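terraform {
  required_providers {
    # Organization/repository management; authenticated with var.github_token
    # in the provider block below.
    github = {
      source  = "integrations/github"
      version = "~> 6.0"
    }
    # Backs the data "local_file" blocks. Declared explicitly so the source and
    # version are pinned instead of relying on Terraform's implicit
    # hashicorp/local fallback for undeclared providers.
    local = {
      source  = "hashicorp/local"
      version = "~> 2.0"
    }
  }
}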
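variable "github_token" {
  type        = string
  description = "GitHub token"
  # Redacts the token from plan/apply output and from error messages that echo
  # configuration values. It is still written to state, so the state backend
  # must be treated as holding this credential.
  sensitive = true
}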
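variable "discord_webhook_url" {
  description = "The Discord webhook URL to send notifications"
  type        = string
  # A Discord webhook URL is a bearer credential: whoever holds it can post to
  # the channel. Redact it from plan/apply output; it is still stored in state.
  sensitive = true
}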
# Configure the GitHub Provider
# Every resource in this file is managed inside the "DevKor-github"
# organization, authenticated with the token passed through var.github_token.
provider "github" {
  token = var.github_token
  owner = "DevKor-github"
}
# Membership inventory next to this module; github_membership below reads the
# "user" and "role" fields of each entry.
data "local_file" "users" {
  filename = "${path.module}/users.json"
}
# Team inventory; github_team below keys on the "name" field of each entry.
data "local_file" "teams" {
  filename = "${path.module}/teams.json"
}
# Repository inventory; github_repository, github_branch, github_branch_default,
# the ruleset and the webhook all iterate over the "name" field of each entry.
data "local_file" "repos" {
  filename = "${path.module}/repos.json"
}
# Team-to-repository grants; github_team_repository below reads the "team",
# "repo" and "permission" fields of each entry.
data "local_file" "repo_permissions" {
  filename = "${path.module}/repo_permissions.json"
}
# Decode the four JSON inventories once; every resource below iterates over
# these lists, so the JSON files are the single source of truth for the org.
locals {
  users            = jsondecode(data.local_file.users.content)
  teams            = jsondecode(data.local_file.teams.content)
  repos            = jsondecode(data.local_file.repos.content)
  repo_permissions = jsondecode(data.local_file.repo_permissions.content)
}
# Organization profile, member privileges and security defaults.
resource "github_organization_settings" "org_settings" {
  # Public profile
  name          = "DevKor"
  company       = "DevKor"
  description   = "고려대학교 SW 프로덕트 학회 DevKor Github Organization"
  blog          = "https://devkor.club"
  location      = "Seoul, Korea"
  email         = "devkor.apply@gmail.com"
  billing_email = "devkor.apply@gmail.com"

  # Projects
  has_organization_projects = true
  has_repository_projects   = true

  # Member privileges: repositories come only from this configuration
  # (repos.json), not from members creating them by hand.
  members_can_create_repositories  = false
  members_can_create_private_pages = false

  # Security defaults for repositories created from now on (per the attribute
  # names); github_repository below additionally enables secret scanning per repo.
  advanced_security_enabled_for_new_repositories               = true
  dependabot_alerts_enabled_for_new_repositories               = true
  dependabot_security_updates_enabled_for_new_repositories     = true
  dependency_graph_enabled_for_new_repositories                = true
  secret_scanning_enabled_for_new_repositories                 = true
  secret_scanning_push_protection_enabled_for_new_repositories = true
}
# Invite users
# One membership per entry in users.json, keyed by login, so adding or removing
# a line in the file adds or removes exactly that membership.
resource "github_membership" "user" {
  for_each = { for u in local.users : u.user => u }

  username = each.key
  # Passed through verbatim from users.json; entries granting "admin" deserve
  # review since the file, not this code, decides who administers the org.
  role = each.value.role
}
# Create teams
# One team per entry in teams.json; the team name doubles as the map key used
# by github_team_repository below.
resource "github_team" "team" {
  for_each = { for t in local.teams : t.name => t }

  name        = each.value.name
  description = "DevKor ${each.value.name} team"
  # "closed": visible to every org member (as opposed to "secret").
  privacy = "closed"
}
# Create 2 repositories per team (one github_repository per entry in repos.json;
# the per-team count is a convention of the file, not enforced here).
resource "github_repository" "repo" {
  for_each = { for r in local.repos : r.name => r }

  name        = each.value.name
  description = "DevKor ${each.value.name} repository"
  # All repositories are public; secret scanning + push protection below is the
  # guard against credentials landing in them.
  visibility = "public"

  # Features
  has_issues       = true
  has_projects     = true
  has_wiki         = true
  has_discussions  = true
  has_downloads    = true
  topics           = ["devkor"]
  license_template = "MIT"

  # Dropping an entry from repos.json archives the repo instead of deleting it.
  archive_on_destroy = true

  # Dependabot vulnerability alerts plus secret scanning with push protection.
  vulnerability_alerts = true
  security_and_analysis {
    secret_scanning {
      status = "enabled"
    }
    secret_scanning_push_protection {
      status = "enabled"
    }
  }
}
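# team - repo permission
# One grant per (team, repo) pair in repo_permissions.json.
resource "github_team_repository" "team_repos" {
  for_each = { for p in local.repo_permissions : "${p.team}:${p.repo}" => p }

  team_id = github_team.team[each.value.team].id
  # Reference the managed repository rather than the bare name: this makes
  # Terraform create the repository before granting access (a plain string
  # carried no ordering), and an entry naming a repo missing from repos.json
  # now fails at plan time instead of at the API.
  repository = github_repository.repo[each.value.repo].name
  # Passed through from the JSON file; "admin" grants in particular should be
  # reviewed there.
  permission = each.value.permission
}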
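# Ensure a "main" branch exists on every managed repository.
resource "github_branch" "main" {
  for_each = { for r in local.repos : r.name => r }

  # Reference the repository resource so the branch is created only after the
  # repository exists; the bare name string gave Terraform no ordering.
  repository = github_repository.repo[each.key].name
  branch     = "main"
  # NOTE(review): the repositories above are created with license_template and
  # are therefore already initialized with a default branch; confirm this
  # resource does not collide with that branch on first apply.
}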
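# Pin "main" as the default branch; the ruleset below targets ~DEFAULT_BRANCH,
# so this is what makes the review rules land on main.
resource "github_branch_default" "default" {
  for_each = { for r in local.repos : r.name => r }

  # Reference the repository and branch resources so the default is switched
  # only after both exist (bare strings carried no ordering).
  repository = github_repository.repo[each.key].name
  branch     = github_branch.main[each.key].branch
}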
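# main branch must have Reviews
# Active ruleset on each repository's default branch. No bypass_actors are
# configured, so the rules bind every actor, repository admins included, until
# a bypass list is deliberately added.
resource "github_repository_ruleset" "review_ruleset" {
  for_each = { for r in local.repos : r.name => r }

  name        = "require_reviews"
  target      = "branch"
  enforcement = "active"
  # Reference the repository resource so the ruleset is applied only after the
  # repository exists.
  repository = github_repository.repo[each.key].name

  conditions {
    ref_name {
      include = ["~DEFAULT_BRANCH"]
      exclude = []
    }
  }

  rules {
    # Required reviews are hollow if the protected branch can simply be
    # force-pushed over or deleted, so block both.
    deletion         = true
    non_fast_forward = true

    pull_request {
      required_approving_review_count = 1
      # A push after approval invalidates it: the latest commit must be approved.
      require_last_push_approval = true
    }
  }
}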
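# PR -> discord webhook
# Forwards pull-request activity on every repository to Discord. No `secret`
# is configured, so GitHub does not sign these deliveries; the webhook URL
# itself is the credential, and it is persisted in Terraform state.
resource "github_repository_webhook" "discord_pr_webhook" {
  for_each = { for r in local.repos : r.name => r }

  # Reference the repository resource so the hook is registered only after the
  # repository exists.
  repository = github_repository.repo[each.key].name

  configuration {
    url          = var.discord_webhook_url
    content_type = "json"
    # Keep TLS certificate verification on for deliveries.
    insecure_ssl = false
  }

  events = ["pull_request", "pull_request_review", "pull_request_review_comment"]
}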