From 07fea22df7603c94707ee0bfdf6fa2f3d83dbff3 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Thu, 7 Mar 2024 15:59:31 -0500 Subject: [PATCH 01/15] added coalesce function calls --- modules/organization_secrets/secrets.tf | 2 +- modules/repository_base/environments.tf | 2 +- modules/repository_base/secrets.tf | 12 ++++++------ 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/modules/organization_secrets/secrets.tf b/modules/organization_secrets/secrets.tf index 844c193..5a250cd 100644 --- a/modules/organization_secrets/secrets.tf +++ b/modules/organization_secrets/secrets.tf @@ -3,7 +3,7 @@ locals { sanitized_action_secrets = merge( var.organization_action_secrets, { - for k, v in var.var.organization_action_secrets : k => { + for k, v in var.organization_action_secrets : k => { encrypted_value = v.encrypted_value visibility = v.visibility selected_repositories = coalesce(v.selected_repositories, []) diff --git a/modules/repository_base/environments.tf b/modules/repository_base/environments.tf index 90c9211..169ba98 100644 --- a/modules/repository_base/environments.tf +++ b/modules/repository_base/environments.tf @@ -1,5 +1,5 @@ resource "github_repository_environment" "environemnt" { - for_each = toset(keys(var.environments)) + for_each = toset(keys(coalesce(var.environments, {}))) repository = github_repository.repository.name environment = each.value } diff --git a/modules/repository_base/secrets.tf b/modules/repository_base/secrets.tf index 9f75449..ccfa129 100644 --- a/modules/repository_base/secrets.tf +++ b/modules/repository_base/secrets.tf 
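Review bot: With the `var.var.` typo fixed, the comprehension on the added line iterates every key of `var.organization_action_secrets`, so the enclosing `merge(var.organization_action_secrets, { ... })` contributes nothing: each entry from the first argument is overwritten by the normalized object built from the same entry in the second. Unless the comprehension carries an `if` filter beyond the end of the hunk, the local can be the comprehension alone, `sanitized_action_secrets = { for k, v in var.organization_action_secrets : k => { ... } }`, which also makes it obvious that every organization secret passes through the normalization. The `locals` block continues outside the hunk.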
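Review bot: The `coalesce(var.environments, {})` wrapper added on the `for_each` line, like the three identical wrappers on the secret maps in this patch's secrets.tf hunk, compensates for a variable that admits null; if the declaration (not in this series) can use `default = {}` together with `nullable = false` (Terraform 1.1 or later), the wrappers become unnecessary and null can no longer reach the comprehensions at all. Separately, `toset(keys(...))` discards the map only to rebuild the same string keys; `for_each = coalesce(var.environments, {})` with `environment = each.key` yields the same instance addresses with one less conversion.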
@@ -1,15 +1,15 @@ locals { - environment_actions_secrets = try(concat(values({ - for env_name, env in var.environments : env_name => [for secret_name, secret in env.action_secrets : { + environment_actions_secrets = concat(values({ + for env_name, env in coalesce(var.environments, {}) : env_name => [for secret_name, secret in env.action_secrets : { name = secret_name encrypted_value = secret environment = env_name }] if env.action_secrets != null - })), []) + })) } resource "github_actions_secret" "actions_secret" { - for_each = var.action_secrets + for_each = coalesce(var.action_secrets, {}) repository = github_repository.repository.name secret_name = each.key @@ -17,7 +17,7 @@ resource "github_actions_secret" "actions_secret" { } resource "github_codespaces_secret" "codespaces_secret" { - for_each = var.codespace_secrets + for_each = coalesce(var.codespace_secrets, {}) repository = github_repository.repository.name secret_name = each.key @@ -25,7 +25,7 @@ resource "github_codespaces_secret" "codespaces_secret" { } resource "github_dependabot_secret" "dependabot_secret" { - for_each = var.dependabot_secrets + for_each = coalesce(var.dependabot_secrets, {}) repository = github_repository.repository.name secret_name = each.key From f39fbb3d805c22b82050119b6fd33e5a20cbbaf3 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Thu, 7 Mar 2024 16:05:00 -0500 Subject: [PATCH 02/15] attempting to flatten first --- modules/repository_base/secrets.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/repository_base/secrets.tf b/modules/repository_base/secrets.tf index ccfa129..c3323d2 100644 --- a/modules/repository_base/secrets.tf +++ b/modules/repository_base/secrets.tf 
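Review bot: The new `for_each = coalesce(var.action_secrets, {})` (and the codespace and dependabot lines further down this hunk) drives instance keys from a map whose values are the secrets' encrypted payloads, and how that behaves depends on the variable declaration, which is not part of this series. If `var.action_secrets` is declared `sensitive = true`, Terraform rejects the expression because sensitive values cannot be `for_each` arguments; if it is not, the map values travel through plan output and state without redaction wherever the provider schema does not mark the target attribute sensitive. A shape that only iterates the names sidesteps both, e.g. `for_each = toset(keys(coalesce(var.action_secrets, {})))` with `encrypted_value = var.action_secrets[each.key]`, wrapping the key set in `nonsensitive(...)` only when the variable is sensitive. The flattened `local.environment_action_secrets_list` introduced in patch 09 has the same property.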
@@ -1,11 +1,11 @@ locals { - environment_actions_secrets = concat(values({ - for env_name, env in coalesce(var.environments, {}) : env_name => [for secret_name, secret in env.action_secrets : { + environment_actions_secrets = flatten([ + for env_name, env in coalesce(var.environments, {}) : [for secret_name, secret in env.action_secrets : { name = secret_name encrypted_value = secret environment = env_name }] if env.action_secrets != null - })) + ]) } resource "github_actions_secret" "actions_secret" { From 66af71d931f7377e68ee9580b9dff0ee46a9cc74 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Thu, 7 Mar 2024 16:06:01 -0500 Subject: [PATCH 03/15] convert to set --- modules/repository_base/secrets.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/repository_base/secrets.tf b/modules/repository_base/secrets.tf index c3323d2..9d5c369 100644 --- a/modules/repository_base/secrets.tf +++ b/modules/repository_base/secrets.tf @@ -33,7 +33,7 @@ resource "github_dependabot_secret" "dependabot_secret" { } resource "github_actions_environment_secret" "environment_secret" { - for_each = local.environment_actions_secrets + for_each = toset(local.environment_actions_secrets) repository = var.name environment = each.value.environment encrypted_value = each.value.encrypted_value From c5ac38f36901a63bdba7acb92354113d4cdfa60f Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Thu, 7 Mar 2024 16:08:19 -0500 Subject: [PATCH 04/15] double flatten --- modules/repository_base/secrets.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/repository_base/secrets.tf b/modules/repository_base/secrets.tf index 9d5c369..a912a7a 100644 --- a/modules/repository_base/secrets.tf +++ b/modules/repository_base/secrets.tf 
@@ -1,11 +1,11 @@ locals { - environment_actions_secrets = flatten([ + environment_actions_secrets = flatten(flatten([ for env_name, env in coalesce(var.environments, {}) : [for secret_name, secret in env.action_secrets : { name = secret_name encrypted_value = secret environment = env_name }] if env.action_secrets != null - ]) + ])) } resource "github_actions_secret" "actions_secret" { From 6c3bada42113af7078157e8a41c6f41bebcc737a Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Thu, 7 Mar 2024 16:11:13 -0500 Subject: [PATCH 05/15] attempting to conver to list --- modules/repository_base/secrets.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/repository_base/secrets.tf b/modules/repository_base/secrets.tf index a912a7a..8ea9ccb 100644 --- a/modules/repository_base/secrets.tf +++ b/modules/repository_base/secrets.tf @@ -1,11 +1,11 @@ locals { - environment_actions_secrets = flatten(flatten([ - for env_name, env in coalesce(var.environments, {}) : [for secret_name, secret in env.action_secrets : { + environment_actions_secrets = flatten([ + for env_name, env in coalesce(var.environments, {}) : tolist([for secret_name, secret in env.action_secrets : { name = secret_name encrypted_value = secret environment = env_name - }] if env.action_secrets != null - ])) + }]) if env.action_secrets != null + ]) } resource "github_actions_secret" "actions_secret" { From af0c2e889aaa24efb57d3e2d1ade62c542ccdc8d Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Thu, 7 Mar 2024 16:17:47 -0500 Subject: [PATCH 06/15] removed list conversion --- modules/repository_base/secrets.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/repository_base/secrets.tf b/modules/repository_base/secrets.tf index 8ea9ccb..ddd858b 100644 --- a/modules/repository_base/secrets.tf +++ b/modules/repository_base/secrets.tf 
@@ -1,10 +1,10 @@ locals { environment_actions_secrets = flatten([ - for env_name, env in coalesce(var.environments, {}) : tolist([for secret_name, secret in env.action_secrets : { + for env_name, env in coalesce(var.environments, {}) : [for secret_name, secret in env.action_secrets : { name = secret_name encrypted_value = secret environment = env_name - }]) if env.action_secrets != null + }] if env.action_secrets != null ]) } From b15c0a2750378b4503592f1fcba5d7733bb551f0 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Thu, 7 Mar 2024 16:31:01 -0500 Subject: [PATCH 07/15] trying a two step approach --- modules/repository_base/secrets.tf | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/modules/repository_base/secrets.tf b/modules/repository_base/secrets.tf index ddd858b..4d30cb2 100644 --- a/modules/repository_base/secrets.tf +++ b/modules/repository_base/secrets.tf @@ -1,11 +1,15 @@ locals { - environment_actions_secrets = flatten([ - for env_name, env in coalesce(var.environments, {}) : [for secret_name, secret in env.action_secrets : { - name = secret_name - encrypted_value = secret + action_secrets_per_environment = { + for env_name, env in coalesce(var.environments, {}): env_name => [ for secret_name, secret_value in env.var.action_secrets : { name = secret_name, encrypted_value = secret_value}] if env.action_secrets != null + } + + environment_action_secrets = { + for env_name, secrets in local.action_secrets_per_environment: "${env_name}:${secrets[*].name}" => { environment = env_name - }] if env.action_secrets != null - ]) + name = secrets[*].name + value = secrets[*].encrypted_value + } + } } resource "github_actions_secret" "actions_secret" { 
@@ -33,7 +37,7 @@ resource "github_dependabot_secret" "dependabot_secret" { } resource "github_actions_environment_secret" "environment_secret" { - for_each = toset(local.environment_actions_secrets) + for_each = local.environment_action_secrets repository = var.name environment = each.value.environment encrypted_value = each.value.encrypted_value From ae9272c91381102f4b0b7613e8e81ba8e28926d2 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Thu, 7 Mar 2024 16:32:00 -0500 Subject: [PATCH 08/15] I hate autocomplete --- modules/repository_base/secrets.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/repository_base/secrets.tf b/modules/repository_base/secrets.tf index 4d30cb2..5419a34 100644 --- a/modules/repository_base/secrets.tf +++ b/modules/repository_base/secrets.tf @@ -1,6 +1,6 @@ locals { action_secrets_per_environment = { - for env_name, env in coalesce(var.environments, {}): env_name => [ for secret_name, secret_value in env.var.action_secrets : { name = secret_name, encrypted_value = secret_value}] if env.action_secrets != null + for env_name, env in coalesce(var.environments, {}): env_name => [ for secret_name, secret_value in env.action_secrets : { name = secret_name, encrypted_value = secret_value}] if env.action_secrets != null } environment_action_secrets = { From cfacb99130ca21df402767c0690257e69563b5c7 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Fri, 8 Mar 2024 08:48:30 -0500 Subject: [PATCH 09/15] two variables to convert into map --- modules/repository_base/secrets.tf | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/modules/repository_base/secrets.tf b/modules/repository_base/secrets.tf index 5419a34..fbd3ddc 100644 --- a/modules/repository_base/secrets.tf +++ b/modules/repository_base/secrets.tf 
@@ -1,13 +1,14 @@ locals { - action_secrets_per_environment = { - for env_name, env in coalesce(var.environments, {}): env_name => [ for secret_name, secret_value in env.action_secrets : { name = secret_name, encrypted_value = secret_value}] if env.action_secrets != null - } - - environment_action_secrets = { - for env_name, secrets in local.action_secrets_per_environment: "${env_name}:${secrets[*].name}" => { - environment = env_name - name = secrets[*].name - value = secrets[*].encrypted_value + environment_action_secrets_list = flatten([ + for env_name, env in coalesce(var.environments, {}) : [for secret_name, secret_value in env.action_secrets : { name = secret_name, encrypted_value = secret_value, environment = env_name }] if env.action_secrets != null + ]) + + # Terraform can't loop over a list of objects so we convert it into a map + environment_action_secrets_map = { + for environment_secret in local.environment_action_secrets_list : "${env_name}:${environment_secret.name}" => { + environment = environment_secret.environment + name = environment_secret.name + value = environment_secret.encrypted_value } } } @@ -37,7 +38,7 @@ resource "github_dependabot_secret" "dependabot_secret" { } resource "github_actions_environment_secret" "environment_secret" { - for_each = local.environment_action_secrets + for_each = local.environment_action_secrets_map repository = var.name environment = each.value.environment encrypted_value = each.value.encrypted_value From e784c2ea3d10b07ac2a125499f6028053e676270 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Fri, 8 Mar 2024 08:49:34 -0500 Subject: [PATCH 10/15] bad var --- modules/repository_base/secrets.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/repository_base/secrets.tf b/modules/repository_base/secrets.tf index fbd3ddc..09cc5d2 100644 --- a/modules/repository_base/secrets.tf +++ b/modules/repository_base/secrets.tf 
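Review bot: The added comment `# Terraform can't loop over a list of objects so we convert it into a map` overstates the restriction: `for` expressions iterate lists fine, it is `for_each` that accepts only a map or a set of strings and needs a stable string key per instance. Suggest `# for_each needs a map or set of strings; key each secret by "<environment>:<name>" so instance addresses stay stable when the list is reordered`. The first added line also packs the nested `for`, the object literal and the `if` filter onto one line; `terraform fmt` will not split it, so restoring the multi-line layout the removed lines had would help the next reader.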
@@ -5,7 +5,7 @@ locals { # Terraform can't loop over a list of objects so we convert it into a map environment_action_secrets_map = { - for environment_secret in local.environment_action_secrets_list : "${env_name}:${environment_secret.name}" => { + for environment_secret in local.environment_action_secrets_list : "${environment_secret.environment}:${environment_secret.name}" => { environment = environment_secret.environment name = environment_secret.name value = environment_secret.encrypted_value From 1a3b77aa68997d59c7a0b8fb71d0f531820e6a81 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Fri, 8 Mar 2024 08:51:01 -0500 Subject: [PATCH 11/15] wake up tyler --- modules/repository_base/secrets.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/repository_base/secrets.tf b/modules/repository_base/secrets.tf index 09cc5d2..06f062e 100644 --- a/modules/repository_base/secrets.tf +++ b/modules/repository_base/secrets.tf @@ -6,9 +6,9 @@ locals { # Terraform can't loop over a list of objects so we convert it into a map environment_action_secrets_map = { for environment_secret in local.environment_action_secrets_list : "${environment_secret.environment}:${environment_secret.name}" => { - environment = environment_secret.environment - name = environment_secret.name - value = environment_secret.encrypted_value + environment = environment_secret.environment + name = environment_secret.name + encrypted_value = environment_secret.encrypted_value } } } From 7529408adbe46a4249d7d1aff58411a6acbf4b30 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Fri, 8 Mar 2024 08:56:39 -0500 Subject: [PATCH 12/15] added depends on --- modules/repository_base/secrets.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/repository_base/secrets.tf b/modules/repository_base/secrets.tf index 06f062e..5bdcab3 100644 --- a/modules/repository_base/secrets.tf +++ b/modules/repository_base/secrets.tf 
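Review bot: After this rename the map value `{ environment, name, encrypted_value }` is a field-for-field copy of the element of `local.environment_action_secrets_list` it is built from, so the object literal can go: `for environment_secret in local.environment_action_secrets_list : "${environment_secret.environment}:${environment_secret.name}" => environment_secret`. That also removes the possibility of the two shapes drifting apart again, which is the class of mistake this patch corrects. The `locals` block continues outside the hunk.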
@@ -39,6 +39,7 @@ resource "github_dependabot_secret" "dependabot_secret" { resource "github_actions_environment_secret" "environment_secret" { for_each = local.environment_action_secrets_map + depends_on = [ github_repository_environment.environemnt[*] ] repository = var.name environment = each.value.environment encrypted_value = each.value.encrypted_value From 00778d55dd66c4bbfe283f2bff918e788ad8120c Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Fri, 8 Mar 2024 08:57:49 -0500 Subject: [PATCH 13/15] reference single env --- modules/repository_base/secrets.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/repository_base/secrets.tf b/modules/repository_base/secrets.tf index 5bdcab3..702ef6a 100644 --- a/modules/repository_base/secrets.tf +++ b/modules/repository_base/secrets.tf @@ -39,7 +39,7 @@ resource "github_dependabot_secret" "dependabot_secret" { resource "github_actions_environment_secret" "environment_secret" { for_each = local.environment_action_secrets_map - depends_on = [ github_repository_environment.environemnt[*] ] + depends_on = [ github_repository_environment.environemnt["${each.value.environment}"] ] repository = var.name environment = each.value.environment encrypted_value = each.value.encrypted_value From 3365a0acdaf0bb38cd79187a7f4a43c5b7381e9f Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Fri, 8 Mar 2024 09:01:01 -0500 Subject: [PATCH 14/15] fixed typo and trying immplicit depends --- modules/repository_base/environments.tf | 2 +- modules/repository_base/secrets.tf | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/modules/repository_base/environments.tf b/modules/repository_base/environments.tf index 169ba98..08c3f60 100644 --- a/modules/repository_base/environments.tf +++ b/modules/repository_base/environments.tf 
@@ -1,4 +1,4 @@ -resource "github_repository_environment" "environemnt" { +resource "github_repository_environment" "environment" { for_each = toset(keys(coalesce(var.environments, {}))) repository = github_repository.repository.name environment = each.value diff --git a/modules/repository_base/secrets.tf b/modules/repository_base/secrets.tf index 702ef6a..dd73ce2 100644 --- a/modules/repository_base/secrets.tf +++ b/modules/repository_base/secrets.tf @@ -39,9 +39,8 @@ resource "github_dependabot_secret" "dependabot_secret" { resource "github_actions_environment_secret" "environment_secret" { for_each = local.environment_action_secrets_map - depends_on = [ github_repository_environment.environemnt["${each.value.environment}"] ] repository = var.name - environment = each.value.environment + environment = github_repository_environment.environment["${each.value.environment}"].environment encrypted_value = each.value.encrypted_value secret_name = each.value.name } From 90239f8dbdfbd4acbc3c41a309146f2b9666cd9c Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 8 Mar 2024 14:01:22 +0000 Subject: [PATCH 15/15] terraform-docs: automated action --- modules/repository_base/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/repository_base/README.md b/modules/repository_base/README.md index 721e0b1..2240c6b 100644 --- a/modules/repository_base/README.md +++ b/modules/repository_base/README.md 
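Review bot: Renaming the resource from `environemnt` to `environment` changes every instance address, and without a `moved` block Terraform plans a destroy of each existing environment followed by a create; the environment secrets that now reference it in this patch's secrets.tf hunk would be replaced along with it, and anything configured on those GitHub environments outside this module would presumably go with them. On Terraform 1.1 or later a `moved` block in the module keeps the state entries; on older versions the same is achieved with `terraform state mv` per instance before applying. The README hunk in patch 15 records the rename only in documentation, so nothing else in the series covers this.
```hcl
moved {
  from = github_repository_environment.environemnt
  to   = github_repository_environment.environment
}
```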
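Review bot: The new `environment = github_repository_environment.environment["${each.value.environment}"].environment` wraps the index in an interpolation-only string, which Terraform treats as legacy syntax; `github_repository_environment.environment[each.value.environment].environment` is the same value and keeps the implicit dependency that replaces the removed `depends_on`. The resource also still uses `repository = var.name` (context line) while `github_actions_secret`, `github_codespaces_secret` and `github_dependabot_secret` in patch 01 use `github_repository.repository.name`; the repository dependency is now transitive through the environment resource, but the two spellings invite divergence if `var.name` and the created repository's name ever differ, so `repository = github_repository.repository.name` would be the consistent choice.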
@@ -27,7 +27,7 @@ No modules. | [github_repository.repository](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/repository) | resource | | [github_repository_collaborators.collaborators](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/repository_collaborators) | resource | | [github_repository_dependabot_security_updates.automated_security_fixes](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/repository_dependabot_security_updates) | resource | -| [github_repository_environment.environemnt](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/repository_environment) | resource | +| [github_repository_environment.environment](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/repository_environment) | resource | | [github_repository_ruleset.protected_branch_base_rules](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/repository_ruleset) | resource | ## Inputs