CrowdStrike · gpontejos · Aug 12, 2025
diff --git a/docs/data-sources/user.md b/docs/data-sources/user.md
@@ -0,0 +1,36 @@
+---
+page_title: "crowdstrike_user Data Source - crowdstrike"
+subcategory: "User"
+description: |-
+  This data source provides information about an existing CrowdStrike user in the Falcon Console.
+  API Scopes
+  The following API scopes are required:
+  User Management | Read & Write
+---
+
+# crowdstrike_user (Data Source)
+
+This data source provides information about an existing CrowdStrike user in the Falcon Console.
+
+## API Scopes
+
+The following API scopes are required:
+
+- User Management | Read & Write
+
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Optional
+
+- `cid` (String) The CrowdStrike Customer ID (CID) where the existing user resides. If not assigned, the CID associated with the provider credentials will be used.
+- `uid` (String) The user's email address, which serves as their username. Either this or the UUID must be provided to locate an existing user.
+- `uuid` (String) Unique identifier assigned to the user by CrowdStrike. Either uid or uuid must be provided to find an existing user
+
+### Read-Only
+
+- `first_name` (String) First name of the user.
+- `last_name` (String) Last name of the user.
diff --git a/docs/data-sources/user_roles.md b/docs/data-sources/user_roles.md
@@ -0,0 +1,30 @@
+---
+page_title: "crowdstrike_user_roles Data Source - crowdstrike"
+subcategory: "User Roles"
+description: |-
+  This data source retrieves available roles for a specified CID.
+  API Scopes
+  The following API scopes are required:
+  User Management | Read
+---
+
+# crowdstrike_user_roles (Data Source)
+
+This data source retrieves available roles for a specified CID.
+
+## API Scopes
+
+The following API scopes are required:
+
+- User Management | Read
+
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Optional
+
+- `cid` (String) The CrowdStrike Customer ID (CID) associated with the user roles to be retrieved. If not specified, the CID associated with the provider credentials will be used.
+- `role_ids` (List of String) List of role IDs associated with the specified CID
diff --git a/docs/resources/user.md b/docs/resources/user.md
@@ -0,0 +1,94 @@
+---
+page_title: "crowdstrike_user Resource - crowdstrike"
+subcategory: "User"
+description: |-
+  This resource allows management of a user on the CrowdStrike Falcon Platform.
+  Users represent the people who access the Falcon console to manage your Falcon environment. Every user account has a home CID. The home CID is where a user account is created, stored, and managed.
+  For newly created users, the system automatically sends an email containing a link for password configuration, unless the user's CID employs Single Sign-On (SSO).
+  API Scopes
+  The following API scopes are required:
+  User Management | Read & Write
+---
+
+# crowdstrike_user (Resource)
+
+This resource allows management of a user on the CrowdStrike Falcon Platform.
+
+Users represent the people who access the Falcon console to manage your Falcon environment. Every user account has a home CID. The home CID is where a user account is created, stored, and managed.
+For newly created users, the system automatically sends an email containing a link for password configuration, unless the user's CID employs Single Sign-On (SSO).
+
+## API Scopes
+
+The following API scopes are required:
+
+- User Management | Read & Write
+
+
+## Example Usage
+
+```terraform
+terraform {
+  required_providers {
+    crowdstrike = {
+      source = "registry.terraform.io/crowdstrike/crowdstrike"
+    }
+  }
+}
+
+provider "crowdstrike" {
+  cloud = "us-2"
+}
+
+
+resource "crowdstrike_user" "example" {
+  uid        = "[email protected]"
+  first_name = "FirstName"
+  last_name  = "LastName"
+  cid        = "ABCDEF0123456789ABCDEF0123456789"
+}
+
+output "user_uuid" {
+  value = crowdstrike_user.example.uuid
+}
+output "user_uid" {
+  value = crowdstrike_user.example.uid
+}
+output "user_cid" {
+  value = crowdstrike_user.example.cid
+}
+output "user_first_name" {
+  value = crowdstrike_user.example.first_name
+}
+output "user_last_name" {
+  value = crowdstrike_user.example.last_name
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `first_name` (String) First name of the user.
+- `last_name` (String) Last name of the user.
+- `uid` (String) The username to assign to the user. This must be a valid email address. Either uid or uuid must be provided to find an existing user.
+
+### Optional
+
+- `cid` (String) The CrowdStrike Customer ID (CID) for user creation. If not specified, the CID associated with the provider credentials will be used.
+
+### Read-Only
+
+- `uuid` (String) Unique identifier assigned to the user by CrowdStrike.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# User can be imported by specifying the UUID.
+# The UUID can be found in the URL of the user's profile page within the Falcon UI via the query string.
