diff --git a/.gitignore b/.gitignore
index 0807788..f18c1ff 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
 # Ignore override files as they are usually used to override resources locally
 *override.tf
 *override.tf.json
+providers.tf
 # .tfstate files
 *.tfstate
@@ -39,4 +40,5 @@ backend.tf.json
 **/*.temp
 **/*.bak
 **/*.*swp
-**/.DS_Store
\ No newline at end of file
+**/.DS_Store
+.terraform.lock.hcl
diff --git a/README.md b/README.md
index 3fa9097..5815750 100644
--- a/README.md
+++ b/README.md
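Review bot: Adding `.terraform.lock.hcl` to `.gitignore` in the second hunk gives up the provider checksum pinning the lock file provides; that is the usual choice for a reusable module, but if this repository is ever applied directly as a root configuration the lock file should be committed so `terraform init` verifies the `integrations/github` provider against recorded hashes instead of whatever the registry currently serves. Ignoring `providers.tf` in the first hunk keeps local provider configuration out of version control, which is sensible, but the intent is invisible to contributors; a comment such as `# providers.tf is local-only: keep provider credentials out of the repo (prefer the provider's environment variables)` above that entry would document it. The rest of the second hunk only re-adds `**/.DS_Store` with a trailing newline.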
@@ -15,36 +15,63 @@ TODO | Name | Version | |------|---------| -| terraform | >= 1.0 | -| random | >= 3.0 | +| terraform | >= 1.3 | ## Providers -| Name | Version | -|------|---------| -| random | >= 3.0 | +No providers. ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| actions_runner_group | ./modules/actions_runner_group | n/a | +| organization_settings | ./modules/organization_settings | n/a | ## Resources -| Name | Type | -|------|------| -| [random_pet.template](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource | +No resources. ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| length | The length of the random name | `number` | `2` | no | +| advanced_security_enabled_for_new_repositories | Whether or not advanced security is enabled for new repositories. Defaults to false. | `bool` | `null` | no | +| allows_public_repositories | Whether public repositories can be added to the runner group | `bool` | `null` | no | +| billing_email | The billing email address for the organization. | `string` | n/a | yes | +| blog | The blog URL for the organization. | `string` | `null` | no | +| company | The company name for the organization. | `string` | `null` | no | +| default_repository_permission | The default permission for organization members to create new repositories. Can be one of read, write, admin, or none. Defaults to read. | `string` | `null` | no | +| dependabot_alerts_enabled_for_new_repositories | Whether or not dependabot alerts are enabled for new repositories. Defaults to false. | `bool` | `null` | no | +| dependabot_security_updates_enabled_for_new_repositories | Whether or not dependabot security updates are enabled for new repositories. Defaults to false. | `bool` | `null` | no | +| dependency_graph_enabled_for_new_repositories | Whether or not dependency graph is enabled for new repositories. Defaults to false. 
| `bool` | `null` | no | +| description | The description for the organization. | `string` | `null` | no | +| email | The email address for the organization. | `string` | `null` | no | +| has_organization_projects | Whether or not organization projects are enabled for the organization. | `bool` | `null` | no | +| has_repository_projects | Whether or not repository projects are enabled for the organization. | `bool` | `null` | no | +| location | The location for the organization. | `string` | `null` | no | +| members_can_create_internal_repositories | Whether or not organization members can create new internal repositories. For Enterprise Organizations only. | `bool` | `null` | no | +| members_can_create_pages | Whether or not organization members can create new pages. Defaults to true. | `bool` | `null` | no | +| members_can_create_private_pages | Whether or not organization members can create new private pages. Defaults to true. | `bool` | `null` | no | +| members_can_create_private_repositories | Whether or not organization members can create new private repositories. Defaults to true. | `bool` | `null` | no | +| members_can_create_public_pages | Whether or not organization members can create new public pages. Defaults to true. | `bool` | `null` | no | +| members_can_create_public_repositories | Whether or not organization members can create new public repositories. Defaults to true. | `bool` | `null` | no | +| members_can_create_repositories | Whether or not organization members can create new repositories. Defaults to true. | `bool` | `null` | no | +| members_can_fork_private_repositories | Whether or not organization members can fork private repositories. Defaults to false. | `bool` | `null` | no | +| organization_name | The name for the organization. | `string` | `null` | no | +| restricted_to_workflows | If true, the runner group will be restricted to running only the workflows specified in the selected_workflows array. Defaults to false. 
| `bool` | `null` | no | +| runner_group_name | Name of the runner group | `string` | n/a | yes | +| secret_scanning_enabled_for_new_repositories | Whether or not secret scanning is enabled for new repositories. Defaults to false. | `bool` | `null` | no | +| secret_scanning_push_protection_enabled_for_new_repositories | Whether or not secret scanning push protection is enabled for new repositories. Defaults to false. | `bool` | `null` | no | +| selected_repository_ids | IDs of the repositories which should be added to the runner group | `list(string)` | `[]` | no | +| selected_workflows | List of workflows the runner group should be allowed to run. This setting will be ignored unless restricted_to_workflows is set to true. | `list(string)` | `[]` | no | +| twitter_username | The Twitter username for the organization. | `string` | `null` | no | +| visibility | Visibility of a runner group. Whether the runner group can include `all`, `selected`, or `private` repositories. A value of private is not currently supported due to limitations in the GitHub API. | `string` | n/a | yes | +| web_commit_signoff_required | Whether or not commit signatures are required for commits to the organization. Defaults to false. | `bool` | `null` | no | ## Outputs -| Name | Description | -|------|-------------| -| random_pet_name | The generated random pet name | +No outputs. ## Contributing diff --git a/main.tf b/main.tf index 74e76fd..df10a2c 100644 --- a/main.tf +++ b/main.tf 
@@ -1,3 +1,140 @@
-resource "random_pet" "template" {
- length = var.length
+module "organization_settings" {
+ source = "./modules/organization_settings"
+
+ billing_email = var.billing_email
+ company = var.company
+ blog = var.blog
+ email = var.email
+ twitter_username = var.twitter_username
+ location = var.location
+ name = var.organization_name
+ description = var.description
+ has_organization_projects = var.has_organization_projects
+ has_repository_projects = var.has_repository_projects
+ default_repository_permission = var.default_repository_permission
+ members_can_create_repositories = var.members_can_create_repositories
+ members_can_create_public_repositories = var.members_can_create_public_repositories
+ members_can_create_private_repositories = var.members_can_create_private_repositories
+ members_can_create_internal_repositories = var.members_can_create_internal_repositories
+ members_can_create_pages = var.members_can_create_pages
+ members_can_create_public_pages = var.members_can_create_public_pages
+ members_can_create_private_pages = var.members_can_create_private_pages
+ members_can_fork_private_repositories = var.members_can_fork_private_repositories
+ web_commit_signoff_required = var.web_commit_signoff_required
+ advanced_security_enabled_for_new_repositories = var.advanced_security_enabled_for_new_repositories
+ dependabot_alerts_enabled_for_new_repositories = var.dependabot_alerts_enabled_for_new_repositories
+ dependabot_security_updates_enabled_for_new_repositories = var.dependabot_security_updates_enabled_for_new_repositories
+ dependency_graph_enabled_for_new_repositories = var.dependency_graph_enabled_for_new_repositories
+ secret_scanning_enabled_for_new_repositories = var.secret_scanning_enabled_for_new_repositories
+ secret_scanning_push_protection_enabled_for_new_repositories = var.secret_scanning_push_protection_enabled_for_new_repositories
+}
+
+module "actions_runner_group" {
+ source = "./modules/actions_runner_group"
+ for_each = var.actions_runner_groups
+
+ name = var.runner_group_name
+ restricted_to_workflows = var.restricted_to_workflows
+ selected_repository_ids = var.selected_repository_ids
+ selected_workflows = var.selected_workflows
+ visibility = var.visibility
+ allows_public_repositories = var.allows_public_repositories
+}
+
+module "organization_block" {
+ source = "./modules/organization_block"
+ for_each = toset(var.blocked_usernames)
+
+ username = each.value
+}
+
+module "organization_ruleset" {
+ for_each = var.organization_rulesets
+}
+
+variable "organization_rulesets" {
+ description = "A map of organization rulesets to create. The map key is the name of the ruleset."
+ type = map(object({
+ enforcement = string
+ rules = list(object({
+ # Enterprise only! Use `conditions` block for matching branches.
+ branch_name_pattern = optional(list(object({
+ operator = string
+ pattern = string
+ name = optional(string)
+ negate = optional(bool)
+ })), [])
+ # Enterprise only!
+ commit_author_email_pattern = optional(list(object({
+ operator = string
+ pattern = string
+ name = optional(string)
+ negate = optional(bool)
+ })), [])
+ # Enterprise only!
+ commit_message_pattern = optional(list(object({
+ operator = string
+ pattern = string
+ name = optional(string)
+ negate = optional(bool)
+ })), [])
+ # Enterprise only!
+ committer_email_pattern = optional(list(object({
+ operator = string
+ pattern = string
+ name = optional(string)
+ negate = optional(bool)
+ })), [])
+ creation = optional(bool)
+ deletion = optional(bool)
+ non_fast_forward = optional(bool)
+ pull_request = optional(list(object({
+ dismiss_stale_reviews_on_push = optional(bool)
+ require_code_owner_review = optional(bool)
+ require_last_push_approval = optional(bool)
+ required_approving_review_count = optional(number)
+ required_review_thread_resolution = optional(bool)
+ })), [])
+ required_linear_history = optional(bool)
+ required_signatures = optional(bool)
+ required_status_checks = optional(list(object({
+ required_check = list(object({
+ context = string
+ integration_id = optional(number)
+ }))
+ strict_required_status_checks_policy = optional(bool)
+ })), [])
+ required_workflows = optional(list(object({
+ required_workflow = list(object({
+ repository_id = number
+ path = string
+ ref = optional(string)
+ }))
+ })), [])
+ tag_name_pattern = optional(list(object({
+ operator = string
+ pattern = string
+ name = optional(string)
+ negate = optional(bool)
+ })), [])
+ update = optional(bool)
+ }))
+ target = string
+ bypass_actors = optional(list(object({
+ actor_id = number
+ actor_type = string
+ bypass_mode = optional(string)
+ })), [])
+ }))
+}
+
+module "organization_secret" {
+ source = "./modules/actions_organization_secrets"
+ for_each = var.organization_secrets
+
+ secret_name = each.key
+ encrypted_value = each.value.encrypted_value
+ plaintext_value = each.value.plaintext_value
+ visibility = each.value.visibility
+ selected_repository_ids = each.value.selected_repository_ids
 }
diff --git a/modules/actions_organization_secrets/README.md b/modules/actions_organization_secrets/README.md
new file mode 100644
index 0000000..02eb605
--- /dev/null
+++ b/modules/actions_organization_secrets/README.md
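Review bot: `module "organization_ruleset"` has no `source` argument, so `terraform init` fails on this hunk as written, and `module "actions_runner_group"` iterates `var.actions_runner_groups` with `for_each` but then feeds every instance the same flat inputs (`name = var.runner_group_name`, `visibility = var.visibility`, …), so each map key produces an identically named group and the per-key settings in the map are never read. The call should take its values from `each.key` / `each.value` the way `organization_block` and `organization_secret` already do; note the map's `restricted_to_workflows` is typed `optional(list(string))` in `variables.tf` while the child module expects a `bool`, so that type has to be corrected as well. `variable "organization_rulesets"` is declared in `main.tf` even though the project keeps inputs in `variables.tf`; moving it there keeps the terraform-docs tables in the README complete. `./modules/organization_block` is referenced but does not appear in this diff, so presumably it already exists; worth confirming before merge.
```hcl
module "actions_runner_group" {
  source   = "./modules/actions_runner_group"
  for_each = var.actions_runner_groups

  name                       = each.key
  restricted_to_workflows    = each.value.restricted_to_workflows
  selected_repository_ids    = each.value.selected_repository_ids
  selected_workflows         = each.value.selected_workflows
  visibility                 = each.value.visibility
  allows_public_repositories = each.value.allows_public_repositories
}

# … unchanged: organization_block …

module "organization_ruleset" {
  source   = "<PATH-TO-RULESET-MODULE>" # placeholder: no ruleset module is part of this diff
  for_each = var.organization_rulesets
}
```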
@@ -0,0 +1,60 @@ + + + +## Requirements + +| Name | Version | +|------|---------| +| terraform | >=1.3.0 | +| github | >= 6.2.3 | + +## Providers + +| Name | Version | +|------|---------| +| github | >= 6.2.3 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [github_actions_organization_secret.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_secret) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| encrypted_value | Encrypted value of the secret using the GitHub public key in Base64 format. | `string` | `null` | no | +| plaintext_value | Plaintext value of the secret to be encrypted. | `string` | `null` | no | +| secret_name | Name of the secret. | `string` | n/a | yes | +| selected_repository_ids | An array of repository ids that can access the organization secret. | `list(string)` | `null` | no | +| visibility | Configures the access that repositories have to the organization secret. Must be one of `all`, `private`, `selected`. | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| created_at | n/a | +| updated_at | n/a | + + +## Contributing + +Contributions are welcome and appreciated! + +Found an issue or want to request a feature? [Open an issue](TODO) + +Want to fix a bug you found or add some functionality? Fork, clone, commit, push, and PR and we'll check it out. + +If you have any issues or are waiting a long time for a PR to get merged then feel free to ping us at [hello@masterpoint.io](mailto:hello@masterpoint.io). + +## Built By + +[![Masterpoint Logo](https://i.imgur.com/RDLnuQO.png)](https://masterpoint.io) + + + diff --git a/modules/actions_organization_secrets/main.tf b/modules/actions_organization_secrets/main.tf new file mode 100644 index 0000000..9d82556 --- /dev/null +++ b/modules/actions_organization_secrets/main.tf 
@@ -0,0 +1,7 @@
+resource "github_actions_organization_secret" "this" {
+ secret_name = var.secret_name
+ encrypted_value = var.encrypted_value
+ plaintext_value = var.plaintext_value
+ visibility = var.visibility
+ selected_repository_ids = var.selected_repository_ids
+}
diff --git a/modules/actions_organization_secrets/outputs.tf b/modules/actions_organization_secrets/outputs.tf
new file mode 100644
index 0000000..df6cde4
--- /dev/null
+++ b/modules/actions_organization_secrets/outputs.tf
@@ -0,0 +1,6 @@
+output "created_at" {
+ value = github_actions_organization_secret.this.created_at
+}
+output "updated_at" {
+ value = github_actions_organization_secret.this.updated_at
+}
diff --git a/modules/actions_organization_secrets/variables.tf b/modules/actions_organization_secrets/variables.tf
new file mode 100644
index 0000000..428c68e
--- /dev/null
+++ b/modules/actions_organization_secrets/variables.tf
@@ -0,0 +1,32 @@
+variable "secret_name" {
+ type = string
+ description = "Name of the secret."
+}
+
+variable "encrypted_value" {
+ type = string
+ description = "Encrypted value of the secret using the GitHub public key in Base64 format."
+ default = null
+}
+
+variable "plaintext_value" {
+ type = string
+ description = "Plaintext value of the secret to be encrypted."
+ sensitive = true
+ default = null
+}
+
+variable "visibility" {
+ type = string
+ description = "Configures the access that repositories have to the organization secret. Must be one of `all`, `private`, `selected`."
+ validation {
+ condition = var.visibility == "all" || var.visibility == "private" || var.visibility == "selected"
+ error_message = "Visibility must be either 'all' or 'private'."
+ }
+}
+
+variable "selected_repository_ids" {
+ type = list(string)
+ description = "An array of repository ids that can access the organization secret."
+ default = null
+}
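Review bot: `github_actions_organization_secret.this` passes both `encrypted_value` and `plaintext_value` straight through with `null` defaults, so nothing stops a caller from supplying both or neither, and since the provider treats the two as mutually exclusive the mistake only surfaces at apply time. A `lifecycle` precondition on the resource reports it at plan time, and the module's `>=1.3.0` floor already supports preconditions. If the provider turns out to accept a secret with no value at all, relax the condition to at-most-one rather than exactly-one.
```hcl
resource "github_actions_organization_secret" "this" {
  # … unchanged: secret_name, encrypted_value, plaintext_value, visibility, selected_repository_ids …

  lifecycle {
    precondition {
      condition     = (var.encrypted_value != null) != (var.plaintext_value != null)
      error_message = "Exactly one of encrypted_value or plaintext_value must be set."
    }
  }
}
```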
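Review bot: The `visibility` validation accepts `all`, `private` and `selected`, but its `error_message` says `"Visibility must be either 'all' or 'private'."`, so a caller who mistypes `selected` is steered to the wrong fix; use `error_message = "Visibility must be one of 'all', 'private', or 'selected'."` as the variable module in this same commit does. `sensitive = true` on `plaintext_value` only redacts the value from plan and apply output; it is still written to Terraform state, so the variable description (and the module README) should say that state must be treated as secret, with an encrypted backend and restricted access, whenever `plaintext_value` is used. Leaving `encrypted_value` non-sensitive is reasonable since it is already encrypted to GitHub's public key, but a one-line comment stating that choice would stop it being "fixed" later.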
diff --git a/modules/actions_organization_secrets/versions.tf b/modules/actions_organization_secrets/versions.tf
new file mode 100644
index 0000000..a6a814d
--- /dev/null
+++ b/modules/actions_organization_secrets/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">=1.3.0"
+ required_providers {
+ github = {
+ source = "integrations/github"
+ version = ">= 6.2.3"
+ }
+ }
+}
diff --git a/modules/actions_organization_variable/README.md b/modules/actions_organization_variable/README.md
new file mode 100644
index 0000000..c5b6838
--- /dev/null
+++ b/modules/actions_organization_variable/README.md
@@ -0,0 +1,61 @@ + + + +## Requirements + +| Name | Version | +|------|---------| +| terraform | >=1.3.0 | +| github | >= 6.2.3 | + +## Providers + +| Name | Version | +|------|---------| +| github | >= 6.2.3 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [github_actions_organization_variable.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| selected_repository_ids | An array of repository ids that can access the organization secret. | `list(string)` | `null` | no | +| value | Value of the variable. | `string` | n/a | yes | +| variable_name | Name of the variable. | `string` | n/a | yes | +| visibility | Configures the access that repositories have to the organization variable. Must be one of `all`, `private`, `selected`. | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| created_at | n/a | +| updated_at | n/a | +| value | n/a | +| variable_name | n/a | + + +## Contributing + +Contributions are welcome and appreciated! + +Found an issue or want to request a feature? [Open an issue](TODO) + +Want to fix a bug you found or add some functionality? Fork, clone, commit, push, and PR and we'll check it out. + +If you have any issues or are waiting a long time for a PR to get merged then feel free to ping us at [hello@masterpoint.io](mailto:hello@masterpoint.io). + +## Built By + +[![Masterpoint Logo](https://i.imgur.com/RDLnuQO.png)](https://masterpoint.io) + + + diff --git a/modules/actions_organization_variable/main.tf b/modules/actions_organization_variable/main.tf new file mode 100644 index 0000000..24f1c7f --- /dev/null +++ b/modules/actions_organization_variable/main.tf 
@@ -0,0 +1,6 @@
+resource "github_actions_organization_variable" "this" {
+ variable_name = var.variable_name
+ visibility = var.visibility
+ value = var.value
+ selected_repository_ids = var.selected_repository_ids
+}
diff --git a/modules/actions_organization_variable/outputs.tf b/modules/actions_organization_variable/outputs.tf
new file mode 100644
index 0000000..6a7e8c4
--- /dev/null
+++ b/modules/actions_organization_variable/outputs.tf
@@ -0,0 +1,15 @@
+output "created_at" {
+ value = github_actions_organization_variable.this.created_at
+}
+
+output "updated_at" {
+ value = github_actions_organization_variable.this.updated_at
+}
+
+output "variable_name" {
+ value = github_actions_organization_variable.this.variable_name
+}
+
+output "value" {
+ value = github_actions_organization_variable.this.value
+}
diff --git a/modules/actions_organization_variable/variables.tf b/modules/actions_organization_variable/variables.tf
new file mode 100644
index 0000000..4e1d18b
--- /dev/null
+++ b/modules/actions_organization_variable/variables.tf
@@ -0,0 +1,24 @@
+variable "variable_name" {
+ type = string
+ description = "Name of the variable."
+}
+
+variable "value" {
+ type = string
+ description = "Value of the variable."
+}
+
+variable "visibility" {
+ type = string
+ description = "Configures the access that repositories have to the organization variable. Must be one of `all`, `private`, `selected`."
+ validation {
+ condition = var.visibility == "all" || var.visibility == "private" || var.visibility == "selected"
+ error_message = "Visibility must be one of 'all', 'private', or 'selected'."
+ }
+}
+
+variable "selected_repository_ids" {
+ type = list(string)
+ description = "An array of repository ids that can access the organization secret."
+ default = null
+}
diff --git a/modules/actions_organization_variable/versions.tf b/modules/actions_organization_variable/versions.tf
new file mode 100644
index 0000000..a6a814d
--- /dev/null
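Review bot: `selected_repository_ids` in the new `variables.tf` still describes the secrets module (`"…can access the organization secret."`) although this is the variable module; change it to `description = "An array of repository ids that can access the organization variable."` and regenerate the README table, which carries the same copy-paste. Unlike the secrets module, `value` is deliberately not `sensitive`, which matches GitHub's model of Actions variables as non-secret configuration; a comment on that variable, `# Actions variables are non-secret by design; use the actions_organization_secrets module for anything confidential`, would stop a future contributor from routing credentials through it. The `value` output re-exports the input unchanged, which is fine for non-secret data but worth a one-line note for the same reason.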
+++ b/modules/actions_organization_variable/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">=1.3.0" + required_providers { + github = { + source = "integrations/github" + version = ">= 6.2.3" + } + } +} diff --git a/modules/actions_runner_group/README.md b/modules/actions_runner_group/README.md index 5451bdf..4cd557c 100644 --- a/modules/actions_runner_group/README.md +++ b/modules/actions_runner_group/README.md @@ -35,9 +35,9 @@ No modules. | allows_public_repositories | Whether public repositories can be added to the runner group | `bool` | `null` | no | | name | Name of the runner group | `string` | n/a | yes | | restricted_to_workflows | If true, the runner group will be restricted to running only the workflows specified in the selected_workflows array. Defaults to false. | `bool` | `null` | no | -| selected_repository_ids | IDs of the repositories which should be added to the runner group | `list(string)` | `[]` | no | -| selected_workflows | List of workflows the runner group should be allowed to run. This setting will be ignored unless restricted_to_workflows is set to true. | `list(string)` | `[]` | no | -| visibility | Visibility of a runner group. Whether the runner group can include all, selected, or private repositories. A value of private is not currently supported due to limitations in the GitHub API. | `string` | `null` | no | +| selected_repository_ids | IDs of the repositories which should be added to the runner group | `list(string)` | `null` | no | +| selected_workflows | List of workflows the runner group should be allowed to run. This setting will be ignored unless restricted_to_workflows is set to true. | `list(string)` | `null` | no | +| visibility | Visibility of a runner group. Whether the runner group can include `all`, `selected`, or `private` repositories. A value of private is not currently supported due to limitations in the GitHub API. | `string` | `null` | no | ## Outputs 
diff --git a/modules/actions_runner_group/variables.tf b/modules/actions_runner_group/variables.tf
index 4c6b65a..b8d681c 100644
--- a/modules/actions_runner_group/variables.tf
+++ b/modules/actions_runner_group/variables.tf
@@ -12,19 +12,23 @@ variable "restricted_to_workflows" {
 variable "selected_repository_ids" {
 description = "IDs of the repositories which should be added to the runner group"
 type = list(string)
- default = []
+ default = null
 }
 
 variable "selected_workflows" {
 description = "List of workflows the runner group should be allowed to run. This setting will be ignored unless restricted_to_workflows is set to true."
 type = list(string)
- default = []
+ default = null
 }
 
 variable "visibility" {
- description = "Visibility of a runner group. Whether the runner group can include all, selected, or private repositories. A value of private is not currently supported due to limitations in the GitHub API."
+ description = "Visibility of a runner group. Whether the runner group can include `all`, `selected`, or `private` repositories. A value of private is not currently supported due to limitations in the GitHub API."
 type = string
 default = null
+ validation {
+ condition = can(regex("^(all|selected|private)$", var.visibility)) || var.visibility == null
+ error_message = "visibility must be one of 'all' 'selected' or 'private'"
+ }
 }
 
 variable "allows_public_repositories" {
diff --git a/modules/organization_settings/README.md b/modules/organization_settings/README.md
index e7782c5..4f3f88b 100644
--- a/modules/organization_settings/README.md
+++ b/modules/organization_settings/README.md
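Review bot: The `selected_repository_ids` and `selected_workflows` defaults change from `[]` to `null` here, but the root `variables.tf` added in this same commit keeps `default = []` for the inputs of the same name and makes `visibility` required while this module keeps `default = null`, so the two layers disagree and the root defaults simply mask the module's. Whether the provider treats `null` differently from an empty list on these attributes is not visible in the diff; worth confirming before changing the defaults of a published module. The new `error_message` reads `'all' 'selected' or 'private'`; `error_message = "visibility must be one of 'all', 'selected' or 'private'."` is clearer. The `|| var.visibility == null` clause is needed because `regex()` on `null` errors inside `can()`; a short comment saying so would save the next reader from "simplifying" it away.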
@@ -26,6 +26,7 @@ No modules. | Name | Type | |------|------| +| [github_actions_organization_oidc_subject_claim_customization_template.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_oidc_subject_claim_customization_template) | resource | | [github_organization_settings.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/organization_settings) | resource | ## Inputs @@ -54,6 +55,7 @@ No modules. | members_can_create_repositories | Whether or not organization members can create new repositories. Defaults to true. | `bool` | `null` | no | | members_can_fork_private_repositories | Whether or not organization members can fork private repositories. Defaults to false. | `bool` | `null` | no | | name | The name for the organization. | `string` | `null` | no | +| oidc_subject_include_claim_keys | A list of claim keys to include in the OIDC subject claim customization template. | `list(string)` | `null` | no | | secret_scanning_enabled_for_new_repositories | Whether or not secret scanning is enabled for new repositories. Defaults to false. | `bool` | `null` | no | | secret_scanning_push_protection_enabled_for_new_repositories | Whether or not secret scanning push protection is enabled for new repositories. Defaults to false. | `bool` | `null` | no | | twitter_username | The Twitter username for the organization. | `string` | `null` | no | diff --git a/modules/organization_settings/main.tf b/modules/organization_settings/main.tf index 8aaaf73..a30471f 100644 --- a/modules/organization_settings/main.tf +++ b/modules/organization_settings/main.tf 
@@ -26,3 +26,13 @@ resource "github_organization_settings" "this" {
 secret_scanning_enabled_for_new_repositories = var.secret_scanning_enabled_for_new_repositories
 secret_scanning_push_protection_enabled_for_new_repositories = var.secret_scanning_push_protection_enabled_for_new_repositories
 }
+
+resource "github_actions_organization_oidc_subject_claim_customization_template" "this" {
+ include_claim_keys = var.oidc_subject_include_claim_keys
+}
+
+variable "oidc_subject_include_claim_keys" {
+ type = list(string)
+ description = "A list of claim keys to include in the OIDC subject claim customization template."
+ default = null
+}
diff --git a/modules/organization_settings/outputs.tf b/modules/organization_settings/outputs.tf
index 51fa0a1..6b6d0bd 100644
--- a/modules/organization_settings/outputs.tf
+++ b/modules/organization_settings/outputs.tf
@@ -1,4 +1,4 @@
 output "id" {
 description = "The ID of the organization settings."
- value = github_organization_setting.this.id
+ value = github_organization_settings.this.id
 }
diff --git a/outputs.tf b/outputs.tf
index c44df14..8b13789 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,4 +1 @@
-output "random_pet_name" {
- description = "The generated random pet name"
- value = random_pet.template.id
-}
+
diff --git a/variables.tf b/variables.tf
index 6348a57..96bea9e 100644
--- a/variables.tf
+++ b/variables.tf
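Review bot: The new `github_actions_organization_oidc_subject_claim_customization_template` resource is created unconditionally while `oidc_subject_include_claim_keys` defaults to `null`, so every consumer of this module now manages the organization-wide OIDC subject template even if they never set it, and if the provider requires `include_claim_keys` (its documentation lists it as required, as far as I can tell) the default fails at plan or apply. Because this template shapes the `sub` claim that cloud-side trust policies match against, an unintended empty or changed template can break or loosen federated access for every workflow in the organization, so the resource should be opt-in: `count = var.oidc_subject_include_claim_keys == null ? 0 : 1`, with references updated to `[0]` where needed. The variable block belongs in the module's `variables.tf` with its siblings rather than in `main.tf`, and its description should say that the keys apply organization-wide unless a repository overrides them.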
@@ -1,5 +1,241 @@
-variable "length" {
- description = "The length of the random name"
- type = number
- default = 2
+################################
+# GitHub Organization Settings #
+################################
+
+variable "billing_email" {
+ description = "The billing email address for the organization."
+ type = string
+}
+
+variable "company" {
+ description = "The company name for the organization."
+ type = string
+ default = null
+}
+
+variable "blog" {
+ description = "The blog URL for the organization."
+ type = string
+ default = null
+}
+
+variable "email" {
+ description = "The email address for the organization."
+ type = string
+ default = null
+}
+
+variable "twitter_username" {
+ description = "The Twitter username for the organization."
+ type = string
+ default = null
+}
+
+variable "location" {
+ description = "The location for the organization."
+ type = string
+ default = null
+}
+
+variable "organization_name" {
+ description = "The name for the organization."
+ type = string
+ default = null
+}
+
+variable "description" {
+ description = "The description for the organization."
+ type = string
+ default = null
+}
+
+variable "has_organization_projects" {
+ description = "Whether or not organization projects are enabled for the organization."
+ type = bool
+ default = null
+}
+
+variable "has_repository_projects" {
+ description = "Whether or not repository projects are enabled for the organization."
+ type = bool
+ default = null
+}
+
+variable "default_repository_permission" {
+ description = "The default permission for organization members to create new repositories. Can be one of read, write, admin, or none. Defaults to read."
+ type = string
+ default = null
+}
+
+variable "members_can_create_repositories" {
+ description = "Whether or not organization members can create new repositories. Defaults to true."
+ type = bool
+ default = null
+}
+
+variable "members_can_create_public_repositories" {
+ description = "Whether or not organization members can create new public repositories. Defaults to true."
+ type = bool
+ default = null
+}
+
+variable "members_can_create_private_repositories" {
+ description = "Whether or not organization members can create new private repositories. Defaults to true."
+ type = bool
+ default = null
+}
+
+variable "members_can_create_internal_repositories" {
+ description = "Whether or not organization members can create new internal repositories. For Enterprise Organizations only."
+ type = bool
+ default = null
+}
+
+variable "members_can_create_pages" {
+ description = "Whether or not organization members can create new pages. Defaults to true."
+ type = bool
+ default = null
+}
+
+variable "members_can_create_public_pages" {
+ description = "Whether or not organization members can create new public pages. Defaults to true."
+ type = bool
+ default = null
+}
+
+variable "members_can_create_private_pages" {
+ description = "Whether or not organization members can create new private pages. Defaults to true."
+ type = bool
+ default = null
+}
+
+variable "members_can_fork_private_repositories" {
+ description = "Whether or not organization members can fork private repositories. Defaults to false."
+ type = bool
+ default = null
+}
+
+variable "web_commit_signoff_required" {
+ description = "Whether or not commit signatures are required for commits to the organization. Defaults to false."
+ type = bool
+ default = null
+}
+
+variable "advanced_security_enabled_for_new_repositories" {
+ description = "Whether or not advanced security is enabled for new repositories. Defaults to false."
+ type = bool
+ default = null
+}
+
+variable "dependabot_alerts_enabled_for_new_repositories" {
+ description = "Whether or not dependabot alerts are enabled for new repositories. Defaults to false."
+ type = bool
+ default = null
+}
+
+variable "dependabot_security_updates_enabled_for_new_repositories" {
+ description = "Whether or not dependabot security updates are enabled for new repositories. Defaults to false."
+ type = bool
+ default = null
+}
+
+variable "dependency_graph_enabled_for_new_repositories" {
+ description = "Whether or not dependency graph is enabled for new repositories. Defaults to false."
+ type = bool
+ default = null
+}
+
+variable "secret_scanning_enabled_for_new_repositories" {
+ description = "Whether or not secret scanning is enabled for new repositories. Defaults to false."
+ type = bool
+ default = null
+}
+
+variable "secret_scanning_push_protection_enabled_for_new_repositories" {
+ description = "Whether or not secret scanning push protection is enabled for new repositories. Defaults to false."
+ type = bool
+ default = null
+}
+
+###############################
+# GitHub Actions Runner Group #
+###############################
+
+variable "runner_group_name" {
+ description = "Name of the runner group"
+ type = string
+}
+
+variable "restricted_to_workflows" {
+ description = "If true, the runner group will be restricted to running only the workflows specified in the selected_workflows array. Defaults to false."
+ type = bool
+ default = null
+}
+
+variable "selected_repository_ids" {
+ description = "IDs of the repositories which should be added to the runner group"
+ type = list(string)
+ default = []
+}
+
+variable "selected_workflows" {
+ description = "List of workflows the runner group should be allowed to run. This setting will be ignored unless restricted_to_workflows is set to true."
+ type = list(string)
+ default = []
+}
+
+variable "visibility" {
+ description = "Visibility of a runner group. Whether the runner group can include `all`, `selected`, or `private` repositories. A value of private is not currently supported due to limitations in the GitHub API."
+ type = string
+ validation {
+ condition = can(regex("^(all|selected|private)$", var.visibility))
+ error_message = "visibility must be one of 'all' 'selected' or 'private'"
+ }
+}
+
+variable "allows_public_repositories" {
+ description = "Whether public repositories can be added to the runner group"
+ type = bool
+ default = null
+}
+
+#################
+# Blocked users #
+#################
+
+variable "blocked_usernames" {
+ type = list(string)
+ description = "A list of usernames to block from your GitHub organization."
+ default = []
+}
+
+#########################
+# Actions runner groups #
+#########################
+
+variable "actions_runner_groups" {
+ type = map(object({
+ restricted_to_workflows = optional(list(string))
+ selected_repository_ids = optional(list(string))
+ selected_workflows = optional(list(string))
+ visibility = optional(string)
+ allows_public_repositories = optional(bool)
+ }))
+ description = "A map of actions runner groups to create in your GitHub organization. Map key is the name of the runner group."
+ default = {}
+}
+
+################################
+# Organization actions secrets #
+################################
+
+variable "organization_secrets" {
+ description = "A map of organization secrets to create. The map key is the secret name."
+ type = map(object({
+ encrypted_value = optional(string)
+ plaintext_value = optional(string)
+ visibility = string
+ selected_repository_ids = optional(list(string))
+ }))
+ default = {}
 }
diff --git a/versions.tf b/versions.tf
index 0cf661c..6964268 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,10 +1,3 @@
 terraform {
- required_version = ">= 1.0"
-
- required_providers {
- random = {
- source = "hashicorp/random"
- version = ">= 3.0"
- }
- }
+ required_version = ">= 1.3"
 }
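Review bot: `organization_secrets` carries a `plaintext_value` for every secret, but the root variable is not `sensitive`, so while the child module redacts its own `plaintext_value`, the value is in the clear anywhere the root module handles the map (for example in a `terraform console` session or a root `local` derived from it). Marking the whole map `sensitive = true` is not an option because `main.tf` uses it as a `for_each` source and Terraform rejects sensitive `for_each` values, so the safer shape is to keep this map non-secret, accept plaintext through a separate `sensitive = true` `map(string)` keyed by secret name and pass it with `lookup(...)` in the module call, or to accept only `encrypted_value` at the root; either way the variable description should state where plaintext is and is not redacted. In `actions_runner_groups`, `restricted_to_workflows = optional(list(string))` does not match the `bool` the runner-group module declares; it should read `restricted_to_workflows = optional(bool)`. The flat runner-group inputs above it (`runner_group_name`, `restricted_to_workflows`, `selected_repository_ids`, `selected_workflows`, `visibility`, `allows_public_repositories`) duplicate what the map already expresses and make `runner_group_name` mandatory even for consumers who only use the map; consider dropping them once `main.tf` reads from `each.value`.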