ClickHouse · nunoadrego · Jun 2, 2026 · Jun 1, 2026 · Jun 1, 2026 · Jun 1, 2026
@@ -246,7 +246,7 @@ Optional:
 - `certificate` (String, Sensitive) PEM encoded client certificate for mTLS authentication. Use with `MUTUAL_TLS` authentication.
 - `connection_string` (String, Sensitive) The connection string for the Kafka source. Use with `azureeventhub` Kafka source type. Use with `PLAIN` authentication.
 - `password` (String, Sensitive) The password for the Kafka source. Use `password_wo` instead to keep the value out of state.
-- `password_wo` (String, Sensitive) Write-only password for the Kafka source. Not persisted to state. Pair with `password_wo_version` to trigger updates.
+- `password_wo` (String, Sensitive, [Write-only](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments)) Write-only password for the Kafka source. Not persisted to state. Pair with `password_wo_version` to trigger updates.
 - `password_wo_version` (Number) Version trigger for `password_wo`. Increment to push a new password to the API.
 - `private_key` (String, Sensitive) PEM encoded client private key for mTLS authentication. Use with `MUTUAL_TLS` authentication.
 - `secret_key` (String, Sensitive) The secret key for the Kafka source. Use with `IAM_USER` authentication.
@@ -284,7 +284,7 @@ Required:
 Optional:
 
 - `password` (String, Sensitive) The password for the Schema Registry. Either `password` or `password_wo` must be provided.
-- `password_wo` (String, Sensitive) Write-only password for the Schema Registry. Not persisted to state. Pair with `password_wo_version` to trigger updates.
+- `password_wo` (String, Sensitive, [Write-only](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments)) Write-only password for the Schema Registry. Not persisted to state. Pair with `password_wo_version` to trigger updates.
 - `password_wo_version` (Number) Version trigger for `password_wo`. Increment to push a new password to the API.
 
 
@@ -376,7 +376,7 @@ Required:
 Optional:
 
 - `password` (String, Sensitive) The password for the MongoDB instance. Use `password_wo` instead to keep the value out of state.
-- `password_wo` (String, Sensitive) Write-only password for the MongoDB instance. Not persisted to state. Pair with `password_wo_version` to trigger updates.
+- `password_wo` (String, Sensitive, [Write-only](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments)) Write-only password for the MongoDB instance. Not persisted to state. Pair with `password_wo_version` to trigger updates.
 - `password_wo_version` (Number) Version trigger for `password_wo`. Increment to push a new password to the API.
 
 
@@ -412,7 +412,7 @@ Required:
 Optional:
 
 - `password` (String, Sensitive) The password for the MySQL instance. Use `password_wo` instead to keep the value out of state.
-- `password_wo` (String, Sensitive) Write-only password for the MySQL instance. Not persisted to state. Pair with `password_wo_version` to trigger updates.
+- `password_wo` (String, Sensitive, [Write-only](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments)) Write-only password for the MySQL instance. Not persisted to state. Pair with `password_wo_version` to trigger updates.
 - `password_wo_version` (Number) Version trigger for `password_wo`. Increment to push a new password to the API.
 
 
@@ -518,7 +518,7 @@ Required:
 Optional:
 
 - `password` (String, Sensitive) The password for the Postgres instance. Use `password_wo` instead to keep the value out of state.
-- `password_wo` (String, Sensitive) Write-only password for the Postgres instance. Not persisted to state. Pair with `password_wo_version` to trigger updates.
+- `password_wo` (String, Sensitive, [Write-only](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments)) Write-only password for the Postgres instance. Not persisted to state. Pair with `password_wo_version` to trigger updates.
 - `password_wo_version` (Number) Version trigger for `password_wo`. Increment to push a new password to the API.
 
 

