Support membership sync for org-team

tedilabs · Aug 27, 2024 · c6fbc17 · c6fbc17
1 parent 81c007a
commit c6fbc17
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 33 deletions.
diff --git a/modules/org-team/README.md b/modules/org-team/README.md
@@ -5,6 +5,7 @@ This module creates following resources.
 - `github_team`
 - `github_team_settings`
 - `github_team_sync_group_mapping`
+- `github_team_members` (optional)
 - `github_team_membership` (optional)
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -30,6 +31,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [github_team.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/team) | resource |
+| [github_team_members.some_team_members](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/team_members) | resource |
 | [github_team_membership.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/team_membership) | resource |
 | [github_team_settings.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/team_settings) | resource |
 | [github_team_sync_group_mapping.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/team_sync_group_mapping) | resource |
@@ -48,6 +50,7 @@ No modules.
 | <a name="input_ldap_group_dn"></a> [ldap\_group\_dn](#input\_ldap\_group\_dn) | (Optional) The LDAP Distinguished Name of the group where membership will be synchronized. Only available in GitHub Enterprise Server. | `string` | `null` | no |
 | <a name="input_maintainers"></a> [maintainers](#input\_maintainers) | (Optional) A list of usernames to add users as `maintainer` role. When applied, the user will become a maintainer of the team. | `set(string)` | `[]` | no |
 | <a name="input_members"></a> [members](#input\_members) | (Optional) A list of usernames to add users as `member` role. When applied, the user will become a member of the team. | `set(string)` | `[]` | no |
+| <a name="input_membership_sync_enabled"></a> [membership\_sync\_enabled](#input\_membership\_sync\_enabled) | (Optional) Whether to sync the members of the team. Members added outside of the Terraform code will be removed. Defaults to `false`. | `bool` | `false` | no |
 | <a name="input_parent_id"></a> [parent\_id](#input\_parent\_id) | (Optional) The ID of the parent team, if this is a nested team. | `string` | `null` | no |
 
 ## Outputs

diff --git a/modules/org-team/main.tf b/modules/org-team/main.tf
@@ -1,20 +1,3 @@
-locals {
-  members = [
-    for member in var.members : {
-      username = member
-      role     = "member"
-    }
-  ]
-  maintainers = [
-    for maintainer in var.maintainers : {
-      username = maintainer
-      role     = "maintainer"
-    }
-  ]
-  membership = concat(local.members, local.maintainers)
-}
-
-
 ###################################################
 # GitHub Organization Team
 ###################################################
@@ -68,19 +51,3 @@ resource "github_team_sync_group_mapping" "this" {
     }
   }
 }
-
-
-###################################################
-# Membership of GitHub Organization Team
-###################################################
-
-resource "github_team_membership" "this" {
-  for_each = {
-    for member in local.membership :
-    member.username => member
-  }
-
-  team_id  = github_team.this.id
-  username = each.key
-  role     = each.value.role
-}
diff --git a/modules/org-team/membership.tf b/modules/org-team/membership.tf
@@ -0,0 +1,47 @@
+locals {
+  members = [
+    for member in var.members : {
+      username = member
+      role     = "member"
+    }
+  ]
+  maintainers = [
+    for maintainer in var.maintainers : {
+      username = maintainer
+      role     = "maintainer"
+    }
+  ]
+  membership = concat(local.members, local.maintainers)
+}
+
+
+###################################################
+# Membership of GitHub Organization Team
+###################################################
+
+resource "github_team_membership" "this" {
+  for_each = {
+    for member in(!var.membership_sync_enabled ? local.membership : []) :
+    member.username => member
+  }
+
+  team_id  = github_team.this.id
+  username = each.key
+  role     = each.value.role
+}
+
+resource "github_team_members" "some_team_members" {
+  count = var.membership_sync_enabled ? 1 : 0
+
+  team_id = github_team.this.id
+
+  dynamic "members" {
+    for_each = local.membership
+    iterator = member
+
+    content {
+      username = member.value.username
+      role     = member.value.role
+    }
+  }
+}
diff --git a/modules/org-team/variables.tf b/modules/org-team/variables.tf
@@ -51,6 +51,13 @@ variable "members" {
   nullable    = false
 }
 
+variable "membership_sync_enabled" {
+  description = "(Optional) Whether to sync the members of the team. Members added outside of the Terraform code will be removed. Defaults to `false`."
+  type        = bool
+  default     = false
+  nullable    = false
+}
+
 variable "identity_provider_team_sync" {
   description = <<EOT
   (Optional) A configuration to manage team members using your identity provider groups. `identity_provider_team_sync` block as defined below.