integrations · kfcampbell · Jun 26, 2023 · May 25, 2023 · May 26, 2023 · May 26, 2023
diff --git a/github/data_source_github_organization_custom_role.go b/github/data_source_github_organization_custom_role.go
@@ -0,0 +1,78 @@
+package github
+
+import (
+	"context"
+	"fmt"
+	"log"
+
+	"github.com/google/go-github/v53/github"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+)
+
+func dataSourceGithubOrganizationCustomRole() *schema.Resource {
+	return &schema.Resource{
+		Read: dataSourceGithubOrganizationCustomRoleRead,
+
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"base_role": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"permissions": {
+				Type:     schema.TypeSet,
+				Computed: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
+			"description": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+		},
+	}
+}
+
+func dataSourceGithubOrganizationCustomRoleRead(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*Owner).v3client
+	ctx := context.Background()
+	orgName := meta.(*Owner).name
+
+	err := checkOrganization(meta)
+	if err != nil {
+		return err
+	}
+
+	// ListCustomRepoRoles returns a list of all custom repository roles for an organization.
+	// There is an API endpoint for getting a single custom repository role, but is not
+	// implemented in the go-github library.
+	roleList, _, err := client.Organizations.ListCustomRepoRoles(ctx, orgName)
+	if err != nil {
+		return fmt.Errorf("error querying GitHub custom repository roles %s: %s", orgName, err)
+	}
+
+	var role *github.CustomRepoRoles
+	for _, r := range roleList.CustomRepoRoles {
+		if fmt.Sprint(*r.Name) == d.Get("name").(string) {
+			role = r
+			break
+		}
+	}
+
+	if role == nil {
+		log.Printf("[WARN] GitHub custom repository role (%s) not found.", d.Get("name").(string))
+		d.SetId("")
+		return nil
+	}
+
+	d.SetId(fmt.Sprint(*role.ID))
+	d.Set("name", role.Name)
+	d.Set("description", role.Description)
+	d.Set("base_role", role.BaseRole)
+	d.Set("permissions", role.Permissions)
+
+	return nil
+}
diff --git a/github/data_source_github_organization_custom_role_test.go b/github/data_source_github_organization_custom_role_test.go
@@ -0,0 +1,85 @@
+package github
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+)
+
+func TestAccGithubOrganizationCustomRoleDataSource(t *testing.T) {
+
+	t.Run("queries a custom repo role", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+
+		config := fmt.Sprintf(`
+			resource "github_organization_custom_role" "test" {
+				name        = "tf-acc-test-%s"
+				description = "Test role description"
+				base_role   = "read"
+				permissions = [
+					"reopen_issue",
+					"reopen_pull_request",
+				]
+			}
+		`, randomID)
+
+		config2 := config + `
+			data "github_organization_custom_role" "test" {
+				name = github_organization_custom_role.test.name
+			}
+		`
+
+		check := resource.ComposeTestCheckFunc(
+			resource.TestCheckResourceAttrSet(
+				"data.github_organization_custom_role.test", "name",
+			),
+			resource.TestCheckResourceAttr(
+				"data.github_organization_custom_role.test", "name",
+				fmt.Sprintf(`tf-acc-test-%s`, randomID),
+			),
+			resource.TestCheckResourceAttr(
+				"data.github_organization_custom_role.test", "description",
+				"Test role description",
+			),
+			resource.TestCheckResourceAttr(
+				"data.github_organization_custom_role.test", "base_role",
+				"read",
+			),
+			resource.TestCheckResourceAttr(
+				"data.github_organization_custom_role.test", "permissions.#",
+				"2",
+			),
+		)
+
+		testCase := func(t *testing.T, mode string) {
+			resource.Test(t, resource.TestCase{
+				PreCheck:  func() { skipUnlessMode(t, mode) },
+				Providers: testAccProviders,
+				Steps: []resource.TestStep{
+					{
+						Config: config,
+						Check:  resource.ComposeTestCheckFunc(),
+					},
+					{
+						Config: config2,
+						Check:  check,
+					},
+				},
+			})
+		}
+
+		t.Run("with an anonymous account", func(t *testing.T) {
+			t.Skip("anonymous account not supported for this operation")
+		})
+
+		t.Run("with an individual account", func(t *testing.T) {
+			t.Skip("individual account not supported for this operation")
+		})
+
+		t.Run("with an organization account", func(t *testing.T) {
+			testCase(t, organization)
+		})
+	})
+}
diff --git a/github/provider.go b/github/provider.go
@@ -122,6 +122,7 @@ func Provider() terraform.ResourceProvider {
 			"github_issue_label":                                                    resourceGithubIssueLabel(),
 			"github_membership":                                                     resourceGithubMembership(),
 			"github_organization_block":                                             resourceOrganizationBlock(),
+			"github_organization_custom_role":                                       resourceGithubOrganizationCustomRole(),
 			"github_organization_project":                                           resourceGithubOrganizationProject(),
 			"github_organization_security_manager":                                  resourceGithubOrganizationSecurityManager(),
 			"github_organization_settings":                                          resourceGithubOrganizationSettings(),
@@ -181,6 +182,7 @@ func Provider() terraform.ResourceProvider {
 			"github_issue_labels":                                                   dataSourceGithubIssueLabels(),
 			"github_membership":                                                     dataSourceGithubMembership(),
 			"github_organization":                                                   dataSourceGithubOrganization(),
+			"github_organization_custom_role":                                       dataSourceGithubOrganizationCustomRole(),
 			"github_organization_ip_allow_list":                                     dataSourceGithubOrganizationIpAllowList(),
 			"github_organization_team_sync_groups":                                  dataSourceGithubOrganizationTeamSyncGroups(),
 			"github_organization_teams":                                             dataSourceGithubOrganizationTeams(),

diff --git a/github/resource_github_organization_custom_role.go b/github/resource_github_organization_custom_role.go
@@ -0,0 +1,171 @@
+package github
+
+import (
+	"context"
+	"fmt"
+	"log"
+
+	"github.com/google/go-github/v53/github"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+)
+
+func resourceGithubOrganizationCustomRole() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceGithubOrganizationCustomRoleCreate,
+		Read:   resourceGithubOrganizationCustomRoleRead,
+		Update: resourceGithubOrganizationCustomRoleUpdate,
+		Delete: resourceGithubOrganizationCustomRoleDelete,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "The organization custom repository role to create.",
+			},
+			"base_role": {
+				Type:         schema.TypeString,
+				Required:     true,
+				Description:  "The base role for the custom repository role.",
+				ValidateFunc: validateValueFunc([]string{"read", "triage", "write", "maintain"}),
+			},
+			"permissions": {
+				Type:        schema.TypeSet,
+				Required:    true,
+				Elem:        &schema.Schema{Type: schema.TypeString},
+				MinItems:    1, // At least one permission should be passed.
