This module is a Boldlink opinionated structure adapted to our internal requirements for creating organization repositories. This template creates your custom Github repository, team repositories allowing to configure access, branches and branches protection
- Option to create additional branches when creating the repository.
- Option to set a different branch as your default.
- You get to configure branch protection for your default branch using either
github_branch_protectionorgithub_branch_protection_v3. - Option to create new issue labels for your repository.
- Using this module, you are able to create and manage github action secrets for your repository.
- All github actions secrets are encrypted in conformance with security best practices
- Default configurations have been validated by Checkov to ensure best practices and security.
We use sodium_encrypted_item to encrypt all the secrets being created. This requires the repository's github_actions_public_key and the secret string encoded with base64.
NOTE Both github_branch_protection_v3.main and github_branch_protection.main require an upgrade to github team/enterprise, or the repository to be made public.
Examples available here
NOTE: Github provider is currently locked to version 5.8.0 in the examples as it is the highest stable version that didn't break when we did tests.
NOTE: These examples use the latest version of this module
module "minimum" {
source = "boldlink/repository/github"
name = "example-minimum"
description = "Terraform sample github repository "
}
Terraform module documentation
| Name | Version |
|---|---|
| terraform | >= 0.14.11 |
| github | >= 4.24.1 |
| sodium | 0.0.3 |
| Name | Version |
|---|---|
| github | 5.23.0 |
| sodium | 0.0.3 |
No modules.
| Name | Type |
|---|---|
| github_actions_secret.main | resource |
| github_branch.branch | resource |
| github_branch.default | resource |
| github_branch_default.default | resource |
| github_branch_protection.main | resource |
| github_branch_protection_v3.main | resource |
| github_issue_label.main | resource |
| github_repository.main | resource |
| github_team_repository.main | resource |
| github_actions_public_key.main | data source |
| sodium_encrypted_item.main | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allow_auto_merge | (Optional) Set to true to allow auto-merging pull requests on the repository. | bool |
true |
no |
| allow_merge_commit | (Optional) Set to false to disable merge commits on the repository. (Default: true) | bool |
true |
no |
| allow_rebase_merge | (Optional) Set to true to enable rebase merges on the repository. (Default: false) | bool |
false |
no |
| allow_squash_merge | (Optional) Set to true to enable squash merges on the repository. (Default: false) | bool |
false |
no |
| allows_deletions | (Optional) Boolean, setting this to true to allow the branch to be deleted. | bool |
true |
no |
| allows_force_pushes | (Optional) Boolean, setting this to true to allow force pushes on the branch. | bool |
false |
no |
| archive_on_destroy | (Optional) Set to false to not archive the repository instead of deleting on destroy. |
bool |
false |
no |
| archived | (Optional) Specifies if the repository should be archived. (Default: false) | bool |
false |
no |
| auto_init | (Optional) Whether or not to produce an initial commit in the repository. (Default: true) | bool |
true |
no |
| branch | (Required) The branch (e.g. stage) | list(string) |
[] |
no |
| branch_protection_version | Provide the branch protection options.Either branch_protection_v3 or branch_protection Only one option can be true. |
object({ |
{ |
no |
| default_branch | The default branch (e.g. develop) | string |
"main" |
no |
| delete_branch_on_merge | (Optional) Whether or not to delete the merged branch after merging a pull request. (Default: false) | bool |
true |
no |
| description | (Optional) A description of the repository. | string |
null |
no |
| enforce_admins | (Optional) Boolean, setting this to true enforces status checks for repository |
bool |
true |
no |
| gitignore_template | (Optional) Use the name of the template without the extension. For example, Haskell. Available templates: https://github.com/github/gitignore | string |
null |
no |
| has_downloads | (Optional) Set to true to enable the (deprecated) downloads features on the repository. (Default: false) | bool |
false |
no |
| has_issues | (Optional) Set to true to enable the GitHub Issues features on the repository. (Default: false) | bool |
false |
no |
| has_projects | (Optional) Set to true to enable the GitHub Projects features on the repository. Per the github documentation when in an organization that has disabled repository projects it will default to false and will otherwise default to true. If you specify true when it has been disabled it will return an error. (Default: false) | bool |
false |
no |
| has_wiki | (Optional) Set to true to enable the GitHub Wiki features on the repository. (Default: false) | bool |
false |
no |
| homepage_url | (Optional) The website of the repository. | string |
