feat(CodeArts/Pipeline): support permission management

docs/data-sources/codearts_pipeline_micro_services.md

@@ -3,12 +3,12 @@ subcategory: "CodeArts Pipeline"
 layout: "huaweicloud"
 page_title: "HuaweiCloud: huaweicloud_codearts_pipeline_micro_services"
 description: |-
-  Use this data source to get a list of CodeArts pipeline groups.
+  Use this data source to get a list of CodeArts pipeline micro services.
 ---
 
 # huaweicloud_codearts_pipeline_micro_services
 
-Use this data source to get a list of CodeArts pipeline groups.
+Use this data source to get a list of CodeArts pipeline micro services.
 
 ## Example Usage
 

docs/data-sources/codearts_pipeline_parameter_groups.md

@@ -3,12 +3,12 @@ subcategory: "CodeArts Pipeline"
 layout: "huaweicloud"
 page_title: "HuaweiCloud: huaweicloud_codearts_pipeline_parameter_groups"
 description: |-
-  Use this data source to get a list of CodeArts pipeline groups.
+  Use this data source to get a list of CodeArts pipeline parameter groups.
 ---
 
 # huaweicloud_codearts_pipeline_parameter_groups
 
-Use this data source to get a list of CodeArts pipeline groups.
+Use this data source to get a list of CodeArts pipeline parameter groups.
 
 ## Example Usage
 

docs/data-sources/codearts_pipeline_user_permissions.md

@@ -0,0 +1,66 @@
+---
+subcategory: "CodeArts Pipeline"
+layout: "huaweicloud"
+page_title: "HuaweiCloud: huaweicloud_codearts_pipeline_user_permissions"
+description: |-
+  Use this data source to get a list of CodeArts pipeline user permissions.
+---
+
+# huaweicloud_codearts_pipeline_user_permissions
+
+Use this data source to get a list of CodeArts pipeline user permissions.
+
+## Example Usage
+
+```hcl
+variable "codearts_project_id" {}
+variable "pipeline_id" {}
+
+data "huaweicloud_codearts_pipeline_user_permissions" "test" {
+  project_id  = var.codearts_project_id
+  pipeline_id = var.pipeline_id
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `region` - (Optional, String) Specifies the region in which to query the data source.
+  If omitted, the provider-level region will be used.
+
+* `project_id` - (Required, String) Specifies the CodeArts project ID.
+
+* `pipeline_id` - (Required, String) Specifies the pipeline ID.
+
+* `user_name` - (Optional, String) Specifies the user name.
+
+## Attribute Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - The data source ID.
+
+* `users` - Indicates the template list.
+  The [users](#attrblock--users) structure is documented below.
+
+<a name="attrblock--users"></a>
+The `users` block supports:
+
+* `user_id` - Indicates the user ID.
+
+* `user_name` - Indicates the user name.
+
+* `operation_authorize` - Indicates whether the user has the permission to authorize.
+
+* `operation_delete` - Indicates whether the user has the permission to delete.
+
+* `operation_execute` - Indicates whether the user has the permission to execute.
+
+* `operation_query` - Indicates whether the user has the permission to query.
+
+* `operation_update` - Indicates whether the user has the permission to update.
+
+* `role_id` - Indicates the role ID.
+
+* `role_name` - Indicates the role name.

docs/resources/codearts_pipeline.md

@@ -171,6 +171,9 @@ The following arguments are supported:
 
 * `tags` - (Optional, List) Specifies the tag IDs.
 
+* `resource_level_permission_switch` - (Optional, Bool) Specifies whether to use resource level permission.
+  Default to **false**, which means project level permission will be used.
+
 <a name="block--sources"></a>
 The `sources` block supports:
 
@@ -325,6 +328,11 @@ In addition to all arguments above, the following attributes are exported:
 * `triggers` - Indicates the pipeline trigger settings.
   The [triggers](#attrblock--triggers) structure is documented below.
 
+* `role_permissions` - Indicates the role permissions.
+  The [role_permissions](#attrblock--role_permissions) structure is documented below.
+
+* `is_allow_edit` - Indicates whether the user is allowed to edit the permission.
+
 <a name="attrblock--schedules"></a>
 The `schedules` block supports:
 
@@ -335,6 +343,23 @@ The `triggers` block supports:
 
 * `hook_id` - Indicates the callback ID.
 
