Add mondoo_team_member resource (#401)

jaym · claude · web-flow · commit 87b66060bc55 · 2026-04-03T12:00:35.000-05:00
* Add mondoo_team_member resource for managing team membership

Adds a new Terraform resource to add/remove users from teams by email.
Uses the addTeamMember/removeTeamMember mutations and the teamMember
query for drift detection.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

* Rename email field to identity for team member resource

Use the unified identity field that accepts either email or MRN,
matching the server-side GraphQL API change.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

* Fix team member test assertion for pending users

Remove member_mrn check since pending users (no Mondoo account) have
an empty member_mrn, which fails TestCheckResourceAttrSet.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

* Add UseStateForUnknown plan modifier to member_mrn

Prevents unnecessary (known after apply) diff noise on every plan
when member_mrn hasn't changed.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

* Update copyright headers for team member resource files

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

* Add ImportState support for team member resource

Import using composite key format: &lt;team_mrn&gt;:&lt;identity&gt;
Example: terraform import mondoo_team_member.alice "//captain.api.mondoo.app/teams/abc:alice@example.com"

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

* update copyright

* Fix ImportState test to use team_mrn as identifier attribute

The resource has no single id/mrn attribute, so use
ImportStateVerifyIdentifierAttribute to specify team_mrn.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

---------

Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/examples/resources/mondoo_team_member/main.tf b/examples/resources/mondoo_team_member/main.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    mondoo = {
+      source  = "mondoohq/mondoo"
+      version = ">= 0.35.7"
+    }
+  }
+}
diff --git a/examples/resources/mondoo_team_member/resource.tf b/examples/resources/mondoo_team_member/resource.tf
@@ -0,0 +1,27 @@
+variable "org_id" {
+  description = "The ID of the organization in which to create the space and teams"
+  type        = string
+}
+
+provider "mondoo" {}
+
+data "mondoo_organization" "example" {
+  id = var.org_id
+}
+
+# Add a member to a team by email
+resource "mondoo_team" "example" {
+  name      = "security-team"
+  scope_mrn = data.mondoo_organization.example.mrn
+}
+
+resource "mondoo_team_member" "alice" {
+  team_mrn = mondoo_team.example.mrn
+  identity = "alice@example.com"
+}
+
+resource "mondoo_team_member" "bob" {
+  team_mrn = mondoo_team.example.mrn
+  identity = "bob@example.com"
+}
+
diff --git a/internal/provider/gql.go b/internal/provider/gql.go
@@ -1374,6 +1374,77 @@ func (c *ExtendedGqlClient) RemoveTeamExternalGroupMapping(ctx context.Context,
 	return c.Mutate(ctx, &mutation, mondoov1.String(mrn), nil)
 }
 
