From dade9fac8ae375b4798926705f4f0b243b83a957 Mon Sep 17 00:00:00 2001
From: Benjamin Ritter
Date: Tue, 9 Dec 2025 10:10:50 +0100
Subject: [PATCH 1/2] feat: add folder role assignment resource
Signed-off-by: Benjamin Ritter
---
 .../authorization_folder_role_assignment.md | 43 +++++++++++++++++++
 .../resource.tf | 11 +++++
 .../authorization/roleassignments/resource.go | 1 +
 3 files changed, 55 insertions(+)
 create mode 100644 docs/resources/authorization_folder_role_assignment.md
 create mode 100644 examples/resources/stackit_authorization_folder_role_assignment/resource.tf
diff --git a/docs/resources/authorization_folder_role_assignment.md b/docs/resources/authorization_folder_role_assignment.md
new file mode 100644
index 000000000..15e76601b
--- /dev/null
+++ b/docs/resources/authorization_folder_role_assignment.md
@@ -0,0 +1,43 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_authorization_folder_role_assignment Resource - stackit"
+subcategory: ""
+description: |-
+ folder Role Assignment resource schema.
+ ~> This resource is part of the iam experiment and is likely going to undergo significant changes or be removed in the future. Use it at your own discretion.
+---
+
+# stackit_authorization_folder_role_assignment (Resource)
+
+folder Role Assignment resource schema.
+
+~> This resource is part of the iam experiment and is likely going to undergo significant changes or be removed in the future. Use it at your own discretion.
+
+## Example Usage
+
+```terraform
+resource "stackit_authorization_folder_role_assignment" "example" {
+ resource_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ role = "owner"
+ subject = "john.doe@stackit.cloud"
+}
+
+# Only use the import statement, if you want to import an existing folder role assignment
+import {
+ to = stackit_authorization_folder_role_assignment.import-example
+ id = "${var.folder_id},${var.folder_role_assignment_role},${var.folder_role_assignment_subject}"
+}
+```
+
+
+## Schema
+
+### Required
+
+- `resource_id` (String) folder Resource to assign the role to.
+- `role` (String) Role to be assigned
+- `subject` (String) Identifier of user, service account or client. Usually email address or name in case of clients
+
+### Read-Only
+
+- `id` (String) Terraform's internal resource identifier. It is structured as "[resource_id],[role],[subject]".
diff --git a/examples/resources/stackit_authorization_folder_role_assignment/resource.tf b/examples/resources/stackit_authorization_folder_role_assignment/resource.tf
new file mode 100644
index 000000000..a3dda4743
--- /dev/null
+++ b/examples/resources/stackit_authorization_folder_role_assignment/resource.tf
@@ -0,0 +1,11 @@
+resource "stackit_authorization_folder_role_assignment" "example" {
+ resource_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ role = "owner"
+ subject = "john.doe@stackit.cloud"
+}
+
+# Only use the import statement, if you want to import an existing folder role assignment
+import {
+ to = stackit_authorization_folder_role_assignment.import-example
+ id = "${var.folder_id},${var.folder_role_assignment_role},${var.folder_role_assignment_subject}"
+}
diff --git a/stackit/internal/services/authorization/roleassignments/resource.go b/stackit/internal/services/authorization/roleassignments/resource.go
index cd29fdb0a..1f896aab7 100644
--- a/stackit/internal/services/authorization/roleassignments/resource.go
+++ b/stackit/internal/services/authorization/roleassignments/resource.go
@@ -30,6 +30,7 @@ import (
 var roleTargets = []string{
 "project",
 "organization",
+ "folder",
 }
 
 // Ensure the implementation satisfies the expected interfaces.
From 194cb90a2a8994b2d410ad5345fdae03be2a803e Mon Sep 17 00:00:00 2001
From: Benjamin Ritter
Date: Tue, 9 Dec 2025 10:26:51 +0100
Subject: [PATCH 2/2] feat: add folder role assignment acceptance tests
Signed-off-by: Benjamin Ritter
---
 .../services/authorization/authorization_acc_test.go | 8 ++++++++
 .../services/authorization/testfiles/folder-role.tf | 6 ++++++
 .../services/authorization/testfiles/prerequisites.tf | 6 ++++++
 3 files changed, 20 insertions(+)
 create mode 100644 stackit/internal/services/authorization/testfiles/folder-role.tf
diff --git a/stackit/internal/services/authorization/authorization_acc_test.go b/stackit/internal/services/authorization/authorization_acc_test.go
index 7fcede14d..3c7aab58d 100644
--- a/stackit/internal/services/authorization/authorization_acc_test.go
+++ b/stackit/internal/services/authorization/authorization_acc_test.go
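Review bot: The new `"folder"` entry is interpolated verbatim into the generated resource text, which in this patch's own docs comes out as `folder Role Assignment resource schema.` and `folder Resource to assign the role to.` — a lowercase word opening a sentence. The template that builds those descriptions from roleTargets is outside this hunk; capitalising the target there, or carrying a display name next to the API value, fixes the wording for all three targets at once. The declaration itself would also read better with a line above it such as `// roleTargets lists the resource kinds a role-assignment resource is generated for; each value appears in the resource name and its descriptions.` — the second half is inferred from the generated docs, so please confirm against the generator.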
@@ -33,6 +33,9 @@ var invalidRole string
 //go:embed testfiles/organization-role.tf
 var organizationRole string
 
+//go:embed testfiles/folder-role.tf
+var folderRole string
+
 var testConfigVars = config.Variables{
 "project_id": config.StringVariable(testutil.ProjectId),
 "test_service_account": config.StringVariable(testutil.TestProjectServiceAccountEmail),
@@ -73,6 +76,11 @@ func TestAccProjectRoleAssignmentResource(t *testing.T) {
 ConfigVariables: testConfigVars,
 Config: testutil.AuthorizationProviderConfig() + prerequisites + organizationRole,
 },
+ {
+ // Assign a resource to a folder
+ ConfigVariables: testConfigVars,
+ Config: testutil.AuthorizationProviderConfig() + prerequisites + folderRole,
+ },
 {
 // The Service Account inherits owner permissions for the project from the organization. Check if you can still assign owner permissions on the project explicitly
 ConfigVariables: testConfigVars,
diff --git a/stackit/internal/services/authorization/testfiles/folder-role.tf b/stackit/internal/services/authorization/testfiles/folder-role.tf
new file mode 100644
index 000000000..9db6a2965
--- /dev/null
+++ b/stackit/internal/services/authorization/testfiles/folder-role.tf
@@ -0,0 +1,6 @@
+
+resource "stackit_authorization_folder_role_assignment" "serviceaccount" {
+ resource_id = stackit_resourcemanager_folder.test.folder_id
+ role = "owner"
+ subject = var.test_service_account
+}
\ No newline at end of file
diff --git a/stackit/internal/services/authorization/testfiles/prerequisites.tf b/stackit/internal/services/authorization/testfiles/prerequisites.tf
index 4188842a3..2597a9e63 100644
--- a/stackit/internal/services/authorization/testfiles/prerequisites.tf
+++ b/stackit/internal/services/authorization/testfiles/prerequisites.tf
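Review bot: The step comment `// Assign a resource to a folder` does not describe the step; the embedded config (testfiles/folder-role.tf) grants the test service account the owner role on the folder, so `// Assign the owner role on the folder to the test service account` would be accurate. The step also carries no Check, so it only proves that the apply succeeds and the follow-up plan is empty; that matches the organization step directly above it, but if other steps in this function assert attributes (not visible here), a `resource.TestCheckResourceAttr("stackit_authorization_folder_role_assignment.serviceaccount", "role", "owner")` would bring this one in line. TestAccProjectRoleAssignmentResource starts and ends outside the hunk.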
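Review bot: folder-role.tf begins with a blank line and ends without a trailing newline, and prerequisites.tf (the last hunk of this patch) loses its trailing newline by the same change. The acceptance test builds its config by string concatenation (`prerequisites + folderRole` in authorization_acc_test.go), so that leading blank line is the only thing keeping the closing `}` of prerequisites.tf and the next `resource` block apart; any other embedded file concatenated after prerequisites.tf that does not start with a newline — organization-role.tf, for instance, whose content is not visible here — would now yield `}resource ...`, which HCL is unlikely to parse. Terminating both files with a newline (as `terraform fmt` does) and dropping the leading blank line makes the concatenation independent of file order.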
@@ -8,3 +8,9 @@ resource "stackit_authorization_project_role_assignment" "serviceaccount" {
 role = "reader"
 subject = var.test_service_account
 }
+
+resource "stackit_resourcemanager_folder" "test" {
+ name = "test"
+ owner_email = "foo.bar@stackit.cloud"
+ parent_container_id = var.organization_id
+}
\ No newline at end of file
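Review bot: `owner_email = "foo.bar@stackit.cloud"` is a literal placeholder on a folder that the acceptance test really creates; if the resource manager validates or notifies that address, the run fails or a mailbox nobody on the team owns becomes the folder's owner of record, so `owner_email = var.test_service_account` (already used in this file) or a dedicated test variable is the safer choice. `var.organization_id` must also be declared in the test's variable block and populated through testConfigVars — only `project_id` and `test_service_account` are visible in that map in this series, so please confirm it is wired up. The enclosing project-role-assignment block above the added lines starts outside the hunk.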