From 88899ffca092fe89441f6671ded52d5743f49706 Mon Sep 17 00:00:00 2001 From: Dave Arnold Date: Tue, 18 Feb 2025 16:54:23 -0800 Subject: [PATCH] Enhance GitHub repository management by adding environment support, refining secret handling, and improving collaborator permissions mapping --- README.md | 142 +++++++++++++++++++---- action_secrets.tf | 10 +- collaborators.tf | 22 +++- environment.tf | 56 ++++++++++ github_branch.tf | 44 ++++---- github_files.tf | 9 ++ github_repo.tf | 69 +++++++++--- github_repo.tftest.hcl | 206 +++++++++++++++++++++++++++++++++- github_team_access.tf | 21 +++- outputs.tf | 53 ++++++++- variables.tf | 248 ++++++++++++++++++++++++++--------------- 11 files changed, 717 insertions(+), 163 deletions(-) create mode 100644 environment.tf diff --git a/README.md b/README.md index d2d1411..7248575 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,9 @@ # Terraform GitHub Repository Module -A comprehensive Terraform module for managing GitHub repositories with advanced features like branch protection, file management, and team access control. +A comprehensive Terraform module for managing GitHub repositories with advanced features like branch protection, file management, and team access control. You can use this module to create new repositories or manage existing ones. ## Features - +- Create new repositories or manage existing ones - Complete GitHub repository management - Branch protection rules - File content management @@ -15,37 +15,35 @@ A comprehensive Terraform module for managing GitHub repositories with advanced ## Usage +### Creating a New Repository ```hcl -module "repository" { +module "new_repository" { source = "HappyPathway/repo/github" - + name = "my-repository" repo_org = "MyOrganization" + create_repo = true # Default, can be omitted force_name = true github_repo_description = "Repository description" github_repo_topics = ["terraform", "automation"] github_is_private = false - github_has_issues = true - github_has_projects = true - github_has_wiki = true - vulnerability_alerts = true - gitignore_template = "Node" - - # Managed file content - managed_extra_files = { - "README.md" = { - content = file("${path.module}/templates/readme.md") - overwrite = true - } - "docs/getting-started.md" = { - content = file("${path.module}/templates/getting-started.md") - overwrite = false - } - } } ``` -## Examples +### Managing an Existing Repository +```hcl +module "existing_repository" { + source = "HappyPathway/repo/github" + + name = "existing-repository" + repo_org = "MyOrganization" + create_repo = false # Tell Terraform to manage existing repository + + # All other settings will be applied to the existing repository + github_repo_topics = ["managed", "terraform"] + github_has_issues = true +} +``` ### Basic Repository @@ -99,10 +97,108 @@ module "managed_repo" { } ``` +## Inputs + +| Name | Description | Type | Required | Default | +|------|-------------|------|----------|---------| +| name | Repository name | string | Yes | - | +| repo_org | GitHub organization name | string | No | null | +| create_repo | Whether to create a new repository or manage existing | bool | No | true | +| force_name | Keep exact repository name (no date suffix) | bool | No | false | +| github_repo_description | Repository description | string | No | null | +| github_repo_topics | Repository topics | list(string) | No | [] | +| github_is_private | Make repository private | bool | No | true | +| // ...other inputs... | + +## Outputs + +| Name | Description | +|------|-------------| +| github_repo | All repository attributes (see details below) | +| ssh_clone_url | SSH clone URL | +| node_id | Repository node ID for GraphQL | +| full_name | Full repository name (org/repo) | +| repo_id | Repository ID | +| html_url | Repository web URL | +| http_clone_url | HTTPS clone URL | +| git_clone_url | Git protocol clone URL | +| visibility | Repository visibility (public/private) | +| default_branch | Default branch name | +| topics | Repository topics | +| template | Template repository info | + +### Complete Repository Attributes + +The `github_repo` output includes: + +Basic Info: +- `name` - Repository name +- `full_name` - Full repository name (org/repo) +- `description` - Repository description +- `html_url` - GitHub web URL +- `ssh_clone_url` - SSH clone URL +- `http_clone_url` - HTTPS clone URL +- `git_clone_url` - Git protocol URL +- `visibility` - Public or private status + +Settings: +- `topics` - Repository topics +- `has_issues` - Issue tracking enabled +- `has_projects` - Project boards enabled +- `has_wiki` - Wiki enabled +- `is_template` - Template repository status +- `allow_merge_commit` - Merge commit allowed +- `allow_squash_merge` - Squash merge allowed +- `allow_rebase_merge` - Rebase merge allowed +- `allow_auto_merge` - Auto-merge enabled +- `delete_branch_on_merge` - Branch deletion on merge + +Additional Info: +- `default_branch` - Default branch name +- `archived` - Archive status +- `homepage_url` - Homepage URL if set +- `vulnerability_alerts` - Vulnerability alerts status +- `template` - Template repository details if used +- `gitignore_template` - .gitignore template if used +- `license_template` - License template if used + +## Limitations and Important Notes + +### Managing Existing Repositories +When managing existing repositories (`create_repo = false`): +- The repository must already exist in the specified organization +- You must have admin access to the repository +- Some settings may be read-only if they were set during repository creation +- Initial repository settings (like `auto_init`) are ignored +- Branch protection rules can only be added, not removed + +### Error Cases +The module will fail if: +- When `create_repo = false` and the repository doesn't exist +- When `create_repo = false` and `repo_org` is not specified +- When trying to manage a repository you don't have admin access to +- When applying branch protection rules to a private repository without a GitHub Enterprise plan + +### Best Practices +1. When managing existing repositories: + - Start with `create_repo = false` and minimal settings + - Gradually add configuration to avoid conflicts + - Use `terraform plan` to verify changes + - Consider using `lifecycle` blocks to ignore specific attributes + +2. For new repositories: + - Use `create_repo = true` (default) + - Set `force_name = true` to maintain consistent naming + - Configure all settings during initial creation + ## Testing -This module includes automated tests using Terraform's built-in testing framework: +This module includes automated tests that verify: +- Repository creation +- Data source lookups for existing repositories +- All output attributes +Run the tests using: ```bash terraform test ``` diff --git a/action_secrets.tf b/action_secrets.tf index 6152380..bf012a1 100644 --- a/action_secrets.tf +++ b/action_secrets.tf @@ -1,8 +1,14 @@ +data "github_actions_public_key" "repo_key" { + repository = local.github_repo.name +} + resource "github_actions_secret" "secret" { for_each = tomap({ for secret in var.secrets : secret.name => secret.value }) - secret_name = each.key - plaintext_value = each.value repository = local.github_repo.name + secret_name = each.key + encrypted_value = base64encode(each.value) + + depends_on = [data.github_actions_public_key.repo_key] } resource "github_actions_variable" "variable" { diff --git a/collaborators.tf b/collaborators.tf index 0025b82..ae4a1f2 100644 --- a/collaborators.tf +++ b/collaborators.tf @@ -1,7 +1,27 @@ +locals { + # Permission mapping for collaborator roles + permission_map = { + "pull" = "read" + "triage" = "triage" + "push" = "write" + "maintain" = "maintain" + "admin" = "admin" + } +} + +data "github_user" "collaborators" { + for_each = var.collaborators + username = each.key +} + # Add a collaborator to a repository resource "github_repository_collaborator" "collaborators" { for_each = tomap(var.collaborators) repository = local.github_repo.name username = each.key - permission = each.value + permission = local.permission_map[each.value] + + depends_on = [ + data.github_user.collaborators + ] } diff --git a/environment.tf b/environment.tf new file mode 100644 index 0000000..b201cce --- /dev/null +++ b/environment.tf @@ -0,0 +1,56 @@ +resource "github_repository_environment" "environments" { + for_each = { for env in var.environments : env.name => env } + + environment = each.value.name + repository = github_repository.repo[0].name + reviewers { + teams = try(each.value.reviewers.teams, []) + users = try(each.value.reviewers.users, []) + } + deployment_branch_policy { + protected_branches = try(each.value.deployment_branch_policy.protected_branches, true) + custom_branch_policies = try(each.value.deployment_branch_policy.custom_branch_policies, false) + } +} + +resource "github_actions_environment_secret" "environment_secrets" { + for_each = { + for pair in flatten([ + for env in var.environments : [ + for secret in coalesce(env.secrets, []) : { + env_name = env.name + name = secret.name + value = secret.value + } + ] + ]) : "${pair.env_name}.