From 5cf01a8e19fb71aef185d0da83bd95a571690b3b Mon Sep 17 00:00:00 2001
From: Dave Arnold
Date: Tue, 18 Feb 2025 21:42:29 -0800
Subject: [PATCH] Refactor branch protection and file management to use configurable variables for commit signing and author details

---
 branch_protection.tf | 2 +-
 github_files.tf | 40 +++++++++++++++++++++++++--------------
 variables.tf | 24 ++++++++++++++++++++++++
 3 files changed, 50 insertions(+), 16 deletions(-)

diff --git a/branch_protection.tf b/branch_protection.tf
index c946750..a6af049 100644
--- a/branch_protection.tf
+++ b/branch_protection.tf
@@ -4,7 +4,7 @@ locals {
 pattern = var.github_default_branch
 enforce_admins = var.github_enforce_admins_branch_protection
 allows_deletions = false
- require_signed_commits = true
+ require_signed_commits = var.require_signed_commits
 required_linear_history = true
 required_status_checks = var.required_status_checks
 required_pull_request_reviews = {
diff --git a/github_files.tf b/github_files.tf
index 47406ed..d9b70ea 100644
--- a/github_files.tf
+++ b/github_files.tf
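Review bot: Replacing the hard-coded `require_signed_commits = true` with `var.require_signed_commits` silently weakens the module's default, because the new variable declared in the variables.tf hunk defaults to `false`; every existing consumer that upgrades without setting it loses signed-commit enforcement on the default branch. Preserving the previous behaviour means `default = true` on `variable "require_signed_commits"` in that hunk, so that callers who want the check off have to opt out explicitly. The `locals` block this hunk edits starts and ends outside the hunk.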
@@ -1,14 +1,23 @@
+locals {
+ repo_exists = var.create_repo ? github_repository.repo[0] : data.github_repository.existing[0]
+
+ # Process files only if commit signing is not required or if explicitly allowed
+ should_manage_files = !try(local.repo_exists.require_signed_commits, false) || var.allow_unsigned_files
+}
+
 # https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file
 resource "github_repository_file" "codeowners" {
- count = var.create_codeowners ? 1 : 0
- repository = local.repository_name
+ count = var.create_codeowners && local.should_manage_files ? 1 : 0
+
+ repository = local.repo_exists.name
 branch = var.github_default_branch
 file = "CODEOWNERS"
 content = templatefile("${path.module}/templates/CODEOWNERS", { codeowners = local.codeowners })
 commit_message = "Update CODEOWNERS file"
- commit_author = "Terraform"
- commit_email = "terraform@example.com"
+ commit_author = var.commit_author
+ commit_email = var.commit_email
 overwrite_on_create = true
+
 lifecycle {
 ignore_changes = [
 content,
@@ -17,7 +26,6 @@ resource "github_repository_file" "codeowners" {
 }
 }
 
-
 data "github_repository" "template_repo" {
 count = var.template_repo == null ? 0 : 1
 full_name = "${var.template_repo_org}/${var.template_repo}"
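Review bot: `should_manage_files` reads `local.repo_exists.require_signed_commits`, but the module's own switch for that setting is `var.require_signed_commits` (wired into the branch protection in the branch_protection.tf hunk); to my knowledge neither the `github_repository` resource nor the data source exposes a `require_signed_commits` attribute, so the `try()` always falls back to `false` and the gate never engages even when signatures are actually enforced. Independently of that, deriving `count` here and `for_each` in the github_files.tf hunks at -44 and -63 from an attribute of `github_repository.repo[0]` means the value is unknown at plan time on a fresh `create_repo = true` run, and Terraform cannot evaluate `count`/`for_each` from values known only after apply. Both problems disappear with `should_manage_files = !var.require_signed_commits || var.allow_unsigned_files`, which depends only on input variables, and the comment above it would then be accurate as `# Skip the managed file resources when the default branch requires signed commits, unless the caller explicitly opts in`.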
@@ -44,16 +52,17 @@ locals {
 }
 
 resource "github_repository_file" "extra_files" {
- for_each = tomap({ for file in local.extra_files : "${element(split("/", file.path), length(split("/", file.path)) - 1)}" => file })
-
- repository = local.repository_name
+ for_each = local.should_manage_files ? tomap({ for file in local.extra_files : "${element(split("/", file.path), length(split("/", file.path)) - 1)}" => file }) : {}
+
+ repository = local.repo_exists.name
 branch = var.github_default_branch
 file = each.value.path
 content = each.value.content
 commit_message = "Update ${each.value.path}"
- commit_author = "Terraform"
- commit_email = "terraform@example.com"
+ commit_author = var.commit_author
+ commit_email = var.commit_email
 overwrite_on_create = true
+
 lifecycle {
 ignore_changes = [
 content,
@@ -63,16 +72,17 @@ resource "github_repository_file" "extra_files" {
 }
 
 resource "github_repository_file" "managed_extra_files" {
- for_each = tomap({ for file in var.managed_extra_files : "${element(split("/", file.path), length(split("/", file.path)) - 1)}" => file })
-
- repository = local.repository_name
+ for_each = local.should_manage_files ? tomap({ for file in var.managed_extra_files : "${element(split("/", file.path), length(split("/", file.path)) - 1)}" => file }) : {}
+
+ repository = local.repo_exists.name
 branch = var.github_default_branch
 file = each.value.path
 content = each.value.content
 commit_message = "Update ${each.value.path}"
- commit_author = "Terraform"
- commit_email = "terraform@example.com"
+ commit_author = var.commit_author
+ commit_email = var.commit_email
 overwrite_on_create = true
+
 lifecycle {
 ignore_changes = [
 branch
diff --git a/variables.tf b/variables.tf
index 754647a..a24d527 100644
--- a/variables.tf
+++ b/variables.tf
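Review bot: The rewritten `for_each` on `extra_files` (and the same line on `managed_extra_files` in the -63 hunk) returns a bare `{}` in its false arm while the true arm is a map of objects; Terraform has to unify an empty object with that map type, which I believe succeeds but is easy to break, and `tomap({})` makes both arms the same type explicitly. The key expression `"${element(split("/", file.path), length(split("/", file.path)) - 1)}"` carried onto the rewritten line is just `basename(file.path)`, and keying by basename means two files with the same name in different directories silently overwrite each other in the map; `file.path` would be a collision-free key, at the cost of a one-time state move. The enclosing `locals` and resource blocks start or end outside these hunks.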
@@ -379,4 +379,28 @@ variable "pages_config" {
 cname = optional(string)
 })
 default = null
+}
+
+variable "allow_unsigned_files" {
+ description = "Whether to allow file management even when signed commits are required"
+ type = bool
+ default = false
+}
+
+variable "commit_author" {
+ description = "The author name to use for file commits"
+ type = string
+ default = "Terraform"
+}
+
+variable "commit_email" {
+ description = "The email to use for file commits"
+ type = string
+ default = "terraform@example.com"
+}
+
+variable "require_signed_commits" {
+ description = "Whether to require signed commits for the default branch"
+ type = bool
+ default = false
 }
\ No newline at end of file
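Review bot: The description of `allow_unsigned_files` reads as if the variable lets file commits through signed-commit enforcement, but in github_files.tf it only decides whether the `github_repository_file` resources are created at all; nothing in this change signs the commits, so a caller who sets it to `true` alongside `require_signed_commits = true` may get apply-time rejections from the branch protection rather than a working bypass. Suggest `description = "Create the managed file resources even when require_signed_commits is true. The commits are not signed by this module and may still be rejected by the branch protection."`. The surrounding `variable "pages_config"` block starts outside the hunk.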