Add support for team member permissions in team resource (v3.1.0)

Nicholas Cecere · Nicholas Cecere · commit 516b3014605b · 2025-05-09T15:13:11.000-04:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.1.0] - 2025-05-09
+
+### Added
+- Support for team member permissions in the `litellm_team` resource
+
 ## [0.3.0] - 2025-04-23
 
 ### Fixed
diff --git a/docs/resources/team.md b/docs/resources/team.md
@@ -10,6 +10,13 @@ resource "litellm_team" "engineering" {
   organization_id = "org_123456"
   models          = ["gpt-4-proxy", "claude-2"]
 
+  team_member_permissions = [
+    "/key/generate",
+    "/key/update",
+    "/key/info",
+    "/key/list"
+  ]
+
   metadata = {
     department = "Engineering"
     project    = "AI Research"
@@ -49,6 +56,8 @@ The following arguments are supported:
   * `monthly`
   * `yearly`
 
+* `team_member_permissions` - (Optional) List of permissions granted to team members. Available permissions can be retrieved from the API endpoint `/team/permissions_list`.
+
 ## Attribute Reference
 
 In addition to the arguments above, the following attributes are exported:
diff --git a/litellm/resource_team.go b/litellm/resource_team.go
@@ -12,10 +12,12 @@ import (
 )
 
 const (
-	endpointTeamNew    = "/team/new"
-	endpointTeamInfo   = "/team/info"
-	endpointTeamUpdate = "/team/update"
-	endpointTeamDelete = "/team/delete"
+	endpointTeamNew               = "/team/new"
+	endpointTeamInfo              = "/team/info"
+	endpointTeamUpdate            = "/team/update"
+	endpointTeamDelete            = "/team/delete"
+	endpointTeamPermissionsList   = "/team/permissions_list"
+	endpointTeamPermissionsUpdate = "/team/permissions_update"
 )
 
 func ResourceLiteLLMTeam() *schema.Resource {
@@ -64,6 +66,12 @@ func ResourceLiteLLMTeam() *schema.Resource {
 				Type:     schema.TypeBool,
 				Optional: true,
 			},
+			"team_member_permissions": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Elem:        &schema.Schema{Type: schema.TypeString},
+				Description: "List of permissions granted to team members",
+			},
 		},
 	}
 }
@@ -139,6 +147,13 @@ func resourceLiteLLMTeamRead(d *schema.ResourceData, m interface{}) error {
 
 	d.Set("blocked", GetBoolValue(teamResp.Blocked, d.Get("blocked").(bool)))
 
+	// Handle team_member_permissions separately as it's a list
+	if teamResp.TeamMemberPermissions != nil {
+		d.Set("team_member_permissions", teamResp.TeamMemberPermissions)
+	} else {
+		d.Set("team_member_permissions", d.Get("team_member_permissions"))
+	}
+
 	log.Printf("[INFO] Successfully read team with ID: %s", d.Id())
 	return nil
 }
@@ -193,7 +208,7 @@ func buildTeamData(d *schema.ResourceData, teamID string) map[string]interface{}
 		"team_alias": d.Get("team_alias").(string),
 	}
 
-	for _, key := range []string{"organization_id", "metadata", "tpm_limit", "rpm_limit", "max_budget", "budget_duration", "models", "blocked"} {
+	for _, key := range []string{"organization_id", "metadata", "tpm_limit", "rpm_limit", "max_budget", "budget_duration", "models", "blocked", "team_member_permissions"} {
 		if v, ok := d.GetOk(key); ok {
 			teamData[key] = v
 		}
@@ -209,3 +224,56 @@ func handleResponse(resp *http.Response, action string) error {
 	}
 	return nil
 }
+
+// TeamPermissionsResponse represents a response from the API containing team permissions information.
+type TeamPermissionsResponse struct {
+	TeamID                  string   `json:"team_id"`
+	TeamMemberPermissions   []string `json:"team_member_permissions"`
+	AllAvailablePermissions []string `json:"all_available_permissions"`
+}
+
+// getTeamPermissions retrieves the current permissions and available permissions for a team.
+func getTeamPermissions(client *Client, teamID string) (*TeamPermissionsResponse, error) {
+	log.Printf("[INFO] Getting permissions for team with ID: %s", teamID)
+
+	resp, err := MakeRequest(client, "GET", fmt.Sprintf("%s?team_id=%s", endpointTeamPermissionsList, teamID), nil)
+	if err != nil {
+		return nil, fmt.Errorf("error getting team permissions: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := ioutil.ReadAll(resp.Body)
+		return nil, fmt.Errorf("error getting team permissions: %s - %s", resp.Status, string(body))
+	}
+
+	var permResp TeamPermissionsResponse
+	if err := json.NewDecoder(resp.Body).Decode(&permResp); err != nil {
+		return nil, fmt.Errorf("error decoding team permissions response: %w", err)
+	}
+
+	return &permResp, nil
+}
+
+// updateTeamPermissions updates the permissions for a team.
+func updateTeamPermissions(client *Client, teamID string, permissions []string) error {
+	log.Printf("[INFO] Updating permissions for team with ID: %s", teamID)
+
+	permData := map[string]interface{}{
+		"team_id":                 teamID,
+		"team_member_permissions": permissions,
+	}
+
+	resp, err := MakeRequest(client, "POST", endpointTeamPermissionsUpdate, permData)
+	if err != nil {
+		return fmt.Errorf("error updating team permissions: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if err := handleResponse(resp, "updating team permissions"); err != nil {
+		return err
+	}
+
+	log.Printf("[INFO] Successfully updated permissions for team with ID: %s", teamID)
+	return nil
+}
diff --git a/litellm/types.go b/litellm/types.go
@@ -31,16 +31,17 @@ type ModelRequest struct {
 
 // TeamResponse represents a response from the API containing team information.
 type TeamResponse struct {
-	TeamID         string                 `json:"team_id,omitempty"`
-	TeamAlias      string                 `json:"team_alias,omitempty"`
-	OrganizationID string                 `json:"organization_id,omitempty"`
-	Metadata       map[string]interface{} `json:"metadata,omitempty"`
-	TPMLimit       int                    `json:"tpm_limit,omitempty"`
-	RPMLimit       int                    `json:"rpm_limit,omitempty"`
-	MaxBudget      float64                `json:"max_budget,omitempty"`
-	BudgetDuration string                 `json:"budget_duration,omitempty"`
-	Models         []string               `json:"models"`
-	Blocked        bool                   `json:"blocked,omitempty"`
+	TeamID                string                 `json:"team_id,omitempty"`
+	TeamAlias             string                 `json:"team_alias,omitempty"`
+	OrganizationID        string                 `json:"organization_id,omitempty"`
+	Metadata              map[string]interface{} `json:"metadata,omitempty"`
+	TPMLimit              int                    `json:"tpm_limit,omitempty"`
+	RPMLimit              int                    `json:"rpm_limit,omitempty"`
+	MaxBudget             float64                `json:"max_budget,omitempty"`
+	BudgetDuration        string                 `json:"budget_duration,omitempty"`
+	Models                []string               `json:"models"`
+	Blocked               bool                   `json:"blocked,omitempty"`
+	TeamMemberPermissions []string               `json:"team_member_permissions,omitempty"`
 }
 
 // LiteLLMParams represents the parameters for LiteLLM.
