feat: add Enterprise SCIM data sources (groups and users)

Add four new data sources for querying SCIM provisioning information
in GitHub Enterprise:

- github_enterprise_scim_group: Lookup single SCIM group by ID
- github_enterprise_scim_groups: List all SCIM groups with filtering
- github_enterprise_scim_user: Lookup single SCIM user by ID
- github_enterprise_scim_users: List all SCIM users with filtering

Features:
- Automatic pagination for list endpoints
- SCIM filter support (server-side filtering)
- Full attribute exposure: schemas, meta, members, emails, roles
- Proper error handling with diag.Errorf

Testing:
- Acceptance tests with t.Run() sub-tests pattern
- Inline configs and checks following project conventions
- Uses testAccConf.enterpriseSlug and skipUnlessEnterprise(t)

Documentation:
- Complete docs with examples and filter usage notes
- Attribute reference for all fields

Author: github-actions[bot]

github/data_source_github_enterprise_scim_group.go

@@ -0,0 +1,104 @@
+package github
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func dataSourceGithubEnterpriseSCIMGroup() *schema.Resource {
+	return &schema.Resource{
+		Description: "Lookup SCIM provisioning information for a single GitHub enterprise group.",
+		ReadContext: dataSourceGithubEnterpriseSCIMGroupRead,
+
+		Schema: map[string]*schema.Schema{
+			"enterprise": {
+				Description: "The enterprise slug.",
+				Type:        schema.TypeString,
+				Required:    true,
+			},
+			"scim_group_id": {
+				Description: "The SCIM group ID.",
+				Type:        schema.TypeString,
+				Required:    true,
+			},
+
+			"schemas": {
+				Type:        schema.TypeList,
+				Computed:    true,
+				Description: "SCIM schemas for this group.",
+				Elem:        &schema.Schema{Type: schema.TypeString},
+			},
+			"id": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "The SCIM group ID.",
+			},
+			"external_id": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "The external ID for the group.",
+			},
+			"display_name": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "The SCIM group displayName.",
+			},
+			"members": {
+				Type:        schema.TypeList,
+				Computed:    true,
+				Description: "Group members.",
+				Elem:        &schema.Resource{Schema: enterpriseSCIMGroupMemberSchema()},
+			},
+			"meta": {
+				Type:        schema.TypeList,
+				Computed:    true,
+				Description: "Resource metadata.",
+				Elem:        &schema.Resource{Schema: enterpriseSCIMMetaSchema()},
+			},
+		},
+	}
+}
+
+func dataSourceGithubEnterpriseSCIMGroupRead(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	client := meta.(*Owner).v3client
+
+	enterprise := d.Get("enterprise").(string)
+	scimGroupID := d.Get("scim_group_id").(string)
+
+	group, _, err := client.Enterprise.GetProvisionedSCIMGroup(ctx, enterprise, scimGroupID, nil)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId(fmt.Sprintf("%s/%s", enterprise, scimGroupID))
+
+	if err := d.Set("schemas", group.Schemas); err != nil {
+		return diag.Errorf("error setting schemas: %s", err)
+	}
+	if group.ID != nil {
+		if err := d.Set("id", *group.ID); err != nil {
+			return diag.Errorf("error setting id: %s", err)
+		}
+	}
+	if group.ExternalID != nil {
+		if err := d.Set("external_id", *group.ExternalID); err != nil {
+			return diag.Errorf("error setting external_id: %s", err)
+		}
+	}
+	if group.DisplayName != nil {
+		if err := d.Set("display_name", *group.DisplayName); err != nil {
+			return diag.Errorf("error setting display_name: %s", err)
+		}
+	}
+	if err := d.Set("members", flattenEnterpriseSCIMGroupMembers(group.Members)); err != nil {
+		return diag.Errorf("error setting members: %s", err)
+	}
+	if err := d.Set("meta", flattenEnterpriseSCIMMeta(group.Meta)); err != nil {
+		return diag.Errorf("error setting meta: %s", err)
+	}
+
+	return nil
+}