+# Example:
+# https://falcon.crowdstrike.com/users-v2/?id=683adeb9-100a-43e6-8968-b2934ebe6a8b
+terraform import crowdstrike_user.example 683adeb9-100a-43e6-8968-b2934ebe6a8b
+```
diff --git a/docs/resources/user_role_assignments.md b/docs/resources/user_role_assignments.md
@@ -0,0 +1,38 @@
+---
+page_title: "crowdstrike_user_role_assignments Resource - crowdstrike"
+subcategory: "User Role Assignments"
+description: |-
+  This resource manages user roles for an existing CrowdStrike userUser roles determine what a user can see and do in the Falcon console. Every Falcon user is required to have at least one role, which is assigned when a user account is created.
+  User roles are granted at the CID level, and you can have different roles in each CID you're associated with. In each CID, you have access to all of the features that your roles allow.
+  API Scopes
+  The following API scopes are required:
+  User Management | Read & Write
+---
+
+# crowdstrike_user_role_assignments (Resource)
+
+This resource manages user roles for an existing CrowdStrike userUser roles determine what a user can see and do in the Falcon console. Every Falcon user is required to have at least one role, which is assigned when a user account is created.
+User roles are granted at the CID level, and you can have different roles in each CID you're associated with. In each CID, you have access to all of the features that your roles allow.
+
+## API Scopes
+
+The following API scopes are required:
+
+- User Management | Read & Write
+
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `assigned_role_ids` (Set of String) Roles to assign to the user. All available for a cid can be retrieved with the `crowdstrike_user_roles` data source
+
+### Optional
+
+- `cid` (String) The CrowdStrike Customer ID (CID) where the existing user resides. If not specified, the CID associated with the provider credentials will be used.
+- `skip_revoke_on_destroy` (Boolean) Retain user permissions upon resource deletion, bypassing the default revocation process
+- `uid` (String) The user's email address, which serves as their username. Either uid or uuid must be provided to find an existing user.
+- `uuid` (String) Unique identifier assigned to the user by CrowdStrike. Either uid or uuid must be provided to find an existing user.
diff --git a/examples/data-sources/crowdstrike_user_data_source/data-source.tf b/examples/data-sources/crowdstrike_user_data_source/data-source.tf
@@ -0,0 +1,32 @@
+terraform {
+  required_providers {
+    crowdstrike = {
+      source = "registry.terraform.io/crowdstrike/crowdstrike"
+    }
+  }
+}
+
+provider "crowdstrike" {
+  cloud = "us-2"
+}
+
+
+data "crowdstrike_user" "example" {
+  uuid = "2db50655-9b58-4d63-9ddd-3edd6499f087"
+}
+
+output "user_data_source_uuid" {
+  value = data.crowdstrike_user.example.uuid
+}
+output "user_data_source_uid" {
+  value = data.crowdstrike_user.example.uid
+}
+output "user_data_source_cid" {
+  value = data.crowdstrike_user.example.cid
+}
+output "user_data_source_first_name" {
+  value = data.crowdstrike_user.example.first_name
+}
+output "user_data_source_last_name" {
+  value = data.crowdstrike_user.example.last_name
+}
diff --git a/examples/data-sources/crowdstrike_user_roles_data_source/data-source.tf b/examples/data-sources/crowdstrike_user_roles_data_source/data-source.tf
@@ -0,0 +1,19 @@
+terraform {
+  required_providers {
+    crowdstrike = {
+      source = "registry.terraform.io/crowdstrike/crowdstrike"
+    }
+  }
+}
+
+provider "crowdstrike" {
+  cloud = "us-2"
+}
+
+
+data "crowdstrike_user_roles" "all" {}
+
+# Filter all roles that contain read or guest
+output "user_data_source" {
+  value = [for role in data.crowdstrike_user_roles.all.role_ids : role if can(regex("(read|guest)", role))]
+}
diff --git a/examples/resources/crowdstrike_user/import.sh b/examples/resources/crowdstrike_user/import.sh
@@ -0,0 +1,5 @@
+# User can be imported by specifying the UUID.
+# The UUID can be found in the URL of the user's profile page within the Falcon UI via the query string.
