Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions modules/repository/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
This module creates following resources.

- `github_repository`
- `github_repository_vulnerability_alerts`
- `github_repository_collaborator` (optional)
- `github_repository_collaborators` (optional)
- `github_repository_custom_property` (optional)
Expand Down Expand Up @@ -49,6 +50,7 @@ This module creates following resources.
| [github_repository_deploy_key.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_deploy_key) | resource |
| [github_repository_file.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |
| [github_repository_topics.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_topics) | resource |
| [github_repository_vulnerability_alerts.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_vulnerability_alerts) | resource |
| [github_team_repository.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/team_repository) | resource |

## Inputs
Expand All @@ -66,7 +68,7 @@ This module creates following resources.
| <a name="input_deploy_keys"></a> [deploy\_keys](#input\_deploy\_keys) | (Optional) A list of deploy keys to grant access to the repository. A deploy key is a SSH key. Each item of `deploy_keys` block as defined below.<br/> (Optional) `name` - A name of deploy key.<br/> (Required) `key` - A SSH key. Begins with 'ssh-rsa', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521', 'ssh-ed25519', 'sk-ecdsa-sha2-nistp256@openssh.com', or 'sk-ssh-ed25519@openssh.com'.<br/> (Optional) `writable` - Whether to allow write access to the repository. The key can be used to push to the repository if enabled. Defaults to `false`. | <pre>list(object({<br/> name = optional(string)<br/> key = string<br/> writable = optional(bool, false)<br/> }))</pre> | `[]` | no |
| <a name="input_description"></a> [description](#input\_description) | (Optional) A description of the repository. | `string` | `"Managed by Terraform."` | no |
| <a name="input_environments"></a> [environments](#input\_environments) | (Optional) A list of environments for the repository. Each item of `environments` block as defined below.<br/> (Required) `name` - The name of the environment.<br/> (Optional) `wait_timer` - The amount of time in minutes to wait before allowing deployments to proceed. The default value is `0`.<br/> (Optional) `allow_admin_to_bypass` - Whether to allow admins to bypass the wait timer and deployment review. The default value is `true`.<br/> (Optional) `allow_self_approval` - Whether to allow users to approve their own deployment. The default value is `false`.<br/> (Optional) `reviewers` - A list of reviewers who may review jobs that reference the environment. Each item of `reviewers` block as defined below.<br/> (Required) `type` - The type of the reviewer. Valid values are `USER` or `TEAM`.<br/> (Required) `name` - The name of the reviewer. For a user reviewer, the value should be the user's username. For a team reviewer, the value should be the team's slug.<br/> (Optional) `deployment_policy` - A configuration for deployment policy of the environment. `deployment_policy` block as defined below.<br/> (Optional) `restriction` - The type of deployment restriction. Valid values are `NONE`, `PROTECTED_BRANCH`, or `CUSTOM`. Defaults to `NONE`.<br/> (Optional) `branches` - A set of branch name patterns to restrict deployments to when the restriction type is `CUSTOM`.<br/> (Optional) `tags` - A set of tag name patterns to restrict deployments to when the restriction type is `CUSTOM`.<br/> (Optional) `variables` - A map of GitHub Actions variables to set for the environment. Defaults to `{}`.<br/> (Optional) `secrets` - A map of GitHub Actions secrets to set for the environment. Defaults to `{}`. | <pre>list(object({<br/> name = string<br/> wait_timer = optional(number, 0)<br/> allow_admin_to_bypass = optional(bool, true)<br/> allow_self_approval = optional(bool, false)<br/><br/> reviewers = optional(list(object({<br/> type = string<br/> name = string<br/> })), [])<br/> deployment_policy = optional(object({<br/> restriction = optional(string, "NONE")<br/> branches = optional(set(string), [])<br/> tags = optional(set(string), [])<br/> }), {})<br/><br/> variables = optional(map(string), {})<br/> secrets = optional(map(string), {})<br/> }))</pre> | `[]` | no |
