From b413f7c8bf4385f2a6eab89911314d156120caf1 Mon Sep 17 00:00:00 2001 From: Tim Schilling Date: Fri, 10 Oct 2025 15:57:07 -0500 Subject: [PATCH 1/3] Create an operations team and switch admins to moderators The operations team will have admin permissions in the GitHub org while the admins team will have moderator permissions. This needs to be followed up with another commit to reduce the permissions of the org admins teams to member. This is being split up to avoid removing all admin permissions. --- terraform/production/org.tfvars | 25 +++++++++++++++++++++++-- terraform/resources-org.tf | 3 ++- terraform/variables.tf | 7 ++++++- 3 files changed, 31 insertions(+), 4 deletions(-) diff --git a/terraform/production/org.tfvars b/terraform/production/org.tfvars index e9ac044..e9ead17 100644 --- a/terraform/production/org.tfvars +++ b/terraform/production/org.tfvars @@ -7,6 +7,14 @@ admins = [ "williln", ] +ops_team = [ + "cunla", + "ryancheley", + "Stormheg", + "tim-schilling", + "williln", +] + # Design members designers = [ "akshayvinchurkar", @@ -109,10 +117,23 @@ members = [ "viscofuse", "Zakui", ] - organization_teams = { + # This team should be enabled as moderators which can't be configured + # via the GitHub Terraform integration. + # https://github.com/organizations/django-commons/settings/moderators "Admins" = { - description = "django-commons administrators" + description = "django-commons administrators team with moderator permissions in the org." + # Use maintainers for organizational teams + maintainers = [ + "cunla", + "ryancheley", + "Stormheg", + "tim-schilling", + "williln", + ] + } + "operations" = { + description = "django-commons operations team with admin permissions in the org." # Use maintainers for organizational teams maintainers = [ "cunla", diff --git a/terraform/resources-org.tf b/terraform/resources-org.tf index 3022e2d..b193799 100644 --- a/terraform/resources-org.tf +++ b/terraform/resources-org.tf 
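Review bot: The `"operations"` team description says it has admin permissions in the org, but nothing in this `organization_teams` entry grants them. Judging by the `resources-org.tf` change in this same patch, the `"admin"` role is derived from the separate `ops_team` list at the top of the file. The same five logins are therefore maintained by hand in two places, and the lists can drift so that someone holds the owner role without being on the team, or the reverse. A comment above the new `maintainers` list would make the coupling visible to the next editor: `# Keep in sync with ops_team above; the org owner role comes from that list, not from team membership.` The `maintainers` list continues past the end of this hunk.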
@@ -1,7 +1,7 @@ # GitHub Membership Resource # https://registry.terraform.io/providers/integrations/github/latest/docs/resources/membership data "github_users" "users" { - usernames = setunion(var.admins, var.members) + usernames = setunion(var.admins, var.ops_team, var.members) } output "invalid_users" { @@ -11,6 +11,7 @@ output "invalid_users" { locals { users = merge( { for user in var.admins : user => "admin" if contains(data.github_users.users.logins, user) }, + { for user in var.ops_team : user => "admin" if contains(data.github_users.users.logins, user) }, { for user in var.members : user => "member" if contains(data.github_users.users.logins, user) } ) } diff --git a/terraform/variables.tf b/terraform/variables.tf index 108ed16..69ab8a1 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -2,7 +2,12 @@ # https://www.terraform.io/language/values/variables variable "admins" { - description = "A set of admins to add to the organization" + description = "A set of users who are admins to add to the organization" + type = set(string) +} + +variable "ops_team" { + description = "A set of users who have operational permissions to add to the organization" type = set(string) } From f0c02592e1f0fa03172612e00a1426879157a4ad Mon Sep 17 00:00:00 2001 From: Tim Schilling Date: Fri, 5 Dec 2025 13:48:45 -0600 Subject: [PATCH 2/3] Rename ops team to super admins. --- terraform/production/org.tfvars | 2 +- terraform/resources-org.tf | 4 ++-- terraform/variables.tf | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/production/org.tfvars b/terraform/production/org.tfvars index e9ead17..70ad8d9 100644 --- a/terraform/production/org.tfvars +++ b/terraform/production/org.tfvars @@ -7,7 +7,7 @@ admins = [ "williln", ] -ops_team = [ +super_admins = [ "cunla", "ryancheley", "Stormheg", diff --git a/terraform/resources-org.tf b/terraform/resources-org.tf index b193799..d7e49ae 100644 --- a/terraform/resources-org.tf 
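Review bot: In the `users = merge(...)` hunk of PATCH 1/3, the result depends on argument order because `merge()` keeps the value from the last map that contains a key. A login listed in both `var.ops_team` and `var.members` ends up as `"member"` and silently loses the owner role. Either move the `ops_team` comprehension to the end or validate that the lists are disjoint. At minimum add a comment above `users = merge(`, such as `# merge(): later maps win; keep the lists disjoint or order them deliberately`. The same applies to the renamed `super_admins` line in PATCH 2/3 and to the role change in PATCH 3/3. The `locals` block closes outside this hunk.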
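Review bot: The new `variable "ops_team"` description in `variables.tf` ("users who have operational permissions") does not say that these logins receive the organization `"admin"` (owner) role, which is what `resources-org.tf` assigns them. Something like `description = "Logins granted the organization owner (admin) role"` would state the privilege plainly. The description is carried over unchanged when PATCH 2/3 renames the variable to `super_admins`. The reworded `admins` description ("users who are admins") also stops being accurate once PATCH 3/3 maps that list to `"member"`, so it would be better to describe it as the moderators list here.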
+++ b/terraform/resources-org.tf @@ -1,7 +1,7 @@ # GitHub Membership Resource # https://registry.terraform.io/providers/integrations/github/latest/docs/resources/membership data "github_users" "users" { - usernames = setunion(var.admins, var.ops_team, var.members) + usernames = setunion(var.admins, var.super_admins, var.members) } output "invalid_users" { @@ -11,7 +11,7 @@ output "invalid_users" { locals { users = merge( { for user in var.admins : user => "admin" if contains(data.github_users.users.logins, user) }, - { for user in var.ops_team : user => "admin" if contains(data.github_users.users.logins, user) }, + { for user in var.super_admins : user => "admin" if contains(data.github_users.users.logins, user) }, { for user in var.members : user => "member" if contains(data.github_users.users.logins, user) } ) } diff --git a/terraform/variables.tf b/terraform/variables.tf index 69ab8a1..6d7e0be 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -6,7 +6,7 @@ variable "admins" { type = set(string) } -variable "ops_team" { +variable "super_admins" { description = "A set of users who have operational permissions to add to the organization" type = set(string) } From f8a427161215933d3a2eee4f642460b7f0c4f01a Mon Sep 17 00:00:00 2001 From: Tim Schilling Date: Fri, 10 Oct 2025 16:05:15 -0500 Subject: [PATCH 3/3] Reduce org admins team to only be members This removes them as owners from the organization. --- terraform/resources-org.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/resources-org.tf b/terraform/resources-org.tf index d7e49ae..962e04a 100644 --- a/terraform/resources-org.tf +++ b/terraform/resources-org.tf 
@@ -10,7 +10,7 @@ output "invalid_users" { locals { users = merge( - { for user in var.admins : user => "admin" if contains(data.github_users.users.logins, user) }, + { for user in var.admins : user => "member" if contains(data.github_users.users.logins, user) }, { for user in var.super_admins : user => "admin" if contains(data.github_users.users.logins, user) }, { for user in var.members : user => "member" if contains(data.github_users.users.logins, user) } )
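Review bot: The demotion on the changed `var.admins` line only affects logins that are not also in `var.super_admins`, because the `super_admins` map comes later in `merge()` and overrides the entry with `"admin"`. The list added in PATCH 1/3 repeats the five logins shown for the `Admins` team, so if `admins` holds the same names, this commit removes no owner, despite what the description says. Consider saying so in the commit message, or trimming `super_admins` to the intended owners. A comment on the line, such as `# admins are org members (moderators); owner role comes only from super_admins`, would record the intent. The `locals` block closes outside this hunk.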