resource "github_repository" "repository" {
  # One repository per entry of var.github_repositories: the map key is the
  # repository name, the value carries that repository's settings.
  for_each = var.github_repositories

  name         = each.key
  description  = each.value.description
  homepage_url = each.value.homepage
  topics       = each.value.topics

  # Visibility also gates the security_and_analysis block below, and the
  # branch protection declared elsewhere in this file, so changing it has
  # effects beyond who may read the repository.
  visibility = each.value.visibility

  # Feature toggles.
  has_issues   = each.value.enable_issues
  has_projects = each.value.enable_projects
  has_wiki     = each.value.enable_wiki

  # Allowed merge strategies and squash-merge defaults.
  allow_merge_commit          = each.value.enable_merge_commit
  allow_rebase_merge          = each.value.enable_rebase_merge
  allow_squash_merge          = each.value.enable_squash_merge
  allow_update_branch         = each.value.enable_update_branch
  squash_merge_commit_title   = each.value.squash_merge_commit_title
  squash_merge_commit_message = each.value.squash_merge_commit_message
  delete_branch_on_merge      = each.value.delete_branch_on_merge

  # Secret scanning settings are declared only for public repositories. For
  # any other visibility the block is omitted entirely, so
  # enable_secret_scanning and enable_secret_push_protection are silently
  # ignored there — presumably because these settings are not available on
  # non-public repositories under the account's plan; confirm before relying
  # on the flags for private repositories.
  dynamic "security_and_analysis" {
    for_each = each.value.visibility != "public" ? [] : [each.key]

    content {
      secret_scanning {
        status = each.value.enable_secret_scanning ? "enabled" : "disabled"
      }
      secret_scanning_push_protection {
        status = each.value.enable_secret_push_protection ? "enabled" : "disabled"
      }
    }
  }

  lifecycle {
    # No template block is declared in this resource; ignoring it is presumably
    # there to stop repositories that were created from a template (or
    # imported) from showing a perpetual diff — confirm if the setting is
    # ever removed.
    ignore_changes = [template]
  }
}
resource "github_branch_protection" "branch_protection" {
  # Only public repositories receive a protection rule; the repository map is
  # filtered by visibility so the instance keys match github_repository.
  for_each = {
    for repo_name, repo_cfg in var.github_repositories :
    repo_name => repo_cfg if repo_cfg.visibility == "public"
  }

  # The GraphQL node id of the managed repository; referencing it also orders
  # this resource after the repository has been created.
  repository_id = github_repository.repository[each.key].node_id

  # NOTE(review): the protected branch name is hard-coded. A repository whose
  # default branch is named differently is left unprotected by this rule.
  pattern = "master"

  # Administrators are held to the same rule as everyone else.
  enforce_admins = true

  # A pull request is required, but with an approval count of zero it can be
  # merged without any review — only the PR workflow itself is enforced.
  required_pull_request_reviews {
    required_approving_review_count = 0
  }

  # strict = true requires the branch to be up to date with its base before
  # merging. No contexts are listed here, so this configuration does not
  # require any particular check; contexts are managed outside Terraform and
  # ignored below so they do not produce a diff.
  required_status_checks {
    strict = true
  }

  lifecycle {
    ignore_changes = [required_status_checks[0].contexts]
  }
}
resource "github_repository_vulnerability_alerts" "vulnerability_alerts" {
  # Keyed by repository name so each instance address matches the
  # github_repository it applies to; only repositories that opted in via
  # enable_vulnerability_alerts are included.
  for_each = toset([
    for repo_name, repo_cfg in var.github_repositories :
    repo_name if repo_cfg.enable_vulnerability_alerts
  ])

  # Referencing the managed resource (rather than the bare key) orders this
  # resource after the repository exists.
  repository = github_repository.repository[each.key].name
}
resource "github_repository_dependabot_security_updates" "dependabot_security_updates" {
  # A repository is included only when both flags are set; setting
  # enable_dependabot_security_updates without enable_vulnerability_alerts is
  # silently ignored.
  for_each = toset([
    for repo_name, repo_cfg in var.github_repositories :
    repo_name if repo_cfg.enable_vulnerability_alerts && repo_cfg.enable_dependabot_security_updates
  ])

  repository = github_repository.repository[each.key].name
  enabled    = true

  # Nothing above references the alerts resource, so the ordering is made
  # explicit: alerts are created before security updates are switched on
  # (presumably a GitHub-side prerequisite — confirm against the provider
  # docs before removing).
  depends_on = [github_repository_vulnerability_alerts.vulnerability_alerts]
}
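resource "github_issue_labels" "issue_labels" {
  # Every repository in the map receives the same label set from
  # var.github_issue_labels.
  for_each = var.github_repositories

  # Reference the managed repository instead of the bare map key so that on a
  # fresh apply the labels are created only after the repository exists; the
  # original `repository = each.key` carried no dependency on
  # github_repository. The instance address (keyed by repository name) is
  # unchanged, as is the resulting repository name.
  repository = github_repository.repository[each.key].name

  # NOTE(review): this resource manages the repository's whole label set, so
  # labels present on GitHub but absent from var.github_issue_labels are
  # expected to be removed — confirm against the provider docs before adding
  # labels by hand.
  dynamic "label" {
    for_each = var.github_issue_labels

    content {
      name        = label.key
      color       = label.value.color
      description = label.value.description
    }
  }
}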