+# Example:
+# https://falcon.crowdstrike.com/users-v2/?id=683adeb9-100a-43e6-8968-b2934ebe6a8b
+terraform import crowdstrike_user.example 683adeb9-100a-43e6-8968-b2934ebe6a8b
diff --git a/examples/resources/crowdstrike_user/resource.tf b/examples/resources/crowdstrike_user/resource.tf
@@ -0,0 +1,35 @@
+terraform {
+  required_providers {
+    crowdstrike = {
+      source = "registry.terraform.io/crowdstrike/crowdstrike"
+    }
+  }
+}
+
+provider "crowdstrike" {
+  cloud = "us-2"
+}
+
+
+resource "crowdstrike_user" "example" {
+  uid        = "[email protected]"
+  first_name = "FirstName"
+  last_name  = "LastName"
+  cid        = "ABCDEF0123456789ABCDEF0123456789"
+}
+
+output "user_uuid" {
+  value = crowdstrike_user.example.uuid
+}
+output "user_uid" {
+  value = crowdstrike_user.example.uid
+}
+output "user_cid" {
+  value = crowdstrike_user.example.cid
+}
+output "user_first_name" {
+  value = crowdstrike_user.example.first_name
+}
+output "user_last_name" {
+  value = crowdstrike_user.example.last_name
+}
diff --git a/examples/resources/crowdstrike_user_role_assignment/import.sh b/examples/resources/crowdstrike_user_role_assignment/import.sh
@@ -0,0 +1,2 @@
+# Import existing User Role Assignment by specifying the user's UUID followed by their assigned roles, separated by commas
+terraform import crowdstrike_user_role_assignments.example "2db50655-9b58-4d63-9ddd-3edd6499f087,falcon_console_guest,image_viewer"
diff --git a/examples/resources/crowdstrike_user_role_assignment/resource.tf b/examples/resources/crowdstrike_user_role_assignment/resource.tf
@@ -0,0 +1,35 @@
+terraform {
+  required_providers {
+    crowdstrike = {
+      source = "registry.terraform.io/crowdstrike/crowdstrike"
+    }
+  }
+}
+
+provider "crowdstrike" {
+  cloud = "us-2"
+}
+
+locals {
+  // Get all read and guest roles
+  read_guest_roles = [for role in data.crowdstrike_user_roles.all.role_ids : role if can(regex("(read|guest)", role))]
+}
+
+data "crowdstrike_user_roles" "all" {}
+
+resource "crowdstrike_user" "example" {
+  uid        = "[email protected]"
+  first_name = "FirstName"
+  last_name  = "LastName"
+  cid        = "ABCDEF0123456789ABCDEF0123456789"
+}
+
+resource "crowdstrike_user_role_assignments" "example" {
+  uuid              = crowdstrike_user.example.uuid
+  assigned_role_ids = local.read_guest_roles
+  depends_on        = [crowdstrike_user.example]
+}
+
+output "user_role_assignments" {
+  value = crowdstrike_user_role_grant.example
+}
diff --git a/internal/acctest/acctest.go b/internal/acctest/acctest.go
@@ -1,12 +1,16 @@
 package acctest
 
 import (
+	"net/http"
 	"os"
 	"testing"
 
+	"github.com/crowdstrike/gofalcon/falcon"
+	"github.com/crowdstrike/gofalcon/falcon/client"
 	"github.com/crowdstrike/terraform-provider-crowdstrike/internal/provider"
 	"github.com/hashicorp/terraform-plugin-framework/providerserver"
 	"github.com/hashicorp/terraform-plugin-go/tfprotov6"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/logging"
 )
 
 const (
@@ -47,3 +51,32 @@ func PreCheck(t *testing.T, optionalEnvVars ...OptionalEnvVar) {
 		}
 	}
 }
+
+func FalconTestClient(t *testing.T) *client.CrowdStrikeAPISpecification {
+	cloud := os.Getenv("FALCON_CLOUD")
+	clientId := os.Getenv("FALCON_CLIENT_ID")
+	clientSecret := os.Getenv("FALCON_CLIENT_SECRET")
+
+	if cloud == "" {
+		cloud = "autodiscover"
+	}
+
+	apiConfig := falcon.ApiConfig{
+		Cloud:             falcon.Cloud(cloud),
+		ClientId:          clientId,
+		ClientSecret:      clientSecret,
+		UserAgentOverride: "terraform-provider-crowdstrike/test",
+		Context:           t.Context(),
+		HostOverride:      os.Getenv("HOST_OVERRIDE"),
+		TransportDecorator: falcon.TransportDecorator(func(r http.RoundTripper) http.RoundTripper {
+			return logging.NewLoggingHTTPTransport(r)
+		}),
+	}
+
+	client, err := falcon.NewClient(&apiConfig)
+	if err != nil {
+		t.Fatalf("Unable to create falcon client: %s", err)
+	}
+
+	return client
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# Import existing User Role Assignment by specifying the user's UUID followed by their assigned roles, separated by commas
		terraform import crowdstrike_user_role_assignments.example "2db50655-9b58-4d63-9ddd-3edd6499f087,falcon_console_guest,image_viewer"