feat: add ability to downgrade membership when github_membership is destroyed (#1783)

jsifuentes · kfcampbell · web-flow · commit fabff68737e3 · 2023-07-14T11:11:01.000-07:00
* feat: add ability to downgrade membership on destroy

* add docs

* formatting

* formatting

* check membership status before downgrading

* fix lint

* fix lint

* Update github/resource_github_membership.go

Co-authored-by: Keegan Campbell &lt;me@kfcampbell.com&gt;

---------

Co-authored-by: Keegan Campbell &lt;me@kfcampbell.com&gt;
diff --git a/github/resource_github_membership.go b/github/resource_github_membership.go
@@ -38,6 +38,12 @@ func resourceGithubMembership() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"downgrade_on_destroy": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     false,
+				Description: "Instead of removing the member from the org, you can choose to downgrade their membership to 'member' when this resource is destroyed. This is useful when wanting to downgrade admins while keeping them in the organization",
+			},
 		},
 	}
 }
@@ -126,8 +132,40 @@ func resourceGithubMembershipDelete(d *schema.ResourceData, meta interface{}) er
 	orgName := meta.(*Owner).name
 	ctx := context.WithValue(context.Background(), ctxId, d.Id())
 
-	_, err = client.Organizations.RemoveOrgMembership(ctx,
-		d.Get("username").(string), orgName)
+	username := d.Get("username").(string)
+	downgradeOnDestroy := d.Get("downgrade_on_destroy").(bool)
+	downgradeTo := "member"
+
+	if downgradeOnDestroy {
+		log.Printf("[INFO] Downgrading '%s' membership for '%s' to '%s'", orgName, username, downgradeTo)
+
+		// Check to make sure this member still has access to the organization before downgrading.
+		// If we don't do this, the member would just be re-added to the organization.
+		var membership *github.Membership
+		membership, _, err = client.Organizations.GetOrgMembership(ctx, username, orgName)
+		if err != nil {
+			if ghErr, ok := err.(*github.ErrorResponse); ok {
+				if ghErr.Response.StatusCode == http.StatusNotFound {
+					log.Printf("[INFO] Not downgrading '%s' membership for '%s' because they are not a member of the org anymore", orgName, username)
+					return nil
+				}
+			}
+
+			return err
+		}
+
+		if *membership.Role == downgradeTo {
+			log.Printf("[INFO] Not downgrading '%s' membership for '%s' because they are already '%s'", orgName, username, downgradeTo)
+			return nil
+		}
+
+		_, _, err = client.Organizations.EditOrgMembership(ctx, username, orgName, &github.Membership{
+			Role: github.String(downgradeTo),
+		})
+	} else {
+		log.Printf("[INFO] Revoking '%s' membership for '%s'", orgName, username)
+		_, err = client.Organizations.RemoveOrgMembership(ctx, username, orgName)
+	}
 
 	return err
 }
diff --git a/github/resource_github_membership_test.go b/github/resource_github_membership_test.go
@@ -43,6 +43,37 @@ func TestAccGithubMembership_basic(t *testing.T) {
 	})
 }
 
+func TestAccGithubMembership_downgrade(t *testing.T) {
+	if testCollaborator == "" {
+		t.Skip("Skipping because `GITHUB_TEST_COLLABORATOR` is not set")
+	}
+	if err := testAccCheckOrganization(); err != nil {
+		t.Skipf("Skipping because %s.", err.Error())
+	}
+
+	var membership github.Membership
+	rn := "github_membership.test_org_membership"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckGithubMembershipDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccGithubMembershipConfigDowngradable(testCollaborator),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGithubMembershipExists(rn, &membership),
+					testAccCheckGithubMembershipRoleState(rn, &membership),
+				),
+			},
+			{
+				ResourceName: rn,
+				ImportState:  true,
+			},
+		},
+	})
+}
+
 func TestAccGithubMembership_caseInsensitive(t *testing.T) {
 	if testCollaborator == "" {
 		t.Skip("Skipping because `GITHUB_TEST_COLLABORATOR` is not set")
@@ -95,22 +126,36 @@ func testAccCheckGithubMembershipDestroy(s *terraform.State) error {
 		if rs.Type != "github_membership" {
 			continue
 		}
+
 		orgName, username, err := parseTwoPartID(rs.Primary.ID, "organization", "username")
 		if err != nil {
 			return err
 		}
 
+		downgradedOnDestroy := rs.Primary.Attributes["downgrade_on_destroy"] == "true"
 		membership, resp, err := conn.Organizations.GetOrgMembership(context.TODO(), username, orgName)
+		responseIsSuccessful := err == nil && membership != nil && buildTwoPartID(orgName, username) == rs.Primary.ID
 
-		if err == nil {
-			if membership != nil &&
-				buildTwoPartID(orgName, username) == rs.Primary.ID {
-				return fmt.Errorf("organization membership %q still exists", rs.Primary.ID)
+		if downgradedOnDestroy {
+			if !responseIsSuccessful {
+				return fmt.Errorf("could not load organization membership for %q", rs.Primary.ID)
 			}
-		}
-		if resp.StatusCode != 404 {
+
+			if *membership.Role != "member" {
+				return fmt.Errorf("organization membership %q is not a member of the org or is not the 'member' role", rs.Primary.ID)
+			}
+
+			// Now actually remove them from the org to clean up
+			_, removeErr := conn.Organizations.RemoveOrgMembership(context.TODO(), username, orgName)
+			if removeErr != nil {
+				return fmt.Errorf("organization membership %q could not be removed during membership downgrade test case cleanup: %s", rs.Primary.ID, removeErr)
+			}
+		} else if responseIsSuccessful {
+			return fmt.Errorf("organization membership %q still exists", rs.Primary.ID)
+		} else if resp.StatusCode != 404 {
 			return err
 		}
+
 		return nil
 	}
 	return nil
@@ -184,6 +229,16 @@ func testAccGithubMembershipConfig(username string) string {
 `, username)
 }
 
+func testAccGithubMembershipConfigDowngradable(username string) string {
+	return fmt.Sprintf(`
+  resource "github_membership" "test_org_membership" {
+    username = "%s"
+    role = "admin"
+    downgrade_on_destroy = %t
+  }
+`, username, true)
+}
+
 func testAccGithubMembershipTheSame(orig, other *github.Membership) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		if orig.GetURL() != other.GetURL() {
diff --git a/website/docs/r/membership.html.markdown b/website/docs/r/membership.html.markdown
@@ -30,6 +30,10 @@ The following arguments are supported:
 * `username` - (Required) The user to add to the organization.
 * `role` - (Optional) The role of the user within the organization.
             Must be one of `member` or `admin`. Defaults to `member`.
+* `downgrade_on_destroy` - (Optional) Defaults to `false`. If set to true,
+            when this resource is destroyed, the member will not be removed
+            from the organization. Instead, the member's role will be
+            downgraded to 'member'.
 
 
 ## Import
