From 2c4124a9a59acf96cea5f5f2fba4d8e4c61dadf0 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Fri, 8 Mar 2024 10:52:36 -0500 Subject: [PATCH 01/13] modified it so the organization module makes all the organization secrets --- modules/organization/secrets.tf | 42 +++++++++++-- modules/organization_secrets/README.md | 37 ------------ modules/organization_secrets/secrets.tf | 74 ----------------------- modules/organization_secrets/variables.tf | 29 --------- modules/organization_secrets/versions.tf | 9 --- 5 files changed, 36 insertions(+), 155 deletions(-) delete mode 100644 modules/organization_secrets/README.md delete mode 100644 modules/organization_secrets/secrets.tf delete mode 100644 modules/organization_secrets/variables.tf delete mode 100644 modules/organization_secrets/versions.tf diff --git a/modules/organization/secrets.tf b/modules/organization/secrets.tf index e4bad94..864c9ff 100644 --- a/modules/organization/secrets.tf +++ b/modules/organization/secrets.tf 
@@ -1,7 +1,37 @@
-module "organization_secrets" {
- source = "../organization_secrets"
+resource "github_actions_organization_secret" "action_secret" {
+ for_each = var.actions_secrets
- organization_action_secrets = var.actions_secrets
- organization_codespace_secrets = var.codespaces_secrets
- organization_dependabot_secrets = var.dependabot_secrets
-}
\ No newline at end of file
+ secret_name = each.key
+ encrypted_value = each.value.encrypted_value
+ visibility = each.value.visibility
+ selected_repository_ids = []
+
+ lifecycle {
+ ignore_changes = [selected_repository_ids]
+ }
+}
+
+resource "github_codespaces_organization_secret" "codespace_secret" {
+ for_each = var.codespaces_secrets
+
+ secret_name = each.key
+ encrypted_value = each.value.encrypted_value
+ visibility = each.value.visibility
+ selected_repository_ids = []
+
+ lifecycle {
+ ignore_changes = [selected_repository_ids]
+ }
+}
+
+resource "github_dependabot_organization_secret" "dependabot_secret" {
+ for_each = var.dependabot_secrets
+ secret_name = each.key
+ encrypted_value = each.value.encrypted_value
+ visibility = each.value.visibility
+ selected_repository_ids = []
+
+ lifecycle {
+ ignore_changes = [selected_repository_ids]
+ }
+}
diff --git a/modules/organization_secrets/README.md b/modules/organization_secrets/README.md
deleted file mode 100644
index 87330a1..0000000
--- a/modules/organization_secrets/README.md
+++ /dev/null
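Review bot: The `ignore_changes = [selected_repository_ids]` on all three resources means that once a `selected`-visibility secret is created with an empty list, a repository grant added later in the GitHub UI is invisible to `terraform plan` unless some `github_*_organization_secret_repositories` resource elsewhere claims that secret; for a `selected` secret that no repository references, out-of-band grants are never detected or reverted. That ownership split is deliberate but undocumented, so each resource should carry a comment such as `# selected_repository_ids is owned by github_*_organization_secret_repositories in the repository_set module; grants on a selected secret no repository references are not reported as drift`. It also looks like the repository-side resources can only be applied after these secrets exist, and nothing in this module expresses that ordering, so the root module presumably needs a `depends_on` between the two — confirm against the caller.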
@@ -1,37 +0,0 @@ -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.7.1 | -| [github](#requirement\_github) | 5.42.0 | - -## Providers - -| Name | Version | -|------|---------| -| [github](#provider\_github) | 5.42.0 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [github_actions_organization_secret.action_secret](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/actions_organization_secret) | resource | -| [github_codespaces_organization_secret.codespace_secret](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/codespaces_organization_secret) | resource | -| [github_dependabot_organization_secret.dependabot_secret](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/dependabot_organization_secret) | resource | -| [github_repository.selected_repositories](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/data-sources/repository) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [organization\_action\_secrets](#input\_organization\_action\_secrets) | A map of organization-level GitHub action secrets to create. The key is the name of the secret and the value is an object describing how to create the secret. If visibility is set to `selected` then `selected_repositories` must be set to a list of repository names to make the secret available. |
map(object({
encrypted_value = string
visibility = string
selected_repositories = optional(list(string))
}))
| `{}` | no | -| [organization\_codespace\_secrets](#input\_organization\_codespace\_secrets) | A map of organization-level GitHub codespace secrets to create. The key is the name of the secret and the value is an object describing how to create the secret. If visibility is set to `selected` then `selected_repositories` must be set to a list of repository names to make the secret available. |
map(object({
encrypted_value = string
visibility = string
selected_repositories = optional(list(string))
}))
| `{}` | no | -| [organization\_dependabot\_secrets](#input\_organization\_dependabot\_secrets) | A map of organization-level dependabot secrets to create. The key is the name of the secret and the value is an object describing how to create the secret. If visibility is set to `selected` then `selected_repositories` must be set to a list of repository names to make the secret available. |
map(object({
encrypted_value = string
visibility = string
selected_repositories = optional(list(string))
}))
| `{}` | no | - -## Outputs - -No outputs. \ No newline at end of file diff --git a/modules/organization_secrets/secrets.tf b/modules/organization_secrets/secrets.tf deleted file mode 100644 index e00e9fb..0000000 --- a/modules/organization_secrets/secrets.tf +++ /dev/null 
@@ -1,74 +0,0 @@ -locals { - # If no selected repositories are set then sets the field to an empty list - sanitized_action_secrets = merge( - var.organization_action_secrets, - { - for k, v in var.organization_action_secrets : k => { - encrypted_value = v.encrypted_value - visibility = v.visibility - selected_repositories = coalesce(v.selected_repositories, []) - } if v.visibility == "selected" - } - ) - sanitized_codespace_secrets = merge( - var.organization_codespace_secrets, - { - for k, v in var.organization_codespace_secrets : k => { - encrypted_value = v.encrypted_value - visibility = v.visibility - selected_repositories = coalesce(v.selected_repositories, []) - } if v.visibility == "selected" - } - ) - sanitized_dependabot_secrets = merge( - var.organization_dependabot_secrets, - { - for k, v in var.organization_dependabot_secrets : k => { - encrypted_value = v.encrypted_value - visibility = v.visibility - selected_repositories = coalesce(v.selected_repositories, []) - } if v.visibility == "selected" - } - ) - - - all_selected_repositories = { - for repo in concat( - flatten([for secret in values(var.organization_action_secrets) : secret.selected_repositories if secret.visibility == "selected" && secret.selected_repositories != null]), - flatten([for secret in values(var.organization_codespace_secrets) : secret.selected_repositories if secret.visibility == "selected" && secret.selected_repositories != null]), - flatten([for secret in values(var.organization_dependabot_secrets) : secret.selected_repositories if secret.visibility == "selected" && secret.selected_repositories != null]) - ) : repo => repo - } -} - -data "github_repository" "selected_repositories" { - for_each = local.all_selected_repositories - name = each.value -} - -resource "github_actions_organization_secret" "action_secret" { - for_each = local.sanitized_action_secrets - - secret_name = each.key - encrypted_value = each.value.encrypted_value - visibility = each.value.visibility - 
selected_repository_ids = [for repo in toset(each.value.selected_repositories) : data.github_repository.selected_repositories["${repo}"].repo_id] -} - -resource "github_codespaces_organization_secret" "codespace_secret" { - for_each = local.sanitized_codespace_secrets - - secret_name = each.key - encrypted_value = each.value.encrypted_value - visibility = each.value.visibility - selected_repository_ids = [for repo in toset(each.value.selected_repositories) : data.github_repository.selected_repositories["${repo}"].repo_id] -} - -resource "github_dependabot_organization_secret" "dependabot_secret" { - for_each = local.sanitized_dependabot_secrets - secret_name = each.key - encrypted_value = each.value.encrypted_value - visibility = each.value.visibility - selected_repository_ids = [for repo in toset(each.value.selected_repositories) : data.github_repository.selected_repositories["${repo}"].repo_id] -} - diff --git a/modules/organization_secrets/variables.tf b/modules/organization_secrets/variables.tf deleted file mode 100644 index dbc5082..0000000 --- a/modules/organization_secrets/variables.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -variable "organization_action_secrets" { - type = map(object({ - encrypted_value = string - visibility = string - selected_repositories = optional(list(string)) - })) - description = "A map of organization-level GitHub action secrets to create. The key is the name of the secret and the value is an object describing how to create the secret. If visibility is set to `selected` then `selected_repositories` must be set to a list of repository names to make the secret available." - default = {} -} - -variable "organization_codespace_secrets" { - type = map(object({ - encrypted_value = string - visibility = string - selected_repositories = optional(list(string)) - })) - description = "A map of organization-level GitHub codespace secrets to create. The key is the name of the secret and the value is an object describing how to create the secret. If visibility is set to `selected` then `selected_repositories` must be set to a list of repository names to make the secret available." - default = {} -} - -variable "organization_dependabot_secrets" { - type = map(object({ - encrypted_value = string - visibility = string - selected_repositories = optional(list(string)) - })) - description = "A map of organization-level dependabot secrets to create. The key is the name of the secret and the value is an object describing how to create the secret. If visibility is set to `selected` then `selected_repositories` must be set to a list of repository names to make the secret available." - default = {} -} diff --git a/modules/organization_secrets/versions.tf b/modules/organization_secrets/versions.tf deleted file mode 100644 index d6e8a27..0000000 --- a/modules/organization_secrets/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.7.1" - required_providers { - github = { - source = "integrations/github" - version = "5.42.0" - } - } -} \ No newline at end of file From 5b2a037f6e9a5baba7039d5247f2bc9dbff5792e Mon Sep 17 00:00:00 2001 
From: Tyler Mizuyabu Date: Fri, 8 Mar 2024 10:52:41 -0500 Subject: [PATCH 02/13] update repository set --- modules/private_repository/outputs.tf | 4 ++++ modules/public_repository/outputs.tf | 4 ++++ modules/repository_base/outputs.tf | 4 ++++ .../repository_set/organization-secrets.tf | 20 +++++++++++++++++++ modules/repository_set/variables.tf | 18 +++++++++++------ 5 files changed, 44 insertions(+), 6 deletions(-) create mode 100644 modules/private_repository/outputs.tf create mode 100644 modules/public_repository/outputs.tf create mode 100644 modules/repository_base/outputs.tf create mode 100644 modules/repository_set/organization-secrets.tf diff --git a/modules/private_repository/outputs.tf b/modules/private_repository/outputs.tf new file mode 100644 index 0000000..0d1a523 --- /dev/null +++ b/modules/private_repository/outputs.tf @@ -0,0 +1,4 @@ +output "id" { + value = module.repository_base.id + description = "The ID of the repository" +} \ No newline at end of file diff --git a/modules/public_repository/outputs.tf b/modules/public_repository/outputs.tf new file mode 100644 index 0000000..0d1a523 --- /dev/null +++ b/modules/public_repository/outputs.tf @@ -0,0 +1,4 @@ +output "id" { + value = module.repository_base.id + description = "The ID of the repository" +} \ No newline at end of file diff --git a/modules/repository_base/outputs.tf b/modules/repository_base/outputs.tf new file mode 100644 index 0000000..4ece1a5 --- /dev/null +++ b/modules/repository_base/outputs.tf @@ -0,0 +1,4 @@ +output "id" { + value = github_repository.repository.id + description = "The ID of the repository" +} \ No newline at end of file diff --git a/modules/repository_set/organization-secrets.tf b/modules/repository_set/organization-secrets.tf new file mode 100644 index 0000000..bc51410 --- /dev/null +++ b/modules/repository_set/organization-secrets.tf 
@@ -0,0 +1,20 @@
+locals {
+ organization_action_secrets = distinct(flatten(concat(
+ [for _, repo in var.var.public_repositories : repo.organization_action_secrets if repo.organization_action_secrets != null],
+ [for _, repo in var.var.private_repositories : repo.organization_action_secrets if repo.organization_action_secrets != null]
+ )))
+
+ organization_action_secrets_repository_id_list = {
+ for secret in local.organization_action_secrets : secret => toset(distinct(concat(
+ [for repo_name, repo in var.public_repositories : module.public_repositories["${repo_name}"].repo_id if contains(repo.organization_action_secrets, secret)],
+ [for repo_name, repo in var.private_repositories : module.module.private_repositories["${repo_name}"].repo_id if contains(repo.organization_action_secrets, secret)]
+ )))
+ }
+}
+
+resource "github_actions_organization_secret_repositories" "org_secret_repo_access" {
+ for_each = local.organization_action_secrets_repository_id_list
+
+ secret_name = each.key
+ selected_repository_ids = each.value
+}
\ No newline at end of file
diff --git a/modules/repository_set/variables.tf b/modules/repository_set/variables.tf
index 6bf4bb2..aac97f7 100644
--- a/modules/repository_set/variables.tf
+++ b/modules/repository_set/variables.tf
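Review bot: `github_actions_organization_secret_repositories` is authoritative for the secret's whole repository list, and nothing in this file ties the `secret_name` key to a secret the organization module actually creates, so a misspelled or non-`selected` secret name surfaces only as an apply-time API error (the set-selected-repositories endpoint, as far as I recall, requires the secret's visibility to be `selected`). A comment above the resource stating that contract would save the next maintainer a failed apply: `# Replaces the secret's full repository list; the secret must already exist at org level with visibility = "selected"`. Separately, `toset(distinct(concat(...)))` de-duplicates twice — `toset(concat(...))` is enough — and `organization_action_secrets_repository_id_list` holds a map of sets, so `organization_action_secrets_repository_ids` would be a less misleading name.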
@@ -11,18 +11,21 @@ variable "private_repositories" { delete_head_on_merge = bool allow_auto_merge = bool dependabot_security_updates = bool + organization_action_secrets = optional(list(string)) + organization_codespace_secrets = optional(list(string)) + organization_dependabot_secrets = optional(list(string)) action_secrets = optional(map(string)) codespace_secrets = optional(map(string)) dependabot_secrets = optional(map(string)) - environments = optional(map(object({ + environments = optional(map(object({ action_secrets = optional(map(string)) }))) - template_repository = optional(object({ + template_repository = optional(object({ owner = string repository = string include_all_branches = bool })) - license_template = optional(string) + license_template = optional(string) })) description = "A map of private repositories where the key is the repository name and the value is the configuration" } @@ -39,18 +42,21 @@ variable "public_repositories" { delete_head_on_merge = bool allow_auto_merge = bool dependabot_security_updates = bool + organization_action_secrets = optional(list(string)) + organization_codespace_secrets = optional(list(string)) + organization_dependabot_secrets = optional(list(string)) action_secrets = optional(map(string)) codespace_secrets = optional(map(string)) dependabot_secrets = optional(map(string)) - environments = optional(map(object({ + environments = optional(map(object({ action_secrets = optional(map(string)) }))) - template_repository = optional(object({ + template_repository = optional(object({ owner = string repository = string include_all_branches = bool })) - license_template = optional(string) + license_template = optional(string) })) description = "A map of public repositories where the key is the repository name and the value is the configuration" } From 070f50c0112c41d671678aea89cc5319e7a0883c Mon Sep 17 00:00:00 2001 
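Review bot: The new `organization_action_secrets`, `organization_codespace_secrets` and `organization_dependabot_secrets` attributes are declared `optional(list(string))`, which yields `null` when a caller omits them and forces every consumer to guard against it; `optional(list(string), [])` gives an empty list by default and removes that class of error, provided repository_set pins a Terraform version that supports optional defaults (the deleted module required `>= 1.7.1`, which does). The same change applies to the `public_repositories` hunk below. The variable descriptions also do not say what these lists are, so each attribute should carry `# names of organization-level secrets (visibility = "selected") this repository is granted access to`, since they are easy to confuse with the adjacent `action_secrets` maps that hold repository-level values.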
From: Tyler Mizuyabu Date: Fri, 8 Mar 2024 10:53:07 -0500 Subject: [PATCH 03/13] wrong output keys --- modules/repository_base/outputs.tf | 2 +- modules/repository_set/organization-secrets.tf | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/repository_base/outputs.tf b/modules/repository_base/outputs.tf index 4ece1a5..33078a8 100644 --- a/modules/repository_base/outputs.tf +++ b/modules/repository_base/outputs.tf @@ -1,4 +1,4 @@ output "id" { - value = github_repository.repository.id + value = github_repository.repository.repo_id description = "The ID of the repository" } \ No newline at end of file diff --git a/modules/repository_set/organization-secrets.tf b/modules/repository_set/organization-secrets.tf index bc51410..8902b90 100644 --- a/modules/repository_set/organization-secrets.tf +++ b/modules/repository_set/organization-secrets.tf @@ -6,8 +6,8 @@ locals { organization_action_secrets_repository_id_list = { for secret in local.organization_action_secrets : secret => toset(distinct(concat( - [for repo_name, repo in var.public_repositories : module.public_repositories["${repo_name}"].repo_id if contains(repo.organization_action_secrets, secret)], - [for repo_name, repo in var.private_repositories : module.module.private_repositories["${repo_name}"].repo_id if contains(repo.organization_action_secrets, secret)] + [for repo_name, repo in var.public_repositories : module.public_repositories["${repo_name}"].id if contains(repo.organization_action_secrets, secret)], + [for repo_name, repo in var.private_repositories : module.module.private_repositories["${repo_name}"].id if contains(repo.organization_action_secrets, secret)] ))) } } From dd3f61216f391c0ffe486121c8032dc55c48d1a8 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Fri, 8 Mar 2024 10:56:37 -0500 Subject: [PATCH 04/13] I hate autocomplete --- modules/repository_set/organization-secrets.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
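Review bot: The output is named `id` but now returns `github_repository.repository.repo_id`, the numeric GitHub identifier, while the provider's own `id` attribute is the repository name; the description `The ID of the repository` does not distinguish the two, and the wrapper outputs in private_repository and public_repository repeat it verbatim. Suggest `description = "Numeric GitHub repository ID (repo_id), the form selected_repository_ids expects"`. The second hunk's `module.*_repositories[...].id` lookups depend on exactly this value being numeric, so the description is the only place that contract is visible to a reader of the outputs.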
diff --git a/modules/repository_set/organization-secrets.tf b/modules/repository_set/organization-secrets.tf index 8902b90..ed2cf04 100644 --- a/modules/repository_set/organization-secrets.tf +++ b/modules/repository_set/organization-secrets.tf @@ -1,7 +1,7 @@ locals { organization_action_secrets = distinct(flatten(concat( - [for _, repo in var.var.public_repositories : repo.organization_action_secrets if repo.organization_action_secrets != null], - [for _, repo in var.var.private_repositories : repo.organization_action_secrets if repo.organization_action_secrets != null] + [for _, repo in var.public_repositories : repo.organization_action_secrets if repo.organization_action_secrets != null], + [for _, repo in var.private_repositories : repo.organization_action_secrets if repo.organization_action_secrets != null] ))) organization_action_secrets_repository_id_list = { From d32e38a20c140880a6915c85f07ccfd647df815e Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Fri, 8 Mar 2024 10:57:26 -0500 Subject: [PATCH 05/13] terraform autocomplete is bad --- modules/repository_set/organization-secrets.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/repository_set/organization-secrets.tf b/modules/repository_set/organization-secrets.tf index ed2cf04..8e363ad 100644 --- a/modules/repository_set/organization-secrets.tf +++ b/modules/repository_set/organization-secrets.tf 
@@ -7,7 +7,7 @@ locals { organization_action_secrets_repository_id_list = { for secret in local.organization_action_secrets : secret => toset(distinct(concat( [for repo_name, repo in var.public_repositories : module.public_repositories["${repo_name}"].id if contains(repo.organization_action_secrets, secret)], - [for repo_name, repo in var.private_repositories : module.module.private_repositories["${repo_name}"].id if contains(repo.organization_action_secrets, secret)] + [for repo_name, repo in var.private_repositories : module.private_repositories["${repo_name}"].id if contains(repo.organization_action_secrets, secret)] ))) } } From ddec543cd5c987a1ed8cab8796c280512ef850f7 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Fri, 8 Mar 2024 11:07:00 -0500 Subject: [PATCH 06/13] added coalescing and other secrets --- .../repository_set/organization-secrets.tf | 51 +++++++++++++++++-- 1 file changed, 46 insertions(+), 5 deletions(-) diff --git a/modules/repository_set/organization-secrets.tf b/modules/repository_set/organization-secrets.tf index 8e363ad..f802c92 100644 --- a/modules/repository_set/organization-secrets.tf +++ b/modules/repository_set/organization-secrets.tf 
@@ -1,20 +1,61 @@ locals { + coalesced_public_repositories = coalesce(var.public_repositories, {}) + coalesced_private_repositories = coalesce(var.private_repositories, {}) + organization_action_secrets = distinct(flatten(concat( - [for _, repo in var.public_repositories : repo.organization_action_secrets if repo.organization_action_secrets != null], - [for _, repo in var.private_repositories : repo.organization_action_secrets if repo.organization_action_secrets != null] + [for _, repo in local.coalesced_public_repositories : repo.organization_action_secrets if repo.organization_action_secrets != null], + [for _, repo in local.coalesced_private_repositories : repo.organization_action_secrets if repo.organization_action_secrets != null] ))) organization_action_secrets_repository_id_list = { for secret in local.organization_action_secrets : secret => toset(distinct(concat( - [for repo_name, repo in var.public_repositories : module.public_repositories["${repo_name}"].id if contains(repo.organization_action_secrets, secret)], - [for repo_name, repo in var.private_repositories : module.private_repositories["${repo_name}"].id if contains(repo.organization_action_secrets, secret)] + [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if contains(repo.organization_action_secrets, secret)], + [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if contains(repo.organization_action_secrets, secret)] + ))) + } + + codespace_secrets = distinct(flatten(concat( + [for _, repo in local.coalesced_public_repositories : repo.codespace_secrets if repo.codespace_secrets != null], + [for _, repo in local.coalesced_private_repositories : repo.codespace_secrets if repo.codespace_secrets != null] + ))) + + codespace_secrets_repository_id_list = { + for secret in local.codespace_secrets : secret => toset(distinct(concat( + [for repo_name, repo in 
local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if contains(repo.codespace_secrets, secret)], + [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if contains(repo.codespace_secrets, secret)] + ))) + } + + dependabot_secrets = distinct(flatten(concat( + [for _, repo in local.coalesced_public_repositories : repo.dependabot_secrets if repo.dependabot_secrets != null], + [for _, repo in local.coalesced_private_repositories : repo.dependabot_secrets if repo.dependabot_secrets != null] + ))) + + dependabot_secrets_id_list = { + for secret in local.dependabot_secrets : secret => toset(distinct(concat( + [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if contains(repo.dependabot_secrets, secret)], + [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if contains(repo.dependabot_secrets, secret)] ))) } } -resource "github_actions_organization_secret_repositories" "org_secret_repo_access" { +resource "github_actions_organization_secret_repositories" "org__action_secret_repo_access" { for_each = local.organization_action_secrets_repository_id_list + secret_name = each.key + selected_repository_ids = each.value +} + +resource "github_codespaces_organization_secret_repositories" "org__codespace_secret_repo_access" { + for_each = local.codespace_secrets_repository_id_list + + secret_name = each.key + selected_repository_ids = each.value +} + +resource "github_dependabot_organization_secret_repositories" "org__dependabot_secret_repo_access" { + for_each = local.dependabot_secrets_id_list + secret_name = each.key selected_repository_ids = each.value } \ No newline at end of file From ceed4eb3f4afe2df03b9dffbae778eba39154d77 Mon Sep 17 00:00:00 2001 
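Review bot: The new locals `codespace_secrets` and `dependabot_secrets` reuse the names of the per-repository `codespace_secrets`/`dependabot_secrets` map attributes from variables.tf, which are a different thing here (names of organization secrets to grant), while the actions equivalent is `organization_action_secrets`; naming them `organization_codespace_secrets` and `organization_dependabot_secrets`, with the lookup maps as `organization_*_secrets_repository_ids`, keeps the three blocks parallel (`dependabot_secrets_id_list` also drops `repository` from the pattern used by the other two). The resource labels `org__action_secret_repo_access`, `org__codespace_secret_repo_access` and `org__dependabot_secret_repo_access` carry a double underscore that looks accidental. As with the actions resource, a one-line comment noting that these resources own the secret's full repository list and require the secret to exist at org level with `selected` visibility would help.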
From: Tyler Mizuyabu Date: Fri, 8 Mar 2024 11:09:16 -0500 Subject: [PATCH 07/13] come on tyler --- modules/repository_set/organization-secrets.tf | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/modules/repository_set/organization-secrets.tf b/modules/repository_set/organization-secrets.tf index f802c92..8e74404 100644 --- a/modules/repository_set/organization-secrets.tf +++ b/modules/repository_set/organization-secrets.tf 
@@ -15,26 +15,26 @@ locals { } codespace_secrets = distinct(flatten(concat( - [for _, repo in local.coalesced_public_repositories : repo.codespace_secrets if repo.codespace_secrets != null], - [for _, repo in local.coalesced_private_repositories : repo.codespace_secrets if repo.codespace_secrets != null] + [for _, repo in local.coalesced_public_repositories : repo.organization_codespace_secrets if repo.organization_codespace_secrets != null], + [for _, repo in local.coalesced_private_repositories : repo.organization_codespace_secrets if repo.organization_codespace_secrets != null] ))) codespace_secrets_repository_id_list = { for secret in local.codespace_secrets : secret => toset(distinct(concat( - [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if contains(repo.codespace_secrets, secret)], - [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if contains(repo.codespace_secrets, secret)] + [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if contains(repo.organization_codespace_secrets, secret)], + [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if contains(repo.organization_codespace_secrets, secret)] ))) } dependabot_secrets = distinct(flatten(concat( - [for _, repo in local.coalesced_public_repositories : repo.dependabot_secrets if repo.dependabot_secrets != null], - [for _, repo in local.coalesced_private_repositories : repo.dependabot_secrets if repo.dependabot_secrets != null] + [for _, repo in local.coalesced_public_repositories : repo.organization_dependabot_secrets if repo.organization_dependabot_secrets != null], + [for _, repo in local.coalesced_private_repositories : repo.organization_dependabot_secrets if repo.organization_dependabot_secrets != null] ))) dependabot_secrets_id_list = { for secret in 
local.dependabot_secrets : secret => toset(distinct(concat( - [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if contains(repo.dependabot_secrets, secret)], - [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if contains(repo.dependabot_secrets, secret)] + [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if contains(repo.organization_dependabot_secrets, secret)], + [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if contains(repo.organization_dependabot_secrets, secret)] ))) } } From 06f3491000e2b234e0f22c5ed18290235e83b608 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Fri, 8 Mar 2024 11:14:51 -0500 Subject: [PATCH 08/13] check for null --- modules/repository_set/organization-secrets.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/repository_set/organization-secrets.tf b/modules/repository_set/organization-secrets.tf index 8e74404..e06becb 100644 --- a/modules/repository_set/organization-secrets.tf +++ b/modules/repository_set/organization-secrets.tf 
@@ -9,8 +9,8 @@ locals { organization_action_secrets_repository_id_list = { for secret in local.organization_action_secrets : secret => toset(distinct(concat( - [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if contains(repo.organization_action_secrets, secret)], - [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if contains(repo.organization_action_secrets, secret)] + [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if repo.organization_action_secrets != null && contains(repo.organization_action_secrets, secret)], + [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if repo.organization_action_secrets != null && contains(repo.organization_action_secrets, secret)] ))) } @@ -21,8 +21,8 @@ locals { codespace_secrets_repository_id_list = { for secret in local.codespace_secrets : secret => toset(distinct(concat( - [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if contains(repo.organization_codespace_secrets, secret)], - [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if contains(repo.organization_codespace_secrets, secret)] + [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if repo.organization_codespace_secrets != null && contains(repo.organization_codespace_secrets, secret)], + [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if repo.organization_codespace_secrets != null && contains(repo.organization_codespace_secrets, secret)] ))) } 
@@ -33,8 +33,8 @@ locals { dependabot_secrets_id_list = { for secret in local.dependabot_secrets : secret => toset(distinct(concat( - [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if contains(repo.organization_dependabot_secrets, secret)], - [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if contains(repo.organization_dependabot_secrets, secret)] + [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if repo.organization_dependabot_secrets != null && contains(repo.organization_dependabot_secrets, secret)], + [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if repo.organization_dependabot_secrets != null && contains(repo.organization_dependabot_secrets, secret)] ))) } } From d40a1fe5c227fda957e87b211d1be8e546a61757 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Fri, 8 Mar 2024 11:16:12 -0500 Subject: [PATCH 09/13] falling back to coalescing --- modules/repository_set/organization-secrets.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/repository_set/organization-secrets.tf b/modules/repository_set/organization-secrets.tf index e06becb..4a00bb6 100644 --- a/modules/repository_set/organization-secrets.tf +++ b/modules/repository_set/organization-secrets.tf 
@@ -9,8 +9,8 @@ locals { organization_action_secrets_repository_id_list = { for secret in local.organization_action_secrets : secret => toset(distinct(concat( - [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if repo.organization_action_secrets != null && contains(repo.organization_action_secrets, secret)], - [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if repo.organization_action_secrets != null && contains(repo.organization_action_secrets, secret)] + [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if contains(coalesce(repo.organization_action_secrets, []), secret)], + [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if contains(coalesce(repo.organization_action_secrets), secret)] ))) } @@ -21,8 +21,8 @@ locals { codespace_secrets_repository_id_list = { for secret in local.codespace_secrets : secret => toset(distinct(concat( - [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if repo.organization_codespace_secrets != null && contains(repo.organization_codespace_secrets, secret)], - [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if repo.organization_codespace_secrets != null && contains(repo.organization_codespace_secrets, secret)] + [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if contains(coalesce(repo.organization_codespace_secrets), secret)], + [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if contains(coalesce(repo.organization_codespace_secrets), secret)] ))) } 
@@ -33,8 +33,8 @@ locals {
 dependabot_secrets_id_list = {
 for secret in local.dependabot_secrets :
 secret => toset(distinct(concat(
- [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if repo.organization_dependabot_secrets != null && contains(repo.organization_dependabot_secrets, secret)],
- [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if repo.organization_dependabot_secrets != null && contains(repo.organization_dependabot_secrets, secret)]
+ [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if contains(coalesce(repo.organization_dependabot_secrets), secret)],
+ [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if contains(coalesce(repo.organization_dependabot_secrets), secret)]
 )))
 }
 }
From bc2ea6ebfefb07a99d63cab9025c9848859f4122 Mon Sep 17 00:00:00 2001
From: Tyler Mizuyabu
Date: Fri, 8 Mar 2024 11:18:47 -0500
Subject: [PATCH 10/13] come on tyler
---
 modules/repository_set/organization-secrets.tf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/modules/repository_set/organization-secrets.tf b/modules/repository_set/organization-secrets.tf
index 4a00bb6..12c0127 100644
--- a/modules/repository_set/organization-secrets.tf
+++ b/modules/repository_set/organization-secrets.tf
@@ -10,7 +10,7 @@ locals {
 organization_action_secrets_repository_id_list = {
 for secret in local.organization_action_secrets :
 secret => toset(distinct(concat(
 [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if contains(coalesce(repo.organization_action_secrets, []), secret)],
- [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if contains(coalesce(repo.organization_action_secrets), secret)]
+ [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if contains(coalesce(repo.organization_action_secrets, []), secret)]
 )))
 }
@@ -21,8 +21,8 @@ locals {
 codespace_secrets_repository_id_list = {
 for secret in local.codespace_secrets :
 secret => toset(distinct(concat(
- [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if contains(coalesce(repo.organization_codespace_secrets), secret)],
- [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if contains(coalesce(repo.organization_codespace_secrets), secret)]
+ [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if contains(coalesce(repo.organization_codespace_secrets, []), secret)],
+ [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if contains(coalesce(repo.organization_codespace_secrets, []), secret)]
 )))
 }
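Review bot: With the `[]` fallback now in place, `coalesce(repo.organization_*_secrets, [])` is written out six times across this hunk, the codespace hunk below it and the dependabot hunk that follows, on lines long enough that a one-argument difference between the public and private variants went unnoticed for two commits. The comprehensions already iterate `local.coalesced_public_repositories` and `local.coalesced_private_repositories`, which by name look like the place per-repository defaults are applied; defaulting `organization_action_secrets`, `organization_codespace_secrets` and `organization_dependabot_secrets` to `[]` there would let every filter read simply `if contains(repo.organization_action_secrets, secret)` and keep the null handling in one spot. I cannot see those locals' definitions from here, so confirm they are where defaults are applied before moving it. The enclosing `locals` block starts outside the hunk.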
@@ -33,8 +33,8 @@ locals {
 dependabot_secrets_id_list = {
 for secret in local.dependabot_secrets :
 secret => toset(distinct(concat(
- [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if contains(coalesce(repo.organization_dependabot_secrets), secret)],
- [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if contains(coalesce(repo.organization_dependabot_secrets), secret)]
+ [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if contains(coalesce(repo.organization_dependabot_secrets, []), secret)],
+ [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if contains(coalesce(repo.organization_dependabot_secrets, []), secret)]
 )))
 }
 }
From 368425816b7a84b69d41550c98671726bcbe953a Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Fri, 8 Mar 2024 16:22:46 +0000
Subject: [PATCH 11/13] terraform-docs: automated action
---
 modules/organization/README.md | 7 ++++---
 modules/private_repository/README.md | 4 +++-
 modules/public_repository/README.md | 4 +++-
 modules/repository_base/README.md | 4 +++-
 modules/repository_set/README.md | 14 ++++++++++----
 5 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/modules/organization/README.md b/modules/organization/README.md
index e2169e5..3b7677f 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@@ -13,14 +13,15 @@
 ## Modules
-| Name | Source | Version |
-|------|--------|---------|
-| [organization\_secrets](#module\_organization\_secrets) | ../organization_secrets | n/a |
+No modules.
 ## Resources
 | Name | Type |
 |------|------|
+| [github_actions_organization_secret.action_secret](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/actions_organization_secret) | resource |
+| [github_codespaces_organization_secret.codespace_secret](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/codespaces_organization_secret) | resource |
+| [github_dependabot_organization_secret.dependabot_secret](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/dependabot_organization_secret) | resource |
 | [github_membership.membership_for_user](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/membership) | resource |
 | [github_organization_block.blocked_user](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/organization_block) | resource |
 | [github_organization_custom_role.community_manager_role](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/organization_custom_role) | resource |
diff --git a/modules/private_repository/README.md b/modules/private_repository/README.md
index f76df21..f516dee 100644
--- a/modules/private_repository/README.md
+++ b/modules/private_repository/README.md
@@ -43,4 +43,6 @@ No resources.
 ## Outputs
-No outputs.
\ No newline at end of file
+| Name | Description |
+|------|-------------|
+| [id](#output\_id) | The ID of the repository |
\ No newline at end of file
diff --git a/modules/public_repository/README.md b/modules/public_repository/README.md
index 2b1af93..038a54e 100644
--- a/modules/public_repository/README.md
+++ b/modules/public_repository/README.md
@@ -43,4 +43,6 @@ No resources.
 ## Outputs
-No outputs.
\ No newline at end of file
+| Name | Description |
+|------|-------------|
+| [id](#output\_id) | The ID of the repository |
\ No newline at end of file
diff --git a/modules/repository_base/README.md b/modules/repository_base/README.md
index c5d93de..f357a5d 100644
--- a/modules/repository_base/README.md
+++ b/modules/repository_base/README.md
@@ -63,4 +63,6 @@ No modules.
 ## Outputs
-No outputs.
\ No newline at end of file
+| Name | Description |
+|------|-------------|
+| [id](#output\_id) | The ID of the repository |
\ No newline at end of file
diff --git a/modules/repository_set/README.md b/modules/repository_set/README.md
index ae5af00..534a87f 100644
--- a/modules/repository_set/README.md
+++ b/modules/repository_set/README.md
@@ -7,7 +7,9 @@
 ## Providers
-No providers.
+| Name | Version |
+|------|---------|
+| [github](#provider\_github) | 5.42.0 |
 ## Modules
@@ -18,15 +20,19 @@ No providers. ## Resources -No resources. +| Name | Type | +|------|------| +| [github_actions_organization_secret_repositories.org__action_secret_repo_access](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/actions_organization_secret_repositories) | resource | +| [github_codespaces_organization_secret_repositories.org__codespace_secret_repo_access](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/codespaces_organization_secret_repositories) | resource | +| [github_dependabot_organization_secret_repositories.org__dependabot_secret_repo_access](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/dependabot_organization_secret_repositories) | resource | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [default\_repository\_team\_permissions](#input\_default\_repository\_team\_permissions) | A map where the keys are github team slugs and the value is the permissions the team should have by default for every repository. If an entry exists in `repository_team_permissions_override` for a repository then that will take precedence over this default. | `map(string)` | n/a | yes | -| [private\_repositories](#input\_private\_repositories) | A map of private repositories where the key is the repository name and the value is the configuration |
map(object({
description = string
default_branch = string
repository_team_permissions_override = map(string)
protected_branches = list(string)
advance_security = bool
has_vulnerability_alerts = bool
topics = list(string)
homepage = string
delete_head_on_merge = bool
allow_auto_merge = bool
dependabot_security_updates = bool
action_secrets = optional(map(string))
codespace_secrets = optional(map(string))
dependabot_secrets = optional(map(string))
environments = optional(map(object({
action_secrets = optional(map(string))
})))
template_repository = optional(object({
owner = string
repository = string
include_all_branches = bool
}))
license_template = optional(string)
}))
| n/a | yes | -| [public\_repositories](#input\_public\_repositories) | A map of public repositories where the key is the repository name and the value is the configuration |
map(object({
description = string
default_branch = string
repository_team_permissions_override = map(string)
protected_branches = list(string)
advance_security = bool
topics = list(string)
homepage = string
delete_head_on_merge = bool
allow_auto_merge = bool
dependabot_security_updates = bool
action_secrets = optional(map(string))
codespace_secrets = optional(map(string))
dependabot_secrets = optional(map(string))
environments = optional(map(object({
action_secrets = optional(map(string))
})))
template_repository = optional(object({
owner = string
repository = string
include_all_branches = bool
}))
license_template = optional(string)
}))
| n/a | yes | +| [private\_repositories](#input\_private\_repositories) | A map of private repositories where the key is the repository name and the value is the configuration |
map(object({
description = string
default_branch = string
repository_team_permissions_override = map(string)
protected_branches = list(string)
advance_security = bool
has_vulnerability_alerts = bool
topics = list(string)
homepage = string
delete_head_on_merge = bool
allow_auto_merge = bool
dependabot_security_updates = bool
organization_action_secrets = optional(list(string))
organization_codespace_secrets = optional(list(string))
organization_dependabot_secrets = optional(list(string))
action_secrets = optional(map(string))
codespace_secrets = optional(map(string))
dependabot_secrets = optional(map(string))
environments = optional(map(object({
action_secrets = optional(map(string))
})))
template_repository = optional(object({
owner = string
repository = string
include_all_branches = bool
}))
license_template = optional(string)
}))
| n/a | yes | +| [public\_repositories](#input\_public\_repositories) | A map of public repositories where the key is the repository name and the value is the configuration |
map(object({
description = string
default_branch = string
repository_team_permissions_override = map(string)
protected_branches = list(string)
advance_security = bool
topics = list(string)
homepage = string
delete_head_on_merge = bool
allow_auto_merge = bool
dependabot_security_updates = bool
organization_action_secrets = optional(list(string))
organization_codespace_secrets = optional(list(string))
organization_dependabot_secrets = optional(list(string))
action_secrets = optional(map(string))
codespace_secrets = optional(map(string))
dependabot_secrets = optional(map(string))
environments = optional(map(object({
action_secrets = optional(map(string))
})))
template_repository = optional(object({
owner = string
repository = string
include_all_branches = bool
}))
license_template = optional(string)
}))
| n/a | yes |
 ## Outputs
From c8588da3f63152653b259e08485017d7fb81edb8 Mon Sep 17 00:00:00 2001
From: Tyler Mizuyabu
Date: Fri, 8 Mar 2024 11:24:20 -0500
Subject: [PATCH 12/13] removed unused variable field
---
 modules/organization/variables.tf | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/modules/organization/variables.tf b/modules/organization/variables.tf
index 06ed294..271739b 100644
--- a/modules/organization/variables.tf
+++ b/modules/organization/variables.tf
@@ -137,9 +137,8 @@ variable "actions_secrets" {
 type = map(object({
 encrypted_value = string
 visibility = string
- selected_repositories = optional(list(string))
 }))
- description = "A map of organization-level GitHub Actions secrets to create. The key is the name of the secret and the value is an object describing how to create the secret. If visibility is set to `selected` then `selected_repositories` must be set to a list of repository names to make the secret available."
+ description = "A map of organization-level GitHub Actions secrets to create. The key is the name of the secret and the value is an object describing how to create the secret."
 default = {}
 }
@@ -147,9 +146,8 @@ variable "codespaces_secrets" {
 type = map(object({
 encrypted_value = string
 visibility = string
- selected_repositories = optional(list(string))
 }))
- description = "A map of organization-level GitHub Codespaces secrets to create. The key is the name of the secret and the value is an object describing how to create the secret. If visibility is set to `selected` then `selected_repositories` must be set to a list of repository names to make the secret available."
+ description = "A map of organization-level GitHub Codespaces secrets to create. The key is the name of the secret and the value is an object describing how to create the secret."
 default = {}
 }
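Review bot: The new `description` for `actions_secrets` drops the sentence about `selected` visibility without saying how repository access is granted now, so a reader of this variable no longer learns that a secret with `visibility = "selected"` only becomes usable through the per-repository `organization_action_secrets` lists consumed by the `repository_set` module; the same gap is in the `codespaces_secrets` hunk below and the `dependabot_secrets` hunk in the next line. Suggested sentence to append to each description: `If visibility is set to selected, repository access is granted from the repository side through the repository_set module's organization_*_secrets lists.` Separately, `visibility` is a bare `string`, so a typo is only caught when the GitHub API rejects it at apply time; a `validation` block restricting it to the three values the API accepts would surface that at plan time, and the same block fits the other two variables with the attribute name changed.
```hcl
variable "actions_secrets" {
  # … unchanged: type, description, default …
  validation {
    condition     = alltrue([for s in values(var.actions_secrets) : contains(["all", "private", "selected"], s.visibility)])
    error_message = "visibility must be one of \"all\", \"private\" or \"selected\"."
  }
}
```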
@@ -157,9 +155,8 @@ variable "dependabot_secrets" {
 type = map(object({
 encrypted_value = string
 visibility = string
- selected_repositories = optional(list(string))
 }))
- description = "A map of organization-level Dependabot secrets to create. The key is the name of the secret and the value is an object describing how to create the secret. If visibility is set to `selected` then `selected_repositories` must be set to a list of repository names to make the secret available."
+ description = "A map of organization-level Dependabot secrets to create. The key is the name of the secret and the value is an object describing how to create the secret."
 default = {}
 }
From 73072d42e7540180a8c86800868d8b16d97b0d67 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Fri, 8 Mar 2024 16:24:42 +0000
Subject: [PATCH 13/13] terraform-docs: automated action
---
 modules/organization/README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/organization/README.md b/modules/organization/README.md
index 3b7677f..7166a13 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@@ -34,10 +34,10 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [actions\_secrets](#input\_actions\_secrets) | A map of organization-level GitHub Actions secrets to create. The key is the name of the secret and the value is an object describing how to create the secret. If visibility is set to `selected` then `selected_repositories` must be set to a list of repository names to make the secret available. |
map(object({
encrypted_value = string
visibility = string
selected_repositories = optional(list(string))
}))
| `{}` | no | -| [codespaces\_secrets](#input\_codespaces\_secrets) | A map of organization-level GitHub Codespaces secrets to create. The key is the name of the secret and the value is an object describing how to create the secret. If visibility is set to `selected` then `selected_repositories` must be set to a list of repository names to make the secret available. |
map(object({
encrypted_value = string
visibility = string
selected_repositories = optional(list(string))
}))
| `{}` | no | +| [actions\_secrets](#input\_actions\_secrets) | A map of organization-level GitHub Actions secrets to create. The key is the name of the secret and the value is an object describing how to create the secret. |
map(object({
encrypted_value = string
visibility = string
}))
| `{}` | no | +| [codespaces\_secrets](#input\_codespaces\_secrets) | A map of organization-level GitHub Codespaces secrets to create. The key is the name of the secret and the value is an object describing how to create the secret. |
map(object({
encrypted_value = string
visibility = string
}))
| `{}` | no | | [custom\_repository\_roles](#input\_custom\_repository\_roles) | A map of custom repository roles to create. The key is the name of the role and the value is the role configurations. |
map(object({
description = string
base_role = string
permissions = list(string)
}))
| n/a | yes | -| [dependabot\_secrets](#input\_dependabot\_secrets) | A map of organization-level Dependabot secrets to create. The key is the name of the secret and the value is an object describing how to create the secret. If visibility is set to `selected` then `selected_repositories` must be set to a list of repository names to make the secret available. |
map(object({
encrypted_value = string
visibility = string
selected_repositories = optional(list(string))
}))
| `{}` | no | +| [dependabot\_secrets](#input\_dependabot\_secrets) | A map of organization-level Dependabot secrets to create. The key is the name of the secret and the value is an object describing how to create the secret. |
map(object({
encrypted_value = string
visibility = string
}))
| `{}` | no | | [enable\_community\_manager\_role](#input\_enable\_community\_manager\_role) | If `true` will create a custom repository role for community managers. Defaults to `false`. If `true` the maximum number of `custom_repository_roles` that can be defined will be reduced by one. | `bool` | `false` | no | | [enable\_contractor\_role](#input\_enable\_contractor\_role) | If `true` will create a custom repository role for contractors. Defaults to `false`. If `true` the maximum number of `custom_repository_roles` that can be defined will be reduced by one. | `bool` | `false` | no | | [enable\_security\_engineer\_role](#input\_enable\_security\_engineer\_role) | If `true` will create a custom repository role for security engineers. Defaults to `false`. If `true` the maximum number of `custom_repository_roles` that can be defined will be reduced by one. | `bool` | `false` | no |