A Terraform module for creating a public or private repository on Github.
This module supports Terraform v1.x and is compatible with the Official Terraform GitHub Provider v4.10 and above from integrations/github
.
Attention: This module is incompatible with the Hashicorp GitHub Provider! The latest version of this module supporting hashicorp/github
provider is ~> 0.10.0
Security related notice: Versions 4.7.0, 4.8.0, 4.9.0 and 4.9.1 of the Terraform Github Provider are deny-listed in version constraints as a regression introduced in 4.7.0 and fixed in 4.9.2 creates public repositories from templates even if visibility is set to private.
- Module Features
- Getting Started
- Module Argument Reference
- Main Resource Configuration
- Extended Resource Configuration
- Repository Creation Configuration
- Teams Configuration
- Collaborator Configuration
- Branches Configuration
- Deploy Keys Configuration
- Branch Protections Configuration
- Issue Labels Configuration
- Projects Configuration
- Webhooks Configuration
- Secrets Configuration
- Autolink References Configuration
- App Installations
- Module Configuration
- Module Outputs
- External Documentation
- Module Versioning
- GitHub as Code
- About Mineiros
- Reporting Issues
- Contributing
- Makefile Targets
- License
In contrast to the plain github_repository
resource this module enables various other
features like Branch Protection or Collaborator Management.
-
Default Security Settings: This module creates a
private
repository by default, Deploy keys areread-only
by default -
Standard Repository Features: Setting basic Metadata, Merge Strategy, Auto Init, License Template, Gitignore Template, Template Repository
-
Extended Repository Features: Branches, Branch Protection, Issue Labels, Handle Github Default Issue Labels, Collaborators, Teams, Deploy Keys, Projects, Repository Webhooks
-
Features not yet implemented: Project Columns support, Actions, Repository File
Most basic usage creating a new private github repository.
module "repository" {
source = "mineiros-io/repository/github"
version = "~> 0.16.0"
name = "terraform-github-repository"
license_template = "apache-2.0"
gitignore_template = "Terraform"
}
provider "github" {}
terraform {
required_version = "~> 1.0"
required_providers {
github = {
source = "integrations/github"
version = "~> 4.0"
}
}
}
See variables.tf and examples/ for details and use-cases.
-
name
: (Requiredstring
)The name of the repository.
-
defaults
: (Optionalobject(defaults)
)A object of default settings to use instead of module defaults for top-level arguments. See below for a list of supported arguments.
This is a special argument to set various defaults to be reused for multiple repositories.
The following top-level arguments can be set as defaults:
homepage_url
,visibility
,has_issues
,has_projects
,has_wiki
,allow_merge_commit
,allow_rebase_merge
,allow_squash_merge
,allow_auto_merge
,has_downloads
,auto_init
,gitignore_template
,license_template
,default_branch
,topics
,issue_labels_create
,issue_labels_merge_with_github_labels
.Module defaults are used for all arguments that are not set in
defaults
. Using top level arguments override defaults set by this argument.Default is
{}
. -
pages
: (Optionalobject(pages)
)A object of settings to configure GitHub Pages in this repository. See below for a list of supported arguments.
Default is
{}
.The
pages
object accepts the following attributes: -
allow_merge_commit
: (Optionalbool
)Set to
false
to disable merge commits on the repository. If you set this tofalse
you have to enable eitherallow_squash_merge
orallow_rebase_merge
.Default is
true
. -
allow_squash_merge
: (Optionalbool
)Set to
true
to enable squash merges on the repository.Default is
false
. -
allow_rebase_merge
: (Optionalbool
)Set to
true
to enable rebase merges on the repository.Default is
false
. -
allow_auto_merge
: (Optionalbool
)Set to
true
to allow auto-merging pull requests on the repository. If you enable auto-merge for a pull request, the pull request will merge automatically when all required reviews are met and status checks have passed.Default is
false
. -
description
: (Optionalstring
)A description of the repository.
Default is
""
. -
delete_branch_on_merge
: (Optionalbool
)Set to
false
to disable the automatic deletion of head branches after pull requests are merged.Default is
true
. -
homepage_url
: (Optionalstring
)URL of a page describing the project.
Default is
""
. -
private
: (Optionalbool
)DEPRECATED: Please use
visibility
instead and update your code. parameter will be removed in a future version -
visibility
: (Optionalstring
)Can be
public
orprivate
. If your organization is associated with an enterprise account using GitHub Enterprise Cloud or GitHub Enterprise Server 2.20+,visibility
can also beinternal
. Thevisibility
parameter overrides the deprecatedprivate
parameter.Default is
"private"
. -
has_issues
: (Optionalbool
)Set to true to enable the GitHub Issues features on the repository.