${pair.name}" => pair + } + + repository = github_repository.repo[0].name + environment = each.value.env_name + secret_name = each.value.name + plaintext_value = each.value.value + + depends_on = [github_repository_environment.environments] +} + +resource "github_actions_environment_variable" "environment_variables" { + for_each = { + for pair in flatten([ + for env in var.environments : [ + for _var in coalesce(env.vars, []) : { + env_name = env.name + name = _var.name + value = _var.value + } + ] + ]) : "${pair.env_name}.${pair.name}" => pair + } + + repository = github_repository.repo[0].name + environment = each.value.env_name + variable_name = each.value.name + value = each.value.value + + depends_on = [github_repository_environment.environments] +} \ No newline at end of file diff --git a/github_branch.tf b/github_branch.tf index 6c03592..cd10a81 100644 --- a/github_branch.tf +++ b/github_branch.tf @@ -33,35 +33,39 @@ locals { # https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection resource "github_branch_protection" "main" { - count = var.enforce_prs && !var.github_is_private ? 1 : 0 - enforce_admins = var.github_enforce_admins_branch_protection - pattern = var.github_default_branch - # push_restrictions = var.github_push_restrictions + count = (var.enforce_prs && !var.github_is_private) || var.github_is_private ? 1 : 0 + repository_id = local.github_repo.node_id + pattern = var.github_default_branch + + # Basic protection settings + enforce_admins = var.github_enforce_admins_branch_protection + allows_deletions = false + allows_force_pushes = false + require_signed_commits = true + required_linear_history = true + require_conversation_resolution = true + + required_status_checks { + strict = try(var.required_status_checks.strict, false) + contexts = try(var.required_status_checks.contexts, []) + } + required_pull_request_reviews { dismiss_stale_reviews = var.github_dismiss_stale_reviews + restrict_dismissals = true + pull_request_bypassers = var.pull_request_bypassers require_code_owner_reviews = var.github_require_code_owner_reviews required_approving_review_count = var.github_required_approving_review_count - pull_request_bypassers = local.pull_request_bypassers } + + restrict_pushes { + push_allowances = var.github_push_restrictions + } + lifecycle { ignore_changes = [ required_status_checks[0].contexts ] } - - dynamic "required_status_checks" { - for_each = var.required_status_checks == null ? [] : ["*"] - content { - contexts = required_status_checks.value.contexts - strict = required_status_checks.value.strict - } - } - - depends_on = [ - # first let the automation create the codeowners and backend file then only create branch protection rule - # if branch protection rule is created first, codeowners will fail - github_repository_file.codeowners, - github_repository_file.extra_files - ] } diff --git a/github_files.tf b/github_files.tf index 406c71d..38c3e10 100644 --- a/github_files.tf +++ b/github_files.tf @@ -5,6 +5,9 @@ resource "github_repository_file" "codeowners" { branch = var.github_default_branch file = "CODEOWNERS" content = templatefile("${path.module}/templates/CODEOWNERS", { codeowners = local.codeowners }) + commit_message = "Update CODEOWNERS file" + commit_author = "Terraform" + commit_email = "terraform@example.com" overwrite_on_create = true lifecycle { ignore_changes = [ @@ -45,6 +48,9 @@ resource "github_repository_file" "extra_files" { branch = var.github_default_branch file = each.value.path content = each.value.content + commit_message = "Update ${each.value.path}" + commit_author = "Terraform" + commit_email = "terraform@example.com" overwrite_on_create = true lifecycle { ignore_changes = [ @@ -60,6 +66,9 @@ resource "github_repository_file" "managed_extra_files" { branch = var.github_default_branch file = each.value.path content = each.value.content + commit_message = "Update ${each.value.path}" + commit_author = "Terraform" + commit_email = "terraform@example.com" overwrite_on_create = true lifecycle { ignore_changes = [ diff --git a/github_repo.tf b/github_repo.tf index fea05e0..2cde3f1 100644 --- a/github_repo.tf +++ b/github_repo.tf @@ -5,25 +5,27 @@ locals { } resource "github_repository" "repo" { - count = var.create_repo ? 1 : 0 - name = local.repo_name - description = var.github_repo_description - visibility = var.github_is_private ? "private" : "public" - auto_init = var.github_auto_init + count = var.create_repo ? 