[3.2.0] Multi-organization support added

Author: vasiliyskysql

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## [3.2.0] - 2025-10-23
+### Added
+- Multi-organization support.
+
 ## [3.1.5] - 2025-10-23
 ### Fixed
 - prevent start/stop operations on serverless-standalone services.

README.md

@@ -20,3 +20,9 @@ See the examples in `/docs` in this repository for usage examples.
 ```shell
 go install
 ```
+
+## Documentation
+
+See the [documentation](docs/) for usage examples and detailed guides, including:
+
+- [Multi-Organization Support](docs/guides/multi-organization-support.md) - Managing services across multiple SkySQL organizations

docs/guides/multi-organization-support.md

@@ -0,0 +1,148 @@
+---
+page_title: "Multi-Organization Support - SkySQL Terraform Provider"
+description: |-
+  Guide for managing services across multiple SkySQL organizations using the org_id parameter
+---
+
+# Multi-Organization Support
+
+**Version 3.2.0+** supports managing services across multiple organizations using the `org_id` parameter.
+
+## Overview
+
+When a user belongs to multiple SkySQL organizations, the provider can manage services in different organizations by specifying the `org_id` parameter on each service resource. This parameter adds the `X-MDB-Org` header to all API requests for that service, allowing the backend to operate in the context of the specified organization.
+
+## Usage
+
+### Single Organization (Default Behavior)
+
+If you only work with one organization or want to use the organization associated with your API key, simply omit the `org_id` parameter:
+
+```hcl
+resource "skysql_service" "my_service" {
+  name             = "my-database"
+  service_type     = "transactional"
+  topology         = "standalone"
+  cloud_provider   = "aws"
+  region           = "us-east-1"
+  size             = "sky-2x8"
+  storage          = 100
+  ssl_enabled      = true
+  # org_id is not specified - uses the API key's default organization
+}
+```
+
+### Multiple Organizations
+
+When managing services across multiple organizations, specify the `org_id` for each service:
+
+```hcl
+# Production database in organization A
+resource "skysql_service" "prod_db" {
+  org_id           = "org-12345-production"
+  name             = "prod-database"
+  service_type     = "transactional"
+  topology         = "standalone"
+  cloud_provider   = "aws"
+  region           = "us-east-1"
+  size             = "sky-4x16"
+  storage          = 500
+  ssl_enabled      = true
+}
+
+# Development database in organization B
+resource "skysql_service" "dev_db" {
+  org_id           = "org-67890-development"
+  name             = "dev-database"
+  service_type     = "transactional"
+  topology         = "standalone"
+  cloud_provider   = "gcp"
+  region           = "us-central1"
+  size             = "sky-2x8"
+  storage          = 100
+  ssl_enabled      = true
+}
+
+# Staging database in organization C
+resource "skysql_service" "staging_db" {
+  org_id           = "org-11223-staging"
+  name             = "staging-database"
+  service_type     = "analytical"
+  topology         = "standalone"
+  cloud_provider   = "aws"
+  region           = "eu-west-1"
+  size             = "sky-2x8"
+  storage          = 200
+  ssl_enabled      = true
+}
+```
+
+## Important Notes
+
+1. **Replacement Required**: Changing the `org_id` of an existing service will destroy and recreate the service. Plan carefully when setting this value.
+2. **API Key Permissions**: Your API key must have access to all organizations specified in your Terraform configuration. If the API key doesn't have access to an organization, requests will fail with a forbidden error.
+3. **Backward Compatibility**: The `org_id` parameter is optional. Existing Terraform configurations will continue to work without modification.
+
+## Finding Your Organization ID
+
+You can find your organization IDs through:
+
+- The SkySQL web console (Organization Settings)
+- The SkySQL API (`/organization/v1/orgs` endpoint)
+- Your organization administrator
+
+## Example: Team-Based Infrastructure
+
+```hcl
+# Variables for organization IDs
+variable "team_a_org_id" {
+  description = "Organization ID for Team A"
+  type        = string
+}
+
+variable "team_b_org_id" {
+  description = "Organization ID for Team B"
+  type        = string
+}
+
+# Team A's production database
+resource "skysql_service" "team_a_prod" {
+  org_id           = var.team_a_org_id
+  name             = "team-a-prod"
+  service_type     = "transactional"
+  topology         = "standalone"
+  cloud_provider   = "aws"
+  region           = "us-east-1"
+  size             = "sky-8x32"
+  storage          = 1000
+  ssl_enabled      = true
+}
+
+# Team B's production database
+resource "skysql_service" "team_b_prod" {
+  org_id           = var.team_b_org_id
+  name             = "team-b-prod"
+  service_type     = "transactional"
+  topology         = "standalone"
+  cloud_provider   = "aws"
+  region           = "us-west-2"
+  size             = "sky-4x16"
+  storage          = 500
+  ssl_enabled      = true
+}
+```
+
+## Troubleshooting
+
+**Error: "access to this organization is forbidden"**
+- Your API key doesn't have permission to access the specified organization
+- Verify the `org_id` value is correct
+- Check with your organization administrator to ensure your user account has access
+
+**Service created in wrong organization**
+- Double-check the `org_id` value in your configuration
+- Remember that omitting `org_id` uses the API key's default organization
+
+**Unexpected replacement during plan**
+- Changing `org_id` requires resource replacement - this is by design
+- Services cannot be moved between organizations; they must be recreated

