[feat][gov] Add data source + resource for users (#54)

* update repo to reflect v.2.9.0 of the api

* fixes to cursor slop

* notes in readme

* all tests passing, working on a local server with real examples

* docs

* lint fixes

* add comment on folder deletion recursion

* notes on reviewing

* better handling for config variables as secret

* update docs

* lint

* lint

* add data source + resource for users

* docs

* lint

* lint

* lint

* still fighting with local linting....

* one more

* better docs

Author: simplyluke

docs/data-sources/users.md

@@ -0,0 +1,56 @@
+---
+page_title: "Data Source: retool_users"
+description: |-
+  Users data source allows you to retrieve a list of users in Retool.
+---
+
+# Data Source: retool_users
+
+Users data source allows you to retrieve a list of users in Retool.
+
+## Example Usage
+
+```terraform
+data "retool_users" "all_users" {}
+
+output "all_users" {
+  value = data.retool_users.all_users.users
+}
+
+# Filter active users
+output "active_users" {
+  value = [for user in data.retool_users.all_users.users : user if user.active]
+}
+
+# Filter admin users
+output "admin_users" {
+  value = [for user in data.retool_users.all_users.users : user if user.is_admin]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Read-Only
+
+- `users` (Attributes List) A list of users (see [below for nested schema](#nestedatt--users))
+
+<a id="nestedatt--users"></a>
+### Nested Schema for `users`
+
+Read-Only:
+
+- `active` (Boolean) Whether the user is active or not.
+- `created_at` (String) The timestamp when the user was created.
+- `email` (String) The email address of the user.
+- `first_name` (String) The first name of the user.
+- `id` (String) The ID of the user. Currently this is the same as legacy_id but will change in the future.
+- `is_admin` (Boolean) Whether the user is an admin or not.
+- `last_active` (String) The timestamp when the user was last active.
+- `last_name` (String) The last name of the user.
+- `legacy_id` (String) The legacy ID of the user.
+- `metadata` (String) JSON string containing custom metadata for the user.
+- `two_factor_auth_enabled` (Boolean) Whether two-factor authentication is enabled for this user.
+- `user_type` (String) The user type.
+
+

docs/resources/user.md

@@ -0,0 +1,57 @@
+---
+page_title: "Resource: retool_user"
+description: |-
+  A user represents an individual with access to the Retool instance. Users can be granted access to apps, resources, and workflows through group memberships and permissions.
+  Note: Deleting a user resource sets the user to inactive (active: false) rather than permanently removing them from Retool.
+---
+
+# Resource: retool_user
+
+A user represents an individual with access to the Retool instance. Users can be granted access to apps, resources, and workflows through group memberships and permissions.
+
+Note: Deleting a user resource sets the user to inactive (active: false) rather than permanently removing them from Retool.
+
+## Example Usage
+
+```terraform
+resource "retool_user" "example" {
+  email      = "user@example.com"
+  first_name = "John"
+  last_name  = "Doe"
+  active     = true
+  metadata   = "{\"department\":\"engineering\",\"team\":\"platform\"}"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `email` (String) The email address of the user. Cannot be changed after creation.
+- `first_name` (String) The first name of the user.
+- `last_name` (String) The last name of the user.
+
+### Optional
+
+- `active` (Boolean) Whether the user is active or not. Default is true.
+- `metadata` (String) JSON string containing custom metadata for the user.
+- `user_type` (String) The user type. Accepted values vary by Retool instance configuration.
+
+### Read-Only
+
+- `created_at` (String) The timestamp when the user was created.
+- `id` (String) The ID of the user. Currently this is the same as legacy_id but will change in the future.
+- `is_admin` (Boolean) Whether the user is an admin or not.
+- `last_active` (String) The timestamp when the user was last active.
+- `legacy_id` (String) The legacy ID of the user.
+- `two_factor_auth_enabled` (Boolean) Whether two-factor authentication is enabled for this user.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# User can be imported by specifying the id
+terraform import retool_user.example "abc123"
+```

examples/data-sources/retool_users/data-source.tf

@@ -0,0 +1,16 @@
+data "retool_users" "all_users" {}
+
+output "all_users" {
+  value = data.retool_users.all_users.users
+}
+
+# Filter active users
+output "active_users" {
+  value = [for user in data.retool_users.all_users.users : user if user.active]
+}
+
+# Filter admin users
+output "admin_users" {
+  value = [for user in data.retool_users.all_users.users : user if user.is_admin]
+}
+

