Share Individual Resources with Terraform
Roles grant access across a whole organisation or project. Sometimes you want to give one member access to a single resource — one container, one registry, one secret — without changing their role. The `bahriya_resource_grant` resource does exactly that.
Sharing is additive: a grant only ever adds access to that one instance. It never removes what a member already has through their role, and it never affects any other resource.
Required fields
| Field | Type | Description |
|---|---|---|
| `touser` | string | UUID of the member to share with. Must already be a member of the organisation. |
| `resourcetype` | string | The resource kind, e.g. `deployables_container_http`, `attachables_registries`. |
| `resourceid` | string | UUID of the specific instance to share. |
| `permissions` | set(string) | Any of `create`, `read`, `update`, `delete`. |
Computed (read-only) fields
| Field | Type | Description |
|---|---|---|
| `id` | string | Synthetic id: `<resourcetype>\|<resourceid>\|<touser>`. |
| `grant_ids` | list(string) | The individual grant rows backing the share (one per permission). |
Example
Give a teammate read + update access to one specific container:
```hcl
resource "bahriya_resource_grant" "share_api_container" {
  touser       = "5f9c1a2b-3d4e-4f60-8a1b-2c3d4e5f6071"
  resourcetype = "deployables_container_http"
  resourceid   = bahriya_container.api.id
  permissions  = ["read", "update"]
}
```

Share a registry read-only:

```hcl
resource "bahriya_resource_grant" "share_registry" {
  touser       = var.contractor_user_id
  resourcetype = "attachables_registries"
  resourceid   = bahriya_registry.ghcr.id
  permissions  = ["read"]
}
```

Notes
- Additive only. A grant widens the member's access to the one instance. It cannot restrict access, and the member's role is unchanged.
- Members only. `touser` must already belong to the organisation. Invitations are handled outside Terraform.
- Changing `permissions` replaces the grant. Because the API has no in-place update for a grant, changing any field (including the permission set) revokes the old grant and creates a new one.
- Destroying the resource revokes exactly the access it granted — nothing the member has via their role is touched.
- The same sharing is available imperatively via the Reis CLI `share:*` commands and in the console UI.
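The examples above each share one resource with one member. A configuration that shares the same registry with several members, each with their own permission set, is shown below as an added example; it is not part of the provider documentation. It assumes a `bahriya_registry.ghcr` resource exists elsewhere in the configuration, and the variable name `registry_shares`, the output name and the sample UUIDs in the default are constructed for illustration. The `validation` blocks reject permissions outside `create`, `read`, `update`, `delete` and keys that are not UUIDs at plan time, rather than leaving them to fail as API errors at apply time.

```hcl
# Added example (not provider code): share one registry with several members.
# Assumes bahriya_registry.ghcr is defined elsewhere in this configuration.

variable "registry_shares" {
  description = "Map of member UUID => set of permissions to grant on the registry."
  type        = map(set(string))

  # Constructed sample input; replace with real member UUIDs.
  default = {
    "5f9c1a2b-3d4e-4f60-8a1b-2c3d4e5f6071" = ["read", "update"]
    "9b0d2c3e-4f5a-4b6c-8d7e-0f1a2b3c4d5e" = ["read"]
  }

  # Only the four permissions the resource accepts are allowed.
  validation {
    condition = alltrue([
      for perms in values(var.registry_shares) :
      length(setsubtract(perms, ["create", "read", "update", "delete"])) == 0
    ])
    error_message = "permissions may only contain create, read, update, delete."
  }

  # Keys must be UUIDs; the member must already belong to the organisation.
  validation {
    condition = alltrue([
      for k in keys(var.registry_shares) :
      can(regex("^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", k))
    ])
    error_message = "Keys of registry_shares must be member UUIDs (lowercase hex)."
  }
}

# One grant per member, keyed on the member UUID. Adding or removing a member
# from the map only creates or revokes that member's grant; the rest are untouched.
resource "bahriya_resource_grant" "registry" {
  for_each = var.registry_shares

  touser       = each.key
  resourcetype = "attachables_registries"
  resourceid   = bahriya_registry.ghcr.id
  permissions  = each.value
}

# Expose the backing grant rows (one per permission) for each member.
output "registry_grant_ids" {
  description = "Grant rows backing each share, keyed by member UUID."
  value       = { for k, g in bahriya_resource_grant.registry : k => g.grant_ids }
}
```

Because a grant has no in-place update, changing one member's permission set in the map shows up in `terraform plan` as a destroy-and-create of that member's grant only; the other members' grants and everyone's role access are unaffected.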