
[SETU-2677] Add USM cluster-level RBAC role-binding scopes to CLI #3376

Draft
Varun PV (varunpv) wants to merge 2 commits into main from vpv/SETU-2677-cluster-level-rbac-usm

Conversation

@varunpv Varun PV (varunpv) commented Jun 1, 2026

Summary

SETU-2677 Adds CLI support for cluster-level RBAC role bindings at USM Kafka and USM Connect cluster scope. This is the confluent CLI counterpart to cc-role-definitions#444 and section 4.3 of the Cluster-Level RBAC Implementation for USM 1-pager (Design C — usm-kafka-cluster and usm-connect-cluster modeled as independent sibling scopes of cloud-cluster under environment).

Changes

  • New scope flags --usm-kafka-cluster and --usm-connect-cluster on iam rbac role-binding create / list / delete (cloud login only).
  • CRN construction appends the full scope name — /usm-kafka-cluster=<id> and /usm-connect-cluster=<id> (deliberately not abbreviated like --kafka-cluster/kafka=).
  • Scope validation: the USM cluster-scoped roles (UsmKafkaClusterAdmin, UsmKafkaOperator, UsmKafkaMetricsViewer, and the UsmConnect* trio) require --environment plus their matching USM cluster flag, mirroring the existing CloudClusterAdmin / --cloud-cluster rules.
  • Cleaner list output: USM bindings render as Cluster Type = USM Kafka / USM Connect with the cluster id under Logical Cluster.
  • Examples added to create/list/delete help.

Note: --role takes the role name (e.g. UsmKafkaClusterAdmin), not the display name (UsmClusterAdmin). These roles are bindWithResource: false, so they are scope-bound and do not use --resource.

Example:

confluent iam rbac role-binding create --principal User:u-123456 \
  --role UsmKafkaClusterAdmin --environment env-123456 \
  --usm-kafka-cluster usmkc-123456

Test plan

  • go test ./internal/iam/... — unit tests for CRN construction + scope validation (parseV2BaseCrnPattern)
  • make integration-test INTEGRATION_TEST_ARGS="-run TestCLI/TestIamRbacRoleBinding" — create/list/delete against the mock server, with golden files
  • make integration-test INTEGRATION_TEST_ARGS="-run TestCLI/TestHelp" — regenerated help goldens
  • Blocked on backend: cannot be live-e2e tested against Confluent Cloud until the new scopes are recognized server-side (cc-role-definitions#444 deployed + LaunchDarkly filter enabled). Do not merge until then.

🤖 Generated with Claude Code

Support creating, listing, and deleting role bindings at USM Kafka and
USM Connect cluster scope (cloud login), backing cc-role-definitions #444
(Design C: independent usm-kafka-cluster / usm-connect-cluster binding
scopes as siblings of cloud-cluster under environment).

- Add --usm-kafka-cluster and --usm-connect-cluster scope flags to
  `iam rbac role-binding` create/list/delete.
- Construct CRN segments /usm-kafka-cluster=<id> and
  /usm-connect-cluster=<id> (full scope name, not abbreviated).
- Require --environment plus the matching USM cluster flag for the USM
  cluster-scoped roles (Usm{Kafka,Connect}{ClusterAdmin,Operator,MetricsViewer}).
- Render USM scopes cleanly in list output (Cluster Type / Logical Cluster).
- Unit tests for CRN construction and scope validation, integration tests,
  and golden files.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
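To make the two rules in the description concrete (USM cluster-scoped roles need --environment plus their matching USM cluster flag, and the CRN carries the full /usm-kafka-cluster=<id> or /usm-connect-cluster=<id> segment), here is an added, stand-alone Go sketch. It is not the confluent CLI's code and does not use its types; the scopeFlags struct, the function names, the org id placeholder and the crn://confluent.cloud/organization=<org>/environment=<env> base prefix are assumptions. The rejection of a mismatched or second sibling cluster flag is an added defensive check that the PR text does not describe.

```go
package main

import (
	"fmt"
	"strings"
)

// scopeFlags holds the scope flags named in the PR (hypothetical struct,
// not the confluent CLI's own type).
type scopeFlags struct {
	Environment       string // --environment
	CloudCluster      string // --cloud-cluster
	UsmKafkaCluster   string // --usm-kafka-cluster
	UsmConnectCluster string // --usm-connect-cluster
}

// Role sets from the PR: Usm{Kafka,Connect}{ClusterAdmin,Operator,MetricsViewer}.
var usmKafkaRoles = map[string]bool{
	"UsmKafkaClusterAdmin": true, "UsmKafkaOperator": true, "UsmKafkaMetricsViewer": true,
}
var usmConnectRoles = map[string]bool{
	"UsmConnectClusterAdmin": true, "UsmConnectOperator": true, "UsmConnectMetricsViewer": true,
}

// validateScope enforces the rule in the PR: a USM cluster-scoped role needs
// --environment plus its matching USM cluster flag, mirroring the existing
// CloudClusterAdmin / --cloud-cluster rule. Rejecting the other USM cluster
// flag on a mismatched role is an added check (assumption, not from the PR).
func validateScope(role string, f scopeFlags) error {
	switch {
	case usmKafkaRoles[role]:
		if f.Environment == "" || f.UsmKafkaCluster == "" {
			return fmt.Errorf("role %s requires --environment and --usm-kafka-cluster", role)
		}
		if f.UsmConnectCluster != "" {
			return fmt.Errorf("role %s cannot be bound with --usm-connect-cluster", role)
		}
	case usmConnectRoles[role]:
		if f.Environment == "" || f.UsmConnectCluster == "" {
			return fmt.Errorf("role %s requires --environment and --usm-connect-cluster", role)
		}
		if f.UsmKafkaCluster != "" {
			return fmt.Errorf("role %s cannot be bound with --usm-kafka-cluster", role)
		}
	case role == "CloudClusterAdmin":
		if f.Environment == "" || f.CloudCluster == "" {
			return fmt.Errorf("role %s requires --environment and --cloud-cluster", role)
		}
	}
	return nil
}

// buildScopeCrn appends the cluster scope segment to an environment-level
// base CRN. The base prefix format is an assumption; the segment names use
// the full scope name, as the PR states (not abbreviated like kafka=).
// Because the three cluster scopes are siblings under environment, more than
// one of them in a single CRN is rejected (added check, assumption).
func buildScopeCrn(orgID string, f scopeFlags) (string, error) {
	if f.Environment == "" {
		return "", fmt.Errorf("--environment is required")
	}
	var b strings.Builder
	fmt.Fprintf(&b, "crn://confluent.cloud/organization=%s/environment=%s", orgID, f.Environment)
	clusterScopes := 0
	if f.CloudCluster != "" {
		fmt.Fprintf(&b, "/cloud-cluster=%s", f.CloudCluster)
		clusterScopes++
	}
	if f.UsmKafkaCluster != "" {
		fmt.Fprintf(&b, "/usm-kafka-cluster=%s", f.UsmKafkaCluster)
		clusterScopes++
	}
	if f.UsmConnectCluster != "" {
		fmt.Fprintf(&b, "/usm-connect-cluster=%s", f.UsmConnectCluster)
		clusterScopes++
	}
	if clusterScopes > 1 {
		return "", fmt.Errorf("cluster scopes are siblings under environment; specify only one")
	}
	return b.String(), nil
}

func main() {
	// Mirrors the example command in the PR description; org id is a placeholder.
	f := scopeFlags{Environment: "env-123456", UsmKafkaCluster: "usmkc-123456"}
	if err := validateScope("UsmKafkaClusterAdmin", f); err != nil {
		fmt.Println("error:", err)
		return
	}
	crn, err := buildScopeCrn("org-placeholder", f)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(crn)
}
```

Running it prints the environment-level CRN with the /usm-kafka-cluster=usmkc-123456 segment appended; dropping --usm-kafka-cluster from the flags makes validateScope fail before any request would be built, which is the behaviour the PR's missing-usm-kafka-cluster golden files cover.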
Copilot AI review requested due to automatic review settings June 1, 2026 03:57
@confluent-cla-assistant

🎉 All Contributor License Agreements have been signed. Ready to merge.
Please push an empty commit if you would like to re-run the checks to verify CLA status for all contributors.


Copilot AI left a comment

Pull request overview

Adds CLI support and tests for USM Kafka and USM Connect cluster-level RBAC role-binding scopes in cloud mode.

Changes:

  • Adds --usm-kafka-cluster and --usm-connect-cluster scope flags for role-binding create/list/delete.
  • Builds USM CRN scope segments and validates required environment/cluster flags for USM roles.
  • Updates integration tests, test-server fixtures, and help/output goldens for USM role-binding workflows.

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated no comments.

Summary per file:

  • internal/iam/command_rbac_role_binding.go: Adds USM scope flags, role sets, CRN construction, and validation.
  • internal/iam/command_rbac_role_binding_create.go: Adds create examples for USM Kafka and Connect roles.
  • internal/iam/command_rbac_role_binding_delete.go: Adds delete example for USM Kafka role bindings.
  • internal/iam/command_rbac_role_binding_list.go: Adds list flags/example and renders USM scopes in list output.
  • internal/iam/command_rbac_role_binding_test.go: Adds unit tests for USM CRN construction and validation.
  • test/iam_test.go: Adds integration test cases for USM create/list/delete/error flows.
  • test/test-server/iam_handlers.go: Adds mock USM role bindings for integration tests.
  • test/fixtures/output/iam/rbac/role-binding/create-help.golden: Updates create help output.
  • test/fixtures/output/iam/rbac/role-binding/create-usm-kafka-cluster-admin-cloud.golden: Adds USM Kafka create output fixture.
  • test/fixtures/output/iam/rbac/role-binding/create-usm-connect-cluster-admin-cloud.golden: Adds USM Connect create output fixture.
  • test/fixtures/output/iam/rbac/role-binding/delete-help.golden: Updates delete help output.
  • test/fixtures/output/iam/rbac/role-binding/delete-missing-role-cloud.golden: Updates delete error/help fixture.
  • test/fixtures/output/iam/rbac/role-binding/delete-usm-kafka-cluster-admin-cloud.golden: Adds USM Kafka delete output fixture.
  • test/fixtures/output/iam/rbac/role-binding/list-help.golden: Updates list help output.
  • test/fixtures/output/iam/rbac/role-binding/list-failure-help-cloud.golden: Updates list failure help fixture.
  • test/fixtures/output/iam/rbac/role-binding/list-usm-kafka-cluster-admin-cloud.golden: Adds USM Kafka role list fixture.
  • test/fixtures/output/iam/rbac/role-binding/list-user-usm-kafka-cloud.golden: Adds USM Kafka principal list fixture.
  • test/fixtures/output/iam/rbac/role-binding/list-user-usm-connect-cloud.golden: Adds USM Connect principal list fixture.
  • test/fixtures/output/iam/rbac/role-binding/missing-usm-kafka-cluster-cloud.golden: Adds missing USM Kafka cluster error fixture.
  • test/fixtures/output/iam/rbac/role-binding/missing-usm-connect-cluster-cloud.golden: Adds missing USM Connect cluster error fixture.


`make lint-cli` rejected the new --usm-kafka-cluster / --usm-connect-cluster
flag names because "usm" is not a dictionary word. Add it to vocabWords,
alongside other Confluent acronyms (ksql, rbac, etc.).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@sonarqube-confluent