@@ -0,0 +1,174 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "clickhouse_role Resource - clickhouse"
+subcategory: ""
+description: |-
+  You can use the clickhouse_role resource to manage custom RBAC roles in ClickHouse Cloud.
+  ~> Note: This resource is in alpha. To assign actors (users or API keys) to a role, use the clickhouse_role_assignment resource.
+  Example Usage
+
+  resource "clickhouse_role" "example" {
+    name = "my-custom-role"
+
+    policies = [
+      # Organization-level permission
+      {
+        effect  = "ALLOW"
+        permissions = ["control-plane:organization:create-api-keys"]
+        resources   = ["organization/<org-id>"]
+      },
+      # Service-level permission scoped to a specific service
+      {
+        effect  = "ALLOW"
+        permissions = ["control-plane:service:view-backups"]
+        resources   = ["instance/<service-id>"]
+      },
+      # SQL console passwordless DB access
+      {
+        effect  = "ALLOW"
+        permissions = ["sql-console:database:access"]
+        resources   = ["instance/<service-id>"]
+        tags = {
+          role = "sql-console-readonly"
+        }
+      },
+    ]
+  }
+
+  data "clickhouse_user" "alice" {
+    email = "alice@example.com"
+  }
+
+  resource "clickhouse_role_assignment" "example" {
+    role_id  = clickhouse_role.example.id
+    user_ids = [data.clickhouse_user.alice.id]
+  }
+---
+
+# clickhouse_role (Resource)
+
+You can use the *clickhouse_role* resource to manage custom RBAC roles in ClickHouse Cloud.
+
+~> **Note:** This resource is in alpha. To assign actors (users or API keys) to a role, use the `clickhouse_role_assignment` resource.
+
+## Example Usage
+
+```hcl
+resource "clickhouse_role" "example" {
+  name = "my-custom-role"
+
+  policies = [
+    # Organization-level permission
+    {
+      effect  = "ALLOW"
+      permissions = ["control-plane:organization:create-api-keys"]
+      resources   = ["organization/<org-id>"]
+    },
+    # Service-level permission scoped to a specific service
+    {
+      effect  = "ALLOW"
+      permissions = ["control-plane:service:view-backups"]
+      resources   = ["instance/<service-id>"]
+    },
+    # SQL console passwordless DB access
+    {
+      effect  = "ALLOW"
+      permissions = ["sql-console:database:access"]
+      resources   = ["instance/<service-id>"]
+      tags = {
+        role = "sql-console-readonly"
+      }
+    },
+  ]
+}
+
+data "clickhouse_user" "alice" {
+  email = "alice@example.com"
+}
+
+resource "clickhouse_role_assignment" "example" {
+  role_id  = clickhouse_role.example.id
+  user_ids = [data.clickhouse_user.alice.id]
+}
+```
+
+## Example Usage
+
+```terraform
+resource "clickhouse_role" "example" {
+  name = "my-custom-role"
+
+  policies = [
+    # Organization-level permission
+    {
+      effect      = "ALLOW"
+      permissions = ["control-plane:organization:create-api-keys"]
+      resources   = ["organization/<org-id>"]
+    },
+    # Service-level permission scoped to a specific service
+    {
+      effect      = "ALLOW"
+      permissions = ["control-plane:service:view-backups"]
+      resources   = ["instance/<service-id>"]
+    },
+  ]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) Name of the custom role.
+
+### Optional
+
+- `policies` (Attributes List) List of policies attached to this role. (see [below for nested schema](#nestedatt--policies))
+
+### Read-Only
+
+- `created_at` (String) Timestamp when the role was created.
+- `id` (String) Unique identifier for the role.
+- `owner_id` (String) Owner ID of this role.
+- `tenant_id` (String) Tenant ID that owns this role.
+- `type` (String) Type of the role. Always 'custom' for managed roles.
+- `updated_at` (String) Timestamp when the role was last updated.
+
+<a id="nestedatt--policies"></a>
+### Nested Schema for `policies`
+
+Required:
+
+- `effect` (String) Whether this policy allows or denies the specified permissions.
+- `permissions` (Set of String) List of permission strings granted or denied by this policy.
+- `resources` (Set of String) List of resources this policy applies to. Format: 'instance/<uuid>' or 'instance/*'.
+
+Optional:
+
+- `tags` (Attributes) Optional tags for additional policy metadata. (see [below for nested schema](#nestedatt--policies--tags))
+
+Read-Only:
+
+- `id` (String) Server-assigned policy ID. Changes on every update since the server replaces all policies on PATCH.
+- `role_id` (String) ID of the role this policy belongs to.
+- `tenant_id` (String) Tenant ID that owns this policy.
+
+<a id="nestedatt--policies--tags"></a>
+### Nested Schema for `policies.tags`
+
+Required:
+
+- `role` (String) SQL console role level for passwordless DB access. One of: sql-console-admin (full access), sql-console-readonly (read-only).
+
+## Import
+
+Import is supported using the following syntax:
+
+The [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import) can be used, for example:
+
+```shell
+#!/bin/bash
+# Roles can be imported by specifying the role ID.
+terraform import clickhouse_role.example xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+```
@@ -0,0 +1,118 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "clickhouse_role_assignment Resource - clickhouse"
+subcategory: ""
+description: |-
+  Use the clickhouse_role_assignment resource to assign actors (users and/or API keys) to a role. Works for both system roles and custom roles.
+  One resource manages all actors for a given role. Use user_ids to assign users, api_key_ids to assign API keys, or both. Only one clickhouse_role_assignment per role is needed.
+  ~> Note: This resource is in alpha. On delete, all actors are removed from the role.
+  To look up the ID of a system role by name, use the clickhouse_role data source.
+  To look up a user ID by email, use the clickhouse_user data source.
+  Example Usage
+
+  data "clickhouse_role" "member" {
+    name = "Member"
+  }
+
+  data "clickhouse_user" "alice" {
+    email = "alice@example.com"
+  }
+
+  data "clickhouse_user" "bob" {
+    email = "bob@example.com"
+  }
+
+  data "clickhouse_api_key_id" "current" {}
+
+  resource "clickhouse_role_assignment" "member" {
+    role_id = data.clickhouse_role.member.id
+
+    user_ids    = [data.clickhouse_user.alice.id, data.clickhouse_user.bob.id]
+    api_key_ids = [data.clickhouse_api_key_id.current.id]
+  }
+---
+
+# clickhouse_role_assignment (Resource)
+
+Use the *clickhouse_role_assignment* resource to assign actors (users and/or API keys) to a role. Works for both system roles and custom roles.
+
+One resource manages all actors for a given role. Use `user_ids` to assign users, `api_key_ids` to assign API keys, or both. Only one `clickhouse_role_assignment` per role is needed.
+
+~> **Note:** This resource is in alpha. On delete, all actors are removed from the role.
+
+To look up the ID of a system role by name, use the `clickhouse_role` data source.
+To look up a user ID by email, use the `clickhouse_user` data source.
+
+## Example Usage
+
+```hcl
+data "clickhouse_role" "member" {
+  name = "Member"
+}
+
+data "clickhouse_user" "alice" {
+  email = "alice@example.com"
+}
+
+data "clickhouse_user" "bob" {
+  email = "bob@example.com"
+}
+
+data "clickhouse_api_key_id" "current" {}
+
+resource "clickhouse_role_assignment" "member" {
+  role_id = data.clickhouse_role.member.id
+
+  user_ids    = [data.clickhouse_user.alice.id, data.clickhouse_user.bob.id]
+  api_key_ids = [data.clickhouse_api_key_id.current.id]
+}
+```
+
+## Example Usage
+
+```terraform
+data "clickhouse_role" "member" {
+  name = "Member"
+}
+
+data "clickhouse_user" "alice" {
+  email = "alice@example.com"
+}
+
+data "clickhouse_api_key_id" "current" {}
+
+resource "clickhouse_role_assignment" "member" {
+  role_id = data.clickhouse_role.member.id
+
+  user_ids    = [data.clickhouse_user.alice.id]
+  api_key_ids = [data.clickhouse_api_key_id.current.id]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `role_id` (String) ID of the role to assign actors to.
+
+### Optional
+
+- `api_key_ids` (Set of String) Set of API key IDs to assign to the role.
+- `user_ids` (Set of String) Set of user IDs to assign to the role.
+
+### Read-Only
+
+- `id` (String) Same as role_id.
+
+## Import
+
+Import is supported using the following syntax:
+
+The [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import) can be used, for example:
+
+```shell
+#!/bin/bash
+# Role assignments can be imported by specifying the role ID.
+terraform import clickhouse_role_assignment.example xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+```
@@ -57,6 +57,8 @@ resource "clickhouse_service" "service" {
 
