https://github.com/vmvarela/terraform-github-org
A Terraform module for comprehensive GitHub organization management.
- Host: GitHub
- URL: https://github.com/vmvarela/terraform-github-org
- Owner: vmvarela
- License: apache-2.0
- Created: 2025-03-18T06:24:43.000Z (about 1 year ago)
- Default Branch: master
- Last Pushed: 2025-04-01T08:16:49.000Z (about 1 year ago)
- Last Synced: 2025-04-01T09:26:19.876Z (about 1 year ago)
- Topics: github-config, terraform-module
- Language: HCL
- Homepage: https://registry.terraform.io/modules/vmvarela/org/github
- Size: 47.9 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
- Code of conduct: .github/CODE_OF_CONDUCT.md
README
# GitHub Org Terraform module
A Terraform module for comprehensive GitHub organization management. This module enables Infrastructure as Code (IaC) practices for GitHub organization administration, providing complete control over organization settings, members, teams, and security configurations.
The module offers seamless management of key organizational resources including:
- Organization settings and profile configuration
- Member management with role-based access control
- Team creation and membership administration
- GitHub Actions organization-level permissions and configuration
- Secrets and variables management across the organization
- Security policy enforcement and advanced security features
- Webhook integration for organization events
- Custom roles and permissions management
- Organization-wide project administration
- Repository creation templates and default settings
Designed for DevOps teams seeking to standardize GitHub organization management through code, this module supports comprehensive governance while maintaining flexibility for organization-specific requirements.
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.6 |
| [github](#requirement\_github) | >= 6.6.0 |
## Providers
| Name | Version |
|------|---------|
| [github](#provider\_github) | >= 6.6.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| [sub](#module\_sub) | vmvarela/suborg/github | n/a |
| [webhook](#module\_webhook) | ./modules/webhook | n/a |
## Resources
| Name | Type |
|------|------|
| [github_actions_organization_secret.encrypted](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_secret) | resource |
| [github_actions_organization_secret.plaintext](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_secret) | resource |
| [github_actions_organization_variable.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
| [github_actions_runner_group.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_runner_group) | resource |
| [github_dependabot_organization_secret.encrypted](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/dependabot_organization_secret) | resource |
| [github_dependabot_organization_secret.plaintext](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/dependabot_organization_secret) | resource |
| [github_organization_block.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/organization_block) | resource |
| [github_organization_custom_role.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/organization_custom_role) | resource |
| [github_organization_ruleset.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/organization_ruleset) | resource |
| [github_organization_settings.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/organization_settings) | resource |
| [github_organization.this](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/organization) | data source |
| [github_organization_teams.this](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/organization_teams) | data source |
| [github_repositories.this](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repositories) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [billing\_email](#input\_billing\_email) | Billing email address. This address is not publicized. | `string` | n/a | yes |
| [blocked](#input\_blocked) | Set of user logins to block from the organization (creates and manages organization blocks). | `set(string)` | `null` | no |
| [blog](#input\_blog) | URL of organization blog | `string` | `null` | no |
| [company](#input\_company) | The company name. | `string` | `null` | no |
| [custom\_roles](#input\_custom\_roles) | The list of custom roles of the organization (key: role\_name) | <pre>map(object({<br>  description = optional(string)<br>  base_role   = string<br>  permissions = set(string)<br>}))</pre> | `null` | no |
| [default\_repository\_permission](#input\_default\_repository\_permission) | Default permission level members have for organization repositories. Can be one of `read`, `write`, `admin`, or `none`. | `string` | `null` | no |
| [defaults](#input\_defaults) | Repositories default configuration (if empty) | `any` | `{}` | no |
| [dependabot\_copy\_secrets](#input\_dependabot\_copy\_secrets) | Whether Dependabot uses the same secrets as Actions (plaintext or encrypted); each one is copied as a Dependabot secret. | `bool` | `false` | no |
| [dependabot\_secrets](#input\_dependabot\_secrets) | The list of dependabot secrets configuration of the organization (key: secret\_name) | <pre>map(object({<br>  encrypted_value = optional(string, null)<br>  plaintext_value = optional(string, null)<br>  visibility      = optional(string, null)<br>  repositories    = optional(set(string), [])<br>}))</pre> | `{}` | no |
| [dependabot\_secrets\_encrypted](#input\_dependabot\_secrets\_encrypted) | The list of dependabot secrets configuration of the organization (key: secret\_name) | <pre>map(object({<br>  encrypted_value = optional(string, null)<br>  plaintext_value = optional(string, null)<br>  visibility      = optional(string, null)<br>  repositories    = optional(set(string), [])<br>}))</pre> | `{}` | no |
| [description](#input\_description) | The description of the company. The maximum size is 160 characters. | `string` | `null` | no |
| [email](#input\_email) | The publicly visible email address. | `string` | `null` | no |
| [enable\_advanced\_security](#input\_enable\_advanced\_security) | Use to enable or disable GitHub Advanced Security for new repositories. | `bool` | `null` | no |
| [enable\_dependabot\_security\_updates](#input\_enable\_dependabot\_security\_updates) | Set to `true` to enable the automated security fixes for new repositories. | `bool` | `null` | no |
| [enable\_secret\_scanning](#input\_enable\_secret\_scanning) | Use to enable or disable secret scanning for new repositories. | `bool` | `null` | no |
| [enable\_secret\_scanning\_push\_protection](#input\_enable\_secret\_scanning\_push\_protection) | Use to enable or disable secret scanning push protection for new repositories. If set to `true`, the repository's visibility must be `public` or `enable_advanced_security` must also be `true`. | `bool` | `null` | no |
| [enable\_vulnerability\_alerts](#input\_enable\_vulnerability\_alerts) | Either `true` to enable vulnerability alerts, or `false` to disable vulnerability alerts for new repositories. | `bool` | `null` | no |
| [enterprise](#input\_enterprise) | True if the organization is associated with an enterprise account. | `bool` | `false` | no |
| [has\_organization\_projects](#input\_has\_organization\_projects) | Whether an organization can use organization projects. | `bool` | `null` | no |
| [has\_repository\_projects](#input\_has\_repository\_projects) | Whether repositories that belong to the organization can use repository projects. | `bool` | `null` | no |
| [location](#input\_location) | The location. | `string` | `null` | no |
| [members\_can\_create\_internal\_repositories](#input\_members\_can\_create\_internal\_repositories) | Whether organization members can create internal repositories, which are visible to all enterprise members. You can only allow members to create internal repositories if your organization is associated with an enterprise account using GitHub Enterprise Cloud or GitHub Enterprise Server 2.20+. | `bool` | `null` | no |
| [members\_can\_create\_pages](#input\_members\_can\_create\_pages) | Whether organization members can create GitHub Pages sites. Existing published sites will not be impacted. | `bool` | `null` | no |
| [members\_can\_create\_private\_pages](#input\_members\_can\_create\_private\_pages) | Whether organization members can create private GitHub Pages sites. Existing published sites will not be impacted. | `bool` | `null` | no |
| [members\_can\_create\_private\_repositories](#input\_members\_can\_create\_private\_repositories) | Whether organization members can create private repositories, which are visible to organization members with permission. | `bool` | `null` | no |
| [members\_can\_create\_public\_pages](#input\_members\_can\_create\_public\_pages) | Whether organization members can create public GitHub Pages sites. Existing published sites will not be impacted. | `bool` | `null` | no |
| [members\_can\_create\_public\_repositories](#input\_members\_can\_create\_public\_repositories) | Whether organization members can create public repositories, which are visible to anyone. | `bool` | `null` | no |
| [members\_can\_create\_repositories](#input\_members\_can\_create\_repositories) | Whether non-admin organization members can create repositories. | `bool` | `null` | no |
| [members\_can\_fork\_private\_repositories](#input\_members\_can\_fork\_private\_repositories) | Whether organization members can fork private organization repositories. | `bool` | `null` | no |
| [name](#input\_name) | The shorthand name of the company. | `string` | `null` | no |
| [organization](#input\_organization) | Org name. | `string` | `null` | no |
| [repositories](#input\_repositories) | Repositories | `any` | `{}` | no |
| [rulesets](#input\_rulesets) | Organization rules | <pre>map(object({<br>  enforcement = optional(string, "active")<br>  rules = optional(object({<br>    branch_name_pattern = optional(object({<br>      operator = optional(string)<br>      pattern  = optional(string)<br>      name     = optional(string)<br>      negate   = optional(bool)<br>    }))<br>    commit_author_email_pattern = optional(object({<br>      operator = optional(string)<br>      pattern  = optional(string)<br>      name     = optional(string)<br>      negate   = optional(bool)<br>    }))<br>    commit_message_pattern = optional(object({<br>      operator = optional(string)<br>      pattern  = optional(string)<br>      name     = optional(string)<br>      negate   = optional(bool)<br>    }))<br>    committer_email_pattern = optional(object({<br>      operator = optional(string)<br>      pattern  = optional(string)<br>      name     = optional(string)<br>      negate   = optional(bool)<br>    }))<br>    creation         = optional(bool)<br>    deletion         = optional(bool)<br>    non_fast_forward = optional(bool)<br>    pull_request = optional(object({<br>      dismiss_stale_reviews_on_push     = optional(bool)<br>      require_code_owner_review         = optional(bool)<br>      require_last_push_approval        = optional(bool)<br>      required_approving_review_count   = optional(number)<br>      required_review_thread_resolution = optional(bool)<br>    }))<br>    required_workflows = optional(list(object({<br>      repository = string<br>      path       = string<br>      ref        = optional(string)<br>    })))<br>    required_linear_history              = optional(bool)<br>    required_signatures                  = optional(bool)<br>    required_status_checks               = optional(map(string))<br>    strict_required_status_checks_policy = optional(bool)<br>    tag_name_pattern = optional(object({<br>      operator = optional(string)<br>      pattern  = optional(string)<br>      name     = optional(string)<br>      negate   = optional(bool)<br>    }))<br>    update = optional(bool)<br>  }))<br>  target = optional(string, "branch")<br>  bypass_actors = optional(map(object({<br>    actor_type  = string<br>    bypass_mode = string<br>  })))<br>  include      = optional(list(string), [])<br>  exclude      = optional(list(string), [])<br>  repositories = optional(list(string))<br>}))</pre> | `{}` | no |
| [runner\_groups](#input\_runner\_groups) | The list of runner groups of the organization (key: runner\_group\_name) | <pre>map(object({<br>  visibility                = optional(string, null)<br>  workflows                 = optional(set(string))<br>  repositories              = optional(set(string), [])<br>  allow_public_repositories = optional(bool)<br>}))</pre> | `{}` | no |
| [secrets](#input\_secrets) | The list of secrets configuration of the organization (key: secret\_name) | <pre>map(object({<br>  encrypted_value = optional(string, null)<br>  plaintext_value = optional(string, null)<br>  visibility      = optional(string, null)<br>  repositories    = optional(set(string), [])<br>}))</pre> | `{}` | no |
| [secrets\_encrypted](#input\_secrets\_encrypted) | The list of secrets configuration of the organization (key: secret\_name) | <pre>map(object({<br>  encrypted_value = optional(string, null)<br>  plaintext_value = optional(string, null)<br>  visibility      = optional(string, null)<br>  repositories    = optional(set(string), [])<br>}))</pre> | `{}` | no |
| [settings](#input\_settings) | Repositories fixed common configuration (cannot be overwritten) | `any` | `{}` | no |
| [twitter\_username](#input\_twitter\_username) | The Twitter username of the company. | `string` | `null` | no |
| [variables](#input\_variables) | The list of variables configuration of the organization (key: variable\_name) | <pre>map(object({<br>  value        = optional(string, null)<br>  visibility   = optional(string, null)<br>  repositories = optional(set(string), [])<br>}))</pre> | `{}` | no |
| [web\_commit\_signoff\_required](#input\_web\_commit\_signoff\_required) | Whether contributors to organization repositories are required to sign off on commits they make through GitHub's web interface. | `bool` | `null` | no |
| [webhooks](#input\_webhooks) | The list of webhooks of the organization. See webhook sub-module for details. | `any` | `{}` | no |
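The inputs above are easiest to read as one concrete module call. The following is an added example, not configuration from the module's own repository: it wires the security-relevant inputs (member baseline permissions, the `enable_*` security features, an organization ruleset, a scoped secret and a custom role) into a single root module. It assumes the registry source `vmvarela/org/github` from the module homepage, a provider `owner` of `example-org`, and that the `rulesets` map key is the ruleset name and the `bypass_actors` map key is the GitHub actor id; all organization, repository, role and secret names are constructed for illustration.

```hcl
# Added example root module; not part of the terraform-github-org project.
# Assumes the registry source from the module homepage and the versions
# listed under Requirements.
terraform {
  required_version = ">= 1.6"
  required_providers {
    github = {
      source  = "integrations/github"
      version = ">= 6.6.0"
    }
  }
}

# Supplied out of band (TF_VAR_deploy_token or a tfvars file kept out of git).
variable "deploy_token" {
  type      = string
  sensitive = true
}

provider "github" {
  owner = "example-org" # constructed organization name
}

module "org" {
  source = "vmvarela/org/github"

  organization  = "example-org"         # constructed
  billing_email = "billing@example.com" # constructed

  # Member baseline: read-only by default, no public repos or private forks,
  # and web-UI commits must carry a sign-off.
  default_repository_permission          = "read"
  members_can_create_public_repositories = false
  members_can_fork_private_repositories  = false
  web_commit_signoff_required            = true

  # Security features applied to every new repository. Push protection
  # needs advanced security enabled (or public visibility), per the inputs table.
  enable_advanced_security               = true
  enable_secret_scanning                 = true
  enable_secret_scanning_push_protection = true
  enable_dependabot_security_updates     = true
  enable_vulnerability_alerts            = true

  # One organization ruleset covering each repository's default branch.
  rulesets = {
    "protect-default-branch" = { # constructed ruleset name
      enforcement = "active"
      target      = "branch"
      include     = ["~DEFAULT_BRANCH"] # GitHub's pattern for each repo's default branch
      rules = {
        deletion            = true
        non_fast_forward    = true
        required_signatures = true
        pull_request = {
          required_approving_review_count   = 1
          dismiss_stale_reviews_on_push     = true
          require_code_owner_review         = true
          required_review_thread_resolution = true
        }
      }
      # Assumption: key is the GitHub actor id (1 = OrganizationAdmin).
      bypass_actors = {
        "1" = {
          actor_type  = "OrganizationAdmin"
          bypass_mode = "pull_request" # admins may bypass only via a pull request
        }
      }
    }
  }

  # Organization secret exposed only to selected repositories, never org-wide.
  secrets = {
    DEPLOY_TOKEN = { # constructed secret name
      plaintext_value = var.deploy_token
      visibility      = "selected"
      repositories    = ["infra"] # constructed repository name
    }
  }

  # Custom role: write access plus deploy-key management and nothing else.
  custom_roles = {
    "release-manager" = { # constructed role name
      description = "Write plus deploy key management for release automation"
      base_role   = "write"
      permissions = ["manage_deploy_keys"]
    }
  }
}
```

Two points worth checking before applying this. First, `plaintext_value` is sent to GitHub encrypted by the provider, but the plaintext is still written to Terraform state, so the state backend needs the same protection as the secret itself; the `secrets_encrypted` input exists for values sealed outside Terraform. Second, `terraform plan` on an existing organization shows every setting the module will change away from the current value, which is the moment to catch a ruleset or permission drift rather than after apply.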
## Outputs
| Name | Description |
|------|-------------|
| [id](#output\_id) | GitHub organization ID |
| [organization](#output\_organization) | Organization data |
| [repositories](#output\_repositories) | All repository IDs |
| [teams](#output\_teams) | Team data |
## Authors
Module is maintained by [Victor M. Varela](https://github.com/vmvarela).
## License
Apache 2 Licensed. See [LICENSE](https://github.com/vmvarela/terraform-github-org/tree/master/LICENSE) for full details.