
vmvarela/terraform-github-org


GitHub Org Terraform module

A Terraform module for comprehensive GitHub organization management. This module enables Infrastructure as Code (IaC) practices for GitHub organization administration, providing complete control over organization settings, members, teams, and security configurations.

The module offers seamless management of key organizational resources including:

  • Organization settings and profile configuration
  • Member management with role-based access control
  • Team creation and membership administration
  • GitHub Actions organization-level permissions and configuration
  • Secrets and variables management across the organization
  • Security policy enforcement and advanced security features
  • Webhook integration for organization events
  • Custom roles and permissions management
  • Organization-wide project administration
  • Repository creation templates and default settings

Designed for DevOps teams seeking to standardize GitHub organization management through code, this module supports comprehensive governance while maintaining flexibility for organization-specific requirements.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.6 |
| github | >= 6.6.0 |

Providers

| Name | Version |
|------|---------|
| github | >= 6.6.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| sub | vmvarela/suborg/github | n/a |
| webhook | ./modules/webhook | n/a |

Resources

| Name | Type |
|------|------|
| github_actions_organization_secret.encrypted | resource |
| github_actions_organization_secret.plaintext | resource |
| github_actions_organization_variable.this | resource |
| github_actions_runner_group.this | resource |
| github_dependabot_organization_secret.encrypted | resource |
| github_dependabot_organization_secret.plaintext | resource |
| github_organization_block.this | resource |
| github_organization_custom_role.this | resource |
| github_organization_ruleset.this | resource |
| github_organization_settings.this | resource |
| github_organization.this | data source |
| github_organization_teams.this | data source |
| github_repositories.this | data source |

Inputs

Each input is listed as name (type, default, required or not), followed by its description. Complex types are shown as HCL type constraints.

  • billing_email (string, required): Billing email address. This address is not publicized.
  • blocked (set(string), default null): Users blocked from the organization; the module creates and manages the organization blocks.
  • blog (string, default null): URL of the organization blog.
  • company (string, default null): The company name.
  • custom_roles (default null): The list of custom roles of the organization (key: role_name). Type:
    map(object({
      description = optional(string)
      base_role   = string
      permissions = set(string)
    }))
  • default_repository_permission (string, default null): Default permission level members have for organization repositories. Can be one of read, write, admin, or none.
  • defaults (any, default {}): Default repository configuration, applied where a repository does not set its own value.
  • dependabot_copy_secrets (bool, default false): Whether Dependabot uses the same secrets as GitHub Actions (plaintext or encrypted); the module creates a copy of each secret.
  • dependabot_secrets (default {}): The list of Dependabot secrets of the organization (key: secret_name). Type:
    map(object({
      encrypted_value = optional(string, null)
      plaintext_value = optional(string, null)
      visibility      = optional(string, null)
      repositories    = optional(set(string), [])
    }))
  • dependabot_secrets_encrypted (default {}): The list of Dependabot secrets of the organization (key: secret_name); same structure as dependabot_secrets. Type:
    map(object({
      encrypted_value = optional(string, null)
      plaintext_value = optional(string, null)
      visibility      = optional(string, null)
      repositories    = optional(set(string), [])
    }))
  • description (string, default null): The description of the company. The maximum size is 160 characters.
  • email (string, default null): The publicly visible email address.
  • enable_advanced_security (bool, default null): Enable or disable GitHub Advanced Security for new repositories.
  • enable_dependabot_security_updates (bool, default null): Set to true to enable automated security fixes for new repositories.
  • enable_secret_scanning (bool, default null): Enable or disable secret scanning for new repositories.
  • enable_secret_scanning_push_protection (bool, default null): Enable or disable secret scanning push protection for new repositories. If set to true, the repository's visibility must be public or enable_advanced_security must also be true.
  • enable_vulnerability_alerts (bool, default null): true to enable vulnerability alerts for new repositories, false to disable them.
  • enterprise (bool, default false): True if the organization is associated with an enterprise account.
  • has_organization_projects (bool, default null): Whether the organization can use organization projects.
  • has_repository_projects (bool, default null): Whether repositories that belong to the organization can use repository projects.
  • location (string, default null): The location.
  • members_can_create_internal_repositories (bool, default null): Whether organization members can create internal repositories, which are visible to all enterprise members. You can only allow members to create internal repositories if your organization is associated with an enterprise account using GitHub Enterprise Cloud or GitHub Enterprise Server 2.20+.
  • members_can_create_pages (bool, default null): Whether organization members can create GitHub Pages sites. Existing published sites will not be impacted.
  • members_can_create_private_pages (bool, default null): Whether organization members can create private GitHub Pages sites. Existing published sites will not be impacted.
  • members_can_create_private_repositories (bool, default null): Whether organization members can create private repositories, which are visible to organization members with permission.
  • members_can_create_public_pages (bool, default null): Whether organization members can create public GitHub Pages sites. Existing published sites will not be impacted.
  • members_can_create_public_repositories (bool, default null): Whether organization members can create public repositories, which are visible to anyone.
  • members_can_create_repositories (bool, default null): Whether non-admin organization members can create repositories.
  • members_can_fork_private_repositories (bool, default null): Whether organization members can fork private organization repositories.
  • name (string, default null): The shorthand name of the company.
  • organization (string, default null): Organization name.
  • repositories (any, default {}): Repositories managed by the module.
  • rulesets (default {}): Organization rulesets (key: ruleset name). Type:
    map(object({
      enforcement = optional(string, "active")
      rules = optional(object({
        branch_name_pattern = optional(object({
          operator = optional(string)
          pattern  = optional(string)
          name     = optional(string)
          negate   = optional(bool)
        }))
        commit_author_email_pattern = optional(object({
          operator = optional(string)
          pattern  = optional(string)
          name     = optional(string)
          negate   = optional(bool)
        }))
        commit_message_pattern = optional(object({
          operator = optional(string)
          pattern  = optional(string)
          name     = optional(string)
          negate   = optional(bool)
        }))
        committer_email_pattern = optional(object({
          operator = optional(string)
          pattern  = optional(string)
          name     = optional(string)
          negate   = optional(bool)
        }))
        creation         = optional(bool)
        deletion         = optional(bool)
        non_fast_forward = optional(bool)
        pull_request = optional(object({
          dismiss_stale_reviews_on_push     = optional(bool)
          require_code_owner_review         = optional(bool)
          require_last_push_approval        = optional(bool)
          required_approving_review_count   = optional(number)
          required_review_thread_resolution = optional(bool)
        }))
        required_workflows = optional(list(object({
          repository = string
          path       = string
          ref        = optional(string)
        })))
        required_linear_history              = optional(bool)
        required_signatures                  = optional(bool)
        required_status_checks               = optional(map(string))
        strict_required_status_checks_policy = optional(bool)
        tag_name_pattern = optional(object({
          operator = optional(string)
          pattern  = optional(string)
          name     = optional(string)
          negate   = optional(bool)
        }))
        update = optional(bool)
      }))
      target = optional(string, "branch")
      bypass_actors = optional(map(object({
        actor_type  = string
        bypass_mode = string
      })))
      include      = optional(list(string), [])
      exclude      = optional(list(string), [])
      repositories = optional(list(string))
    }))
  • runner_groups (default {}): The list of runner groups of the organization (key: runner_group_name). Type:
    map(object({
      visibility                = optional(string, null)
      workflows                 = optional(set(string))
      repositories              = optional(set(string), [])
      allow_public_repositories = optional(bool)
    }))
  • secrets (default {}): The list of GitHub Actions secrets of the organization (key: secret_name). Type:
    map(object({
      encrypted_value = optional(string, null)
      plaintext_value = optional(string, null)
      visibility      = optional(string, null)
      repositories    = optional(set(string), [])
    }))
  • secrets_encrypted (default {}): The list of GitHub Actions secrets of the organization (key: secret_name); same structure as secrets. Type:
    map(object({
      encrypted_value = optional(string, null)
      plaintext_value = optional(string, null)
      visibility      = optional(string, null)
      repositories    = optional(set(string), [])
    }))
  • settings (any, default {}): Fixed configuration applied to every repository (cannot be overridden per repository).
  • twitter_username (string, default null): The Twitter username of the company.
  • variables (default {}): The list of GitHub Actions variables of the organization (key: variable_name). Type:
    map(object({
      value        = optional(string, null)
      visibility   = optional(string, null)
      repositories = optional(set(string), [])
    }))
  • web_commit_signoff_required (bool, default null): Whether contributors to organization repositories are required to sign off on commits they make through GitHub's web interface.
  • webhooks (any, default {}): The list of webhooks of the organization. See the webhook sub-module for details.
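The following module call is an added example, not code from the repository, showing how the inputs above combine into a hardened baseline: read-only default permission, security features on for new repositories, a scoped Actions secret, a runner group closed to public repositories, and an organization ruleset protecting default branches. The module source is derived from this repository's name; `var.deploy_token` is assumed to be declared elsewhere as a sensitive variable, and all other values are constructed.

```hcl
module "org" {
  # Source derived from the repository name on this page; pin a tag or ref in practice.
  source        = "git::https://github.com/vmvarela/terraform-github-org.git"
  billing_email = "billing@example.com" # constructed value

  # Least privilege for members: read-only by default, no public repo creation, web commits signed off.
  default_repository_permission          = "read"
  members_can_create_public_repositories = false
  web_commit_signoff_required            = true

  # Security features for every new repository. Push protection requires Advanced Security
  # unless the repository is public, so both are enabled together.
  enable_advanced_security               = true
  enable_secret_scanning                 = true
  enable_secret_scanning_push_protection = true
  enable_dependabot_security_updates     = true

  # Secret value comes from a sensitive variable, never from a literal in source control,
  # and is exposed only to the repositories that need it.
  secrets = {
    DEPLOY_TOKEN = {
      plaintext_value = var.deploy_token
      visibility      = "selected"
      repositories    = ["infra"]
    }
  }
  dependabot_copy_secrets = true # Dependabot gets a copy of the same secrets

  # Self-hosted runners must not serve public repositories, where untrusted PR code could run.
  runner_groups = {
    internal = {
      visibility                = "selected"
      repositories              = ["infra"]
      allow_public_repositories = false
    }
  }

  # Organization-wide ruleset: default branches cannot be deleted or force-pushed,
  # commits must be signed, and changes need a fresh approving review.
  rulesets = {
    protect-default-branch = {
      enforcement = "active"
      target      = "branch"
      include     = ["~DEFAULT_BRANCH"]
      rules = {
        deletion            = true
        non_fast_forward    = true
        required_signatures = true
        pull_request = {
          required_approving_review_count = 1
          dismiss_stale_reviews_on_push   = true
        }
      }
    }
  }
}
```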

Outputs

| Name | Description |
|------|-------------|
| id | GitHub organization ID |
| organization | Organization data |
| repositories | All repository IDs |
| teams | Team data |

Authors

Module is maintained by Victor M. Varela.

License

Apache 2 Licensed. See LICENSE for full details.
