization_id":      config.StringVariable(testutil.OrganizationId),
 }
 
+var testConfigVarsCustomRole = config.Variables{
+	"project_id":           config.StringVariable(testutil.ProjectId),
+	"test_service_account": config.StringVariable(testutil.TestProjectServiceAccountEmail),
+	"organization_id":      config.StringVariable(testutil.OrganizationId),
+	"role_name":            config.StringVariable(fmt.Sprintf("tf-acc-%s", acctest.RandStringFromCharSet(5, acctest.CharSetAlpha))),
+	"role_description":     config.StringVariable("Some description"),
+	"role_permissions_0":   config.StringVariable("iam.role.list"),
+}
+
+var testConfigVarsCustomRoleUpdated = config.Variables{
+	"project_id":           config.StringVariable(testutil.ProjectId),
+	"test_service_account": config.StringVariable(testutil.TestProjectServiceAccountEmail),
+	"organization_id":      config.StringVariable(testutil.OrganizationId),
+	"role_name":            config.StringVariable(fmt.Sprintf("tf-acc-%s", acctest.RandStringFromCharSet(5, acctest.CharSetAlpha))),
+	"role_description":     config.StringVariable("Updated description"),
+	"role_permissions_0":   config.StringVariable("iam.role.edit"),
+}
+
 func TestAccProjectRoleAssignmentResource(t *testing.T) {
 	t.Log(testutil.AuthorizationProviderConfig())
 	resource.Test(t, resource.TestCase{
@@ -53,8 +75,7 @@ func TestAccProjectRoleAssignmentResource(t *testing.T) {
 						return err
 					}
 
-					members, err := client.ListMembers(context.TODO(), "project", testutil.ProjectId).Execute()
-
+					members, err := client.ListMembers(context.Background(), "project", testutil.ProjectId).Execute()
 					if err != nil {
 						return err
 					}
@@ -95,16 +116,106 @@ func TestAccProjectRoleAssignmentResource(t *testing.T) {
 	})
 }
 
