feat: add new observe_grant resource (#160)

client/internal/meta/operation/rbac_statement.graphql

@@ -16,6 +16,7 @@ fragment RbacStatement on RbacStatement {
                 all
         }
         role
+        version
 }
 
 mutation createRbacStatement($config: RbacStatementInput!) {

client/internal/meta/schema/rbac.graphql

@@ -15,20 +15,31 @@ extend type Query {
     rbacStatement(id: ORN!): RbacStatement!
 
     """
-    All groups defined in this tenant.
+    All groups defined.
     """
     rbacGroups: [RbacGroup!]!
 
     """
-    All group memberships defined in this tenant.
+    All group memberships defined.
     """
     rbacGroupmembers: [RbacGroupmember!]!
 
     """
-    All RBAC statements defined in this tenant.
+    All RBAC statements defined.
     """
     rbacStatements: [RbacStatement!]!
 
+
+    """
+    Get all RBAC Role Statements
+    """
+    rbacRoleStatements: [RbacStatement!]!
+
+    """
+    Get all RBAC resource statements for several objects at once
+    """
+    rbacResourceStatements(ids: [ObjectId!]!): [RbacStatement!]!
+
     """
     Given a particular user, and a particular object/role request, return what would happen.
     Note that we assume that the customer owning the object is the current
@@ -66,6 +77,11 @@ extend type Query {
     Get the group users will be assigned to by default
     """
     rbacDefaultGroup: RbacGroup!
+
+        """
+    Get the group users will be assigned to by default
+    """
+    rbacDefaultSharingGroups: [RbacDefaultSharingGroup!]!
 }
 
 extend type User {
@@ -116,6 +132,8 @@ extend type Mutation {
     """
     setRbacDefaultGroup(id: ORN!): ResultStatus!
     unsetRbacDefaultGroup: ResultStatus!
+
+    setRbacDefaultSharingGroups(shares: [RbacDefaultSharingGroupInput!]): ResultStatus!
 }
 
 scalar ORN @goModel(model: "observe/authorization/id.ORN")
@@ -212,6 +230,8 @@ type RbacStatement implements AuditedObject @goModel(model: "observe/rbac/policy
     object: RbacObject!
     role: RbacRole!
 
+    version: Int
+
     createdBy: UserId!
     createdByInfo: UserInfo! @goField(forceResolver: true)
     createdDate: Time!
@@ -225,6 +245,7 @@ input RbacStatementInput @goModel(model: "observe/rbac/policy.Statement") {
     subject: RbacSubjectInput!
     object: RbacObjectInput!
     role: RbacRole!
+    version: Int
 }
 
 input UpdateRbacStatementInput @goModel(model: "observe/rbac/policy.Statement") {
@@ -233,6 +254,7 @@ input UpdateRbacStatementInput @goModel(model: "observe/rbac/policy.Statement")
     subject: RbacSubjectInput!
     object: RbacObjectInput!
     role: RbacRole!
+    version: Int
 }
 
 type MutateRbacStatementsResponse @goModel(model: "observe/meta/metatypes.MutateRbacStatementsResponse") {
@@ -241,6 +263,16 @@ type MutateRbacStatementsResponse @goModel(model: "observe/meta/metatypes.Mutate
     deletedStatements: [ORN!]!
 }
 
+type RbacDefaultSharingGroup  @goModel(model: "observe/meta/metatypes.RbacDefaultSharingGroup") {
+    groupId: ORN!
+    allowEdit: Boolean!
+}
+
+input RbacDefaultSharingGroupInput @goModel(model: "observe/meta/metatypes.RbacDefaultSharingGroup") {
+    groupId: ORN!
+    allowEdit: Boolean!
+}
+
 """
 A RequestSubject is different from a Subject, because the RequestSubject
 provides all of the values, such that each Statement can match against

