{"id":50842856,"url":"https://github.com/kpeacocke/terraform-github-repo","last_synced_at":"2026-06-14T07:34:57.014Z","repository":{"id":214063378,"uuid":"735597737","full_name":"kpeacocke/terraform-github-repo","owner":"kpeacocke","description":"A terraform module for creating a best practice Github repos","archived":false,"fork":false,"pushed_at":"2026-06-04T13:05:41.000Z","size":5305,"stargazers_count":0,"open_issues_count":24,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-06-14T07:34:49.181Z","etag":null,"topics":["github","github-actions","terraform","terraform-module"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/kpeacocke/repo/github/latest","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kpeacocke.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY-HARDENING-STATUS.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-12-25T13:44:50.000Z","updated_at":"2026-04-30T01:45:03.000Z","dependencies_parsed_at":null,"dependency_job_id":"aa9d2df5-880c-4127-9ff9-1f1bafdb6aca","html_url":"https://github.com/kpeacocke/terraform-github-repo","commit_stats":null,"previous_names":["kpeacocke/git-practice","kpeacocke/terraform-github-repo"],"tags_count":105,"template":false,"template_full_name":null,"purl":"pkg:github/kpeacocke/terraform-github-repo","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpeacocke%2Fterraform-github-repo","tags_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpeacocke%2Fterraform-github-repo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpeacocke%2Fterraform-github-repo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpeacocke%2Fterraform-github-repo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kpeacocke","download_url":"https://codeload.github.com/kpeacocke/terraform-github-repo/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpeacocke%2Fterraform-github-repo/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34313515,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-14T02:00:07.365Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github","github-actions","terraform","terraform-module"],"created_at":"2026-06-14T07:34:55.936Z","updated_at":"2026-06-14T07:34:57.004Z","avatar_url":"https://github.com/kpeacocke.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"\r\n# terraform-github-repo\r\n\r\n**Comprehensive Terraform module for enforcing GitHub repository best practices and security standards.**\r\n\r\n[![Terraform 
Registry](https://img.shields.io/badge/registry-terraform--registry-623CE4?logo=terraform\u0026logoColor=white)](https://registry.terraform.io/modules/kpeacocke/terraform-github-repo/latest)\r\n[![Module Version](https://img.shields.io/github/v/release/kpeacocke/terraform-github-repo?label=version\u0026logo=terraform\u0026color=623CE4)](https://github.com/kpeacocke/terraform-github-repo/releases)\r\n[![Downloads](https://img.shields.io/static/v1?label=downloads\u0026message=1k%2B\u0026color=623CE4\u0026logo=terraform\u0026logoColor=white)](https://registry.terraform.io/modules/kpeacocke/terraform-github-repo/latest)\r\n[![CI](https://github.com/kpeacocke/terraform-github-repo/actions/workflows/ci.yml/badge.svg)](https://github.com/kpeacocke/terraform-github-repo/actions/workflows/ci.yml)\r\n[![CodeQL](https://github.com/kpeacocke/terraform-github-repo/actions/workflows/codeql.yml/badge.svg)](https://github.com/kpeacocke/terraform-github-repo/actions/workflows/codeql.yml)\r\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\r\n[![GitHub Stars](https://img.shields.io/github/stars/kpeacocke/terraform-github-repo?style=social)](https://github.com/kpeacocke/terraform-github-repo)\r\n\r\n---\r\n\r\n## Quick Links\r\n\r\n- 📖 [Terraform Registry](https://registry.terraform.io/modules/kpeacocke/terraform-github-repo/latest)  \r\n  Official module page with usage examples\r\n- 🚀 [Getting Started Guide](#-usage)  \r\n  Jump to basic usage examples\r\n- 📋 [Examples](./examples)  \r\n  Complete real-world usage scenarios\r\n- 🔐 [Security Features](#%EF%B8%8F-compliance-guardrails--policy-enforcement)  \r\n  Security scanning and compliance\r\n- 🧪 [Testing Guide](#-local-testing)  \r\n  How to test the module locally\r\n- 📝 [Contributing](./CONTRIBUTING.md)  \r\n  How to contribute to this project\r\n- 🐛 [Issues](https://github.com/kpeacocke/terraform-github-repo/issues)  \r\n  Report bugs or request features\r\n- 💬 
[Discussions](https://github.com/kpeacocke/terraform-github-repo/discussions)  \r\n  Community support and Q\u0026A\r\n\r\n---\r\n\r\n## 🎯 Overview\r\n\r\nThis Terraform module provides a **production-ready**, **security-first** approach to managing GitHub repositories\r\nwith comprehensive governance, compliance, and DevSecOps automation.\r\n\r\n**Perfect for:** Organizations requiring standardized repository governance, security compliance (SOC2, ISO27001),  \r\nand automated DevOps workflows.\r\n\r\n### 🏷️ Keywords\r\n\r\n`terraform` • `github` • `devops` • `security` • `compliance` • `governance` • `devsecops`  \r\n`repository-management` • `gitops` • `automation` • `best-practices` • `branch-protection`  \r\n`codeql` • `dependabot`\r\n\r\n### Module Features\r\n\r\nThis module provides comprehensive GitHub repository configuration with focus on security and best practices.\r\n\r\n## 📦 Features\r\n\r\n- ☑️ GitFlow branch protection\r\n- ☑️ Semantic PR title enforcement\r\n- ☑️ Branch naming conventions\r\n- ☑️ CodeQL security scanning\r\n- ☑️ Test coverage enforcement\r\n- ☑️ Issue and PR integration with Projects\r\n- ☑️ Template bootstrapping (README, LICENSE, etc.)\r\n- ☑️ Dependabot configuration\r\n- ☑️ Requirements traceability enforcement\r\n- ☑️ Auto-labeling and project board linking\r\n- ☑️ Security features (secret scanning, push protection, Dependabot alerts)\r\n- ☑️ **Auto-approve and auto-merge Dependabot PRs**\r\n\r\n## 👨‍💻 Development\r\n\r\nThis repository includes a comprehensive set of guidance for developers:\r\n\r\n- 📦 [**Dev Container Setup**](./.devcontainer/README.md)  \r\n  Complete development environment with all tools 
(Docker Desktop required)\r\n- 🔑 [**Security Credentials Guide**](./docs/development/security-credentials.md)  \r\n  Important guidance on handling credentials securely\r\n- 📗 [**Contributing Guide**](./CONTRIBUTING.md) - How to contribute to this project\r\n- 🧪 [**Testing Guide**](./docs/development/testing.md) - How to run tests locally\r\n\r\n### Quick Start: Dev Container\r\n\r\nThe easiest way to set up a development environment is using the provided dev container:\r\n\r\n```bash\r\n# 1. Install Docker Desktop and VS Code Dev Containers extension\r\n# 2. Open project in VS Code\r\n# 3. Run: \"Dev Containers: Reopen in Container\"\r\n# 4. Container automatically installs all dependencies\r\n\r\n# Or manually set up environment variables:\r\ncp .env.template .env\r\n```\r\n\r\nThe dev container includes Go, Terraform, Python, Ruby, OPA, AWS CLI, and all testing tools.\r\n\r\nFor detailed instructions, see [.devcontainer/README.md](./.devcontainer/README.md)\r\n\r\n## 🔧 Requirements\r\n\r\n| Name      | Version |\r\n|-----------|---------|\r\n| terraform | \u003e= 1.5.0 |\r\n| github provider | ~\u003e 6.6 |\r\n| null provider | ~\u003e 3.2 |\r\n\r\n## 🛠 Providers\r\n\r\n| Name   | Source                | Version |\r\n|--------|-----------------------|---------|\r\n| github | integrations/github   | ~\u003e 6.6  |\r\n| null   | hashicorp/null        | ~\u003e 3.2  |\r\n\r\n## ⚠️ Default: GitHub Actions Disabled Until Provisioning\r\n\r\nBy default, this module disables GitHub Actions workflows for new repositories until provisioning is complete.\r\nThis prevents excessive notification emails and failed workflow runs during initial setup.\r\n\r\nTo enable Actions after provisioning, set the variable  \r\n`disable_actions_until_provisioning = false`  \r\nin your environment or Terraform configuration:\r\n\r\n```hcl\r\nmodule \"github_repo\" {\r\n  source = \"...\"\r\n  # ... 
other variables ...\r\n  disable_actions_until_provisioning = false\r\n}\r\n```\r\n\r\nIf you are bootstrapping a new environment, keep Actions disabled until all resources are provisioned.\r\nThen re-apply with Actions enabled.\r\n\r\n## 🚀 Usage\r\n\r\n### Backend Configuration\r\n\r\nWe recommend using a local backend in your root Terraform configuration:\r\n\r\n```hcl\r\nterraform {\r\n  backend \"local\" {\r\n    path = \"terraform.tfstate\"\r\n  }\r\n}\r\n```\r\n\r\nTerraform stores state in plaintext, including any sensitive values recorded in resource attributes, so keep `terraform.tfstate` out of version control and restrict read access to it.\r\n\r\n### Module Call\r\n\r\n```hcl\r\nmodule \"github_repo\" {\r\n  source = \"github.com/kpeacocke/terraform-github-repo\" # pin a release with ?ref=\u003ctag\u003e in production\r\n\r\n  name        = \"my-repo\"\r\n  owners      = [\"kpeacocke\"]\r\n  visibility  = \"private\"\r\n  license     = \"MIT\"\r\n  languages   = [\"go\", \"python\"]\r\n\r\n  # Both are required inputs (used by the provisioning wait step). Declare\r\n  # github_token as a sensitive variable in your root module and supply it\r\n  # via TF_VAR_github_token rather than writing it into a .tfvars file.\r\n  github_owner = \"kpeacocke\"\r\n  github_token = var.github_token\r\n\r\n  enforce_gitflow           = true\r\n  enforce_tests             = true\r\n  enforce_security          = true\r\n  enforce_docs              = true\r\n  enforce_issue_integration = true\r\n  enforce_project_board     = false\r\n  traceability_enabled      = false\r\n  enable_weekly_reporting   = false\r\n  enable_codeql             = true\r\n  enable_dependabot         = true\r\n  enable_secret_scanning    = true\r\n  enable_secret_scanning_push_protection = true\r\n  enable_dependabot_alerts  = true\r\n  enable_dependabot_security_updates = true\r\n  require_codeql_workflow   = true\r\n  allow_auto_merge          = true\r\n  enable_dependabot_automerge_minor = true\r\n  enable_dependabot_autoapprove = true\r\n}\r\n```\r\n\r\nSee [`variables.tf`](./variables.tf) for all available options.\r\n\r\nAuto-merge and auto-approval of Dependabot PRs are on by default. Branch protection only holds a merge for the checks listed in `status_check_contexts`, which defaults to `[]`, so add the CI and CodeQL check names there before enabling auto-merge; otherwise nothing has to pass before a Dependabot PR is merged.\r\n\r\n## 📝 Examples\r\n\r\nSee the [examples](./examples) directory for complete usage scenarios.\r\n\r\n\u003c!-- markdownlint-disable MD033 --\u003e\r\n\u003c!-- BEGIN_TF_DOCS --\u003e\n## Requirements\n\n| Name | Version |\n| ---- | ------- |\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 1.5.0 |\n| \u003ca name=\"requirement_github\"\u003e\u003c/a\u003e 
[github](#requirement\\_github) | ~\u003e 6.6 |\n| \u003ca name=\"requirement_null\"\u003e\u003c/a\u003e [null](#requirement\\_null) | ~\u003e 3.2 |\n\n## Providers\n\n| Name | Version |\n| ---- | ------- |\n| \u003ca name=\"provider_github\"\u003e\u003c/a\u003e [github](#provider\\_github) | 6.6.0 |\n| \u003ca name=\"provider_null\"\u003e\u003c/a\u003e [null](#provider\\_null) | 3.2.4 |\n\n## Modules\n\nNo modules.\n\n## Resources\n\n| Name | Type |\n| ---- | ---- |\n| [github_actions_repository_permissions.repo_perms](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_repository_permissions) | resource |\n| [github_branch_protection.release](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection) | resource |\n| [github_repository.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |\n| [github_repository_file.auto_approve_dependabot](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |\n| [github_repository_file.build](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |\n| [github_repository_file.changelog](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |\n| [github_repository_file.ci_enforcement_workflow](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |\n| [github_repository_file.codeowners](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |\n| [github_repository_file.codeql_workflow](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |\n| 
[github_repository_file.contributing](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |\n| [github_repository_file.dependabot](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |\n| [github_repository_file.editorconfig](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |\n| [github_repository_file.gitignore](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |\n| [github_repository_file.issue_template_bug](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |\n| [github_repository_file.issue_template_feature](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |\n| [github_repository_file.license](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |\n| [github_repository_file.nvmrc](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |\n| [github_repository_file.pull_request_template](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |\n| [github_repository_file.readme](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |\n| [github_repository_file.release](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |\n| [github_repository_file.release_config](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |\n| [github_repository_file.scorecard](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |\n| 
[github_repository_file.security](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |\n| [github_repository_file.stale](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |\n| [github_repository_file.traceability](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |\n| [null_resource.files_created](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |\n| [null_resource.mute_notifications](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |\n| [null_resource.wait_for_github_repo](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n| ---- | ----------- | ---- | ------- | :------: |\n| \u003ca name=\"input_allow_auto_merge\"\u003e\u003c/a\u003e [allow\\_auto\\_merge](#input\\_allow\\_auto\\_merge) | Allow auto-merge for pull requests (including Dependabot). | `bool` | `true` | no |\n| \u003ca name=\"input_bootstrap_with_templates\"\u003e\u003c/a\u003e [bootstrap\\_with\\_templates](#input\\_bootstrap\\_with\\_templates) | If true, initialize the repo with standard files like README.md, LICENSE, SECURITY.md. | `bool` | `true` | no |\n| \u003ca name=\"input_branch\"\u003e\u003c/a\u003e [branch](#input\\_branch) | The branch to commit files to. 
| `string` | `\"main\"` | no |\n| \u003ca name=\"input_coverage_threshold\"\u003e\u003c/a\u003e [coverage\\_threshold](#input\\_coverage\\_threshold) | Minimum coverage threshold to enforce (as percentage) | `number` | `80` | no |\n| \u003ca name=\"input_disable_actions_until_provisioning\"\u003e\u003c/a\u003e [disable\\_actions\\_until\\_provisioning](#input\\_disable\\_actions\\_until\\_provisioning) | Disable GitHub Actions workflows until provisioning is complete to avoid failure notifications and excess emails. Default: true. Set to false to enable Actions after provisioning. | `bool` | `true` | no |\n| \u003ca name=\"input_enable_auto_labeling\"\u003e\u003c/a\u003e [enable\\_auto\\_labeling](#input\\_enable\\_auto\\_labeling) | If true, automatically labels PRs and issues based on file paths or content. | `bool` | `false` | no |\n| \u003ca name=\"input_enable_ci\"\u003e\u003c/a\u003e [enable\\_ci](#input\\_enable\\_ci) | If true, adds build/test workflow for CI validation. | `bool` | `true` | no |\n| \u003ca name=\"input_enable_codeql\"\u003e\u003c/a\u003e [enable\\_codeql](#input\\_enable\\_codeql) | Enable CodeQL analysis workflow. | `bool` | `true` | no |\n| \u003ca name=\"input_enable_coverage\"\u003e\u003c/a\u003e [enable\\_coverage](#input\\_enable\\_coverage) | Enable test coverage reporting | `bool` | `false` | no |\n| \u003ca name=\"input_enable_dependabot\"\u003e\u003c/a\u003e [enable\\_dependabot](#input\\_enable\\_dependabot) | Enable Dependabot configuration and workflows. | `bool` | `true` | no |\n| \u003ca name=\"input_enable_dependabot_alerts\"\u003e\u003c/a\u003e [enable\\_dependabot\\_alerts](#input\\_enable\\_dependabot\\_alerts) | Enable Dependabot alerts for the repository via workflow. | `bool` | `true` | no |\n| \u003ca name=\"input_enable_dependabot_autoapprove\"\u003e\u003c/a\u003e [enable\\_dependabot\\_autoapprove](#input\\_enable\\_dependabot\\_autoapprove) | Enable workflow to auto-approve and auto-merge Dependabot PRs. 
| `bool` | `true` | no |\n| \u003ca name=\"input_enable_dependabot_automerge_minor\"\u003e\u003c/a\u003e [enable\\_dependabot\\_automerge\\_minor](#input\\_enable\\_dependabot\\_automerge\\_minor) | Enable Dependabot auto-merge for minor upgrades. | `bool` | `true` | no |\n| \u003ca name=\"input_enable_dependabot_security_updates\"\u003e\u003c/a\u003e [enable\\_dependabot\\_security\\_updates](#input\\_enable\\_dependabot\\_security\\_updates) | Enable Dependabot security updates for the repository via workflow. | `bool` | `true` | no |\n| \u003ca name=\"input_enable_matrix\"\u003e\u003c/a\u003e [enable\\_matrix](#input\\_enable\\_matrix) | If true, use a version matrix for test workflows | `bool` | `false` | no |\n| \u003ca name=\"input_enable_release\"\u003e\u003c/a\u003e [enable\\_release](#input\\_enable\\_release) | If true, adds semantic-release GitHub workflow. | `bool` | `true` | no |\n| \u003ca name=\"input_enable_secret_scanning\"\u003e\u003c/a\u003e [enable\\_secret\\_scanning](#input\\_enable\\_secret\\_scanning) | Enable secret scanning for the repository via workflow. | `bool` | `true` | no |\n| \u003ca name=\"input_enable_secret_scanning_push_protection\"\u003e\u003c/a\u003e [enable\\_secret\\_scanning\\_push\\_protection](#input\\_enable\\_secret\\_scanning\\_push\\_protection) | Enable secret scanning push protection for the repository via workflow. | `bool` | `true` | no |\n| \u003ca name=\"input_enable_weekly_reporting\"\u003e\u003c/a\u003e [enable\\_weekly\\_reporting](#input\\_enable\\_weekly\\_reporting) | If true, adds stale issue management and OpenSSF Scorecard workflows. | `bool` | `false` | no |\n| \u003ca name=\"input_enforce_branch_naming\"\u003e\u003c/a\u003e [enforce\\_branch\\_naming](#input\\_enforce\\_branch\\_naming) | If true, enables branch naming convention enforcement (e.g. 
feature/*) | `bool` | `false` | no |\n| \u003ca name=\"input_enforce_docs\"\u003e\u003c/a\u003e [enforce\\_docs](#input\\_enforce\\_docs) | If true, enforce documentation updates in PRs. | `bool` | `false` | no |\n| \u003ca name=\"input_enforce_gitflow\"\u003e\u003c/a\u003e [enforce\\_gitflow](#input\\_enforce\\_gitflow) | Whether to enforce GitFlow naming and branch protection rules. | `bool` | `true` | no |\n| \u003ca name=\"input_enforce_issue_integration\"\u003e\u003c/a\u003e [enforce\\_issue\\_integration](#input\\_enforce\\_issue\\_integration) | If true, enforce that PRs are linked to issues. | `bool` | `false` | no |\n| \u003ca name=\"input_enforce_project_board\"\u003e\u003c/a\u003e [enforce\\_project\\_board](#input\\_enforce\\_project\\_board) | If true, link issues and PRs to a GitHub project board. | `bool` | `false` | no |\n| \u003ca name=\"input_enforce_security\"\u003e\u003c/a\u003e [enforce\\_security](#input\\_enforce\\_security) | Enable security tools such as CodeQL scanning and Dependabot alerts. | `bool` | `false` | no |\n| \u003ca name=\"input_enforce_semantic_pr_title\"\u003e\u003c/a\u003e [enforce\\_semantic\\_pr\\_title](#input\\_enforce\\_semantic\\_pr\\_title) | If true, enforces semantic PR titles via GitHub Actions | `bool` | `false` | no |\n| \u003ca name=\"input_enforce_tests\"\u003e\u003c/a\u003e [enforce\\_tests](#input\\_enforce\\_tests) | If true, enforce test updates in PRs. | `bool` | `false` | no |\n| \u003ca name=\"input_github_owner\"\u003e\u003c/a\u003e [github\\_owner](#input\\_github\\_owner) | GitHub owner (user or org) for API access (used in provisioning wait step) | `string` | n/a | yes |\n| \u003ca name=\"input_github_project_url\"\u003e\u003c/a\u003e [github\\_project\\_url](#input\\_github\\_project\\_url) | The full URL of the GitHub project to attach issues/PRs to. 
| `string` | `\"\"` | no |\n| \u003ca name=\"input_github_token\"\u003e\u003c/a\u003e [github\\_token](#input\\_github\\_token) | GitHub token for API access (used in provisioning wait step) | `string` | n/a | yes |\n| \u003ca name=\"input_language_default_versions\"\u003e\u003c/a\u003e [language\\_default\\_versions](#input\\_language\\_default\\_versions) | Map of default single-version values for each language | `map(string)` | \u003cpre\u003e{\u003cbr/\u003e  \"go\": \"1.21\",\u003cbr/\u003e  \"javascript\": \"20\",\u003cbr/\u003e  \"python\": \"3.11\",\u003cbr/\u003e  \"typescript\": \"20\"\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_language_matrix_versions\"\u003e\u003c/a\u003e [language\\_matrix\\_versions](#input\\_language\\_matrix\\_versions) | Map of version lists for matrix testing per language | `map(list(string))` | \u003cpre\u003e{\u003cbr/\u003e  \"go\": [\u003cbr/\u003e    \"1.20\",\u003cbr/\u003e    \"1.21\",\u003cbr/\u003e    \"1.22\"\u003cbr/\u003e  ],\u003cbr/\u003e  \"javascript\": [\u003cbr/\u003e    \"16\",\u003cbr/\u003e    \"18\",\u003cbr/\u003e    \"20\"\u003cbr/\u003e  ],\u003cbr/\u003e  \"python\": [\u003cbr/\u003e    \"3.9\",\u003cbr/\u003e    \"3.10\",\u003cbr/\u003e    \"3.11\"\u003cbr/\u003e  ],\u003cbr/\u003e  \"typescript\": [\u003cbr/\u003e    \"4.5\",\u003cbr/\u003e    \"4.6\",\u003cbr/\u003e    \"4.7\"\u003cbr/\u003e  ]\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_languages\"\u003e\u003c/a\u003e [languages](#input\\_languages) | List of languages for CodeQL analysis and templates. | `list(string)` | `[]` | no |\n| \u003ca name=\"input_license\"\u003e\u003c/a\u003e [license](#input\\_license) | The open source license to apply (MIT, Apache-2.0, GPL-3.0, BSD-3-Clause, MPL-2.0). | `string` | `\"MIT\"` | no |\n| \u003ca name=\"input_name\"\u003e\u003c/a\u003e [name](#input\\_name) | The name of the GitHub repository to create. 
| `string` | n/a | yes |\n| \u003ca name=\"input_owners\"\u003e\u003c/a\u003e [owners](#input\\_owners) | List of GitHub users or teams who should be set as CODEOWNERS. | `list(string)` | n/a | yes |\n| \u003ca name=\"input_release_branches\"\u003e\u003c/a\u003e [release\\_branches](#input\\_release\\_branches) | List of branch patterns to apply branch protection rules (e.g. [\"main\", \"release/*\"]). | `list(string)` | \u003cpre\u003e[\u003cbr/\u003e  \"main\"\u003cbr/\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_require_codeql_workflow\"\u003e\u003c/a\u003e [require\\_codeql\\_workflow](#input\\_require\\_codeql\\_workflow) | Require that the CodeQL workflow exists in the repository. | `bool` | `true` | no |\n| \u003ca name=\"input_security_contact\"\u003e\u003c/a\u003e [security\\_contact](#input\\_security\\_contact) | Email or contact address to report security issues. | `string` | `\"security@kpeacocke.com\"` | no |\n| \u003ca name=\"input_status_check_contexts\"\u003e\u003c/a\u003e [status\\_check\\_contexts](#input\\_status\\_check\\_contexts) | List of status check contexts required for branch protection. | `list(string)` | `[]` | no |\n| \u003ca name=\"input_traceability_enabled\"\u003e\u003c/a\u003e [traceability\\_enabled](#input\\_traceability\\_enabled) | Enable traceability enforcement such as issue states, assignments, or labels. | `bool` | `false` | no |\n| \u003ca name=\"input_visibility\"\u003e\u003c/a\u003e [visibility](#input\\_visibility) | Whether the repository should be 'private' or 'public'. | `string` | `\"private\"` | no |\n\n## Outputs\n\n| Name | Description |\n| ---- | ----------- |\n| \u003ca name=\"output_branch_protection_enforcement\"\u003e\u003c/a\u003e [branch\\_protection\\_enforcement](#output\\_branch\\_protection\\_enforcement) | Map of branch patterns to admin enforcement status. 
|\n| \u003ca name=\"output_branch_protection_patterns\"\u003e\u003c/a\u003e [branch\\_protection\\_patterns](#output\\_branch\\_protection\\_patterns) | List of protected branch patterns and their status. |\n| \u003ca name=\"output_branch_protection_rule_ids\"\u003e\u003c/a\u003e [branch\\_protection\\_rule\\_ids](#output\\_branch\\_protection\\_rule\\_ids) | List of branch protection rule resource IDs for each release branch. |\n| \u003ca name=\"output_repository_full_name\"\u003e\u003c/a\u003e [repository\\_full\\_name](#output\\_repository\\_full\\_name) | The full name (e.g., owner/repo) of the GitHub repository. |\n| \u003ca name=\"output_repository_http_clone_url\"\u003e\u003c/a\u003e [repository\\_http\\_clone\\_url](#output\\_repository\\_http\\_clone\\_url) | The HTTP(S) clone URL of the GitHub repository. |\n| \u003ca name=\"output_repository_id\"\u003e\u003c/a\u003e [repository\\_id](#output\\_repository\\_id) | The GitHub repository ID. |\n| \u003ca name=\"output_repository_name\"\u003e\u003c/a\u003e [repository\\_name](#output\\_repository\\_name) | The name of the created GitHub repository. |\n| \u003ca name=\"output_repository_node_id\"\u003e\u003c/a\u003e [repository\\_node\\_id](#output\\_repository\\_node\\_id) | The GraphQL node ID of the GitHub repository. |\n| \u003ca name=\"output_repository_ssh_clone_url\"\u003e\u003c/a\u003e [repository\\_ssh\\_clone\\_url](#output\\_repository\\_ssh\\_clone\\_url) | The SSH URL of the GitHub repository. |\n| \u003ca name=\"output_repository_url\"\u003e\u003c/a\u003e [repository\\_url](#output\\_repository\\_url) | The HTTPS URL of the GitHub repository. |\n| \u003ca name=\"output_workflow_file_shas\"\u003e\u003c/a\u003e [workflow\\_file\\_shas](#output\\_workflow\\_file\\_shas) | Map of workflow file paths to commit SHAs. 
|\n\u003c!-- END_TF_DOCS --\u003e\r\n\u003c!-- markdownlint-enable MD033 --\u003e\r\n\r\n## 🧪 Local Testing\r\n\r\nRun Terratest from the root:\r\n\r\n```bash\r\ntask test\r\n```\r\n\r\n\u003e Requires valid `GITHUB_TOKEN` exported in your terminal or `.env`.\r\n\r\n## ⚙️ Integration Testing\r\n\r\nWe use kitchen-terraform with Terragrunt and InSpec to run `terraform plan` in isolation against the root module  \r\nand verify its JSON output.\r\n\r\nPrerequisites:\r\n\r\n- Ruby (2.7+)\r\n- Bundler (`gem install bundler`)\r\n\r\nInstall dependencies:\r\n\r\n```bash\r\nbundle install\r\n```\r\n\r\nRun tests:\r\n\r\n```bash\r\nbundle exec kitchen test\r\n```\r\n\r\nOr, to run kitchen directly without Bundler:\r\n\r\n```bash\r\ngem install kitchen-terraform inspec\r\nkitchen test\r\n```\r\n\r\n## 📜 License\r\n\r\n[MIT](LICENSE)\r\n\r\n## 🛡️ Compliance Guardrails \u0026 Policy Enforcement\r\n\r\nThis module enforces best-practice compliance guardrails using static analysis and policy-as-code in CI:\r\n\r\n- **Trivy** and **tflint**: Run automatically in CI for static security and lint checks.\r\n- **OPA (Open Policy Agent) with conftest**: Custom Rego policies in `policy/` directory enforce organization\r\n  guardrails on every PR.\r\n\r\n### Guardrails Enforced\r\n\r\n- S3 buckets and RDS instances must be encrypted, versioned, and tagged (Owner, Environment)\r\n- No public S3 buckets or open security groups (0.0.0.0/0)\r\n- No IAM users or inline IAM policies\r\n- RDS must have backup retention and monitoring\r\n- All providers must be version-pinned (no wildcards)\r\n- No hardcoded secrets in code\r\n- Resource names must include environment (prod/dev/staging)\r\n- All variables must have descriptions\r\n- No deprecated resources (e.g., discourage direct aws_instance)\r\n- Logging required for S3, monitoring for RDS\r\n- Cost estimation enforced (fail if Infracost \u003e $1000)\r\n- No public IPs on EC2\r\n- MFA required for IAM users\r\n- IAM policies must not allow 
`Action: *` or `Resource: *`\r\n- Only approved AWS regions allowed (configurable in `policy/extra-guardrails.rego`)\r\n- All endpoints must use HTTPS\r\n\r\n### How it works\r\n\r\n- On every PR, CI produces a JSON plan (`terraform plan -out=tfplan.binary` followed by `terraform show -json tfplan.binary`, as in the local steps below; `terraform plan -json` on its own emits a UI log stream, not the plan), then runs `conftest` with all policies in `policy/`.\r\n- Any violation fails the build and prints a clear message.\r\n\r\n### Local Policy Testing\r\n\r\nYou can test policies locally before pushing:\r\n\r\n```sh\r\n# Install conftest if needed (verify the archive checksum against the one\r\n# published on the release page before extracting)\r\nwget https://github.com/open-policy-agent/conftest/releases/download/v0.51.0/conftest_0.51.0_$(uname -s)_x86_64.tar.gz\r\ntar xzf conftest_0.51.0_$(uname -s)_x86_64.tar.gz\r\nsudo mv conftest /usr/local/bin/\r\n\r\n# Generate a Terraform plan in JSON\r\nterraform plan -out=tfplan.binary\r\nterraform show -json tfplan.binary \u003e plan.json\r\n\r\n# Run all OPA policies\r\nconftest test --policy policy/ plan.json\r\n\r\n# Both files carry every planned attribute value, sensitive ones included:\r\n# remove them afterwards and never commit them\r\nrm -f tfplan.binary plan.json\r\n```\r\n\r\nEdit `policy/extra-guardrails.rego` to configure allowed AWS regions or add more rules.\r\n\r\n### Custom Policies\r\n\r\n- Add new `.rego` files to the `policy/` directory to enforce additional org-specific rules.\r\n- See [Open Policy Agent docs](https://www.openpolicyagent.org/docs/latest/) for more examples.\r\n\r\n## 📊 Module Statistics\r\n\r\n![GitHub commit activity](https://img.shields.io/github/commit-activity/m/kpeacocke/terraform-github-repo)\r\n![GitHub last commit](https://img.shields.io/github/last-commit/kpeacocke/terraform-github-repo)\r\n![GitHub repo size](https://img.shields.io/github/repo-size/kpeacocke/terraform-github-repo)\r\n![Lines of code](https://img.shields.io/tokei/lines/github/kpeacocke/terraform-github-repo)\r\n\r\n## 🤝 Support \u0026 Community\r\n\r\n- 💡 **Have questions?** Start a [Discussion](https://github.com/kpeacocke/terraform-github-repo/discussions)\r\n- 🐛 **Found a bug?** Create an [Issue](https://github.com/kpeacocke/terraform-github-repo/issues)\r\n- 🚀 **Want to contribute?** See our [Contributing Guide](./CONTRIBUTING.md)\r\n- 📚 
**Need examples?** Check our [Examples Directory](./examples)\r\n\r\n## 🎖️ Acknowledgments\r\n\r\nThis module is inspired by and follows best practices from:\r\n\r\n- [HashiCorp Terraform Module Standards](https://www.terraform.io/docs/registry/modules/publish.html)\r\n- [GitHub Security Best Practices](https://docs.github.com/en/code-security)\r\n- [Open Source Security Foundation (OpenSSF)](https://openssf.org/)\r\n- [Cloud Security Alliance](https://cloudsecurityalliance.org/)\r\n\r\n---\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkpeacocke%2Fterraform-github-repo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkpeacocke%2Fterraform-github-repo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkpeacocke%2Fterraform-github-repo/lists"}
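Worked example for the README's "Custom Policies" and "Local Policy Testing" sections above. This is an added example, not one of the project's own `policy/` files: a conftest policy that implements two guardrails from the README's list (no security group ingress from 0.0.0.0/0, every provider version-pinned) plus one org-specific rule for this module's own `github_repository` resource, with unit tests on constructed plan fragments. The attribute paths follow the `terraform show -json` plan format; the `aws_security_group` ingress shape and the rule that repositories must stay private are assumptions made for illustration.

```rego
package main

import rego.v1

# Everything the plan will create, update or replace (pure deletions are skipped).
planned contains rc if {
	some rc in input.resource_changes
	rc.change.actions != ["delete"]
}

# Guardrail from the README list: no security-group ingress open to the whole internet.
# Assumption: the aws_security_group ingress shape used by the AWS provider
# (objects carrying from_port and cidr_blocks).
deny contains msg if {
	some rc in planned
	rc.type == "aws_security_group"
	some ing in rc.change.after.ingress
	"0.0.0.0/0" in ing.cidr_blocks
	msg := sprintf("%s: ingress on port %v is open to 0.0.0.0/0", [rc.address, ing.from_port])
}

# Guardrail from the README list: every provider must carry a version constraint.
# provider_config is keyed by provider name; version_constraint is absent when unpinned.
deny contains msg if {
	some name, cfg in input.configuration.provider_config
	not cfg.version_constraint
	msg := sprintf("provider %q has no version constraint", [name])
}

# Org-specific rule for this module's own resource (assumption: the org forbids
# public repositories): a planned github_repository must be private.
deny contains msg if {
	some rc in planned
	rc.type == "github_repository"
	rc.change.after.visibility == "public"
	msg := sprintf("%s: repository visibility must be private", [rc.address])
}

# Unit tests over constructed plan fragments; executed by `conftest verify`.
test_open_ingress_is_denied if {
	plan := {
		"resource_changes": [{
			"address": "aws_security_group.web",
			"type": "aws_security_group",
			"change": {
				"actions": ["create"],
				"after": {"ingress": [{"from_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}
			}
		}],
		"configuration": {"provider_config": {"aws": {"name": "aws", "version_constraint": "~> 5.0"}}}
	}
	count(deny) == 1 with input as plan
}

test_unpinned_provider_is_denied if {
	plan := {
		"resource_changes": [],
		"configuration": {"provider_config": {"github": {"name": "github"}}}
	}
	deny["provider \"github\" has no version constraint"] with input as plan
}

test_private_pinned_repo_passes if {
	plan := {
		"resource_changes": [{
			"address": "github_repository.this",
			"type": "github_repository",
			"change": {"actions": ["create"], "after": {"visibility": "private"}}
		}],
		"configuration": {"provider_config": {"github": {"name": "github", "version_constraint": "~> 6.6"}}}
	}
	count(deny) == 0 with input as plan
}
```

Save it as a new file under `policy/`, run `conftest verify --policy policy/` to execute the `test_` rules without needing a plan, and `conftest test --policy policy/ plan.json` to apply it to a real plan as in the local steps above. `main` is the namespace conftest evaluates by default, and `import rego.v1` keeps the `if`/`contains` syntax valid on both pre-1.0 and 1.x OPA builds.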