docs/index.md

@@ -337,6 +337,10 @@ Bye
 
 Run `terraform destroy` to destroy the service.
 
+## Guides
+
+- [Multi-Organization Support](guides/multi-organization-support.md) - Learn how to manage services across multiple SkySQL organizations
+
 ## SkySQL provider configuration
 
 Configuration for the SkySQL provider can be derived from several sources,

docs/resources/skysql_service.md

@@ -63,6 +63,7 @@ resource "skysql_service" "default" {
 - `maxscale_size` (String) The size of the MaxScale nodes. Valid values are: sky-2x4, sky-2x8 etc
 - `nodes` (Number) The number of nodes
 - `nosql_enabled` (Boolean) Whether to enable NoSQL. Valid values are: true or false
+- `org_id` (String) The organization ID to create the service in. When specified, adds the X-MDB-Org header to API requests. **Note:** Changing this value will destroy and recreate the service. See the [Multi-Organization Support guide](../guides/multi-organization-support.md) for more information.
 - `primary_host` (String) The primary host of the service
 - `project_id` (String) The ID of the project to create the service in
 - `replication_enabled` (Boolean) Whether to enable global replication. Valid values are: true or false. Works for xpand-direct topology only

internal/provider/service_resource.go

@@ -99,6 +99,7 @@ type ServiceResourceModel struct {
 	FQDN               types.String   `tfsdk:"fqdn"`
 	AvailabilityZone   types.String   `tfsdk:"availability_zone"`
 	Tags               types.Map      `tfsdk:"tags"`
+	OrgID              types.String   `tfsdk:"org_id"`
 }
 
 // ServiceResourceNamedPortModel is an endpoint port
@@ -410,6 +411,13 @@ var serviceResourceSchemaV0 = schema.Schema{
 				&tagsNamePlanModifier{},
 			},
 		},
+		"org_id": schema.StringAttribute{
+			Optional:    true,
+			Description: "The organization ID to use for this service. When specified, all API requests will include the X-MDB-Org header to operate in this organization's context. This allows managing services across multiple organizations.",
+			PlanModifiers: []planmodifier.String{
+				stringplanmodifier.RequiresReplace(),
+			},
+		},
 	},
 	Blocks: map[string]schema.Block{
 		"timeouts": timeouts.Block(context.Background(), timeouts.Opts{
@@ -532,7 +540,7 @@ func (r *ServiceResource) Create(ctx context.Context, req resource.CreateRequest
 		}
 	}
 