+func TestAccProjectCustomRoleResource(t *testing.T) {
+	t.Log(testutil.AuthorizationProviderConfig())
+	resource.Test(t, resource.TestCase{
+		ProtoV6ProviderFactories: testutil.TestAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				ConfigVariables: testConfigVarsCustomRole,
+				Config:          testutil.AuthorizationProviderConfig() + customRole,
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr("stackit_authorization_project_custom_role.custom-role", "resource_id", testutil.ConvertConfigVariable(testConfigVarsCustomRole["project_id"])),
+					resource.TestCheckResourceAttr("stackit_authorization_project_custom_role.custom-role", "name", testutil.ConvertConfigVariable(testConfigVarsCustomRole["role_name"])),
+					resource.TestCheckResourceAttr("stackit_authorization_project_custom_role.custom-role", "description", testutil.ConvertConfigVariable(testConfigVarsCustomRole["role_description"])),
+					resource.TestCheckResourceAttr("stackit_authorization_project_custom_role.custom-role", "permissions.#", "1"),
+					resource.TestCheckTypeSetElemAttr("stackit_authorization_project_custom_role.custom-role", "permissions.*", testutil.ConvertConfigVariable(testConfigVarsCustomRole["role_permissions_0"])),
+					resource.TestCheckResourceAttrSet("stackit_authorization_project_custom_role.custom-role", "role_id"),
+				),
+			},
+			// Data source
+			{
+				ConfigVariables: testConfigVarsCustomRole,
+				Config: fmt.Sprintf(`
+					%s
+
+					data "stackit_authorization_project_custom_role" "custom-role" {
+						resource_id  = stackit_authorization_project_custom_role.custom-role.resource_id
+						role_id  = stackit_authorization_project_custom_role.custom-role.role_id
+					}
+					`,
+					testutil.AuthorizationProviderConfig()+customRole,
+				),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr("data.stackit_authorization_project_custom_role.custom-role", "resource_id", testutil.ConvertConfigVariable(testConfigVarsCustomRole["project_id"])),
+					resource.TestCheckResourceAttrPair(
+						"stackit_authorization_project_custom_role.custom-role", "resource_id",
+						"data.stackit_authorization_project_custom_role.custom-role", "resource_id",
+					),
+					resource.TestCheckResourceAttrPair(
+						"stackit_authorization_project_custom_role.custom-role", "role_id",
+						"data.stackit_authorization_project_custom_role.custom-role", "role_id",
+					),
+					resource.TestCheckResourceAttrPair(
+						"stackit_authorization_project_custom_role.custom-role", "name",
+						"data.stackit_authorization_project_custom_role.custom-role", "name",
+					),
+					resource.TestCheckResourceAttrPair(
+						"stackit_authorization_project_custom_role.custom-role", "description",
+						"data.stackit_authorization_project_custom_role.custom-role", "description",
+					),
+					resource.TestCheckResourceAttrPair(
+						"stackit_authorization_project_custom_role.custom-role", "permissions",
+						"data.stackit_authorization_project_custom_role.custom-role", "permissions",
+					),
+				),
+			},
+			// Import
+			{
+				ConfigVariables: testConfigVarsCustomRole,
+				ResourceName:    "stackit_authorization_project_custom_role.custom-role",
+				ImportStateIdFunc: func(s *terraform.State) (string, error) {
+					r, ok := s.RootModule().Resources["stackit_authorization_project_custom_role.custom-role"]
+					if !ok {
+						return "", fmt.Errorf("couldn't find resource stackit_authorization_project_custom_role.custom-role")
+					}
+					roleId, ok := r.Primary.Attributes["role_id"]
+					if !ok {
+						return "", fmt.Errorf("couldn't find attribute role_id")
+					}
+
+					return fmt.Sprintf("%s,%s", testutil.ProjectId, roleId), nil
+				},
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			// Update
+			{
+				ConfigVariables: testConfigVarsCustomRoleUpdated,
+				Config:          testutil.AuthorizationProviderConfig() + customRole,
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr("stackit_authorization_project_custom_role.custom-role", "resource_id", testutil.ConvertConfigVariable(testConfigVarsCustomRoleUpdated["project_id"])),
+					resource.TestCheckResourceAttr("stackit_authorization_project_custom_role.custom-role", "name", testutil.ConvertConfigVariable(testConfigVarsCustomRoleUpdated["role_name"])),
+					resource.TestCheckResourceAttr("stackit_authorization_project_custom_role.custom-role", "description", testutil.ConvertConfigVariable(testConfigVarsCustomRoleUpdated["role_description"])),
+					resource.TestCheckResourceAttr("stackit_authorization_project_custom_role.custom-role", "permissions.#", "1"),
+					resource.TestCheckTypeSetElemAttr("stackit_authorization_project_custom_role.custom-role", "permissions.*", testutil.ConvertConfigVariable(testConfigVarsCustomRoleUpdated["role_permissions_0"])),
+					resource.TestCheckResourceAttrSet("stackit_authorization_project_custom_role.custom-role", "role_id"),
+				),
+			},
+			// Deletion is done by the framework implicitly
+		},
+	})
+}
+
 func authApiClient() (*authorization.APIClient, error) {
 	var client *authorization.APIClient
 	var err error
-	if testutil.AuthorizationCustomEndpoint == "" {
-		client, err = authorization.NewAPIClient(
-			stackitSdkConfig.WithRegion("eu01"),
-		)
+	if testutil.AuthorizationCustomEndpoint == "" || testutil.TokenCustomEndpoint == "" {
+		client, err = authorization.NewAPIClient()
 	} else {
 		client, err = authorization.NewAPIClient(
 			stackitSdkConfig.WithEndpoint(testutil.AuthorizationCustomEndpoint),
+			stackitSdkConfig.WithTokenEndpoint(testutil.TokenCustomEndpoint),
 		)
 	}
 	if err != nil {