feat(iam): add admins and developers teams for ArgoCD RBAC

xnoto · xnoto · commit 3a2c3a923aa6 · 2025-12-21T13:07:16.000-07:00
Creates GitHub teams that map to ArgoCD roles:
- admins: role:admin
- developers: role:readonly
diff --git a/README.md b/README.md
@@ -24,6 +24,9 @@ No modules.
 | [github_branch_protection.protections](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection) | resource |
 | [github_membership.admin](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/membership) | resource |
 | [github_repository.repositories](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |
+| [github_team.admins](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/team) | resource |
+| [github_team.developers](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/team) | resource |
+| [github_team_membership.admins_xnoto](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/team_membership) | resource |
 | [sops_file.secret_vars](https://registry.terraform.io/providers/carlpett/sops/latest/docs/data-sources/file) | data source |
 
 ## Inputs
diff --git a/gh-iam.tf b/gh-iam.tf
@@ -2,3 +2,23 @@ resource "github_membership" "admin" {
   username = "xnoto"
   role     = "admin"
 }
+
+# Teams for ArgoCD RBAC integration
+resource "github_team" "admins" {
+  name        = "admins"
+  description = "ArgoCD administrators"
+  privacy     = "closed"
+}
+
+resource "github_team" "developers" {
+  name        = "developers"
+  description = "ArgoCD read-only access"
+  privacy     = "closed"
+}
+
+# Team memberships
+resource "github_team_membership" "admins_xnoto" {
+  team_id  = github_team.admins.id
+  username = "xnoto"
+  role     = "maintainer"
+}
