Create an operations team and switch admins to moderators

tim-schilling · tim-schilling · commit dd03789348d2 · 2025-10-10T16:03:26.000-05:00
The operations team will have admin permissions in the GitHub org
while the admins team will have moderator permissions.

This needs to be followed up with another commit to reduce the
permissions of the org admins teams to member. This is being
split up to avoid removing all admin permissions.
diff --git a/terraform/production/org.tfvars b/terraform/production/org.tfvars
@@ -7,6 +7,14 @@ admins = [
   "williln",
 ]
 
+ops_team = [
+  "cunla",
+  "ryancheley",
+  "Stormheg",
+  "tim-schilling",
+  "williln",
+]
+
 # Design members
 #
 # Enable following members when they've accepted the invite
@@ -104,10 +112,23 @@ members = [
   "viscofuse",
   "Zakui",
 ]
-
 organization_teams = {
+  # This team should be enabled as moderators which can't be configured
+  # via the GitHub Terraform integration.
+  # https://github.com/organizations/django-commons/settings/moderators
   "Admins" = {
-    description = "django-commons administrators"
+    description = "django-commons administrators team with moderator permissions in the org."
+    # Use maintainers for organizational teams
+    maintainers = [
+      "cunla",
+      "ryancheley",
+      "Stormheg",
+      "tim-schilling",
+      "williln",
+    ]
+  }
+  "operations" = {
+    description = "django-commons operations team with admin permissions in the org."
     # Use maintainers for organizational teams
     maintainers = [
       "cunla",
diff --git a/terraform/resources-org.tf b/terraform/resources-org.tf
@@ -1,7 +1,7 @@
 # GitHub Membership Resource
 # https://registry.terraform.io/providers/integrations/github/latest/docs/resources/membership
 data "github_users" "users" {
-  usernames = setunion(var.admins, var.members)
+  usernames = setunion(var.admins, var.ops_team, var.members)
 }
 
 output "invalid_users" {
@@ -11,6 +11,7 @@ output "invalid_users" {
 locals {
   users = merge(
     { for user in var.admins : user => "admin" if contains(data.github_users.users.logins, user) },
+    { for user in var.ops_team : user => "admin" if contains(data.github_users.users.logins, user) },
     { for user in var.members : user => "member" if contains(data.github_users.users.logins, user) }
   )
 }
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -2,7 +2,12 @@
 # https://www.terraform.io/language/values/variables
 
 variable "admins" {
-  description = "A set of admins to add to the organization"
+  description = "A set of users who are admins to add to the organization"
+  type        = set(string)
+}
+
+variable "ops_team" {
+  description = "A set of users who have operational permissions to add to the organization"
   type        = set(string)
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`# GitHub Membership Resource`
`2`	`2`	`# https://registry.terraform.io/providers/integrations/github/latest/docs/resources/membership`
`3`	`3`	`data "github_users" "users" {`
`4`		`- usernames = setunion(var.admins, var.members)`
	`4`	`+ usernames = setunion(var.admins, var.ops_team, var.members)`
`5`	`5`	`}`
`6`	`6`
`7`	`7`	`output "invalid_users" {`
`@@ -11,6 +11,7 @@ output "invalid_users" {`
`11`	`11`	`locals {`
`12`	`12`	`users = merge(`
`13`	`13`	`{ for user in var.admins : user => "admin" if contains(data.github_users.users.logins, user) },`
	`14`	`+ { for user in var.ops_team : user => "admin" if contains(data.github_users.users.logins, user) },`
`14`	`15`	`{ for user in var.members : user => "member" if contains(data.github_users.users.logins, user) }`
`15`	`16`	`)`
`16`	`17`	`}`