+// Team Member types and methods
+
+type AddTeamMemberInput struct {
+	TeamMrn  mondoov1.String  `json:"teamMrn"`
+	Identity *mondoov1.String `json:"identity,omitempty"`
+}
+
+type AddTeamMemberPayload struct {
+	CreatedPending mondoov1.Boolean `json:"createdPending"`
+	MemberMrn      *mondoov1.String `json:"memberMrn"`
+}
+
+type RemoveTeamMemberInput struct {
+	TeamMrn  mondoov1.String  `json:"teamMrn"`
+	Identity *mondoov1.String `json:"identity,omitempty"`
+}
+
+type TeamMemberPayload struct {
+	Mrn   *mondoov1.String `json:"mrn"`
+	Email mondoov1.String  `json:"email"`
+	Name  *mondoov1.String `json:"name"`
+}
+
+func (c *ExtendedGqlClient) AddTeamMember(ctx context.Context, input AddTeamMemberInput) (AddTeamMemberPayload, error) {
+	var mutation struct {
+		AddTeamMember AddTeamMemberPayload `graphql:"addTeamMember(input: $input)"`
+	}
+
+	tflog.Trace(ctx, "AddTeamMemberInput", map[string]interface{}{
+		"input": fmt.Sprintf("%+v", input),
+	})
+
+	err := c.Mutate(ctx, &mutation, input, nil)
+	return mutation.AddTeamMember, err
+}
+
+func (c *ExtendedGqlClient) GetTeamMember(ctx context.Context, teamMrn string, identity string) (*TeamMemberPayload, error) {
+	var query struct {
+		TeamMember *TeamMemberPayload `graphql:"teamMember(teamMrn: $teamMrn, identity: $identity)"`
+	}
+	variables := map[string]interface{}{
+		"teamMrn":  mondoov1.String(teamMrn),
+		"identity": mondoov1.String(identity),
+	}
+
+	tflog.Trace(ctx, "GetTeamMember", map[string]interface{}{
+		"teamMrn":  teamMrn,
+		"identity": identity,
+	})
+
+	err := c.Query(ctx, &query, variables)
+	if err != nil {
+		return nil, err
+	}
+	return query.TeamMember, nil
+}
+
+func (c *ExtendedGqlClient) RemoveTeamMember(ctx context.Context, input RemoveTeamMemberInput) error {
+	var mutation struct {
+		RemoveTeamMember struct {
+			MemberMrn *mondoov1.String `json:"memberMrn"`
+		} `graphql:"removeTeamMember(input: $input)"`
+	}
+
+	tflog.Trace(ctx, "RemoveTeamMemberInput", map[string]interface{}{
+		"input": fmt.Sprintf("%+v", input),
+	})
+
+	return c.Mutate(ctx, &mutation, input, nil)
+}
+
 type RoleInput struct {
 	Mrn mondoov1.String `json:"mrn"`
 }
diff --git a/internal/provider/provider.go b/internal/provider/provider.go
@@ -223,6 +223,7 @@ func (p *MondooProvider) Resources(_ context.Context) []func() resource.Resource
 		NewTeamResource,
 		NewTeamExternalGroupMappingResource,
 		NewResourceContactsResource,
+		NewTeamMemberResource,
 		NewIAMBindingResource,
 		NewExportGSCBucketResource,
 		NewExportS3BucketResource,
diff --git a/internal/provider/team_member_resource.go b/internal/provider/team_member_resource.go
@@ -0,0 +1,220 @@
+// Copyright Mondoo, Inc. 2024, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package provider
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-framework/path"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	mondoov1 "go.mondoo.com/mondoo-go"
+)
+
+// Ensure provider defined types fully satisfy framework interfaces.
+var _ resource.Resource = &TeamMemberResource{}
+var _ resource.ResourceWithImportState = &TeamMemberResource{}
+
+func NewTeamMemberResource() resource.Resource {
+	return &TeamMemberResource{}
+}
+
+// TeamMemberResource defines the resource implementation.
+type TeamMemberResource struct {
+	client *ExtendedGqlClient
+}
+
+// TeamMemberResourceModel describes the resource data model.
+type TeamMemberResourceModel struct {
+	TeamMrn   types.String `tfsdk:"team_mrn"`
+	Identity  types.String `tfsdk:"identity"`
+	MemberMrn types.String `tfsdk:"member_mrn"`
+}
+
+func (r *TeamMemberResource) Metadata(ctx context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
+	resp.TypeName = req.ProviderTypeName + "_team_member"
+}
+
+func (r *TeamMemberResource) Schema(ctx context.Context, req resource.SchemaRequest, resp *resource.SchemaResponse) {
+	resp.Schema = schema.Schema{
+		MarkdownDescription: `This resource manages team membership in Mondoo. It allows adding users to teams by email address or MRN. If the user does not yet have a Mondoo account, a pending membership is created.
+
+**Example usage:**
+
+` + "```hcl" + `
+resource "mondoo_team" "example" {
+  name      = "security-team"
+  scope_mrn = mondoo_organization.example.mrn
+}
+
+resource "mondoo_team_member" "alice" {
+  team_mrn = mondoo_team.example.mrn
+  identity = "alice@example.com"
+}
+` + "```",
+
+		Attributes: map[string]schema.Attribute{
+			"team_mrn": schema.StringAttribute{
+				MarkdownDescription: "MRN of the team to add the member to.",
+				Required:            true,
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.RequiresReplace(),
+				},
+			},
