Skip to content

Commit

Permalink
Add branch protection module (feat)
Browse files Browse the repository at this point in the history
  • Loading branch information
lukiffer committed Jan 2, 2023
1 parent 16b981a commit bcf78f8
Show file tree
Hide file tree
Showing 4 changed files with 184 additions and 0 deletions.
21 changes: 21 additions & 0 deletions main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,27 @@ resource "github_branch_default" "default" {
branch = var.default_branch
}

# ---------------------------------------------------------------------------------------------------------------------
# CONFIGURE PROTECTION FOR THE DEFAULT BRANCH
# ---------------------------------------------------------------------------------------------------------------------

module "default_branch_protection" {
source = "./modules/branch-protection"

repository_id = github_repository.repo.id
pattern = var.default_branch

enforce_admins = var.branch_protection_enforce_admins
required_status_checks = var.branch_protection_required_status_checks
strict = var.branch_protection_strict
dismiss_stale_reviews = var.dismiss_stale_reviews
require_code_owner_reviews = var.require_code_owner_reviews
require_signed_commits = var.require_signed_commits
push_restrictions = var.push_restrictions
review_dismissal_restrictions = var.review_dismissal_restrictions
required_approving_review_count = var.required_approving_review_count
}

# ---------------------------------------------------------------------------------------------------------------------
# GRANT READ (PULL) ACCESS TO TEAMS
# ---------------------------------------------------------------------------------------------------------------------
Expand Down
38 changes: 38 additions & 0 deletions modules/branch-protection/main.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# DEPLOY A GITHUB REPOSITORY WITH DEFAULT SETTINGS
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

terraform {
required_version = ">= 0.12.26"

required_providers {
github = {
source = "integrations/github"
version = ">= 5.12.0"
}
}
}

# ---------------------------------------------------------------------------------------------------------------------
# CREATE THE BRANCH PROTECTION RULE
# ---------------------------------------------------------------------------------------------------------------------

resource "github_branch_protection" "branch_protection_rule" {
repository_id = var.repository_id
pattern = var.pattern
enforce_admins = var.enforce_admins
require_signed_commits = var.require_signed_commits
push_restrictions = var.push_restrictions

required_status_checks {
strict = var.strict
contexts = var.required_status_checks
}

required_pull_request_reviews {
dismiss_stale_reviews = var.dismiss_stale_reviews
require_code_owner_reviews = var.require_code_owner_reviews
dismissal_restrictions = var.review_dismissal_restrictions
required_approving_review_count = var.required_approving_review_count
}
}
71 changes: 71 additions & 0 deletions modules/branch-protection/variables.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
# ---------------------------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ---------------------------------------------------------------------------------------------------------------------

variable "repository_id" {
description = "The ID of the repository in which this branch protection rule will be created."
type = string
}

variable "pattern" {
description = "The pattern identifying branches to which this protection rule will apply."
type = string
}

# ---------------------------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ---------------------------------------------------------------------------------------------------------------------

variable "enforce_admins" {
description = "Setting this to true enforces status checks for repository administrators. In general this should be false to allow admins and service accounts to reconcile branches after a release without creating trailing merge commits -- branches would never be current with one another."
type = bool
default = true
}

variable "required_status_checks" {
description = "A list of status checks (contexts) that must pass before a branch can be merged into the protected branch."
type = set(string)
default = []
}

variable "strict" {
description = "Setting this to true enforces that a branch be current with the base branch before merging."
type = bool
default = true
}

variable "dismiss_stale_reviews" {
description = "Dismiss approved reviews automatically when a new commit is pushed."
type = bool
default = true
}

variable "require_code_owner_reviews" {
description = "Whether or not an approval is required from code owners to merge a pull request."
type = bool
default = true
}

variable "require_signed_commits" {
description = "Requires all commits in the branch to be signed with GPG."
type = bool
default = true
}

variable "push_restrictions" {
description = "A list of actor IDs that are explicitly permitted to push to the branch. Admins have this capability if `enforce_admins` is false."
type = set(string)
default = []
}

variable "review_dismissal_restrictions" {
description = "The list of actor IDs with dismissal access."
type = set(string)
default = []
}

variable "required_approving_review_count" {
description = "The number of approvals required to satisfy branch protection requirements. This must be a number between 1 and 6."
type = number
default = 1
}
54 changes: 54 additions & 0 deletions variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -239,6 +239,60 @@ variable "default_branch" {
default = "main"
}

variable "branch_protection_enforce_admins" {
description = "Setting this to true enforces status checks for repository administrators. In general this should be false to allow admins and service accounts to reconcile branches after a release without creating trailing merge commits -- branches would never be current with one another."
type = bool
default = true
}

variable "branch_protection_required_status_checks" {
description = "A set of status checks (contexts) that must pass before a branch can be merged into the protected branch."
type = set(string)
default = []
}

variable "branch_protection_strict" {
description = "Setting this to true enforces that a branch be current with the base branch before merging."
type = bool
default = true
}

variable "dismiss_stale_reviews" {
description = "Dismiss approved reviews automatically when a new commit is pushed."
type = bool
default = true
}

variable "require_code_owner_reviews" {
description = "Whether or not an approval is required from code owners to merge a pull request."
type = bool
default = true
}

variable "require_signed_commits" {
description = "Requires all commits in the branch to be signed with GPG."
type = bool
default = true
}

variable "push_restrictions" {
description = "A list of actor IDs that are explicitly permitted to push to the branch. Admins have this capability if `enforce_admins` is false."
type = set(string)
default = []
}

variable "review_dismissal_restrictions" {
description = "The list of actor IDs with permission to dismiss reviews."
type = set(string)
default = []
}

variable "required_approving_review_count" {
description = "The number of approvals required to satisfy branch protection requirements. This must be a number between 1 and 6."
type = number
default = 1
}

variable "labels" {
description = "A set of labels to configure for the repository."
type = set(object({
Expand Down

0 comments on commit bcf78f8

Please sign in to comment.