feat(actions variables): adds organization_secrets, organization_variable, adds root module configuration for one-time resources to add to organization

.gitignore

@@ -1,6 +1,7 @@
 # Ignore override files as they are usually used to override resources locally
 *override.tf
 *override.tf.json
+providers.tf
 
 # .tfstate files
 *.tfstate
@@ -39,4 +40,5 @@ backend.tf.json
 **/*.temp
 **/*.bak
 **/*.*swp
-**/.DS_Store
+**/.DS_Store
+.terraform.lock.hcl

README.md

@@ -15,36 +15,63 @@ TODO
 
 | Name | Version |
 |------|---------|
-| terraform | >= 1.0 |
-| random | >= 3.0 |
+| terraform | >= 1.3 |
 
 ## Providers
 
-| Name | Version |
-|------|---------|
-| random | >= 3.0 |
+No providers.
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| actions_runner_group | ./modules/actions_runner_group | n/a |
+| organization_settings | ./modules/organization_settings | n/a |
 
 ## Resources
 
-| Name | Type |
-|------|------|
-| [random_pet.template](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+No resources.
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| length | The length of the random name | `number` | `2` | no |
+| advanced_security_enabled_for_new_repositories | Whether or not advanced security is enabled for new repositories. Defaults to false. | `bool` | `null` | no |
+| allows_public_repositories | Whether public repositories can be added to the runner group | `bool` | `null` | no |
+| billing_email | The billing email address for the organization. | `string` | n/a | yes |
+| blog | The blog URL for the organization. | `string` | `null` | no |
+| company | The company name for the organization. | `string` | `null` | no |
+| default_repository_permission | The default permission for organization members to create new repositories. Can be one of read, write, admin, or none. Defaults to read. | `string` | `null` | no |
+| dependabot_alerts_enabled_for_new_repositories | Whether or not dependabot alerts are enabled for new repositories. Defaults to false. | `bool` | `null` | no |
+| dependabot_security_updates_enabled_for_new_repositories | Whether or not dependabot security updates are enabled for new repositories. Defaults to false. | `bool` | `null` | no |
+| dependency_graph_enabled_for_new_repositories | Whether or not dependency graph is enabled for new repositories. Defaults to false. | `bool` | `null` | no |
+| description | The description for the organization. | `string` | `null` | no |
+| email | The email address for the organization. | `string` | `null` | no |
+| has_organization_projects | Whether or not organization projects are enabled for the organization. | `bool` | `null` | no |
+| has_repository_projects | Whether or not repository projects are enabled for the organization. | `bool` | `null` | no |
+| location | The location for the organization. | `string` | `null` | no |
+| members_can_create_internal_repositories | Whether or not organization members can create new internal repositories. For Enterprise Organizations only. | `bool` | `null` | no |
+| members_can_create_pages | Whether or not organization members can create new pages. Defaults to true. | `bool` | `null` | no |
+| members_can_create_private_pages | Whether or not organization members can create new private pages. Defaults to true. | `bool` | `null` | no |
+| members_can_create_private_repositories | Whether or not organization members can create new private repositories. Defaults to true. | `bool` | `null` | no |
+| members_can_create_public_pages | Whether or not organization members can create new public pages. Defaults to true. | `bool` | `null` | no |
+| members_can_create_public_repositories | Whether or not organization members can create new public repositories. Defaults to true. | `bool` | `null` | no |
+| members_can_create_repositories | Whether or not organization members can create new repositories. Defaults to true. | `bool` | `null` | no |
+| members_can_fork_private_repositories | Whether or not organization members can fork private repositories. Defaults to false. | `bool` | `null` | no |
+| organization_name | The name for the organization. | `string` | `null` | no |
+| restricted_to_workflows | If true, the runner group will be restricted to running only the workflows specified in the selected_workflows array. Defaults to false. | `bool` | `null` | no |
+| runner_group_name | Name of the runner group | `string` | n/a | yes |
+| secret_scanning_enabled_for_new_repositories | Whether or not secret scanning is enabled for new repositories. Defaults to false. | `bool` | `null` | no |
+| secret_scanning_push_protection_enabled_for_new_repositories | Whether or not secret scanning push protection is enabled for new repositories. Defaults to false. | `bool` | `null` | no |
+| selected_repository_ids | IDs of the repositories which should be added to the runner group | `list(string)` | `[]` | no |
+| selected_workflows | List of workflows the runner group should be allowed to run. This setting will be ignored unless restricted_to_workflows is set to true. | `list(string)` | `[]` | no |
+| twitter_username | The Twitter username for the organization. | `string` | `null` | no |
+| visibility | Visibility of a runner group. Whether the runner group can include `all`, `selected`, or `private` repositories. A value of private is not currently supported due to limitations in the GitHub API. | `string` | n/a | yes |
+| web_commit_signoff_required | Whether or not commit signatures are required for commits to the organization. Defaults to false. | `bool` | `null` | no |
 
 ## Outputs
 
-| Name | Description |
-|------|-------------|
-| random_pet_name | The generated random pet name |
+No outputs.
 
