From 271f20fc5ee7db33276ae14c833c9ba2e6a7cada Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 19 Mar 2026 17:07:45 -0400 Subject: [PATCH] update workflow for PRs and file handling --- branch_protection.tf | 6 +++--- github_branch.tf | 19 +++++++++++++++---- github_deploy_keys.tf | 6 +++--- github_files.tf | 15 +++++++++------ github_pull_request.tf | 16 ++++++++++++++++ github_repo.tf | 2 +- versions.tf | 2 +- 7 files changed, 48 insertions(+), 18 deletions(-) create mode 100644 github_pull_request.tf diff --git a/branch_protection.tf b/branch_protection.tf index 44de797..163f331 100644 --- a/branch_protection.tf +++ b/branch_protection.tf @@ -21,9 +21,9 @@ locals { # https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection resource "github_branch_protection" "protection" { - for_each = (var.create_repo || length(data.github_repository.existing) > 0) ? { - for k, v in local.branch_protection_rules : k => v if var.enforce_prs && (! var.github_is_private || var.github_pro_enabled) - } : {} + for_each = { + for k, v in local.branch_protection_rules : k => v if var.enforce_prs && (!var.github_is_private || var.github_pro_enabled) + } repository_id = var.create_repo ? github_repository.repo[0].node_id : data.github_repository.existing[0].node_id pattern = each.key diff --git a/github_branch.tf b/github_branch.tf index 26f833c..57ccf01 100644 --- a/github_branch.tf +++ b/github_branch.tf @@ -5,8 +5,8 @@ # Create non-main default branch if specified resource "github_branch" "branch" { - count = var.github_default_branch != "main" && local.github_repo != null ? 1 : 0 - repository = local.github_repo.name + count = var.github_default_branch != "main" ? 1 : 0 + repository = local.repository_name branch = var.github_default_branch depends_on = [ github_repository.repo, 
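Review bot: With the repository-existence guard removed, the only thing that can empty this `for_each` is `var.enforce_prs && (!var.github_is_private || var.github_pro_enabled)`, so a private repository without GitHub Pro silently gets no branch protection even when `enforce_prs` is true — the caller asked for PR enforcement and the module quietly does nothing. I would make that loud rather than silent: a `lifecycle` precondition on this resource that fails when `enforce_prs` is set but the private/non-Pro combination disables it, or at minimum a comment above the line such as `# NOTE: protection is skipped, not errored, for private repos without GitHub Pro`. The unchanged `repository_id` line now reaches `data.github_repository.existing[0]` whenever `create_repo` is false, which is only safe if that data source's count is exactly one in that case; its definition is outside this diff, so worth confirming. The resource body continues past the end of the hunk.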
@@ -16,14 +16,25 @@ resource "github_branch" "branch" { # Set the default branch resource "github_branch_default" "default_main_branch" { - count = var.github_default_branch != "main" && local.github_repo != null ? 1 : 0 - repository = local.github_repo.name + count = var.github_default_branch != "main" ? 1 : 0 + repository = local.repository_name branch = var.github_default_branch depends_on = [ github_branch.branch ] } +# For new repos: create files_branch inside the module after repo exists. +# For existing repos: files_branch is created externally (in terraform-eks-deployment) before the module runs. +resource "github_branch" "files_branch" { + count = var.files_branch != null && var.create_repo ? 1 : 0 + repository = local.repo_name + branch = var.files_branch + source_branch = var.github_default_branch + + depends_on = [github_repository.repo] +} + data "github_user" "pull_request_bypassers" { for_each = toset(var.pull_request_bypassers) username = each.value diff --git a/github_deploy_keys.tf b/github_deploy_keys.tf index 39768e4..ebe2c99 100644 --- a/github_deploy_keys.tf +++ b/github_deploy_keys.tf @@ -11,12 +11,12 @@ resource "tls_private_key" "deploy_key" { // Create GitHub deploy keys for all entries resource "github_repository_deploy_key" "deploy_key" { - for_each = local.github_repo != null ? { + for_each = { for k, v in var.deploy_keys : k => v - } : {} + } title = each.value.title - repository = local.github_repo.name + repository = local.repository_name key = each.value.create ? tls_private_key.deploy_key[each.key].public_key_openssh : each.value.key read_only = each.value.read_only diff --git a/github_files.tf b/github_files.tf index ff7ecd7..1eed66d 100644 --- a/github_files.tf +++ b/github_files.tf 
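Review bot: `github_branch.files_branch` branches from `var.github_default_branch` but only declares `depends_on = [github_repository.repo]`; when `create_repo` is true and the default branch is not "main", that source branch is itself created by `github_branch.branch` earlier in this file, so `files_branch` can be applied before its source exists. Add the dependency: `depends_on = [github_repository.repo, github_branch.branch]`. The new resource also uses `local.repo_name` while every other resource touched by this commit moved to `local.repository_name`; because `count` already requires `create_repo` the two resolve to the same value per the locals in github_files.tf, but picking one name keeps that coincidence from becoming a bug later. For existing repositories the comment defers branch creation to terraform-eks-deployment, which this module cannot check, so a `validation` on `var.files_branch` or a sentence in its description stating that contract would help the next caller.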
@@ -4,13 +4,13 @@ data "github_user" "current" { } locals { - # Process files only if commit signing is not required or if explicitly allowed - should_manage_files = ! try(local.github_repo.require_signed_commits, false) || var.allow_unsigned_files + # Process files only if commit signing is not required on this module, or if explicitly allowed + should_manage_files = !var.require_signed_commits || var.allow_unsigned_files } # https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file resource "github_repository_file" "codeowners" { - count = var.create_codeowners && local.should_manage_files && local.github_repo != null ? 1 : 0 + count = var.create_codeowners && local.should_manage_files ? 1 : 0 repository = local.repository_name branch = var.github_default_branch @@ -23,6 +23,7 @@ resource "github_repository_file" "codeowners" { depends_on = [ github_repository.repo, data.github_repository.existing, + github_branch.files_branch, ] lifecycle { ignore_changes = [ @@ -58,11 +59,11 @@ locals { } ] : [] ) - repository_name = coalesce(try(local.github_repo.name, null), var.name) + repository_name = var.create_repo ? local.repo_name : var.name } resource "github_repository_file" "extra_files" { - for_each = local.should_manage_files && local.github_repo != null ? tomap({ for file in local.extra_files : file.path => file }) : {} + for_each = local.should_manage_files ? tomap({ for file in local.extra_files : file.path => file }) : {} repository = local.repository_name branch = var.files_branch == null ? var.github_default_branch : var.files_branch @@ -75,6 +76,7 @@ resource "github_repository_file" "extra_files" { depends_on = [ github_repository.repo, data.github_repository.existing, + github_branch.files_branch, ] lifecycle { ignore_changes = [ 
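Review bot: `should_manage_files` now keys off `var.require_signed_commits`, a module input, rather than anything about the live repository, so for an existing repo whose branch protection already requires signed commits while the caller leaves the variable false, the file resources will still push unsigned Terraform commits — which either fail at apply or, with `files_branch` set, land on the side branch and then cannot be merged into the protected branch. The new comment should say that explicitly, e.g. `# Reflects the module input only, not the repository's live protection settings; callers managing an existing repo must keep var.require_signed_commits in sync with it.` Whether `data.github_repository.existing` exposes a signing attribute at all is outside this diff and may be why the `try()` was dropped; if so, stating that in the comment prevents someone from reintroducing it.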
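Review bot: The `github_branch.files_branch` dependency added to `codeowners` is inert: the resource's `branch` (visible as context in the previous hunk) is still `var.github_default_branch`, so CODEOWNERS continues to be committed straight to the default branch instead of flowing through `files_branch` and the PR introduced in github_pull_request.tf. If every module-authored file is meant to go through review, use the same expression as `extra_files`: `branch = var.files_branch == null ? var.github_default_branch : var.files_branch`; if CODEOWNERS is meant to bypass that on purpose, drop the dependency and say so in a comment, since a direct push to a branch covered by `github_branch_protection` will be rejected once protection exists unless the Terraform identity is a bypasser. The `codeowners` resource starts before this hunk.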
@@ -85,7 +87,7 @@ resource "github_repository_file" "extra_files" { } resource "github_repository_file" "managed_extra_files" { - for_each = local.should_manage_files && local.github_repo != null ? tomap({ for file in var.managed_extra_files : file.path => file }) : {} + for_each = local.should_manage_files ? tomap({ for file in var.managed_extra_files : file.path => file }) : {} repository = local.repository_name branch = var.files_branch == null ? var.github_default_branch : var.files_branch @@ -98,6 +100,7 @@ resource "github_repository_file" "managed_extra_files" { depends_on = [ github_repository.repo, data.github_repository.existing, + github_branch.files_branch, ] lifecycle { ignore_changes = [ diff --git a/github_pull_request.tf b/github_pull_request.tf new file mode 100644 index 0000000..90622c8 --- /dev/null +++ b/github_pull_request.tf @@ -0,0 +1,16 @@ +resource "github_repository_pull_request" "files_branch_to_main" { + count = var.files_branch != null ? 1 : 0 + + base_repository = local.repository_name + base_ref = "main" + head_ref = var.files_branch + title = "Sync ${var.files_branch} into main" + body = "Automated pull request generated by Terraform for repository configuration updates." + + depends_on = [ + github_branch.files_branch, + github_repository_file.codeowners, + github_repository_file.extra_files, + github_repository_file.managed_extra_files, + ] +} \ No newline at end of file diff --git a/github_repo.tf b/github_repo.tf index 8243f9b..b654a04 100644 --- a/github_repo.tf +++ b/github_repo.tf @@ -3,7 +3,7 @@ locals { # Safe access to repo and existing resources github_repo = var.create_repo && length(github_repository.repo) > 0 ? github_repository.repo[0] : ( - length(data.github_repository.existing) > 0 ? data.github_repository.existing[0] : null + !var.create_repo ? data.github_repository.existing[0] : null ) validate_merge_options = ( diff --git a/versions.tf b/versions.tf index 5264752..9a33236 100644 --- a/versions.tf 
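Review bot: `base_ref` is hard-coded to "main" while the rest of the module treats `var.github_default_branch` as the integration branch (`github_branch_default` moves the default away from "main" when asked), so for such repositories the PR targets a branch that is not the one the files are meant to land on. Use `base_ref = var.github_default_branch` and build the title from the same variable. `count` also only checks `var.files_branch != null`; when `local.should_manage_files` is false no file resources run, yet the PR is still requested with nothing to merge — gating on `var.files_branch != null && local.should_manage_files` avoids handing the API an empty PR, and whether the provider then recreates the PR on the next apply after a reviewer merges or closes it is worth confirming, since that is not visible here. The file is also missing a trailing newline.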
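Review bot: The rewritten fallback `!var.create_repo ? data.github_repository.existing[0] : null` indexes the data source unconditionally when `create_repo` is false, so the `: null` arm is now reachable only when `create_repo` is true and `github_repository.repo` is empty; if that resource's count is driven by `create_repo` (its definition is outside this diff) the local can never be null and the "Safe access" comment overstates what it guards. Either simplify to `github_repo = var.create_repo ? github_repository.repo[0] : data.github_repository.existing[0]` or reword the comment to describe the real guard. Every consumer shown in this commit switched to `local.repository_name`, so check whether `local.github_repo` still has a reader — `validate_merge_options` continues past the hunk and may be one. The `locals` block starts before and ends after this hunk.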
+++ b/versions.tf
@@ -1,7 +1,7 @@
 terraform {
 required_providers {
 github = {
- source = "integrations/github"
+ source = "integrations/github"
 version = "~> 6.11"
 }
 }