Eks upgrade

branch_protection.tf

@@ -21,9 +21,9 @@ locals {
 
 # https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection
 resource "github_branch_protection" "protection" {
-  for_each = (var.create_repo || length(data.github_repository.existing) > 0) ? {
-    for k, v in local.branch_protection_rules : k => v if var.enforce_prs && (! var.github_is_private || var.github_pro_enabled)
-  } : {}
+  for_each = {
+    for k, v in local.branch_protection_rules : k => v if var.enforce_prs && (!var.github_is_private || var.github_pro_enabled)
+  }
 
   repository_id = var.create_repo ? github_repository.repo[0].node_id : data.github_repository.existing[0].node_id
   pattern       = each.key

github_branch.tf

@@ -5,8 +5,8 @@
 
 # Create non-main default branch if specified
 resource "github_branch" "branch" {
-  count      = var.github_default_branch != "main" && local.github_repo != null ? 1 : 0
-  repository = local.github_repo.name
+  count      = var.github_default_branch != "main" ? 1 : 0
+  repository = local.repository_name
   branch     = var.github_default_branch
   depends_on = [
     github_repository.repo,
@@ -16,14 +16,25 @@ resource "github_branch" "branch" {
 
 # Set the default branch
 resource "github_branch_default" "default_main_branch" {
-  count      = var.github_default_branch != "main" && local.github_repo != null ? 1 : 0
-  repository = local.github_repo.name
+  count      = var.github_default_branch != "main" ? 1 : 0
+  repository = local.repository_name
   branch     = var.github_default_branch
   depends_on = [
     github_branch.branch
   ]
 }
 
+# For new repos: create files_branch inside the module after repo exists.
+# For existing repos: files_branch is created externally (in terraform-eks-deployment) before the module runs.
+resource "github_branch" "files_branch" {
+  count         = var.files_branch != null && var.create_repo ? 1 : 0
+  repository    = local.repo_name
+  branch        = var.files_branch
+  source_branch = var.github_default_branch
+
+  depends_on = [github_repository.repo]
+}
+
 data "github_user" "pull_request_bypassers" {
   for_each = toset(var.pull_request_bypassers)
   username = each.value

github_deploy_keys.tf

@@ -11,12 +11,12 @@ resource "tls_private_key" "deploy_key" {
 
 // Create GitHub deploy keys for all entries
 resource "github_repository_deploy_key" "deploy_key" {
-  for_each = local.github_repo != null ? {
+  for_each = {
     for k, v in var.deploy_keys : k => v
-  } : {}
+  }
 
   title      = each.value.title
-  repository = local.github_repo.name
+  repository = local.repository_name
   key        = each.value.create ? tls_private_key.deploy_key[each.key].public_key_openssh : each.value.key
   read_only  = each.value.read_only
 

github_files.tf

@@ -4,13 +4,13 @@ data "github_user" "current" {
 }
 
 locals {
-  # Process files only if commit signing is not required or if explicitly allowed
-  should_manage_files = ! try(local.github_repo.require_signed_commits, false) || var.allow_unsigned_files
+  # Process files only if commit signing is not required on this module, or if explicitly allowed
+  should_manage_files = !var.require_signed_commits || var.allow_unsigned_files
 }
 
 # https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file
 resource "github_repository_file" "codeowners" {
-  count = var.create_codeowners && local.should_manage_files && local.github_repo != null ? 1 : 0
+  count = var.create_codeowners && local.should_manage_files ? 1 : 0
 
   repository          = local.repository_name
   branch              = var.github_default_branch
@@ -23,6 +23,7 @@ resource "github_repository_file" "codeowners" {
   depends_on = [
     github_repository.repo,
     data.github_repository.existing,
+    github_branch.files_branch,
   ]
   lifecycle {
     ignore_changes = [
@@ -58,11 +59,11 @@ locals {
       }
     ] : []
   )
-  repository_name = coalesce(try(local.github_repo.name, null), var.name)
+  repository_name = var.create_repo ? local.repo_name : var.name
 }
 
 resource "github_repository_file" "extra_files" {
-  for_each = local.should_manage_files && local.github_repo != null ? tomap({ for file in local.extra_files : file.path => file }) : {}
+  for_each = local.should_manage_files ? tomap({ for file in local.extra_files : file.path => file }) : {}
 
   repository          = local.repository_name
   branch              = var.files_branch == null ? var.github_default_branch : var.files_branch
@@ -75,6 +76,7 @@ resource "github_repository_file" "extra_files" {
   depends_on = [
     github_repository.repo,
     data.github_repository.existing,
+    github_branch.files_branch,
   ]
   lifecycle {
     ignore_changes = [
@@ -85,7 +87,7 @@ resource "github_repository_file" "extra_files" {
 }
 
 resource "github_repository_file" "managed_extra_files" {
-  for_each = local.should_manage_files && local.github_repo != null ? tomap({ for file in var.managed_extra_files : file.path => file }) : {}
+  for_each = local.should_manage_files ? tomap({ for file in var.managed_extra_files : file.path => file }) : {}
 
   repository          = local.repository_name
   branch              = var.files_branch == null ? var.github_default_branch : var.files_branch
@@ -98,6 +100,7 @@ resource "github_repository_file" "managed_extra_files" {
   depends_on = [
     github_repository.repo,
     data.github_repository.existing,
+    github_branch.files_branch,
   ]
   lifecycle {
     ignore_changes = [

github_pull_request.tf

@@ -0,0 +1,16 @@
+resource "github_repository_pull_request" "files_branch_to_main" {
+  count = var.files_branch != null ? 1 : 0
+
+  base_repository = local.repository_name
+  base_ref        = "main"
+  head_ref        = var.files_branch
+  title           = "Sync ${var.files_branch} into main"
+  body            = "Automated pull request generated by Terraform for repository configuration updates."
+
+  depends_on = [
+    github_branch.files_branch,
+    github_repository_file.codeowners,
+    github_repository_file.extra_files,
+    github_repository_file.managed_extra_files,
+  ]
+}

github_repo.tf

@@ -3,7 +3,7 @@ locals {
 
   # Safe access to repo and existing resources
   github_repo = var.create_repo && length(github_repository.repo) > 0 ? github_repository.repo[0] : (
-    length(data.github_repository.existing) > 0 ? data.github_repository.existing[0] : null
+    !var.create_repo ? data.github_repository.existing[0] : null
   )
 
   validate_merge_options = (

versions.tf

@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     github = {
-      source = "integrations/github"
+      source  = "integrations/github"
       version = "~> 6.11"
     }
   }