From d2aa4449655b26e3969e99488568ca13d4c6162b Mon Sep 17 00:00:00 2001
From: vedantthapa
Date: Wed, 1 Oct 2025 10:48:55 -0300
Subject: [PATCH 1/3] feat: combine github_team_membership resource blocks into one
---
 modules/team/members.tf | 21 ++++++++++-----------
 modules/team/team.tftest.hcl | 24 ++++++++++++------------
 2 files changed, 22 insertions(+), 23 deletions(-)
diff --git a/modules/team/members.tf b/modules/team/members.tf
index 09b98cd..dd92dc4 100644
--- a/modules/team/members.tf
+++ b/modules/team/members.tf
@@ -1,17 +1,16 @@
 locals {
 team_id = local.create_team ? github_team.team[0].id : var.team_id
+
+ # Combine team_maintainers and team_members into a single map with respective roles
+ memberships = merge(
+ { for username in var.team_maintainers : username => "maintainer" },
+ { for username in var.team_members : username => "member" }
+ )
 }
-resource "github_team_membership" "maintainers" {
- for_each = toset(var.team_maintainers)
+resource "github_team_membership" "memberships" {
+ for_each = local.memberships
 team_id = local.team_id
- username = each.value
- role = "maintainer"
-}
-
-resource "github_team_membership" "members" {
- for_each = toset(var.team_members)
- team_id = local.team_id
- username = each.value
- role = "member"
+ username = each.key
+ role = each.value
 }
diff --git a/modules/team/team.tftest.hcl b/modules/team/team.tftest.hcl
index 3372213..d45eb17 100644
--- a/modules/team/team.tftest.hcl
+++ b/modules/team/team.tftest.hcl
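Review bot: Renaming the two resources to `github_team_membership.memberships` in modules/team/members.tf changes the address of every existing instance, and the patch ships no state-migration path, so a state created with the previous module version will plan a destroy of each `.maintainers[...]`/`.members[...]` entry and a create of the matching `.memberships[...]` entry. Both operations target the same user/team pair in GitHub, so if the delete of the old address happens to run after the create, the user may end up removed from the team while state still records the membership; this is worth confirming against a real plan before release. I would document the upgrade step (for example a `terraform state mv` per member before applying) in the module README or changelog, and add a comment above the resource such as `# Address changed from .maintainers/.members; migrate state before upgrading to avoid membership churn`.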
@@ -16,31 +16,31 @@ run "team_test" {
 command = apply
 assert {
- condition = github_team_membership.maintainers[var.team_maintainers[0]].team_id == var.team_id
- error_message = "The maintainer's team id is incorrect. Expected: ${var.team_id}, Actual: ${github_team_membership.maintainers[var.team_maintainers[0]].team_id}"
+ condition = github_team_membership.memberships[var.team_maintainers[0]].team_id == var.team_id
+ error_message = "The maintainer's team id is incorrect. Expected: ${var.team_id}, Actual: ${github_team_membership.memberships[var.team_maintainers[0]].team_id}"
 }
 assert {
- condition = github_team_membership.maintainers[var.team_maintainers[0]].username == var.team_maintainers[0]
- error_message = "The maintainer's username is incorrect. Expected: ${var.team_maintainers[0]}, Actual: ${github_team_membership.maintainers[var.team_maintainers[0]].username}"
+ condition = github_team_membership.memberships[var.team_maintainers[0]].username == var.team_maintainers[0]
+ error_message = "The maintainer's username is incorrect. Expected: ${var.team_maintainers[0]}, Actual: ${github_team_membership.memberships[var.team_maintainers[0]].username}"
 }
 assert {
- condition = github_team_membership.maintainers[var.team_maintainers[0]].role == "maintainer"
- error_message = "The maintainer's role is incorrect. Expected: maintainer, Actual: ${github_team_membership.maintainers[var.team_maintainers[0]].role}"
+ condition = github_team_membership.memberships[var.team_maintainers[0]].role == "maintainer"
+ error_message = "The maintainer's role is incorrect. Expected: maintainer, Actual: ${github_team_membership.memberships[var.team_maintainers[0]].role}"
 }
 }
 run "team_member_test" {
 assert {
- condition = github_team_membership.members[var.team_members[0]].team_id == var.team_id
- error_message = "The member's team id is incorrect. Expected: ${var.team_id}, Actual: ${github_team_membership.members[var.team_members[0]].team_id}"
+ condition = github_team_membership.memberships[var.team_members[0]].team_id == var.team_id
+ error_message = "The member's team id is incorrect. Expected: ${var.team_id}, Actual: ${github_team_membership.memberships[var.team_members[0]].team_id}"
 }
 assert {
- condition = github_team_membership.members[var.team_members[0]].username == var.team_members[0]
- error_message = "The member's username is incorrect. Expected: ${var.team_members[0]}, Actual: ${github_team_membership.members[var.team_members[0]].username}"
+ condition = github_team_membership.memberships[var.team_members[0]].username == var.team_members[0]
+ error_message = "The member's username is incorrect. Expected: ${var.team_members[0]}, Actual: ${github_team_membership.memberships[var.team_members[0]].username}"
 }
 assert {
- condition = github_team_membership.members[var.team_members[0]].role == "member"
- error_message = "The member's role is incorrect. Expected: member, Actual: ${github_team_membership.members[var.team_members[0]].role}"
+ condition = github_team_membership.memberships[var.team_members[0]].role == "member"
+ error_message = "The member's role is incorrect. Expected: member, Actual: ${github_team_membership.memberships[var.team_members[0]].role}"
 }
 }
From 246928d5342724177bd1a011dd415786e1dcb097 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 1 Oct 2025 15:08:56 +0000
Subject: [PATCH 2/3] terraform-docs: automated action
---
 modules/team/README.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/modules/team/README.md b/modules/team/README.md
index 8bface2..0a5eea9 100644
--- a/modules/team/README.md
+++ b/modules/team/README.md
@@ -20,8 +20,7 @@ No modules. | Name | Type | |------|------| | [github_team.team](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/team) | resource | -| [github_team_membership.maintainers](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/team_membership) | resource | -| [github_team_membership.members](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/team_membership) | resource | +| [github_team_membership.memberships](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/team_membership) | resource | ## Inputs
From b6bc323c28492121351fadd124209196138c4502 Mon Sep 17 00:00:00 2001
From: vedantthapa
Date: Wed, 1 Oct 2025 12:16:43 -0300
Subject: [PATCH 3/3] feat: flip order to fail towards higher privlege in presence of duplicates
---
 modules/team/members.tf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/modules/team/members.tf b/modules/team/members.tf
index dd92dc4..311ce59 100644
--- a/modules/team/members.tf
+++ b/modules/team/members.tf
@@ -2,9 +2,10 @@ locals {
 team_id = local.create_team ? github_team.team[0].id : var.team_id
 # Combine team_maintainers and team_members into a single map with respective roles
+ # If a user appears in both lists, `maintainer` role takes precedence
 memberships = merge(
- { for username in var.team_maintainers : username => "maintainer" },
- { for username in var.team_members : username => "member" }
+ { for username in var.team_members : username => "member" },
+ { for username in var.team_maintainers : username => "maintainer" }
 )
 }
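Review bot: A username listed in both `team_maintainers` and `team_members` is silently resolved to `maintainer` by the reordered `merge()` in the patch 3/3 hunk of modules/team/members.tf, so an input mistake ends in the higher privilege instead of an error. A least-privilege module would normally reject the overlap; a `precondition` on the membership resource (which sits outside this hunk, as does the opening of the `locals` block) with `condition = length(setintersection(toset(var.team_maintainers), toset(var.team_members))) == 0` would surface it at plan time. The map keys are also compared case-sensitively while GitHub logins are not, so `Alice` in one list and `alice` in the other would still yield two resources with conflicting roles for one account; normalising the keys with `lower(username)` would likely close that, subject to how the provider treats login case. The series adds no test in team.tftest.hcl for the duplicate case, so the precedence stated in the new comment is not pinned by any assertion.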