Copying modules over

.github/workflows/on-pull-request.yaml

@@ -0,0 +1,47 @@
+name: "Pull Request Jobs"
+
+on:
+  pull_request:
+
+
+env:
+  tf_version: 1.7.1
+  working_dir: .
+
+jobs:
+  terraform-doc-generation:
+    permissions:
+      contents: 'write'
+      id-token: 'write'
+      pull-requests: 'write'
+      issues: 'write'
+    name: "Terraform Documentation Generation"
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+        working-directory: ${{ env.working_dir }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.head_ref }}
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.tf_version }}
+
+      - name: Check Terraform Format
+        id: fmt
+        run: terraform fmt -check
+
+      - name: Generate TF docs
+        uses: terraform-docs/gh-actions@v1.0.0
+        with:
+          find-dir: modules/
+          recursive: true
+          recursive-path: .
+          git-push: true
+          output-method: replace
+          template: "{{ .Content }}"

modules/foundations-github-organization/README.md

@@ -0,0 +1,60 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_github"></a> [github](#requirement\_github) | 5.44.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_github.enterprise_scoped"></a> [github.enterprise\_scoped](#provider\_github.enterprise\_scoped) | 5.44.0 |
+| <a name="provider_github.foundation_org_scoped"></a> [github.foundation\_org\_scoped](#provider\_github.foundation\_org\_scoped) | 5.44.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [github_actions_organization_variable.tf_state_bucket_location](https://registry.terraform.io/providers/hashicorp/github/5.44.0/docs/resources/actions_organization_variable) | resource |
+| [github_actions_organization_variable.tf_state_bucket_name](https://registry.terraform.io/providers/hashicorp/github/5.44.0/docs/resources/actions_organization_variable) | resource |
+| [github_actions_organization_variable.tf_state_bucket_project_id](https://registry.terraform.io/providers/hashicorp/github/5.44.0/docs/resources/actions_organization_variable) | resource |
+| [github_actions_organization_variable.workload_identity_provider](https://registry.terraform.io/providers/hashicorp/github/5.44.0/docs/resources/actions_organization_variable) | resource |
+| [github_actions_variable.bootstrap_workload_identity_sa](https://registry.terraform.io/providers/hashicorp/github/5.44.0/docs/resources/actions_variable) | resource |
+| [github_actions_variable.gcp_secret_manager_project_id](https://registry.terraform.io/providers/hashicorp/github/5.44.0/docs/resources/actions_variable) | resource |
+| [github_actions_variable.organization_workload_identity_sa](https://registry.terraform.io/providers/hashicorp/github/5.44.0/docs/resources/actions_variable) | resource |
+| [github_branch_protection.protect_bootstrap_main](https://registry.terraform.io/providers/hashicorp/github/5.44.0/docs/resources/branch_protection) | resource |
+| [github_branch_protection.protect_organization_main](https://registry.terraform.io/providers/hashicorp/github/5.44.0/docs/resources/branch_protection) | resource |
+| [github_enterprise_organization.github-foundations](https://registry.terraform.io/providers/hashicorp/github/5.44.0/docs/resources/enterprise_organization) | resource |
+| [github_issue_labels.drift_labels](https://registry.terraform.io/providers/hashicorp/github/5.44.0/docs/resources/issue_labels) | resource |
+| [github_repository.bootstrap_repo](https://registry.terraform.io/providers/hashicorp/github/5.44.0/docs/resources/repository) | resource |
+| [github_repository.organizations_repo](https://registry.terraform.io/providers/hashicorp/github/5.44.0/docs/resources/repository) | resource |
+| [github_repository_collaborators.bootstrap_repo_collaborators](https://registry.terraform.io/providers/hashicorp/github/5.44.0/docs/resources/repository_collaborators) | resource |
+| [github_repository_collaborators.organization_repo_collaborators](https://registry.terraform.io/providers/hashicorp/github/5.44.0/docs/resources/repository_collaborators) | resource |
+| [github_team.foundation_devs](https://registry.terraform.io/providers/hashicorp/github/5.44.0/docs/resources/team) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_admin_logins"></a> [admin\_logins](#input\_admin\_logins) | List of organization owner usernames. | `list(string)` | n/a | yes |
+| <a name="input_billing_email"></a> [billing\_email](#input\_billing\_email) | The email to use for the organizations billing. | `string` | n/a | yes |
+| <a name="input_bootstrap_workload_identity_sa"></a> [bootstrap\_workload\_identity\_sa](#input\_bootstrap\_workload\_identity\_sa) | The service account to use for the bootstrap repository oidc. | `string` | n/a | yes |
+| <a name="input_bucket_location"></a> [bucket\_location](#input\_bucket\_location) | The location of the tf state bucket. | `string` | n/a | yes |
+| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | The name of the tf state bucket. | `string` | n/a | yes |
+| <a name="input_enterprise_id"></a> [enterprise\_id](#input\_enterprise\_id) | The id of the enterprise account to create the organization under. | `string` | n/a | yes |
+| <a name="input_gcp_project_id"></a> [gcp\_project\_id](#input\_gcp\_project\_id) | The id of the gcp project where secret manager was setup. | `string` | n/a | yes |
+| <a name="input_gcp_tf_state_bucket_project_id"></a> [gcp\_tf\_state\_bucket\_project\_id](#input\_gcp\_tf\_state\_bucket\_project\_id) | The id of the gcp project where the tf state bucket was setup. | `string` | n/a | yes |
+| <a name="input_github_foundations_organization_name"></a> [github\_foundations\_organization\_name](#input\_github\_foundations\_organization\_name) | The name of the organization to create. | `string` | n/a | yes |
+| <a name="input_organization_workload_identity_sa"></a> [organization\_workload\_identity\_sa](#input\_organization\_workload\_identity\_sa) | The service account to use for the organization repository oidc. | `string` | n/a | yes |
+| <a name="input_workload_identity_provider_name"></a> [workload\_identity\_provider\_name](#input\_workload\_identity\_provider\_name) | The name of the workload identity provider to use for the oidc of the github foundation repositories. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_foundation_dev_team_id"></a> [foundation\_dev\_team\_id](#output\_foundation\_dev\_team\_id) | n/a |

