feat: Add repository environment configuration

modules/private_repository/README.md

@@ -35,7 +35,7 @@ No resources.
 | <a name="input_dependabot_secrets"></a> [dependabot\_secrets](#input\_dependabot\_secrets) | An (Optional) map of Dependabot secrets to create for this repository. The key is the name of the secret and the value is the encrypted value. | `map(string)` | `{}` | no |
 | <a name="input_dependabot_security_updates"></a> [dependabot\_security\_updates](#input\_dependabot\_security\_updates) | Enables dependabot security updates. Only works when `has_vulnerability_alerts` is set because that is required to enable dependabot for the repository. | `bool` | `true` | no |
 | <a name="input_description"></a> [description](#input\_description) | The description to give to the repository. Defaults to `""` | `string` | `""` | no |
-| <a name="input_environments"></a> [environments](#input\_environments) | Environments to create for the repository. | <pre>map(object({<br>    action_secrets = optional(map(string))<br>  }))</pre> | `{}` | no |
+| <a name="input_environments"></a> [environments](#input\_environments) | Environments to create for the repository. | <pre>map(object({<br>    wait_timer          = optional(number)<br>    can_admins_bypass   = optional(bool)<br>    prevent_self_review = optional(bool)<br>    action_secrets      = optional(map(string))<br>    reviewers = optional(object({<br>      teams = optional(list(string))<br>      users = optional(list(string))<br>    }))<br>    deployment_branch_policy = optional(object({<br>      protected_branches     = bool<br>      custom_branch_policies = bool<br>      branch_patterns        = list(string)<br>    }))<br>  }))</pre> | `{}` | no |
 | <a name="input_has_ghas_license"></a> [has\_ghas\_license](#input\_has\_ghas\_license) | If the organization owning the repository has a GitHub Advanced Security license or not. Defaults to false. | `bool` | `false` | no |
 | <a name="input_homepage"></a> [homepage](#input\_homepage) | The homepage for the repository | `string` | `""` | no |
 | <a name="input_license_template"></a> [license\_template](#input\_license\_template) | The (Optional) license template to use for the repository | `string` | `null` | no |

modules/private_repository/variables.tf

@@ -100,7 +100,19 @@ variable "dependabot_secrets" {
 variable "environments" {
   description = "Environments to create for the repository."
   type = map(object({
-    action_secrets = optional(map(string))
+    wait_timer          = optional(number)
+    can_admins_bypass   = optional(bool)
+    prevent_self_review = optional(bool)
+    action_secrets      = optional(map(string))
+    reviewers = optional(object({
+      teams = optional(list(string))
+      users = optional(list(string))
+    }))
+    deployment_branch_policy = optional(object({
+      protected_branches     = bool
+      custom_branch_policies = bool
+      branch_patterns        = list(string)
+    }))
   }))
   default = {}
 }

modules/public_repository/README.md

@@ -35,7 +35,7 @@ No resources.
 | <a name="input_dependabot_secrets"></a> [dependabot\_secrets](#input\_dependabot\_secrets) | An (Optional) map of Dependabot secrets to create for this repository. The key is the name of the secret and the value is the encrypted value. | `map(string)` | `{}` | no |
 | <a name="input_dependabot_security_updates"></a> [dependabot\_security\_updates](#input\_dependabot\_security\_updates) | Enables dependabot security updates. Only works when `has_vulnerability_alerts` is set because that is required to enable dependabot for the repository. | `bool` | `true` | no |
 | <a name="input_description"></a> [description](#input\_description) | The description to give to the repository. Defaults to `""` | `string` | `""` | no |
-| <a name="input_environments"></a> [environments](#input\_environments) | Environments to create for the repository. | <pre>map(object({<br>    action_secrets = optional(map(string))<br>  }))</pre> | `{}` | no |
+| <a name="input_environments"></a> [environments](#input\_environments) | Environments to create for the repository. | <pre>map(object({<br>    wait_timer          = optional(number)<br>    can_admins_bypass   = optional(bool)<br>    prevent_self_review = optional(bool)<br>    action_secrets      = optional(map(string))<br>    reviewers = optional(object({<br>      teams = optional(list(string))<br>      users = optional(list(string))<br>    }))<br>    deployment_branch_policy = optional(object({<br>      protected_branches     = bool<br>      custom_branch_policies = bool<br>      branch_patterns        = list(string)<br>    }))<br>  }))</pre> | `{}` | no |
 | <a name="input_homepage"></a> [homepage](#input\_homepage) | The homepage for the repository | `string` | `""` | no |
 | <a name="input_license_template"></a> [license\_template](#input\_license\_template) | The (Optional) license template to apply to the repository | `string` | `null` | no |
 | <a name="input_merge_commit_message"></a> [merge\_commit\_message](#input\_merge\_commit\_message) | (Optional) Can be `PR_BODY`, `PR_TITLE`, or `BLANK` for a default merge commit message. Applicable only if allow\_merge\_commit is `true`. | `string` | `"PR_TITLE"` | no |

modules/public_repository/variables.tf

@@ -94,7 +94,19 @@ variable "dependabot_secrets" {
 variable "environments" {
   description = "Environments to create for the repository."
   type = map(object({
-    action_secrets = optional(map(string))
+    wait_timer          = optional(number)
+    can_admins_bypass   = optional(bool)
+    prevent_self_review = optional(bool)
+    action_secrets      = optional(map(string))
+    reviewers = optional(object({
+      teams = optional(list(string))
+      users = optional(list(string))
+    }))
+    deployment_branch_policy = optional(object({
+      protected_branches     = bool
+      custom_branch_policies = bool
+      branch_patterns        = list(string)
+    }))
   }))
   default = {}
 }

