Refactor branch protection and repository file configurations for improved clarity and resource management
Dave Arnold committed Feb 19, 2025
1 parent a0ae631 commit 3587ae5
Showing 4 changed files with 451 additions and 105 deletions.
83 changes: 44 additions & 39 deletions branch_protection.tf
@@ -1,56 +1,61 @@
locals {
branch_protection_rules = {
main = {
pattern = var.github_default_branch
enforce_admins = var.github_enforce_admins_branch_protection
allows_deletions = false
require_signed_commits = var.require_signed_commits
required_linear_history = true
required_status_checks = var.required_status_checks
required_pull_request_reviews = {
dismiss_stale_reviews = var.github_dismiss_stale_reviews
require_code_owner_reviews = var.github_require_code_owner_reviews
required_approving_review_count = var.github_required_approving_review_count
pull_request_bypassers = var.pull_request_bypassers
branch_protection_rules = merge(
var.enforce_prs == true ? {
main = {
pattern = var.github_default_branch
enforce_admins = var.github_enforce_admins_branch_protection
allows_deletions = false
require_signed_commits = var.require_signed_commits
required_linear_history = true
required_status_checks = var.required_status_checks
required_pull_request_reviews = {
dismiss_stale_reviews = var.github_dismiss_stale_reviews
require_code_owner_reviews = var.github_require_code_owner_reviews
required_approving_review_count = var.github_required_approving_review_count
pull_request_bypassers = var.pull_request_bypassers
}
}
}
}
} : {}
)
}

locals {
archived_repo = var.create_repo ? github_repository.repo[0].archived : data.github_repository.existing[0].archived
}
# https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection
resource "github_branch_protection" "protection" {
for_each = local.branch_protection_rules
for_each = {
for k, v in local.branch_protection_rules : k => v
if var.enforce_prs && !local.archived_repo
}

repository_id = local.github_repo.id
pattern = each.value.pattern
enforce_admins = each.value.enforce_admins
allows_deletions = try(each.value.allows_deletions, false)
allows_force_pushes = try(each.value.allows_force_pushes, false)
require_signed_commits = try(each.value.require_signed_commits, false)
required_linear_history = try(each.value.required_linear_history, false)
repository_id = var.create_repo ? github_repository.repo[0].node_id : data.github_repository.existing[0].node_id
pattern = each.key

dynamic "required_status_checks" {
for_each = each.value.required_status_checks != null ? [each.value.required_status_checks] : []
content {
strict = try(required_status_checks.value.strict, true)
contexts = required_status_checks.value.contexts
}
enforce_admins = var.github_enforce_admins_branch_protection
required_linear_history = true
allows_force_pushes = false
allows_deletions = false
require_signed_commits = var.require_signed_commits

required_pull_request_reviews {
required_approving_review_count = var.github_required_approving_review_count
dismiss_stale_reviews = var.github_dismiss_stale_reviews
require_code_owner_reviews = var.github_require_code_owner_reviews
require_last_push_approval = false
}

dynamic "required_pull_request_reviews" {
for_each = each.value.required_pull_request_reviews != null ? [each.value.required_pull_request_reviews] : []
dynamic "required_status_checks" {
for_each = var.required_status_checks != null ? ["true"] : []
content {
dismiss_stale_reviews = try(required_pull_request_reviews.value.dismiss_stale_reviews, true)
restrict_dismissals = try(required_pull_request_reviews.value.restrict_dismissals, false)
require_code_owner_reviews = try(required_pull_request_reviews.value.require_code_owner_reviews, true)
required_approving_review_count = try(required_pull_request_reviews.value.required_approving_review_count, 1)
pull_request_bypassers = try(required_pull_request_reviews.value.pull_request_bypassers, [])
strict = try(var.required_status_checks.strict, true)
contexts = var.required_status_checks.contexts
}
}

depends_on = [
github_repository.repo,
github_repository_file.codeowners,
github_repository_file.extra_files,
github_repository_file.managed_extra_files
github_branch.branch,
github_branch_default.default_main_branch
]
}
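Review bot: The `pattern = each.key` argument protects the literal map key `main` instead of `each.value.pattern` (which carries `var.github_default_branch`), so the `pattern` field in `local.branch_protection_rules` is dead and a repository whose default branch is not named `main` ends up with a rule that matches nothing; the same applies to `pull_request_bypassers`, which the map sets but the `required_pull_request_reviews` block never reads. The rewritten resource also relaxes settings the deleted `github_branch_protection.main` in github_branch.tf enforced: `require_last_push_approval` is now `false`, `restrict_dismissals = true` and `require_conversation_resolution = true` are gone, and the new `for_each` filter no longer applies protection to private repositories when `var.enforce_prs` is false as the old `count` expression did. If the relaxation is unintended, change `pattern = each.value.pattern`, set `require_last_push_approval = true`, and add `restrict_dismissals = true` back into the reviews block; if it is intended, the commit message should say so since it weakens review enforcement on the default branch.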
49 changes: 1 addition & 48 deletions github_branch.tf
Expand Up @@ -32,51 +32,4 @@ data "github_user" "pull_request_bypassers" {

locals {
pull_request_bypassers = [for user in data.github_user.pull_request_bypassers : user.node_id]
}

# https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection
resource "github_branch_protection" "main" {
count = (var.enforce_prs && !var.github_is_private) || var.github_is_private ? 1 : 0

repository_id = local.github_repo.id
pattern = var.github_default_branch
enforce_admins = var.github_enforce_admins_branch_protection
allows_deletions = false
allows_force_pushes = false
require_signed_commits = true
required_linear_history = true
require_conversation_resolution = true
lock_branch = false

dynamic "required_status_checks" {
for_each = var.required_status_checks != null ? ["true"] : []
content {
strict = try(var.required_status_checks.strict, false)
contexts = try(var.required_status_checks.contexts, [])
}
}

dynamic "required_pull_request_reviews" {
for_each = var.enforce_prs ? ["true"] : []
content {
dismiss_stale_reviews = var.github_dismiss_stale_reviews
restrict_dismissals = true
require_code_owner_reviews = var.github_require_code_owner_reviews
required_approving_review_count = var.github_required_approving_review_count
require_last_push_approval = true
}
}

lifecycle {
ignore_changes = [
required_status_checks[0].contexts
]
}

depends_on = [
github_branch_default.default_main_branch,
github_repository_file.extra_files,
github_repository_file.codeowners,
github_repository_file.managed_extra_files
]
}
}
32 changes: 16 additions & 16 deletions github_files.tf
Expand Up @@ -24,27 +24,27 @@ resource "github_repository_file" "codeowners" {
}
}

data "github_repository" "template_repo" {
count = var.template_repo == null ? 0 : 1
full_name = "${var.template_repo_org}/${var.template_repo}"
}
# data "github_repository" "template_repo" {
# count = var.template_repo == null && var.template_repo_org == var.repo_org ? 0 : 1
# full_name = "${var.template_repo_org == null ? "" : var.template_repo_org}/${var.template_repo == null ? "" : var.template_repo}"
# }

data "github_ref" "ref" {
count = var.template_repo == null ? 0 : 1
owner = var.template_repo_org
repository = var.template_repo
ref = "heads/${element(data.github_repository.template_repo, 0).default_branch}"
}
# data "github_ref" "ref" {
# count = var.template_repo == null && var.template_repo_org == var.repo_org ? 0 : 1
# owner = var.template_repo_org
# repository = var.template_repo
# ref = "heads/${element(data.github_repository.template_repo, 0).default_branch}"
# }

locals {
extra_files = concat(
var.extra_files,
var.template_repo == null ? [] : [
{
path = ".TEMPLATE_SHA",
content = data.github_ref.ref[0].sha
}
]
# var.template_repo == null && var.template_repo_org == var.repo_org ? [] : [
# {
# path = ".TEMPLATE_SHA",
# content = data.github_ref.ref[0].sha
# }
# ]
)
repository_name = var.create_repo ? local.github_repo.name : var.name
}
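Review bot: The template data sources and the `.TEMPLATE_SHA` entry are commented out rather than removed, which leaves roughly twenty lines of dead code behind; git history already preserves them, so deleting them outright and collapsing the remaining single-argument `concat(` to `extra_files = var.extra_files` would be cleaner. The condition kept in the comments, `var.template_repo == null && var.template_repo_org == var.repo_org ? 0 : 1`, also looks inverted for its purpose, since it yields 1 (create the lookup) when `template_repo` is null but the orgs differ; if this is meant to come back it presumably needs `||` rather than `&&`. Disabling `.TEMPLATE_SHA` means newly created repositories no longer record which template commit they were generated from, so if that provenance pin is expected to return, leave a marker such as `# TODO(template): .TEMPLATE_SHA provenance pinning disabled pending a fix to the template lookup` instead of the bare commented block.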