examples/resources/retool_user/import.sh

@@ -0,0 +1,3 @@
+# User can be imported by specifying the id
+terraform import retool_user.example "abc123"
+

examples/resources/retool_user/resource.tf

@@ -0,0 +1,8 @@
+resource "retool_user" "example" {
+  email      = "user@example.com"
+  first_name = "John"
+  last_name  = "Doe"
+  active     = true
+  metadata   = "{\"department\":\"engineering\",\"team\":\"platform\"}"
+}
+

internal/provider/provider.go

@@ -29,6 +29,7 @@ import (
 	"github.com/tryretool/terraform-provider-retool/internal/provider/sourcecontrolsettings"
 	"github.com/tryretool/terraform-provider-retool/internal/provider/space"
 	"github.com/tryretool/terraform-provider-retool/internal/provider/sso"
+	"github.com/tryretool/terraform-provider-retool/internal/provider/user"
 	"github.com/tryretool/terraform-provider-retool/internal/provider/utils"
 	"github.com/tryretool/terraform-provider-retool/internal/sdk/api"
 )
@@ -293,6 +294,7 @@ func (p *retoolProvider) DataSources(_ context.Context) []func() datasource.Data
 		folder.NewDataSource,
 		group.NewDataSource,
 		environments.NewDataSource,
+		user.NewDataSource,
 	}
 }
 
@@ -308,5 +310,6 @@ func (p *retoolProvider) Resources(_ context.Context) []func() resource.Resource
 		sourcecontrol.NewResource,
 		sourcecontrolsettings.NewResource,
 		configurationvariable.NewResource,
+		user.NewResource,
 	}
 }

