terraform-github-organization

A Terraform module that acts as a wrapper around the Terraform GitHub provider and offers a more convenient and tested way to manage GitHub Organizations following best practices.

This module supports Terraform v1.x and is compatible with the Official Terraform GitHub Provider v5.x from integrations/github.

Attention: This module is incompatible with the Hashicorp GitHub Provider! The latest version of this module supporting hashicorp/github provider is ~> 0.6.0

• GitHub as Code
• Module Features
• Getting Started
• Module Argument Reference
  • Top-level Arguments
• Module Outputs
• External Documentation
  • Terraform Github Provider Documentation:
• Module Versioning
  • Backwards compatibility in 0.0.z and 0.y.z version
• About Mineiros
• Reporting Issues
• Contributing
• Makefile Targets
• License

GitHub as Code

GitHub as Code is a commercial solution built on top of our open-source Terraform modules for GitHub. It helps our customers to manage their GitHub organization more efficiently by enabling anyone in their organization to self-service manage on- and offboarding of users, repositories, and settings such as branch protections, secrets, and more through code. GitHub as Code comes with pre-configured GitHub Actions pipelines for change pre-view in Pull Requests, fully automated rollouts and rollbacks. It's a comprehensive, ready-to-use blueprint maintained by our team of platform engineering experts and saves companies such as yours tons of time by building on top of a pre-configured solution instead of building and maintaining it yourself.

For details please see https://mineiros.io/github-as-code.

Module Features

• Standard Module Features: Organization Members, Organization Owners (Admins), Organization Projects, Blocked Users, Manage Organization Settings

• Extended Module Features: Change organization member roles without removing and re-inviting users, Rename projects without recreating (when providing unique ids), No need to import members/admins on first run, Create an all member team that contains every member of your organization

Getting Started

To quickly start managing your GitHub Organization with Terraform:

module "organization" {
  source  = "mineiros-io/organization/github"
  version = "~> 0.9.0"

  all_members_team_name = "Mineiros"

  settings = {
    billing_email                                                = "hello@mineiros.io"
    company                                                      = "Mineiros"
    blog                                                         = "https://blog.mineiros.io"
    email                                                        = "hello@mineiros.io"
    twitter_username                                             = "mineirosio"
    location                                                     = "Berlin"
    name                                                         = "Terraform Tests"
    description                                                  = "This Organization is just used to run some Terraform tests for https://github.com/mineiros-io"
    has_organization_projects                                    = true
    has_repository_projects                                      = true
    default_repository_permission                                = "read"
    members_can_create_repositories                              = false
    members_can_create_public_repositories                       = false
    members_can_create_private_repositories                      = false
    members_can_create_internal_repositories                     = false
    members_can_create_pages                                     = false
    members_can_create_public_pages                              = false
    members_can_create_private_pages                             = false
    members_can_fork_private_repositories                        = false
    web_commit_signoff_required                                  = false
    advanced_security_enabled_for_new_repositories               = false
    dependabot_alerts_enabled_for_new_repositories               = false
    dependabot_security_updates_enabled_for_new_repositories     = false
    dependency_graph_enabled_for_new_repositories                = false
    secret_scanning_enabled_for_new_repositories                 = false
    secret_scanning_push_protection_enabled_for_new_repositories = false
  }

  members = [
    "a-user",
    "b-user",
  ]

  admins = [
    "a-admin",
  ]

  blocked_users = [
    "blocked-user",
    "another-blocked-user",
  ]

  projects = [
    {
      id   = "project-a"
      name = "A Great Project"
      body = "This is a project created by Terraform"
    }
  ]
}

provider "github" {}

terraform {
  required_version = "~> 1.0"

  required_providers {
    github = {
      source  = "integrations/github"
      version = "~> 4.0"
    }
  }
}

Module Argument Reference

See variables.tf and examples/ for details and use-cases.

Top-level Arguments

• settings: (Optional object(settings))

  A map of settings for the GitHub organization.

  Default is {"fixed_response":{"content_type":"plain/text","message_body":"Nothing to see here!","status_code":418}}.

  The settings object accepts the following attributes:

  • billing_email: (Required string)

  The billing email address for the organization.

  • email: (Optional string)

  The email address for the organization.

  • name: (Optional string)

  The name for the organization.

  • description: (Optional string)

  The description for the organization.

  • company_name: (Optional string)

  The company name for the organization.

  • blog: (Optional string)

  The blog URL for the organization.

  • twitter_username: (Optional string)

  The Twitter username for the organization.

  • location: (Optional string)

  The location for the organization.

  • has_organization_projects: (Optional bool)

  Whether or not organization projects are enabled for the organization.

  Default is true.

  • has_repository_projects: (Optional bool)

  Whether or not repository projects are enabled for the organization.

  Default is true.

  • default_repository_permission: (Optional string)

  The default permission for organization members to create new repositories. Can be one of read, write, admin, or none.

  • members_can_create_repositories: (Optional bool)

  Whether or not organization members can create new repositories.

  Default is false.

  • members_can_create_public_repositories: (Optional bool)

  Whether or not organization members can create new public repositories.

  Default is true.