+				Description: "The permissions for the custom repository role.",
+			},
+			"description": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "The description of the custom repository role.",
+			},
+		},
+	}
+}
+
+func resourceGithubOrganizationCustomRoleCreate(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*Owner).v3client
+	orgName := meta.(*Owner).name
+	ctx := context.Background()
+
+	err := checkOrganization(meta)
+	if err != nil {
+		return err
+	}
+
+	permissions := d.Get("permissions").(*schema.Set).List()
+	permissionsStr := make([]string, len(permissions))
+	for i, v := range permissions {
+		permissionsStr[i] = v.(string)
+	}
+
+	role, _, err := client.Organizations.CreateCustomRepoRole(ctx, orgName, &github.CreateOrUpdateCustomRoleOptions{
+		Name:        github.String(d.Get("name").(string)),
+		Description: github.String(d.Get("description").(string)),
+		BaseRole:    github.String(d.Get("base_role").(string)),
+		Permissions: permissionsStr,
+	})
+
+	if err != nil {
+		return fmt.Errorf("error creating GitHub custom repository role %s (%s): %s", orgName, d.Get("name").(string), err)
+	}
+
+	d.SetId(fmt.Sprint(*role.ID))
+	return resourceGithubOrganizationCustomRoleRead(d, meta)
+}
+
+func resourceGithubOrganizationCustomRoleRead(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*Owner).v3client
+	ctx := context.Background()
+	orgName := meta.(*Owner).name
+
+	err := checkOrganization(meta)
+	if err != nil {
+		return err
+	}
+
+	roleID := d.Id()
+
+	// ListCustomRepoRoles returns a list of all custom repository roles for an organization.
+	// There is an API endpoint for getting a single custom repository role, but is not
+	// implemented in the go-github library.
+	roleList, _, err := client.Organizations.ListCustomRepoRoles(ctx, orgName)
+	if err != nil {
+		return fmt.Errorf("error querying GitHub custom repository roles %s: %s", orgName, err)
+	}
+
+	var role *github.CustomRepoRoles
+	for _, r := range roleList.CustomRepoRoles {
+		if fmt.Sprint(*r.ID) == roleID {
+			role = r
+			break
+		}
+	}
+
+	if role == nil {
+		log.Printf("[WARN] GitHub custom repository role (%s/%s) not found, removing from state", orgName, roleID)
+		d.SetId("")
+		return nil
+	}
+
+	d.Set("name", role.Name)
+	d.Set("description", role.Description)
+	d.Set("base_role", role.BaseRole)
+	d.Set("permissions", role.Permissions)
+
+	return nil
+}
+
+func resourceGithubOrganizationCustomRoleUpdate(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*Owner).v3client
+	ctx := context.Background()
+	orgName := meta.(*Owner).name
+
+	err := checkOrganization(meta)
+	if err != nil {
+		return err
+	}
+
+	roleID := d.Id()
+	permissions := d.Get("permissions").(*schema.Set).List()
+	permissionsStr := make([]string, len(permissions))
+	for i, v := range permissions {
+		permissionsStr[i] = v.(string)
+	}
+
+	update := &github.CreateOrUpdateCustomRoleOptions{
+		Name:        github.String(d.Get("name").(string)),
+		Description: github.String(d.Get("description").(string)),
+		BaseRole:    github.String(d.Get("base_role").(string)),
+		Permissions: permissionsStr,
+	}
+
+	if _, _, err := client.Organizations.UpdateCustomRepoRole(ctx, orgName, roleID, update); err != nil {
+		return fmt.Errorf("error updating GitHub custom repository role %s (%s): %s", orgName, roleID, err)
+	}
+
+	return resourceGithubOrganizationCustomRoleRead(d, meta)
+}
+
+func resourceGithubOrganizationCustomRoleDelete(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*Owner).v3client
+	ctx := context.Background()
+	orgName := meta.(*Owner).name
+
+	err := checkOrganization(meta)
+	if err != nil {
+		return err
+	}
+	roleID := d.Id()
+
+	_, err = client.Organizations.DeleteCustomRepoRole(ctx, orgName, roleID)
+	if err != nil {
+		return fmt.Errorf("Error deleting GitHub custom repository role %s (%s): %s", orgName, roleID, err)
+	}
+
+	return nil
+}