+<a name="attrblock--role_permissions"></a>
+The `role_permissions` block supports:
+
+* `operation_authorize` - Indicates whether the role has the permission to authorize.
+
+* `operation_delete` - Indicates whether the role has the permission to delete.
+
+* `operation_execute` - Indicates whether the role has the permission to execute.
+
+* `operation_query` - Indicates whether the role has the permission to query.
+
+* `operation_update` - Indicates whether the role has the permission to update.
+
+* `role_id` - Indicates the role ID.
+
+* `role_name` - Indicates the role name.
+
 ## Import
 
 The pipeline can be imported using `project_id` and `id` separated by a slash, e.g.

docs/resources/codearts_pipeline_permission.md

@@ -0,0 +1,104 @@
+---
+subcategory: "CodeArts Pipeline"
+layout: "huaweicloud"
+page_title: "HuaweiCloud: huaweicloud_codearts_pipeline_permission"
+description: |-
+  Manages a CodeArts pipeline permission resource within HuaweiCloud.
+---
+
+# huaweicloud_codearts_pipeline_permission
+
+Manages a CodeArts pipeline permission resource within HuaweiCloud.
+
+## Example Usage
+
+### Modify user permission
+
+```hcl
+variable "codearts_project_id" {}
+variable "pipeline_id" {}
+variable "user_id" {}
+
+resource "huaweicloud_codearts_pipeline_permission" "user" {
+  project_id        = var.codearts_project_id
+  pipeline_id       = var.pipeline_id
+  user_id           = var.user_id
+  operation_delete  = true
+  operation_execute = true
+  operation_query   = true
+  operation_update  = true
+}
+```
+
+### Modify role permission
+
+```hcl
+variable "codearts_project_id" {}
+variable "pipeline_id" {}
+variable "role_id" {}
+
+resource "huaweicloud_codearts_pipeline_permission" "role" {
+  project_id        = var.codearts_project_id
+  pipeline_id       = var.pipeline_id
+  role_id           = var.role_id
+  operation_delete  = true
+  operation_execute = true
+  operation_query   = true
+  operation_update  = true
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `region` - (Optional, String, ForceNew) Specifies the region in which to create the resource.
+  If omitted, the provider-level region will be used.
+  Changing this creates a new resource.
+
+* `project_id` - (Required, String, NonUpdatable) Specifies the CodeArts project ID.
+
+* `pipeline_id` - (Required, String, NonUpdatable) Specifies the pipeline ID.
+
+* `role_id` - (Optional, Int, NonUpdatable) Specifies the role ID.
+
+* `user_id` - (Optional, String, NonUpdatable) Specifies the user ID.
+
+-> Only one of `role_id` and `user_id` can be specified.
+
+* `operation_authorize` - (Optional, Bool) Specifies whether the role has the permission to authorize.
+  Default to **fasle**.
+
+* `operation_delete` - (Optional, Bool) Specifies whether the role has the permission to delete. Default to **fasle**.
+
+* `operation_execute` - (Optional, Bool) Specifies whether the role has the permission to execute. Default to **fasle**.
+
+* `operation_query` - (Optional, Bool) Specifies whether the role has the permission to query. Default to **fasle**.
+
+* `operation_update` - (Optional, Bool) Specifies whether the role has the permission to update. Default to **fasle**.
+
+## Attribute Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - The resource ID.
+
+* `role_name` - Indicates the role name.
+
+* `user_name` - Indicates the user name.
+
+## Import
+
+The pipeline permission can be imported using `project_id`, `pipeline_id`, `role_id` and `user_id`, e.g.
+
+### Import role permission
+
+```bash
+$ terraform import huaweicloud_codearts_pipeline_permission.test <project_id>/<pipeline_id>/role/<role_id>
+```
+
+### Import user permission
+
+```bash
+$ terraform import huaweicloud_codearts_pipeline_permission.test <project_id>/<pipeline_id>/user/<user_id>
+```

huaweicloud/provider.go

@@ -728,6 +728,7 @@ func Provider() *schema.Provider {
 			"huaweicloud_codearts_pipeline_runtime_variables":      codeartspipeline.DataSourceCodeArtsPipelineRuntimeVariables(),
 			"huaweicloud_codearts_pipeline_service_endpoints":      codeartspipeline.DataSourceCodeArtsPipelineServiceEndpoints(),
 			"huaweicloud_codearts_pipeline_tags":                   codeartspipeline.DataSourceCodeArtsPipelineTags(),
+			"huaweicloud_codearts_pipeline_user_permissions":       codeartspipeline.DataSourceCodeArtsPipelineUserPermissions(),
 
