From 5b0ddf5fca81bddb7be58bbeb6a188eacd574856 Mon Sep 17 00:00:00 2001 From: Illia Karenhin Date: Mon, 28 Nov 2022 16:01:29 +0200 Subject: [PATCH] feat: added security_and_analysis block support --- CHANGELOG.md | 6 +++++ README.md | 55 +++++++++++++++++++++------------------ README.tfdoc.hcl | 68 ++++++++++++++++++++++++++++++------------------ go.sum | 4 --- main.tf | 16 ++++++++++++ variables.tf | 18 +++++++++++++ versions.tf | 2 +- 7 files changed, 113 insertions(+), 56 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 46065d1..f35b497 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [0.19.0] + +### Added + +- Added support for `security_and_analysis`. + ## [0.18.0] ### Added diff --git a/README.md b/README.md index eed6135..bcb4633 100644 --- a/README.md +++ b/README.md @@ -9,11 +9,8 @@ # terraform-github-repository A [Terraform] module for creating a public or private repository on [Github]. - **_This module supports Terraform v1.x and is compatible with the Official Terraform GitHub Provider v4.20 and above from `integrations/github`._** - **Attention: This module is incompatible with the Hashicorp GitHub Provider! The latest version of this module supporting `hashicorp/github` provider is `~> 0.10.0`** - ** Note: Versions 5.3.0, 5.4.0, and 5.5.0 of the Terraform Github Provider have broken branch protections support and should not be used.** 
@@ -30,6 +27,7 @@ A [Terraform] module for creating a public or private repository on [Github]. - [Deploy Keys Configuration](#deploy-keys-configuration) - [Branch Protections v3 Configuration](#branch-protections-v3-configuration) - [Branch Protections v4 Configuration](#branch-protections-v4-configuration) + - [Security And Analysis Configuration](#security-and-analysis-configuration) - [Issue Labels Configuration](#issue-labels-configuration) - [Projects Configuration](#projects-configuration) - [Webhooks Configuration](#webhooks-configuration) @@ -61,18 +59,15 @@ rollouts** and **rollbacks**. It's a comprehensive, ready-to-use blueprint maintained by our team of platform engineering experts and saves companies such as yours tons of time by building on top of a pre-configured solution instead of building and maintaining it yourself. - For details please see [https://mineiros.io/github-as-code][github-as-code]. ## Module Features In contrast to the plain `github_repository` resource this module enables various other features like Branch Protection or Collaborator Management. - - **Default Security Settings**: This module creates a `private` repository by default, Deploy keys are `read-only` by default - - **Standard Repository Features**: Setting basic Metadata, Merge Strategy, @@ -80,7 +75,6 @@ features like Branch Protection or Collaborator Management. License Template, Gitignore Template, Template Repository - - **Extended Repository Features**: Branches, Branch Protection, @@ -91,7 +85,6 @@ features like Branch Protection or Collaborator Management. Deploy Keys, Projects, Repository Webhooks - - _Features not yet implemented_: Project Columns support, Actions, 
@@ -100,12 +93,10 @@ features like Branch Protection or Collaborator Management. ## Getting Started Most basic usage creating a new private github repository. - ```hcl module "repository" { source = "mineiros-io/repository/github" version = "~> 0.18.0" - name = "terraform-github-repository" license_template = "apache-2.0" gitignore_template = "Terraform" @@ -616,12 +607,9 @@ This is due to some terraform limitation and we will update the module once terr - [**`branch_protections_v4`**](#var-branch_protections_v4): *(Optional `list(branch_protection_v4)`)* This resource allows you to configure v4 branch protection for repositories in your organization. - Each element in the list is a branch to be protected and the value the corresponding to the desired configuration for the branch. - When applied, the branch will be protected from forced pushes and deletion. Additional constraints, such as required status checks or restrictions on users and teams, can also be configured. - **_NOTE:_** May conflict with v3 branch protections if used for the same branch. Default is `[]`. 
@@ -749,6 +737,35 @@ This is due to some terraform limitation and we will update the module once terr Default is `[]`. +#### Security And Analysis Configuration + +- [**`security_and_analysis`**](#var-security_and_analysis): *(Optional `object(security_and_analysis)`)* + + (Optional) The repository's [security and analysis](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository) configuration. + See [Security and Analysis Configuration](#security-and-analysis-configuration) below for details. + + Default is `{}`. + + The `security_and_analysis` object accepts the following attributes: + + - [**`advanced_security`**](#attr-security_and_analysis-advanced_security): *(**Required** `string`)* + + The advanced security configuration for the repository. See [Advanced Security Configuration](#advanced-security-configuration) below for details. + + Default is `"disabled"`. + + - [**`secret_scanning`**](#attr-security_and_analysis-secret_scanning): *(**Required** `string`)* + + The secret scanning configuration for the repository. See [Secret Scanning Configuration](#secret-scanning-configuration) below for details. + + Default is `"disabled"`. + + - [**`secret_scanning_push_protection`**](#attr-security_and_analysis-secret_scanning_push_protection): *(**Required** `string`)* + + The secret scanning push protection configuration for the repository. See [Secret Scanning Push Protection Configuration](#secret-scanning-push-protection-configuration) below for details. + + Default is `"disabled"`. + #### Issue Labels Configuration - [**`issue_labels`**](#var-issue_labels): *(Optional `list(issue_label)`)* 
@@ -859,13 +876,9 @@ This is due to some terraform limitation and we will update the module once terr - [**`plaintext_secrets`**](#var-plaintext_secrets): *(Optional `map(string)`)* This map allows you to create and manage secrets for repositories in your organization. - Each element in the map is considered a secret to be managed, being the key map the secret name and the value the corresponding secret in plain text: - When applied, a secret with the given key and value will be created in the repositories. - The value of the secrets must be given in plain text, GitHub provider is in charge of encrypting it. - **Attention:** You should treat state as sensitive always. It is also advised that you do not store plaintext values in your code but rather populate the encrypted_value using fields from a resource, data source or variable as, while encrypted in state, these will be easily accessible in your code. See below for an example of this abstraction. Default is `{}`. @@ -882,9 +895,7 @@ This is due to some terraform limitation and we will update the module once terr - [**`encrypted_secrets`**](#var-encrypted_secrets): *(Optional `map(string)`)* This map allows you to create and manage encrypted secrets for repositories in your organization. - Each element in the map is considered a secret to be managed, being the key map the secret name and the value the corresponding encrypted value of the secret using the Github public key in Base64 format.b - When applied, a secret with the given key and value will be created in the repositories. Default is `{}`. 
@@ -1033,9 +1044,7 @@ The following attributes are exported by the module: ## Module Versioning This Module follows the principles of [Semantic Versioning (SemVer)]. - Given a version number `MAJOR.MINOR.PATCH`, we increment the: - 1. `MAJOR` version when we make incompatible changes, 2. `MINOR` version when we add functionality in a backwards compatible manner, and 3. `PATCH` version when we make backwards compatible bug fixes. @@ -1049,10 +1058,8 @@ Given a version number `MAJOR.MINOR.PATCH`, we increment the: [Mineiros][homepage] is a remote-first company headquartered in Berlin, Germany that solves development, automation and security challenges in cloud infrastructure. - Our vision is to massively reduce time and overhead for teams to manage and deploy production-grade and secure cloud infrastructure. - We offer commercial support for all of our modules and encourage you to reach out if you have any questions or need help. Feel free to email us at [hello@mineiros.io] or join our [Community Slack channel][slack]. @@ -1074,10 +1081,8 @@ Run `make help` to see details on each available target. ## License [![license][badge-license]][apache20] - This module is licensed under the Apache License Version 2.0, January 2004. Please see [LICENSE] for full details. - Copyright © 2020-2022 [Mineiros GmbH][homepage] diff --git a/README.tfdoc.hcl b/README.tfdoc.hcl index 1f75765..9f40bb3 100644 --- a/README.tfdoc.hcl +++ b/README.tfdoc.hcl 
@@ -38,11 +38,8 @@ section { toc = true content = <<-END A [Terraform] module for creating a public or private repository on [Github]. - **_This module supports Terraform v1.x and is compatible with the Official Terraform GitHub Provider v4.20 and above from `integrations/github`._** - **Attention: This module is incompatible with the Hashicorp GitHub Provider! The latest version of this module supporting `hashicorp/github` provider is `~> 0.10.0`** - ** Note: Versions 5.3.0, 5.4.0, and 5.5.0 of the Terraform Github Provider have broken branch protections support and should not be used.** END @@ -60,7 +57,6 @@ section { maintained by our team of platform engineering experts and saves companies such as yours tons of time by building on top of a pre-configured solution instead of building and maintaining it yourself. - For details please see [https://mineiros.io/github-as-code][github-as-code]. END } @@ -70,11 +66,9 @@ section { content = <<-END In contrast to the plain `github_repository` resource this module enables various other features like Branch Protection or Collaborator Management. - - **Default Security Settings**: This module creates a `private` repository by default, Deploy keys are `read-only` by default - - **Standard Repository Features**: Setting basic Metadata, Merge Strategy, @@ -82,7 +76,6 @@ section { License Template, Gitignore Template, Template Repository - - **Extended Repository Features**: Branches, Branch Protection, @@ -93,7 +86,6 @@ section { Deploy Keys, Projects, Repository Webhooks - - _Features not yet implemented_: Project Columns support, Actions, @@ -105,12 +97,10 @@ section { title = "Getting Started" content = <<-END Most basic usage creating a new private github repository. - ```hcl module "repository" { source = "mineiros-io/repository/github" version = "~> 0.18.0" - name = "terraform-github-repository" license_template = "apache-2.0" gitignore_template = "Terraform" 
@@ -796,12 +786,9 @@ section { default = [] description = <<-END This resource allows you to configure v4 branch protection for repositories in your organization. - Each element in the list is a branch to be protected and the value the corresponding to the desired configuration for the branch. - When applied, the branch will be protected from forced pushes and deletion. Additional constraints, such as required status checks or restrictions on users and teams, can also be configured. - **_NOTE:_** May conflict with v3 branch protections if used for the same branch. END 
@@ -970,6 +957,47 @@ section { } } + section { + title = "Security And Analysis Configuration" + + variable "security_and_analysis" { + type = object(security_and_analysis) + default = {} + description = <<-END + (Optional) The repository's [security and analysis](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository) configuration. + See [Security and Analysis Configuration](#security-and-analysis-configuration) below for details. + END + + attribute "advanced_security" { + type = string + required = true + default = "disabled" + description = <<-END + The advanced security configuration for the repository. See [Advanced Security Configuration](#advanced-security-configuration) below for details. + END + } + + attribute "secret_scanning" { + type = string + required = true + default = "disabled" + description = <<-END + The secret scanning configuration for the repository. See [Secret Scanning Configuration](#secret-scanning-configuration) below for details. + END + } + + attribute "secret_scanning_push_protection" { + type = string + required = true + default = "disabled" + description = <<-END + The secret scanning push protection configuration for the repository. See [Secret Scanning Push Protection Configuration](#secret-scanning-push-protection-configuration) below for details. + END + } + + } + } + section { title = "Issue Labels Configuration" 
@@ -1134,13 +1162,9 @@ section { default = {} description = <<-END This map allows you to create and manage secrets for repositories in your organization. - Each element in the map is considered a secret to be managed, being the key map the secret name and the value the corresponding secret in plain text: - When applied, a secret with the given key and value will be created in the repositories. - The value of the secrets must be given in plain text, GitHub provider is in charge of encrypting it. - **Attention:** You should treat state as sensitive always. It is also advised that you do not store plaintext values in your code but rather populate the encrypted_value using fields from a resource, data source or variable as, while encrypted in state, these will be easily accessible in your code. See below for an example of this abstraction. END @@ -1157,9 +1181,7 @@ section { default = {} description = <<-END This map allows you to create and manage encrypted secrets for repositories in your organization. - Each element in the map is considered a secret to be managed, being the key map the secret name and the value the corresponding encrypted value of the secret using the Github public key in Base64 format.b - When applied, a secret with the given key and value will be created in the repositories. END @@ -1379,9 +1401,7 @@ section { title = "Module Versioning" content = <<-END This Module follows the principles of [Semantic Versioning (SemVer)]. - Given a version number `MAJOR.MINOR.PATCH`, we increment the: - 1. `MAJOR` version when we make incompatible changes, 2. `MINOR` version when we add functionality in a backwards compatible manner, and 3. `PATCH` version when we make backwards compatible bug fixes. 
@@ -1401,10 +1421,8 @@ section { content = <<-END [Mineiros][homepage] is a remote-first company headquartered in Berlin, Germany that solves development, automation and security challenges in cloud infrastructure. - Our vision is to massively reduce time and overhead for teams to manage and deploy production-grade and secure cloud infrastructure. - We offer commercial support for all of our modules and encourage you to reach out if you have any questions or need help. Feel free to email us at [hello@mineiros.io] or join our [Community Slack channel][slack]. @@ -1438,10 +1456,8 @@ section { title = "License" content = <<-END [![license][badge-license]][apache20] - This module is licensed under the Apache License Version 2.0, January 2004. Please see [LICENSE] for full details. - Copyright © 2020-2022 [Mineiros GmbH][homepage] END } @@ -1541,4 +1557,4 @@ references { ref "contribution guidelines" { value = "https://github.com/mineiros-io/terraform-github-repository/blob/main/CONTRIBUTING.md" } -} +} \ No newline at end of file diff --git a/go.sum b/go.sum index e5e98c0..e1d8cd3 100644 --- a/go.sum +++ b/go.sum @@ -379,7 +379,6 @@ golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586 h1:7KByu05hhLed2MO29w7p1XfZvZ13m8mub3shuVftRs0= golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 
@@ -424,12 +423,10 @@ golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 h1:fHDIZ2oxGnUZRN6WgWFCbYBjH9uqVPRCUVUDhs0wnbA= golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553 h1:efeOvDhwQ29Dj3SdAV/MJf8oukgn+8D8WgaCaRMchF8= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= 
@@ -579,7 +576,6 @@ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWD gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= diff --git a/main.tf b/main.tf index 587e1bb..858dc39 100644 --- a/main.tf +++ b/main.tf @@ -133,6 +133,22 @@ resource "github_repository" "repository" { } } + dynamic "security_and_analysis" { + for_each = var.security_and_analysis != null ? [true] : [] + + content { + advanced_security { + status = var.security_and_analysis.advanced_security + } + secret_scanning { + status = var.security_and_analysis.secret_scanning + } + secret_scanning_push_protection { + status = var.security_and_analysis.secret_scanning_push_protection + } + } + } + lifecycle { ignore_changes = [ auto_init, diff --git a/variables.tf b/variables.tf index 7599034..31c6879 100644 --- a/variables.tf +++ b/variables.tf 
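Review bot: The guard `for_each = var.security_and_analysis != null ? [true] : []` at the top of the new dynamic block only takes the empty branch when a caller passes `null` explicitly, because the variables.tf hunk gives the variable `default = {}` with every attribute defaulting to `"disabled"`; as a result every repository managed by this module version has advanced security, secret scanning and push protection actively set to disabled unless the caller opts in. Repositories that currently have these features enabled (for instance through an organization-level default) would have them switched off on the first apply after upgrading, which is the opposite of the "Default Security Settings" the README advertises. Consider `default = null` on the variable so the block is emitted only when configured, and guard the validation as `condition = var.security_and_analysis == null || alltrue([for key, value in var.security_and_analysis : contains(["enabled", "disabled"], value)])` so the for-expression is never evaluated against null; the same point applies to the variables.tf hunk. The enclosing `github_repository` resource begins before this hunk.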
@@ -373,6 +373,24 @@ variable "branch_protections_v4" { } } +variable "security_and_analysis" { + description = "(Optional) Security and analysis configuration block" + type = object({ + advanced_security = optional(string, "disabled") + secret_scanning = optional(string, "disabled") + secret_scanning_push_protection = optional(string, "disabled") + }) + default = {} + validation { + condition = alltrue( + [ + for key, value in var.security_and_analysis : contains(["enabled", "disabled"], value) + ] + ) + error_message = "Allowed values for security_and_analysis.advanced_security, security_and_analysis.secret_scanning, security_and_analysis.secret_scanning_push_protection are \"disabled\" and \"enabled\"" + } +} + variable "issue_labels_merge_with_github_labels" { description = "(Optional) Specify if you want to merge and control githubs default set of issue labels." type = bool diff --git a/versions.tf b/versions.tf index 01e52ac..3eaa0f1 100644 --- a/versions.tf +++ b/versions.tf @@ -9,7 +9,7 @@ terraform { required_providers { github = { source = "integrations/github" - version = ">= 4.20, < 6.0" + version = ">= 5.9.0, < 6.0" } } }
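Review bot: The `optional(string, "disabled")` form with a default argument requires Terraform 1.3 or newer, but the versions.tf hunk only raises the provider constraint and the `required_version` line is outside these hunks, so a caller on an earlier 1.x release (the README promises "Terraform v1.x") would fail with a type-constraint error at plan time rather than a clear version message. Either raise `required_version` in versions.tf alongside the provider bump, or at least state the requirement in the variable, e.g. `description = "(Optional) Security and analysis configuration block. Requires Terraform >= 1.3 (optional attribute defaults)."`. The README and README.tfdoc.hcl hunks also label the three attributes as Required while this type makes each of them optional with a default; the two should say the same thing. The new `variable` block is fully contained in this hunk.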