From f34a072f95f418fdaa075c597508edaedff224a5 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Thu, 18 Apr 2024 14:13:57 -0400 Subject: [PATCH 1/5] fmted and added fields for environment configuration --- modules/private_repository/variables.tf | 14 +++++++- modules/public_repository/variables.tf | 14 +++++++- modules/repository_base/environments.tf | 47 +++++++++++++++++++++++-- modules/repository_base/variables.tf | 14 +++++++- modules/repository_set/variables.tf | 28 +++++++++++++-- 5 files changed, 109 insertions(+), 8 deletions(-) diff --git a/modules/private_repository/variables.tf b/modules/private_repository/variables.tf index 186329a..3db58e2 100644 --- a/modules/private_repository/variables.tf +++ b/modules/private_repository/variables.tf @@ -100,7 +100,19 @@ variable "dependabot_secrets" { variable "environments" { description = "Environments to create for the repository." type = map(object({ - action_secrets = optional(map(string)) + wait_timer = optional(number) + can_admins_bypass = optional(bool) + prevent_self_review = optional(bool) + action_secrets = optional(map(string)) + reviewers = optional(object({ + teams = optional(list(string)) + users = optional(list(string)) + })) + deployment_branch_policy = optional(object({ + protected_branches = bool + custom_branch_policies = bool + branch_patterns = list(string) + })) })) default = {} } diff --git a/modules/public_repository/variables.tf b/modules/public_repository/variables.tf index 99b5ee7..7d5cf79 100644 --- a/modules/public_repository/variables.tf +++ b/modules/public_repository/variables.tf @@ -94,7 +94,19 @@ variable "dependabot_secrets" { variable "environments" { description = "Environments to create for the repository." type = map(object({ - action_secrets = optional(map(string)) + wait_timer = optional(number) + can_admins_bypass = optional(bool) + prevent_self_review = optional(bool) + action_secrets = optional(map(string)) + reviewers = optional(object({ + teams = optional(list(string)) + users = optional(list(string)) + })) + deployment_branch_policy = optional(object({ + protected_branches = bool + custom_branch_policies = bool + branch_patterns = list(string) + })) })) default = {} } diff --git a/modules/repository_base/environments.tf b/modules/repository_base/environments.tf index 08c3f60..a1e060d 100644 --- a/modules/repository_base/environments.tf +++ b/modules/repository_base/environments.tf @@ -1,5 +1,46 @@ +locals { + env_deployment_branch_patterns = { + for env_name, env in coalesce(var.environments, {}) : env_name => env.deployment_branch_policy.branch_patterns if env.deployment_branch_policy != null + } + + deployment_policy_configurations = merge([ + for env_name, branch_patterns in local.env_deployment_branch_patterns : { + for pattern in branch_patterns : "${env_name}:${pattern}" => { + pattern = pattern, + environment = environemnt + } + } + ]...) +} + resource "github_repository_environment" "environment" { - for_each = toset(keys(coalesce(var.environments, {}))) - repository = github_repository.repository.name - environment = each.value + for_each = toset(keys(coalesce(var.environments, {}))) + repository = github_repository.repository.name + environment = each.value + wait_timer = each.value.wait_timer + can_admins_bypass = each.value.can_admins_bypass + prevent_self_review = each.value.prevent_self_review + + dynamic "reviewers" { + for_each = each.value.reviewers != null ? toset([each.value.reviewers]) : [] + content { + teams = reviewers.value.teams + users = reviewers.value.users + } + } + + dynamic "deployment_branch_policy" { + for_each = each.value.deployment_branch_policy != null ? toset([each.value.deployment_branch_policy]) : [] + content { + protected_branches = deployment_branch_policy.value.protected_branches + custom_branch_policies = deployment_branch_policy.value.custom_branch_policies + } + } +} + +resource "github_repository_environment_deployment_policy" "deployment_policy" { + for_each = local.deployment_policy_configurations + repository = github_repository.repository.name + environment = github_repository_environment.environment["${each.value.environment}"].environment + branch_pattern = each.value.pattern } diff --git a/modules/repository_base/variables.tf b/modules/repository_base/variables.tf index 0aa1291..a8808e5 100644 --- a/modules/repository_base/variables.tf +++ b/modules/repository_base/variables.tf @@ -148,7 +148,19 @@ variable "dependabot_secrets" { variable "environments" { description = "An (Optional) map of environments to create for the repository. The key is the name of the environment and the value is the environment configuration." type = map(object({ - action_secrets = optional(map(string)) + wait_timer = optional(number) + can_admins_bypass = optional(bool) + prevent_self_review = optional(bool) + action_secrets = optional(map(string)) + reviewers = optional(object({ + teams = optional(list(string)) + users = optional(list(string)) + })) + deployment_branch_policy = optional(object({ + protected_branches = bool + custom_branch_policies = bool + branch_patterns = list(string) + })) })) default = {} } diff --git a/modules/repository_set/variables.tf b/modules/repository_set/variables.tf index a9ddee6..9288cb9 100644 --- a/modules/repository_set/variables.tf +++ b/modules/repository_set/variables.tf @@ -27,7 +27,19 @@ variable "private_repositories" { codespace_secrets = optional(map(string)) dependabot_secrets = optional(map(string)) environments = optional(map(object({ - action_secrets = optional(map(string)) + wait_timer = optional(number) + can_admins_bypass = optional(bool) + prevent_self_review = optional(bool) + action_secrets = optional(map(string)) + reviewers = optional(object({ + teams = optional(list(string)) + users = optional(list(string)) + })) + deployment_branch_policy = optional(object({ + protected_branches = bool + custom_branch_policies = bool + branch_patterns = list(string) + })) }))) template_repository = optional(object({ owner = string @@ -75,7 +87,19 @@ variable "public_repositories" { codespace_secrets = optional(map(string)) dependabot_secrets = optional(map(string)) environments = optional(map(object({ - action_secrets = optional(map(string)) + wait_timer = optional(number) + can_admins_bypass = optional(bool) + prevent_self_review = optional(bool) + action_secrets = optional(map(string)) + reviewers = optional(object({ + teams = optional(list(string)) + users = optional(list(string)) + })) + deployment_branch_policy = optional(object({ + protected_branches = bool + custom_branch_policies = bool + branch_patterns = list(string) + })) }))) template_repository = optional(object({ owner = string From c302ebd16c999d1b72fb59935e8b761e5fcf7a8a Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Thu, 18 Apr 2024 14:15:10 -0400 Subject: [PATCH 2/5] typo --- modules/repository_base/environments.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/repository_base/environments.tf b/modules/repository_base/environments.tf index a1e060d..f10682f 100644 --- a/modules/repository_base/environments.tf +++ b/modules/repository_base/environments.tf @@ -7,7 +7,7 @@ locals { for env_name, branch_patterns in local.env_deployment_branch_patterns : { for pattern in branch_patterns : "${env_name}:${pattern}" => { pattern = pattern, - environment = environemnt + environment = env_name } } ]...) From c1c6840d6b673daf16f36425e48008afaddd59e7 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Thu, 18 Apr 2024 14:16:40 -0400 Subject: [PATCH 3/5] modified foreach loop --- modules/repository_base/environments.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/repository_base/environments.tf b/modules/repository_base/environments.tf index f10682f..408c4ae 100644 --- a/modules/repository_base/environments.tf +++ b/modules/repository_base/environments.tf @@ -1,6 +1,6 @@ locals { env_deployment_branch_patterns = { - for env_name, env in coalesce(var.environments, {}) : env_name => env.deployment_branch_policy.branch_patterns if env.deployment_branch_policy != null + for env_name, env in var.environments : env_name => env.deployment_branch_policy.branch_patterns if env.deployment_branch_policy != null } deployment_policy_configurations = merge([ @@ -14,9 +14,9 @@ locals { } resource "github_repository_environment" "environment" { - for_each = toset(keys(coalesce(var.environments, {}))) + for_each = var.environments repository = github_repository.repository.name - environment = each.value + environment = each.key wait_timer = each.value.wait_timer can_admins_bypass = each.value.can_admins_bypass prevent_self_review = each.value.prevent_self_review From 859b482d3040d7abcbc957eb8e74e0bf84767f88 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Thu, 18 Apr 2024 14:17:58 -0400 Subject: [PATCH 4/5] added coalescing --- modules/repository_base/environments.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/repository_base/environments.tf b/modules/repository_base/environments.tf index 408c4ae..07f01ec 100644 --- a/modules/repository_base/environments.tf +++ b/modules/repository_base/environments.tf @@ -1,6 +1,7 @@ locals { + coalesced_environments = coalesce(var.environments, {}) env_deployment_branch_patterns = { - for env_name, env in var.environments : env_name => env.deployment_branch_policy.branch_patterns if env.deployment_branch_policy != null + for env_name, env in local.coalesced_environments : env_name => env.deployment_branch_policy.branch_patterns if env.deployment_branch_policy != null } deployment_policy_configurations = merge([ @@ -14,7 +15,7 @@ locals { } resource "github_repository_environment" "environment" { - for_each = var.environments + for_each = local.coalesced_environments repository = github_repository.repository.name environment = each.key wait_timer = each.value.wait_timer From a95fc47348196b270395e8cafa2b2f8de1622d20 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 18 Apr 2024 18:32:15 +0000 Subject: [PATCH 5/5] terraform-docs: automated action --- modules/private_repository/README.md | 2 +- modules/public_repository/README.md | 2 +- modules/repository_base/README.md | 3 ++- modules/repository_set/README.md | 4 ++-- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/modules/private_repository/README.md b/modules/private_repository/README.md index 9559002..bec2428 100644 --- a/modules/private_repository/README.md +++ b/modules/private_repository/README.md @@ -35,7 +35,7 @@ No resources. | [dependabot\_secrets](#input\_dependabot\_secrets) | An (Optional) map of Dependabot secrets to create for this repository. The key is the name of the secret and the value is the encrypted value. | `map(string)` | `{}` | no | | [dependabot\_security\_updates](#input\_dependabot\_security\_updates) | Enables dependabot security updates. Only works when `has_vulnerability_alerts` is set because that is required to enable dependabot for the repository. | `bool` | `true` | no | | [description](#input\_description) | The description to give to the repository. Defaults to `""` | `string` | `""` | no | -| [environments](#input\_environments) | Environments to create for the repository. | 
map(object({
    action_secrets = optional(map(string))
  }))
| `{}` | no | +| [environments](#input\_environments) | Environments to create for the repository. | 
map(object({
    wait_timer          = optional(number)
    can_admins_bypass   = optional(bool)
    prevent_self_review = optional(bool)
    action_secrets      = optional(map(string))
    reviewers = optional(object({
      teams = optional(list(string))
      users = optional(list(string))
    }))
    deployment_branch_policy = optional(object({
      protected_branches     = bool
      custom_branch_policies = bool
      branch_patterns        = list(string)
    }))
  }))
| `{}` | no | | [has\_ghas\_license](#input\_has\_ghas\_license) | If the organization owning the repository has a GitHub Advanced Security license or not. Defaults to false. | `bool` | `false` | no | | [homepage](#input\_homepage) | The homepage for the repository | `string` | `""` | no | | [license\_template](#input\_license\_template) | The (Optional) license template to use for the repository | `string` | `null` | no | diff --git a/modules/public_repository/README.md b/modules/public_repository/README.md index 7a41231..1c4157a 100644 --- a/modules/public_repository/README.md +++ b/modules/public_repository/README.md @@ -35,7 +35,7 @@ No resources. | [dependabot\_secrets](#input\_dependabot\_secrets) | An (Optional) map of Dependabot secrets to create for this repository. The key is the name of the secret and the value is the encrypted value. | `map(string)` | `{}` | no | | [dependabot\_security\_updates](#input\_dependabot\_security\_updates) | Enables dependabot security updates. Only works when `has_vulnerability_alerts` is set because that is required to enable dependabot for the repository. | `bool` | `true` | no | | [description](#input\_description) | The description to give to the repository. Defaults to `""` | `string` | `""` | no | -| [environments](#input\_environments) | Environments to create for the repository. | 
map(object({
    action_secrets = optional(map(string))
  }))
| `{}` | no | +| [environments](#input\_environments) | Environments to create for the repository. | 
map(object({
    wait_timer          = optional(number)
    can_admins_bypass   = optional(bool)
    prevent_self_review = optional(bool)
    action_secrets      = optional(map(string))
    reviewers = optional(object({
      teams = optional(list(string))
      users = optional(list(string))
    }))
    deployment_branch_policy = optional(object({
      protected_branches     = bool
      custom_branch_policies = bool
      branch_patterns        = list(string)
    }))
  }))
| `{}` | no | | [homepage](#input\_homepage) | The homepage for the repository | `string` | `""` | no | | [license\_template](#input\_license\_template) | The (Optional) license template to apply to the repository | `string` | `null` | no | | [merge\_commit\_message](#input\_merge\_commit\_message) | (Optional) Can be `PR_BODY`, `PR_TITLE`, or `BLANK` for a default merge commit message. Applicable only if allow\_merge\_commit is `true`. | `string` | `"PR_TITLE"` | no | diff --git a/modules/repository_base/README.md b/modules/repository_base/README.md index f7a186e..3f039aa 100644 --- a/modules/repository_base/README.md +++ b/modules/repository_base/README.md @@ -30,6 +30,7 @@ | [github_repository_collaborators.collaborators](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_collaborators) | resource | | [github_repository_dependabot_security_updates.automated_security_fixes](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_dependabot_security_updates) | resource | | [github_repository_environment.environment](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_environment) | resource | +| [github_repository_environment_deployment_policy.deployment_policy](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_environment_deployment_policy) | resource | | [github_repository_ruleset.protected_branch_base_rules](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_ruleset) | resource | | [github_organization_custom_role.branch_ruleset_bypasser](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/organization_custom_role) | data