Refactor branch protection and file management to use configurable va…

…riables for commit signing and author details
CSVD · Feb 19, 2025 · 5cf01a8 · 5cf01a8
1 parent b485dc4
commit 5cf01a8
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 16 deletions.
diff --git a/branch_protection.tf b/branch_protection.tf
@@ -4,7 +4,7 @@ locals {
       pattern                 = var.github_default_branch
       enforce_admins          = var.github_enforce_admins_branch_protection
       allows_deletions        = false
-      require_signed_commits  = true
+      require_signed_commits  = var.require_signed_commits
       required_linear_history = true
       required_status_checks  = var.required_status_checks
       required_pull_request_reviews = {

diff --git a/github_files.tf b/github_files.tf
@@ -1,14 +1,23 @@
+locals {
+  repo_exists = var.create_repo ? github_repository.repo[0] : data.github_repository.existing[0]
+
+  # Process files only if commit signing is not required or if explicitly allowed
+  should_manage_files = !try(local.repo_exists.require_signed_commits, false) || var.allow_unsigned_files
+}
+
 # https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file
 resource "github_repository_file" "codeowners" {
-  count               = var.create_codeowners ? 1 : 0
-  repository          = local.repository_name
+  count = var.create_codeowners && local.should_manage_files ? 1 : 0
+
+  repository          = local.repo_exists.name
   branch              = var.github_default_branch
   file                = "CODEOWNERS"
   content             = templatefile("${path.module}/templates/CODEOWNERS", { codeowners = local.codeowners })
   commit_message      = "Update CODEOWNERS file"
-  commit_author       = "Terraform"
-  commit_email        = "terraform@example.com"
+  commit_author       = var.commit_author
+  commit_email        = var.commit_email
   overwrite_on_create = true
+
   lifecycle {
     ignore_changes = [
       content,
@@ -17,7 +26,6 @@ resource "github_repository_file" "codeowners" {
   }
 }
 
-
 data "github_repository" "template_repo" {
   count     = var.template_repo == null ? 0 : 1
   full_name = "${var.template_repo_org}/${var.template_repo}"
@@ -44,16 +52,17 @@ locals {
 }
 
 resource "github_repository_file" "extra_files" {
-  for_each = tomap({ for file in local.extra_files : "${element(split("/", file.path), length(split("/", file.path)) - 1)}" => file })
-
-  repository          = local.repository_name
+  for_each = local.should_manage_files ? tomap({ for file in local.extra_files : "${element(split("/", file.path), length(split("/", file.path)) - 1)}" => file }) : {}
+  
+  repository          = local.repo_exists.name
   branch              = var.github_default_branch
   file                = each.value.path
   content             = each.value.content
   commit_message      = "Update ${each.value.path}"
-  commit_author       = "Terraform"
-  commit_email        = "terraform@example.com"
+  commit_author       = var.commit_author
+  commit_email        = var.commit_email
   overwrite_on_create = true
+
   lifecycle {
     ignore_changes = [
       content,
@@ -63,16 +72,17 @@ resource "github_repository_file" "extra_files" {
 }
 
 resource "github_repository_file" "managed_extra_files" {
-  for_each = tomap({ for file in var.managed_extra_files : "${element(split("/", file.path), length(split("/", file.path)) - 1)}" => file })
-
-  repository          = local.repository_name
+  for_each = local.should_manage_files ? tomap({ for file in var.managed_extra_files : "${element(split("/", file.path), length(split("/", file.path)) - 1)}" => file }) : {}
+  
+  repository          = local.repo_exists.name
   branch              = var.github_default_branch
   file                = each.value.path
   content             = each.value.content
   commit_message      = "Update ${each.value.path}"
-  commit_author       = "Terraform"
-  commit_email        = "terraform@example.com"
+  commit_author       = var.commit_author
+  commit_email        = var.commit_email
   overwrite_on_create = true
+
   lifecycle {
     ignore_changes = [
       branch

diff --git a/variables.tf b/variables.tf
@@ -379,4 +379,28 @@ variable "pages_config" {
     cname  = optional(string)
   })
   default = null
+}
+
+variable "allow_unsigned_files" {
+  description = "Whether to allow file management even when signed commits are required"
+  type        = bool
+  default     = false
+}
+
+variable "commit_author" {
+  description = "The author name to use for file commits"
+  type        = string
+  default     = "Terraform"
+}
+
+variable "commit_email" {
+  description = "The email to use for file commits"
+  type        = string
+  default     = "terraform@example.com"
+}
+
+variable "require_signed_commits" {
+  description = "Whether to require signed commits for the default branch"
+  type        = bool
+  default     = false
 }