| <a name="input_features"></a> [features](#input\_features) | (Optional) A list of enabled features on the repository. Available features: `DISCUSSIONS`, `ISSUES`, `PROJECTS`, `WIKI`. Defaults to `["ISSUES"]` | `set(string)` | <pre>[<br/> "ISSUES"<br/>]</pre> | no |
| <a name="input_features"></a> [features](#input\_features) | (Optional) A list of enabled features on the repository. Available features: `DEPENDABOT_ALERTS`, `DISCUSSIONS`, `ISSUES`, `PROJECTS`, `WIKI`. `DEPENDABOT_ALERTS` enables Dependabot alerts for vulnerable dependencies. Defaults to `["ISSUES"]` | `set(string)` | <pre>[<br/> "ISSUES"<br/>]</pre> | no |
| <a name="input_files"></a> [files](#input\_files) | (Optional) A list of files to create and manage within the repository. Each item of `files` block as defined below.<br/> (Required) `file` - A `file` block as defined below.<br/> (Required) `path` - The path of the file to manage.<br/> (Required) `content` - The file content.<br/> (Optional) `commit` - A `commit` block as defined below.<br/> (Optional) `author` - Committer author name to use. NOTE: GitHub app users may omit author and email information so GitHub can verify commits as the GitHub App. This maybe useful when a branch protection rule requires signed commits.<br/> (Optional) `email` - Committer email address to use. NOTE: GitHub app users may omit author and email information so GitHub can verify commits as the GitHub App. This may be useful when a branch protection rule requires signed commits.<br/> (Optional) `message` - The commit message when creating, updating or deleting the managed file. Defaults to `chore: managed by Terraform.`.<br/> (Optional) `overwrite_on_create` - Enable overwriting existing files. If set to true it will overwrite an existing file with the same name. If set to false it will fail if there is an existing file with the same name. Defaults to `true`. | <pre>list(object({<br/> file = object({<br/> path = string<br/> content = string<br/> })<br/> commit = optional(object({<br/> author = optional(string)<br/> email = optional(string)<br/> message = optional(string, "chore: managed by Terraform.")<br/> }), {})<br/> overwrite_on_create = optional(bool, true)<br/> }))</pre> | `[]` | no |
| <a name="input_homepage"></a> [homepage](#input\_homepage) | (Optional) A URL of website describing the repository. | `string` | `""` | no |
| <a name="input_is_template"></a> [is\_template](#input\_is\_template) | (Optional) Whether this is a template repository. Defaults to `false`. | `bool` | `false` | no |
Expand All @@ -76,7 +78,6 @@ This module creates following resources.
| <a name="input_template"></a> [template](#input\_template) | (Optional) Use a template repository, license or gitignore to create the repository.this resource. `template` block as defined below.<br/> (Optional) `gitignore` - Choose which files not to track from a list of templates. Use the name of the template without the extension. For example, `Haskell`.<br/> (Optional) `init_readme` - Whether to produce an initial commit with README.md in the repository. Defaults to `false`.<br/> (Optional) `license` - A license tells others what they can and can't do with your code. Use the name of the license template without the extension. For example, `mit` or `mpl-2.0`.<br/> (Optional) `repository` - Start this repository with a template repository's contents. The full name of the repository is required. A string of the form `owner/repository`. | <pre>object({<br/> gitignore = optional(string)<br/> init_readme = optional(bool, false)<br/> license = optional(string)<br/> repository = optional(string)<br/> })</pre> | `{}` | no |
| <a name="input_topics"></a> [topics](#input\_topics) | (Optional) A list of topics for the repository. | `set(string)` | `[]` | no |
| <a name="input_visibility"></a> [visibility](#input\_visibility) | (Optional) Can be `public`, `private` or `internal`. `internal` visibility is only available if your organization is associated with an enterprise account using GitHub Enterprise Cloud or GitHub Enterprise Server 2.20+. | `string` | `"private"` | no |
| <a name="input_vulnerability_alerts"></a> [vulnerability\_alerts](#input\_vulnerability\_alerts) | (Optional) Set to true to enable security alerts for vulnerable dependencies. Enabling requires alerts to be enabled on the owner level. GitHub enables the alerts on public repos but disables them on private repos by default. | `bool` | `false` | no |