source | | [github_team.branch_ruleset_bypasser](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/team) | data source | @@ -51,7 +52,7 @@ | [dependabot\_secrets](#input\_dependabot\_secrets) | An (Optional) map of Dependabot secrets to create for this repository. The key is the name of the secret and the value is the encrypted value. | `map(string)` | `{}` | no | | [dependabot\_security\_updates](#input\_dependabot\_security\_updates) | Enables dependabot security updates. Only works when `has_vulnerability_alerts` is set because that is required to enable dependabot for the repository. | `bool` | `true` | no | | [description](#input\_description) | The description to give to the repository. Defaults to `""` | `string` | `""` | no | -| [environments](#input\_environments) | An (Optional) map of environments to create for the repository. The key is the name of the environment and the value is the environment configuration. | 
map(object({
    action_secrets = optional(map(string))
  }))
| `{}` | no | +| [environments](#input\_environments) | An (Optional) map of environments to create for the repository. The key is the name of the environment and the value is the environment configuration. | 
map(object({
    wait_timer          = optional(number)
    can_admins_bypass   = optional(bool)
    prevent_self_review = optional(bool)
    action_secrets      = optional(map(string))
    reviewers = optional(object({
      teams = optional(list(string))
      users = optional(list(string))
    }))
    deployment_branch_policy = optional(object({
      protected_branches     = bool
      custom_branch_policies = bool
      branch_patterns        = list(string)
    }))
  }))
| `{}` | no | | [has\_discussions](#input\_has\_discussions) | Enables Github Discussions. | `bool` | `true` | no | | [has\_downloads](#input\_has\_downloads) | Enables downloads for the repository | `bool` | `false` | no | | [has\_issues](#input\_has\_issues) | Enables Github Issues for the repository | `bool` | `true` | no | diff --git a/modules/repository_set/README.md b/modules/repository_set/README.md index 6477b43..5a74929 100644 --- a/modules/repository_set/README.md +++ b/modules/repository_set/README.md @@ -32,8 +32,8 @@ |------|-------------|------|---------|:--------:| | [default\_repository\_team\_permissions](#input\_default\_repository\_team\_permissions) | A map where the keys are github team slugs and the value is the permissions the team should have by default for every repository. If an entry exists in `repository_team_permissions_override` for a repository then that will take precedence over this default. Defaults to `{}` giving no team access to the repositories. | `map(string)` | `{}` | no | | [has\_ghas\_license](#input\_has\_ghas\_license) | If the organization owning the repositories has a GitHub Advanced Security license or not. Defaults to false. | `bool` | `false` | no | -| [private\_repositories](#input\_private\_repositories) | A map of private repositories where the key is the repository name and the value is the configuration | 
map(object({
    description                          = string
    default_branch                       = string
    protected_branches                   = list(string)
    advance_security                     = bool
    has_vulnerability_alerts             = bool
    topics                               = list(string)
    homepage                             = string
    delete_head_on_merge                 = bool
    requires_web_commit_signing          = bool
    dependabot_security_updates          = bool
    allow_auto_merge                     = optional(bool)
    allow_squash_merge                   = optional(bool)
    allow_rebase_merge                   = optional(bool)
    allow_merge_commit                   = optional(bool)
    squash_merge_commit_title            = optional(string)
    squash_merge_commit_message          = optional(string)
    merge_commit_title                   = optional(string)
    merge_commit_message                 = optional(string)
    repository_team_permissions_override = optional(map(string))
    user_permissions                     = optional(map(string))
    organization_action_secrets          = optional(list(string))
    organization_codespace_secrets       = optional(list(string))
    organization_dependabot_secrets      = optional(list(string))
    action_secrets                       = optional(map(string))
    codespace_secrets                    = optional(map(string))
    dependabot_secrets                   = optional(map(string))
    environments = optional(map(object({
      action_secrets = optional(map(string))
    })))
    template_repository = optional(object({
      owner                = string
      repository           = string
      include_all_branches = bool
    }))
    license_template = optional(string)
    pages = optional(object({
      source = optional(object({
        branch = string
        path   = optional(string)
      }))
      build_type = optional(string)
      cname      = optional(string)
    }))
