From 77fcda80e2621a3de82e8365a01c1a436cfa6da5 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Thu, 8 Aug 2024 19:07:09 +0900 Subject: [PATCH] Support security manager teams for org-organization --- modules/org-organization/README.md | 8 ++++++-- modules/org-organization/main.tf | 11 +++++++++++ modules/org-organization/outputs.tf | 21 +++++++++++++++++---- modules/org-organization/variables.tf | 11 +++++++++++ 4 files changed, 45 insertions(+), 6 deletions(-) diff --git a/modules/org-organization/README.md b/modules/org-organization/README.md index 44eb829..b2da97d 100644 --- a/modules/org-organization/README.md +++ b/modules/org-organization/README.md @@ -4,6 +4,7 @@ This module creates following resources. - `github_membership` (optional) - `github_organization_block` (optional) +- `github_organization_security_manager` (optional) ## Requirements @@ -17,7 +18,7 @@ This module creates following resources. | Name | Version | |------|---------| -| [github](#provider\_github) | 6.2.2 | +| [github](#provider\_github) | 6.2.3 | ## Modules @@ -29,6 +30,7 @@ No modules. |------|------| | [github_membership.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/membership) | resource | | [github_organization_block.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/organization_block) | resource | +| [github_organization_security_manager.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/organization_security_manager) | resource | | [github_organization.after](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/organization) | data source | | [github_organization.this](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/organization) | data source | 
@@ -40,12 +42,12 @@ No modules. | [blocked\_users](#input\_blocked\_users) | (Optional) A list of usernames to block from organization. | `set(string)` | `[]` | no | | [members](#input\_members) | (Optional) A list of usernames to add users as `member` role. When applied, an invitation will be sent to the user to become a member of the organization. | `set(string)` | `[]` | no | | [owners](#input\_owners) | (Optional) A list of usernames to add users as `admin` role. When applied, an invitation will be sent to the user to become an owner of the organization. | `set(string)` | `[]` | no | +| [security\_manager\_teams](#input\_security\_manager\_teams) | (Optional) A list of team slugs to add as security manager teams. Grant a team permission to manage security alerts and settings across the organization. This team will also be granted read access to all repositories. | `set(string)` | `[]` | no | ## Outputs | Name | Description | |------|-------------| -| [all\_members](#output\_all\_members) | A list of all members of the organization. | | [blocked\_users](#output\_blocked\_users) | A list of blocked usernames from organization. | | [description](#output\_description) | The description of the organization. | | [display\_name](#output\_display\_name) | The display name of the organization. | @@ -55,4 +57,6 @@ No modules. | [owners](#output\_owners) | A list of the owners of the organization. | | [plan](#output\_plan) | The billing plan of the organization. | | [repositories](#output\_repositories) | A list of the repositories of the organization. | +| [security\_manager\_teams](#output\_security\_manager\_teams) | A list of team slugs to add as security manager teams. | +| [users](#output\_users) | A list of all members of the organization. | diff --git a/modules/org-organization/main.tf b/modules/org-organization/main.tf index 8015d36..958918f 100644 --- a/modules/org-organization/main.tf +++ b/modules/org-organization/main.tf 
@@ -51,3 +51,14 @@ resource "github_organization_block" "this" { username = each.key } + + +################################################### +# Seucrity Manager Teams for GitHub Organization +################################################### + +resource "github_organization_security_manager" "this" { + for_each = toset(var.security_manager_teams) + + team_slug = each.key +} diff --git a/modules/org-organization/outputs.tf b/modules/org-organization/outputs.tf index 3d36f99..855f39d 100644 --- a/modules/org-organization/outputs.tf +++ b/modules/org-organization/outputs.tf @@ -25,17 +25,25 @@ output "plan" { output "owners" { description = "A list of the owners of the organization." - value = var.owners + value = [ + for user in data.github_organization.after.users : + user.login + if user.role == "ADMIN" + ] } output "members" { description = "A list of the members of the organization." - value = var.members + value = [ + for user in data.github_organization.after.users : + user.login + if user.role == "MEMBER" + ] } -output "all_members" { +output "users" { description = "A list of all members of the organization." - value = data.github_organization.after.members + value = data.github_organization.after.users } output "repositories" { @@ -47,3 +55,8 @@ output "blocked_users" { description = "A list of blocked usernames from organization." value = var.blocked_users } + +output "security_manager_teams" { + description = "A list of team slugs to add as security manager teams." + value = keys(github_organization_security_manager.this) +} diff --git a/modules/org-organization/variables.tf b/modules/org-organization/variables.tf index 66ea54a..f9a39ad 100644 --- a/modules/org-organization/variables.tf +++ b/modules/org-organization/variables.tf 
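Review bot: The banner comment above the new resource misspells its subject; it should read `# Security Manager Teams for GitHub Organization`. The `toset()` wrapper in `for_each = toset(var.security_manager_teams)` is redundant because the variable is declared as `set(string)` in variables.tf, so `for_each = var.security_manager_teams` is equivalent and reads more directly. Because each team listed here is granted organization-wide security management and, per the variable description, read access to every repository, a one-line comment on the resource stating that would help anyone later reviewing changes to this list, e.g. `# Each team here gains org-wide security-alert management and read access to all repositories.`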
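Review bot: Renaming the `all_members` output to `users` drops an output name that existing callers may reference as `module.<name>.all_members`, and the commit keeps no compatibility alias; consider retaining `output "all_members"` with the same value and a description marking it deprecated until the next major version. The `owners` and `members` outputs now derive from `data.github_organization.after` filtered on `user.role == "ADMIN"` / `"MEMBER"` instead of echoing the module inputs, so they presumably list accepted memberships only (including ones not managed by this module) and omit still-pending invitations; that difference is worth stating, e.g. `description = "A list of the current owners of the organization (accepted memberships, including ones not managed by this module)."`. The `users` output returns the full user objects rather than logins; if that attribute carries e-mail addresses as the provider documents, say so in the description so consumers know they are exposing more than a login list. The `data.github_organization.after` block is declared outside this hunk.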
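Review bot: The description of the new `security_manager_teams` output repeats the input variable's wording ("to add as security manager teams") rather than describing the output, and since the value is `keys(github_organization_security_manager.this)` it lists only the teams this module manages, not every security manager team present in the organization. Suggest `description = "A list of team slugs granted the security manager role by this module."`.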
@@ -1,22 +1,33 @@
 variable "name" {
 description = "(Required) The name of the organization."
 type = string
+ nullable = false
 }
 
 variable "owners" {
 description = "(Optional) A list of usernames to add users as `admin` role. When applied, an invitation will be sent to the user to become an owner of the organization."
 type = set(string)
 default = []
+ nullable = false
 }
 
 variable "members" {
 description = "(Optional) A list of usernames to add users as `member` role. When applied, an invitation will be sent to the user to become a member of the organization."
 type = set(string)
 default = []
+ nullable = false
 }
 
 variable "blocked_users" {
 description = "(Optional) A list of usernames to block from organization."
 type = set(string)
 default = []
+ nullable = false
+}
+
+variable "security_manager_teams" {
+ description = "(Optional) A list of team slugs to add as security manager teams. Grant a team permission to manage security alerts and settings across the organization. This team will also be granted read access to all repositories."
+ type = set(string)
+ default = []
+ nullable = false
 }
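Review bot: The new `security_manager_teams` variable has no `validation` block, so an empty or whitespace-only slug in the set would presumably only be rejected by the provider at apply time; a plan-time check catches it earlier. The description also switches into the imperative mid-way (`Grant a team permission ...`); suggest ending it with `Each listed team is granted permission to manage security alerts and settings across the organization and read access to all repositories.` so it is clear the grant applies to every entry. The `nullable = false` additions on the existing variables are consistent with the new variable and look fine.
```hcl
variable "security_manager_teams" {
  # … unchanged: description, type, default, nullable …

  validation {
    condition     = alltrue([for slug in var.security_manager_teams : length(trimspace(slug)) > 0])
    error_message = "Each security manager team slug must be a non-empty string."
  }
}
```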