Made gcp configuration optional

modules/github-foundations/README.md

@@ -22,12 +22,16 @@
 
 | Name | Type |
 |------|------|
+| [github_actions_organization_secret.custom_oidc_organization_secret](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_secret) | resource |
 | [github_actions_organization_secret.workload_identity_provider](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_secret) | resource |
+| [github_actions_organization_variable.custom_oidc_organization_variable](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
 | [github_actions_organization_variable.tf_state_bucket_location](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
 | [github_actions_organization_variable.tf_state_bucket_name](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
 | [github_actions_organization_variable.tf_state_bucket_project_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
 | [github_actions_secret.organization_workload_identity_sa](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
+| [github_actions_secret.repository_secret](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
 | [github_actions_variable.gcp_secret_manager_project_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_variable) | resource |
+| [github_actions_variable.repository_variable](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_variable) | resource |
 | [github_issue_labels.drift_labels](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/issue_labels) | resource |
 | [github_repository.bootstrap_repo](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |
 | [github_repository.organizations_repo](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |
@@ -42,16 +46,10 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_bootstrap_repository_name"></a> [bootstrap\_repository\_name](#input\_bootstrap\_repository\_name) | The name of the bootstrap repository. | `string` | `"bootstrap"` | no |
-| <a name="input_bootstrap_workload_identity_sa"></a> [bootstrap\_workload\_identity\_sa](#input\_bootstrap\_workload\_identity\_sa) | The service account to use for the bootstrap repository oidc. | `string` | n/a | yes |
-| <a name="input_bucket_location"></a> [bucket\_location](#input\_bucket\_location) | The location of the tf state bucket. | `string` | n/a | yes |
-| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | The name of the tf state bucket. | `string` | n/a | yes |
 | <a name="input_foundation_devs_team_name"></a> [foundation\_devs\_team\_name](#input\_foundation\_devs\_team\_name) | The name of the foundation developers team. | `string` | `"foundation-devs"` | no |
-| <a name="input_gcp_project_id"></a> [gcp\_project\_id](#input\_gcp\_project\_id) | The id of the gcp project where secret manager was setup. | `string` | n/a | yes |
-| <a name="input_gcp_tf_state_bucket_project_id"></a> [gcp\_tf\_state\_bucket\_project\_id](#input\_gcp\_tf\_state\_bucket\_project\_id) | The id of the gcp project where the tf state bucket was setup. | `string` | n/a | yes |
-| <a name="input_organization_workload_identity_sa"></a> [organization\_workload\_identity\_sa](#input\_organization\_workload\_identity\_sa) | The service account to use for the organization repository oidc. | `string` | n/a | yes |
+| <a name="input_oidc_configuration"></a> [oidc\_configuration](#input\_oidc\_configuration) | n/a | <pre>object({<br>    gcp = optional(object({<br>      workload_identity_provider_name_secret_name = optional(string)<br>      workload_identity_provider_name = string<br><br>      organization_workload_identity_sa_secret_name = optional(string)<br>      organization_workload_identity_sa = string<br><br>      gcp_secret_manager_project_id_variable_name = optional(string)<br>      gcp_secret_manager_project_id = string<br><br>      gcp_tf_state_bucket_project_id_variable_name = optional(string)<br>      gcp_tf_state_bucket_project_id = string<br><br>      bucket_name_variable_name = optional(string)<br>      bucket_name = string<br><br>      bucket_location_variable_name = optional(string)<br>      bucket_location = string<br>    }))<br>    custom = optional(object({<br>      organization_secrets = map(string)<br>      organization_variables = map(string)<br>      repository_secrets = map(map(string))<br>      repository_variables = map(map(string))<br>    }))<br>  })</pre> | n/a | yes |
 | <a name="input_organizations_repository_name"></a> [organizations\_repository\_name](#input\_organizations\_repository\_name) | The name of the organizations repository. | `string` | `"organizations"` | no |
 | <a name="input_readme_path"></a> [readme\_path](#input\_readme\_path) | Local Path to the README file in your current codebase. Pushed to the github foundation repository. | `string` | `""` | no |
-| <a name="input_workload_identity_provider_name"></a> [workload\_identity\_provider\_name](#input\_workload\_identity\_provider\_name) | The name of the workload identity provider to use for the oidc of the github foundation repositories. | `string` | n/a | yes |
 
