terraform {
  # Only the GitHub provider is required. "~> 5.0" allows any 5.x release and
  # refuses 6.0, so a major-version bump of the provider is an explicit change.
  # NOTE(review): no required_version is declared, although the comments on the
  # environment-secret resource below depend on pre-/post-1.7 Terraform
  # behaviour — consider pinning the core version alongside the provider.
  required_providers {
    github = {
      source  = "integrations/github"
      version = "~> 5.0"
    }
  }
}
# The repository managed by this module. Issues, discussions and the wiki are
# disabled; merges land as merge commits only (squash/rebase are off), titled
# and described from the pull request, and the PR branch is removed afterwards.
resource "github_repository" "this" {
  name        = var.name
  description = var.description
  topics      = var.topics

  # Private unless the caller opts out.
  visibility = var.private ? "private" : "public"

  # Feature toggles: nothing beyond code and pull requests.
  has_issues      = false
  has_discussions = false
  has_wiki        = false

  # Merge policy.
  allow_merge_commit   = true
  merge_commit_title   = "PR_TITLE"
  merge_commit_message = "PR_BODY"
  allow_squash_merge   = false
  allow_rebase_merge   = false

  # Auto-merge is enabled; what has to pass before it fires is governed by the
  # github_branch_protection_v3.this rule on the default branch.
  allow_auto_merge       = true
  delete_branch_on_merge = true

  # NOTE(review): auto_init is not set, so whether the repository starts with a
  # commit presumably depends on whether a gitignore template is supplied —
  # verify against how the module is used, since the branch resources below
  # reference a branch nothing in this file creates.
  gitignore_template = var.gitignore_template

  # NOTE(review): neither vulnerability_alerts nor archive_on_destroy is set,
  # so Dependabot alerting follows the GitHub/org default and `terraform
  # destroy` removes the repository outright — confirm both are intended.
}
# Makes var.default_branch the repository's default branch.
# NOTE(review): nothing in this file creates that branch; confirm the caller
# guarantees it exists before this and the protection rule below are applied.
resource "github_branch_default" "this" {
  branch     = var.default_branch
  repository = github_repository.this.name
}
# Protection rule for the default branch. What it enforces, as written:
#   - pull requests are always required (the required_pull_request_reviews
#     block is unconditional) and approvals are dismissed when new commits
#     are pushed;
#   - with var.pr_review_required = true, one approval plus a code-owner
#     review is needed; with it false, zero approvals are needed, so combined
#     with allow_auto_merge on the repository a user with push access can open
#     and merge their own PR;
#   - required_status_checks lists no check contexts, so no CI check is
#     actually mandatory; strict (branch up to date with base) only takes
#     effect once at least one check is required.
# NOTE(review): enforce_admins is not set, so repository admins are presumably
# not bound by this rule (provider default), and require_code_owner_reviews
# only has an effect when a CODEOWNERS file exists — confirm both are intended.
resource "github_branch_protection_v3" "this" {
  branch     = github_branch_default.this.branch
  repository = github_repository.this.name

  required_pull_request_reviews {
    required_approving_review_count = var.pr_review_required ? 1 : 0
    require_code_owner_reviews      = var.pr_review_required
    dismiss_stale_reviews           = true
  }

  required_status_checks {
    strict = true
  }
}
# Read-only collaborators: one instance per entry of var.pull_collaborators.
resource "github_repository_collaborator" "pull" {
  for_each   = var.pull_collaborators
  permission = "pull"
  repository = github_repository.this.name
  username   = each.value
}
# Write collaborators: one instance per entry of var.push_collaborators. Push
# access is what the branch protection rule above is there to constrain.
resource "github_repository_collaborator" "push" {
  for_each   = var.push_collaborators
  permission = "push"
  repository = github_repository.this.name
  username   = each.value
}
# Maintainers: one instance per entry of var.maintain_collaborators.
resource "github_repository_collaborator" "maintain" {
  for_each   = var.maintain_collaborators
  permission = "maintain"
  repository = github_repository.this.name
  username   = each.value
}
# Triage collaborators: one instance per entry of var.triage_collaborators.
resource "github_repository_collaborator" "triage" {
  for_each   = var.triage_collaborators
  permission = "triage"
  repository = github_repository.this.name
  username   = each.value
}
# Administrators: one instance per entry of var.admin_collaborators.
# NOTE(review): admin grants the power to change branch protection, secrets
# and collaborators managed elsewhere in this file, i.e. to undo every control
# this module sets — keep this set as small as possible and expect drift if
# an admin edits settings outside Terraform.
resource "github_repository_collaborator" "admin" {
  for_each   = var.admin_collaborators
  permission = "admin"
  repository = github_repository.this.name
  username   = each.value
}
# Repository-level Actions secrets: one instance per entry of var.secrets,
# keyed by secret name (the name is therefore the resource instance key and
# appears in plan output and state addresses).
resource "github_actions_secret" "this" {
  # See the comment attached to the for_each argument of the
  # github_actions_environment_secret resource below for why the map is
  # wrapped in nonsensitive(sensitive(...)).
  #
  # NOTE(review): nonsensitive() is applied to the whole map, values included,
  # so each.value (the plaintext) reaches plaintext_value without Terraform's
  # own sensitive mark; redaction in plan output then rests on the provider
  # schema marking plaintext_value sensitive, and the plaintext is written to
  # state in any case. Keep the state backend encrypted and access-restricted.
  # If tighter tracking is wanted, iterate over the names only and look the
  # value up from var.secrets in plaintext_value, so only the keys are unmarked.
  for_each = nonsensitive(sensitive({
    for idx, secret in var.secrets : secret.name => secret.plaintext_value
  }))
  repository      = github_repository.this.name
  secret_name     = each.key
  plaintext_value = each.value
}
# Repository-level Actions variables: one instance per entry of var.variables,
# keyed by variable name.
# NOTE(review): Actions variables are not secrets — their values are readable
# by anyone who can see the repository settings — so the sensitive wrapper
# below only matters if a caller passes values derived from sensitive sources.
# Anything that must stay confidential belongs in github_actions_secret
# instead. (The environment-variable resource further down does not wrap its
# for_each; the two should agree.)
resource "github_actions_variable" "this" {
  for_each = nonsensitive(sensitive({
    for idx, variable in var.variables : variable.name => variable.value
  }))
  repository    = github_repository.this.name
  variable_name = each.key
  value         = each.value
}
# One deployment environment per key of var.environments. Every environment is
# created with custom (pattern-based) branch policies enabled and the
# "protected branches only" option off; the patterns themselves come from
# github_repository_environment_deployment_policy.this.
# NOTE(review): no reviewers or wait_timer are configured, so this environment's
# secrets are available to any workflow run on a branch matching the policy.
# Environments whose deployment_policy is null get no pattern at all — confirm
# that "no branch can deploy there" is the intended result for them.
resource "github_repository_environment" "this" {
  for_each    = var.environments
  environment = each.key
  repository  = github_repository.this.name

