feat: support team organization role assignment

github/config.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/google/go-github/v62/github"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/logging"
+	"github.com/octokit/go-sdk/pkg"
 	"github.com/shurcooL/githubv4"
 	"golang.org/x/oauth2"
 )
@@ -32,6 +33,7 @@ type Owner struct {
 	id             int64
 	v3client       *github.Client
 	v4client       *githubv4.Client
+	octokitClient  *pkg.Client
 	StopContext    context.Context
 	IsOrganization bool
 }
@@ -110,6 +112,31 @@ func (c *Config) NewRESTClient(client *http.Client) (*github.Client, error) {
 	return v3client, nil
 }
 
+func (c *Config) NewOctokitClient() (*pkg.Client, error) {
+
+	uv3, err := url.Parse(c.BaseURL)
+	if err != nil {
+		return nil, err
+	}
+
+	if uv3.String() != "https://api.github.com/" {
+		uv3.Path = uv3.Path + "api/v3/"
+	}
+
+	octokitClient, err := pkg.NewApiClient(
+		// pkg.WithUserAgent("my-user-agent"), // Should this be set to terraform-provider-github or similar? Doesn't look like the user-agent is set for the other clients
+		pkg.WithRequestTimeout(5*time.Second),
+		pkg.WithBaseUrl(strings.TrimSuffix(uv3.Path, "/")), // the octokit/go-sdk expects the url to not end with a "/"
+		pkg.WithTokenAuthentication(c.Token),
+	)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return octokitClient, nil
+}
+
 func (c *Config) ConfigureOwner(owner *Owner) (*Owner, error) {
 	ctx := context.Background()
 	owner.name = c.Owner
@@ -152,6 +179,11 @@ func (c *Config) Meta() (interface{}, error) {
 		return nil, err
 	}
 
+	octokitClient, err := c.NewOctokitClient()
+	if err != nil {
+		return nil, err
+	}
+
 	v4client, err := c.NewGraphQLClient(client)
 	if err != nil {
 		return nil, err
@@ -160,6 +192,7 @@ func (c *Config) Meta() (interface{}, error) {
 	var owner Owner
 	owner.v4client = v4client
 	owner.v3client = v3client
+	owner.octokitClient = octokitClient
 	owner.StopContext = context.Background()
 
 	_, err = c.ConfigureOwner(&owner)

github/provider.go

@@ -187,6 +187,7 @@ func Provider() *schema.Provider {
 			"github_team":                                                           resourceGithubTeam(),
 			"github_team_members":                                                   resourceGithubTeamMembers(),
 			"github_team_membership":                                                resourceGithubTeamMembership(),
+			"github_team_organization_role_assignment":                              resourceGithubTeamOrganizationRoleAssignment(),
 			"github_team_repository":                                                resourceGithubTeamRepository(),
 			"github_team_settings":                                                  resourceGithubTeamSettings(),
 			"github_team_sync_group_mapping":                                        resourceGithubTeamSyncGroupMapping(),