github/data_source_github_enterprise_scim_group_test.go

@@ -0,0 +1,34 @@
+package github
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAccGithubEnterpriseSCIMGroupDataSource(t *testing.T) {
+	t.Run("reads group without error", func(t *testing.T) {
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnlessEnterprise(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{{
+				Config: fmt.Sprintf(`
+					data "github_enterprise_scim_groups" "all" {
+						enterprise = "%s"
+					}
+
+					data "github_enterprise_scim_group" "test" {
+						enterprise    = "%[1]s"
+						scim_group_id = data.github_enterprise_scim_groups.all.resources[0].id
+					}
+				`, testAccConf.enterpriseSlug),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet("data.github_enterprise_scim_group.test", "id"),
+					resource.TestCheckResourceAttrSet("data.github_enterprise_scim_group.test", "display_name"),
+					resource.TestCheckResourceAttrSet("data.github_enterprise_scim_group.test", "schemas.#"),
+				),
+			}},
+		})
+	})
+}

github/data_source_github_enterprise_scim_groups.go

@@ -0,0 +1,208 @@
+package github
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+)
+
+func dataSourceGithubEnterpriseSCIMGroups() *schema.Resource {
+	return &schema.Resource{
+		Description: "Lookup SCIM groups provisioned for a GitHub enterprise.",
+		ReadContext: dataSourceGithubEnterpriseSCIMGroupsRead,
+
+		Schema: map[string]*schema.Schema{
+			"enterprise": {
+				Description: "The enterprise slug.",
+				Type:        schema.TypeString,
+				Required:    true,
+			},
+			"filter": {
+				Description: "Optional SCIM filter. See GitHub SCIM enterprise docs for supported filters.",
+				Type:        schema.TypeString,
+				Optional:    true,
+			},
+			"results_per_page": {
+				Description:  "Number of results per request (mapped to SCIM 'count'). Used while auto-fetching all pages.",
+				Type:         schema.TypeInt,
+				Optional:     true,
+				Default:      100,
+				ValidateFunc: validation.IntBetween(1, 100),
+			},
+
+			"schemas": {
+				Description: "SCIM response schemas.",
+				Type:        schema.TypeList,
+				Computed:    true,
+				Elem:        &schema.Schema{Type: schema.TypeString},
+			},
+			"total_results": {
+				Description: "The total number of results returned by the SCIM endpoint.",
+				Type:        schema.TypeInt,
+				Computed:    true,
+			},
+			"start_index": {
+				Description: "The startIndex from the first SCIM page.",
+				Type:        schema.TypeInt,
+				Computed:    true,
+			},
+			"items_per_page": {
+				Description: "The itemsPerPage from the first SCIM page.",
+				Type:        schema.TypeInt,
+				Computed:    true,
+			},
+			"resources": {
+				Description: "All SCIM groups.",
+				Type:        schema.TypeList,
+				Computed:    true,
+				Elem: &schema.Resource{
+					Schema: enterpriseSCIMGroupSchema(),
+				},
+			},
+		},
+	}
+}
+
+func dataSourceGithubEnterpriseSCIMGroupsRead(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	client := meta.(*Owner).v3client
+
+	enterprise := d.Get("enterprise").(string)
+	filter := d.Get("filter").(string)
+	count := d.Get("results_per_page").(int)
+
+	groups, first, err := enterpriseSCIMListAllGroups(ctx, client, enterprise, filter, count)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	flat := make([]any, 0, len(groups))
+	for _, g := range groups {
+		flat = append(flat, flattenEnterpriseSCIMGroup(g))
+	}
+
+	id := fmt.Sprintf("%s/scim-groups", enterprise)
+	if filter != "" {
+		id = fmt.Sprintf("%s?filter=%s", id, url.QueryEscape(filter))
+	}
+
+	d.SetId(id)
+
+	if err := d.Set("schemas", first.Schemas); err != nil {
+		return diag.Errorf("error setting schemas: %s", err)
+	}
+	if first.TotalResults != nil {
+		if err := d.Set("total_results", *first.TotalResults); err != nil {