internal/provider/user/data_source.go

@@ -0,0 +1,208 @@
+// Package user provides implementation of the User resource and Users data source.
+package user
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-framework/datasource"
+	"github.com/hashicorp/terraform-plugin-framework/datasource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/hashicorp/terraform-plugin-log/tflog"
+
+	"github.com/tryretool/terraform-provider-retool/internal/provider/utils"
+	"github.com/tryretool/terraform-provider-retool/internal/sdk/api"
+)
+
+// NewDataSource creates a new data source for users.
+func NewDataSource() datasource.DataSource {
+	return &usersDataSource{}
+}
+
+// Ensure the implementation satisfies the expected interfaces.
+var (
+	_ datasource.DataSource              = &usersDataSource{}
+	_ datasource.DataSourceWithConfigure = &usersDataSource{}
+)
+
+type usersDataSource struct {
+	client *api.APIClient
+}
+
+type usersDataSourceModel struct {
+	Users []userDataSourceModel `tfsdk:"users"`
+}
+
+type userDataSourceModel struct {
+	ID                   types.String `tfsdk:"id"`
+	LegacyID             types.String `tfsdk:"legacy_id"`
+	Email                types.String `tfsdk:"email"`
+	FirstName            types.String `tfsdk:"first_name"`
+	LastName             types.String `tfsdk:"last_name"`
+	Active               types.Bool   `tfsdk:"active"`
+	Metadata             types.String `tfsdk:"metadata"`
+	UserType             types.String `tfsdk:"user_type"`
+	CreatedAt            types.String `tfsdk:"created_at"`
+	LastActive           types.String `tfsdk:"last_active"`
+	IsAdmin              types.Bool   `tfsdk:"is_admin"`
+	TwoFactorAuthEnabled types.Bool   `tfsdk:"two_factor_auth_enabled"`
+}
+
+// Configure adds the provider configured client to the data source.
+func (d *usersDataSource) Configure(_ context.Context, req datasource.ConfigureRequest, resp *datasource.ConfigureResponse) {
+	// Add a nil check when handling ProviderData because Terraform
+	// sets that data after it calls the ConfigureProvider RPC.
+	if req.ProviderData == nil {
+		return
+	}
+
+	providerData, ok := req.ProviderData.(*utils.ProviderData)
+	if !ok {
+		resp.Diagnostics.AddError(
+			"Unexpected Data Source Configure Type",
+			fmt.Sprintf("Expected *utils.ProviderData, got: %T. Please report this issue to the provider developers.", req.ProviderData),
+		)
+		return
+	}
+
+	d.client = providerData.Client
+}
+
+func (d *usersDataSource) Metadata(_ context.Context, req datasource.MetadataRequest, resp *datasource.MetadataResponse) {
+	resp.TypeName = req.ProviderTypeName + "_users"
+}
+
+func (d *usersDataSource) Schema(_ context.Context, _ datasource.SchemaRequest, resp *datasource.SchemaResponse) {
+	resp.Schema = schema.Schema{
+		Description: "Users data source allows you to retrieve a list of users in Retool.",
+		Attributes: map[string]schema.Attribute{
+			"users": schema.ListNestedAttribute{
+				Computed:    true,
+				Description: "A list of users",
+				NestedObject: schema.NestedAttributeObject{
+					Attributes: map[string]schema.Attribute{
+						"id": schema.StringAttribute{
+							Computed:    true,
+							Description: "The ID of the user. Currently this is the same as legacy_id but will change in the future.",
+						},
+						"legacy_id": schema.StringAttribute{
+							Computed:    true,
+							Description: "The legacy ID of the user.",
+						},
+						"email": schema.StringAttribute{
+							Computed:    true,
+							Description: "The email address of the user.",
+						},
+						"first_name": schema.StringAttribute{
+							Computed:    true,
+							Description: "The first name of the user.",
+						},
+						"last_name": schema.StringAttribute{
+							Computed:    true,
+							Description: "The last name of the user.",
+						},
+						"active": schema.BoolAttribute{
+							Computed:    true,
+							Description: "Whether the user is active or not.",
+						},
+						"metadata": schema.StringAttribute{
+							Computed:    true,
+							Description: "JSON string containing custom metadata for the user.",
+						},
+						"user_type": schema.StringAttribute{
+							Computed:    true,
+							Description: "The user type.",
+						},
+						"created_at": schema.StringAttribute{
+							Computed:    true,
+							Description: "The timestamp when the user was created.",
+						},
+						"last_active": schema.StringAttribute{
+							Computed:    true,
+							Description: "The timestamp when the user was last active.",
+						},
+						"is_admin": schema.BoolAttribute{
+							Computed:    true,
+							Description: "Whether the user is an admin or not.",
+						},
+						"two_factor_auth_enabled": schema.BoolAttribute{
+							Computed:    true,
+							Description: "Whether two-factor authentication is enabled for this user.",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func (d *usersDataSource) Read(ctx context.Context, _ datasource.ReadRequest, resp *datasource.ReadResponse) {
+	var state usersDataSourceModel
+
+	users, httpResponse, err := d.client.UsersAPI.UsersGet(ctx).Execute()
+	if err != nil {
+		resp.Diagnostics.AddError(
+			"Unable to Read Users via Retool API",
+			err.Error(),
+		)
+		tflog.Error(ctx, "Error reading users", utils.AddHTTPStatusCode(map[string]any{"error": err.Error()}, httpResponse))
+		return
+	}
+	tflog.Info(ctx, "Read Users via Retool API", map[string]any{"num_users": len(users.Data)})
+
+	for _, user := range users.Data {
+		userModel := userDataSourceModel{
+			ID:                   types.StringValue(user.Id),
+			LegacyID:             types.StringValue(fmt.Sprintf("%.0f", user.LegacyId)),
+			Email:                types.StringValue(user.Email),
+			Active:               types.BoolValue(user.Active),
+			IsAdmin:              types.BoolValue(user.IsAdmin),
+			UserType:             types.StringValue(user.UserType),
+			TwoFactorAuthEnabled: types.BoolValue(user.TwoFactorAuthEnabled),
+			CreatedAt:            types.StringValue(user.CreatedAt.String()),
+		}
+
+		// Handle nullable fields.
+		if user.FirstName.Get() != nil {
+			userModel.FirstName = types.StringValue(*user.FirstName.Get())
+		} else {
+			userModel.FirstName = types.StringNull()
+		}
+
+		if user.LastName.Get() != nil {
+			userModel.LastName = types.StringValue(*user.LastName.Get())
+		} else {
+			userModel.LastName = types.StringNull()
+		}
+
+		if user.LastActive.Get() != nil {
+			userModel.LastActive = types.StringValue(user.LastActive.Get().String())
+		} else {
+			userModel.LastActive = types.StringNull()
+		}
+
+		// Handle metadata.
+		if len(user.Metadata) > 0 {
+			metadataStr, err := utils.MapToJSONString(user.Metadata)
+			if err != nil {
+				resp.Diagnostics.AddError(
+					"Error serializing metadata",
+					fmt.Sprintf("Could not serialize metadata for user %s: %s", user.Email, err.Error()),
+				)
+				return
+			}
+			userModel.Metadata = types.StringValue(metadataStr)
+		} else {
+			userModel.Metadata = types.StringNull()
+		}
+
+		state.Users = append(state.Users, userModel)
+	}
+
+	// Set state.
+	diags := resp.State.Set(ctx, &state)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+}