  }))
| n/a | yes | -| [public\_repositories](#input\_public\_repositories) | A map of public repositories where the key is the repository name and the value is the configuration | 
map(object({
    description                          = string
    default_branch                       = string
    protected_branches                   = list(string)
    advance_security                     = bool
    topics                               = list(string)
    homepage                             = string
    delete_head_on_merge                 = bool
    dependabot_security_updates          = bool
    requires_web_commit_signing          = bool
    allow_auto_merge                     = optional(bool)
    allow_squash_merge                   = optional(bool)
    allow_rebase_merge                   = optional(bool)
    allow_merge_commit                   = optional(bool)
    squash_merge_commit_title            = optional(string)
    squash_merge_commit_message          = optional(string)
    merge_commit_title                   = optional(string)
    merge_commit_message                 = optional(string)
    repository_team_permissions_override = optional(map(string))
    user_permissions                     = optional(map(string))
    organization_action_secrets          = optional(list(string))
    organization_codespace_secrets       = optional(list(string))
    organization_dependabot_secrets      = optional(list(string))
    action_secrets                       = optional(map(string))
    codespace_secrets                    = optional(map(string))
    dependabot_secrets                   = optional(map(string))
    environments = optional(map(object({
      action_secrets = optional(map(string))
    })))
    template_repository = optional(object({
      owner                = string
      repository           = string
      include_all_branches = bool
    }))
    license_template = optional(string)
    pages = optional(object({
      source = optional(object({
        branch = string
        path   = optional(string)
      }))
      build_type = optional(string)
      cname      = optional(string)
    }))
  }))
| n/a | yes | +| [private\_repositories](#input\_private\_repositories) | A map of private repositories where the key is the repository name and the value is the configuration | 
map(object({
    description                          = string
    default_branch                       = string
    protected_branches                   = list(string)
    advance_security                     = bool
    has_vulnerability_alerts             = bool
    topics                               = list(string)
    homepage                             = string
    delete_head_on_merge                 = bool
    requires_web_commit_signing          = bool
    dependabot_security_updates          = bool
    allow_auto_merge                     = optional(bool)
    allow_squash_merge                   = optional(bool)
    allow_rebase_merge                   = optional(bool)
    allow_merge_commit                   = optional(bool)
    squash_merge_commit_title            = optional(string)
    squash_merge_commit_message          = optional(string)
    merge_commit_title                   = optional(string)
    merge_commit_message                 = optional(string)
    repository_team_permissions_override = optional(map(string))
    user_permissions                     = optional(map(string))
    organization_action_secrets          = optional(list(string))
    organization_codespace_secrets       = optional(list(string))
    organization_dependabot_secrets      = optional(list(string))
    action_secrets                       = optional(map(string))
    codespace_secrets                    = optional(map(string))
    dependabot_secrets                   = optional(map(string))
    environments = optional(map(object({
      wait_timer          = optional(number)
      can_admins_bypass   = optional(bool)
      prevent_self_review = optional(bool)
      action_secrets      = optional(map(string))
      reviewers = optional(object({
        teams = optional(list(string))
        users = optional(list(string))
      }))
      deployment_branch_policy = optional(object({
        protected_branches     = bool
        custom_branch_policies = bool
        branch_patterns        = list(string)
      }))
    })))
    template_repository = optional(object({
      owner                = string
      repository           = string
      include_all_branches = bool
    }))
    license_template = optional(string)
    pages = optional(object({
      source = optional(object({
        branch = string
        path   = optional(string)
      }))
      build_type = optional(string)
      cname      = optional(string)
    }))
  }))
| n/a | yes | +| [public\_repositories](#input\_public\_repositories) | A map of public repositories where the key is the repository name and the value is the configuration | 
map(object({
    description                          = string
    default_branch                       = string
