https://github.com/vmvarela/terraform-github-repository

A Terraform module for comprehensive GitHub repository management.

# GitHub Repository Terraform module

A Terraform module for comprehensive GitHub repository management. This module offers complete lifecycle control for repositories, including permissions, GitHub Actions configuration, deploy keys, repository properties, user and team access management, autolink references, advanced security features, and ruleset configurations.

The module enables infrastructure-as-code practices for GitHub repositories, supporting key features such as:
- Repository creation with customizable settings (visibility, branch protection, merge strategies)
- Team and user permission management with granular access control
- GitHub Actions integration with secrets and variables management
- Deploy keys configuration for automated deployments
- Autolink references for connecting external resources
- Advanced security features configuration
- Custom ruleset implementation for repository governance
- Branch protection policies with required checks

## Usage

```hcl
module "repo" {
source = "github.com/vmvarela/terraform-github-repository"

name = "my-repo"
visibility = "private"
default_branch = "main"
template = "MarketingPipeline/Awesome-Repo-Template"
}
```
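A security-oriented configuration built from the inputs documented in the Inputs table, as an added example that is not part of the module's own examples. The repository name, secret name, ruleset name, check name and the two variables are constructed for illustration, and passing `~DEFAULT_BRANCH` in `include` assumes the module hands the value to the provider's ruleset ref matching unchanged.

```hcl
variable "ci_token_encrypted" { # hypothetical: value pre-encrypted with the repository's Actions public key
  type      = string
  sensitive = true
}

variable "deploy_public_key" { # hypothetical: public half of a key pair generated outside Terraform
  type = string
}

module "hardened_repo" {
  source = "github.com/vmvarela/terraform-github-repository"

  name           = "payments-service" # constructed name
  visibility     = "private"
  default_branch = "main"

  # Per the input descriptions, secret scanning on a non-public repository
  # requires enable_advanced_security = true.
  enable_advanced_security               = true
  enable_secret_scanning                 = true
  enable_secret_scanning_push_protection = true
  enable_vulnerability_alerts            = true
  enable_dependabot_security_updates     = true

  # Only GitHub-owned actions plus an explicit allow-list may run.
  actions_permissions = {
    allowed_actions      = "selected"
    github_owned_allowed = true
    verified_allowed     = false
    patterns_allowed     = ["monalisa/octocat@v2"] # pattern taken from the input description
  }

  # encrypted_value keeps the cleartext secret out of Terraform state;
  # plaintext_value would be recorded there.
  secrets = {
    CI_TOKEN = { encrypted_value = var.ci_token_encrypted }
  }

  # Supplying `key` skips the auto-generated pair (tls_private_key.this and
  # local_file.private_key_file); tls_private_key keeps the private key in state.
  deploy_keys = {
    "ci-readonly" = { key = var.deploy_public_key, read_only = true }
  }

  rulesets = {
    "protect-default" = {
      include                            = ["~DEFAULT_BRANCH"] # assumption, see lead-in
      forbidden_deletion                 = true
      forbidden_fast_forward             = true
      required_signatures                = true
      required_pr_approving_review_count = 1
      required_pr_code_owner_review      = true
      dismiss_pr_stale_reviews_on_push   = true
      required_checks                    = ["ci/test"] # constructed check name
    }
  }
}
```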

## Examples

- [simple](https://github.com/vmvarela/terraform-github-repository/tree/master/examples/simple) - Single repository from a template
- [complete](https://github.com/vmvarela/terraform-github-repository/tree/master/examples/complete) - Several repositories (with configuration from a .yaml)

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.6 |
| [github](#requirement\_github) | >= 6.6.0 |
| [local](#requirement\_local) | >= 2.5.2 |
| [null](#requirement\_null) | >= 3.2.3 |
| [tls](#requirement\_tls) | >= 4.0.6 |

## Providers

| Name | Version |
|------|---------|
| [github](#provider\_github) | >= 6.6.0 |
| [local](#provider\_local) | >= 2.5.2 |
| [null](#provider\_null) | >= 3.2.3 |
| [tls](#provider\_tls) | >= 4.0.6 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [github_actions_environment_secret.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret) | resource |
| [github_actions_environment_variable.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_variable) | resource |
| [github_actions_repository_access_level.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_repository_access_level) | resource |
| [github_actions_repository_permissions.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_repository_permissions) | resource |
| [github_actions_secret.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
| [github_actions_variable.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_variable) | resource |
| [github_branch.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch) | resource |
| [github_branch_default.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_default) | resource |
| [github_dependabot_secret.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/dependabot_secret) | resource |
| [github_issue_labels.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/issue_labels) | resource |
| [github_repository.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |
| [github_repository_autolink_reference.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_autolink_reference) | resource |
| [github_repository_collaborators.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_collaborators) | resource |
| [github_repository_custom_property.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_custom_property) | resource |
| [github_repository_dependabot_security_updates.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_dependabot_security_updates) | resource |
| [github_repository_deploy_key.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_deploy_key) | resource |
| [github_repository_environment.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_environment) | resource |
| [github_repository_environment_deployment_policy.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_environment_deployment_policy) | resource |
| [github_repository_file.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource |
| [github_repository_ruleset.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_ruleset) | resource |
| [github_repository_webhook.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_webhook) | resource |
| [local_file.private_key_file](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
| [null_resource.create_subfolder](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [tls_private_key.this](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [actions\_access\_level](#input\_actions\_access\_level) | (Optional) The access level for the repository. Must be one of `none`, `user`, `organization`, or `enterprise`. Default: `none` | `string` | `null` | no |
| [actions\_permissions](#input\_actions\_permissions) | (Optional) The list of GitHub Actions permissions configuration of the repository: `allowed_actions` - (Optional) The permissions policy that controls the actions that are allowed to run. Can be one of: `all`, `local_only`, or `selected`.; `enabled` - (Optional) Should GitHub actions be enabled on this repository?; `github_owned_allowed` - (Optional) Whether GitHub-owned actions are allowed in the repository.; `patterns_allowed` - (Optional) Specifies a list of string-matching patterns to allow specific action(s). Wildcards, tags, and SHAs are allowed. For example, `monalisa/octocat@*`, `monalisa/octocat@v2`, `monalisa/*`.; `verified_allowed` - (Optional) Whether actions in GitHub Marketplace from verified creators are allowed. Set to true to allow all GitHub Marketplace actions by verified creators. | <pre>object({<br>  allowed_actions = optional(string, null)<br>  github_owned_allowed = optional(bool, true)<br>  patterns_allowed = optional(set(string), null)<br>  verified_allowed = optional(bool, null)<br>})</pre> | `null` | no |
| [alias](#input\_alias) | (Optional) The original name of the repository (useful for renaming in IaC) | `string` | `null` | no |
| [allow\_auto\_merge](#input\_allow\_auto\_merge) | (Optional) Set to `true` to allow auto-merging pull requests on the repository. | `bool` | `null` | no |
| [allow\_merge\_commit](#input\_allow\_merge\_commit) | (Optional) Either `true` to allow merging pull requests with a merge commit, or `false` to prevent merging pull requests with merge commits. | `bool` | `null` | no |
| [allow\_rebase\_merge](#input\_allow\_rebase\_merge) | (Optional) Either `true` to allow rebase-merging pull requests, or `false` to prevent rebase-merging. | `bool` | `null` | no |
| [allow\_squash\_merge](#input\_allow\_squash\_merge) | (Optional) Either `true` to allow squash-merging pull requests, or `false` to prevent squash-merging. | `bool` | `null` | no |
| [allow\_update\_branch](#input\_allow\_update\_branch) | (Optional) Either `true` to always allow a pull request head branch that is behind its base branch to be updated even if it is not required to be up to date before merging, or `false` otherwise. | `bool` | `null` | no |
| [archive\_on\_destroy](#input\_archive\_on\_destroy) | (Optional) Set to `true` to archive the repository instead of deleting on destroy. | `bool` | `null` | no |
| [archived](#input\_archived) | (Optional) Whether to archive this repository. `false` will unarchive a previously archived repository. | `bool` | `null` | no |
| [auto\_init](#input\_auto\_init) | (Optional) Set to `true` to produce an initial commit in the repository | `bool` | `null` | no |
| [autolink\_references](#input\_autolink\_references) | (Optional) The list of autolink references of the repository (key: key\_prefix) | <pre>map(object({<br>  target_url_template = string<br>  is_alphanumeric = optional(bool)<br>}))</pre> | `{}` | no |
| [branches](#input\_branches) | (Optional) The list of branches to create (map of name and source branch) | `map(string)` | `null` | no |
| [custom\_properties](#input\_custom\_properties) | (Optional) The custom properties for the new repository. The keys are the custom property names, and the values are the corresponding custom property values. | `any` | `null` | no |
| [custom\_properties\_types](#input\_custom\_properties\_types) | (Optional) The list of types associated to properties (key: property\_name) | `map(string)` | `null` | no |
| [default\_branch](#input\_default\_branch) | (Optional) Updates the default branch for this repository. | `string` | `null` | no |
| [delete\_branch\_on\_merge](#input\_delete\_branch\_on\_merge) | (Optional) Either `true` to enable automatic deletion of branches on merge, or `false` to disable. | `bool` | `null` | no |
| [dependabot\_secrets](#input\_dependabot\_secrets) | (Optional) The list of secrets configuration of the repository (key: `secret_name`, arguments: `encrypted_value` or `plaintext_value`) | <pre>map(object({<br>  encrypted_value = optional(string)<br>  plaintext_value = optional(string)<br>}))</pre> | `null` | no |
| [deploy\_keys](#input\_deploy\_keys) | (Optional) The list of deploy keys of the repository (key: key\_title) | <pre>map(object({<br>  key = optional(string) # auto-generated if not provided<br>  read_only = optional(bool, true)<br>}))</pre> | `null` | no |
| [deploy\_keys\_path](#input\_deploy\_keys\_path) | (Optional) The path to the generated deploy keys for this repository | `string` | `"./deploy_keys"` | no |
| [description](#input\_description) | (Optional) A short description of the repository that will show up on GitHub | `string` | `null` | no |
| [enable\_actions](#input\_enable\_actions) | (Optional) Either `true` to enable GitHub Actions, or `false` to disable. | `bool` | `null` | no |
| [enable\_advanced\_security](#input\_enable\_advanced\_security) | (Optional) Use to enable or disable GitHub Advanced Security for this repository. | `bool` | `null` | no |
| [enable\_dependabot\_security\_updates](#input\_enable\_dependabot\_security\_updates) | (Optional) Set to `true` to enable the automated security fixes. | `bool` | `null` | no |
| [enable\_secret\_scanning](#input\_enable\_secret\_scanning) | (Optional) Use to enable or disable secret scanning for this repository. If set to `true`, the repository's visibility must be `public` or `enable_advanced_security` must also be `true`. | `bool` | `null` | no |
| [enable\_secret\_scanning\_push\_protection](#input\_enable\_secret\_scanning\_push\_protection) | (Optional) Use to enable or disable secret scanning push protection for this repository. If set to `true`, the repository's visibility must be `public` or `enable_advanced_security` must also be `true`. | `bool` | `null` | no |
| [enable\_vulnerability\_alerts](#input\_enable\_vulnerability\_alerts) | (Optional) Either `true` to enable vulnerability alerts, or `false` to disable vulnerability alerts. | `bool` | `null` | no |
| [environments](#input\_environments) | (Optional) The list of environments configuration of the repository (key: environment\_name) | <pre>map(object({<br>  wait_timer = optional(number)<br>  can_admins_bypass = optional(bool)<br>  prevent_self_review = optional(bool)<br>  reviewers_users = optional(set(string), [])<br>  reviewers_teams = optional(set(string), [])<br>  protected_branches = optional(bool)<br>  custom_branch_policies = optional(set(string))<br>  secrets = optional(map(object({<br>    encrypted_value = optional(string)<br>    plaintext_value = optional(string)<br>  })))<br>  variables = optional(map(string))<br>}))</pre> | `null` | no |
| [files](#input\_files) | (Optional) The list of files of the repository (key: file\_path) | <pre>map(object({<br>  content = optional(string)<br>  from_file = optional(string)<br>  branch = optional(string)<br>  commit_author = optional(string)<br>  commit_email = optional(string)<br>  commit_message = optional(string)<br>  overwrite_on_create = optional(bool, true)<br>}))</pre> | `null` | no |
| [gitignore\_template](#input\_gitignore\_template) | (Optional) Use the [name of the template](https://github.com/github/gitignore) without the extension. For example, `Haskell`. | `string` | `null` | no |
| [has\_downloads](#input\_has\_downloads) | (Optional) Whether downloads are enabled. | `bool` | `null` | no |
| [has\_issues](#input\_has\_issues) | (Optional) Either `true` to enable issues for this repository or `false` to disable them. | `bool` | `null` | no |
| [has\_projects](#input\_has\_projects) | (Optional) Either `true` to enable projects for this repository or `false` to disable them. **Note:** If you're creating a repository in an organization that has disabled repository projects, the default is `false`, and if you pass `true`, the API returns an error. | `bool` | `null` | no |
| [has\_wiki](#input\_has\_wiki) | (Optional) Either `true` to enable the wiki for this repository, `false` to disable it. | `bool` | `null` | no |
| [homepage](#input\_homepage) | (Optional) A URL with more information about the repository | `string` | `null` | no |
| [is\_template](#input\_is\_template) | (Optional) Either `true` to make this repo available as a template repository or `false` to prevent it. | `bool` | `null` | no |
| [issue\_labels](#input\_issue\_labels) | (Optional) The list of issue labels of the repository (key: `label_name`, arguments: `color` and `description`) | <pre>map(object({<br>  color = optional(string)<br>  description = optional(string)<br>}))</pre> | `null` | no |
| [license\_template](#input\_license\_template) | (Optional) Use the [name of the template](https://github.com/github/choosealicense.com/tree/gh-pages/_licenses) without the extension. For example, `mit` or `mpl-2.0`. | `string` | `null` | no |
| [merge\_commit\_message](#input\_merge\_commit\_message) | (Optional) Can be `PR_BODY`, `PR_TITLE`, or `BLANK` for a default merge commit message. Applicable only if `allow_merge_commit` is `true`. | `string` | `null` | no |
| [merge\_commit\_title](#input\_merge\_commit\_title) | (Optional) Can be `PR_TITLE` or `MERGE_MESSAGE` for a default merge commit title. Applicable only if `allow_merge_commit` is `true`. | `string` | `null` | no |
| [name](#input\_name) | (Required) The name of the repository. Changing this will rename the repository | `string` | n/a | yes |
| [pages](#input\_pages) | (Optional) The repository's GitHub Pages configuration. Supports the following: `source_branch` - (Optional) The repository branch used to publish the site's source files. (i.e. main or gh-pages).; `source_path` - (Optional) The repository directory from which the site publishes (Default: `/`).; `build_type` - (Optional) The type of GitHub Pages site to build. Can be `legacy` or `workflow`. If you use `legacy` as build type you need to set the option `source_branch`.; `cname` - (Optional) The custom domain for the repository. This can only be set after the repository has been created. | <pre>object({<br>  source_branch = optional(string)<br>  source_path = optional(string)<br>  build_type = optional(string, "workflow")<br>  cname = optional(string)<br>})</pre> | `null` | no |
| [private](#input\_private) | (Optional) Either true to make the repository private or false to make it public. Default: false. **Note:** You will get a 422 error if the organization restricts changing repository visibility to organization owners and a non-owner tries to change the value of private. | `bool` | `null` | no |
| [rulesets](#input\_rulesets) | (Optional) Repository rules | <pre>map(object({<br>  enforcement = optional(string, "active")<br>  target = optional(string, "branch")<br>  include = optional(set(string), [])<br>  exclude = optional(set(string), [])<br>  bypass_mode = optional(string, "always")<br>  bypass_organization_admin = optional(bool)<br>  bypass_roles = optional(set(string))<br>  bypass_teams = optional(set(string))<br>  bypass_integration = optional(set(string))<br>  regex_branch_name = optional(string)<br>  regex_tag_name = optional(string)<br>  regex_commit_author_email = optional(string)<br>  regex_committer_email = optional(string)<br>  regex_commit_message = optional(string)<br>  forbidden_creation = optional(bool)<br>  forbidden_deletion = optional(bool)<br>  forbidden_update = optional(bool)<br>  forbidden_fast_forward = optional(bool)<br>  dismiss_pr_stale_reviews_on_push = optional(bool)<br>  required_pr_code_owner_review = optional(bool)<br>  required_pr_last_push_approval = optional(bool)<br>  required_pr_approving_review_count = optional(number)<br>  required_pr_review_thread_resolution = optional(bool)<br>  required_deployment_environments = optional(set(string))<br>  required_linear_history = optional(bool)<br>  required_signatures = optional(bool)<br>  required_checks = optional(set(string))<br>  required_code_scanning = optional(map(object({ # index is name of tool<br>    alerts_threshold = optional(string)<br>    security_alerts_threshold = optional(string)<br>  })))<br>}))</pre> | `null` | no |
| [secrets](#input\_secrets) | (Optional) The list of secrets configuration of the repository (key: secret\_name) | <pre>map(object({<br>  encrypted_value = optional(string)<br>  plaintext_value = optional(string)<br>}))</pre> | `null` | no |
| [squash\_merge\_commit\_message](#input\_squash\_merge\_commit\_message) | (Optional) Can be `PR_BODY`, `COMMIT_MESSAGES`, or `BLANK` for a default squash merge commit message. Applicable only if `allow_squash_merge` is `true`. | `string` | `null` | no |
| [squash\_merge\_commit\_title](#input\_squash\_merge\_commit\_title) | (Optional) Can be `PR_TITLE` or `COMMIT_OR_PR_TITLE` for a default squash merge commit title. Applicable only if `allow_squash_merge` is `true`. | `string` | `null` | no |
| [teams](#input\_teams) | (Optional) The list of collaborators (teams) of the repository | `map(string)` | `null` | no |
| [template](#input\_template) | (Optional) Use a template repository to create this resource (owner/repo) | `string` | `null` | no |
| [template\_include\_all\_branches](#input\_template\_include\_all\_branches) | (Optional) Whether the new repository should include all the branches from the template repository (defaults to false, which includes only the default branch from the template). | `bool` | `null` | no |
| [topics](#input\_topics) | (Optional) A list of topics to set on the repository | `set(string)` | `null` | no |
| [users](#input\_users) | (Optional) The list of collaborators (users) of the repository | `map(string)` | `null` | no |
| [variables](#input\_variables) | (Optional) The list of variables configuration of the repository (key: variable\_name) | `map(string)` | `null` | no |
| [visibility](#input\_visibility) | (Optional) Can be `public` or `private` (or `internal` if your organization is associated with an enterprise account using GitHub Enterprise Cloud or GitHub Enterprise Server 2.20+). The visibility parameter overrides the `private` parameter. | `string` | `null` | no |
| [web\_commit\_signoff\_required](#input\_web\_commit\_signoff\_required) | (Optional) Require contributors to sign off on web-based commits. See more here. Defaults to `false` | `bool` | `null` | no |
| [webhooks](#input\_webhooks) | (Optional) The list of webhooks of the repository (key: webhook\_url) | <pre>map(object({<br>  content_type = string<br>  insecure_ssl = optional(bool, false)<br>  secret = optional(string)<br>  events = optional(set(string))<br>}))</pre> | `null` | no |

## Outputs

| Name | Description |
|------|-------------|
| [alias](#output\_alias) | Alias (used for renaming) |
| [repository](#output\_repository) | Created repository |

## Authors

Module is maintained by [Victor M. Varela](https://github.com/vmvarela).

## License

Apache 2 Licensed. See [LICENSE](https://github.com/vmvarela/terraform-github-repository/tree/master/LICENSE) for full details.