From f414126fec273e4d023ea23bb6959675d173e3f0 Mon Sep 17 00:00:00 2001
From: Gus Narea
Date: Tue, 10 Sep 2024 17:32:44 +0100
Subject: [PATCH] feat: Initial commit
---
.github/dependabot.yml | 9 +++++++
.github/workflows/ci.yml | 12 +++++++++
.github/workflows/prs.yml | 12 +++++++++
.gitignore | 1 +
.releaserc.yml | 5 ++++
.terraform.lock.hcl | 25 ++++++++++++++++++
LICENSE | 21 +++++++++++++++
README.md | 16 ++++++++++--
locals.tf | 4 +++
main.tf | 55 +++++++++++++++++++++++++++++++++++++++
outputs.tf | 3 +++
providers.tf | 10 +++++++
variables.tf | 20 ++++++++++++++
13 files changed, 191 insertions(+), 2 deletions(-)
create mode 100644 .github/dependabot.yml
create mode 100644 .github/workflows/ci.yml
create mode 100644 .github/workflows/prs.yml
create mode 100644 .gitignore
create mode 100644 .releaserc.yml
create mode 100644 .terraform.lock.hcl
create mode 100644 LICENSE
create mode 100644 locals.tf
create mode 100644 main.tf
create mode 100644 outputs.tf
create mode 100644 providers.tf
create mode 100644 variables.tf
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..fe38f98
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,9 @@
+version: 2
+updates:
+- package-ecosystem: terraform
+ directory: "/"
+ schedule:
+ interval: weekly
+ commit-message:
+ prefix: "fix(deps):"
+ prefix-development: "chore(deps):"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..9730120
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,12 @@
+name: CI and releases
+on:
+ pull_request:
+ push:
+ branches: [main]
+
+jobs:
+ ci:
+ uses: relaycorp/shared-workflows/.github/workflows/tfmodule-ci.yml@main
+ release:
+ needs: ci
+ uses: relaycorp/shared-workflows/.github/workflows/tfmodule-release.yml@main
diff --git a/.github/workflows/prs.yml b/.github/workflows/prs.yml
new file mode 100644
index 0000000..d2f704b
--- /dev/null
+++ b/.github/workflows/prs.yml
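Review bot: The `updates` list in .github/dependabot.yml covers only the `terraform` ecosystem, so the reusable-workflow references in .github/workflows/ci.yml and prs.yml are not tracked by Dependabot at all. A second entry with `package-ecosystem: github-actions`, the same `directory: "/"` and the weekly schedule would let it propose updates for those references once they are pinned to a tag or commit rather than a branch.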
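Review bot: Both `uses:` lines in .github/workflows/ci.yml point at `relaycorp/shared-workflows` through the mutable ref `@main`, and the `pr-ci` job in .github/workflows/prs.yml does the same, so any push to that branch changes what this repository's CI and release jobs execute without a reviewable change here. Pinning each reference to a full commit SHA, in the form `uses: relaycorp/shared-workflows/.github/workflows/tfmodule-release.yml@FULL_COMMIT_SHA` (placeholder, not a real value), fixes the executed code to something that was reviewed. Neither caller declares a `permissions:` block, so the token scope handed to the called workflows falls back to the repository default; a top-level `permissions:` with `contents: read`, widened only on the `release` job, would bound it. Whether `release` is skipped on `pull_request` events is decided inside the called workflow and is not visible in this hunk.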
@@ -0,0 +1,12 @@
+name: Process PRs
+
+on:
+ pull_request:
+ types:
+ - opened
+ - edited
+ - synchronize
+
+jobs:
+ pr-ci:
+ uses: relaycorp/shared-workflows/.github/workflows/pr-ci.yml@main
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3fa8c86
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.terraform
diff --git a/.releaserc.yml b/.releaserc.yml
new file mode 100644
index 0000000..506f704
--- /dev/null
+++ b/.releaserc.yml
@@ -0,0 +1,5 @@
+branches: [main]
+plugins:
+ - "@semantic-release/commit-analyzer"
+ - "@semantic-release/release-notes-generator"
+ - "@semantic-release/github"
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
new file mode 100644
index 0000000..b10e64b
--- /dev/null
+++ b/.terraform.lock.hcl
@@ -0,0 +1,25 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/integrations/github" {
+ version = "6.2.3"
+ constraints = ">= 6.0.0, < 7.0.0"
+ hashes = [
+ "h1:nHTegsQYYUJZbaTnU1aMJBgnZUbR2zsfCl7DsL/kZjQ=",
+ "zh:05874671652a260b12d784cc46b0eea156f493a5f12e00368d1f6cb319156257",
+ "zh:0c7a3cae5a66e5c5efc3b25ba646a0d46bfe1fd3edba1f5a75f51aede85a9d1b",
+ "zh:174310010d08f13e36e53ff18e44a21dd040c89884ef190a192c6ce27926a912",
+ "zh:23d1d8731e518354ce6a83419f49101aece63882b0ca7c489f3c598cc6ea5d5e",
+ "zh:4e88953816daf11ab1681c32c7988d4e29476fc44f0959fe03173532cf5044de",
+ "zh:6fab07734ccf27f5afee4442abae2d33245eabf35519032ce1e2aad6961a640a",
+ "zh:7b2f324b918e161c892c29ee80d36c48ca8b891b8047e132fc701ca741e5ae72",
+ "zh:8ef4f0d691ade98082ef1f6b36e556468e5ab26e60021f0de0fb22e3acdfd990",
+ "zh:8f0f3e139faa8f2b9075bb9978dd683f4bab5ac91171bbb969addd04d7f0b90f",
+ "zh:97cb6d7fdf640237cc2f0ab830db8f878770968c59fd28298e9dddb8b9e6294d",
+ "zh:a17038d8747c6bb660e4c5981e8ffbbc33c66ba164868fd35d442e7f828a1e01",
+ "zh:aa9f4b7d947f7b11277b4e9ba7147f5594cf60a6589b7aac4344f73d1400d1c0",
+ "zh:c780b951e14d583ef6ffef9a934831b56ee157c50ed8e969c676a636810f7db1",
+ "zh:d8497bb2986fd76107b7208b33cc39281797164fdea09453e987b969a461befb",
+ "zh:fbd1fee2c9df3aa19cf8851ce134dea6e45ea01cb85695c1726670c285797e25",
+ ]
+}
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..bc443af
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021-2024 Relaycorp
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
index bf39e72..c0d825a 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,14 @@
-# terraform-github-closed-source
-Terraform module for closed source projects by Relaycorp
+# Terraform module for closed source projects by Relaycorp
+
+This module is used by the Relaycorp team to manage their closed source projects.
+
+See also the [open source project module](https://github.com/relaycorp/terraform-github-oss-project).
+
+## Third-party contributions
+
+Since this module is meant to be 100% specific to Relaycorp,
+we will only accept bug fixes from third parties.
+New features won't be accepted.
+If you see anything you like here,
+feel free to use it under the terms of the [licence](https://github.com/relaycorp/terraform-github-oss-project/blob/main/LICENSE).
+Backwards compatibility isn't guaranteed.
diff --git a/locals.tf b/locals.tf
new file mode 100644
index 0000000..020a93b
--- /dev/null
+++ b/locals.tf
@@ -0,0 +1,4 @@
+locals {
+ // Work around https://github.com/integrations/terraform-provider-github/issues/1009
+ github_actions_app_node_id = "MDM6QXBwMTUzNjg=" // https://api.github.com/apps/github-actions
+}
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..cdd7fc1
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,55 @@
+resource "github_repository" "main" {
+ name = var.name
+ description = var.description
+ homepage_url = var.homepage_url
+ visibility = "private"
+
+ // PR merging
+ allow_merge_commit = false
+ allow_rebase_merge = false
+ squash_merge_commit_title = "PR_TITLE"
+ squash_merge_commit_message = "PR_BODY"
+ allow_auto_merge = true
+ delete_branch_on_merge = true
+
+ has_issues = false
+ has_discussions = false
+ has_downloads = false
+ auto_init = true
+
+ vulnerability_alerts = true
+
+ lifecycle {
+ // Prevent imported repos from being recreated
+ ignore_changes = [auto_init]
+ }
+}
+
+resource "github_branch_protection" "main" {
+ repository_id = github_repository.main.node_id
+ pattern = "main"
+
+ required_linear_history = true
+ require_conversation_resolution = true
+
+ required_status_checks {
+ strict = true
+ contexts = concat(
+ var.support_releases ? ["pr-ci / semantic-pr-title", "release / release"] : [],
+ var.ci_contexts,
+ ["license/cla"]
+ )
+ }
+
+ required_pull_request_reviews {
+ dismiss_stale_reviews = true
+ required_approving_review_count = 1
+ }
+
+ restrict_pushes {
+ blocks_creations = true
+ push_allowances = [
+ local.github_actions_app_node_id, # Allow @semantic-release/github to create GH releases
+ ]
+ }
+}
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..1d55f32
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,3 @@
+output "name" {
+ value = var.name
+}
diff --git a/providers.tf b/providers.tf
new file mode 100644
index 0000000..efb5003
--- /dev/null
+++ b/providers.tf
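Review bot: In main.tf, `github_branch_protection.main` leaves `enforce_admins` unset, and the provider defaults it to false, so repository administrators are exempt from the linear-history, status-check and review requirements this block defines. Adding `enforce_admins = true` next to `required_linear_history` closes that bypass. Inside `required_pull_request_reviews`, `require_last_push_approval = true` is also worth considering, so that with a single required approval the most recent push has to be approved by someone other than the person who pushed it. A short comment on `restrict_pushes` stating that the GitHub Actions app is the only listed pusher, and why, would help whoever later audits who can write to `main`.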
@@ -0,0 +1,10 @@
+terraform {
+ required_providers {
+ github = {
+ source = "integrations/github"
+ version = ">= 6.0.0, < 7.0.0"
+ }
+ }
+
+ required_version = ">= 1.5.0"
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..4bfda5f
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,20 @@
+variable "name" {
+ description = "GitHub project name"
+}
+variable "description" {
+ description = "GitHub project description"
+}
+variable "homepage_url" {
+ default = ""
+ description = "GitHub project homepage"
+}
+variable "ci_contexts" {
+ default = []
+ type = list(string)
+ description = "Required CI contexts for PRs to merged in the main branch"
+}
+
+variable "support_releases" {
+ default = true
+ description = "Whether the project uses Semantic Releases"
+}
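Review bot: `name`, `description`, `homepage_url` and `support_releases` in variables.tf declare no `type`, so a wrongly typed value is caught late or not at all; `support_releases` in particular decides which status checks main.tf makes mandatory. Declaring `type = string` on the first three and `type = bool` on `support_releases` makes a bad value fail at plan time, as `ci_contexts` already does with `list(string)`. The `ci_contexts` description also reads "for PRs to merged"; `description = "Required CI contexts for PRs to be merged into the main branch"` would fix it.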