  • members_can_create_private_repositories: (Optional bool)

  Whether or not organization members can create new private repositories.

  Default is false.

  • members_can_create_internal_repositories: (Optional bool)

  Whether or not organization members can create new internal repositories. For Enterprise Organizations only.

  Default is false.

  • members_can_create_pages: (Optional bool)

  Whether or not organization members can create new pages.

  Default is false.

  • members_can_create_public_pages: (Optional bool)

  Whether or not organization members can create new public pages.

  Default is false.

  • members_can_fork_private_repositories: (Optional bool)

  Whether or not organization members can fork private repositories.

  Default is false.

  • web_commit_signoff_required: (Optional bool)

  Whether or not commit signatures are required for commits to the organization.

  Default is false.

  • advanced_security_enabled_for_new_repositories: (Optional bool)

  Whether or not advanced security is enabled for new repositories.

  Default is false.

  • dependabot_alerts_enabled_for_new_repositories: (Optional bool)

  Whether or not dependabot alerts are enabled for new repositories.

  Default is false.

  • dependabot_security_updates_enabled_for_new_repositories: (Optional bool)

  Whether or not dependabot security updates are enabled for new repositories.

  Default is false.

  • dependency_graph_enabled_for_new_repositories: (Optional bool)

  Whether or not dependency graph is enabled for new repositories.

  Default is false.

  • secret_scanning_enabled_for_new_repositories: (Optional bool)

  Whether or not secret scanning is enabled for new repositories.

  Default is false.

  • secret_scanning_push_protection_enabled_for_new_repositories: (Optional bool)

  Whether or not secret scanning push protection is enabled for new repositories.

  Default is false.

• blocked_users: (Optional set(string))

  A list of usernames to be blocked from a GitHub organization.

  Default is [].

  Example:

  blocked_users = [
  "blocked-user"
  ]

• members: (Optional set(string))

  A list of users to be added to your organization with member role. When applied, an invitation will be sent to the user to become part of the organization. When destroyed, either the invitation will be cancelled or the user will be removed.

  Default is [].

  Example:

  members = [
  "admin",
  "another-admin"
  ]

• admins: (Optional set(string))

  A list of users to be added to your organization with admin role. When applied, an invitation will be sent to the user to become part of the organization. When destroyed, either the invitation will be cancelled or the user will be removed.

  Default is [].

  Example:

  admins = [
  "admin",
  "another-admin"
  ]

• projects: (Optional list(project))

  Create and manage projects for the GitHub organization.

  Default is [].

  Example:

  projects = [
  {
    name   = "Test Project"
    body   = "This is a test project created by Terraform"
  },
  {
    name   = "Test Project without a body"
  }
  ]

• all_members_team_name: (Optional string)

  The name of the team that contains all members of the organization.

• all_members_team_visibility: (Optional string)

  The level of privacy for the team. Must be one of secret or closed.

  Default is "secret".

• catch_non_existing_members: (Optional bool)

  Validates if the list of GitHub users are existing users on every run. Use carefully as it will trigger one additional API call for every given user on every iteration.

  Default is false.

Module Outputs

The following attributes are exported by the module:

• blocked_users: (set(string))

  A list of github_organization_block resource objects that describe all users that are blocked by the organization.

• memberships: (list(membership))

  A list of github_membership resource objects that describe all members of the organization.

• projects: (list(project))

  A list of github_organization_project resource objects that describe all projects of the organization.

• all_members_team: (object(all_members_team))

  The outputs of the all members team that contains all members of your organization.

• settings: (object(all_members_team))

  The outputs of the organization settings.

External Documentation

Terraform Github Provider Documentation:

• https://www.terraform.io/docs/providers/github/index.html

Module Versioning

This Module follows the principles of Semantic Versioning (SemVer).

Given a version number MAJOR.MINOR.PATCH, we increment the:

1. MAJOR version when we make incompatible changes,
2. MINOR version when we add functionality in a backwards compatible manner, and
3. PATCH version when we make backwards compatible bug fixes.

Backwards compatibility in 0.0.z and 0.y.z version

• Backwards compatibility in versions 0.0.z is not guaranteed when z is increased. (Initial development)
• Backwards compatibility in versions 0.y.z is not guaranteed when y is increased. (Pre-release)

About Mineiros

Mineiros is a DevOps as a Service company based in Berlin, Germany. We offer commercial support for all of our projects and encourage you to reach out if you have any questions or need help. Feel free to send us an email at hello@mineiros.io or join our Community Slack channel.

We can also help you with:

• Terraform modules for all types of infrastructure such as VPCs, Docker clusters, databases, logging and monitoring, CI, etc.
• Consulting & training on AWS, Terraform and DevOps

Reporting Issues

We use GitHub Issues to track community reported issues and missing features.

Contributing

Contributions are always encouraged and welcome! For the process of accepting changes, we use Pull Requests. If you'd like more information, please see our Contribution Guidelines.

Makefile Targets

This repository comes with a handy Makefile. Run make help to see details on each available target.

License

This module is licensed under the Apache License Version 2.0, January 2004. Please see LICENSE for full details.

Copyright © 2021-2022 Mineiros GmbH