mineiros-io / terraform-github-repository Goto Github PK

similar to #118, I would like to use environments with this module for deployment control.

Hi,

Is there a support for "Always suggest updating pull request branches"?

If not, is there a timeline for this to be supported?

Thanks!

Hi folks!

I came across your repos from this article: https://www.mineiros.io/blog/how-to-manage-your-github-organization-with-terraform which has given me a great headstart as a complete noob to Terraform. Thanks so much for the article and the resources! I have over 90 repos to manage in our open source project and I think this is going to be a very efficient way to work once I get my head around it all!

I'm stumbling upon a challenge though.

In your article you declare the organisation in the main.tf file however this doesn't seem to be working when I try to use the up-to-date example code from your repos.

I had to change a bunch of things by copying from your latest repos because I guess things have changed in the GitHub API since the article was written, so I expect maybe the way to declare the organisation has changed too.

I tried checking your repos for how to declare it with the updated templates but I can't seem to find it in any of your example files. I think that either it's set at the repository.tf or the main.tf level, so hedging my bets and making the request here for a snippet on how to get this working!

So far it's working perfectly, but creating everything in my personal account, not the org.

Thanks in advance for any help!

We have a strong circulation of pull requests/branches. So we have to ignore this branches change. Since terraform does have lifecycle support only for resource scope, we need a workaround for this. Any help would be much appreciated.

The automated-security-fixes key is not supported by this provider which prevents Dependabot PRs to get enabled.

vulnerability_alerts only enable alerts, while the former key enables associated PRs to be enabled.

• REST API endpoint: https://api.github.com/repos/%7Borganization%7D/%7Brepository%7D/automated-security-fixes
• REST API documentation: https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#enable-automated-security-fixes

Would be great to have this implemented as manual changes get overwritten and our automation pipelines are failing.

Is there a way to scan for repositories which already exist, and to apply the configuration to those? Or does this only apply to new projects?

Hi, do you plan support for github provider >= 3.1.0? We would like to use vulnerability scanning of dependencies that was introduced in this provider version.

The Terraform GitHub Provider deprecated the field contexts and from now on checks should be used. Would be good to reflect this change in the module.

Warning: "required_status_checks.0.contexts": [DEPRECATED] GitHub is deprecating the use of contexts. Use a checks array instead.

Hello,

It looks like this module prefers to use branch_protection_v3 rather than branch_protection while the documentation here makes it sound like https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection_v3 branch_protection_v3 is the old resource and we should be preferring branch_protection

As branch_protection uses GraphQL and branch_protection_v3 uses REST

It would be incredibly helpful to allow this module to support GitHub's Discussions feature, similar to how the has_issues, has_wiki, and has_projects works.

Hi,
Checking about protected branches and the key required_pull_request_reviews, documentation about the dismiss_stale_reviews setting mentions that the default value is false.
However, when running a plan adding a protected branch without setting that value, as this:

 branch_protections = [
  {
    branch         = "master"
    enforce_admins = false
    required_pull_request_reviews = {
      require_code_owner_reviews      = true
      required_approving_review_count = 2
    },
    restrictions = {
      apps  = []
      teams = ["novum-moves"]
      users = []
    }
  },
]

a terraform plan is going to set this setting as true.

  # module.repository.github_branch_protection_v3.branch_protection[0] will be created
  + resource "github_branch_protection_v3" "branch_protection" {
      + branch                 = "master"
      + enforce_admins         = false
      + etag                   = (known after apply)
      + id                     = (known after apply)
      + repository             = "repository"
      + require_signed_commits = false

      + required_pull_request_reviews {
          + dismiss_stale_reviews           = true
          + require_code_owner_reviews      = true
          + required_approving_review_count = 2
        }

      + restrictions {
          + teams = [
              + "novum-moves",
            ]
        }
    }

Checking main.tf, I think this value comes from this merge:
https://github.com/mineiros-io/terraform-github-repository/blob/master/main.tf#L67

Tested version:

module "repository" {
  source                                = "mineiros-io/repository/github"
  version                               = "0.10.1"
  ...
}

Not sure what it should be updated, documentation or code ?
I could open a PR to update the needed value.

Thanks!

Implemented #143

This would be a great optional feature with enables easy migration....

Tried to use module on Azure Cloud Shell:

Initializing modules...
Downloading mineiros-io/repository/github 0.5.1 for repository...
- repository in .terraform/modules/repository

Error: Unsupported Terraform Core version

  on .terraform/modules/repository/versions.tf line 6, in terraform:
   6:   required_version = ">= 0.12.20, < 0.14"

When using latest GitHub provider (integrations/github 5.9.0)
I get the following error for the given repository definition.

