okta · bogdanprodan-okta · Apr 30, 2021 · Apr 15, 2021 · Apr 15, 2021 · Apr 15, 2021
diff --git a/examples/okta_group_memberships/README.md b/examples/okta_group_memberships/README.md
@@ -0,0 +1,7 @@
+# Okta Group Memberships
+
+Resource to manage a set of memberships for a specific group.
+
+[See Okta documentation regarding group operations](https://developer.okta.com/docs/reference/api/groups/#group-member-operations)
+
+A simple example of usage of this resource can be [found here](./basic.tf).
diff --git a/examples/okta_group_memberships/basic.tf b/examples/okta_group_memberships/basic.tf
@@ -0,0 +1,57 @@
+resource "okta_group" "test" {
+  name        = "testAcc_replace_with_uuid"
+  description = "testing, testing"
+}
+
+resource "okta_user" "test1" {
+  first_name = "TestAcc1"
+  last_name  = "Smith"
+  login      = "[email protected]"
+  email      = "[email protected]"
+
+  lifecycle {
+    ignore_changes = [group_memberships]
+  }
+}
+
+resource "okta_user" "test2" {
+  first_name = "TestAcc2"
+  last_name  = "Brando"
+  login      = "[email protected]"
+  email      = "[email protected]"
+
+  lifecycle {
+    ignore_changes = [group_memberships]
+  }
+}
+
+resource "okta_user" "test3" {
+  first_name = "TestAcc3"
+  last_name  = "Python"
+  login      = "[email protected]"
+  email      = "[email protected]"
+
+  lifecycle {
+    ignore_changes = [group_memberships]
+  }
+}
+
+resource "okta_user" "test4" {
+  first_name = "TestAcc4"
+  last_name  = "Jenkins"
+  login      = "[email protected]"
+  email      = "[email protected]"
+
+  lifecycle {
+    ignore_changes = [group_memberships]
+  }
+}
+
+
+resource "okta_group_memberships" "test" {
+  group_id = okta_group.test.id
+  users = [
+    okta_user.test1.id,
+    okta_user.test2.id,
+  ]
+}
diff --git a/examples/okta_group_memberships/basic_removal.tf b/examples/okta_group_memberships/basic_removal.tf
@@ -0,0 +1,56 @@
+resource "okta_group" "test" {
+  name        = "testAcc_replace_with_uuid"
+  description = "testing, testing"
+}
+
+resource "okta_user" "test1" {
+  first_name = "TestAcc1"
+  last_name  = "Smith"
+  login      = "[email protected]"
+  email      = "[email protected]"
+
+  lifecycle {
+    ignore_changes = [group_memberships]
+  }
+}
+
+resource "okta_user" "test2" {
+  first_name = "TestAcc2"
+  last_name  = "Brando"
+  login      = "[email protected]"
+  email      = "[email protected]"
+
+  lifecycle {
+    ignore_changes = [group_memberships]
+  }
+}
+
+resource "okta_user" "test3" {
+  first_name = "TestAcc3"
+  last_name  = "Python"
+  login      = "[email protected]"
+  email      = "[email protected]"
+
+  lifecycle {
+    ignore_changes = [group_memberships]
+  }
+}
+
+resource "okta_user" "test4" {
+  first_name = "TestAcc4"
+  last_name  = "Jenkins"
+  login      = "[email protected]"
+  email      = "[email protected]"
+
+  lifecycle {
+    ignore_changes = [group_memberships]
+  }
+}
+
+
+resource "okta_group_memberships" "test" {
+  group_id = okta_group.test.id
+  users = [
+    okta_user.test1.id,
+  ]
+}
diff --git a/examples/okta_group_memberships/basic_update.tf b/examples/okta_group_memberships/basic_update.tf
@@ -0,0 +1,58 @@
+resource "okta_group" "test" {
+  name        = "testAcc_replace_with_uuid"
+  description = "testing, testing"
+}
+
+resource "okta_user" "test1" {
+  first_name = "TestAcc1"
+  last_name  = "Smith"
+  login      = "[email protected]"
+  email      = "[email protected]"
+
+  lifecycle {
+    ignore_changes = [group_memberships]
+  }
+}
+
+resource "okta_user" "test2" {
+  first_name = "TestAcc2"
+  last_name  = "Brando"
+  login      = "[email protected]"
+  email      = "[email protected]"
+
+  lifecycle {
+    ignore_changes = [group_memberships]
+  }
+}
+
+resource "okta_user" "test3" {
+  first_name = "TestAcc3"
+  last_name  = "Python"
+  login      = "[email protected]"
+  email      = "[email protected]"
+
+  lifecycle {
+    ignore_changes = [group_memberships]
+  }
+}
+
+resource "okta_user" "test4" {
+  first_name = "TestAcc4"
+  last_name  = "Jenkins"
