# GITLAB GROUP RESOURCE
# =====================
# LOCAL VARIABLES FOR MEMBERSHIP MANAGEMENT
# ==========================================
locals {
  # Role lists become sets of *string* user IDs because a resource-level
  # for_each only accepts a set of strings (or a map).  Keying each
  # membership by the stringified ID, rather than by list position, means
  # reordering a variable does not destroy and recreate memberships.
  #
  # NOTE(review): nothing here checks that a user ID appears in only one of
  # these lists (or in var.members); an ID present in two lists would yield
  # two gitlab_group_membership resources for the same group/user pair.
  # Verify against the caller how overlaps are meant to be handled.
  owner_set      = toset([for user_id in var.owners : tostring(user_id)])
  maintainer_set = toset([for user_id in var.maintainers : tostring(user_id)])
  developer_set  = toset([for user_id in var.developers : tostring(user_id)])
  reporter_set   = toset([for user_id in var.reporters : tostring(user_id)])
  guest_set      = toset([for user_id in var.guests : tostring(user_id)])
}
# The single GitLab group this module manages.  Every attribute is passed
# through from a module variable of the same name; see variables.tf for
# types, defaults and validation (not visible here).
resource "gitlab_group" "this" {
  # -- Identity --------------------------------------------------------
  name = var.name
  path = var.path

  # -- Basic settings --------------------------------------------------
  description    = var.description
  default_branch = var.default_branch
  parent_id      = var.parent_id # null means a top-level group

  # -- Visibility and access controls ---------------------------------
  # These are the settings that decide who can see and join the group and
  # whether its contents can leave it via sharing or forking.
  visibility_level              = var.visibility_level
  request_access_enabled        = var.request_access_enabled
  membership_lock               = var.membership_lock
  share_with_group_lock         = var.share_with_group_lock
  prevent_forking_outside_group = var.prevent_forking_outside_group

  # -- Who may create projects / subgroups -----------------------------
  project_creation_level  = var.project_creation_level
  subgroup_creation_level = var.subgroup_creation_level

  # -- Email and notifications ----------------------------------------
  emails_enabled             = var.emails_enabled
  mentions_disabled          = var.mentions_disabled
  allowed_email_domains_list = var.allowed_email_domains_list

  # -- Feature toggles --------------------------------------------------
  lfs_enabled         = var.lfs_enabled
  auto_devops_enabled = var.auto_devops_enabled
  wiki_access_level   = var.wiki_access_level

  # -- Shared runners ---------------------------------------------------
  shared_runners_setting             = var.shared_runners_setting
  shared_runners_minutes_limit       = var.shared_runners_minutes_limit
  extra_shared_runners_minutes_limit = var.extra_shared_runners_minutes_limit

  # -- Two-factor authentication ---------------------------------------
  # The grace period is the window members get to enrol before 2FA is
  # enforced; it only matters when enforcement is on.
  require_two_factor_authentication = var.require_two_factor_authentication
  two_factor_grace_period           = var.two_factor_grace_period

  # -- IP allow-list ----------------------------------------------------
  # Only meaningful on top-level groups (parent_id == null); this block
  # does not enforce that, so the provider/API is what rejects a bad
  # combination.
  ip_restriction_ranges = var.ip_restriction_ranges

  # -- Avatar -----------------------------------------------------------
  avatar      = var.avatar
  avatar_hash = var.avatar_hash

  # -- Deletion behaviour (subgroups only) -----------------------------
  permanently_remove_on_delete = var.permanently_remove_on_delete

  # -- Default branch protection ---------------------------------------
  # Emitted once when the variable is set, omitted entirely when it is
  # null, so an unset variable leaves the GitLab default in place.
  dynamic "default_branch_protection_defaults" {
    for_each = var.default_branch_protection_defaults != null ? [var.default_branch_protection_defaults] : []

    content {
      allowed_to_push            = default_branch_protection_defaults.value.allowed_to_push
      allow_force_push           = default_branch_protection_defaults.value.allow_force_push
      allowed_to_merge           = default_branch_protection_defaults.value.allowed_to_merge
      developer_can_initial_push = default_branch_protection_defaults.value.developer_can_initial_push
    }
  }

  # -- Push rules -------------------------------------------------------
  # Same null-means-absent pattern as above.  Every field of the object is
  # forwarded, so the object type in variables.tf must declare all of them
  # (presumably as optional attributes — confirm there).
  dynamic "push_rules" {
    for_each = var.push_rules != null ? [var.push_rules] : []

    content {
      author_email_regex            = push_rules.value.author_email_regex
      branch_name_regex             = push_rules.value.branch_name_regex
      commit_committer_check        = push_rules.value.commit_committer_check
      commit_committer_name_check   = push_rules.value.commit_committer_name_check
      commit_message_negative_regex = push_rules.value.commit_message_negative_regex
      commit_message_regex          = push_rules.value.commit_message_regex
      deny_delete_tag               = push_rules.value.deny_delete_tag
      file_name_regex               = push_rules.value.file_name_regex
      max_file_size                 = push_rules.value.max_file_size
      member_check                  = push_rules.value.member_check
      prevent_secrets               = push_rules.value.prevent_secrets
      reject_non_dco_commits        = push_rules.value.reject_non_dco_commits
      reject_unsigned_commits       = push_rules.value.reject_unsigned_commits
    }
  }
}
# GITLAB GROUP MEMBERSHIP RESOURCES
# ==================================
# Custom members with flexible configuration (supports expiration dates)
# Free-form memberships: each entry carries its own access level and an
# optional expiry, unlike the fixed-role resources below.
# NOTE(review): assumes var.members is a map keyed by a stable label, with
# object values holding user_id / access_level / expires_at — confirm in
# variables.tf.  Nothing prevents a user_id here from also appearing in one
# of the role lists.
resource "gitlab_group_membership" "custom_members" {
  for_each = var.members

  group_id     = gitlab_group.this.id
  user_id      = each.value.user_id
  access_level = each.value.access_level
  expires_at   = each.value.expires_at
}
# Owner members
# Owners: highest privilege in the group.  Keyed by stringified user ID
# (see local.owner_set); tonumber() restores the numeric ID the API wants.
resource "gitlab_group_membership" "owners" {
  for_each = local.owner_set

  group_id     = gitlab_group.this.id
  access_level = "owner"
  user_id      = tonumber(each.value)
}
# Maintainer members
# Maintainers, one resource per ID in local.maintainer_set.
resource "gitlab_group_membership" "maintainers" {
  for_each = local.maintainer_set

  group_id     = gitlab_group.this.id
  access_level = "maintainer"
  user_id      = tonumber(each.value)
}
# Developer members
# Developers, one resource per ID in local.developer_set.
resource "gitlab_group_membership" "developers" {
  for_each = local.developer_set

  group_id     = gitlab_group.this.id
  access_level = "developer"
  user_id      = tonumber(each.value)
}
# Reporter members
# Reporters, one resource per ID in local.reporter_set.
resource "gitlab_group_membership" "reporters" {
  for_each = local.reporter_set

  group_id     = gitlab_group.this.id
  access_level = "reporter"
  user_id      = tonumber(each.value)
}
# Guest members
# Guests, one resource per ID in local.guest_set.  No expiry is set for any
# of the fixed-role memberships; use var.members when one is needed.
resource "gitlab_group_membership" "guests" {
  for_each = local.guest_set

  group_id     = gitlab_group.this.id
  access_level = "guest"
  user_id      = tonumber(each.value)
}