mineiros-io / terraform-github-repository
A Terraform module to manage GitHub Repositories. https://github.com/
License: Apache License 2.0
Similar to #118, I would like to use environments with this module for deployment control.
Hi folks!
I came across your repos from this article: https://www.mineiros.io/blog/how-to-manage-your-github-organization-with-terraform which has given me a great head start as a complete noob to Terraform. Thanks so much for the article and the resources! I have over 90 repos to manage in our open source project and I think this is going to be a very efficient way to work once I get my head around it all!
I'm stumbling upon a challenge though.
In your article you declare the organisation in the main.tf file; however, this doesn't seem to work when I try to use the up-to-date example code from your repos.
I had to change a bunch of things by copying from your latest repos because I guess things have changed in the GitHub API since the article was written, so I expect maybe the way to declare the organisation has changed too.
I tried checking your repos for how to declare it with the updated templates but I can't seem to find it in any of your example files. I think that either it's set at the repository.tf or the main.tf level, so hedging my bets and making the request here for a snippet on how to get this working!
So far it's working perfectly, but creating everything in my personal account, not the org.
Thanks in advance for any help!
We have a strong circulation of pull requests/branches, so we have to ignore these branch changes. Since Terraform only has lifecycle support at resource scope, we need a workaround for this. Any help would be much appreciated.
The automated-security-fixes key is not supported by this provider, which prevents Dependabot PRs from being enabled. vulnerability_alerts only enables alerts, while the former key enables the associated PRs.
https://api.github.com/repos/%7Borganization%7D/%7Brepository%7D/automated-security-fixes
Would be great to have this implemented as manual changes get overwritten and our automation pipelines are failing.
Is there a way to scan for repositories which already exist, and to apply the configuration to those? Or does this only apply to new projects?
Hi, do you plan support for github provider >= 3.1.0? We would like to use vulnerability scanning of dependencies that was introduced in this provider version.
The Terraform GitHub Provider deprecated the field contexts, and from now on checks should be used. Would be good to reflect this change in the module.
    Warning: "required_status_checks.0.contexts": [DEPRECATED] GitHub is deprecating the use of contexts. Use a checks array instead.
Hello,
It looks like this module prefers to use branch_protection_v3 rather than branch_protection, while the documentation here (https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection_v3) makes it sound like branch_protection_v3 is the old resource and we should be preferring branch_protection, as branch_protection uses GraphQL and branch_protection_v3 uses REST.
It would be incredibly helpful to allow this module to support GitHub's Discussions feature, similar to how has_issues, has_wiki, and has_projects work.
See terraform-github-repository/variables.tf, lines 57, 63 and 69 in ee6001a.
Hi,
Checking protected branches and the key required_pull_request_reviews, the documentation about the dismiss_stale_reviews setting mentions that the default value is false.
However, when running a plan adding a protected branch without setting that value, like this:
    branch_protections = [
      {
        branch         = "master"
        enforce_admins = false
        required_pull_request_reviews = {
          require_code_owner_reviews      = true
          required_approving_review_count = 2
        },
        restrictions = {
          apps  = []
          teams = ["novum-moves"]
          users = []
        }
      },
    ]
a terraform plan is going to set this setting to true.
    # module.repository.github_branch_protection_v3.branch_protection[0] will be created
    + resource "github_branch_protection_v3" "branch_protection" {
        + branch                 = "master"
        + enforce_admins         = false
        + etag                   = (known after apply)
        + id                     = (known after apply)
        + repository             = "repository"
        + require_signed_commits = false
        + required_pull_request_reviews {
            + dismiss_stale_reviews           = true
            + require_code_owner_reviews      = true
            + required_approving_review_count = 2
          }
        + restrictions {
            + teams = [
                + "novum-moves",
              ]
          }
      }
Checking main.tf, I think this value comes from this merge:
https://github.com/mineiros-io/terraform-github-repository/blob/master/main.tf#L67
Tested version:
    module "repository" {
      source  = "mineiros-io/repository/github"
      version = "0.10.1"
      ...
    }
Not sure what should be updated, documentation or code?
I could open a PR to update the needed value.
Thanks!
Implemented #143
This would be a great optional feature which enables easy migration...
Tried to use the module on Azure Cloud Shell:
Initializing modules...
Downloading mineiros-io/repository/github 0.5.1 for repository...
- repository in .terraform/modules/repository
Error: Unsupported Terraform Core version
  on .terraform/modules/repository/versions.tf line 6, in terraform:
   6:   required_version = ">= 0.12.20, < 0.14"
When using the latest GitHub provider (integrations/github 5.9.0) I get the following error for the given repository definition.
╷
│ Error: at least one permission expected from permissions map
│
│ with module.my_repo.github_team_repository.team_repository_by_slug["my_team"],
│ on .terraform/modules/my_repo/main.tf line 441, in resource "github_team_repository" "team_repository_by_slug":
│ 441: resource "github_team_repository" "team_repository_by_slug" {
│
╵
    module "my_repo" {
      source  = "mineiros-io/repository/github"
      version = "0.18.0"

      name                 = "my_repo"
      defaults             = var.defaults.private
      visibility           = "private"
      has_downloads        = false
      archived             = false
      archive_on_destroy   = true
      vulnerability_alerts = true
      push_teams           = [var.teams.my_team]
    }
I can solve it for now by downgrading to integrations/github 5.8.0
The docs state the default for delete_branch_on_merge is false, but in the code it defaults to true.
Happy to submit a PR to fix by either changing the docs or the code, but not sure which is preferred. My personal opinion is that this should default to false as per the docs, so the code should be updated to reflect that, but this will change the behaviour for anyone who hasn't explicitly set this in their config so may need some more thought.
Functionality outlined in this blog:
https://github.blog/changelog/2022-10-20-new-branch-protections-last-pusher-and-locked-branch/
Implemented in the provider here:
integrations/terraform-provider-github#1407
These would be great additions to have, thanks for the great module!
I understand that branch protections are currently a bit up in the air (broken in ~5.7.0), per a previous comment made here:
#132 (comment)
But hopefully this can be added once that is fixed, or in anticipation of 👍
Hi, it seems private has been deprecated in favour of visibility.
I got the below warning when terraforming:
    Warning: "private": [DEPRECATED] use visibility instead
It would be nice if the module would support the GitHub Autolink references feature for repositories. The GitHub Provider for Terraform already supports that, so it should also be possible to integrate this in the module, right?
There is a lack of the lock_branch argument from the github_branch_protection resource. From the Terraform registry.
The "Require deployments to succeed before merging" branch protection setting:
https://github.blog/changelog/2022-04-12-required-deployments/
I'm unsure if this has been implemented in the upstream provider but would be a great addition to have, along with environments (#138)
A couple of months ago, GitHub released a configuration option for branch protections that allows specified users to bypass pull request restrictions. Support for this feature recently made its way to the GitHub Terraform provider:
There does not appear to be an equivalent in the branch_protection_v3 resource (yet?), so this is a request to add support for branch_protection.
A last (for me) missing feature in this module is the possibility to configure branches (besides the default branch). For this github_branch exists and could be easily integrated.
I don't know if the example is supposed to be runnable without modification, but the result when I try to do that is (after a successful "terraform init"):
➜ terraform plan
╷
│ Error: Invalid count argument
│
│ on .terraform/modules/repository/main.tf line 162, in resource "github_branch_protection_v3" "branch_protection":
│ 162: count = length(local.branch_protections)
│
│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around
│ this, use the -target argument to first apply only the resources that the count depends on.
╵
I'm not entirely sure here why a set would be preferred over a numbered list, but with this usage:
    app_installations = [ var.some_number ]
Produces:
    Error: Invalid for_each set argument

      on .terraform/modules/terraform_github_modules/main.tf line 505, in resource "github_app_installation_repository" "app_installation_repository":
     505:   for_each = var.app_installations
        ├────────────────
        │ var.app_installations is set of number with 1 element

    The given "for_each" argument value is unsuitable: "for_each" supports maps
    and sets of strings, but you have provided a set containing type number.
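As an added illustration (not the module's own code), this is the shape of a module-side declaration that avoids the error above: for_each only accepts maps and sets of strings, so the variable is typed set(string), and Terraform then converts a caller's numeric installation ID to a string automatically. The resource name and attribute names follow the integrations/github provider; the variable description is assumed.

```hcl
# Added example, not the module's code. Declaring the variable as set(string)
# means a caller passing [var.some_number] gets an automatic number -> string
# conversion instead of "set containing type number" at plan time.
variable "app_installations" {
  description = "Set of GitHub App installation IDs (strings) to grant access to the repository."
  type        = set(string)
  default     = []
}

resource "github_app_installation_repository" "app_installation_repository" {
  # Valid: each.key / each.value are strings because of the type constraint above.
  for_each = var.app_installations

  installation_id = each.value
  repository      = github_repository.repository.name
}

# Caller side. Either form works once the variable is set(string);
# tostring() makes the intent explicit when the source value is a number.
#
#   app_installations = [tostring(var.some_number)]
```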
The example for public repos sets:
visibility = "private"
Is this an oversight?
Can we please get a release of this module with the maximum version constraint removed so we're not stuck on version 5.x of the GitHub provider.
According to the Terraform Documentation, modules should ideally not specify a maximum version constraint.
I'm also waiting on support to control the commit message format but just fixing this would unblock me from being able to upgrade the GitHub provider.
It was commented in February in #165 that something might be released soon, we're now in June with no release(s).
Likewise for your GitHub team module, as that's also pinned to < 6.
As explained here, all attributes from the github_repository resource should be exported by the module.
There is an attribute in the github_repository documentation named repo_id.
However, when I create a GitHub repository with the mineiros-io module, this repo_id attribute does not exist. For example, my attributes look something like this:
    {
      "attributes": {
        "allow_merge_commit": true,
        "allow_rebase_merge": true,
        "allow_squash_merge": true,
        "archived": false,
        "auto_init": false,
        "default_branch": "master",
        "delete_branch_on_merge": false,
        "description": "",
        "etag": "W/\"b62fa29d48ada996cea8f6f4742c81c0c62b21256e886a72a356089eb57077c4\"",
        "full_name": "exampleorg/repo-anonymized",
        "git_clone_url": "git://github.com/exampleorg/repo-anonymized.git",
        "gitignore_template": null,
        "has_downloads": true,
        "has_issues": true,
        "has_projects": false,
        "has_wiki": true,
        "homepage_url": "",
        "html_url": "https://github.com/exampleorg/repo-anonymized",
        "http_clone_url": "https://github.com/exampleorg/repo-anonymized.git",
        "id": "repo-anonymized",
        "is_template": false,
        "license_template": null,
        "name": "repo-anonymized",
        "node_id": "MDEwOlJlcG9zaXRvcnk3NDU4OTg4NQ==",
        "private": true,
        "ssh_clone_url": "git@exampleorg/repo-anonymized.git",
        "svn_url": "https://github.com/exampleorg/repo-anonymized",
        "template": [],
        "topics": [],
        "visibility": "private"
      }
    }
Is there any reason this one attribute is not generated by the module?
It would be useful to have support for this within the module.
Feature request: Ability to create GitHub repository variables.
It is supported in the underlying integrations/github module with the github_actions_variable resource.
It would be great if this module supported GitHub's recent tag protection feature.
From provider docs:
allow_auto_merge - (Optional) Set to true to allow auto-merging pull requests on the repository.
Hi, I have been trying to import some repos into a master repo forked from this, but some repositories couldn't be imported because the module doesn't support pages or environments which a repo may have. Is there anything we can do about this, even if it is just so it doesn't make any change to it but allows me to import the repo?
I would like to discuss changing some defaults in this early phase:
Change private to default to true to make it more secure/private by default.
Change has_issues to default to false so you have to specify the features you want to have and not those you do not want to have (opt-in instead of opt-out). In addition this would be more consistent with other has_* options (and match the current description).
Set allow_merge_commit, allow_squash_merge and allow_rebase_merge to false so that you have to opt in and are forced to specify at least one.
The module seems to allow spaces to be used in the name of the repository.
It apparently converts them into - while building the plan (I've not found yet where this is done).
However, it partially fails to apply the plan: the repository will be created in GitHub but Terraform will fail.
    module "space_repo" {
      source  = "mineiros-io/repository/github"
      version = "~> 0.18.0"
      name    = "space repo"
    }
terraform plan should give something like this:
    # module.space_repo.github_repository.repository will be created
    + resource "github_repository" "repository" {
        ...
        + name = "space repo"
        ...
      }
terraform apply should fail with this error:
    module.space_repo.github_repository.repository: Creating...
    Error: PATCH https://api.github.com/repos/my-org/space-repo: 422 Validation Failed []
      with module.space_repo.github_repository.repository,
      on .terraform/modules/space_repo/main.tf line 91, in resource "github_repository" "repository":
      91: resource "github_repository" "repository" {
terraform apply should fail again with this other error:
    module.space_repo.github_repository.repository: Destroying... [id=space-repo]
    module.space_repo.github_repository.repository: Destruction complete after 0s
    module.space_repo.github_repository.repository: Creating...
    Error: POST https://api.github.com/orgs/my-org/repos: 422 Repository creation failed. [{Resource:Repository Field:name Code:custom Message:name already exists on this account}]
      with module.space_repo.github_repository.repository,
      on .terraform/modules/space_repo/main.tf line 91, in resource "github_repository" "repository":
      91: resource "github_repository" "repository" {
(Because archive_on_destroy is set to true by default, I suppose.)
I suppose the terraform plan command should explicitly fail and report the presence of invalid character(s) in the name.
github_actions_environment_variable has been added to the official GitHub integration. Would be great to have support for this.
GitHub released a week ago a new major version of the provider: https://github.com/integrations/terraform-provider-github/releases
The module should support that version :-)
Trying to use the same public key in multiple repositories, but it's erroring in deploy_keys.
Would it be possible to reference an already created "key"?
When trying to upgrade to the latest integrations/github version I get this error.
    Could not retrieve the list of available versions for provider integrations/github: no available releases match the given constraints >= 4.20.0, 5.14.0, >= 5.15.0, < 6.0.0
I am currently running github version 5.14.0 and I have tried upgrading to the different versions 5.15.0, 5.16.0, and 5.17.0; I get the same error message on each version.
I have wiped the modules and providers directory and still get the error.
Has anyone else had an issue upgrading?
Terraform version 1.3.7
Mac M1
The required providers section of the module seems like it would allow anything between 4.2.0 and 6.0.0
GitHub allows a team slug to contain underscores, therefore these shouldn't be replaced with hyphens in code such as at terraform-github-repository/main.tf, lines 345 to 349 in 390fccd.
GitHub recently added an option for is_alphanumeric in github_repository_autolink_reference. This was added in v5.8.0 of terraform-github-provider and documented here.
Bumping the provider causes a change to all our current autolinks, like below.
    -/+ resource "github_repository_autolink_reference" "repository_autolink_reference" {
          + etag            = (known after apply)
          ~ id              = "346367" -> (known after apply)
          + is_alphanumeric = true # forces replacement
            # (3 unchanged attributes hidden)
        }
It would be great if autolink_references could be extended to support setting is_alphanumeric.
GitHub added some months ago this nice option --> https://github.blog/changelog/2022-05-11-default-to-pr-titles-for-squash-merge-commit-messages/
And, as far as I understand, the Terraform provider for GitHub already has it. integrations/terraform-provider-github#1263
I don't think I have seen this option in the variables, nor any related issue.
Am I missing something? And, if not, is this something expected to be added?