 
 ## Contributing

main.tf

@@ -1,3 +1,140 @@
-resource "random_pet" "template" {
-  length = var.length
+module "organization_settings" {
+  source = "./modules/organization_settings"
+
+  billing_email                                                = var.billing_email
+  company                                                      = var.company
+  blog                                                         = var.blog
+  email                                                        = var.email
+  twitter_username                                             = var.twitter_username
+  location                                                     = var.location
+  name                                                         = var.organization_name
+  description                                                  = var.description
+  has_organization_projects                                    = var.has_organization_projects
+  has_repository_projects                                      = var.has_repository_projects
+  default_repository_permission                                = var.default_repository_permission
+  members_can_create_repositories                              = var.members_can_create_repositories
+  members_can_create_public_repositories                       = var.members_can_create_public_repositories
+  members_can_create_private_repositories                      = var.members_can_create_private_repositories
+  members_can_create_internal_repositories                     = var.members_can_create_internal_repositories
+  members_can_create_pages                                     = var.members_can_create_pages
+  members_can_create_public_pages                              = var.members_can_create_public_pages
+  members_can_create_private_pages                             = var.members_can_create_private_pages
+  members_can_fork_private_repositories                        = var.members_can_fork_private_repositories
+  web_commit_signoff_required                                  = var.web_commit_signoff_required
+  advanced_security_enabled_for_new_repositories               = var.advanced_security_enabled_for_new_repositories
+  dependabot_alerts_enabled_for_new_repositories               = var.dependabot_alerts_enabled_for_new_repositories
+  dependabot_security_updates_enabled_for_new_repositories     = var.dependabot_security_updates_enabled_for_new_repositories
+  dependency_graph_enabled_for_new_repositories                = var.dependency_graph_enabled_for_new_repositories
+  secret_scanning_enabled_for_new_repositories                 = var.secret_scanning_enabled_for_new_repositories
+  secret_scanning_push_protection_enabled_for_new_repositories = var.secret_scanning_push_protection_enabled_for_new_repositories
+}
+
+module "actions_runner_group" {
+  source   = "./modules/actions_runner_group"
+  for_each = var.actions_runner_groups
+
+  name                       = var.runner_group_name
+  restricted_to_workflows    = var.restricted_to_workflows
+  selected_repository_ids    = var.selected_repository_ids
+  selected_workflows         = var.selected_workflows
+  visibility                 = var.visibility
+  allows_public_repositories = var.allows_public_repositories
+}
+
+module "organization_block" {
+  source   = "./modules/organization_block"
+  for_each = toset(var.blocked_usernames)
+
+  username = each.value
+}
+
+module "organization_ruleset" {
+  for_each = var.organization_rulesets
+}
+
+variable "organization_rulesets" {
+  description = "A map of organization rulesets to create. The map key is the name of the ruleset."
+  type = map(object({
+    enforcement = string
+    rules = list(object({
+      # Enterprise only! Use `conditions` block for matching branches.
+      branch_name_pattern = optional(list(object({
+        operator = string
+        pattern  = string
+        name     = optional(string)
+        negate   = optional(bool)
+      })), [])
+      # Enterprise only!
+      commit_author_email_pattern = optional(list(object({
+        operator = string
+        pattern  = string
+        name     = optional(string)
+        negate   = optional(bool)
+      })), [])
+      # Enterprise only!
+      commit_message_pattern = optional(list(object({
+        operator = string
+        pattern  = string
+        name     = optional(string)
+        negate   = optional(bool)
+      })), [])
+      # Enterprise only!
+      committer_email_pattern = optional(list(object({
+        operator = string
+        pattern  = string
+        name     = optional(string)
+        negate   = optional(bool)
+      })), [])
+      creation         = optional(bool)
+      deletion         = optional(bool)
+      non_fast_forward = optional(bool)
+      pull_request = optional(list(object({
+        dismiss_stale_reviews_on_push     = optional(bool)
+        require_code_owner_review         = optional(bool)
+        require_last_push_approval        = optional(bool)
+        required_approving_review_count   = optional(number)
+        required_review_thread_resolution = optional(bool)
+      })), [])
+      required_linear_history = optional(bool)
+      required_signatures     = optional(bool)
+      required_status_checks = optional(list(object({
+        required_check = list(object({
+          context        = string
+          integration_id = optional(number)
+        }))
+        strict_required_status_checks_policy = optional(bool)
+      })), [])
+      required_workflows = optional(list(object({
+        required_workflow = list(object({
+          repository_id = number
+          path          = string
+          ref           = optional(string)
+        }))
+      })), [])
+      tag_name_pattern = optional(list(object({
+        operator = string
+        pattern  = string
+        name     = optional(string)
+        negate   = optional(bool)
+      })), [])
+      update = optional(bool)
+    }))
+    target = string
+    bypass_actors = optional(list(object({
+      actor_id    = number
+      actor_type  = string
+      bypass_mode = optional(string)
+    })), [])
+  }))
+}
+
+module "organization_secret" {
+  source   = "./modules/actions_organization_secrets"
+  for_each = var.organization_secrets
+
+  secret_name             = each.key
+  encrypted_value         = each.value.encrypted_value
+  plaintext_value         = each.value.plaintext_value
+  visibility              = each.value.visibility
+  selected_repository_ids = each.value.selected_repository_ids
 }