github/resource_github_team_organization_role_assignment.go

@@ -0,0 +1,197 @@
+package github
+
+import (
+	"context"
+	"log"
+	"strconv"
+
+	"github.com/google/go-github/v62/github"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	abs "github.com/microsoft/kiota-abstractions-go"
+)
+
+func resourceGithubTeamOrganizationRoleAssignment() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceGithubTeamOrganizationRoleAssignmentCreate,
+		Read:   resourceGithubTeamOrganizationRoleAssignmentRead,
+		Delete: resourceGithubTeamOrganizationRoleAssignmentDelete,
+		Importer: &schema.ResourceImporter{
+			State: func(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+				teamIdString, roleID, err := parseTwoPartID(d.Id(), "team_id", "role_id")
+				if err != nil {
+					return nil, err
+				}
+
+				teamSlug, err := getTeamSlug(teamIdString, meta)
+				if err != nil {
+					return nil, err
+				}
+
+				d.SetId(buildTwoPartID(teamSlug, roleID))
+				return []*schema.ResourceData{d}, nil
+			},
+		},
+
+		Schema: map[string]*schema.Schema{
+			"team_id": {
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "The GitHub team id or the GitHub team slug.",
+				ForceNew:    true,
+			},
+			"role_id": {
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "The GitHub Organization Role id.",
+				ForceNew:    true,
+			},
+		},
+	}
+}
+
+func newOctokitClientDefaultRequestConfig() *abs.RequestConfiguration[abs.DefaultQueryParameters] {
+	headers := abs.NewRequestHeaders()
+	_ = headers.TryAdd("Accept", "application/vnd.github.v3+json")
+	_ = headers.TryAdd("X-GitHub-Api-Version", "2022-11-28")
+
+	return &abs.RequestConfiguration[abs.DefaultQueryParameters]{
+		QueryParameters: &abs.DefaultQueryParameters{},
+		Headers:         headers,
+	}
+}
+
+func resourceGithubTeamOrganizationRoleAssignmentCreate(d *schema.ResourceData, meta interface{}) error {
+	err := checkOrganization(meta)
+	if err != nil {
+		return err
+	}
+
+	octokitClient := meta.(*Owner).octokitClient
+
+	orgName := meta.(*Owner).name
+	ctx := context.Background()
+
+	// The given team id could be an id or a slug
+	givenTeamId := d.Get("team_id").(string)
+	teamSlug, err := getTeamSlug(givenTeamId, meta)
+	if err != nil {
+		return err
+	}
+
+	roleIDString := d.Get("role_id").(string)
+	roleID, err := strconv.ParseInt(roleIDString, 10, 32)
+
+	if err != nil {
+		return err
+	}
+
+	defaultRequestConfig := newOctokitClientDefaultRequestConfig()
+	err = octokitClient.Orgs().ByOrg(orgName).OrganizationRoles().Teams().ByTeam_slug(teamSlug).ByRole_id(int32(roleID)).Put(ctx, defaultRequestConfig)
+	if err != nil {
+		return err
+	}
+
+	d.SetId(buildTwoPartID(teamSlug, roleIDString))
+	return resourceGithubTeamOrganizationRoleAssignmentRead(d, meta)
+}
+
+func resourceGithubTeamOrganizationRoleAssignmentRead(d *schema.ResourceData, meta interface{}) error {
+	err := checkOrganization(meta)
+	if err != nil {
+		return err
+	}
+
+	restClient := meta.(*Owner).v3client
+
+	ctx := context.Background()
+	orgName := meta.(*Owner).name
+
+	teamIdString, roleIDString, err := parseTwoPartID(d.Id(), "team_id", "role_id")
+	if err != nil {
+		return err
+	}
+
+	// The given team id could be an id or a slug
+	teamSlug, err := getTeamSlug(teamIdString, meta)
+	if err != nil {
+		return err
+	}
+
+	roleID, err := strconv.ParseInt(roleIDString, 10, 32)
+	if err != nil {
+		return err
+	}
+
+	// There is no api for checking a specific team role assignment, so instead we iterate over all teams assigned to the role
+	// go-github pagination (https://github.com/google/go-github?tab=readme-ov-file#pagination)
+	options := &github.ListOptions{
+		PerPage: 100,
+	}
+	var foundTeam *github.Team
+	for {
+		teams, resp, err := restClient.Organizations.ListTeamsAssignedToOrgRole(ctx, orgName, roleID, options)
+		if err != nil {
+			return err
+		}
+
+		for _, team := range teams {
+			if team.GetSlug() == teamSlug {
+				foundTeam = team
+			}
+
+		}
+
+		if resp.NextPage == 0 {
+			break
+		}
+		options.Page = resp.NextPage
+	}
+
+	if foundTeam == nil {
+		log.Printf("[WARN] Removing team organization role association %s from state because it no longer exists in GitHub", d.Id())
+		d.SetId("")
+		return nil
+	}
+
+	return nil
+}
+
+func resourceGithubTeamOrganizationRoleAssignmentDelete(d *schema.ResourceData, meta interface{}) error {
+	err := checkOrganization(meta)
+	if err != nil {
+		return err
+	}
+
+	octokitClient := meta.(*Owner).octokitClient
+
+	orgName := meta.(*Owner).name
+	ctx := context.Background()
+
+	teamIdString, roleIDString, err := parseTwoPartID(d.Id(), "team_id", "role_id")
+	if err != nil {
+		return err
+	}
+
+	// The given team id could be an id or a slug
+	teamSlug, err := getTeamSlug(teamIdString, meta)
+	if err != nil {
+		return err
+	}
+
+	roleID, err := strconv.ParseInt(roleIDString, 10, 32)
+	if err != nil {
+		return err
+	}
+
+	if err != nil {
+		return err
+	}
+
+	defaultRequestConfig := newOctokitClientDefaultRequestConfig()
+	err = octokitClient.Orgs().ByOrg(orgName).OrganizationRoles().Teams().ByTeam_slug(teamSlug).ByRole_id(int32(roleID)).Delete(ctx, defaultRequestConfig)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}