╷
│ Error: at least one permission expected from permissions map
│ 
│   with module.my_repo.github_team_repository.team_repository_by_slug["my_team"],
│   on .terraform/modules/my_repo/main.tf line 441, in resource "github_team_repository" "team_repository_by_slug":
│  441: resource "github_team_repository" "team_repository_by_slug" {
│ 
╵

module "my_repo" {
  source               = "mineiros-io/repository/github"
  version              = "0.18.0"
  name                 = "my_repo"
  defaults             = var.defaults.private
  visibility           = "private"
  has_downloads        = false
  archived             = false
  archive_on_destroy   = true
  vulnerability_alerts = true
  push_teams           = [var.teams.my_team]
}

I can solve it for now by downgrading to integrations/github 5.8.0

The docs state the default for delete_branch_on_merge is false, but in the code it defaults to true.

Happy to submit a PR to fix by either changing the docs or the code, but not sure which is preferred. My personal opinion is that this should default to false as per the docs, so the code should be updated to reflect that, but this will change the behaviour for anyone who hasn't explicitly set this in their config so may need some more thought.

Functionality outlined in this blog:
https://github.blog/changelog/2022-10-20-new-branch-protections-last-pusher-and-locked-branch/

Implemented in the provider here:
integrations/terraform-provider-github#1407

These would be great additions to have, thanks for the great module!

I understand that branch protections are currently a bit up in the air (broken in ~5.7.0), per a previous comment made here:
#132 (comment)

But hopefully this can be added once that is fixed, or in anticipation of 👍

Hi, it seems private has been deprecated for visibility.

I have got the below warning when terraforming --->

Warning: "private": [DEPRECATED] use visibility instead

It would be nice if the module would support the Github Autolink references feature for Repository. The Github Provider for Terraform already supports that, so it should also be possible to integrate this in the module, right?

There is lack of lock_branch argument from github_branch_protection resource.

From Terraform registry

• lock_branch - (Optional) Boolean, Setting this to true will make the branch read-only and preventing any pushes to it. Defaults to false

Require deployments to succeed before merging branch protection setting:
https://github.blog/changelog/2022-04-12-required-deployments/

I'm unsure if this has been implemented in the upstream provider but would be a great addition to have, along with environments (#138)

A couple of months ago, GitHub released a configuration option for branch protections that allows specified users to bypass pull request restrictions. Support for this feature recently made it's way to the GitHub Terraform provider:

• integrations/terraform-provider-github#1030

There does not appear to be an equivalent in the branch_protection_v3 resource (yet?), so this is a request to add support for branch_protection.

A last (for me) missing feature in this module is the possibility to configure branches (besides the default branch). For this github_branch exists and could be easily integrated.

I don't know if the example is supposed to be runnable without modification, but the result when I try to do that is (after a successful "terraform init"):
➜ terraform plan
╷
│ Error: Invalid count argument
│
│ on .terraform/modules/repository/main.tf line 162, in resource "github_branch_protection_v3" "branch_protection":
│ 162: count = length(local.branch_protections)
│
│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around
│ this, use the -target argument to first apply only the resources that the count depends on.
╵

I'm not entirely sure here why a set would be preferred over a numbered list, but with this usage:

app_installations = [ var.some_number ]

Produces:

The given "for_each" argument value is unsuitable: "for_each" supports maps
and sets of strings, but you have provided a set containing type number.

Error: Invalid for_each set argument

  on .terraform/modules/terraform_github_modules/main.tf line 505, in resource "github_app_installation_repository" "app_installation_repository":
 505:   for_each = var.app_installations
    ├────────────────
    │ var.app_installations is set of number with 1 element

The example for a public repos sets:

visibility = "private"

Is this an oversight?

Can we please get a release of this module with the maximum version constraint removed so we're not stuck on version 5.x of the GitHub provider.

According to the Terraform Documentation, modules should ideally not specify a maximum version constraint.

I'm also waiting on support to control the commit message format but just fixing this would unblock me from being able to upgrade the GitHub provider.

It was commented in February in #165 that something might be released soon, we're now in June with no release(s).

Likewise for your GitHub team module, as that's also pinned to < 6.

@soerenmartius @mariux

As explained here all attributes from the github_repository resource should be exported by the module.
There is an attribute on the github_repository documentation named repo_id.

However, when I create a github repository with the mineiros-io module, this repo_id attribute does not exist. For example, my attributes look something like this:

{
  "attributes": {
    "allow_merge_commit": true,
    "allow_rebase_merge": true,
    "allow_squash_merge": true,
    "archived": false,
    "auto_init": false,
    "default_branch": "master",
    "delete_branch_on_merge": false,
    "description": "",
    "etag": "W/\"b62fa29d48ada996cea8f6f4742c81c0c62b21256e886a72a356089eb57077c4\"",
    "full_name": "exampleorg/repo-anonymized",
    "git_clone_url": "git://github.com/exampleorg/repo-anonymized.git",
    "gitignore_template": null,
    "has_downloads": true,
    "has_issues": true,
    "has_projects": false,
    "has_wiki": true,
    "homepage_url": "",
    "html_url": "https://github.com/exampleorg/repo-anonymized",
    "http_clone_url": "https://github.com/exampleorg/repo-anonymized.git",
    "id": "repo-anonymized",
    "is_template": false,
    "license_template": null,
    "name": "repo-anonymized",
    "node_id": "MDEwOlJlcG9zaXRvcnk3NDU4OTg4NQ==",
    "private": true,
    "ssh_clone_url": "git@exampleorg/repo-anonymized.git",
    "svn_url": "https://github.com/exampleorg/repo-anonymized",
    "template": [],
    "topics": [],
    "visibility": "private"
  }
}

Is there any reason this one attribute is not generated by the module?

https://registry.terraform.io/providers/integrations/github/latest/docs/resources/app_installation_repository

It would be useful to have support for this within the module.