+			return diag.Errorf("error setting total_results: %s", err)
+		}
+	}
+	if first.StartIndex != nil && *first.StartIndex > 0 {
+		if err := d.Set("start_index", *first.StartIndex); err != nil {
+			return diag.Errorf("error setting start_index: %s", err)
+		}
+	} else {
+		if err := d.Set("start_index", 1); err != nil {
+			return diag.Errorf("error setting start_index: %s", err)
+		}
+	}
+	if first.ItemsPerPage != nil && *first.ItemsPerPage > 0 {
+		if err := d.Set("items_per_page", *first.ItemsPerPage); err != nil {
+			return diag.Errorf("error setting items_per_page: %s", err)
+		}
+	} else {
+		if err := d.Set("items_per_page", count); err != nil {
+			return diag.Errorf("error setting items_per_page: %s", err)
+		}
+	}
+	if err := d.Set("resources", flat); err != nil {
+		return diag.Errorf("error setting resources: %s", err)
+	}
+
+	return nil
+}
+
+func enterpriseSCIMMetaSchema() map[string]*schema.Schema {
+	return map[string]*schema.Schema{
+		"resource_type": {
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "The SCIM resource type.",
+		},
+		"created": {
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "The creation timestamp.",
+		},
+		"last_modified": {
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "The lastModified timestamp.",
+		},
+		"location": {
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "The resource location.",
+		},
+	}
+}
+
+func enterpriseSCIMGroupSchema() map[string]*schema.Schema {
+	return map[string]*schema.Schema{
+		"schemas": {
+			Type:        schema.TypeList,
+			Computed:    true,
+			Description: "SCIM schemas for this group.",
+			Elem:        &schema.Schema{Type: schema.TypeString},
+		},
+		"id": {
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "The SCIM group ID.",
+		},
+		"external_id": {
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "The external ID for the group.",
+		},
+		"display_name": {
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "The SCIM group displayName.",
+		},
+		"members": {
+			Type:        schema.TypeList,
+			Computed:    true,
+			Description: "Group members.",
+			Elem:        &schema.Resource{Schema: enterpriseSCIMGroupMemberSchema()},
+		},
+		"meta": {
+			Type:        schema.TypeList,
+			Computed:    true,
+			Description: "Resource metadata.",
+			Elem:        &schema.Resource{Schema: enterpriseSCIMMetaSchema()},
+		},
+	}
+}
+
+func enterpriseSCIMGroupMemberSchema() map[string]*schema.Schema {
+	return map[string]*schema.Schema{
+		"value": {
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "Member identifier.",
+		},
+		"ref": {
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "Member reference URL.",
+		},
+		"display_name": {
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "Member display name.",
+		},
+	}
+}

github/data_source_github_enterprise_scim_groups_test.go

@@ -0,0 +1,30 @@
+package github
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAccGithubEnterpriseSCIMGroupsDataSource(t *testing.T) {
+	t.Run("lists groups without error", func(t *testing.T) {
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnlessEnterprise(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{{
+				Config: fmt.Sprintf(`
+					data "github_enterprise_scim_groups" "test" {
+						enterprise = "%s"
+					}
+				`, testAccConf.enterpriseSlug),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet("data.github_enterprise_scim_groups.test", "id"),
+					resource.TestCheckResourceAttrSet("data.github_enterprise_scim_groups.test", "total_results"),
+					resource.TestCheckResourceAttrSet("data.github_enterprise_scim_groups.test", "schemas.#"),
+					resource.TestCheckResourceAttrSet("data.github_enterprise_scim_groups.test", "resources.#"),
+				),
+			}},
+		})
+	})
+}