null |
no |
| is_template | (Optional) Whether or not to tell GitHub that this is a template repository. ( Default: false) | bool |
false |
no |
| issue_label | A map of labels to add to the repository | map(any) |
{} |
no |
| license_template | (Optional) Use the name of the template without the extension. For example, 'mit' or 'mpl-2.0'. Available licenses: https://github.com/github/choosealicense.com/tree/gh-pages/_licenses | string |
null |
no |
| name | (Required) The name of the repository. | string |
n/a | yes |
| pages | The repository's GitHub Pages configuration, see examples for working example and required properties | any |
null |
no |
| pattern | (Required) Identifies the protection rule pattern. | string |
"main" |
no |
| push_restrictions | (Optional) The list of actor IDs that may push to the branch. | list(string) |
[] |
no |
| require_conversation_resolution | (Optional) Boolean, setting this to true requires all conversations on code must be resolved before a pull request can be merged. | bool |
true |
no |
| require_signed_commits | (Optional) Boolean, setting this to true requires all commits to be signed with GPG. | bool |
false |
no |
| required_linear_history | (Optional) Boolean, setting this to true enforces a linear commit Git history, which prevents anyone from pushing merge commits to a branch | bool |
true |
no |
| required_pull_request_reviews | (Optional) Enforce restrictions for pull request reviews. | object({ |
null |
no |
| required_pull_request_reviews_v3 | supports the following arguments: dismiss_stale_reviews (Optional) Dismiss approved reviews automatically when a new commit is pushed. Defaults to false / dismissal_users (Optional) The list of user logins with dismissal access / dismissal_teams (Optional) The list of team slugs with dismissal access. Always use slug of the team, not its name. Each team already has to have access to the repository. / / require_code_owner_reviews (Optional) Require an approved review in pull requests including files with a designated code owner. Defaults to false / required_approving_review_count (Optional) Require x number of approvals to satisfy branch protection requirements. If this is specified it must be a number between 1-6 |
object({ |
null |
no |
| required_status_checks | Enforce restrictions for required status checks, strict (Optional) Require branches to be up to date before merging. Defaults to false contexts (Optional) The list of status checks to require in order to merge into this branch. No status checks are required by default. |
object({ |
null |
no |
| restrictions | supports the following arguments: users (Optional) The list of user logins with push access. / teams (Optional) The list of team slugs with push access. Always use slug of the team, not its name. Each team already has to have access to the repository. / apps (Optional) The list of app slugs with push access. |
object({ |
null |
no |
| secrets | A map of secrets to be created with your repository | map(any) |
{} |
no |
| teams | The teams and respective permissions to the repository, for example admin = maintainer |
map(string) |
{} |
no |
| template | Template repository to use, specify a owner and a repository id |
object({ |
null |
no |
| topics | (Optional) The list of topics of the repository. (Default: []) | list(string) |
[] |
no |
| visibility | (Optional) Can be 'public', 'private' or 'internal' .The visibility parameter overrides the private parameter. Defaults to 'private' if neither private nor visibility are set, default to state of private parameter if it is set. | string |
"private" |
no |
| vulnerability_alerts | (Optional) Set to false to disable security alerts for vulnerable dependencies. Enabling requires alerts to be enabled on the owner level. |
bool |
true |
no |
| Name | Description |
|---|---|
| full_name | A string of the form 'orgname/reponame'. |
| git_clone_url | URL that can be provided to git clone to clone the repository anonymously via the git protocol. |
| html_url | URL to the repository on the web. |
| http_clone_url | URL that can be provided to git clone to clone the repository via HTTPS. |
| repository | All attributes and arguments as returned by the github_repository resource. |
| ssh_clone_url | URL that can be provided to git clone to clone the repository via SSH. |
This repository uses third party software:
- pre-commit - Used to help ensure code and documentation consistency
- Install with
brew install pre-commit - Manually use with
pre-commit run
- Install with
- terraform 0.14.11 For backwards compatibility we are using version 0.14.11 for testing making this the min version tested and without issues with terraform-docs.
- terraform-docs - Used to generate the Inputs and Outputs sections
- Install with
brew install terraform-docs - Manually use via pre-commit
- Install with
- tflint - Used to lint the Terraform code
- Install with
brew install tflint - Manually use via pre-commit
- Install with
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent