Share Individual Resources with Terraform

Updated 5 Jul 2026 · 2 min read

Roles grant access across a whole organisation or project. Sometimes you want to give one member access to a single resource — one container, one registry, one secret — without changing their role. The bahriya_resource_grant resource does exactly that.

Sharing is additive: a grant only ever adds access to that one instance. It never removes what a member already has through their role, and it never affects any other resource.

Required fields

  • touser (string): UUID of the member to share with. Must already be a member of the organisation.
  • resourcetype (string): The resource kind, e.g. deployables_container_http, attachables_registries.
  • resourceid (string): UUID of the specific instance to share.
  • permissions (set(string)): Any of create, read, update, delete.

Computed (read-only) fields

  • id (string): Synthetic id: <resourcetype>|<resourceid>|<touser>.
  • grant_ids (list(string)): The individual grant rows backing the share (one per permission).

Example

Give a teammate read + update access to one specific container:

resource "bahriya_resource_grant" "share_api_container" {
  touser       = "5f9c1a2b-3d4e-4f60-8a1b-2c3d4e5f6071"
  resourcetype = "deployables_container_http"
  resourceid   = bahriya_container.api.id
  permissions  = ["read", "update"]
}

Share a registry read-only:

resource "bahriya_resource_grant" "share_registry" {
  touser       = var.contractor_user_id
  resourcetype = "attachables_registries"
  resourceid   = bahriya_registry.ghcr.id
  permissions  = ["read"]
}
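Added example (not from the provider's own docs): managing several grants on one container from a single map, so each member gets only the permissions listed for them and the permission set is validated before apply. The member UUIDs, the container and the variable name are constructed placeholders.

```hcl
# Added example, not provider documentation. Member UUIDs are constructed.
variable "container_shares" {
  description = "Member UUID => permissions on the api container"
  type        = map(set(string))
  default = {
    "5f9c1a2b-3d4e-4f60-8a1b-2c3d4e5f6071" = ["read", "update"]
    "8a7b6c5d-4e3f-4a2b-9c1d-0e1f2a3b4c5d" = ["read"]
  }

  # Reject anything outside the four permissions the provider accepts.
  validation {
    condition = alltrue([
      for perms in values(var.container_shares) :
      length(setsubtract(perms, ["create", "read", "update", "delete"])) == 0
    ])
    error_message = "Permissions must be a subset of create, read, update, delete."
  }
}

# One grant per member; each is an independent, additive share on the
# same container instance.
resource "bahriya_resource_grant" "api_container" {
  for_each = var.container_shares

  touser       = each.key
  resourcetype = "deployables_container_http"
  resourceid   = bahriya_container.api.id
  permissions  = each.value
}

# Editing one member's permission set replaces only that member's grant;
# removing a key from the map revokes only that member's share.
output "api_container_grant_ids" {
  value = { for user, g in bahriya_resource_grant.api_container : user => g.grant_ids }
}
```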

Notes

  • Additive only. A grant widens the member's access to the one instance. It cannot restrict access, and the member's role is unchanged.
  • Members only. touser must already belong to the organisation. Invitations are handled outside Terraform.
  • Changing permissions replaces the grant. Because the API has no in-place update for a grant, changing any field (including the permission set) revokes the old grant and creates a new one.
  • Destroying the resource revokes exactly the access it granted — nothing the member has via their role is touched.
  • The same sharing is available imperatively via the Reis CLI share:* commands and in the console UI.