modules/repository_base/README.md

@@ -30,6 +30,7 @@
 | [github_repository_collaborators.collaborators](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_collaborators) | resource |
 | [github_repository_dependabot_security_updates.automated_security_fixes](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_dependabot_security_updates) | resource |
 | [github_repository_environment.environment](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_environment) | resource |
+| [github_repository_environment_deployment_policy.deployment_policy](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_environment_deployment_policy) | resource |
 | [github_repository_ruleset.protected_branch_base_rules](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_ruleset) | resource |
 | [github_organization_custom_role.branch_ruleset_bypasser](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/organization_custom_role) | data source |
 | [github_team.branch_ruleset_bypasser](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/team) | data source |
@@ -51,7 +52,7 @@
 | <a name="input_dependabot_secrets"></a> [dependabot\_secrets](#input\_dependabot\_secrets) | An (Optional) map of Dependabot secrets to create for this repository. The key is the name of the secret and the value is the encrypted value. | `map(string)` | `{}` | no |
 | <a name="input_dependabot_security_updates"></a> [dependabot\_security\_updates](#input\_dependabot\_security\_updates) | Enables dependabot security updates. Only works when `has_vulnerability_alerts` is set because that is required to enable dependabot for the repository. | `bool` | `true` | no |
 | <a name="input_description"></a> [description](#input\_description) | The description to give to the repository. Defaults to `""` | `string` | `""` | no |
-| <a name="input_environments"></a> [environments](#input\_environments) | An (Optional) map of environments to create for the repository. The key is the name of the environment and the value is the environment configuration. | <pre>map(object({<br>    action_secrets = optional(map(string))<br>  }))</pre> | `{}` | no |
+| <a name="input_environments"></a> [environments](#input\_environments) | An (Optional) map of environments to create for the repository. The key is the name of the environment and the value is the environment configuration. | <pre>map(object({<br>    wait_timer          = optional(number)<br>    can_admins_bypass   = optional(bool)<br>    prevent_self_review = optional(bool)<br>    action_secrets      = optional(map(string))<br>    reviewers = optional(object({<br>      teams = optional(list(string))<br>      users = optional(list(string))<br>    }))<br>    deployment_branch_policy = optional(object({<br>      protected_branches     = bool<br>      custom_branch_policies = bool<br>      branch_patterns        = list(string)<br>    }))<br>  }))</pre> | `{}` | no |
 | <a name="input_has_discussions"></a> [has\_discussions](#input\_has\_discussions) | Enables Github Discussions. | `bool` | `true` | no |
 | <a name="input_has_downloads"></a> [has\_downloads](#input\_has\_downloads) | Enables downloads for the repository | `bool` | `false` | no |
 | <a name="input_has_issues"></a> [has\_issues](#input\_has\_issues) | Enables Github Issues for the repository | `bool` | `true` | no |

modules/repository_base/environments.tf

@@ -1,5 +1,47 @@
+locals {
+  coalesced_environments = coalesce(var.environments, {})
+  env_deployment_branch_patterns = {
+    for env_name, env in local.coalesced_environments : env_name => env.deployment_branch_policy.branch_patterns if env.deployment_branch_policy != null
+  }
+
+  deployment_policy_configurations = merge([
+    for env_name, branch_patterns in local.env_deployment_branch_patterns : {
+      for pattern in branch_patterns : "${env_name}:${pattern}" => {
+        pattern     = pattern,
+        environment = env_name
+      }
+    }
+  ]...)
+}
+
 resource "github_repository_environment" "environment" {
-  for_each    = toset(keys(coalesce(var.environments, {})))
-  repository  = github_repository.repository.name
-  environment = each.value
+  for_each            = local.coalesced_environments
+  repository          = github_repository.repository.name
+  environment         = each.key
+  wait_timer          = each.value.wait_timer
+  can_admins_bypass   = each.value.can_admins_bypass
+  prevent_self_review = each.value.prevent_self_review
+
+  dynamic "reviewers" {
+    for_each = each.value.reviewers != null ? toset([each.value.reviewers]) : []
+    content {
+      teams = reviewers.value.teams
+      users = reviewers.value.users
+    }
+  }
+
+  dynamic "deployment_branch_policy" {
+    for_each = each.value.deployment_branch_policy != null ? toset([each.value.deployment_branch_policy]) : []
+    content {
+      protected_branches     = deployment_branch_policy.value.protected_branches
+      custom_branch_policies = deployment_branch_policy.value.custom_branch_policies
+    }
+  }
+}
+
+resource "github_repository_environment_deployment_policy" "deployment_policy" {
+  for_each       = local.deployment_policy_configurations
+  repository     = github_repository.repository.name
+  environment    = github_repository_environment.environment["${each.value.environment}"].environment
+  branch_pattern = each.value.pattern
 }

modules/repository_base/variables.tf

@@ -148,7 +148,19 @@ variable "dependabot_secrets" {
 variable "environments" {
   description = "An (Optional) map of environments to create for the repository. The key is the name of the environment and the value is the environment configuration."
   type = map(object({
-    action_secrets = optional(map(string))
+    wait_timer          = optional(number)
+    can_admins_bypass   = optional(bool)
+    prevent_self_review = optional(bool)
+    action_secrets      = optional(map(string))
+    reviewers = optional(object({
+      teams = optional(list(string))
+      users = optional(list(string))
+    }))
+    deployment_branch_policy = optional(object({
+      protected_branches     = bool
+      custom_branch_policies = bool
+      branch_patterns        = list(string)
+    }))
   }))
   default = {}
 }