 ## Outputs
 

modules/github-foundations/custom-oidc-variables.tf

@@ -0,0 +1,65 @@
+locals {
+  expanded_list_of_repo_secrets = try(merge(
+    [
+      for repo, secrets in var.oidc_configuration.custom.repository_secrets : {
+        for name, encrypted_value in secrets : "${repo}_${name}" => {
+          name            = name
+          encrypted_value = encrypted_value
+          repository      = repo
+        }
+      }
+    ]
+  ), [])
+
+  expanded_list_of_repo_variables = try(merge(
+    [
+      for repo, variables in var.oidc_configuration.custom.repository_variables : {
+        for name, value in variables : "${repo}_${name}" => {
+          name       = name
+          value      = value
+          repository = repo
+        }
+      }
+    ]
+  ), [])
+}
+
+resource "github_actions_organization_secret" "custom_oidc_organization_secret" {
+  for_each = try(var.oidc_configuration.custom.organization_secrets, {})
+
+  secret_name     = each.key
+  encrypted_value = each.value
+  visibility      = "selected"
+  selected_repository_ids = [
+    github_repository.bootstrap_repo.repo_id,
+    github_repository.organizations_repo.repo_id
+  ]
+}
+
+resource "github_actions_organization_variable" "custom_oidc_organization_variable" {
+  for_each = try(var.oidc_configuration.custom.organization_variables, {})
+
+  variable_name = each.key
+  value         = each.value
+  visibility    = "selected"
+  selected_repository_ids = [
+    github_repository.bootstrap_repo.repo_id,
+    github_repository.organizations_repo.repo_id
+  ]
+}
+
+resource "github_actions_secret" "repository_secret" {
+  for_each = toset(local.expanded_list_of_repo_secrets)
+
+  repository      = each.value.repository
+  secret_name     = each.value.name
+  encrypted_value = each.value.encrypted_value
+}
+
+resource "github_actions_variable" "repository_variable" {
+  for_each = toset(local.expanded_list_of_repo_variables)
+
+  repository    = each.value.repository
+  variable_name = each.value.name
+  value         = each.value.value
+}

