search

pulumi / pulumi-github

A Pulumi package to facilitate interacting with GitHub
Apache License 2.0
58 stars 10 forks source link

TeamMembers resource pulls in members from sub teams. #733

Closed MitchellGerdisch closed 2 weeks ago

MitchellGerdisch commented 1 month ago

Describe what happened

This is directly related to terraform issue, https://github.com/integrations/terraform-provider-github/issues/2004

In a nutshell if one has a team that has members as well as sub team(s) with members, then when you import the upper level team, the resource's members property is populated not only with members in the specified team but also the members from the subteam(s). Similarly, even if you modify the resource to remove the subteam members, the update brings back the subteam members.

Although there is the TeamMembership resource where individual members can be managed and thus work-around this flaw with TeamMembers, using TeamMembership results in lots and lots of resources and thus increases the RHUM charges.

So, I wanted to create this issue in Pulumi for a couple of reasons:

Sample program

None

Log output

No response

Affected Resource(s)

No response

Output of pulumi about

[edit] Unavailable. Note: when this issue was originally opened, it was thought that v6.2.3 of the provider was being used. This is not the case - a pre-6.2.3 version was being used. See closed issue comment below. [edit]

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

mjeffryes commented 1 month ago

Based on the discussion on the upstream ticket, it sounds like this behavior is kind of "by-design", because that's what the Github API itself does. (The github UI seems to reflect this limitation too: there's no view that shows just the members of a team that are not a member of a sub-team.)

Given that behavior, I'd be very hesitant to do anything to modify the behavior of this resource. The best solution I can think of at the moment, would be to add a resource that pulls the membership of the team and all the subteams, and then calculates the members that are not part of any subteam on the client.

Edit: it sounds like maybe the graphql API makes a distinction that the rest API does not, so it would be possible to base a new resource on that instead.

Sample query:

query  {
  viewer {
    organization(login:"pulumi") {
      teams(first:100) {
            nodes {
          name
          members(first: 10){
            nodes {
              login
            }
          }
          childTeams(first: 10){
            nodes{
              name
            }
          }
        }
      }
    }
  }
}
MitchellGerdisch commented 2 weeks ago

It appears that version 6.2.3 of the provider does in fact address this issue and works as expected and only the users identified are imported. So, closing the issue.