Default is
false
. -
has_projects
: (Optionalbool
)Set to true to enable the GitHub Projects features on the repository.
Default is
false
. -
has_wiki
: (Optionalbool
)Set to true to enable the GitHub Wiki features on the repository.
Default is
false
. -
has_downloads
: (Optionalbool
)Set to
true
to enable the (deprecated) downloads features on the repository.Default is
false
. -
is_template
: (Optionalbool
)Set to
true
to tell GitHub that this is a template repository.Default is
false
. -
default_branch
: (Optionalstring
)The name of the default branch of the repository. NOTE: The configured default branch must exist in the repository. If the branch doesn't exist yet, or if you are creating a new repository, please add the desired default branch to the
branches
variable, which will cause Terraform to create it for you.Default is
""
. -
archived
: (Optionalbool
)Specifies if the repository should be archived. NOTE: Currently, the API does not support unarchiving.
Default is
false
. -
topics
: (Optionallist(string)
)The list of topics of the repository.
Default is
[]
. -
extra_topics
: (Optionallist(string)
)A list of additional topics of the repository. Those topics will be added to the list of
topics
. This is useful ifdefault.topics
are used and the list should be extended with more topics.Default is
[]
. -
vulnerability_alerts
: (Optionalbool
)Set to
false
to disable security alerts for vulnerable dependencies. Enabling requires alerts to be enabled on the owner level. -
archive_on_destroy
: (Optionalbool
)Set to
false
to not archive the repository instead of deleting on destroy.Default is
true
.
The following four arguments can only be set at repository creation and changes will be ignored for repository updates and will not show a diff in plan or apply phase.
-
auto_init
: (Optionalbool
)Set to
false
to not produce an initial commit in the repository.Default is
true
. -
gitignore_template
: (Optionalstring
)Use the name of the template without the extension.
Default is
""
. -
license_template
: (Optionalstring
)Use the name of the template without the extension.
Default is
""
. -
template
: (Optionalobject(template)
)Use a template repository to create this resource.
Default is
{}
.The
template
object accepts the following attributes:-
owner
: (Requiredstring
)The GitHub organization or user the template repository is owned by.
-
repository
: (Requiredstring
)The name of the template repository.
-
Your can use non-computed (known at terraform plan
) team names or slugs (*_teams
Attributes)
or computed (only known in terraform apply
phase) team IDs (*_team_ids
Attributes).
When using non-computed names/slugs teams need to exist before running plan.
This is due to some terraform limitation and we will update the module once terraform removed this limitation.
-
pull_teams
: (Optionallist(string)
)Can also be
pull_team_ids
. A list of teams to grant pull (read-only) permission. Recommended for non-code contributors who want to view or discuss your project.Default is
[]
. -
triage_teams
: (Optionallist(string)
)Can also be
triage_team_ids
. A list of teams to grant triage permission. Recommended for contributors who need to proactively manage issues and pull requests without write access.Default is
[]
. -
push_teams
: (Optionallist(string)
)Can also be
push_team_ids
. A list of teams to grant push (read-write) permission. Recommended for contributors who actively push to your project.Default is
[]
. -
maintain_teams
: (Optionallist(string)
)Can also be
maintain_team_ids
. A list of teams to grant maintain permission. Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.Default is
[]
. -
admin_teams
: (Optionallist(string)
)Can also be
admin_team_ids
. A list of teams to grant admin (full) permission. Recommended for people who need full access to the project, including sensitive and destructive actions like managing security or deleting a repository.Default is
[]
.
-
pull_collaborators
: (Optionallist(string)
)A list of user names to add as collaborators granting them pull (read-only) permission. Recommended for non-code contributors who want to view or discuss your project.
Default is
[]
. -
triage_collaborators
: (Optionallist(string)
)A list of user names to add as collaborators granting them triage permission. Recommended for contributors who need to proactively manage issues and pull requests without write access.
Default is
[]
. -
push_collaborators
: (Optionallist(string)
)A list of user names to add as collaborators granting them push (read-write) permission. Recommended for contributors who actively push to your project.
Default is
[]
. -
maintain_collaborators
: (Optionallist(string)
)A list of user names to add as collaborators granting them maintain permission. Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
Default is
[]
. -
admin_collaborators
: (Optionallist(string)
)A list of user names to add as collaborators granting them admin (full) permission. Recommended for people who need full access to the project, including sensitive and destructive actions like managing security or deleting a repository.