modules/github-foundations/gcp-oidc-variables.tf

@@ -0,0 +1,63 @@
+resource "github_actions_secret" "organization_workload_identity_sa" {
+  count           = var.oidc_configuration.gcp != null ? 1 : 0
+
+  repository      = github_repository.organizations_repo.name
+  secret_name     = coalesce(var.oidc_configuration.gcp.organization_workload_identity_sa_secret_name, "GCP_SERVICE_ACCOUNT")
+  plaintext_value = var.oidc_configuration.gcp.organization_workload_identity_sa
+}
+
+resource "github_actions_variable" "gcp_secret_manager_project_id" {
+  count = var.oidc_configuration.gcp != null ? 1 : 0
+
+  repository    = github_repository.organizations_repo.name
+  variable_name = coalesce(var.oidc_configuration.gcp.gcp_secret_manager_project_id_variable_name, "GCP_SECRET_MANAGER_PROJECT")
+  value         = var.oidc_configuration.gcp.gcp_secret_manager_project_id
+}
+
+resource "github_actions_organization_secret" "workload_identity_provider" {
+  count = var.oidc_configuration.gcp != null ? 1 : 0
+
+  secret_name     = coalesce(var.oidc_configuration.gcp.workload_identity_provider_name_secret_name, "WORKLOAD_IDENTITY_PROVIDER")
+  plaintext_value = var.oidc_configuration.gcp.workload_identity_provider_name
+  visibility      = "selected"
+  selected_repository_ids = [
+    github_repository.bootstrap_repo.repo_id,
+    github_repository.organizations_repo.repo_id
+  ]
+}
+
+resource "github_actions_organization_variable" "tf_state_bucket_project_id" {
+  count = var.oidc_configuration.gcp != null ? 1 : 0
+
+  variable_name = coalesce(var.oidc_configuration.gcp.gcp_tf_state_bucket_project_id_variable_name, "TF_STATE_BUCKET_PROJECT_ID")
+  value         = var.oidc_configuration.gcp.gcp_tf_state_bucket_project_id
+  visibility    = "selected"
+  selected_repository_ids = [
+    github_repository.bootstrap_repo.repo_id,
+    github_repository.organizations_repo.repo_id
+  ]
+}
+
+resource "github_actions_organization_variable" "tf_state_bucket_name" {
+  count = var.oidc_configuration.gcp != null ? 1 : 0
+
+  variable_name = coalesce(var.oidc_configuration.gcp.bucket_name_variable_name, "TF_STATE_BUCKET_NAME")
+  value         = var.oidc_configuration.gcp.bucket_name
+  visibility    = "selected"
+  selected_repository_ids = [
+    github_repository.bootstrap_repo.repo_id,
+    github_repository.organizations_repo.repo_id
+  ]
+}
+
+resource "github_actions_organization_variable" "tf_state_bucket_location" {
+  count = var.oidc_configuration.gcp != null ? 1 : 0
+
+  variable_name = coalesce(var.oidc_configuration.gcp.bucket_location_variable_name, "TF_STATE_BUCKET_LOCATION")
+  value         = var.oidc_configuration.gcp.bucket_location
+  visibility    = "selected"
+  selected_repository_ids = [
+    github_repository.bootstrap_repo.repo_id,
+    github_repository.organizations_repo.repo_id
+  ]
+}

modules/github-foundations/variables.tf

@@ -1,39 +1,3 @@
-variable "workload_identity_provider_name" {
-  type        = string
-  description = "The name of the workload identity provider to use for the oidc of the github foundation repositories."
-}
-
-variable "bootstrap_workload_identity_sa" {
-  type        = string
-  description = "The service account to use for the bootstrap repository oidc."
-}
-
-variable "organization_workload_identity_sa" {
-  type        = string
-  description = "The service account to use for the organization repository oidc."
-}
-
-variable "gcp_project_id" {
-  type        = string
-  description = "The id of the gcp project where secret manager was setup."
-
-}
-
-variable "gcp_tf_state_bucket_project_id" {
-  type        = string
-  description = "The id of the gcp project where the tf state bucket was setup."
-}
-
-variable "bucket_name" {
-  type        = string
-  description = "The name of the tf state bucket."
-}
-
-variable "bucket_location" {
-  type        = string
-  description = "The location of the tf state bucket."
-}
-
 variable "readme_path" {
   type        = string
   description = "Local Path to the README file in your current codebase. Pushed to the github foundation repository."
@@ -56,4 +20,38 @@ variable "foundation_devs_team_name" {
   type        = string
   description = "The name of the foundation developers team."
   default     = "foundation-devs"
+}
+
+variable "oidc_configuration" {
+  type = object({
+    gcp = optional(object({
+      workload_identity_provider_name_secret_name = optional(string)
+      workload_identity_provider_name = string
+
+      organization_workload_identity_sa_secret_name = optional(string)
+      organization_workload_identity_sa = string
+
+      gcp_secret_manager_project_id_variable_name = optional(string)
+      gcp_secret_manager_project_id = string
+
+      gcp_tf_state_bucket_project_id_variable_name = optional(string)
+      gcp_tf_state_bucket_project_id = string
+
+      bucket_name_variable_name = optional(string)
+      bucket_name = string
+
+      bucket_location_variable_name = optional(string)
+      bucket_location = string
+    }))
+    custom = optional(object({
+      organization_secrets = map(string)
+      organization_variables = map(string)
+      repository_secrets = map(map(string))
+      repository_variables = map(map(string))
+    }))
+  })
+  validation {
+    condition = var.oidc_configuration.gcp != null || var.oidc_configuration.custom != null
+    error_message = "At least one oidc_configuration must be set."
+  }
 }