feat: added security_and_analysis block support
Illia Karenhin committed Nov 28, 2022
1 parent ee6001a commit 5b0ddf5
Showing 7 changed files with 113 additions and 56 deletions.
6 changes: 6 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

## [0.19.0]

### Added

- Added support for `security_and_analysis`.

## [0.18.0]

### Added
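Review bot: the one-line entry under `## [0.19.0]` could say what the `security_and_analysis` block actually lets a user configure (`advanced_security`, `secret_scanning`, `secret_scanning_push_protection`, as named in the README hunk of this same commit), so a reader deciding whether to upgrade does not have to open the docs; and `## [Unreleased]` is now left empty, which is fine only if this commit is the release cut for 0.19.0.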
55 changes: 30 additions & 25 deletions README.md
Expand Up @@ -9,11 +9,8 @@
# terraform-github-repository

A [Terraform] module for creating a public or private repository on [Github].

**_This module supports Terraform v1.x and is compatible with the Official Terraform GitHub Provider v4.20 and above from `integrations/github`._**

**Attention: This module is incompatible with the Hashicorp GitHub Provider! The latest version of this module supporting `hashicorp/github` provider is `~> 0.10.0`**

** Note: Versions 5.3.0, 5.4.0, and 5.5.0 of the Terraform Github Provider have broken branch protections support and should not be used.**


Expand All @@ -30,6 +27,7 @@ A [Terraform] module for creating a public or private repository on [Github].
- [Deploy Keys Configuration](#deploy-keys-configuration)
- [Branch Protections v3 Configuration](#branch-protections-v3-configuration)
- [Branch Protections v4 Configuration](#branch-protections-v4-configuration)
- [Security And Analysis Configuration](#security-and-analysis-configuration)
- [Issue Labels Configuration](#issue-labels-configuration)
- [Projects Configuration](#projects-configuration)
- [Webhooks Configuration](#webhooks-configuration)
Expand Down Expand Up @@ -61,26 +59,22 @@ rollouts** and **rollbacks**. It's a comprehensive, ready-to-use blueprint
maintained by our team of platform engineering experts and saves
companies such as yours tons of time by building on top of a pre-configured
solution instead of building and maintaining it yourself.

For details please see [https://mineiros.io/github-as-code][github-as-code].

## Module Features

In contrast to the plain `github_repository` resource this module enables various other
features like Branch Protection or Collaborator Management.

- **Default Security Settings**:
This module creates a `private` repository by default,
Deploy keys are `read-only` by default

- **Standard Repository Features**:
Setting basic Metadata,
Merge Strategy,
Auto Init,
License Template,
Gitignore Template,
Template Repository

- **Extended Repository Features**:
Branches,
Branch Protection,
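Review bot: by the `-61,26 +59,22` header this hunk removes four lines and adds none, and the only candidates in view are blank separator lines. If the blank between `solution instead of building and maintaining it yourself.` and `For details please see [https://mineiros.io/github-as-code][github-as-code].` is among them, Markdown will join those two paragraphs into one; dropping the blanks between the `- **...**:` list items is harmless (it only makes the list tight). Please check the rendered README before merging.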
Expand All @@ -91,7 +85,6 @@ features like Branch Protection or Collaborator Management.
Deploy Keys,
Projects,
Repository Webhooks

- _Features not yet implemented_:
Project Columns support,
Actions,
Expand All @@ -100,12 +93,10 @@ features like Branch Protection or Collaborator Management.
## Getting Started

Most basic usage creating a new private github repository.

```hcl
module "repository" {
source = "mineiros-io/repository/github"
version = "~> 0.18.0"
name = "terraform-github-repository"
license_template = "apache-2.0"
gitignore_template = "Terraform"
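Review bot: the Getting Started snippet still pins `version = "~> 0.18.0"`, which selects 0.18.x only, so a user who copies it will never get the `security_and_analysis` support that the CHANGELOG hunk files under `## [0.19.0]`. Bump the pin to `"~> 0.19.0"` here, and in the matching heredoc in README.tfdoc.hcl, which carries the same `version = "~> 0.18.0"` line.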
Expand Down Expand Up @@ -616,12 +607,9 @@ This is due to some terraform limitation and we will update the module once terr
- [**`branch_protections_v4`**](#var-branch_protections_v4): *(Optional `list(branch_protection_v4)`)*<a name="var-branch_protections_v4"></a>

This resource allows you to configure v4 branch protection for repositories in your organization.

Each element in the list is a branch to be protected and the value the corresponding to the desired configuration for the branch.

When applied, the branch will be protected from forced pushes and deletion.
Additional constraints, such as required status checks or restrictions on users and teams, can also be configured.

**_NOTE:_** May conflict with v3 branch protections if used for the same branch.

Default is `[]`.
Expand Down Expand Up @@ -749,6 +737,35 @@ This is due to some terraform limitation and we will update the module once terr

Default is `[]`.

#### Security And Analysis Configuration

- [**`security_and_analysis`**](#var-security_and_analysis): *(Optional `object(security_and_analysis)`)*<a name="var-security_and_analysis"></a>

(Optional) The repository's [security and analysis](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository) configuration.
See [Security and Analysis Configuration](#security-and-analysis-configuration) below for details.

Default is `{}`.

The `security_and_analysis` object accepts the following attributes:

- [**`advanced_security`**](#attr-security_and_analysis-advanced_security): *(**Required** `string`)*<a name="attr-security_and_analysis-advanced_security"></a>

The advanced security configuration for the repository. See [Advanced Security Configuration](#advanced-security-configuration) below for details.

Default is `"disabled"`.

- [**`secret_scanning`**](#attr-security_and_analysis-secret_scanning): *(**Required** `string`)*<a name="attr-security_and_analysis-secret_scanning"></a>

The secret scanning configuration for the repository. See [Secret Scanning Configuration](#secret-scanning-configuration) below for details.

Default is `"disabled"`.

- [**`secret_scanning_push_protection`**](#attr-security_and_analysis-secret_scanning_push_protection): *(**Required** `string`)*<a name="attr-security_and_analysis-secret_scanning_push_protection"></a>

The secret scanning push protection configuration for the repository. See [Secret Scanning Push Protection Configuration](#secret-scanning-push-protection-configuration) below for details.

Default is `"disabled"`.

#### Issue Labels Configuration

- [**`issue_labels`**](#var-issue_labels): *(Optional `list(issue_label)`)*<a name="var-issue_labels"></a>
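Review bot: the three attribute descriptions in the new section point at anchors that nothing in this change defines: `#advanced-security-configuration`, `#secret-scanning-configuration` and `#secret-scanning-push-protection-configuration` have no matching heading anywhere in the diff (the only heading added is `#### Security And Analysis Configuration`), so every "See ... below for details" link will be dead in the rendered README; either add those subsections or drop the sentences. The variable's own description likewise links to `#security-and-analysis-configuration`, i.e. back to the section the reader is already in. Separately, each attribute is rendered as `*(**Required** `string`)*` and then says `Default is "disabled"`, which contradicts itself, and the parent variable defaults to `{}`. `"disabled"` is the only value the text names; the full accepted set, what each value does to the repository, and whether the three settings depend on one another (for instance whether `secret_scanning_push_protection` has any effect while `secret_scanning` is `"disabled"`) should be spelled out so a user can see the resulting security posture from the docs alone.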
Expand Down Expand Up @@ -859,13 +876,9 @@ This is due to some terraform limitation and we will update the module once terr
- [**`plaintext_secrets`**](#var-plaintext_secrets): *(Optional `map(string)`)*<a name="var-plaintext_secrets"></a>

This map allows you to create and manage secrets for repositories in your organization.

Each element in the map is considered a secret to be managed, being the key map the secret name and the value the corresponding secret in plain text:

When applied, a secret with the given key and value will be created in the repositories.

The value of the secrets must be given in plain text, GitHub provider is in charge of encrypting it.

**Attention:** You should treat state as sensitive always. It is also advised that you do not store plaintext values in your code but rather populate the encrypted_value using fields from a resource, data source or variable as, while encrypted in state, these will be easily accessible in your code. See below for an example of this abstraction.

Default is `{}`.
Expand All @@ -882,9 +895,7 @@ This is due to some terraform limitation and we will update the module once terr
- [**`encrypted_secrets`**](#var-encrypted_secrets): *(Optional `map(string)`)*<a name="var-encrypted_secrets"></a>

This map allows you to create and manage encrypted secrets for repositories in your organization.

Each element in the map is considered a secret to be managed, being the key map the secret name and the value the corresponding encrypted value of the secret using the Github public key in Base64 format.b

When applied, a secret with the given key and value will be created in the repositories.

Default is `{}`.
Expand Down Expand Up @@ -1033,9 +1044,7 @@ The following attributes are exported by the module:
## Module Versioning

This Module follows the principles of [Semantic Versioning (SemVer)].

Given a version number `MAJOR.MINOR.PATCH`, we increment the:

1. `MAJOR` version when we make incompatible changes,
2. `MINOR` version when we add functionality in a backwards compatible manner, and
3. `PATCH` version when we make backwards compatible bug fixes.
Expand All @@ -1049,10 +1058,8 @@ Given a version number `MAJOR.MINOR.PATCH`, we increment the:

[Mineiros][homepage] is a remote-first company headquartered in Berlin, Germany
that solves development, automation and security challenges in cloud infrastructure.

Our vision is to massively reduce time and overhead for teams to manage and
deploy production-grade and secure cloud infrastructure.

We offer commercial support for all of our modules and encourage you to reach out
if you have any questions or need help. Feel free to email us at [[email protected]] or join our
[Community Slack channel][slack].
Expand All @@ -1074,10 +1081,8 @@ Run `make help` to see details on each available target.
## License

[![license][badge-license]][apache20]

This module is licensed under the Apache License Version 2.0, January 2004.
Please see [LICENSE] for full details.

Copyright &copy; 2020-2022 [Mineiros GmbH][homepage]


68 changes: 42 additions & 26 deletions README.tfdoc.hcl
Expand Up @@ -38,11 +38,8 @@ section {
toc = true
content = <<-END
A [Terraform] module for creating a public or private repository on [Github].
**_This module supports Terraform v1.x and is compatible with the Official Terraform GitHub Provider v4.20 and above from `integrations/github`._**
**Attention: This module is incompatible with the Hashicorp GitHub Provider! The latest version of this module supporting `hashicorp/github` provider is `~> 0.10.0`**
** Note: Versions 5.3.0, 5.4.0, and 5.5.0 of the Terraform Github Provider have broken branch protections support and should not be used.**
END

Expand All @@ -60,7 +57,6 @@ section {
maintained by our team of platform engineering experts and saves
companies such as yours tons of time by building on top of a pre-configured
solution instead of building and maintaining it yourself.
For details please see [https://mineiros.io/github-as-code][github-as-code].
END
}
Expand All @@ -70,19 +66,16 @@ section {
content = <<-END
In contrast to the plain `github_repository` resource this module enables various other
features like Branch Protection or Collaborator Management.
- **Default Security Settings**:
This module creates a `private` repository by default,
Deploy keys are `read-only` by default
- **Standard Repository Features**:
Setting basic Metadata,
Merge Strategy,
Auto Init,
License Template,
Gitignore Template,
Template Repository
- **Extended Repository Features**:
Branches,
Branch Protection,
Expand All @@ -93,7 +86,6 @@ section {
Deploy Keys,
Projects,
Repository Webhooks
- _Features not yet implemented_:
Project Columns support,
Actions,
Expand All @@ -105,12 +97,10 @@ section {
title = "Getting Started"
content = <<-END
Most basic usage creating a new private github repository.
```hcl
module "repository" {
source = "mineiros-io/repository/github"
version = "~> 0.18.0"
name = "terraform-github-repository"
license_template = "apache-2.0"
gitignore_template = "Terraform"
Expand Down Expand Up @@ -796,12 +786,9 @@ section {
default = []
description = <<-END
This resource allows you to configure v4 branch protection for repositories in your organization.
Each element in the list is a branch to be protected and the value the corresponding to the desired configuration for the branch.
When applied, the branch will be protected from forced pushes and deletion.
Additional constraints, such as required status checks or restrictions on users and teams, can also be configured.
**_NOTE:_** May conflict with v3 branch protections if used for the same branch.
END

Expand Down Expand Up @@ -970,6 +957,47 @@ section {
}
}

section {
title = "Security And Analysis Configuration"

variable "security_and_analysis" {
type = object(security_and_analysis)
default = {}
description = <<-END
(Optional) The repository's [security and analysis](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository) configuration.
See [Security and Analysis Configuration](#security-and-analysis-configuration) below for details.
END

attribute "advanced_security" {
type = string
required = true
default = "disabled"
description = <<-END
The advanced security configuration for the repository. See [Advanced Security Configuration](#advanced-security-configuration) below for details.
END
}

attribute "secret_scanning" {
type = string
required = true
default = "disabled"
description = <<-END
The secret scanning configuration for the repository. See [Secret Scanning Configuration](#secret-scanning-configuration) below for details.
END
}

attribute "secret_scanning_push_protection" {
type = string
required = true
default = "disabled"
description = <<-END
The secret scanning push protection configuration for the repository. See [Secret Scanning Push Protection Configuration](#secret-scanning-push-protection-configuration) below for details.
END
}

}
}

section {
title = "Issue Labels Configuration"
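Review bot: `required = true` combined with `default = "disabled"` on `advanced_security`, `secret_scanning` and `secret_scanning_push_protection` is contradictory, and it cannot be reconciled with the enclosing `variable "security_and_analysis"` having `default = {}`: an empty object satisfies no required attribute. Decide which it is; given the defaults, `required = false` on all three (keeping `default = "disabled"`) looks like the intent, so that omitting the block leaves every scanner off and the generated README stops printing **Required** next to a default. Also, the variable description opens with `(Optional)` even though the generator already renders optionality from the variable's attributes; the other variables in this file (e.g. `plaintext_secrets`) do not repeat it in the description text.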

Expand Down Expand Up @@ -1134,13 +1162,9 @@ section {
default = {}
description = <<-END
This map allows you to create and manage secrets for repositories in your organization.
Each element in the map is considered a secret to be managed, being the key map the secret name and the value the corresponding secret in plain text:
When applied, a secret with the given key and value will be created in the repositories.
The value of the secrets must be given in plain text, GitHub provider is in charge of encrypting it.
**Attention:** You should treat state as sensitive always. It is also advised that you do not store plaintext values in your code but rather populate the encrypted_value using fields from a resource, data source or variable as, while encrypted in state, these will be easily accessible in your code. See below for an example of this abstraction.
END

Expand All @@ -1157,9 +1181,7 @@ section {
default = {}
description = <<-END
This map allows you to create and manage encrypted secrets for repositories in your organization.
Each element in the map is considered a secret to be managed, being the key map the secret name and the value the corresponding encrypted value of the secret using the Github public key in Base64 format.b
When applied, a secret with the given key and value will be created in the repositories.
END

Expand Down Expand Up @@ -1379,9 +1401,7 @@ section {
title = "Module Versioning"
content = <<-END
This Module follows the principles of [Semantic Versioning (SemVer)].
Given a version number `MAJOR.MINOR.PATCH`, we increment the:
1. `MAJOR` version when we make incompatible changes,
2. `MINOR` version when we add functionality in a backwards compatible manner, and
3. `PATCH` version when we make backwards compatible bug fixes.
Expand All @@ -1401,10 +1421,8 @@ section {
content = <<-END
[Mineiros][homepage] is a remote-first company headquartered in Berlin, Germany
that solves development, automation and security challenges in cloud infrastructure.
Our vision is to massively reduce time and overhead for teams to manage and
deploy production-grade and secure cloud infrastructure.
We offer commercial support for all of our modules and encourage you to reach out
if you have any questions or need help. Feel free to email us at [[email protected]] or join our
[Community Slack channel][slack].
Expand Down Expand Up @@ -1438,10 +1456,8 @@ section {
title = "License"
content = <<-END
[![license][badge-license]][apache20]
This module is licensed under the Apache License Version 2.0, January 2004.
Please see [LICENSE] for full details.
Copyright &copy; 2020-2022 [Mineiros GmbH][homepage]
END
}
Expand Down Expand Up @@ -1541,4 +1557,4 @@ references {
ref "contribution guidelines" {
value = "https://github.com/mineiros-io/terraform-github-repository/blob/main/CONTRIBUTING.md"
}
}
}
4 changes: 0 additions & 4 deletions go.sum
Expand Up @@ -379,7 +379,6 @@ golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8U
golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586 h1:7KByu05hhLed2MO29w7p1XfZvZ13m8mub3shuVftRs0=
golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
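Review bot: these go.sum edits are unrelated to the `security_and_analysis` documentation this commit is about. By the `-379,7 +379,6` header one line is dropped and none added, and the line that differs from its neighbours is the module checksum `golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586 h1:7KByu05hhLed2MO29w7p1XfZvZ13m8mub3shuVftRs0=` (its `/go.mod h1:` companion stays); the `golang.org/x/net` and `gopkg.in/yaml.v2` hunks below follow the same pattern. Pruning unused module hashes is what `go mod tidy` does, and tidy output is the only way go.sum should change: say so in the commit message, or split these into their own commit, so a reviewer can distinguish generated output from a hand-edited integrity record.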
Expand Down Expand Up @@ -424,12 +423,10 @@ golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR
golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 h1:fHDIZ2oxGnUZRN6WgWFCbYBjH9uqVPRCUVUDhs0wnbA=
golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553 h1:efeOvDhwQ29Dj3SdAV/MJf8oukgn+8D8WgaCaRMchF8=
golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
Expand Down Expand Up @@ -579,7 +576,6 @@ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWD
gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=