[Feature Request] Authoritative repository access management

[eriksw]

Currently, there appears to be no way to authoritatively manage repository permissions using the GitHub terraform provider.

My use case is that there are repositories that have been created over the years, that have been imported into management by terraform, but these repositories have miscellaneous grants of read/admin/write permissions to arbitrary teams and users. (Most commonly, 'admin' to the user that initially created the repo, but there's also cases like read access being granted to a contract pentester that nobody remembered to revoke, etc...)

github_team_repository and github_repository_collaborator exist, but they are only additive: the absence of a resource setting the access for a team/user will not remove that user's access.

It would be great if there was an equivalent to google_project_iam_policy — something where I can declare what users and teams should have what levels of access, and that upon apply will remove all other access.

[j-martin]

In case it may help somebody we ended with this hack on top of a hack.

locals {
  members = toset([
    "userA",
  ])

  owners = toset([
    "userB",
  ])

  all_members       = setunion(local.owners, local.members)
  existing_members  = toset(data.github_organization.main.members)
  unmanaged_members = setsubtract(local.existing_members, local.all_members)
}

data "github_organization" "main" {
  name = "<your-org>"
}

resource "github_membership" "main" {
  for_each = setunion(local.members, local.owners)
  username = each.value
  role     = contains(local.owners, each.value) ? "admin" : "member"
}

// The GitHub provider is not authoritative for the members of the organization
// and Terraform does not support raising exceptions so we have to hack this check.
// https://github.com/integrations/terraform-provider-github/issues/395
// https://github.com/hashicorp/terraform/issues/15469#issuecomment-814789329

resource "github_membership" "unmanaged_members_this_should_be_empty" {
  for_each = local.unmanaged_members
  username = each.value
  role     = "member"
}

resource "null_resource" "unmanaged_members" {
  count = length(local.unmanaged_members) == 0 ? 0 : "There are members who are not managed by Terraform. Comment out this resource to find who. The last one will surprise you!"
}

It can be refatored/modified into a module to manage team memberships.

[maroux]

Just opened a PR for this issue, still working on tests.

[maroux]

@jcudit could someone take a look at the linked PR and let me know if this is something you'd be open to merging?

[maroux]

cc @kfcampbell maybe?

The PR is now complete with tests.

[eriksw]

@maroux Is your PR intended to cover team access as well, or just individual users?

What I'm hoping will eventually be part of this provider is a resource where there's one instance of that resource per repository and it covers both team and user(/collaborator) access in an authoritative manner. (Everything that's not a GitHub App and not inherited from the organization level.)

[maroux]

@eriksw both teams and individual users. Example config:

resource "github_repository_collaborators" "a_repo_collaborators" {
  repository = "our-cool-repo"

  user {
    permission = "admin"
    username  = "SomeUser"
  }
  
  team {
    permission = "pull"
    team_id = "SomeTeam"
  }
}

[github-actions]

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!

[eriksw]

Please don't close this until an authoritative resource is available.