modules/foundations-github-organization/action-variables.tf

@@ -0,0 +1,71 @@
+resource "github_actions_variable" "organization_workload_identity_sa" {
+  provider = github.foundation_org_scoped
+
+  repository    = github_repository.organizations_repo.name
+  variable_name = "GCP_SERVICE_ACCOUNT"
+  value         = var.organization_workload_identity_sa
+}
+
+resource "github_actions_variable" "bootstrap_workload_identity_sa" {
+  provider = github.foundation_org_scoped
+
+  repository    = github_repository.bootstrap_repo.name
+  variable_name = "GCP_SERVICE_ACCOUNT"
+  value         = var.bootstrap_workload_identity_sa
+}
+
+resource "github_actions_variable" "gcp_secret_manager_project_id" {
+  provider = github.foundation_org_scoped
+
+  repository    = github_repository.organizations_repo.name
+  variable_name = "GCP_SECRET_MANAGER_PROJECT"
+  value         = var.gcp_project_id
+}
+
+resource "github_actions_organization_variable" "workload_identity_provider" {
+  provider = github.foundation_org_scoped
+
+  variable_name = "WORKLOAD_IDENTITY_PROVIDER"
+  value         = var.workload_identity_provider_name
+  visibility    = "selected"
+  selected_repository_ids = [
+    github_repository.bootstrap_repo.repo_id,
+    github_repository.organizations_repo.repo_id
+  ]
+}
+
+resource "github_actions_organization_variable" "tf_state_bucket_project_id" {
+  provider = github.foundation_org_scoped
+
+  variable_name = "TF_STATE_BUCKET_PROJECT_ID"
+  value         = var.gcp_tf_state_bucket_project_id
+  visibility    = "selected"
+  selected_repository_ids = [
+    github_repository.bootstrap_repo.repo_id,
+    github_repository.organizations_repo.repo_id
+  ]
+}
+
+resource "github_actions_organization_variable" "tf_state_bucket_name" {
+  provider = github.foundation_org_scoped
+
+  variable_name = "TF_STATE_BUCKET_NAME"
+  value         = var.bucket_name
+  visibility    = "selected"
+  selected_repository_ids = [
+    github_repository.bootstrap_repo.repo_id,
+    github_repository.organizations_repo.repo_id
+  ]
+}
+
+resource "github_actions_organization_variable" "tf_state_bucket_location" {
+  provider = github.foundation_org_scoped
+
+  variable_name = "TF_STATE_BUCKET_LOCATION"
+  value         = var.bucket_location
+  visibility    = "selected"
+  selected_repository_ids = [
+    github_repository.bootstrap_repo.repo_id,
+    github_repository.organizations_repo.repo_id
+  ]
+}

modules/foundations-github-organization/organization.tf

@@ -0,0 +1,11 @@
+resource "github_enterprise_organization" "github-foundations" {
+  provider = github.enterprise_scoped
+
+  enterprise_id = var.enterprise_id
+  name          = var.github_foundations_organization_name
+  display_name  = "Github Foundations"
+  description   = "Organization created to host github foundation toolkit repositories"
+  billing_email = var.billing_email
+  admin_logins  = var.admin_logins
+}
+

modules/foundations-github-organization/outputs.tf

@@ -0,0 +1,3 @@
+output "foundation_dev_team_id" {
+    value = github_team.foundation_devs.id
+}