modules/actions_organization_secrets/README.md

@@ -0,0 +1,60 @@
+<!-- BEGIN_TF_DOCS -->
+<!-- prettier-ignore-start -->
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >=1.3.0 |
+| github | >= 6.2.3 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| github | >= 6.2.3 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [github_actions_organization_secret.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_secret) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| encrypted_value | Encrypted value of the secret using the GitHub public key in Base64 format. | `string` | `null` | no |
+| plaintext_value | Plaintext value of the secret to be encrypted. | `string` | `null` | no |
+| secret_name | Name of the secret. | `string` | n/a | yes |
+| selected_repository_ids | An array of repository ids that can access the organization secret. | `list(string)` | `null` | no |
+| visibility | Configures the access that repositories have to the organization secret. Must be one of `all`, `private`, `selected`. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| created_at | n/a |
+| updated_at | n/a |
+
+
+## Contributing
+
+Contributions are welcome and appreciated!
+
+Found an issue or want to request a feature? [Open an issue](TODO)
+
+Want to fix a bug you found or add some functionality? Fork, clone, commit, push, and PR and we'll check it out.
+
+If you have any issues or are waiting a long time for a PR to get merged then feel free to ping us at [hello@masterpoint.io](mailto:hello@masterpoint.io).
+
+## Built By
+
+[![Masterpoint Logo](https://i.imgur.com/RDLnuQO.png)](https://masterpoint.io)
+
+<!-- prettier-ignore-end -->
+<!-- END_TF_DOCS -->

modules/actions_organization_secrets/main.tf

@@ -0,0 +1,7 @@
+resource "github_actions_organization_secret" "this" {
+  secret_name             = var.secret_name
+  encrypted_value         = var.encrypted_value
+  plaintext_value         = var.plaintext_value
+  visibility              = var.visibility
+  selected_repository_ids = var.selected_repository_ids
+}

modules/actions_organization_secrets/outputs.tf

@@ -0,0 +1,6 @@
+output "created_at" {
+  value = github_actions_organization_secret.this.created_at
+}
+output "updated_at" {
+  value = github_actions_organization_secret.this.updated_at
+}

modules/actions_organization_secrets/variables.tf

@@ -0,0 +1,32 @@
+variable "secret_name" {
+  type        = string
+  description = "Name of the secret."
+}
+
+variable "encrypted_value" {
+  type        = string
+  description = "Encrypted value of the secret using the GitHub public key in Base64 format."
+  default     = null
+}
+
+variable "plaintext_value" {
+  type        = string
+  description = "Plaintext value of the secret to be encrypted."
+  sensitive   = true
+  default     = null
+}
+
+variable "visibility" {
+  type        = string
+  description = "Configures the access that repositories have to the organization secret. Must be one of `all`, `private`, `selected`."
+  validation {
+    condition     = var.visibility == "all" || var.visibility == "private" || var.visibility == "selected"
+    error_message = "Visibility must be either 'all' or 'private'."
+  }
+}
+
+variable "selected_repository_ids" {
+  type        = list(string)
+  description = "An array of repository ids that can access the organization secret."
+  default     = null
+}

modules/actions_organization_secrets/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">=1.3.0"
+  required_providers {
+    github = {
+      source  = "integrations/github"
+      version = ">= 6.2.3"
+    }
+  }
+}