From bddbebd5edb3a82da23b82cd20d8dfc12f864697 Mon Sep 17 00:00:00 2001
From: julialawrence
Date: Tue, 26 Nov 2024 07:44:22 +0000
Subject: [PATCH 1/2] Validate github teams prior to applying repo access
---
 terraform/github/modules/contributor/data.tf | 4 ++++
 terraform/github/modules/contributor/locals.tf | 5 +++++
 terraform/github/modules/contributor/main.tf | 2 +-
 3 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 terraform/github/modules/contributor/data.tf
 create mode 100644 terraform/github/modules/contributor/locals.tf
diff --git a/terraform/github/modules/contributor/data.tf b/terraform/github/modules/contributor/data.tf
new file mode 100644
index 000000000..4add693b8
--- /dev/null
+++ b/terraform/github/modules/contributor/data.tf
@@ -0,0 +1,4 @@
+# Fetch all teams in the organization
+data "github_organization_teams" "all_teams" {
+ summary_only = true
+}
diff --git a/terraform/github/modules/contributor/locals.tf b/terraform/github/modules/contributor/locals.tf
new file mode 100644
index 000000000..08ffe406b
--- /dev/null
+++ b/terraform/github/modules/contributor/locals.tf
@@ -0,0 +1,5 @@
+locals {
+ all_team_slugs = [
+ for team in data.github_organization_teams.all_teams.teams : team.slug
+ ]
+}
diff --git a/terraform/github/modules/contributor/main.tf b/terraform/github/modules/contributor/main.tf
index 79e9ae34f..eacd3fee2 100644
--- a/terraform/github/modules/contributor/main.tf
+++ b/terraform/github/modules/contributor/main.tf
@@ -1,5 +1,5 @@
 resource "github_team_repository" "main" {
- for_each = { for team in var.application_teams : team => team }
+ for_each = { for team in var.application_teams : team => team if contains(local.all_team_slugs, team)}
 team_id = each.value
 repository = var.repository_id
 permission = "push"
From d7156d96cfd3237ca70b89229edda522c22991a3 Mon Sep 17 00:00:00 2001
From: julialawrence
Date: Tue, 26 Nov 2024 08:02:25 +0000
Subject: [PATCH 2/2] Reimplementing in the calling terraform instead -- within module it overwhelms the API
---
 terraform/github/locals.tf | 17 ++++++++++++++---
 terraform/github/modules/contributor/data.tf | 4 ----
 terraform/github/modules/contributor/locals.tf | 5 -----
 terraform/github/modules/contributor/main.tf | 2 +-
 terraform/github/teams.tf | 2 +-
 5 files changed, 16 insertions(+), 14 deletions(-)
 delete mode 100644 terraform/github/modules/contributor/data.tf
 delete mode 100644 terraform/github/modules/contributor/locals.tf
diff --git a/terraform/github/locals.tf b/terraform/github/locals.tf
index a18b29c42..a1c66055a 100644
--- a/terraform/github/locals.tf
+++ b/terraform/github/locals.tf
@@ -3,6 +3,12 @@ data "http" "environments_file" {
 url = "https://raw.githubusercontent.com/ministryofjustice/modernisation-platform/main/environments/${local.testing_application_name}.json"
 }
+
+# Fetch all teams in the organization
+data "github_organization_teams" "all_teams" {
+ summary_only = true
+}
+
 locals {
 testing_application_name = "testing"
@@ -45,7 +51,7 @@ locals {
 "connormaglynn",
 "richgreen-moj", # Richard Green
 "khatraf", # Khatra Farah
- "sukeshreddyg", # Sukesh Reddy Gade
+ "sukeshreddyg", # Sukesh Reddy Gade
 "mikereiddigital", # Mike Reid
 "Kudzai-moj" # Kudzai Mtoko
 ]
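Review bot: The comment on the new `data "github_organization_teams" "all_teams"` block in the -3,6 hunk only says that it fetches all teams; it should record why the lookup now lives at root and what is consumed from it, since the identical block was just removed from the contributor module for API-load reasons (per the subject line) and only `team.slug` is read from it in `local.all_team_slugs` further down the same file. Suggest `# Fetched once at root (a per-module lookup overwhelmed the API); only .slug is used, via local.all_team_slugs, so summary_only keeps the response minimal`. Worth noting too that a provider token that cannot list the organization's teams will now presumably fail the whole root plan rather than just the contributor modules — confirm that is the intended failure mode. The `data "http"` block whose `url` line opens the hunk starts outside it.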
@@ -71,14 +77,19 @@ locals {
 }, jsondecode(file("../../environments/${file}")))
 ]
- application_sso_group_names = concat(
+ all_team_slugs = [
+ for team in data.github_organization_teams.all_teams.teams : team.slug
+ ]
+
+ application_github_group_names = concat( # intentional rename: this is only applicable to Github teams
 ["all-org-members"],
 distinct(flatten([
 for application in local.environments_json : [
 for environment in application.environments : [
 for access in environment.access : access.sso_group_name
- if application.account-type == "member" && !contains(["modernisation-platform", "modernisation-platform-engineers"], access.sso_group_name)
+ if application.account-type == "member" && !contains(["modernisation-platform", "modernisation-platform-engineers"], access.sso_group_name) &&
+ contains(local.all_team_slugs, access.sso_group_name) # Filter out invalid Github teams (ex. azure-aws-sso-*)
 ]
 ]
 ]))
diff --git a/terraform/github/modules/contributor/data.tf b/terraform/github/modules/contributor/data.tf
deleted file mode 100644
index 4add693b8..000000000
--- a/terraform/github/modules/contributor/data.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-# Fetch all teams in the organization
-data "github_organization_teams" "all_teams" {
- summary_only = true
-}
diff --git a/terraform/github/modules/contributor/locals.tf b/terraform/github/modules/contributor/locals.tf
deleted file mode 100644
index 08ffe406b..000000000
--- a/terraform/github/modules/contributor/locals.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-locals {
- all_team_slugs = [
- for team in data.github_organization_teams.all_teams.teams : team.slug
- ]
-}
diff --git a/terraform/github/modules/contributor/main.tf b/terraform/github/modules/contributor/main.tf
index eacd3fee2..79e9ae34f 100644
--- a/terraform/github/modules/contributor/main.tf
+++ b/terraform/github/modules/contributor/main.tf
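Review bot: The added `contains(local.all_team_slugs, access.sso_group_name)` silently drops every access entry whose name is not an existing team slug, so a misspelt or not-yet-created team loses repository access with no signal in the plan; the comment says it targets `azure-aws-sso-*` entries, but the check cannot tell those apart from typos. Consider computing the rejected names in a sibling local (a `setsubtract` of the unfiltered names against `local.all_team_slugs`) and surfacing them through an output or a `check` block (Terraform 1.5+) so the omission is visible at plan time. Note also that `["all-org-members"]` is concatenated outside the filter, so the existence check does not cover it, and that `contains` is case-sensitive, so a name whose case differs from its slug would be dropped as well — GitHub slugs are lowercase, confirm the JSON values are too. The `# intentional rename: ...` comment describes the commit rather than the value; something like `# GitHub team slugs (not SSO group names) granted contributor access to platform repositories` would age better. The enclosing `locals` block begins and ends outside the hunk.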
@@ -1,5 +1,5 @@
 resource "github_team_repository" "main" {
- for_each = { for team in var.application_teams : team => team if contains(local.all_team_slugs, team)}
+ for_each = { for team in var.application_teams : team => team }
 team_id = each.value
 repository = var.repository_id
 permission = "push"
diff --git a/terraform/github/teams.tf b/terraform/github/teams.tf
index 302dc02ed..08f97ac29 100644
--- a/terraform/github/teams.tf
+++ b/terraform/github/teams.tf
@@ -74,6 +74,6 @@ module "long-term-storage" {
 module "contributor-access" {
 for_each = toset(local.modernisation_platform_repositories)
 source = "./modules/contributor"
- application_teams = local.application_sso_group_names
+ application_teams = local.application_github_group_names # Run only on valid Github teams
 repository_id = each.key
 }
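Review bot: With the `if contains(...)` filter removed, `github_team_repository.main` again grants `push` to every entry of `var.application_teams`, and nothing in the module states that callers must pass only existing team slugs; that contract now lives solely in the root local that the teams.tf hunk wires in (`local.application_github_group_names`). Add a comment above `for_each`, e.g. `# Callers must pass existing GitHub team slugs (root locals.tf filters against github_organization_teams); an unknown slug will presumably fail at apply`, so the next person to reuse the module is not relying on the `# Run only on valid Github teams` remark at one call site. The resource block's closing brace lies outside the hunk.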