Default is
[]
.
-
branches
: (Optionallist(branch)
)Create and manage branches within your repository. Additional constraints can be applied to ensure your branch is created from another branch or commit.
Default is
[]
.Each
branch
object in the list accepts the following attributes:-
name
: (Requiredstring
)The name of the branch to create.
-
source_branch
: (Optionalstring
)The branch name to start from. Uses the configured default branch per default.
-
source_sha
: (Optionalbool
)The commit hash to start from. Defaults to the tip of
source_branch
. If provided,source_branch
is ignored.Default is
true
.
-
-
deploy_keys
: (Optionallist(deploy_key)
)Can also be type
list(string)
. Specifies deploy keys and access-level of deploy keys used in this repository. Everystring
in the list will be converted internally into theobject
representation with thekey
argument being set to thestring
.object
details are explained below.Default is
[]
.Each
deploy_key
object in the list accepts the following attributes:-
key
: (Requiredstring
)The SSH public key.
-
title
: (Optionalstring
)A Title for the key. Default is the comment field of SSH public key if it is not empty else it defaults to
md5(key)
. -
read_only
: (Optionalbool
)Specifies the level of access for the key.
Default is
true
. -
id
: (Optionalstring
)Specifies an ID which is used to prevent resource recreation when the order in the list of deploy keys changes. The ID must be unique between
deploy_keys
anddeploy_keys_computed
.Default is
"md5(key)"
.
-
-
deploy_keys_computed
: (Optionallist(deploy_key)
)Can also be type
string
. Same asdeploy_keys
argument with the following differences: Use this argument if you depend on computed keys that terraform can not use in resourcefor_each
execution. Downside of this is the recreation of deploy key resources whenever the order in the list changes. Preferdeploy_keys
whenever possible. This argument does not conflict withdeploy_keys
and should exclusively be used for computed resources.Default is
[]
.Each
deploy_key
object in the list accepts the following attributes:-
key
: (Requiredstring
)The SSH public key.
-
title
: (Optionalstring
)A Title for the key. Default is the comment field of SSH public key if it is not empty else it defaults to
md5(key)
. -
read_only
: (Optionalbool
)Specifies the level of access for the key.
Default is
true
. -
id
: (Optionalstring
)Specifies an ID which is used to prevent resource recreation when the order in the list of deploy keys changes. The ID must be unique between
deploy_keys
anddeploy_keys_computed
.Default is
"md5(key)"
.
-
-
branch_protections_v3
: (Optionallist(branch_protection_v3)
)This resource allows you to configure branch protection for repositories in your organization. When applied, the branch will be protected from forced pushes and deletion. Additional constraints, such as required status checks or restrictions on users and teams, can also be configured.
Default is
[]
.Each
branch_protection_v3
object in the list accepts the following attributes:-
branch
: (Requiredstring
)The Git branch to protect.
-
enforce_admins
: (Optionalbool
)Setting this to true enforces status checks for repository administrators.
Default is
false
. -
require_conversation_resolution
: (Optionalbool
)Setting this to true requires all conversations to be resolved.
Default is
false
. -
require_signed_commits
: (Optionalbool
)Setting this to true requires all commits to be signed with GPG.
Default is
false
. -
required_status_checks
: (Optionalobject(required_status_checks)
)Enforce restrictions for required status checks. See Required Status Checks below for details.
Default is
{}
.The
required_status_checks
object accepts the following attributes: -
required_pull_request_reviews
: (Optionalobject(required_pull_request_reviews)
)Enforce restrictions for pull request reviews.
Default is
{}
.The
required_pull_request_reviews
object accepts the following attributes:-
dismiss_stale_reviews
: (Optionalbool
)Dismiss approved reviews automatically when a new commit is pushed.
Default is
true
. -
dismissal_users
: (Optionallist(string)
)The list of user logins with dismissal access
Default is
[]
. -
dismissal_teams
: (Optionallist(string)
)The list of team slugs with dismissal access. Always use slug of the team, not its name. Each team already has to have access to the repository.
Default is
[]
. -
require_code_owner_reviews
: (Optionalbool
)Require an approved review in pull requests including files with a designated code owner.
Default is
false
.
-
-
restrictions
: (Optionalobject(restrictions)
)Enforce restrictions for the users and teams that may push to the branch - only available for organization-owned repositories. See Restrictions below for details.
Default is
{}
.The
restrictions
object accepts the following attributes:-
users
: (Optionallist(string)
)The list of user logins with push access.
