Refactor GitHub repository configuration to remove unused security se…

…ttings and update visibility to public
CSVD · Feb 19, 2025 · e9ddaa3 · e9ddaa3
1 parent 6c2c6b8
commit e9ddaa3
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 81 deletions.
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/action_secrets.tf b/action_secrets.tf
@@ -1,19 +1,24 @@
-data "github_actions_public_key" "repo_key" {
-  repository = local.github_repo.name
+locals {
+  repo_exists = var.create_repo ? github_repository.repo[0] : data.github_repository.existing[0]
 }
 
+# data "github_actions_public_key" "repo_key" {
+#   repository = local.github_repo.name
+#   count     = local.repo_exists != null ? 1 : 0
+# }
+
 resource "github_actions_secret" "secret" {
   for_each        = tomap({ for secret in var.secrets : secret.name => secret.value })
   repository      = local.github_repo.name
   secret_name     = each.key
   encrypted_value = base64encode(each.value)
-
-  depends_on = [data.github_actions_public_key.repo_key]
+  depends_on      = [local.repo_exists]
 }
 
 resource "github_actions_variable" "variable" {
   for_each      = tomap({ for _var in var.vars : _var.name => _var.value })
   repository    = local.github_repo.name
   variable_name = each.key
   value         = each.value
+  depends_on    = [local.repo_exists]
 }
diff --git a/github_repo.tf b/github_repo.tf
@@ -95,5 +95,4 @@ resource "github_repository" "repo" {
 data "github_repository" "existing" {
   count     = var.create_repo ? 0 : 1
   name      = var.name
-  full_name = var.repo_org != null ? "${var.repo_org}/${var.name}" : var.name
 }
diff --git a/github_repo.tftest.hcl b/github_repo.tftest.hcl
@@ -3,25 +3,14 @@ variables {
   name                    = "github-repo-test"
   repo_org                = "HappyPathway"
   force_name              = true
-  github_is_private       = true
+  github_is_private       = false
   enforce_prs             = false
   archive_on_destroy      = false
   github_org_teams        = []
   admin_teams             = ["test-team"]
   github_repo_description = "Test repository"
   github_repo_topics      = ["test", "terraform"]
   create_repo             = true
-  security_and_analysis = {
-    advanced_security = {
-      status = "enabled"
-    }
-    secret_scanning = {
-      status = "enabled"
-    }
-    secret_scanning_push_protection = {
-      status = "enabled"
-    }
-  }
   secrets = [
     {
       name  = "TEST_SECRET"
@@ -42,77 +31,44 @@ variables {
   ]
 }
 
-run "repo_tests" {
-  command = plan
-
-  assert {
-    condition     = github_repository.repo.name == "github-repo-test"
-    error_message = "Github Repo name did not match expected"
-  }
-}
-
+# Test repository creation first
 run "create_new_repository" {
-  command = plan
-
-  assert {
-    condition     = module.github_repo[0].name == var.name
-    error_message = "Repository name does not match input"
-  }
-
-  assert {
-    condition     = module.github_repo[0].visibility == "private"
-    error_message = "Repository visibility should be private"
-  }
-
-  assert {
-    condition     = contains(module.github_repo[0].topics, "test")
-    error_message = "Repository topics should include 'test'"
-  }
-
-  assert {
-    condition     = contains(module.github_repo[0].topics, "terraform")
-    error_message = "Repository topics should include 'terraform'"
-  }
-
-  assert {
-    condition     = module.github_repo[0].security_and_analysis.advanced_security.status == "enabled"
-    error_message = "Advanced security should be enabled"
-  }
-
-  assert {
-    condition     = module.github_repo[0].security_and_analysis.secret_scanning.status == "enabled"
-    error_message = "Secret scanning should be enabled"
-  }
+  command = apply
 }
 
+# Then test repository data source
 run "verify_data_source" {
   variables {
     create_repo = false
   }
-
   command = plan
-
   assert {
     condition     = data.github_repository.existing[0].name == var.name
     error_message = "Data source repository name does not match input"
   }
 }
 
+# Now test other components that depend on the repository existing
+run "repo_tests" {
+  command = plan
+  assert {
+    condition     = github_repository.repo[0].name == "github-repo-test"
+    error_message = "Github Repo name did not match expected"
+  }
+}
+
 run "verify_branch_protection" {
   variables {
     github_default_branch                  = "main"
     enforce_prs                            = true
     github_is_private                      = false
     github_required_approving_review_count = 2
   }
-
   command = plan
-
   assert {
     condition     = github_branch_protection.main[0].pattern == "main"
     error_message = "Branch protection pattern should be main"
   }
-
   assert {
     condition     = github_branch_protection.main[0].required_pull_request_reviews[0].required_approving_review_count == 2
     error_message = "Should require 2 review approvals"
@@ -121,12 +77,10 @@ run "verify_branch_protection" {
 
 run "verify_repository_files" {
   command = plan
-
   assert {
     condition     = github_repository_file.extra_files["test.md"].file == "test.md"
     error_message = "Extra file should be created"
   }
-
   assert {
     condition     = github_repository_file.extra_files["test.md"].content == "Test content"
     error_message = "Extra file content should match input"
@@ -135,7 +89,6 @@ run "verify_repository_files" {
 
 run "verify_team_access" {
   command = plan
-
   assert {
     condition     = github_team_repository.admin["test-team"].permission == "admin"
     error_message = "Team should have admin access"
@@ -144,12 +97,10 @@ run "verify_team_access" {
 
 run "verify_action_secrets" {
   command = plan
-
   assert {
     condition     = github_actions_secret.secret["TEST_SECRET"].secret_name == "TEST_SECRET"
     error_message = "Action secret should be created"
   }
-
   assert {
     condition     = github_actions_variable.variable["TEST_VAR"].variable_name == "TEST_VAR"
     error_message = "Action variable should be created"
@@ -158,57 +109,46 @@ run "verify_action_secrets" {
 
 run "verify_outputs" {
   command = plan
-
   assert {
     condition     = output.github_repo.name == var.name
     error_message = "Output repository name does not match input"
   }
-
   assert {
     condition     = output.ssh_clone_url != ""
     error_message = "SSH clone URL should not be empty"
   }
-
   assert {
     condition     = output.node_id != ""
     error_message = "Node ID should not be empty"
   }
-
   assert {
     condition     = output.full_name != ""
     error_message = "Full name should not be empty"
   }
-
   assert {
     condition     = output.repo_id != null
     error_message = "Repository ID should not be null"
   }
-
   assert {
     condition     = output.html_url != ""
     error_message = "HTML URL should not be empty"
   }
-
   assert {
     condition     = output.http_clone_url != ""
     error_message = "HTTP clone URL should not be empty"
   }
-
   assert {
     condition     = output.git_clone_url != ""
     error_message = "Git clone URL should not be empty"
   }
-
   assert {
-    condition     = output.visibility == "private"
-    error_message = "Visibility should be private"
+    condition     = output.visibility == "public"
+    error_message = "Visibility should be public"
   }
-
   assert {
     condition     = output.default_branch == "main"
     error_message = "Default branch should be 'main'"
   }
-
   assert {
     condition     = length(output.topics) == 2
     error_message = "Should have exactly 2 topics"