 ### Optional
 
+> **NOTE**: [Write-only arguments](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments) are supported in Terraform 1.11 and later.
+
 - `backup_configuration` (Attributes) Configuration of service backup settings. (see [below for nested schema](#nestedatt--backup_configuration))
 - `backup_id` (String) ID of the backup to restore when creating new service. If specified, the service will be created as a restore operation
 - `byoc_id` (String) BYOC ID related to the cloud provider account you want to create this service into.
@@ -75,7 +77,7 @@ resource "clickhouse_service" "service" {
 - `num_replicas` (Number) Number of replicas for the service.
 - `password` (String, Sensitive) Password for the default user. One of either `password`, `password_wo`, or `password_hash` must be specified.
 - `password_hash` (String, Sensitive) SHA256 hash of password for the default user. One of either `password`, `password_wo`, or `password_hash` must be specified.
-- `password_wo` (String, Sensitive) Password for the default user (write-only, not persisted to state). Use this instead of `password` to avoid storing the password hash in Terraform state.
+- `password_wo` (String, Sensitive, [Write-only](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments)) Password for the default user (write-only, not persisted to state). Use this instead of `password` to avoid storing the password hash in Terraform state.
 - `password_wo_version` (Number) Version number for password_wo. Increment this to trigger a password update when using password_wo.
 - `query_api_endpoints` (Attributes) Configuration of the query API endpoints feature. (see [below for nested schema](#nestedatt--query_api_endpoints))
 - `readonly` (Boolean) Indicates if this service should be read only. Only allowed for secondary services, those which share data with another service (i.e. when `warehouse_id` field is set).