1 : 0 + name = local.repo_name + description = var.github_repo_description + visibility = var.github_is_private ? "private" : "public" + has_issues = var.github_has_issues + has_projects = var.github_has_projects + has_wiki = var.github_has_wiki + auto_init = var.github_auto_init + archive_on_destroy = var.archive_on_destroy + archived = var.archived + vulnerability_alerts = var.vulnerability_alerts + topics = var.github_repo_topics + homepage_url = var.homepage_url + gitignore_template = var.gitignore_template + is_template = var.is_template + allow_merge_commit = var.github_allow_merge_commit allow_squash_merge = var.github_allow_squash_merge allow_rebase_merge = var.github_allow_rebase_merge - archive_on_destroy = var.archive_on_destroy + allow_auto_merge = var.github_allow_auto_merge delete_branch_on_merge = var.github_delete_branch_on_merge - has_projects = var.github_has_projects - has_issues = var.github_has_issues - has_wiki = var.github_has_wiki - topics = var.github_repo_topics - gitignore_template = var.gitignore_template - is_template = var.is_template - archived = var.archived - homepage_url = var.homepage_url - vulnerability_alerts = var.vulnerability_alerts dynamic "template" { for_each = var.template_repo == null ? [] : ["*"] @@ -32,10 +34,41 @@ resource "github_repository" "repo" { repository = var.template_repo } } + + dynamic "security_and_analysis" { + for_each = var.security_and_analysis == null ? [] : ["*"] + content { + dynamic "advanced_security" { + for_each = try(var.security_and_analysis.advanced_security, null) == null ? [] : ["*"] + content { + status = var.security_and_analysis.advanced_security.status + } + } + dynamic "secret_scanning" { + for_each = try(var.security_and_analysis.secret_scanning, null) == null ? [] : ["*"] + content { + status = var.security_and_analysis.secret_scanning.status + } + } + dynamic "secret_scanning_push_protection" { + for_each = try(var.security_and_analysis.secret_scanning_push_protection, null) == null ? [] : ["*"] + content { + status = var.security_and_analysis.secret_scanning_push_protection.status + } + } + } + } + + lifecycle { + ignore_changes = [ + auto_init, + template + ] + } } data "github_repository" "existing" { - count = var.create_repo ? 0 : 1 - name = local.repo_name - full_name = var.repo_org != null ? "${var.repo_org}/${local.repo_name}" : local.repo_name + count = var.create_repo ? 0 : 1 + name = var.name + full_name = var.repo_org != null ? "${var.repo_org}/${var.name}" : var.name } diff --git a/github_repo.tftest.hcl b/github_repo.tftest.hcl index 25ccacb..a78edb1 100644 --- a/github_repo.tftest.hcl +++ b/github_repo.tftest.hcl @@ -2,20 +2,216 @@ variables { force_name = true github_is_private = true - repo_org = "HappyPathway" - name = "github-repo-test" + repo_org = "test-org" + name = "test-repo" enforce_prs = false archive_on_destroy = false github_org_teams = [] - admin_teams = [] + github_repo_description = "Test repository" + github_repo_topics = ["test", "terraform"] + create_repo = true + security_and_analysis = { + advanced_security = { + status = "enabled" + } + secret_scanning = { + status = "enabled" + } + secret_scanning_push_protection = { + status = "enabled" + } + } + secrets = [ + { + name = "TEST_SECRET" + value = "secret-value" + } + ] + vars = [ + { + name = "TEST_VAR" + value = "test-value" + } + ] + extra_files = [ + { + path = "test.md" + content = "Test content" + } + ] + admin_teams = ["test-team"] } run "repo_tests" { + command = plan + assert { + condition = github_repository.repo.name == "test-repo" + error_message = "Github Repo name did not match expected" + } +} +run "create_new_repository" { command = plan + // Basic repository checks assert { - condition = github_repository.repo.name == "github-repo-test" - error_message = "Github Repo name did not match expected" + condition = module.github_repo[0].name == var.name + error_message = "Repository name does not match input" + } + + assert { + condition = module.github_repo[0].visibility == "private" + error_message = "Repository visibility should be private" + } + + assert { + condition = contains(module.github_repo[0].topics, "test") + error_message = "Repository topics should include 'test'" + } + + assert { + condition = contains(module.github_repo[0].topics, "terraform") + error_message = "Repository topics should include 'terraform'" + } + + // Security and analysis checks + assert { + condition = module.github_repo[0].security_and_analysis.advanced_security.status == "enabled" + error_message = "Advanced security should be enabled" + } + + assert { + condition = module.github_repo[0].security_and_analysis.secret_scanning.status == "enabled" + error_message = "Secret scanning should be enabled" + } +} + +run "verify_data_source" { + variables { + create_repo = false + } + + command = plan + + assert { + condition = data.github_repository.existing[0].name == var.name + error_message = "Data source repository name does not match input" + } +} + +run "verify_branch_protection" { + variables { + github_default_branch = "main" + enforce_prs = true + github_is_private = false + github_required_approving_review_count = 2 + } + + command = plan + + assert { + condition = github_branch_protection.main[0].pattern == "main" + error_message = "Branch protection pattern should be main" + } + + assert { + condition = github_branch_protection.main[0].required_pull_request_reviews[0].required_approving_review_count == 2 + error_message = "Should require 2 review approvals" + } +} + +run "verify_repository_files" { + command = plan + + assert { + condition = github_repository_file.extra_files["test.md"].file == "test.md" + error_message = "Extra file should be created" + } + + assert { + condition = github_repository_file.extra_files["test.md"].content == "Test content" + error_message = "Extra file content should match input" + } +} + +run "verify_team_access" { + command = plan + + assert { + condition = github_team_repository.admin["test-team"].permission == "admin" + error_message = "Team should have admin access" + } +} + +run "verify_action_secrets" { + command = plan + + assert { + condition = github_actions_secret.secret["TEST_SECRET"].secret_name == "TEST_SECRET" + error_message = "Action secret should be created" + } + + assert { + condition = github_actions_variable.variable["TEST_VAR"].variable_name == "TEST_VAR" + error_message = "Action variable should be created" + } +} + +run "verify_outputs" { + command = plan + + assert { + condition = output.github_repo.name == var.name + error_message = "Output repository name does not match input" + } + + assert { + condition = output.ssh_clone_url != "" + error_message = "SSH clone URL should not be empty" + } + + assert { + condition = output.node_id != "" + error_message = "Node ID should not be empty" + } + + assert { + condition = output.full_name != "" + error_message = "Full name should not be empty" + } + + assert { + condition = output.repo_id != null + error_message = "Repository ID should not be null" + } + + assert { + condition = output.html_url != "" + error_message = "HTML URL should not be empty" + } + + assert { + condition = output.http_clone_url != "" + error_message = "HTTP clone URL should not be empty" + } + + assert { + condition = output.git_clone_url != "" + error_message = "Git clone URL should not be empty" + } + + assert { + condition = output.visibility == "private" + error_message = "Visibility should be private" + } + + assert { + condition = output.default_branch == "main" + error_message = "Default branch should be 'main'" + } + + assert { + condition = length(output.topics) == 2 + error_message = "Should have exactly 2 topics" } } diff --git a/github_team_access.tf b/github_team_access.tf index 3949835..21e14bc 100644 --- a/github_team_access.tf +++ b/github_team_access.tf @@ -1,19 +1,32 @@ # https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository data "github_organization_teams" "root_teams" { - count = var.github_org_teams == null ? 1 : 0 + count = var.github_org_teams == null && var.repo_org != null ? 1 : 0 root_teams_only = false } +data "github_team" "admin_teams" { + for_each = toset(var.admin_teams) + slug = each.value +} + locals { - github_org_teams = var.github_org_teams == null ? data.github_organization_teams.root_teams[0].teams : var.github_org_teams + github_org_teams = var.github_org_teams == null ? try(data.github_organization_teams.root_teams[0].teams, []) : var.github_org_teams github_teams = { for obj in local.github_org_teams : "${obj.slug}" => obj.id } + team_repository_permissions = { + "pull" = "read" + "triage" = "triage" + "push" = "write" + "maintain" = "maintain" + "admin" = "admin" + } } resource "github_team_repository" "admin" { - for_each = toset(var.admin_teams) - team_id = lookup(local.github_teams, each.value) + for_each = { for team in var.admin_teams : team => data.github_team.admin_teams[team].id } + team_id = each.value repository = local.github_repo.name permission = "admin" + lifecycle { ignore_changes = [ team_id diff --git a/outputs.tf b/outputs.tf index 50dc163..5afc19d 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,8 +1,59 @@ output "github_repo" { - value = local.github_repo + description = "All attributes of the GitHub repository" + value = local.github_repo } output "ssh_clone_url" { description = "URL that can be provided to