Default is
[]
. -
teams
: (Optionallist(string)
)The list of team slugs with push access. Always use slug of the team, not its name. Each team already has to have access to the repository.
Default is
[]
. -
apps
: (Optionallist(string)
)The list of app slugs with push access.
Default is
[]
.
-
-
-
branch_protections
: (Optionallist(branch_protection_v3)
)DEPRECATED To ensure compatibility with future versions of this module, please use
branch_protections_v3
. This argument is ignored ifbranch_protections_v3
is used. Please seebranch_protections_v3
for supported attributes.Default is
[]
.
-
issue_labels
: (Optionallist(issue_label)
)This resource allows you to create and manage issue labels within your GitHub organization. Issue labels are keyed off of their "name", so pre-existing issue labels result in a 422 HTTP error if they exist outside of Terraform. Normally this would not be an issue, except new repositories are created with a "default" set of labels, and those labels easily conflict with custom ones. This resource will first check if the label exists, and then issue an update, otherwise it will create.
Default is
[]
.Each
issue_label
object in the list accepts the following attributes:-
name
: (Requiredstring
)The name of the label.
-
color
: (Requiredstring
)A 6 character hex code, without the leading
#
, identifying the color of the label. -
description
: (Optionalstring
)A short description of the label.
Default is
""
. -
id
: (Optionalstring
)Specifies an ID which is used to prevent resource recreation when the order in the list of issue labels changes.
Default is
"name"
.
-
-
issue_labels_merge_with_github_labels
: (Optionalbool
)Specify if github default labels will be handled by terraform. This should be decided on upon creation of the repository. If you later decide to disable this feature, github default labels will be destroyed if not replaced by labels set in
issue_labels
argument. -
issue_labels_create
: (Optionalbool
)Specify whether you want to force or suppress the creation of issues labels. Default is
true
ifhas_issues
istrue
orissue_labels
is non-empty.
-
projects
: (Optionallist(project)
)This resource allows you to create and manage projects for GitHub repository.
Default is
[]
.Each
project
object in the list accepts the following attributes:
-
webhooks
: (Optionallist(webhook)
)This resource allows you to create and manage webhooks for repositories in your organization. When applied, a webhook will be created which specifies a URL to receive events and which events to receieve. Additional constraints, such as SSL verification, pre-shared secret and content type can also be configured
Default is
[]
.Each
webhook
object in the list accepts the following attributes:-
events
: (Requiredlist(string)
)A list of events which should trigger the webhook. See a list of available events.
-
url
: (Requiredstring
)The URL to which the payloads will be delivered.
-
active
: (Optionalbool
)Indicate if the webhook should receive events. Defaults to
true
. -
content_type
: (Optionalstring
)The media type used to serialize the payloads. Supported values include
json
andform
.Default is
"form"
. -
secret
: (Optionalstring
)If provided, the
secret
will be used as thekey
to generate the HMAC hex digest value in the X-Hub-Signature header. -
insecure_ssl
: (Optionalbool
)Determines whether the SSL certificate of the host for
url
will be verified when delivering payloads. Supported values include0
(verification is performed) and1
(verification is not performed). The default is0
. We strongly recommend not setting this to1
as you are subject to man-in-the-middle and other attacks.
-
-
plaintext_secrets
: (Optionalmap(string)
)This map allows you to create and manage secrets for repositories in your organization.
Each element in the map is considered a secret to be managed, being the key map the secret name and the value the corresponding secret in plain text:
When applied, a secret with the given key and value will be created in the repositories.
The value of the secrets must be given in plain text, GitHub provider is in charge of encrypting it.
Attention: You should treat state as sensitive always. It is also advised that you do not store plaintext values in your code but rather populate the encrypted_value using fields from a resource, data source or variable as, while encrypted in state, these will be easily accessible in your code. See below for an example of this abstraction.
Default is
{}
.Example:
plaintext_secrets = { SECRET_NAME_1 = "plaintext_secret_value_1" SECRET_NAME_2 = "plaintext_secret_value_2" }
-
encrypted_secrets
: (Optionalmap(string)
)This map allows you to create and manage encrypted secrets for repositories in your organization.
Each element in the map is considered a secret to be managed, being the key map the secret name and the value the corresponding encrypted value of the secret using the Github public key in Base64 format.b
When applied, a secret with the given key and value will be created in the repositories.
