⭐ Detect drift for iam_binding_resource (#372)

jaym · web-flow · commit 6de008993ac6 · 2026-01-20T11:47:26.000-06:00
We now query the currently set roles for the scope, identity pair
diff --git a/internal/provider/gql.go b/internal/provider/gql.go
@@ -1284,6 +1284,28 @@ func (c *ExtendedGqlClient) SetRoles(ctx context.Context, input SetRolesInput) (
 	err := c.Mutate(ctx, &mutation, input, nil)
 	return mutation.SetRoles, err
 }
+
+type GetRolesPayload struct {
+	IdentityMrn   mondoov1.String   `json:"identity_mrn"`
+	IdentityEmail *mondoov1.String  `json:"identity_email"`
+	ScopeMrn      mondoov1.String   `json:"scope_mrn"`
+	Roles         []mondoov1.String `json:"roles"`
+}
+
+func (c *ExtendedGqlClient) GetRoles(ctx context.Context, identity string, scopeMrn string) (*GetRolesPayload, error) {
+	var query struct {
+		GetRoles GetRolesPayload `graphql:"getRoles(identity: $identity, scopeMrn: $scopeMrn)"`
+	}
+	variables := map[string]interface{}{
+		"identity": mondoov1.String(identity),
+		"scopeMrn": mondoov1.String(scopeMrn),
+	}
+	err := c.Query(ctx, &query, variables)
+	if err != nil {
+		return nil, err
+	}
+	return &query.GetRoles, nil
+}
 func (c *ExtendedGqlClient) CreateException(
 	ctx context.Context,
 	scopeMrn string,
diff --git a/internal/provider/iam_binding_resource.go b/internal/provider/iam_binding_resource.go
@@ -162,7 +162,31 @@ func (r *IAMBindingResource) Read(ctx context.Context, req resource.ReadRequest,
 		return
 	}
 
-	// TODO: There's no direct query to get a specific role binding in the GraphQL schema.
+	// Query current roles from the API
+	rolesPayload, err := r.client.GetRoles(ctx, data.IdentityMrn.ValueString(), data.ResourceMrn.ValueString())
+	if err != nil {
+		resp.Diagnostics.AddError("Client Error", fmt.Sprintf("Unable to read IAM binding, got error: %s", err))
+		return
+	}
+
+	// Filter out implicit roles (org-member, space-member) that are automatically added
+	var explicitRoles []string
+	for _, role := range rolesPayload.Roles {
+		roleStr := string(role)
+		// Skip implicit membership roles
+		if roleStr != "//iam.api.mondoo.app/roles/org-member" && roleStr != "//iam.api.mondoo.app/roles/space-member" {
+			explicitRoles = append(explicitRoles, roleStr)
+		}
+	}
+
+	// Convert to Terraform list type
+	rolesList, diags := types.ListValueFrom(ctx, types.StringType, explicitRoles)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	data.Roles = rolesList
 
 	// Save updated data into Terraform state
 	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