docs/data-sources/rbac_group.md

@@ -16,6 +16,12 @@ Fetches metadata for an existing Observe RbacGroup.
 data "observe_rbac_group" "example" {
   name = "example"
 }
+
+// In RBAC v2, "everyone" is a special pre-defined group that always includes all users.
+// Reach out to Observe to enable this feature.
+data "observe_rbac_group" "everyone" {
+  name = "everyone"
+}
 ```
 
 <!-- schema generated by tfplugindocs -->
@@ -24,7 +30,7 @@ data "observe_rbac_group" "example" {
 ### Optional
 
 - `id` (String) RbacGroup ID. Either `name` or `id` must be provided.
-- `name` (String) RbacGroup Name. Either `name` or `id` must be provided
+- `name` (String) RbacGroup Name. Either `name` or `id` must be provided.
 
 ### Read-Only
 

docs/resources/grant.md

@@ -0,0 +1,93 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "observe_grant Resource - terraform-provider-observe"
+subcategory: ""
+description: |-
+  NOTE: This feature is still under development. It is not meant for customer use yet.
+  Manages an Observe grant. Grants allow configuring permissions for users and groups by
+  assigning roles. A grant may also optionally be qualified by an object id. Replaces
+  rbac_statement. Reach out to Observe to enable this feature.
+---
+# observe_grant
+
+NOTE: This feature is still under development. It is not meant for customer use yet.
+
+Manages an Observe grant. Grants allow configuring permissions for users and groups by
+assigning roles. A grant may also optionally be qualified by an object id. Replaces
+rbac_statement. Reach out to Observe to enable this feature.
+## Example Usage
+```terraform
+data "observe_workspace" "default" {
+  name = "Default"
+}
+
+data "observe_user" "example" {
+  email = "[email protected]"
+}
+
+data "observe_rbac_group" "example" {
+  name = "engineering"
+}
+
+// "everyone" is a special pre-defined group that always includes all users
+data "observe_rbac_group" "everyone" {
+  name = "everyone"
+}
+
+data "observe_dataset" "example" {
+  workspace = data.observe_workspace.default.oid
+  name      = "Engineering Logs"
+}
+
+// Allow user example to create worksheets
+resource "observe_grant" "user_example" {
+  subject = data.observe_user.example.oid
+  role    = "worksheet_creator"
+}
+
+// Allow group engineering to edit dataset Engineering Logs
+resource "observe_grant" "group_example" {
+  subject = data.observe_rbac_group.example.oid
+  role    = "dataset_editor"
+  qualifier {
+    oid = data.observe_dataset.example.oid
+  }
+}
+
+// Allow everyone to view dataset Engineering Logs
+resource "observe_grant" "everyone_example" {
+  subject = data.observe_rbac_group.everyone.oid
+  role    = "dataset_viewer"
+  qualifier {
+    oid = data.observe_dataset.example.oid
+  }
+}
+```
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `role` (String) The role to grant.
+- `subject` (String) OID of the subject. Must be a user or a group.
+
+### Optional
+
+- `qualifier` (Block List, Max: 1) (see [below for nested schema](#nestedblock--qualifier))
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+- `oid` (String)
+
+<a id="nestedblock--qualifier"></a>
+### Nested Schema for `qualifier`
+
+Optional:
+
+- `oid` (String) OID of the object this grant applies to.
+## Import
+Import is supported using the following syntax:
+```shell
+terraform import observe_grant.example 1414010
+```

examples/data-sources/observe_rbac_group/data-source.tf

@@ -1,3 +1,9 @@
 data "observe_rbac_group" "example" {
   name = "example"
 }
+
+// In RBAC v2, "everyone" is a special pre-defined group that always includes all users.
+// Reach out to Observe to enable this feature.
+data "observe_rbac_group" "everyone" {
+  name = "everyone"
+}

examples/resources/observe_grant/import.sh

@@ -0,0 +1 @@
+terraform import observe_grant.example 1414010

examples/resources/observe_grant/resource.tf

@@ -0,0 +1,45 @@
+data "observe_workspace" "default" {
+  name = "Default"
+}
+
+data "observe_user" "example" {
+  email = "[email protected]"
+}
+
+data "observe_rbac_group" "example" {
+  name = "engineering"
+}
+
+// "everyone" is a special pre-defined group that always includes all users
+data "observe_rbac_group" "everyone" {
+  name = "everyone"
+}
+
+data "observe_dataset" "example" {
+  workspace = data.observe_workspace.default.oid
+  name      = "Engineering Logs"
+}
+
+// Allow user example to create worksheets
+resource "observe_grant" "user_example" {
+  subject = data.observe_user.example.oid
+  role    = "worksheet_creator"
+}
+
+// Allow group engineering to edit dataset Engineering Logs
+resource "observe_grant" "group_example" {
+  subject = data.observe_rbac_group.example.oid
+  role    = "dataset_editor"
+  qualifier {
+    oid = data.observe_dataset.example.oid
+  }
+}
+
+// Allow everyone to view dataset Engineering Logs
+resource "observe_grant" "everyone_example" {
+  subject = data.observe_rbac_group.everyone.oid
+  role    = "dataset_viewer"
+  qualifier {
+    oid = data.observe_dataset.example.oid
+  }
+}

observe/data_source_rbac_group.go

@@ -12,7 +12,7 @@ import (
 const (
 	schemaRbacGroupIdDescription          = "RbacGroup ID. Either `name` or `id` must be provided."
 	schemaRbacGroupOIDDescription         = "The Observe ID for rbacGroup."
-	schemaRbacGroupNameDescription        = "RbacGroup Name. Either `name` or `id` must be provided"
+	schemaRbacGroupNameDescription        = "RbacGroup Name. Either `name` or `id` must be provided."
 	schemaRbacGroupDescriptionDescription = "RbacGroup description."
 )
 
@@ -63,6 +63,17 @@ func dataSourceRbacGroupRead(ctx context.Context, data *schema.ResourceData, met
 		r, err = client.GetRbacGroup(ctx, explicitId)
 	} else if name != "" {
 		r, err = client.LookupRbacGroup(ctx, name)
+
+		// In RBAC v2, "everyone" is a special group with id "1" that always includes all users.
+		// To prevent issues for customers who have a real group named "everyone", only
+		// return this special group if the lookup failed.
+		if err != nil && name == "everyone" {
+			r = &gql.RbacGroup{
+				Id:   "1",
+				Name: "everyone",
+			}
+			err = nil
+		}
 	}
 
 	if err != nil {

observe/descriptions/grant.yaml

@@ -0,0 +1,15 @@
+description: |
+  NOTE: This feature is still under development. It is not meant for customer use yet.
+
+  Manages an Observe grant. Grants allow configuring permissions for users and groups by
+  assigning roles. A grant may also optionally be qualified by an object id. Replaces
+  rbac_statement. Reach out to Observe to enable this feature.
+
+schema:
+  subject: |
+    OID of the subject. Must be a user or a group.
+  role: |
+    The role to grant.
+  qualifier:
+    oid: |
+      OID of the object this grant applies to.