    protected_branches                   = list(string)
    advance_security                     = bool
    topics                               = list(string)
    homepage                             = string
    delete_head_on_merge                 = bool
    dependabot_security_updates          = bool
    requires_web_commit_signing          = bool
    allow_auto_merge                     = optional(bool)
    allow_squash_merge                   = optional(bool)
    allow_rebase_merge                   = optional(bool)
    allow_merge_commit                   = optional(bool)
    squash_merge_commit_title            = optional(string)
    squash_merge_commit_message          = optional(string)
    merge_commit_title                   = optional(string)
    merge_commit_message                 = optional(string)
    repository_team_permissions_override = optional(map(string))
    user_permissions                     = optional(map(string))
    organization_action_secrets          = optional(list(string))
    organization_codespace_secrets       = optional(list(string))
    organization_dependabot_secrets      = optional(list(string))
    action_secrets                       = optional(map(string))
    codespace_secrets                    = optional(map(string))
    dependabot_secrets                   = optional(map(string))
    environments = optional(map(object({
      wait_timer          = optional(number)
      can_admins_bypass   = optional(bool)
      prevent_self_review = optional(bool)
      action_secrets      = optional(map(string))
      reviewers = optional(object({
        teams = optional(list(string))
        users = optional(list(string))
      }))
      deployment_branch_policy = optional(object({
        protected_branches     = bool
        custom_branch_policies = bool
        branch_patterns        = list(string)
      }))
    })))
    template_repository = optional(object({
      owner                = string
      repository           = string
      include_all_branches = bool
    }))
    license_template = optional(string)
    pages = optional(object({
      source = optional(object({
        branch = string
        path   = optional(string)
      }))
      build_type = optional(string)
      cname      = optional(string)
    }))
  }))
| n/a | yes | | [rulesets](#input\_rulesets) | n/a | 
map(object({
    bypass_actors = optional(object({
      repository_roles = optional(list(object({
        role          = string
        always_bypass = optional(bool)
      })))
      teams = optional(list(object({
        team          = string
        always_bypass = optional(bool)
      })))
      integrations = optional(list(object({
        installation_id = number
        always_bypass   = optional(bool)
      })))
      organization_admins = optional(list(object({
        user          = string
        always_bypass = optional(bool)
      })))
    }))
    conditions = optional(object({
      ref_name = object({
        include = list(string)
        exclude = list(string)
      })
    }))
    rules = object({
      branch_name_pattern = optional(object({
        operator = string
        pattern  = string
        name     = optional(string)
        negate   = optional(bool)
      }))
      tag_name_pattern = optional(object({
        operator = string
        pattern  = string
        name     = optional(string)
        negate   = optional(bool)
      }))
      commit_author_email_pattern = optional(object({
        operator = string
        pattern  = string
        name     = optional(string)
        negate   = optional(bool)
      }))
      commit_message_pattern = optional(object({
        operator = string
        pattern  = string
        name     = optional(string)
        negate   = optional(bool)
      }))
      committer_email_pattern = optional(object({
        operator = string
        pattern  = string
        name     = optional(string)
        negate   = optional(bool)
      }))
      creation                      = optional(bool)
      deletion                      = optional(bool)
      update                        = optional(bool)
      non_fast_forward              = optional(bool)
      required_linear_history       = optional(bool)
      required_signatures           = optional(bool)
      update_allows_fetch_and_merge = optional(bool)
      pull_request = optional(object({
        dismiss_stale_reviews_on_push     = optional(bool)
        require_code_owner_review         = optional(bool)
        require_last_push_approval        = optional(bool)
        required_approving_review_count   = optional(number)
        required_review_thread_resolution = optional(bool)
      }))
      required_status_checks = optional(object({
        required_check = list(object({
          context        = string
          integration_id = optional(number)
        }))
        strict_required_status_check_policy = optional(bool)
      }))
      required_deployment_environments = optional(list(string))
    })
    target       = string
    enforcement  = string
    repositories = list(string)
  }))
| `{}` | no | ## Outputs