-	service, err := r.client.CreateService(ctx, createServiceRequest)
+	service, err := r.client.CreateService(ctx, createServiceRequest, skysql.WithOrgID(state.OrgID.ValueString()))
 	if err != nil {
 		resp.Diagnostics.AddError("Error creating service", err.Error())
 		return
@@ -595,7 +603,7 @@ func (r *ServiceResource) Create(ctx context.Context, req resource.CreateRequest
 		}
 
 		err = sdkresource.RetryContext(ctx, createTimeout, func() *sdkresource.RetryError {
-			service, err := r.client.GetServiceByID(ctx, service.ID)
+			service, err := r.client.GetServiceByID(ctx, service.ID, skysql.WithOrgID(state.OrgID.ValueString()))
 			if err != nil {
 				return sdkresource.NonRetryableError(fmt.Errorf("error retrieving service details: %v", err))
 			}
@@ -688,7 +696,7 @@ func (r *ServiceResource) Read(ctx context.Context, req resource.ReadRequest, re
 }
 
 func (r *ServiceResource) readServiceState(ctx context.Context, data *ServiceResourceModel) error {
-	service, err := r.client.GetServiceByID(ctx, data.ID.ValueString())
+	service, err := r.client.GetServiceByID(ctx, data.ID.ValueString(), skysql.WithOrgID(data.OrgID.ValueString()))
 	if err != nil {
 		return err
 	}
@@ -863,7 +871,7 @@ func (r *ServiceResource) updateServiceStorage(ctx context.Context, plan *Servic
 			"throughput_to":   plan.VolumeThroughput.ValueInt64(),
 		})
 
-		err := r.client.ModifyServiceStorage(ctx, state.ID.ValueString(), plan.Storage.ValueInt64(), plan.VolumeIOPS.ValueInt64(), plan.VolumeThroughput.ValueInt64())
+		err := r.client.ModifyServiceStorage(ctx, state.ID.ValueString(), plan.Storage.ValueInt64(), plan.VolumeIOPS.ValueInt64(), plan.VolumeThroughput.ValueInt64(), skysql.WithOrgID(state.OrgID.ValueString()))
 		if err != nil {
 			resp.Diagnostics.AddError("Error updating a storage for the service",
 				fmt.Sprintf("Unable to update a storage size for the service, got error: %s", err))
@@ -888,7 +896,7 @@ func (r *ServiceResource) updateNumberOfNodeForService(ctx context.Context, plan
 			"to":   plan.Nodes.ValueInt64(),
 		})
 
-		err := r.client.ModifyServiceNodeNumber(ctx, state.ID.ValueString(), plan.Nodes.ValueInt64())
+		err := r.client.ModifyServiceNodeNumber(ctx, state.ID.ValueString(), plan.Nodes.ValueInt64(), skysql.WithOrgID(state.OrgID.ValueString()))
 		if err != nil {
 			resp.Diagnostics.AddError("Error updating a number of nodes for the service", fmt.Sprintf("Unable to update a nodes number for the service, got error: %s", err))
 			return
@@ -911,7 +919,7 @@ func (r *ServiceResource) updateServiceSize(ctx context.Context, plan *ServiceRe
 			"to":   plan.Size.ValueString(),
 		})
 
-		err := r.client.ModifyServiceSize(ctx, state.ID.ValueString(), plan.Size.ValueString())
+		err := r.client.ModifyServiceSize(ctx, state.ID.ValueString(), plan.Size.ValueString(), skysql.WithOrgID(state.OrgID.ValueString()))
 		if err != nil {
 			resp.Diagnostics.AddError("Error updating service size", fmt.Sprintf("Unable to update service size, got error: %s", err))
 			return
@@ -963,7 +971,8 @@ func (r *ServiceResource) updateServiceEndpoints(ctx context.Context, plan *Serv
 			state.ID.ValueString(),
 			plan.Mechanism.ValueString(),
 			planAllowedAccounts,
-			visibility)
+			visibility,
+			skysql.WithOrgID(state.OrgID.ValueString()))
 		if err != nil {
 			resp.Diagnostics.AddError("Can not update service", err.Error())
 			return
@@ -1010,7 +1019,7 @@ func (r *ServiceResource) updateAllowList(ctx context.Context, plan *ServiceReso
 				})
 			}
 