  deployment_branch_policy {
    custom_branch_policies = true
    protected_branches     = false
  }
}
# The single branch-name pattern allowed to deploy to each environment.
# Environments with a null deployment_policy are filtered out here and so end
# up with no pattern.
# NOTE(review): a broad pattern (for example "*") would let any branch reach
# the environment's secrets; callers should keep patterns narrow.
resource "github_repository_environment_deployment_policy" "this" {
  for_each = {
    for name, env in var.environments :
    name => env.deployment_policy if env.deployment_policy != null
  }
  branch_pattern = each.value.branch_pattern
  environment    = github_repository_environment.this[each.key].environment
  repository     = github_repository.this.name
}
# Environment-scoped Actions secrets: one instance per (environment, secret)
# pair found in var.environments[*].secrets. Instances are keyed by the
# position in the flattened list ("0", "1", ...), not by environment/name.
# NOTE(review): positional keys shift whenever an earlier entry is added or
# removed, which shows up as destroy/recreate of unrelated secrets under new
# addresses. A stable key such as "${env_name}/${secret.name}" would avoid
# that, but changing the key changes existing state addresses and needs
# `moved` blocks (or a state migration) to roll out.
resource "github_actions_environment_secret" "this" {
  # This for_each has to be marked as nonsensitive because a secret's plaintext
  # value is sensitive, which leads Terraform to conclude the for_each is
  # dangerous because it contains sensitive information. However, the only part
  # of the for_each that cannot be sensitive is the key (as described in
  # https://support.hashicorp.com/hc/en-us/articles/4538432032787-Variable-has-a-sensitive-value-and-cannot-be-used-as-for-each-arguments),
  # and an index is the key here, which is not sensitive.
  #
  # NOTE(review): nonsensitive() nevertheless unmarks the whole value, so the
  # secret_value carried in each.value reaches plaintext_value without
  # Terraform's own sensitive mark; plan redaction then rests on the provider
  # marking plaintext_value sensitive, and the plaintext is stored in state
  # either way — protect the state backend accordingly.
  #
  # The inner sensitive() call is a temporary work-around while v1.7 of
  # Terraform remains unreleased. It handles the case where there are no
  # secrets, which means env.secrets (below) is simply {}, which is obviously
  # not sensitive and therefore causes pre-v1.7 Terraform to complain with
  # the following error:
  # ```
  # while calling nonsensitive(value)
  # <snip> is empty set of object
  # Invalid value for "value" parameter: the given value is not sensitive, so this call is redundant.
  # ```
  # See https://github.com/hashicorp/terraform/pull/33856 for more info.
  #
  # Also note it's acceptable to use the plaintext_value argument because of
  # https://github.com/integrations/terraform-provider-github/issues/888#issuecomment-1033059463.
  for_each = nonsensitive(sensitive({
    for idx, secret in flatten([
      for env_name, env in var.environments : [
        for secret in env.secrets : {
          environment  = env_name
          secret_name  = secret.name
          secret_value = secret.plaintext_value
        }
      ]
    ]) : idx => secret
  }))
  repository      = github_repository.this.name
  environment     = each.value.environment
  secret_name     = each.value.secret_name
  plaintext_value = each.value.secret_value
}
# Environment-scoped Actions variables: one instance per (environment,
# variable) pair in var.environments[*].variables, keyed by position in the
# flattened list ("0", "1", ...) exactly like the environment secrets above —
# so the same address-churn caveat applies when entries are inserted or removed.
# Variables are not secrets, hence no sensitive handling here.
resource "github_actions_environment_variable" "this" {
  for_each = {
    for position, entry in flatten([
      for env_name, env in var.environments : [
        for v in env.variables : {
          environment    = env_name
          variable_name  = v.name
          variable_value = v.value
        }
      ]
    ]) : position => entry
  }
  environment   = each.value.environment
  repository    = github_repository.this.name
  value         = each.value.variable_value
  variable_name = each.value.variable_name
}
# Actions access level for the repository, driven entirely by
# var.gha_access_level (the GitHub setting that controls which other
# repositories may use this one's workflows and actions; see the provider
# docs for the accepted values).
resource "github_actions_repository_access_level" "this" {
  access_level = var.gha_access_level
  repository   = github_repository.this.name
}