 			"huaweicloud_codearts_build_tasks":        codeartsbuild.DataSourceCodeArtsBuildTasks(),
 			"huaweicloud_codearts_build_task_records": codeartsbuild.DataSourceCodeArtsBuildTaskRecords(),
@@ -2856,6 +2857,7 @@ func Provider() *schema.Provider {
 			"huaweicloud_codearts_pipeline_group":            codeartspipeline.ResourceCodeArtsPipelineGroup(),
 			"huaweicloud_codearts_pipeline_group_swap":       codeartspipeline.ResourceCodeArtsPipelineGroupSwap(),
 			"huaweicloud_codearts_pipeline":                  codeartspipeline.ResourceCodeArtsPipeline(),
+			"huaweicloud_codearts_pipeline_permission":       codeartspipeline.ResourceCodeArtsPipelinePermission(),
 			"huaweicloud_codearts_pipeline_tag":              codeartspipeline.ResourceCodeArtsPipelineTag(),
 			"huaweicloud_codearts_pipeline_action":           codeartspipeline.ResourceCodeArtsPipelineAction(),
 			"huaweicloud_codearts_pipeline_by_template":      codeartspipeline.ResourceCodeArtsPipelineByTemplate(),

huaweicloud/services/acceptance/codeartspipeline/data_source_huaweicloud_codearts_pipeline_user_permissions_test.go

@@ -0,0 +1,69 @@
+package codeartspipeline
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+
+	"github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/services/acceptance"
+)
+
+func TestAccDataSourcePipelineUserPermissions_basic(t *testing.T) {
+	dataSource := "data.huaweicloud_codearts_pipeline_user_permissions.test"
+	name := acceptance.RandomAccResourceName()
+	dc := acceptance.InitDataSourceCheck(dataSource)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:          func() { acceptance.TestAccPreCheck(t) },
+		ProviderFactories: acceptance.TestAccProviderFactories,
+		CheckDestroy:      nil,
+		Steps: []resource.TestStep{
+			{
+				Config: testDataSourcePipelineUserPermissions_basic(name),
+				Check: resource.ComposeTestCheckFunc(
+					dc.CheckResourceExists(),
+					resource.TestCheckResourceAttrSet(dataSource, "users.#"),
+					resource.TestCheckResourceAttrSet(dataSource, "users.0.user_id"),
+					resource.TestCheckResourceAttrSet(dataSource, "users.0.user_name"),
+					resource.TestCheckResourceAttrSet(dataSource, "users.0.operation_query"),
+					resource.TestCheckResourceAttrSet(dataSource, "users.0.operation_execute"),
+					resource.TestCheckResourceAttrSet(dataSource, "users.0.operation_update"),
+					resource.TestCheckResourceAttrSet(dataSource, "users.0.operation_delete"),
+					resource.TestCheckResourceAttrSet(dataSource, "users.0.operation_authorize"),
+					resource.TestCheckResourceAttrSet(dataSource, "users.0.role_id"),
+					resource.TestCheckResourceAttrSet(dataSource, "users.0.role_name"),
+
+					resource.TestCheckOutput("is_user_name_filter_useful", "true"),
+				),
+			},
+		},
+	})
+}
+
+func testDataSourcePipelineUserPermissions_basic(name string) string {
+	return fmt.Sprintf(`
+%[1]s
+
+data "huaweicloud_codearts_pipeline_user_permissions" "test" {
+  project_id  = huaweicloud_codearts_project.test.id
+  pipeline_id = huaweicloud_codearts_pipeline.test.id
+}
+
+// filter by user name
+data "huaweicloud_codearts_pipeline_user_permissions" "filter_by_user_name" {
+  project_id  = huaweicloud_codearts_project.test.id
+  pipeline_id = huaweicloud_codearts_pipeline.test.id
+  user_name   = data.huaweicloud_codearts_pipeline_user_permissions.test.users[0].user_name
+}
+
+locals {
+  filter_result_by_user_name = [for v in data.huaweicloud_codearts_pipeline_user_permissions.filter_by_user_name.users[*].user_name :
+    v == data.huaweicloud_codearts_pipeline_user_permissions.test.users[0].user_name]
+}
+
+output "is_user_name_filter_useful" {
+  value = length(local.filter_result_by_user_name) > 0 && alltrue(local.filter_result_by_user_name)
+}
+`, testPipeline_basic(name))
+}