
GitHub EMU external groups with Terraform

Jul 01, 2022 · 1 min read

GitHub EMU (Enterprise Managed Users) lets an enterprise manage its members through an IdP (identity provider). Azure Active Directory and Okta are the only ones supported at the time of writing.

If you've used the Terraform resource github_emu_group_mapping, you know that it manages the mapping between external (IdP) groups and GitHub teams. There's a gotcha, though: currently there isn't any "official" data source that fetches the group_id attribute of the EMU external groups.

As usual, here's a workaround.


  • GitHub enterprise account
  • Terraform


Use the http data source to get the external group attributes and store them as local values.

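variable "github_org" {
  description = "GitHub organization name."
  type        = string
}

variable "github_token" {
  description = "A GitHub OAuth / Personal Access Token."
  type        = string
  sensitive   = true # keep the token out of plan/apply output
}

## terraform.tfvars
# Keep this file out of version control, or set TF_VAR_github_token instead.
github_org   = "<insert_github_org_id_here>"
github_token = "<insert_github_token_here>"

# REST endpoint: GET /orgs/{org}/external-groups
data "http" "external_groups" {
  url = "https://api.github.com/orgs/${var.github_org}/external-groups"

  request_headers = {
    Accept        = "application/vnd.github.v3+json"
    Authorization = "Bearer ${var.github_token}"
  }
}

locals {
  # List of objects, each carrying group_id, group_name and updated_at.
  # hashicorp/http 3.x deprecates `body` in favour of `response_body`.
  external_groups = jsondecode(data.http.external_groups.body)["groups"]
}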
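As an added example (not code from the original post or the provider's documentation), this is one way to feed the decoded groups into github_emu_group_mapping by looking up each group_id by group name. The variable name team_to_idp_group, the team slugs and the IdP group names are constructed placeholders; the precondition block assumes Terraform 1.2 or later.

```hcl
# Added example. Relies on local.external_groups from the locals block above
# and on a configured GitHub provider for the same organization.

variable "team_to_idp_group" {
  description = "Map of GitHub team slug => external (IdP) group name."
  type        = map(string)

  # Constructed sample values; replace with your own teams and groups.
  default = {
    "platform-engineers" = "idp-platform-engineers"
    "security-reviewers" = "idp-security-reviewers"
  }
}

locals {
  # Index the API response by name: { "<group_name>" = <group_id> }.
  # Duplicate group names make this expression fail instead of silently
  # picking one of the ids.
  external_group_ids = {
    for g in local.external_groups : g.group_name => g.group_id
  }
}

resource "github_emu_group_mapping" "this" {
  for_each = var.team_to_idp_group

  team_slug = each.key
  group_id  = local.external_group_ids[each.value]

  lifecycle {
    # Fail the plan with a readable message when the IdP group was not
    # returned by the API, rather than mapping the team to a wrong group.
    precondition {
      condition     = contains(keys(local.external_group_ids), each.value)
      error_message = "External group '${each.value}' was not returned by the external-groups API."
    }
  }
}
```

The endpoint is paginated, so with a single request local.external_groups holds only the first page of groups; the precondition turns a group that is missing from that page into a plan-time error.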

You could also track the issue as it was originally posted (including the solution) here.

