rundeck · codydiehl · Mar 4, 2026
diff --git a/rundeck/resource_acl_policy_framework.go b/rundeck/resource_acl_policy_framework.go
@@ -36,6 +36,7 @@
 	ID     types.String `tfsdk:"id"`
 	Name   types.String `tfsdk:"name"`
 	Policy types.String `tfsdk:"policy"`
+	Project types.String `tfsdk:"project"`
 }
 
 // Metadata returns the resource type name.
@@ -66,6 +67,13 @@
 				Description: "YAML formatted ACL Policy string.",
 				Required:    true,
 			},
+			"project": schema.StringAttribute{
+				Description: "Project name for project-level ACL. If not specified, creates a system-level ACL.",
+				Optional:    true,
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.RequiresReplace(),
+				},
+			},
 		},
 	}
 }
@@ -102,12 +110,25 @@
 	client := r.clients.V1
 	name := plan.Name.ValueString()
 	policy := plan.Policy.ValueString()
+	project := plan.Project.ValueStringPointer()
 
 	request := &rundeck.SystemACLPolicyCreateRequest{
 		Contents: &policy,
 	}
 
-	response, err := client.SystemACLPolicyCreate(ctx, name, request)
+	var response *rundeck.SetObject
+	var err error
+	if project != nil {
+		// Project-level ACL
+		projectResponse, projectErr := client.ProjectACLPolicyCreate(ctx, *project, name, request)
+		response = &projectResponse
+		err = projectErr
+	} else {
+		// System-level ACL
+		systemResponse, systemErr := client.SystemACLPolicyCreate(ctx, name, request)
+		response = &systemResponse
+		err = systemErr
+	}
 	if err != nil {
 		resp.Diagnostics.AddError(
 			"Error creating ACL policy",
@@ -144,8 +165,21 @@
 	// Get ACL policy from Rundeck
 	client := r.clients.V1
 	name := state.ID.ValueString()
-
-	response, err := client.SystemACLPolicyGet(ctx, name)
+	project := state.Project.ValueStringPointer()
+
+	var response *rundeck.ACLPolicyResponse
+	var err error
+	if project != nil {
+		// Project-level ACL
+		projectResponse, projectErr := client.ProjectACLPolicyGet(ctx, *project, name)
+		response = &projectResponse
+		err = projectErr
+	} else {
+		// System-level ACL
+		systemResponse, systemErr := client.SystemACLPolicyGet(ctx, name)
+		response = &systemResponse
+		err = systemErr
+	}
 	if err != nil {
 		resp.Diagnostics.AddError(
 			"Error reading ACL policy",
@@ -183,12 +217,20 @@
 	client := r.clients.V1
 	name := plan.Name.ValueString()
 	policy := plan.Policy.ValueString()
+	project := plan.Project.ValueStringPointer()
 
 	request := &rundeck.SystemACLPolicyUpdateRequest{
 		Contents: &policy,
 	}
 
-	_, err := client.SystemACLPolicyUpdate(ctx, name, request)
+	var err error
+	if project != nil {
+		// Project-level ACL
+		_, err = client.ProjectACLPolicyUpdate(ctx, *project, name, request)
+	} else {
+		// System-level ACL
+		_, err = client.SystemACLPolicyUpdate(ctx, name, request)
+	}
 	if err != nil {
 		resp.Diagnostics.AddError(
 			"Error updating ACL policy",
@@ -217,8 +259,16 @@
 	// Delete ACL policy
 	client := r.clients.V1
 	name := state.ID.ValueString()
-
-	_, err := client.SystemACLPolicyDelete(ctx, name)
+	project := state.Project.ValueStringPointer()
+
+	var err error
+	if project != nil {
+		// Project-level ACL
+		_, err = client.ProjectACLPolicyDelete(ctx, *project, name)
+	} else {
+		// System-level ACL
+		_, err = client.SystemACLPolicyDelete(ctx, name)
+	}
 	if err != nil {
 		resp.Diagnostics.AddError(
 			"Error deleting ACL policy",

diff --git a/website/docs/r/acl_policy.md b/website/docs/r/acl_policy.md
@@ -8,23 +8,34 @@ description: |-
 
 # rundeck\_acl_policy
 
-Control access to your automation infrastructure. ACL policies define fine-grained permissions for users and groups across projects, jobs, nodes, and key storage. Managing policies as code ensures security is reviewed, versioned, and consistently applied.
+Control access to your automation infrastructure. ACL policies define fine-grained permissions for users and groups across projects, jobs, nodes, and key storage. Managing policies as code ensures security is reviewed, versioned, and consistently applied. The resource supports both System ACLs and Project ACLs.
 
-## Example Usage
+## Example Usage (System ACL)
 
 ```hcl
 data "local_file" "acl" {
   filename = "${path.module}/acl.yaml"
 }
 
-resource "rundeck_acl_policy" "example" {
+resource "rundeck_acl_policy" "system_acl_example" {
   name = "ExampleAcl.aclpolicy"
 
   policy = "${data.local_file.acl.content}"
 }
 ```
 
-Note that the above configuration assumes the existence of an ``acl.yaml`` file in the
+## Example Usage (Project ACL)
+```hcl
+data "local_file" "acl" {
+  filename = "${path.module}/acl.yaml"
+}
+resource "rundeck_acl_policy" "project_acl_example" {
+  name    = "ExampleAcl.aclpolicy"
+  project = "example-project"
+  policy = "${data.local_file.acl.content}"
+}
+```
+Note that the above examples assumes the existence of an ``acl.yaml`` file in the
 project directory. This resource passes the raw YAML policy string to Rundeck which stores
 and returns it as-is. A future ``acl_policy_document`` data source is planned to allow defining
 the policy in terraform configuration.
@@ -37,9 +48,10 @@ The following arguments are supported:
 
 * `policy` - (Required) The name of the job, used to describe the job in the Rundeck UI.
 
-> Note: This example uses an ACL Policy file stored at the current working directory named `acl.yaml`.  Valid contents for that file are shown below.
+* `project` - (Optional) The name of the project to define the project ACL under. If this is not provided the ACL will be a system level ACL policy.
+> Note: These examples use an ACL Policy file stored at the current working directory named `acl.yaml`.  Valid contents for that file are shown below.
 
-```
+```yaml
 by:
   group: terraform
 description: Allow terraform Key Storage Access