-			allowListResp, err := r.client.UpdateServiceAllowListByID(ctx, plan.ID.ValueString(), allowListUpdateRequest)
+			allowListResp, err := r.client.UpdateServiceAllowListByID(ctx, plan.ID.ValueString(), allowListUpdateRequest, skysql.WithOrgID(plan.OrgID.ValueString()))
 			if err != nil {
 				if errors.Is(err, skysql.ErrorServiceNotFound) {
 					tflog.Warn(ctx, "SkySQL service not found, removing from state", map[string]interface{}{
@@ -1048,7 +1057,7 @@ func (r *ServiceResource) updateServicePowerState(ctx context.Context, plan *Ser
 			"id":        state.ID.ValueString(),
 			"is_active": plan.IsActive.ValueBool(),
 		})
-		err := r.client.SetServicePowerState(ctx, state.ID.ValueString(), plan.IsActive.ValueBool())
+		err := r.client.SetServicePowerState(ctx, state.ID.ValueString(), plan.IsActive.ValueBool(), skysql.WithOrgID(state.OrgID.ValueString()))
 		if err != nil {
 			resp.Diagnostics.AddError("Can not update service", err.Error())
 			return
@@ -1093,7 +1102,7 @@ func (r *ServiceResource) updateServiceTags(ctx context.Context, plan *ServiceRe
 				"id": state.ID.ValueString(),
 			})
 
-			err := r.client.UpdateServiceTags(ctx, state.ID.ValueString(), planTags)
+			err := r.client.UpdateServiceTags(ctx, state.ID.ValueString(), planTags, skysql.WithOrgID(state.OrgID.ValueString()))
 			if err != nil {
 				if errors.Is(err, skysql.ErrorServiceNotFound) {
 					tflog.Warn(ctx, "SkySQL service not found, removing from state", map[string]interface{}{
@@ -1125,7 +1134,7 @@ var serviceUpdateWaitStates = []string{"ready", "failed", "stopped"}
 func (r *ServiceResource) waitForUpdate(ctx context.Context, state *ServiceResourceModel, resp *resource.UpdateResponse) {
 	if state.WaitForUpdate.ValueBool() {
 		err := sdkresource.RetryContext(ctx, defaultUpdateTimeout, func() *sdkresource.RetryError {
-			service, err := r.client.GetServiceByID(ctx, state.ID.ValueString())
+			service, err := r.client.GetServiceByID(ctx, state.ID.ValueString(), skysql.WithOrgID(state.OrgID.ValueString()))
 			if err != nil {
 				return sdkresource.NonRetryableError(fmt.Errorf("error retrieving service details: %v", err))
 			}
@@ -1162,7 +1171,7 @@ func (r *ServiceResource) Delete(ctx context.Context, req resource.DeleteRequest
 		return
 	}
 
-	err := r.client.DeleteServiceByID(ctx, state.ID.ValueString())
+	err := r.client.DeleteServiceByID(ctx, state.ID.ValueString(), skysql.WithOrgID(state.OrgID.ValueString()))
 	if err != nil {
 		if errors.Is(err, skysql.ErrorServiceNotFound) {
 			tflog.Warn(ctx, "SkySQL service not found, removing from state", map[string]interface{}{
@@ -1183,7 +1192,7 @@ func (r *ServiceResource) Delete(ctx context.Context, req resource.DeleteRequest
 		}
 
 		err = sdkresource.RetryContext(ctx, deleteTimeout, func() *sdkresource.RetryError {
-			service, err := r.client.GetServiceByID(ctx, state.ID.ValueString())
+			service, err := r.client.GetServiceByID(ctx, state.ID.ValueString(), skysql.WithOrgID(state.OrgID.ValueString()))
 			if err != nil {
 				if errors.Is(err, skysql.ErrorServiceNotFound) {
 					return nil