Terraform - GitHub Provider | scalable methods in managing organizations

Question

I'm trying to manage GitHub Enterprise with 200+ organizations using Terraform. Here's what I've achieved so far:

I've used the GitHub Provider (integrations/github) in Terraform to create/modify 10+ organizations by creating a custom organizations module.

The module I built does as follows:

The variables will get the teams configuration:

variable "team-configuration" {
  description = "Define the GitHub Teams organization configuration."
  type = map(object({
    entraid-group-name  = string
    gh-team-name        = string
    gh-team-description = optional(string, null)
    gh-team-privacy     = optional(string, "secret")
    gh-team-parent_id   = optional(string, null)
    gh-team-ldap-dn     = optional(string, null)
  }))
}

I created a local to loop the entraid-group-name as every key will be different value:

locals {
  ## Following local will iterate with the value entered in variable -> `team-configuration` and get the value entered to `entraid-group-name`.
  target_groups = {
    for k, v in var.team-configuration : k => {
      group_id = [for g in data.github_external_groups.idp-groups.external_groups : g.group_id if g.group_name == v.entraid-group-name][0]
    }
  }
}

Which ensured the data is validated from the following data block:

data "github_external_groups" "idp-groups" {}

It will then apply to the following resource mapping:

resource "github_emu_group_mapping" "map-team-with-idp" {
  for_each  = var.team-configuration

  team_slug = github_team.org-teams[each.key].slug
  group_id  = local.target_groups[each.key].group_id
}

followed by creating the github teams:

resource "github_team" "org-teams" {
  for_each    = var.team-configuration

  name        = each.value.gh-team-name
  description = each.value.gh-team-description
  privacy     = each.value.gh-team-privacy
}

That is the module done and how it works

---

Calling the module:

module "gh-teams" {
  source = "../modules/gh_teams"

  team-configuration = var.team-configuration
}

will eventually building the module successfully.

  # module.gh-teams.github_emu_group_mapping.map-team-with-idp["this"] will be created
  + resource "github_emu_group_mapping" "map-team-with-idp" {
      + etag      = (known after apply)
      + group_id  = 1234
      + id        = (known after apply)
      + team_slug = (known after apply)
    }

  # module.gh-teams.github_team.org-teams["this"] will be created
  + resource "github_team" "org-teams" {
      + create_default_maintainer = false
      + etag                      = (known after apply)
      + id                        = (known after apply)
      + members_count             = (known after apply)
      + name                      = "xyz"
      + node_id                   = (known after apply)
      + privacy                   = "secret"
      + slug                      = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

while I am pointing to the following organization in provider:

provider "github" {
  token = var.GITHUB_TOKEN
  owner = "x-org"
}

---

Help needed:

I want to provision Teams in multiple GitHub Organizations with the smoothest way possible and single state file as possible.

I tried alias method, but it doesn't seem to be very feasible, because I have to create more modules.

provider "github" {
  token = var.GITHUB_TOKEN
  alias = "this"
  owner = "x-org"
}

I tried using for_each in providers in both Terraform and Tofu, and both have returned with the error. The provider argument name "for_each" is reserved for use by Terraform/OpenTofu in a future version.

provider "github" {
  for_each = toset(var.orgs)
  token = var.GITHUB_TOKEN
  owner = each.key
}

Also to note that Tofu doesn't acknowledge my token as organization.

Any recommendations, so I can provision GitHub Organization Teams to specific Organization without all of them having applied the same configuration?

Terraform - GitHub Provider | scalable methods in managing organizations

Answers (1)

Related Questions