diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..457fe17
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+# Ignore any paths with `.terraform/` folders
+**/.terraform/
+**/.terraform.lock.hcl
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 592d942..98331f6 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -12,7 +12,6 @@ repos:
- id: end-of-file-fixer
- id: check-added-large-files
- id: detect-private-key
- exclude: .*/\.terraform/.*
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.88.1
hooks:
diff --git a/modules/enterprise-organization/README.md b/modules/enterprise-organization/README.md
index b413c5c..8e3d9e5 100644
--- a/modules/enterprise-organization/README.md
+++ b/modules/enterprise-organization/README.md
@@ -2,7 +2,7 @@
| Name | Version |
|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.3 |
+| [terraform](#requirement\_terraform) | >= 1.6 |
| [github](#requirement\_github) | ~> 6.0 |
## Providers
diff --git a/modules/enterprise-organization/versions.tf b/modules/enterprise-organization/versions.tf
index bb0a0bb..1957e13 100644
--- a/modules/enterprise-organization/versions.tf
+++ b/modules/enterprise-organization/versions.tf
@@ -1,5 +1,5 @@
terraform {
- required_version = ">= 1.3"
+ required_version = ">= 1.6"
required_providers {
github = {
source = "integrations/github"
diff --git a/modules/github-foundations/README.md b/modules/github-foundations/README.md
index 306535f..c5ed838 100644
--- a/modules/github-foundations/README.md
+++ b/modules/github-foundations/README.md
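Review bot: Ignoring `**/.terraform.lock.hcl` means the provider checksums Terraform records on `init` are never committed, so any root module in this repository would re-resolve providers on every fresh checkout instead of verifying the hashes that were last reviewed. If the repository only publishes reusable modules this is the usual choice, since lock files matter only in root modules, but nothing on the page shows that, and the `version = "3.1.2"` pin added to modules/github-gcloud-oidc/oidc.tf shows that dependency pinning is wanted elsewhere. Consider stating the reason in the comment, e.g. `# Lock files are not committed: <reason, e.g. modules only; consumers pin providers in their root module>`.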
@@ -2,15 +2,16 @@
| Name | Version |
|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.3 |
+| [terraform](#requirement\_terraform) | >= 1.6 |
| [github](#requirement\_github) | ~> 6.0 |
+| [local](#requirement\_local) | ~> 2.5.1 |
## Providers
| Name | Version |
|------|---------|
| [github](#provider\_github) | ~> 6.0 |
-| [local](#provider\_local) | n/a |
+| [local](#provider\_local) | ~> 2.5.1 |
## Modules
@@ -47,7 +48,7 @@
|------|-------------|------|---------|:--------:|
| [bootstrap\_repository\_name](#input\_bootstrap\_repository\_name) | The name of the bootstrap repository. | `string` | `"bootstrap"` | no |
| [foundation\_devs\_team\_name](#input\_foundation\_devs\_team\_name) | The name of the foundation developers team. | `string` | `"foundation-devs"` | no |
-| [oidc\_configuration](#input\_oidc\_configuration) | n/a |
object({
gcp = optional(object({
workload_identity_provider_name_secret_name = optional(string)
workload_identity_provider_name = string
organization_workload_identity_sa_secret_name = optional(string)
organization_workload_identity_sa = string
gcp_secret_manager_project_id_variable_name = optional(string)
gcp_secret_manager_project_id = string
gcp_tf_state_bucket_project_id_variable_name = optional(string)
gcp_tf_state_bucket_project_id = string
bucket_name_variable_name = optional(string)
bucket_name = string
bucket_location_variable_name = optional(string)
bucket_location = string
}))
custom = optional(object({
organization_secrets = map(string)
organization_variables = map(string)
repository_secrets = map(map(string))
repository_variables = map(map(string))
}))
}) | n/a | yes |
+| [oidc\_configuration](#input\_oidc\_configuration) | n/a | object({
gcp = optional(object({
workload_identity_provider_name_secret_name = optional(string)
workload_identity_provider_name = string
organization_workload_identity_sa_secret_name = optional(string)
organization_workload_identity_sa = string
gcp_secret_manager_project_id_variable_name = optional(string)
gcp_secret_manager_project_id = string
gcp_tf_state_bucket_project_id_variable_name = optional(string)
gcp_tf_state_bucket_project_id = string
bucket_name_variable_name = optional(string)
bucket_name = string
bucket_location_variable_name = optional(string)
bucket_location = string
}))
custom = optional(object({
organization_secrets = map(string)
organization_variables = map(string)
repository_secrets = map(map(string))
repository_variables = map(map(string))
}))
}) | n/a | yes |
| [organizations\_repository\_name](#input\_organizations\_repository\_name) | The name of the organizations repository. | `string` | `"organizations"` | no |
| [readme\_path](#input\_readme\_path) | Local Path to the README file in your current codebase. Pushed to the github foundation repository. | `string` | `""` | no |
diff --git a/modules/github-foundations/gcp-oidc-variables.tf b/modules/github-foundations/gcp-oidc-variables.tf
index 9b5516f..4b59004 100644
--- a/modules/github-foundations/gcp-oidc-variables.tf
+++ b/modules/github-foundations/gcp-oidc-variables.tf
@@ -1,5 +1,5 @@
resource "github_actions_secret" "organization_workload_identity_sa" {
- count = var.oidc_configuration.gcp != null ? 1 : 0
+ count = var.oidc_configuration.gcp != null ? 1 : 0
repository = github_repository.organizations_repo.name
secret_name = coalesce(var.oidc_configuration.gcp.organization_workload_identity_sa_secret_name, "GCP_SERVICE_ACCOUNT")
diff --git a/modules/github-foundations/variables.tf b/modules/github-foundations/variables.tf
index b7808f5..b471c6d 100644
--- a/modules/github-foundations/variables.tf
+++ b/modules/github-foundations/variables.tf
@@ -26,32 +26,32 @@ variable "oidc_configuration" {
type = object({
gcp = optional(object({
workload_identity_provider_name_secret_name = optional(string)
- workload_identity_provider_name = string
+ workload_identity_provider_name = string
organization_workload_identity_sa_secret_name = optional(string)
- organization_workload_identity_sa = string
+ organization_workload_identity_sa = string
gcp_secret_manager_project_id_variable_name = optional(string)
- gcp_secret_manager_project_id = string
+ gcp_secret_manager_project_id = string
gcp_tf_state_bucket_project_id_variable_name = optional(string)
- gcp_tf_state_bucket_project_id = string
+ gcp_tf_state_bucket_project_id = string
bucket_name_variable_name = optional(string)
- bucket_name = string
+ bucket_name = string
bucket_location_variable_name = optional(string)
- bucket_location = string
+ bucket_location = string
}))
custom = optional(object({
- organization_secrets = map(string)
+ organization_secrets = map(string)
organization_variables = map(string)
- repository_secrets = map(map(string))
- repository_variables = map(map(string))
+ repository_secrets = map(map(string))
+ repository_variables = map(map(string))
}))
})
validation {
- condition = var.oidc_configuration.gcp != null || var.oidc_configuration.custom != null
+ condition = var.oidc_configuration.gcp != null || var.oidc_configuration.custom != null
error_message = "At least one oidc_configuration must be set."
}
-}
\ No newline at end of file
+}
diff --git a/modules/github-foundations/versions.tf b/modules/github-foundations/versions.tf
index bb0a0bb..6d7e7e0 100644
--- a/modules/github-foundations/versions.tf
+++ b/modules/github-foundations/versions.tf
@@ -1,9 +1,13 @@
terraform {
- required_version = ">= 1.3"
+ required_version = ">= 1.6"
required_providers {
github = {
source = "integrations/github"
version = "~> 6.0"
}
+ local = {
+ source = "hashicorp/local"
+ version = "~> 2.5.1"
+ }
}
}
diff --git a/modules/github-gcloud-oidc/README.md b/modules/github-gcloud-oidc/README.md
index 0609fcd..9624809 100644
--- a/modules/github-gcloud-oidc/README.md
+++ b/modules/github-gcloud-oidc/README.md
@@ -2,22 +2,23 @@
| Name | Version |
|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.3 |
+| [terraform](#requirement\_terraform) | >= 1.6 |
| [google](#requirement\_google) | >= 3.77 |
| [google-beta](#requirement\_google-beta) | >= 3.77 |
+| [random](#requirement\_random) | >= 3.6 |
## Providers
| Name | Version |
|------|---------|
| [google](#provider\_google) | >= 3.77 |
-| [random](#provider\_random) | n/a |
+| [random](#provider\_random) | >= 3.6 |
## Modules
| Name | Source | Version |
|------|--------|---------|
-| [oidc](#module\_oidc) | terraform-google-modules/github-actions-runners/google//modules/gh-oidc | n/a |
+| [oidc](#module\_oidc) | terraform-google-modules/github-actions-runners/google//modules/gh-oidc | 3.1.2 |
## Resources
@@ -57,7 +58,6 @@
| [lifecycle\_rules](#input\_lifecycle\_rules) | Bucket lifecycle rule. | map(object({
action = object({
type = string
storage_class = optional(string)
})
condition = object({
age = optional(number)
created_before = optional(string)
custom_time_before = optional(string)
days_since_custom_time = optional(number)
days_since_noncurrent_time = optional(number)
matches_prefix = optional(list(string))
matches_storage_class = optional(list(string)) # STANDARD, MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, ARCHIVE, DURABLE_REDUCED_AVAILABILITY
matches_suffix = optional(list(string))
noncurrent_time_before = optional(string)
num_newer_versions = optional(number)
with_state = optional(string) # "LIVE", "ARCHIVED", "ANY"
})
})) | `{}` | no |
| [location](#input\_location) | Bucket location. | `string` | n/a | yes |
| [logging\_config](#input\_logging\_config) | Bucket logging configuration. | object({
log_bucket = string
log_object_prefix = optional(string)
}) | `null` | no |
-| [organization\_id](#input\_organization\_id) | The organization id. | `string` | n/a | yes |
| [parent](#input\_parent) | Parent in folders/folder\_id or organizations/org\_id format. | `string` | `null` | no |
| [prefix](#input\_prefix) | Optional prefix used to generate project id and name. | `string` | `null` | no |
| [project\_create](#input\_project\_create) | Create project. When set to false, uses a data source to reference existing project. | `bool` | `true` | no |
diff --git a/modules/github-gcloud-oidc/folder.tf b/modules/github-gcloud-oidc/folder.tf
index 9f23744..a92a275 100644
--- a/modules/github-gcloud-oidc/folder.tf
+++ b/modules/github-gcloud-oidc/folder.tf
@@ -1,8 +1,8 @@
locals {
folder = (
var.folder_create
- ? try(google_folder.folder.0, null)
- : try(data.google_folder.folder.0, null)
+ ? try(google_folder.folder[0], null)
+ : try(data.google_folder.folder[0], null)
)
}
@@ -15,4 +15,4 @@ resource "google_folder" "folder" {
count = var.folder_create ? 1 : 0
display_name = var.folder_name
parent = var.parent
-}
\ No newline at end of file
+}
diff --git a/modules/github-gcloud-oidc/oidc.tf b/modules/github-gcloud-oidc/oidc.tf
index ae8fdc9..bf7e6fb 100644
--- a/modules/github-gcloud-oidc/oidc.tf
+++ b/modules/github-gcloud-oidc/oidc.tf
@@ -4,7 +4,6 @@ locals {
bootstrap_repo_name = "bootstrap"
organizations_repo_name = "organizations"
- projects_repo_name = "projects"
state_file_access_roles = tolist(["roles/storage.objectAdmin", "roles/storage.admin"])
@@ -53,6 +52,7 @@ resource "google_project_iam_member" "organizations_member" {
*/
module "oidc" {
source = "terraform-google-modules/github-actions-runners/google//modules/gh-oidc"
+ version = "3.1.2"
depends_on = [google_project_service.project_services, google_service_account.bootstrap_sa, google_service_account.organizations_sa]
project_id = google_project.project[0].project_id
pool_id = local.pool_id
diff --git a/modules/github-gcloud-oidc/project.tf b/modules/github-gcloud-oidc/project.tf
index 81382da..a52ccc9 100644
--- a/modules/github-gcloud-oidc/project.tf
+++ b/modules/github-gcloud-oidc/project.tf
@@ -25,14 +25,14 @@ locals {
project = (
var.project_create ?
{
- project_id = try(google_project.project.0.project_id, null)
- number = try(google_project.project.0.number, null)
- name = try(google_project.project.0.name, null)
+ project_id = try(google_project.project[0].project_id, null)
+ number = try(google_project.project[0].number, null)
+ name = try(google_project.project[0].name, null)
}
: {
project_id = local.project_id
- number = try(data.google_project.project.0.number, null)
- name = try(data.google_project.project.0.name, null)
+ number = try(data.google_project.project[0].number, null)
+ name = try(data.google_project.project[0].name, null)
}
)
}
@@ -66,4 +66,3 @@ resource "google_project_service" "project_services" {
disable_on_destroy = var.service_config.disable_on_destroy
disable_dependent_services = var.service_config.disable_dependent_services
}
-
diff --git a/modules/github-gcloud-oidc/storage.tf b/modules/github-gcloud-oidc/storage.tf
index e39de1f..8705ae1 100644
--- a/modules/github-gcloud-oidc/storage.tf
+++ b/modules/github-gcloud-oidc/storage.tf
@@ -1,3 +1,4 @@
+#trivy:ignore:avd-gcp-0066
resource "google_storage_bucket" "bucket" {
name = lower(var.bucket_name)
depends_on = [google_project_service.project_services]
@@ -94,4 +95,4 @@ resource "google_storage_bucket" "bucket" {
data_locations = var.custom_placement_config
}
}
-}
\ No newline at end of file
+}
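Review bot: The new `#trivy:ignore:avd-gcp-0066` line silences the finding on `google_storage_bucket.bucket` without recording why; that ID appears to be the customer-managed-key check for Cloud Storage, and `state_file_access_roles` in oidc.tf suggests this bucket will hold Terraform state, which routinely contains credentials, so the decision to stay on Google-managed keys deserves a sentence next to the suppression. A line such as `# CMEK not used: <reason, e.g. the state bucket is created before any KMS key exists>` above the ignore would do; the same applies to the `#trivy:ignore:avd-git-0001` added above `visibility` in modules/repository_base/repository.tf. The resource body continues past the hunk.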
diff --git a/modules/github-gcloud-oidc/variables.tf b/modules/github-gcloud-oidc/variables.tf
index 8c70aab..e9bede8 100644
--- a/modules/github-gcloud-oidc/variables.tf
+++ b/modules/github-gcloud-oidc/variables.tf
@@ -1,9 +1,3 @@
-#Organization Variables
-variable "organization_id" {
- description = "The organization id."
- type = string
-}
-
#Folder Variables
variable "folder_create" {
description = "Create folder. When set to false, uses id to reference an existing folder."
@@ -277,4 +271,4 @@ variable "custom_placement_config" {
variable "github_foundations_organization_name" {
type = string
description = "The name of the organization that the github foundation repos will be under."
-}
\ No newline at end of file
+}
diff --git a/modules/github-gcloud-oidc/versions.tf b/modules/github-gcloud-oidc/versions.tf
index 6381a79..4658f90 100644
--- a/modules/github-gcloud-oidc/versions.tf
+++ b/modules/github-gcloud-oidc/versions.tf
@@ -1,5 +1,5 @@
terraform {
- required_version = ">= 1.3"
+ required_version = ">= 1.6"
required_providers {
google = {
source = "hashicorp/google"
@@ -9,5 +9,9 @@ terraform {
source = "hashicorp/google-beta"
version = ">= 3.77" # tftest
}
+ random = {
+ source = "hashicorp/random"
+ version = ">= 3.6" # tftest
+ }
}
-}
\ No newline at end of file
+}
diff --git a/modules/organization/README.md b/modules/organization/README.md
index 407378c..d99d2e0 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@@ -2,7 +2,7 @@
| Name | Version |
|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.3 |
+| [terraform](#requirement\_terraform) | >= 1.6 |
| [github](#requirement\_github) | ~> 6.0 |
## Providers
diff --git a/modules/organization/rulesets.tf b/modules/organization/rulesets.tf
index a51af05..e71ab97 100644
--- a/modules/organization/rulesets.tf
+++ b/modules/organization/rulesets.tf
@@ -84,15 +84,15 @@ module "ruleset" {
bypass_actors = {
repository_roles = [for bypasser in try(toset(coalesce(each.value.bypass_actors.repository_roles, [])), []) : {
- role_id = lookup(local.github_base_role_ids, bypasser.role, data.github_organization_custom_role.branch_ruleset_bypasser["${bypasser.role}"].id)
+ role_id = lookup(local.github_base_role_ids, bypasser.role, data.github_organization_custom_role.branch_ruleset_bypasser[bypasser.role].id)
always_bypass = bypasser.always_bypass
}]
teams = [for bypasser in try(toset(coalesce(each.value.bypass_actors.teams, [])), []) : {
- team_id = data.github_team.branch_ruleset_bypasser["${bypasser.team}"].id
+ team_id = data.github_team.branch_ruleset_bypasser[bypasser.team].id
always_bypass = bypasser.always_bypass
}]
organization_admins = [for bypasser in try(toset(coalesce(each.value.bypass_actors.organization_admins, [])), []) : {
- user_id = data.github_user.branch_ruleset_bypasser["${bypasser.user}"].id
+ user_id = data.github_user.branch_ruleset_bypasser[bypasser.user].id
always_bypass = bypasser.always_bypass
}]
integrations = try(each.value.bypass_actors.integrations, [])
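Review bot: The rewritten `role_id` line still evaluates the `lookup(...)` default eagerly, as Terraform does for every function argument, so `data.github_organization_custom_role.branch_ruleset_bypasser[bypasser.role]` must exist even when `bypasser.role` is a base role found in `local.github_base_role_ids`; if that data source's `for_each` (not in this hunk) filters base roles out, the plan fails with an invalid index rather than falling back. `try(local.github_base_role_ids[bypasser.role], data.github_organization_custom_role.branch_ruleset_bypasser[bypasser.role].id)` expresses the intended fallback without the eager default. The same expression is rewritten in the `base_default_branch_protection`, `minimum_approvals`, `dismiss_stale_reviews` and `require_signatures` hunks below and in modules/repository_base/rulesets.tf. `module "ruleset"` starts before this hunk and ends after it.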
@@ -125,15 +125,15 @@ module "base_default_branch_protection" {
bypass_actors = {
repository_roles = [for bypasser in try(toset(coalesce(var.default_branch_protection_rulesets.bypass_actors.repository_roles, [])), []) : {
- role_id = lookup(local.github_base_role_ids, bypasser.role, data.github_organization_custom_role.branch_ruleset_bypasser["${bypasser.role}"].id)
+ role_id = lookup(local.github_base_role_ids, bypasser.role, data.github_organization_custom_role.branch_ruleset_bypasser[bypasser.role].id)
always_bypass = bypasser.always_bypass
}]
teams = [for bypasser in try(toset(coalesce(var.default_branch_protection_rulesets.bypass_actors.teams, [])), []) : {
- team_id = data.github_team.branch_ruleset_bypasser["${bypasser.team}"].id
+ team_id = data.github_team.branch_ruleset_bypasser[bypasser.team].id
always_bypass = bypasser.always_bypass
}]
organization_admins = [for bypasser in try(toset(coalesce(var.default_branch_protection_rulesets.bypass_actors.organization_admins, [])), []) : {
- user_id = data.github_user.branch_ruleset_bypasser["${bypasser.user}"].id
+ user_id = data.github_user.branch_ruleset_bypasser[bypasser.user].id
always_bypass = bypasser.always_bypass
}]
integrations = try(var.default_branch_protection_rulesets.bypass_actors.integrations, [])
@@ -162,15 +162,15 @@ module "minimum_approvals" {
bypass_actors = {
repository_roles = [for bypasser in try(toset(coalesce(var.default_branch_protection_rulesets.bypass_actors.repository_roles, [])), []) : {
- role_id = lookup(local.github_base_role_ids, bypasser.role, data.github_organization_custom_role.branch_ruleset_bypasser["${bypasser.role}"].id)
+ role_id = lookup(local.github_base_role_ids, bypasser.role, data.github_organization_custom_role.branch_ruleset_bypasser[bypasser.role].id)
always_bypass = bypasser.always_bypass
}]
teams = [for bypasser in try(toset(coalesce(var.default_branch_protection_rulesets.bypass_actors.teams, [])), []) : {
- team_id = data.github_team.branch_ruleset_bypasser["${bypasser.team}"].id
+ team_id = data.github_team.branch_ruleset_bypasser[bypasser.team].id
always_bypass = bypasser.always_bypass
}]
organization_admins = [for bypasser in try(toset(coalesce(var.default_branch_protection_rulesets.bypass_actors.organization_admins, [])), []) : {
- user_id = data.github_user.branch_ruleset_bypasser["${bypasser.user}"].id
+ user_id = data.github_user.branch_ruleset_bypasser[bypasser.user].id
always_bypass = bypasser.always_bypass
}]
integrations = try(var.default_branch_protection_rulesets.bypass_actors.integrations, [])
@@ -199,15 +199,15 @@ module "dismiss_stale_reviews" {
bypass_actors = {
repository_roles = [for bypasser in try(toset(coalesce(var.default_branch_protection_rulesets.bypass_actors.repository_roles, [])), []) : {
- role_id = lookup(local.github_base_role_ids, bypasser.role, data.github_organization_custom_role.branch_ruleset_bypasser["${bypasser.role}"].id)
+ role_id = lookup(local.github_base_role_ids, bypasser.role, data.github_organization_custom_role.branch_ruleset_bypasser[bypasser.role].id)
always_bypass = bypasser.always_bypass
}]
teams = [for bypasser in try(toset(coalesce(var.default_branch_protection_rulesets.bypass_actors.teams, [])), []) : {
- team_id = data.github_team.branch_ruleset_bypasser["${bypasser.team}"].id
+ team_id = data.github_team.branch_ruleset_bypasser[bypasser.team].id
always_bypass = bypasser.always_bypass
}]
organization_admins = [for bypasser in try(toset(coalesce(var.default_branch_protection_rulesets.bypass_actors.organization_admins, [])), []) : {
- user_id = data.github_user.branch_ruleset_bypasser["${bypasser.user}"].id
+ user_id = data.github_user.branch_ruleset_bypasser[bypasser.user].id
always_bypass = bypasser.always_bypass
}]
integrations = try(var.default_branch_protection_rulesets.bypass_actors.integrations, [])
@@ -233,17 +233,17 @@ module "require_signatures" {
bypass_actors = {
repository_roles = [for bypasser in try(toset(coalesce(var.default_branch_protection_rulesets.bypass_actors.repository_roles, [])), []) : {
- role_id = lookup(local.github_base_role_ids, bypasser.role, data.github_organization_custom_role.branch_ruleset_bypasser["${bypasser.role}"].id)
+ role_id = lookup(local.github_base_role_ids, bypasser.role, data.github_organization_custom_role.branch_ruleset_bypasser[bypasser.role].id)
always_bypass = bypasser.always_bypass
}]
teams = [for bypasser in try(toset(coalesce(var.default_branch_protection_rulesets.bypass_actors.teams, [])), []) : {
- team_id = data.github_team.branch_ruleset_bypasser["${bypasser.team}"].id
+ team_id = data.github_team.branch_ruleset_bypasser[bypasser.team].id
always_bypass = bypasser.always_bypass
}]
organization_admins = [for bypasser in try(toset(coalesce(var.default_branch_protection_rulesets.bypass_actors.organization_admins, [])), []) : {
- user_id = data.github_user.branch_ruleset_bypasser["${bypasser.user}"].id
+ user_id = data.github_user.branch_ruleset_bypasser[bypasser.user].id
always_bypass = bypasser.always_bypass
}]
integrations = try(var.default_branch_protection_rulesets.bypass_actors.integrations, [])
}
-}
\ No newline at end of file
+}
diff --git a/modules/organization/versions.tf b/modules/organization/versions.tf
index e58f121..1957e13 100644
--- a/modules/organization/versions.tf
+++ b/modules/organization/versions.tf
@@ -1,9 +1,9 @@
terraform {
- required_version = ">= 1.3"
+ required_version = ">= 1.6"
required_providers {
github = {
source = "integrations/github"
version = "~> 6.0"
}
}
-}
\ No newline at end of file
+}
diff --git a/modules/private_repository/README.md b/modules/private_repository/README.md
index 0ff1289..d3cc6cc 100644
--- a/modules/private_repository/README.md
+++ b/modules/private_repository/README.md
@@ -2,7 +2,7 @@
| Name | Version |
|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.3 |
+| [terraform](#requirement\_terraform) | >= 1.6 |
| [github](#requirement\_github) | ~> 6.0 |
## Providers
@@ -24,7 +24,7 @@ No resources.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [action\_secrets](#input\_action\_secrets) | An (Optional) map of GitHub Actions secrets to create for this repository. The key is the name of the secret and the value is the encrypted value. | `map(string)` | `{}` | no |
-| [advance\_security](#input\_advance\_security) | Enables advance security for the repository. If repository is public `advance_security` is enabled by default and cannot be changed. | `bool` | `true` | no |
+| [advance\_security](#input\_advance\_security) | Enables advance security for the repository. | `bool` | `true` | no |
| [allow\_auto\_merge](#input\_allow\_auto\_merge) | Allow auto-merging pull requests on the repository | `bool` | `true` | no |
| [codespace\_secrets](#input\_codespace\_secrets) | An (Optional) map of Github Codespace secrets to create for this repository. The key is the name of the secret and the value is the encrypted value. | `map(string)` | `{}` | no |
| [default\_branch](#input\_default\_branch) | The branch to set as the default branch for this repository. Defaults to "main" | `string` | `"main"` | no |
diff --git a/modules/private_repository/repository.tf b/modules/private_repository/repository.tf
index a872ce4..476c7cd 100644
--- a/modules/private_repository/repository.tf
+++ b/modules/private_repository/repository.tf
@@ -15,10 +15,10 @@ module "repository_base" {
repository_team_permissions = var.repository_team_permissions
repository_user_permissions = var.repository_user_permissions
- default_branch = var.default_branch
- protected_branches = var.protected_branches
- delete_head_on_merge = var.delete_head_on_merge
- allow_auto_merge = var.allow_auto_merge
+ default_branch = var.default_branch
+ protected_branches = var.protected_branches
+ delete_head_on_merge = var.delete_head_on_merge
+ allow_auto_merge = var.allow_auto_merge
requires_web_commit_signing = var.requires_web_commit_signing
secret_scanning = true
diff --git a/modules/private_repository/variables.tf b/modules/private_repository/variables.tf
index b347472..8abc711 100644
--- a/modules/private_repository/variables.tf
+++ b/modules/private_repository/variables.tf
@@ -68,7 +68,7 @@ variable "dependabot_security_updates" {
}
variable "advance_security" {
- description = "Enables advance security for the repository. If repository is public `advance_security` is enabled by default and cannot be changed."
+ description = "Enables advance security for the repository."
type = bool
default = true
}
diff --git a/modules/private_repository/versions.tf b/modules/private_repository/versions.tf
index e58f121..1957e13 100644
--- a/modules/private_repository/versions.tf
+++ b/modules/private_repository/versions.tf
@@ -1,9 +1,9 @@
terraform {
- required_version = ">= 1.3"
+ required_version = ">= 1.6"
required_providers {
github = {
source = "integrations/github"
version = "~> 6.0"
}
}
-}
\ No newline at end of file
+}
diff --git a/modules/public_repository/README.md b/modules/public_repository/README.md
index b47dc90..a04baad 100644
--- a/modules/public_repository/README.md
+++ b/modules/public_repository/README.md
@@ -2,7 +2,7 @@
| Name | Version |
|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.3 |
+| [terraform](#requirement\_terraform) | >= 1.6 |
| [github](#requirement\_github) | ~> 6.0 |
## Providers
diff --git a/modules/public_repository/repository.tf b/modules/public_repository/repository.tf
index 811be5c..04a6aec 100644
--- a/modules/public_repository/repository.tf
+++ b/modules/public_repository/repository.tf
@@ -15,10 +15,10 @@ module "repository_base" {
repository_team_permissions = var.repository_team_permissions
repository_user_permissions = var.repository_user_permissions
- default_branch = var.default_branch
- protected_branches = var.protected_branches
- delete_head_on_merge = var.delete_head_on_merge
- allow_auto_merge = var.allow_auto_merge
+ default_branch = var.default_branch
+ protected_branches = var.protected_branches
+ delete_head_on_merge = var.delete_head_on_merge
+ allow_auto_merge = var.allow_auto_merge
requires_web_commit_signing = var.requires_web_commit_signing
secret_scanning = true
diff --git a/modules/public_repository/versions.tf b/modules/public_repository/versions.tf
index e58f121..1957e13 100644
--- a/modules/public_repository/versions.tf
+++ b/modules/public_repository/versions.tf
@@ -1,9 +1,9 @@
terraform {
- required_version = ">= 1.3"
+ required_version = ">= 1.6"
required_providers {
github = {
source = "integrations/github"
version = "~> 6.0"
}
}
-}
\ No newline at end of file
+}
diff --git a/modules/repository_base/README.md b/modules/repository_base/README.md
index 94c955e..ff0ecd4 100644
--- a/modules/repository_base/README.md
+++ b/modules/repository_base/README.md
@@ -2,7 +2,7 @@
| Name | Version |
|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.3 |
+| [terraform](#requirement\_terraform) | >= 1.6 |
| [github](#requirement\_github) | ~> 6.0 |
## Providers
diff --git a/modules/repository_base/repository.tf b/modules/repository_base/repository.tf
index 6811c5f..bc3c38b 100644
--- a/modules/repository_base/repository.tf
+++ b/modules/repository_base/repository.tf
@@ -1,7 +1,6 @@
locals {
enable_dependabot_automated_security_fixes = var.has_vulnerability_alerts && var.dependabot_security_updates ? 1 : 0
- is_public = var.visibility == "public"
- can_configure_security_and_analysis = !local.is_public && var.advance_security
+ can_configure_security_and_analysis = var.advance_security || var.secret_scanning || var.secret_scanning_on_push
protected_branches_refs = [
for branch in var.protected_branches : "refs/heads/${branch}"
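Review bot: Dropping `is_public` removes the only guard that kept the `advanced_security` block out of the request for public repositories; the new `can_configure_security_and_analysis` is true whenever any of the three flags is set, and with `advance_security` defaulting to `true` in private_repository/variables.tf the next hunk will now send `advanced_security { status = "enabled" }` for a public repository as well. The sentence this commit deletes from that variable's description, "If repository is public `advance_security` is enabled by default and cannot be changed", describes a GitHub constraint rather than a module one, so removing the gate looks likely to bring back the 422 the comment above the dynamic block mentions. Suggested fix: keep `is_public = var.visibility == "public"` here and gate only that block with `for_each = var.advance_security && !local.is_public ? [1] : []` in the next hunk. The locals block continues past this hunk.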
@@ -11,36 +10,48 @@ locals {
resource "github_repository" "repository" {
name = var.name
description = var.description
- visibility = var.visibility
+ #trivy:ignore:avd-git-0001
+ visibility = var.visibility
- auto_init = true
- archive_on_destroy = false
- has_downloads = var.has_downloads
- has_issues = var.has_issues
- has_projects = var.has_projects
- has_wiki = var.has_wiki
- has_discussions = var.has_discussions
- vulnerability_alerts = var.has_vulnerability_alerts
- topics = var.topics
- homepage_url = var.homepage
- delete_branch_on_merge = var.delete_head_on_merge
- allow_auto_merge = var.allow_auto_merge
+ auto_init = true
+ archive_on_destroy = false
+ has_downloads = var.has_downloads
+ has_issues = var.has_issues
+ has_projects = var.has_projects
+ has_wiki = var.has_wiki
+ has_discussions = var.has_discussions
+ vulnerability_alerts = var.has_vulnerability_alerts
+ topics = var.topics
+ homepage_url = var.homepage
+ delete_branch_on_merge = var.delete_head_on_merge
+ allow_auto_merge = var.allow_auto_merge
web_commit_signoff_required = var.requires_web_commit_signing
- license_template = var.license_template
+ license_template = var.license_template
# A hacky way of getting around the 422 errors received from github api
dynamic "security_and_analysis" {
for_each = local.can_configure_security_and_analysis ? [1] : []
content {
- advanced_security {
- status = var.advance_security ? "enabled" : "disabled"
+ dynamic "advanced_security" {
+ for_each = var.advance_security ? [var.advance_security] : []
+ content {
+ status = "enabled"
+ }
}
- secret_scanning {
- status = var.secret_scanning ? "enabled" : "disabled"
+
+ dynamic "secret_scanning" {
+ for_each = var.secret_scanning ? [var.secret_scanning] : []
+ content {
+ status = "enabled"
+ }
}
- secret_scanning_push_protection {
- status = var.secret_scanning_on_push ? "enabled" : "disabled"
+
+ dynamic "secret_scanning_push_protection" {
+ for_each = var.secret_scanning_on_push ? [var.secret_scanning_on_push] : []
+ content {
+ status = "enabled"
+ }
}
}
}
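Review bot: The three dynamic blocks only ever emit `status = "enabled"`; when a flag is false the block is omitted instead of sending `status = "disabled"` as the removed lines did, so setting `secret_scanning = false` or `secret_scanning_on_push = false` on an existing repository no longer turns the feature off — Terraform simply stops managing it and config and reality diverge silently (how the provider treats an omitted nested block is not visible here, so this is an inference). If avoiding a 422 for repositories without the feature licensed is the motive, it should be stated where the next maintainer will look, e.g. above `dynamic "advanced_security"`: `# Only "enabled" is ever sent: a false flag omits the block and leaves the current GitHub setting untouched rather than disabling it.` The `github_repository` resource continues past this hunk.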
@@ -69,7 +80,7 @@ resource "github_branch_default" "default_branch" {
}
resource "github_repository_ruleset" "protected_branch_base_rules" {
- count = length(toset(local.protected_branches_refs)) > 0 ? 1 : 0
+ count = length(toset(local.protected_branches_refs)) > 0 ? 1 : 0
name = "protected_branch_base_ruleset"
repository = github_repository.repository.name
diff --git a/modules/repository_base/rulesets.tf b/modules/repository_base/rulesets.tf
index 7fdfa52..384e035 100644
--- a/modules/repository_base/rulesets.tf
+++ b/modules/repository_base/rulesets.tf
@@ -82,15 +82,15 @@ module "ruleset" {
bypass_actors = {
repository_roles = [for bypasser in try(toset(coalesce(each.value.bypass_actors.repository_roles, [])), []) : {
- role_id = lookup(local.github_base_role_ids, bypasser.role, data.github_organization_custom_role.branch_ruleset_bypasser["${bypasser.role}"].id)
+ role_id = lookup(local.github_base_role_ids, bypasser.role, data.github_organization_custom_role.branch_ruleset_bypasser[bypasser.role].id)
always_bypass = bypasser.always_bypass
}]
teams = [for bypasser in try(toset(coalesce(each.value.bypass_actors.teams, [])), []) : {
- team_id = data.github_team.branch_ruleset_bypasser["${bypasser.team}"].id
+ team_id = data.github_team.branch_ruleset_bypasser[bypasser.team].id
always_bypass = bypasser.always_bypass
}]
organization_admins = [for bypasser in try(toset(coalesce(each.value.bypass_actors.organization_admins, [])), []) : {
- user_id = data.github_user.branch_ruleset_bypasser["${bypasser.user}"].id
+ user_id = data.github_user.branch_ruleset_bypasser[bypasser.user].id
always_bypass = bypasser.always_bypass
}]
integrations = try(each.value.bypass_actors.repository_roles, [])
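Review bot: `integrations = try(each.value.bypass_actors.repository_roles, [])`, the context line right after the rewritten bypass lists, feeds the repository-roles list into the integrations bypass actors, where the parallel code in modules/organization/rulesets.tf uses `each.value.bypass_actors.integrations`; it is unchanged by this commit but sits in the hunk and looks like a copy-paste slip. Bypass actors decide who may skip the branch ruleset, so assuming the variable schema mirrors the organization module's, the wrong list either fails the plan on a type mismatch or grants bypass to the wrong actors, and it is worth fixing alongside the cosmetic change: `integrations = try(each.value.bypass_actors.integrations, [])`. `module "ruleset"` begins before this hunk and ends after it.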
@@ -98,4 +98,4 @@ module "ruleset" {
ref_name_inclusions = each.value.conditions.ref_name.include
ref_name_exclusions = each.value.conditions.ref_name.exclude
-}
\ No newline at end of file
+}
diff --git a/modules/repository_base/secrets.tf b/modules/repository_base/secrets.tf
index dd73ce2..a976385 100644
--- a/modules/repository_base/secrets.tf
+++ b/modules/repository_base/secrets.tf
@@ -40,7 +40,7 @@ resource "github_dependabot_secret" "dependabot_secret" {
resource "github_actions_environment_secret" "environment_secret" {
for_each = local.environment_action_secrets_map
repository = var.name
- environment = github_repository_environment.environment["${each.value.environment}"].environment
+ environment = github_repository_environment.environment[each.value.environment].environment
encrypted_value = each.value.encrypted_value
secret_name = each.value.name
}
diff --git a/modules/repository_base/versions.tf b/modules/repository_base/versions.tf
index e58f121..1957e13 100644
--- a/modules/repository_base/versions.tf
+++ b/modules/repository_base/versions.tf
@@ -1,9 +1,9 @@
terraform {
- required_version = ">= 1.3"
+ required_version = ">= 1.6"
required_providers {
github = {
source = "integrations/github"
version = "~> 6.0"
}
}
-}
\ No newline at end of file
+}
diff --git a/modules/repository_set/README.md b/modules/repository_set/README.md
index 6e325f0..d885ab0 100644
--- a/modules/repository_set/README.md
+++ b/modules/repository_set/README.md
@@ -2,7 +2,7 @@
| Name | Version |
|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.3 |
+| [terraform](#requirement\_terraform) | >= 1.6 |
| [github](#requirement\_github) | ~> 6.0 |
## Providers
diff --git a/modules/repository_set/organization-secrets.tf b/modules/repository_set/organization-secrets.tf
index 599a08c..ab5f84d 100644
--- a/modules/repository_set/organization-secrets.tf
+++ b/modules/repository_set/organization-secrets.tf
@@ -9,8 +9,8 @@ locals {
organization_action_secrets_repository_id_list = {
for secret in local.organization_action_secrets : secret => toset(distinct(concat(
- [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if contains(coalesce(repo.organization_action_secrets, []), secret)],
- [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if contains(coalesce(repo.organization_action_secrets, []), secret)]
+ [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories[repo_name].id if contains(coalesce(repo.organization_action_secrets, []), secret)],
+ [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories[repo_name].id if contains(coalesce(repo.organization_action_secrets, []), secret)]
)))
}
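Review bot: Public repositories are granted organization Actions secrets on the same footing as private ones in the first comprehension, and nothing on the new side distinguishes the two; once a secret is selected for a public repository it is visible to every workflow in that repository that runs with secrets access, which widens exposure in a way a reader of this local cannot see. If that is intentional, a comment above the local would make it explicit, e.g. `# NOTE: public repositories listed in organization_action_secrets receive org secrets too — keep those secrets to non-sensitive values`; if not, consider dropping the public list or requiring an explicit opt-in per repository. The `locals` block continues outside the hunk.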
@@ -21,8 +21,8 @@ locals {
codespace_secrets_repository_id_list = {
for secret in local.codespace_secrets : secret => toset(distinct(concat(
- [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if contains(coalesce(repo.organization_codespace_secrets, []), secret)],
- [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if contains(coalesce(repo.organization_codespace_secrets, []), secret)]
+ [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories[repo_name].id if contains(coalesce(repo.organization_codespace_secrets, []), secret)],
+ [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories[repo_name].id if contains(coalesce(repo.organization_codespace_secrets, []), secret)]
)))
}
@@ -33,8 +33,8 @@ locals {
dependabot_secrets_id_list = {
for secret in local.dependabot_secrets : secret => toset(distinct(concat(
- [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories["${repo_name}"].id if contains(coalesce(repo.organization_dependabot_secrets, []), secret)],
- [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories["${repo_name}"].id if contains(coalesce(repo.organization_dependabot_secrets, []), secret)]
+ [for repo_name, repo in local.coalesced_public_repositories : module.public_repositories[repo_name].id if contains(coalesce(repo.organization_dependabot_secrets, []), secret)],
+ [for repo_name, repo in local.coalesced_private_repositories : module.private_repositories[repo_name].id if contains(coalesce(repo.organization_dependabot_secrets, []), secret)]
)))
}
}
@@ -58,4 +58,4 @@ resource "github_dependabot_organization_secret_repositories" "org__dependabot_s
secret_name = each.key
selected_repository_ids = each.value
-}
\ No newline at end of file
+}
diff --git a/modules/repository_set/versions.tf b/modules/repository_set/versions.tf
index e58f121..1957e13 100644
--- a/modules/repository_set/versions.tf
+++ b/modules/repository_set/versions.tf
@@ -1,9 +1,9 @@
terraform {
- required_version = ">= 1.3"
+ required_version = ">= 1.6"
required_providers {
github = {
source = "integrations/github"
version = "~> 6.0"
}
}
-}
\ No newline at end of file
+}
diff --git a/modules/ruleset/README.md b/modules/ruleset/README.md
index 7853302..a50dc9d 100644
--- a/modules/ruleset/README.md
+++ b/modules/ruleset/README.md
@@ -2,7 +2,7 @@
| Name | Version |
|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.3 |
+| [terraform](#requirement\_terraform) | >= 1.6 |
| [github](#requirement\_github) | ~> 6.0 |
## Providers
@@ -31,7 +31,6 @@ No modules.
| [name](#input\_name) | The name of the ruleset. | `string` | n/a | yes |
| [ref\_name\_exclusions](#input\_ref\_name\_exclusions) | A list of ref names or patterns to exclude. Defaults to an empty list. If set and `ruleset_type` is set to `organization` then either `repository_name_inclusions` or `repository_name_exclusions` must be set to a list of atleast 1 string. | `list(string)` | `[]` | no |
| [ref\_name\_inclusions](#input\_ref\_name\_inclusions) | A list of ref names or patterns to include. Defaults to an empty list. If set and `ruleset_type` is set to `organization` then either `repository_name_inclusions` or `repository_name_exclusions` must be set to a list of atleast 1 string. | `list(string)` | `[]` | no |
-| [repository](#input\_repository) | The repository to create the ruleset under. Only applicable if `ruleset_type` is set to `repository`. Defaults to "" | `string` | `""` | no |
| [repository\_name\_exclusions](#input\_repository\_name\_exclusions) | A list of repository names or patterns to exclude. If `ruleset_type` is set to `repository` then this field is ignored. | `list(string)` | `[]` | no |
| [repository\_name\_inclusions](#input\_repository\_name\_inclusions) | A list of repository names or patterns to include. If `ruleset_type` is set to `repository` then this field is ignored. | `list(string)` | `[]` | no |
| [rules](#input\_rules) | An object containing fields for all the rule definitions the ruleset should enforce. | object({
branch_name_pattern = optional(object({
operator = string
pattern = string
name = optional(string)
negate = optional(bool)
}))
tag_name_pattern = optional(object({
operator = string
pattern = string
name = optional(string)
negate = optional(bool)
}))
commit_author_email_pattern = optional(object({
operator = string
pattern = string
name = optional(string)
negate = optional(bool)
}))
commit_message_pattern = optional(object({
operator = string
pattern = string
name = optional(string)
negate = optional(bool)
}))
committer_email_pattern = optional(object({
operator = string
pattern = string
name = optional(string)
negate = optional(bool)
}))
creation = optional(bool)
deletion = optional(bool)
update = optional(bool)
non_fast_forward = optional(bool)
required_linear_history = optional(bool)
required_signatures = optional(bool)
update_allows_fetch_and_merge = optional(bool)
pull_request = optional(object({
dismiss_stale_reviews_on_push = optional(bool)
require_code_owner_review = optional(bool)
require_last_push_approval = optional(bool)
required_approving_review_count = optional(number)
required_review_thread_resolution = optional(bool)
}))
required_status_checks = optional(object({
required_check = list(object({
context = string
integration_id = optional(number)
}))
strict_required_status_check_policy = optional(bool)
}))
required_workflows = optional(object({
required_workflows = list(object({
repository_id = number
path = string
ref = optional(string)
}))
}))
required_deployment_environments = optional(list(string))
}) | n/a | yes |
diff --git a/modules/ruleset/variables.tf b/modules/ruleset/variables.tf
index d442c16..2ba4590 100644
--- a/modules/ruleset/variables.tf
+++ b/modules/ruleset/variables.tf
@@ -142,9 +142,3 @@ variable "enforcement" {
error_message = "The enforcement level must be either `active`, `evaluate` or `disabled`."
}
}
-
-variable "repository" {
- type = string
- description = "The repository to create the ruleset under. Only applicable if `ruleset_type` is set to `repository`. Defaults to \"\""
- default = ""
-}
diff --git a/modules/ruleset/versions.tf b/modules/ruleset/versions.tf
index e58f121..1957e13 100644
--- a/modules/ruleset/versions.tf
+++ b/modules/ruleset/versions.tf
@@ -1,9 +1,9 @@
terraform {
- required_version = ">= 1.3"
+ required_version = ">= 1.6"
required_providers {
github = {
source = "integrations/github"
version = "~> 6.0"
}
}
-}
\ No newline at end of file
+}
diff --git a/modules/team/README.md b/modules/team/README.md
index e71b7c9..8bface2 100644
--- a/modules/team/README.md
+++ b/modules/team/README.md
@@ -2,7 +2,7 @@
| Name | Version |
|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.3 |
+| [terraform](#requirement\_terraform) | >= 1.6 |
| [github](#requirement\_github) | ~> 6.0 |
## Providers
diff --git a/modules/team/versions.tf b/modules/team/versions.tf
index e58f121..1957e13 100644
--- a/modules/team/versions.tf
+++ b/modules/team/versions.tf
@@ -1,9 +1,9 @@
terraform {
- required_version = ">= 1.3"
+ required_version = ">= 1.6"
required_providers {
github = {
source = "integrations/github"
version = "~> 6.0"
}
}
-}
\ No newline at end of file
+}
diff --git a/modules/team_set/README.md b/modules/team_set/README.md
index e8f78c8..fcf9e7a 100644
--- a/modules/team_set/README.md
+++ b/modules/team_set/README.md
@@ -2,7 +2,7 @@
| Name | Version |
|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.3 |
+| [terraform](#requirement\_terraform) | >= 1.6 |
| [github](#requirement\_github) | ~> 6.0 |
## Providers
diff --git a/modules/team_set/data.tf b/modules/team_set/data.tf
index c4879a2..148afd9 100644
--- a/modules/team_set/data.tf
+++ b/modules/team_set/data.tf
@@ -16,11 +16,11 @@ locals {
data "terraform_remote_state" "state" {
for_each = {
- for i, state in local.distinct_states : "${i}" => state
+ for i, state in local.distinct_states : i => state
}
backend = "gcs"
config = {
bucket = each.value.bucket
prefix = each.value.prefix
}
-}
\ No newline at end of file
+}
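Review bot: `terraform_remote_state` on the new side reads the entire state for each `distinct_states` entry, not just the team-id outputs this module consumes, so any principal able to plan this module gains read access to everything in those states, including any sensitive resource attributes they hold. If the producing states contain more than team outputs, consider an outputs-only state or resolving teams with `data.github_team` instead; at minimum a comment such as `# Reads the full remote state at bucket/prefix; keep those states free of secrets` would make the trust boundary explicit. Also confirm `i` is a list index here — the old `"${i}"` forced a string key, and if `local.distinct_states` were a set the key would become the element itself rather than a position. The `locals` block that defines `distinct_states` begins outside the hunk.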
diff --git a/modules/team_set/teams.tf b/modules/team_set/teams.tf
index 498d3b8..e6f0d42 100644
--- a/modules/team_set/teams.tf
+++ b/modules/team_set/teams.tf
@@ -15,7 +15,7 @@ module "prexisting_team" {
source = "../team"
for_each = var.preexisting_teams
- team_id = data.terraform_remote_state.state[local.team_to_state_index_map[each.key]].outputs["${each.value.output_name}"]
+ team_id = data.terraform_remote_state.state[local.team_to_state_index_map[each.key]].outputs[each.value.output_name]
team_maintainers = each.value.maintainers
team_members = each.value.members
diff --git a/modules/team_set/versions.tf b/modules/team_set/versions.tf
index bb0a0bb..1957e13 100644
--- a/modules/team_set/versions.tf
+++ b/modules/team_set/versions.tf
@@ -1,5 +1,5 @@
terraform {
- required_version = ">= 1.3"
+ required_version = ">= 1.6"
required_providers {
github = {
source = "integrations/github"