modules/foundations-github-organization/repositories.tf

@@ -0,0 +1,116 @@
+locals {
+  repos_with_drift_detection = [github_repository.organizations_repo]
+}
+
+#Creates the repository for the bootstrap layer
+resource "github_repository" "bootstrap_repo" {
+  provider = github.foundation_org_scoped
+  #TODO: figure out what seems to be a race condition between repository creation and organization creation
+  depends_on = [github_enterprise_organization.github-foundations]
+
+  name        = "bootstrap"
+  description = "The repository for the bootstrap layer of the foundations. This repository contains the Terraform code to setup the github organization for the foundation repositories, create the GCP project, the GCP service account, the GCP secret manager secrets, and the GCP storage bucket for the state files."
+
+  visibility = "private"
+
+  auto_init              = true
+  delete_branch_on_merge = true
+  vulnerability_alerts   = true
+}
+
+resource "github_repository_collaborators" "bootstrap_repo_collaborators" {
+  provider = github.foundation_org_scoped
+  repository = github_repository.bootstrap_repo.name
+
+  team {
+    permission = "push"
+    team_id    = github_team.foundation_devs.id
+  }
+}
+
+resource "github_branch_protection" "protect_bootstrap_main" {
+  provider = github.foundation_org_scoped
+
+  repository_id = github_repository.bootstrap_repo.id
+
+  pattern          = "main"
+  enforce_admins   = true
+  allows_deletions = false
+
+  # TODO: Add a required check for the terrafom apply workflow
+  required_status_checks {
+    strict = true
+  }
+
+  required_pull_request_reviews {
+    dismiss_stale_reviews           = true
+    restrict_dismissals             = true
+    required_approving_review_count = 1
+    require_last_push_approval      = true
+  }
+}
+
+#Creates the repository for the organizations layer
+resource "github_repository" "organizations_repo" {
+  provider   = github.foundation_org_scoped
+  depends_on = [github_enterprise_organization.github-foundations]
+
+  name        = "organizations"
+  description = "The repository for the organizations layer of the foundations. This repository contains the Terraform code to manage github organizations under the enterprise account and their repositories, teams, and members."
+
+  visibility = "private"
+
+  auto_init              = true
+  delete_branch_on_merge = true
+  vulnerability_alerts   = true
+  has_issues             = true
+}
+
+resource "github_repository_collaborators" "organization_repo_collaborators" {
+  provider = github.foundation_org_scoped
+  repository = github_repository.organizations_repo.name
+
+  team {
+    permission = "push"
+    team_id    = github_team.foundation_devs.id
+  }
+}
+
+
+resource "github_branch_protection" "protect_organization_main" {
+  provider = github.foundation_org_scoped
+
+  repository_id = github_repository.organizations_repo.id
+
+  pattern          = "main"
+  enforce_admins   = true
+  allows_deletions = false
+
+  required_status_checks {
+    strict = true
+  }
+
+  required_pull_request_reviews {
+    dismiss_stale_reviews           = true
+    restrict_dismissals             = true
+    required_approving_review_count = 1
+    require_last_push_approval      = true
+  }
+}
+
+resource "github_issue_labels" "drift_labels" {
+  for_each = { for idx, val in local.repos_with_drift_detection : idx => val }
+  provider = github.foundation_org_scoped
+
+  repository = each.value.name
+
+  label {
+    name  = "Action Required"
+    color = "FF0000"
+  }
+
+  label {
+    name  = "Re-Apply"
+    color = "0800FF"
+  }
+}

modules/foundations-github-organization/teams.tf

@@ -0,0 +1,7 @@
+resource "github_team" "foundation_devs" {
+  provider = github.foundation_org_scoped
+
+  name        = "foundation-devs"
+  description = "Team members with write access to the foundation repositories"
+  privacy     = "closed"
+}

modules/foundations-github-organization/variables.tf

@@ -0,0 +1,55 @@
+variable "enterprise_id" {
+  type        = string
+  description = "The id of the enterprise account to create the organization under."
+}
+
+variable "github_foundations_organization_name" {
+  type        = string
+  description = "The name of the organization to create."
+}
+
+variable "billing_email" {
+  type        = string
+  description = "The email to use for the organizations billing."
+}
+
+variable "admin_logins" {
+  type        = list(string)
+  description = "List of organization owner usernames."
+}
+
+variable "workload_identity_provider_name" {
+  type        = string
+  description = "The name of the workload identity provider to use for the oidc of the github foundation repositories."
+}
+
+variable "bootstrap_workload_identity_sa" {
+  type        = string
+  description = "The service account to use for the bootstrap repository oidc."
+}
+
+variable "organization_workload_identity_sa" {
+  type        = string
+  description = "The service account to use for the organization repository oidc."
+}
+
+variable "gcp_project_id" {
+  type        = string
+  description = "The id of the gcp project where secret manager was setup."
+
+}
+
+variable "gcp_tf_state_bucket_project_id" {
+  type        = string
+  description = "The id of the gcp project where the tf state bucket was setup."
+}
+
+variable "bucket_name" {
+  type        = string
+  description = "The name of the tf state bucket."
+}
+
+variable "bucket_location" {
+  type        = string
+  description = "The location of the tf state bucket."
+}

modules/foundations-github-organization/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3"
+  required_providers {
+    github = {
+      source                = "hashicorp/github"
+      version               = "5.44.0"
+      configuration_aliases = [github.enterprise_scoped, github.foundation_org_scoped]
+    }
+  }
+}