## Outputs

Expand Down Expand Up @@ -109,5 +110,4 @@ This module creates following resources.
| <a name="output_topics"></a> [topics](#output\_topics) | A list of topics for the repository. |
| <a name="output_url"></a> [url](#output\_url) | The URL of the repository. |
| <a name="output_visibility"></a> [visibility](#output\_visibility) | The visibility of the repository. Can be `public`, `private` or `internal`. |
| <a name="output_vulnerability_alerts"></a> [vulnerability\_alerts](#output\_vulnerability\_alerts) | Whether the security alerts are enabled for vulnerable dpendencies. |
<!-- END_TF_DOCS -->
13 changes: 11 additions & 2 deletions modules/repository/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ locals {
# INFO: Use a separate resource
# - `topics`
# - `default_branch`
# - `vulnerability_alerts`
resource "github_repository" "this" {
name = var.name
description = var.description
Expand All @@ -28,8 +29,6 @@ resource "github_repository" "this" {
archived = var.archived
archive_on_destroy = var.archive_on_destroy

vulnerability_alerts = var.vulnerability_alerts


## Template
is_template = var.is_template
Expand Down Expand Up @@ -107,6 +106,16 @@ resource "github_repository" "this" {
}


###################################################
# Vulnerability Alerts for GitHub Repository
###################################################

resource "github_repository_vulnerability_alerts" "this" {
repository = github_repository.this.name
enabled = contains(var.features, "DEPENDABOT_ALERTS")
}
Comment on lines +113 to +116

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The github_repository_vulnerability_alerts resource in the GitHub provider does not support an enabled argument. To conditionally enable or disable vulnerability alerts, you should use the count meta-argument to conditionally create the resource based on var.vulnerability_alerts.

resource "github_repository_vulnerability_alerts" "this" {
  count      = var.vulnerability_alerts ? 1 : 0
  repository = github_repository.this.name
}



###################################################
# Custom Properties for GitHub Repository
###################################################
Expand Down
5 changes: 0 additions & 5 deletions modules/repository/outputs.tf
Original file line number Diff line number Diff line change
Expand Up @@ -170,11 +170,6 @@ output "files" {
}
}

output "vulnerability_alerts" {
description = "Whether the security alerts are enabled for vulnerable dpendencies."
value = github_repository.this.vulnerability_alerts
}

output "deploy_keys" {
description = "A map of deploy keys granted access to the repository."
value = {
Expand Down
13 changes: 3 additions & 10 deletions modules/repository/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ variable "template" {

variable "features" {
description = <<EOF
(Optional) A list of enabled features on the repository. Available features: `DISCUSSIONS`, `ISSUES`, `PROJECTS`, `WIKI`. Defaults to `["ISSUES"]`
(Optional) A list of enabled features on the repository. Available features: `DEPENDABOT_ALERTS`, `DISCUSSIONS`, `ISSUES`, `PROJECTS`, `WIKI`. `DEPENDABOT_ALERTS` enables Dependabot alerts for vulnerable dependencies. Defaults to `["ISSUES"]`
EOF
type = set(string)
default = ["ISSUES"]
Expand All @@ -77,9 +77,9 @@ variable "features" {
validation {
condition = alltrue([
for feature in var.features :
contains(["DISCUSSIONS", "ISSUES", "PROJECTS", "WIKI"], feature)
contains(["DEPENDABOT_ALERTS", "DISCUSSIONS", "ISSUES", "PROJECTS", "WIKI"], feature)
])
error_message = "Available features: `DISCUSSIONS`, `ISSUES`, `PROJECTS`, `WIKI`."
error_message = "Available features: `DEPENDABOT_ALERTS`, `DISCUSSIONS`, `ISSUES`, `PROJECTS`, `WIKI`."
}
}

Expand Down Expand Up @@ -304,13 +304,6 @@ variable "files" {
nullable = false
}

variable "vulnerability_alerts" {
description = "(Optional) Set to true to enable security alerts for vulnerable dependencies. Enabling requires alerts to be enabled on the owner level. GitHub enables the alerts on public repos but disables them on private repos by default."
type = bool
default = false
nullable = false
}

variable "deploy_keys" {
description = <<EOF
(Optional) A list of deploy keys to grant access to the repository. A deploy key is a SSH key. Each item of `deploy_keys` block as defined below.
Expand Down
Loading