Default is
{}
.Example:
encrypted_secrets = { SECRET_NAME_1 = "c2VjcmV0X3ZhbHVlXzE=" SECRET_NAME_2 = "c2VjcmV0X3ZhbHVlXzI=" }
-
required_approving_review_count
: (Optionalnumber
)Require x number of approvals to satisfy branch protection requirements. If this is specified it must be a number between 1-6. This requirement matches Github's API, see the upstream documentation for more information. Default is no approving reviews are required.
-
autolink_references
: (Optionallist(autolink_reference)
)This resource allows you to create and manage autolink references for GitHub repository.
Default is
[]
.Each
autolink_reference
object in the list accepts the following attributes:-
key_prefix
: (Requiredstring
)This prefix appended by a number will generate a link any time it is found in an issue, pull request, or commit.
-
target_url_template
: (Requiredstring
)The template of the target URL used for the links; must be a valid URL and contain
<num>
for the reference number.
-
-
app_installations
: (Optionalset(string)
)A set of GitHub App IDs to be installed in this repository.
Default is
{}
.Example:
app_installations = ["05405144", "12556423"]
-
module_depends_on
: (Optionallist(dependency)
)Due to the fact, that terraform does not offer
depends_on
on modules as of today (v0.12.24) we might hit race conditions when dealing with team names instead of ids. So when using the feature of adding teams by slug/name to the repository when creating it, make sure to add all teams to this list as indirect dependencies.Default is
[]
.
The following attributes are exported by the module:
-
repository
: (object(repository)
)All repository attributes as returned by the
github_repository
resource containing all arguments as specified above and the other attributes as specified below. -
branches
: (object(branches)
)All repository attributes as returned by the [
github_branch
] resource containing all arguments as specified above and the other attributes as specified below. -
full_name
: (string
)A string of the form "orgname/reponame".
-
html_url
: (string
)URL to the repository on the web.
-
ssh_clone_url
: (string
)URL that can be provided to git clone to clone the repository via SSH.
-
http_clone_url
: (string
)URL that can be provided to git clone to clone the repository via HTTPS.
-
git_clone_url
: (string
)URL that can be provided to git clone to clone the repository anonymously via the git protocol.
-
collaborators
: (object(collaborators)
)A map of Collaborator objects keyed by the
name
of the collaborator as returned by thegithub_repository_collaborator
resource. -
deploy_keys
: (object(deploy_keys)
)A merged map of deploy key objects for the keys originally passed via
deploy_keys
anddeploy_keys_computed
as returned by thegithub_repository_deploy_key
resource keyed by the inputid
of the key. -
projects
: (object(project)
)A map of Project objects keyed by the
id
of the project as returned by thegithub_repository_project
resource -
issue_labels
: (object(issue_label)
)A map of issue labels keyed by label input id or name.
-
webhooks
: (object(webhook)
)All attributes and arguments as returned by the
github_repository_webhook
resource. -
secrets
: (object(secret)
)List of secrets available.
-
app_installations
: (set(number)
)A map of deploy app installations keyed by installation id.
- https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository
- https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch
- https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_collaborator
- https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_deploy_key
- https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_project
- https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_autolink_reference
This Module follows the principles of Semantic Versioning (SemVer).
Given a version number MAJOR.MINOR.PATCH
, we increment the:
MAJOR
version when we make incompatible changes,MINOR
version when we add functionality in a backwards compatible manner, andPATCH
version when we make backwards compatible bug fixes.
- Backwards compatibility in versions
0.0.z
is not guaranteed whenz
is increased. (Initial development) - Backwards compatibility in versions
0.y.z
is not guaranteed wheny
is increased. (Pre-release)
GitHub as Code is a commercial solution built on top of our open-source Terraform modules for GitHub. It helps our customers to manage their GitHub organization more efficiently by enabling anyone in their organization to self-service manage on- and offboarding of users, repositories, and settings such as branch protections, secrets, and more through code.
For details please see https://mineiros.io/github-as-code.
Mineiros is a remote-first company headquartered in Berlin, Germany that solves development, automation and security challenges in cloud infrastructure.
Our vision is to massively reduce time and overhead for teams to manage and deploy production-grade and secure cloud infrastructure.
We offer commercial support for all of our modules and encourage you to reach out if you have any questions or need help. Feel free to email us at [email protected] or join our Community Slack channel.
We use GitHub Issues to track community reported issues and missing features.
Contributions are always encouraged and welcome! For the process of accepting changes, we use Pull Requests. If you'd like more information, please see our Contribution Guidelines.
This repository comes with a handy Makefile.
Run make help
to see details on each available target.
This module is licensed under the Apache License Version 2.0, January 2004. Please see LICENSE for full details.
Copyright © 2020-2022 Mineiros GmbH