Feature request: Ability to create GitHub repository variables

It is supported in the underlying integrations/github module with the github_actions_variable resource.

https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_tag_protection

It would be great if this module supported GitHub's recent tag protection

From provider docs:
allow_auto_merge - (Optional) Set to true to allow auto-merging pull requests on the repository.

Hi, I have been trying to import some repos into a master repo forked from this, but some repositories couldn't be imported because the module doesn't support pages or environments which a repo may have. Is there anything we can do about this, even if it is just so it doesn't make any change to it but allows me to import the repo?

i would like to discuss changing some defaults in this early phase:

• change private to default to true to make it more secure/private by default.

• change has_issues to default to false so you have to specify the features you want to have and not those you do not want to have (opt-in instead of out) In addition this would be more consistent with other has_* options (and match the current description)

• set allow_merge_commit, allow_squash_merge and allow_rebase_merge to false so that you have to opt-in and are forced to specify at least one.

The module seems to allow spaces to be used in the name of the repository.

It will apparently converts them into - while building the plan (I've not found yet where this is done).

However, it partially fails to apply the plan: the repository will be created in GitHub but Terraform will fail.

How to reproduce

1. Create a new repository like this:

module "space_repo" {
  source  = "mineiros-io/repository/github"
  version = "~> 0.18.0"

  name = "space repo"
}

2. Execute terraform plan - should give something like this:

# module.space_repo.github_repository.repository will be created
+ resource "github_repository" "repository" {
   ...
   + name = "space repo"
   ...
 }

3. Execute terraform apply - should fail with this error:

module.space_repo.github_repository.repository: Creating...

Error: PATCH https://api.github.com/repos/my-org/space-repo: 422 Validation Failed []

  with module.space_repo.github_repository.repository,
  on .terraform/modules/space_repo/main.tf line 91, in resource "github_repository" "repository":
  91: resource "github_repository" "repository" {

4. Subsequent terrafrom apply should fail again with this other error:

module.space_repo.github_repository.repository: Destroying... [id=space-repo]
module.space_repo.github_repository.repository: Destruction complete after 0s
module.space_repo.github_repository.repository: Creating...

Error: POST https://api.github.com/orgs/my-org/repos: 422 Repository creation failed. [{Resource:Repository Field:name Code:custom Message:name already exists on this account}]

  with module.space_repo.github_repository.repository,
  on .terraform/modules/space_repo/main.tf line 91, in resource "github_repository" "repository":
  91: resource "github_repository" "repository" {

(Because archive_on_destroy is set to true by default I suppose).

Expected behavior

I suppose the terraform plan command should explicitly fail and report the presence of invalid character(s) in the name.

github_actions_environment_variable has been added to the official github integration. would be grest to have support for this.

GitHub releases a week ago a new major version of the provider: https://github.com/integrations/terraform-provider-github/releases

The module should support that version :-)

Trying to use the same public key in multiple repositories, but its erroring in deploy_keys.

Would be possible to reference an already created "key" ?

When trying to upgrade to the latest integration/github version I get this error.

Could not retrieve the list of available versions for provider integrations/github: no available releases match the given constraints >= 4.20.0, 5.14.0, >= 5.15.0, < 6.0.0

I am currently running github version 5.14.0 and i have tried upgrading to the different version 5.15.0, 5.16.0, and 5.17.0 I get the same error message on each version.

I have wiped the modules and providers directory and still get the error.

Has any one else had an issue upgrading?
Terraform version 1.3.7
Mac M1

The required providers section of the module seems like it would allow anything between 4.2.0 and 6.0.0

GitHub allows for team slug to contain underscores, therefore these shouldn't be replaced with hyphens in code such as at

GitHub recently added an option for is_alphanumeric in github_repository_autolink_reference. This was added to v5.8.0 of terraform-github-provider and documented here

Bumping the provider causes a change to all our current autolinks, like below.

-/+ resource "github_repository_autolink_reference" "repository_autolink_reference" {
      + etag                = (known after apply)
      ~ id                  = "346367" -> (known after apply)
      + is_alphanumeric     = true # forces replacement
        # (3 unchanged attributes hidden)
  }

It would be great if autolink_references could be extented to support setting is_alphanumeric.

Github added some months ago this nice option --> https://github.blog/changelog/2022-05-11-default-to-pr-titles-for-squash-merge-commit-messages/

And, as far as I understand, the terraform provider for github already has it. integrations/terraform-provider-github#1263

I don't think I have seen this option in the variables, nor any related issue.

Am I missing something? And, if not, is this something expected to be added?