+			"identity": schema.StringAttribute{
+				MarkdownDescription: "Email address or MRN of the user to add to the team.",
+				Required:            true,
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.RequiresReplace(),
+				},
+			},
+			"member_mrn": schema.StringAttribute{
+				MarkdownDescription: "MRN of the member. Empty if the user has not yet registered.",
+				Computed:            true,
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.UseStateForUnknown(),
+				},
+			},
+		},
+	}
+}
+
+func (r *TeamMemberResource) Configure(ctx context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
+	// Prevent panic if the provider has not been configured.
+	if req.ProviderData == nil {
+		return
+	}
+
+	client, ok := req.ProviderData.(*ExtendedGqlClient)
+
+	if !ok {
+		resp.Diagnostics.AddError(
+			"Unexpected Resource Configure Type",
+			fmt.Sprintf("Expected *ExtendedGqlClient, got: %T. Please report this issue to the provider developers.", req.ProviderData),
+		)
+
+		return
+	}
+
+	r.client = client
+}
+
+func (r *TeamMemberResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
+	var data TeamMemberResourceModel
+
+	// Read Terraform plan data into the model
+	resp.Diagnostics.Append(req.Plan.Get(ctx, &data)...)
+
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	identity := mondoov1.String(data.Identity.ValueString())
+	input := AddTeamMemberInput{
+		TeamMrn:  mondoov1.String(data.TeamMrn.ValueString()),
+		Identity: &identity,
+	}
+
+	payload, err := r.client.AddTeamMember(ctx, input)
+	if err != nil {
+		resp.Diagnostics.AddError("Client Error", fmt.Sprintf("Unable to add team member, got error: %s", err))
+		return
+	}
+
+	// Map response back to schema
+	if payload.MemberMrn != nil {
+		data.MemberMrn = types.StringValue(string(*payload.MemberMrn))
+	} else {
+		data.MemberMrn = types.StringValue("")
+	}
+
+	// Save data into Terraform state
+	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
+}
+
+func (r *TeamMemberResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
+	var data TeamMemberResourceModel
+
+	// Read Terraform prior state data into the model
+	resp.Diagnostics.Append(req.State.Get(ctx, &data)...)
+
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	// Get the team member from the API
+	member, err := r.client.GetTeamMember(ctx, data.TeamMrn.ValueString(), data.Identity.ValueString())
+	if err != nil {
+		resp.Diagnostics.AddError("Client Error", fmt.Sprintf("Unable to read team member, got error: %s", err))
+		return
+	}
+
+	// If the member is not found, remove from state (drift detection)
+	if member == nil {
+		resp.State.RemoveResource(ctx)
+		return
+	}
+
+	// Map response back to schema
+	if member.Mrn != nil {
+		data.MemberMrn = types.StringValue(string(*member.Mrn))
+	} else {
+		data.MemberMrn = types.StringValue("")
+	}
+
+	// Save updated data into Terraform state
+	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
+}
+
+func (r *TeamMemberResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
+	// Team members are immutable - both team_mrn and identity require replacement
+	// This method should never be called due to RequiresReplace plan modifiers
+	resp.Diagnostics.AddError(
+		"Unexpected Update Call",
+		"Team members cannot be updated. Both team_mrn and identity changes require replacement.",
+	)
+}
+
+func (r *TeamMemberResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
+	var data TeamMemberResourceModel
+
+	// Read Terraform prior state data into the model
+	resp.Diagnostics.Append(req.State.Get(ctx, &data)...)
+
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	identity := mondoov1.String(data.Identity.ValueString())
+	input := RemoveTeamMemberInput{
+		TeamMrn:  mondoov1.String(data.TeamMrn.ValueString()),
+		Identity: &identity,
+	}
+
+	err := r.client.RemoveTeamMember(ctx, input)
+	if err != nil {
+		resp.Diagnostics.AddError("Client Error", fmt.Sprintf("Unable to remove team member, got error: %s", err))
+		return
+	}
+}
+
+func (r *TeamMemberResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
+	// Import ID format: <team_mrn>:<identity>
+	parts := strings.SplitN(req.ID, ":", 2)
+	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
+		resp.Diagnostics.AddError(
+			"Invalid Import ID",
+			fmt.Sprintf("Expected import ID format: <team_mrn>:<identity>, got: %s", req.ID),
+		)
+		return
+	}
+
+	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("team_mrn"), parts[0])...)
+	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("identity"), parts[1])...)
+}
diff --git a/internal/provider/team_member_resource_test.go b/internal/provider/team_member_resource_test.go