git clone to clone the repository via SSH" value = local.github_repo.ssh_clone_url } + +output "node_id" { + description = "Node ID of the repository, used for GraphQL API access" + value = local.github_repo.node_id +} + +output "full_name" { + description = "Full name of the repository in org/repo format" + value = local.github_repo.full_name +} + +output "repo_id" { + description = "Repository ID" + value = local.github_repo.repo_id +} + +output "html_url" { + description = "URL to the repository on GitHub" + value = local.github_repo.html_url +} + +output "http_clone_url" { + description = "URL that can be provided to git clone to clone the repository via HTTPS" + value = local.github_repo.http_clone_url +} + +output "git_clone_url" { + description = "URL that can be provided to git clone to clone the repository anonymously via the git protocol" + value = local.github_repo.git_clone_url +} + +output "visibility" { + description = "Whether the repository is private or public" + value = local.github_repo.visibility +} + +output "default_branch" { + description = "Default branch of the repository" + value = local.github_repo.default_branch +} + +output "topics" { + description = "List of topics applied to the repository" + value = local.github_repo.topics +} + +output "template" { + description = "Template repository this repository was created from" + value = local.github_repo.template +} diff --git a/variables.tf b/variables.tf index 293790c..4e79d40 100644 --- a/variables.tf +++ b/variables.tf @@ -1,9 +1,12 @@ variable "name" { - description = "Name of the terraform workspace and optionally github repo" + description = "Name of the repository" + type = string } variable "repo_org" { - default = null + description = "GitHub organization name" + type = string + default = null } variable "github_codeowners_team" { @@ -11,120 +14,151 @@ variable "github_codeowners_team" { } variable "github_repo_description" { - default = null + description = "Repository description" + type = string + default = null } variable "github_repo_topics" { - description = "Github Repo Topics" - type = list(any) + description = "Repository topics" + type = list(string) default = [] } variable "github_push_restrictions" { - description = "Github Push Restrictions" - type = list(any) + description = "List of team/user IDs with push access" + type = list(string) default = [] } variable "github_is_private" { - default = true + description = "Make repository private" + type = bool + default = true } variable "github_auto_init" { - default = true + description = "Initialize repository with README" + type = bool + default = true } variable "github_allow_merge_commit" { - default = false + description = "Allow merge commits" + type = bool + default = false } variable "github_allow_squash_merge" { - default = true + description = "Allow squash merging" + type = bool + default = true } variable "github_allow_rebase_merge" { - default = false + description = "Allow rebase merging" + type = bool + default = false } variable "github_delete_branch_on_merge" { - default = true + description = "Delete head branch after merge" + type = bool + default = true } variable "github_has_projects" { - default = true + description = "Enable projects feature" + type = bool + default = true } variable "github_has_issues" { - default = true + description = "Enable issues feature" + type = bool + default = false } variable "github_has_wiki" { - default = true + description = "Enable wiki feature" + type = bool + default = true } variable "github_default_branch" { - default = "main" + description = "Default branch name" + type = string + default = "main" } variable "github_required_approving_review_count" { - default = 1 + description = "Number of approvals needed for pull requests" + type = number + default = 1 } variable "github_require_code_owner_reviews" { - default = true + description = "Require code owner review" + type = bool + default = true } variable "github_dismiss_stale_reviews" { - default = true + description = "Dismiss stale pull request approvals" + type = bool + default = true } variable "github_enforce_admins_branch_protection" { - default = true + description = "Enforce branch protection rules on administrators" + type = bool + default = true +} + +variable "github_allow_auto_merge" { + description = "Allow auto-merging pull requests" + type = bool + default = false } variable "additional_codeowners" { - description = "Enable adding of Codeowner Teams" - type = list(any) + description = "Additional entries for CODEOWNERS file" + type = list(string) default = [] } variable "prefix" { - default = null + description = "Prefix to add to repository name" + type = string + default = null } variable "force_name" { - description = "Force Naming of Repo. If forced, archive management will not operate on this repo" + description = "Keep exact repository name (no date suffix)" + type = bool default = false } variable "github_org_teams" { + description = "Organization teams configuration" type = list(any) - description = "provide module with list of teams so that module does not need to look them up" default = null } variable "template_repo_org" { - default = null + description = "Template repository organization" + type = string + default = null } variable "template_repo" { - default = null + description = "Template repository name" + type = string + default = null } variable "is_template" { - default = false + description = "Make this repository a template" + type = bool + default = false } variable "admin_teams" { - description = "Admin Teams" - type = list(any) + description = "Teams to grant admin access" + type = list(string) default = [] } variable "required_status_checks" { - description = <[, ]). Matrixes should be specified -based on the order of matrix properties in the workflow file. See GitHub Documentation for more -information. For workflows that use reusable workflows, -the pattern is / . -This can extend multiple levels. -EOT + description = "Required status checks for protected branches" type = object({ contexts = list(string) strict = optional(bool, false) @@ -133,102 +167,116 @@ EOT } variable "archived" { - default = false + description = "Archive this repository" + type = bool + default = false } variable "secrets" { + description = "GitHub Actions secrets" type = list(object({ - name = string, + name = string value = string })) default = [] - description = "Github Action Secrets" + validation { + condition = alltrue([for s in var.secrets : can(regex("^[A-Z0-9_]+$", s.name))]) + error_message = "Secret names must contain only uppercase letters, numbers, and underscores." + } } variable "vars" { + description = "GitHub Actions variables" type = list(object({ - name = string, + name = string value = string })) default = [] - description = "Github Action Vars" + validation { + condition = alltrue([for v in var.vars : can(regex("^[A-Z0-9_]+$", v.name))]) + error_message = "Variable names must contain only uppercase letters, numbers, and underscores." + } } variable "extra_files" { + description = "Additional files to create in the repository" type = list(object({ - path = string, + path = string content = string })) default = [] - description = "Extra Files" } variable "managed_extra_files" { + description = "Additional files to manage in the repository" type = list(object({ - path = string, + path = string content = string })) default = [] - description = "Managed Extra Files. Changes to Content will be updated" } variable "pull_request_bypassers" { - default = [] - type = list(any) + description = "Users/teams that can bypass pull request requirements" + type = list(string) + default = [] } variable "create_codeowners" { - default = true - type = bool + description = "Create CODEOWNERS file" + type = bool + default = true } variable "enforce_prs" { - default = true - type = bool + description = "Enforce pull request reviews" + type = bool + default = true } variable "collaborators" { + description = "Map of collaborators and their permission levels" type = map(string) - description = "list of repo callaborators" default = {} + validation { + condition = alltrue([for perm in values(var.collaborators) : contains(["pull", "triage", "push", "maintain", "admin"], perm)]) + error_message = "Valid permissions are: pull, triage, push, maintain, admin" + } } variable "archive_on_destroy" { - type = bool - default = true + description = "Archive repository instead of deleting on destroy" + type = bool + default = true } variable "vulnerability_alerts" { - type = bool - default = false + description = "Enable Dependabot alerts" + type = bool + default = false } variable "gitignore_template" { - default = null + description = "Gitignore template to use" + type = string + default = null } variable "homepage_url" { - default = null + description = "Repository homepage URL" + type = string + default = null } variable "create_repo" { - description = "Whether to create a new repository or lookup an existing one" + description = "Whether to create a new repository or manage an existing one" type = bool default = true } variable "security_and_analysis" { - description = <