+  login      = "[email protected]"
+  email      = "[email protected]"
+
+  lifecycle {
+    ignore_changes = [group_memberships]
+  }
+}
+
+
+resource "okta_group_memberships" "test" {
+  group_id = okta_group.test.id
+  users = [
+    okta_user.test1.id,
+    okta_user.test3.id,
+    okta_user.test4.id,
+  ]
+}
diff --git a/okta/group.go b/okta/group.go
@@ -2,6 +2,7 @@ package okta
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/okta/okta-sdk-golang/v2/okta"
 	"github.com/okta/okta-sdk-golang/v2/okta/query"
@@ -50,3 +51,55 @@ func listGroups(ctx context.Context, client *okta.Client, qp *query.Params) ([]*
 	}
 	return resGroups, nil
 }
+
+// Group Primary Key Operations (Use when # groups < # users in operations)
+func addGroupMembers(ctx context.Context, client *okta.Client, groupId string, users []string) error {
+	for _, user := range users {
+		resp, err := client.Group.AddUserToGroup(ctx, groupId, user)
+		exists, err := doesResourceExist(resp, err)
+		if err != nil {
+			return fmt.Errorf("failed to add user (%s) to group (%s): %v", user, groupId, err)
+		}
+		if !exists {
+			return fmt.Errorf("targeted object does not exist: %s", err)
+		}
+	}
+	return nil
+}
+
+func removeGroupMembers(ctx context.Context, client *okta.Client, groupId string, users []string) error {
+	for _, user := range users {
+		resp, err := client.Group.RemoveUserFromGroup(ctx, groupId, user)
+		err = suppressErrorOn404(resp, err)
+		if err != nil {
+			return fmt.Errorf("failed to remove user (%s) from group (%s): %v", user, groupId, err)
+		}
+	}
+	return nil
+}
+
+// User Primary Key Operations (use when # users < # groups in operations)
+func addUserToGroups(ctx context.Context, client *okta.Client, userId string, groups []string) error {
+	for _, group := range groups {
+		resp, err := client.Group.AddUserToGroup(ctx, group, userId)
+		exists, err := doesResourceExist(resp, err)
+		if err != nil {
+			return fmt.Errorf("failed to add user (%s) to group (%s): %v", userId, group, err)
+		}
+		if !exists {
+			return fmt.Errorf("targeted object does not exist: %s", err)
+		}
+	}
+	return nil
+}
+
+func removeUserFromGroups(ctx context.Context, client *okta.Client, userId string, groups []string) error {
+	for _, group := range groups {
+		resp, err := client.Group.RemoveUserFromGroup(ctx, group, userId)
+		err = suppressErrorOn404(resp, err)
+		if err != nil {
+			return fmt.Errorf("failed to remove user (%s) from group (%s): %v", userId, group, err)
+		}
+	}
+	return nil
+}
diff --git a/okta/provider.go b/okta/provider.go
@@ -52,6 +52,7 @@ const (
 	oktaGroup              = "okta_group"
 	oktaGroups             = "okta_groups"
 	oktaGroupMembership    = "okta_group_membership"
+	oktaGroupMemberships   = "okta_group_memberships"
 	oktaProfileMapping     = "okta_profile_mapping"
 	oktaUser               = "okta_user"
 	policyMfa              = "okta_policy_mfa"
@@ -203,6 +204,7 @@ func Provider() *schema.Provider {
 			networkZone:            resourceNetworkZone(),
 			oktaGroup:              resourceGroup(),
 			oktaGroupMembership:    resourceGroupMembership(),
+			oktaGroupMemberships:   resourceGroupMemberships(),
 			oktaProfileMapping:     resourceOktaProfileMapping(),
 			oktaUser:               resourceUser(),
 			policyMfa:              resourcePolicyMfa(),

diff --git a/okta/resource_okta_group_membership.go b/okta/resource_okta_group_membership.go
@@ -36,6 +36,7 @@ func resourceGroupMembership() *schema.Resource {
 				ForceNew:    true,
 			},
 		},
+		DeprecationMessage: "resource `okta_group_membersip` is now deprecated, please use `okta_group_memberships` or `okta_user_group_memberships` based on applicable needs",
 	}
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -36,6 +36,7 @@ func resourceGroupMembership() *schema.Resource { @@
     				ForceNew:    true,
     			},
     		},
+    		DeprecationMessage: "resource `okta_group_membersip` is now deprecated, please use `okta_group_memberships` or `okta_user_group_memberships` based on applicable needs",
     	}
     }
@@ Expand Down @@