diff --git a/CHANGELOG.md b/CHANGELOG.md
index 46065d1e..f35b4971 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
+## [0.19.0]
+
+### Added
+
+- Added support for `security_and_analysis`.
+
## [0.18.0]
### Added
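Review bot: the new `## [0.19.0]` entry lists only the `security_and_analysis` support and omits the provider floor that `versions.tf` raises in the same change from `>= 4.20` to `>= 5.9.0`, which is breaking for anyone pinned to a 4.x or early 5.x `integrations/github` provider. Add a `### Changed` line such as `- Minimum supported provider version is now integrations/github >= 5.9.0.` so upgraders learn about it from the changelog rather than from a failing `terraform init`.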
diff --git a/README.md b/README.md
index eed61358..bcb46336 100644
--- a/README.md
+++ b/README.md
@@ -9,11 +9,8 @@
# terraform-github-repository
A [Terraform] module for creating a public or private repository on [Github].
-
**_This module supports Terraform v1.x and is compatible with the Official Terraform GitHub Provider v4.20 and above from `integrations/github`._**
-
**Attention: This module is incompatible with the Hashicorp GitHub Provider! The latest version of this module supporting `hashicorp/github` provider is `~> 0.10.0`**
-
** Note: Versions 5.3.0, 5.4.0, and 5.5.0 of the Terraform Github Provider have broken branch protections support and should not be used.**
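Review bot: deleting the blank lines between the three bold notices (`**_This module supports ...`, `**Attention: ...`, `** Note: ...`) merges them into one rendered Markdown paragraph, so the three warnings run together. The same whitespace-only removals repeat through most hunks of README.md and README.tfdoc.hcl and have nothing to do with the feature; since README.md is generated from README.tfdoc.hcl, regenerate it with the tfdoc version the repository already uses, or split the reflow into its own commit so the feature diff stays reviewable.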
@@ -30,6 +27,7 @@ A [Terraform] module for creating a public or private repository on [Github].
- [Deploy Keys Configuration](#deploy-keys-configuration)
- [Branch Protections v3 Configuration](#branch-protections-v3-configuration)
- [Branch Protections v4 Configuration](#branch-protections-v4-configuration)
+ - [Security And Analysis Configuration](#security-and-analysis-configuration)
- [Issue Labels Configuration](#issue-labels-configuration)
- [Projects Configuration](#projects-configuration)
- [Webhooks Configuration](#webhooks-configuration)
@@ -61,18 +59,15 @@ rollouts** and **rollbacks**. It's a comprehensive, ready-to-use blueprint
maintained by our team of platform engineering experts and saves
companies such as yours tons of time by building on top of a pre-configured
solution instead of building and maintaining it yourself.
-
For details please see [https://mineiros.io/github-as-code][github-as-code].
## Module Features
In contrast to the plain `github_repository` resource this module enables various other
features like Branch Protection or Collaborator Management.
-
- **Default Security Settings**:
This module creates a `private` repository by default,
Deploy keys are `read-only` by default
-
- **Standard Repository Features**:
Setting basic Metadata,
Merge Strategy,
@@ -80,7 +75,6 @@ features like Branch Protection or Collaborator Management.
License Template,
Gitignore Template,
Template Repository
-
- **Extended Repository Features**:
Branches,
Branch Protection,
@@ -91,7 +85,6 @@ features like Branch Protection or Collaborator Management.
Deploy Keys,
Projects,
Repository Webhooks
-
- _Features not yet implemented_:
Project Columns support,
Actions,
@@ -100,12 +93,10 @@ features like Branch Protection or Collaborator Management.
## Getting Started
Most basic usage creating a new private github repository.
-
```hcl
module "repository" {
source = "mineiros-io/repository/github"
version = "~> 0.18.0"
-
name = "terraform-github-repository"
license_template = "apache-2.0"
gitignore_template = "Terraform"
@@ -616,12 +607,9 @@ This is due to some terraform limitation and we will update the module once terr
- [**`branch_protections_v4`**](#var-branch_protections_v4): *(Optional `list(branch_protection_v4)`)*
This resource allows you to configure v4 branch protection for repositories in your organization.
-
Each element in the list is a branch to be protected and the value the corresponding to the desired configuration for the branch.
-
When applied, the branch will be protected from forced pushes and deletion.
Additional constraints, such as required status checks or restrictions on users and teams, can also be configured.
-
**_NOTE:_** May conflict with v3 branch protections if used for the same branch.
Default is `[]`.
@@ -749,6 +737,35 @@ This is due to some terraform limitation and we will update the module once terr
Default is `[]`.
+#### Security And Analysis Configuration
+
+- [**`security_and_analysis`**](#var-security_and_analysis): *(Optional `object(security_and_analysis)`)*
+
+ (Optional) The repository's [security and analysis](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository) configuration.
+ See [Security and Analysis Configuration](#security-and-analysis-configuration) below for details.
+
+ Default is `{}`.
+
+ The `security_and_analysis` object accepts the following attributes:
+
+ - [**`advanced_security`**](#attr-security_and_analysis-advanced_security): *(**Required** `string`)*
+
+ The advanced security configuration for the repository. See [Advanced Security Configuration](#advanced-security-configuration) below for details.
+
+ Default is `"disabled"`.
+
+ - [**`secret_scanning`**](#attr-security_and_analysis-secret_scanning): *(**Required** `string`)*
+
+ The secret scanning configuration for the repository. See [Secret Scanning Configuration](#secret-scanning-configuration) below for details.
+
+ Default is `"disabled"`.
+
+ - [**`secret_scanning_push_protection`**](#attr-security_and_analysis-secret_scanning_push_protection): *(**Required** `string`)*
+
+ The secret scanning push protection configuration for the repository. See [Secret Scanning Push Protection Configuration](#secret-scanning-push-protection-configuration) below for details.
+
+ Default is `"disabled"`.
+
#### Issue Labels Configuration
- [**`issue_labels`**](#var-issue_labels): *(Optional `list(issue_label)`)*
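Review bot: the `See [Security and Analysis Configuration](#security-and-analysis-configuration) below for details` link on the `security_and_analysis` entry points back at the heading it sits under, and the three `#advanced-security-configuration`, `#secret-scanning-configuration` and `#secret-scanning-push-protection-configuration` links target sections this change does not add. Replace the dead cross-references with the accepted values (`"enabled"` and `"disabled"`, as enforced by the validation in variables.tf), and drop the leading `(Optional)` from the description, which duplicates the `*(Optional ...)*` annotation the generator already emits.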
@@ -859,13 +876,9 @@ This is due to some terraform limitation and we will update the module once terr
- [**`plaintext_secrets`**](#var-plaintext_secrets): *(Optional `map(string)`)*
This map allows you to create and manage secrets for repositories in your organization.
-
Each element in the map is considered a secret to be managed, being the key map the secret name and the value the corresponding secret in plain text:
-
When applied, a secret with the given key and value will be created in the repositories.
-
The value of the secrets must be given in plain text, GitHub provider is in charge of encrypting it.
-
**Attention:** You should treat state as sensitive always. It is also advised that you do not store plaintext values in your code but rather populate the encrypted_value using fields from a resource, data source or variable as, while encrypted in state, these will be easily accessible in your code. See below for an example of this abstraction.
Default is `{}`.
@@ -882,9 +895,7 @@ This is due to some terraform limitation and we will update the module once terr
- [**`encrypted_secrets`**](#var-encrypted_secrets): *(Optional `map(string)`)*
This map allows you to create and manage encrypted secrets for repositories in your organization.
-
Each element in the map is considered a secret to be managed, being the key map the secret name and the value the corresponding encrypted value of the secret using the Github public key in Base64 format.b
-
When applied, a secret with the given key and value will be created in the repositories.
Default is `{}`.
@@ -1033,9 +1044,7 @@ The following attributes are exported by the module:
## Module Versioning
This Module follows the principles of [Semantic Versioning (SemVer)].
-
Given a version number `MAJOR.MINOR.PATCH`, we increment the:
-
1. `MAJOR` version when we make incompatible changes,
2. `MINOR` version when we add functionality in a backwards compatible manner, and
3. `PATCH` version when we make backwards compatible bug fixes.
@@ -1049,10 +1058,8 @@ Given a version number `MAJOR.MINOR.PATCH`, we increment the:
[Mineiros][homepage] is a remote-first company headquartered in Berlin, Germany
that solves development, automation and security challenges in cloud infrastructure.
-
Our vision is to massively reduce time and overhead for teams to manage and
deploy production-grade and secure cloud infrastructure.
-
We offer commercial support for all of our modules and encourage you to reach out
if you have any questions or need help. Feel free to email us at [hello@mineiros.io] or join our
[Community Slack channel][slack].
@@ -1074,10 +1081,8 @@ Run `make help` to see details on each available target.
## License
[![license][badge-license]][apache20]
-
This module is licensed under the Apache License Version 2.0, January 2004.
Please see [LICENSE] for full details.
-
Copyright © 2020-2022 [Mineiros GmbH][homepage]
diff --git a/README.tfdoc.hcl b/README.tfdoc.hcl
index 1f75765b..9f40bb3c 100644
--- a/README.tfdoc.hcl
+++ b/README.tfdoc.hcl
@@ -38,11 +38,8 @@ section {
toc = true
content = <<-END
A [Terraform] module for creating a public or private repository on [Github].
-
**_This module supports Terraform v1.x and is compatible with the Official Terraform GitHub Provider v4.20 and above from `integrations/github`._**
-
**Attention: This module is incompatible with the Hashicorp GitHub Provider! The latest version of this module supporting `hashicorp/github` provider is `~> 0.10.0`**
-
** Note: Versions 5.3.0, 5.4.0, and 5.5.0 of the Terraform Github Provider have broken branch protections support and should not be used.**
END
@@ -60,7 +57,6 @@ section {
maintained by our team of platform engineering experts and saves
companies such as yours tons of time by building on top of a pre-configured
solution instead of building and maintaining it yourself.
-
For details please see [https://mineiros.io/github-as-code][github-as-code].
END
}
@@ -70,11 +66,9 @@ section {
content = <<-END
In contrast to the plain `github_repository` resource this module enables various other
features like Branch Protection or Collaborator Management.
-
- **Default Security Settings**:
This module creates a `private` repository by default,
Deploy keys are `read-only` by default
-
- **Standard Repository Features**:
Setting basic Metadata,
Merge Strategy,
@@ -82,7 +76,6 @@ section {
License Template,
Gitignore Template,
Template Repository
-
- **Extended Repository Features**:
Branches,
Branch Protection,
@@ -93,7 +86,6 @@ section {
Deploy Keys,
Projects,
Repository Webhooks
-
- _Features not yet implemented_:
Project Columns support,
Actions,
@@ -105,12 +97,10 @@ section {
title = "Getting Started"
content = <<-END
Most basic usage creating a new private github repository.
-
```hcl
module "repository" {
source = "mineiros-io/repository/github"
version = "~> 0.18.0"
-
name = "terraform-github-repository"
license_template = "apache-2.0"
gitignore_template = "Terraform"
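Review bot: the Getting Started example still pins `version = "~> 0.18.0"`, which can never resolve to a release that knows `security_and_analysis`; bump it to `"~> 0.19.0"` here so the generated copy in README.md follows. The blank line removed inside the `module` block is harmless in HCL but makes the example denser than the surrounding documentation for no reason.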
@@ -796,12 +786,9 @@ section {
default = []
description = <<-END
This resource allows you to configure v4 branch protection for repositories in your organization.
-
Each element in the list is a branch to be protected and the value the corresponding to the desired configuration for the branch.
-
When applied, the branch will be protected from forced pushes and deletion.
Additional constraints, such as required status checks or restrictions on users and teams, can also be configured.
-
**_NOTE:_** May conflict with v3 branch protections if used for the same branch.
END
@@ -970,6 +957,47 @@ section {
}
}
+ section {
+ title = "Security And Analysis Configuration"
+
+ variable "security_and_analysis" {
+ type = object(security_and_analysis)
+ default = {}
+ description = <<-END
+ (Optional) The repository's [security and analysis](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository) configuration.
+ See [Security and Analysis Configuration](#security-and-analysis-configuration) below for details.
+ END
+
+ attribute "advanced_security" {
+ type = string
+ required = true
+ default = "disabled"
+ description = <<-END
+ The advanced security configuration for the repository. See [Advanced Security Configuration](#advanced-security-configuration) below for details.
+ END
+ }
+
+ attribute "secret_scanning" {
+ type = string
+ required = true
+ default = "disabled"
+ description = <<-END
+ The secret scanning configuration for the repository. See [Secret Scanning Configuration](#secret-scanning-configuration) below for details.
+ END
+ }
+
+ attribute "secret_scanning_push_protection" {
+ type = string
+ required = true
+ default = "disabled"
+ description = <<-END
+ The secret scanning push protection configuration for the repository. See [Secret Scanning Push Protection Configuration](#secret-scanning-push-protection-configuration) below for details.
+ END
+ }
+
+ }
+ }
+
section {
title = "Issue Labels Configuration"
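Review bot: the three attributes are declared `required = true` yet carry `default = "disabled"`, and variables.tf types them as `optional(string, "disabled")`, so the generated README will mark `advanced_security`, `secret_scanning` and `secret_scanning_push_protection` as **Required** when they are not. Set `required = false` (or omit it) on each attribute and state the accepted values in the description, e.g. `Accepted values are "enabled" and "disabled".`, instead of linking to sections that do not exist.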
@@ -1134,13 +1162,9 @@ section {
default = {}
description = <<-END
This map allows you to create and manage secrets for repositories in your organization.
-
Each element in the map is considered a secret to be managed, being the key map the secret name and the value the corresponding secret in plain text:
-
When applied, a secret with the given key and value will be created in the repositories.
-
The value of the secrets must be given in plain text, GitHub provider is in charge of encrypting it.
-
**Attention:** You should treat state as sensitive always. It is also advised that you do not store plaintext values in your code but rather populate the encrypted_value using fields from a resource, data source or variable as, while encrypted in state, these will be easily accessible in your code. See below for an example of this abstraction.
END
@@ -1157,9 +1181,7 @@ section {
default = {}
description = <<-END
This map allows you to create and manage encrypted secrets for repositories in your organization.
-
Each element in the map is considered a secret to be managed, being the key map the secret name and the value the corresponding encrypted value of the secret using the Github public key in Base64 format.b
-
When applied, a secret with the given key and value will be created in the repositories.
END
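Review bot: unrelated to this change, but the context line `... using the Github public key in Base64 format.b` keeps a stray trailing `b`; since the paragraph is being reflowed here anyway, drop it in this file (the identical sentence in README.md is generated from it).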
@@ -1379,9 +1401,7 @@ section {
title = "Module Versioning"
content = <<-END
This Module follows the principles of [Semantic Versioning (SemVer)].
-
Given a version number `MAJOR.MINOR.PATCH`, we increment the:
-
1. `MAJOR` version when we make incompatible changes,
2. `MINOR` version when we add functionality in a backwards compatible manner, and
3. `PATCH` version when we make backwards compatible bug fixes.
@@ -1401,10 +1421,8 @@ section {
content = <<-END
[Mineiros][homepage] is a remote-first company headquartered in Berlin, Germany
that solves development, automation and security challenges in cloud infrastructure.
-
Our vision is to massively reduce time and overhead for teams to manage and
deploy production-grade and secure cloud infrastructure.
-
We offer commercial support for all of our modules and encourage you to reach out
if you have any questions or need help. Feel free to email us at [hello@mineiros.io] or join our
[Community Slack channel][slack].
@@ -1438,10 +1456,8 @@ section {
title = "License"
content = <<-END
[![license][badge-license]][apache20]
-
This module is licensed under the Apache License Version 2.0, January 2004.
Please see [LICENSE] for full details.
-
Copyright © 2020-2022 [Mineiros GmbH][homepage]
END
}
@@ -1541,4 +1557,4 @@ references {
ref "contribution guidelines" {
value = "https://github.com/mineiros-io/terraform-github-repository/blob/main/CONTRIBUTING.md"
}
-}
+}
\ No newline at end of file
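Review bot: the last hunk replaces `}` with the same `}` minus its trailing newline (`\ No newline at end of file`), which is an editor artifact rather than an intended edit. Restore the newline so the file ends cleanly and the diff stops showing a spurious change on the closing brace.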
diff --git a/go.sum b/go.sum
index e5e98c0a..e1d8cd33 100644
--- a/go.sum
+++ b/go.sum
@@ -379,7 +379,6 @@ golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8U
golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586 h1:7KByu05hhLed2MO29w7p1XfZvZ13m8mub3shuVftRs0=
golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -424,12 +423,10 @@ golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR
golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 h1:fHDIZ2oxGnUZRN6WgWFCbYBjH9uqVPRCUVUDhs0wnbA=
golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553 h1:efeOvDhwQ29Dj3SdAV/MJf8oukgn+8D8WgaCaRMchF8=
golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
@@ -579,7 +576,6 @@ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWD
gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
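Review bot: the go.sum hunks only drop `h1:` checksum lines for module versions whose `/go.mod` entries remain (for example `golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586` and `gopkg.in/yaml.v2 v2.2.2`), which looks like `go mod tidy` output and is unrelated to the `security_and_analysis` feature. Move it to its own commit, or state in the PR description that it came from tidying with go.mod unchanged, so the dependency change is auditable on its own.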
diff --git a/main.tf b/main.tf
index 587e1bb6..858dc397 100644
--- a/main.tf
+++ b/main.tf
@@ -133,6 +133,22 @@ resource "github_repository" "repository" {
}
}
+ dynamic "security_and_analysis" {
+ for_each = var.security_and_analysis != null ? [true] : []
+
+ content {
+ advanced_security {
+ status = var.security_and_analysis.advanced_security
+ }
+ secret_scanning {
+ status = var.security_and_analysis.secret_scanning
+ }
+ secret_scanning_push_protection {
+ status = var.security_and_analysis.secret_scanning_push_protection
+ }
+ }
+ }
+
lifecycle {
ignore_changes = [
auto_init,
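Review bot: `for_each = var.security_and_analysis != null ? [true] : []` never yields the empty list with the variable as declared, because its default is `{}` rather than `null` and every attribute defaults to `"disabled"`; the block is therefore always rendered with `status = "disabled"` for all three settings. On the first apply after upgrading, every repository managed by this module that currently has secret scanning, push protection or advanced security enabled (set by hand or through an organization default) will have those protections switched off unless the caller also adds an explicit `security_and_analysis` block. Make the feature opt-in: either default the variable to `null` so the `dynamic "security_and_analysis"` block is omitted, or default the attributes to `null` and wrap each of `advanced_security`, `secret_scanning` and `secret_scanning_push_protection` in its own `dynamic` that is only emitted when its status is set; in both cases add a CHANGELOG note so upgraders know to look for unexpected `status: "enabled" -> "disabled"` diffs in their plans.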
diff --git a/variables.tf b/variables.tf
index 7599034c..31c6879c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -373,6 +373,24 @@ variable "branch_protections_v4" {
}
}
+variable "security_and_analysis" {
+ description = "(Optional) Security and analysis configuration block"
+ type = object({
+ advanced_security = optional(string, "disabled")
+ secret_scanning = optional(string, "disabled")
+ secret_scanning_push_protection = optional(string, "disabled")
+ })
+ default = {}
+ validation {
+ condition = alltrue(
+ [
+ for key, value in var.security_and_analysis : contains(["enabled", "disabled"], value)
+ ]
+ )
+ error_message = "Allowed values for security_and_analysis.advanced_security, security_and_analysis.secret_scanning, security_and_analysis.secret_scanning_push_protection are \"disabled\" and \"enabled\""
+ }
+}
+
variable "issue_labels_merge_with_github_labels" {
description = "(Optional) Specify if you want to merge and control githubs default set of issue labels."
type = bool
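Review bot: `optional(string, "disabled")` with a default argument requires Terraform 1.3 or newer, but the README still promises `Terraform v1.x` and this diff does not raise `required_version` in versions.tf; add `required_version = ">= 1.3"` (or drop the defaults and apply them in locals) so users on 1.0 to 1.2 get a clear constraint error instead of a parse failure. The validation also iterates `var.security_and_analysis` unconditionally while main.tf guards against the variable being `null`; if `null` is meant to be accepted, the condition needs the same guard, e.g. `condition = var.security_and_analysis == null || alltrue([for key, value in var.security_and_analysis : contains(["enabled", "disabled"], value)])`.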
diff --git a/versions.tf b/versions.tf
index 01e52ac3..3eaa0f18 100644
--- a/versions.tf
+++ b/versions.tf
@@ -9,7 +9,7 @@ terraform {
required_providers {
github = {
source = "integrations/github"
- version = ">= 4.20, < 6.0"
+ version = ">= 5.9.0, < 6.0"
}
}
}
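Review bot: raising the floor to `>= 5.9.0` contradicts the unchanged README sentence `compatible with the Official Terraform GitHub Provider v4.20 and above from integrations/github`, which this diff leaves in both README.md and README.tfdoc.hcl. Update that sentence in README.tfdoc.hcl to `v5.9 and above`, regenerate README.md, and record the new minimum in the CHANGELOG; the `5.3.0`, `5.4.0` and `5.5.0` warning below it can then be dropped, since those versions are now excluded by the constraint.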