From 052fc0f01edcfeb64080033cb6171021b54f956f Mon Sep 17 00:00:00 2001 From: Soren Martius Date: Mon, 13 Jan 2020 13:33:11 +0100 Subject: [PATCH 1/6] change branch_protection_rules to nested object structure --- .../main.tf | 12 ++-- main.tf | 64 +++++++++---------- 2 files changed, 37 insertions(+), 39 deletions(-) diff --git a/examples/public-repository-complete-example/main.tf b/examples/public-repository-complete-example/main.tf index b318ddd3..98227ac1 100644 --- a/examples/public-repository-complete-example/main.tf +++ b/examples/public-repository-complete-example/main.tf @@ -76,23 +76,23 @@ module "repository" { enforce_admins = true require_signed_commits = true - required_status_checks = [{ + required_status_checks = { strict = true contexts = ["ci/travis"] - }] + } - required_pull_request_reviews = [{ + required_pull_request_reviews = { dismiss_stale_reviews = true dismissal_users = ["terraform-test-user-1"] dismissal_teams = [github_team.team.slug] require_code_owner_reviews = true required_approving_review_count = 1 - }] + } - restrictions = [{ + restrictions = { users = ["terraform-test-user"] teams = ["team-1"] - }] + } } ] diff --git a/main.tf b/main.tf index 873a1cf7..1ee397d8 100644 --- a/main.tf +++ b/main.tf @@ -29,33 +29,34 @@ locals { }, b) ] + required_status_checks = [ for b in local.branch_protection_rules : [ - for r in b.required_status_checks : merge({ + merge({ strict = null contexts = [] - }, r) + }, b.required_status_checks) ] ] required_pull_request_reviews = [ for b in local.branch_protection_rules : [ - for r in b.required_pull_request_reviews : merge({ + merge({ dismiss_stale_reviews = true dismissal_users = [] dismissal_teams = [] require_code_owner_reviews = null required_approving_review_count = null - }, r) + }, b.required_pull_request_reviews) ] ] restrictions = [ for b in local.branch_protection_rules : [ - for r in b.restrictions : merge({ + merge({ users = [] teams = [] - }, r) + }, b.restrictions) ] ] } 
@@ -107,34 +108,22 @@ resource "github_branch_protection" "branch_protection_rule" { enforce_admins = local.branch_protection_rules[count.index].enforce_admins require_signed_commits = local.branch_protection_rules[count.index].require_signed_commits - dynamic "required_status_checks" { - for_each = local.required_status_checks[count.index] - - content { - strict = required_status_checks.value.strict - contexts = required_status_checks.value.contexts - } + required_status_checks { + strict = local.branch_protection_rules[count.index].required_status_checks.strict + contexts = local.branch_protection_rules[count.index].required_status_checks.contexts } - dynamic "required_pull_request_reviews" { - for_each = local.required_pull_request_reviews[count.index] - - content { - dismiss_stale_reviews = required_pull_request_reviews.value.dismiss_stale_reviews - dismissal_users = required_pull_request_reviews.value.dismissal_users - dismissal_teams = required_pull_request_reviews.value.dismissal_teams - require_code_owner_reviews = required_pull_request_reviews.value.require_code_owner_reviews - required_approving_review_count = required_pull_request_reviews.value.required_approving_review_count - } + required_pull_request_reviews { + dismiss_stale_reviews = local.branch_protection_rules[count.index].required_pull_request_reviews.dismiss_stale_reviews + dismissal_users = local.branch_protection_rules[count.index].required_pull_request_reviews.dismissal_users + dismissal_teams = local.branch_protection_rules[count.index].required_pull_request_reviews.dismissal_teams + require_code_owner_reviews = local.branch_protection_rules[count.index].required_pull_request_reviews.require_code_owner_reviews + required_approving_review_count = local.branch_protection_rules[count.index].required_pull_request_reviews.required_approving_review_count } - dynamic "restrictions" { - for_each = local.restrictions[count.index] - - content { - users = restrictions.value.users - teams = 
restrictions.value.teams - } + restrictions { + users = local.branch_protection_rules[count.index].restrictions.users + teams = local.branch_protection_rules[count.index].restrictions.teams } } @@ -179,9 +168,18 @@ resource "github_repository_collaborator" "collaborator" { # Repository teams # locals { - team_admin = [for i in var.admin_team_ids : { team_id = i, permission = "admin" }] - team_push = [for i in var.push_team_ids : { team_id = i, permission = "push" }] - team_pull = [for i in var.pull_team_ids : { team_id = i, permission = "pull" }] + team_admin = [for i in var.admin_team_ids : { + team_id = i, + permission = "admin" + }] + team_push = [for i in var.push_team_ids : { + team_id = i, + permission = "push" + }] + team_pull = [for i in var.pull_team_ids : { + team_id = i, + permission = "pull" + }] teams = concat(local.team_admin, local.team_push, local.team_pull) } From 7476adc51d240c9cc07d2ecbab784484a0a325e3 Mon Sep 17 00:00:00 2001 From: Soren Martius Date: Mon, 13 Jan 2020 13:36:45 +0100 Subject: [PATCH 2/6] fix branch_protection_rules example syntax --- variables.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/variables.tf b/variables.tf index 6b031c86..5b426476 100644 --- a/variables.tf +++ b/variables.tf @@ -202,23 +202,23 @@ variable "branch_protection_rules" { # enforce_admins = true # require_signed_commits = true # - # required_status_checks = [{ + # required_status_checks = { # strict = false # contexts = ["ci/travis"] - # }] + # } # - # required_pull_request_reviews = [{ + # required_pull_request_reviews = { # dismiss_stale_reviews = true # dismissal_users = ["user1", "user2"] # dismissal_teams = ["team-slug-1", "team-slug-2"] # require_code_owner_reviews = true # required_approving_review_count = 1 - # }] + # } # - # restrictions = [{ + # restrictions = { # users = ["user1"] # teams = ["team-slug-1"] - # }] + # } # } # ] } From 91aab3163b19acd448a6fed263172c525cb34c98 Mon Sep 17 00:00:00 2001 
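Review bot: In PATCH 1/6, hunk `@@ -107,34 +108,22 @@` of main.tf, turning the three `dynamic` blocks into static ones means `required_status_checks`, `required_pull_request_reviews` and `restrictions` are rendered for every rule, including rules that leave them out. With the old `for_each` over a list defaulting to `[]`, an omitted setting produced no block; now a rule that only sets `enforce_admins` also gets a `required_pull_request_reviews` block and a `restrictions` block without users or teams, which the provider may apply as a review requirement and a push restriction that nobody satisfies (to be confirmed with a plan). Keeping the blocks `dynamic` and gating them on whether the caller set the key keeps protections opt-in, for example with a `null` default and `for_each = local.branch_protection_rules[count.index].restrictions != null ? [1] : []`. The same applies to the rewritten blocks in PATCH 3/6 (`@@ -78,21 +78,21 @@`) and PATCH 6/6 (`@@ -91,8 +91,8 @@`); the resource body starts outside the hunk.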
From: Soren Martius Date: Mon, 13 Jan 2020 13:45:54 +0100 Subject: [PATCH 3/6] switch to lookup syntax --- main.tf | 49 +++++++++---------------------------------------- 1 file changed, 9 insertions(+), 40 deletions(-) diff --git a/main.tf b/main.tf index 1ee397d8..e2dc334b 100644 --- a/main.tf +++ b/main.tf @@ -28,37 +28,6 @@ locals { restrictions = [] }, b) ] - - - required_status_checks = [ - for b in local.branch_protection_rules : [ - merge({ - strict = null - contexts = [] - }, b.required_status_checks) - ] - ] - - required_pull_request_reviews = [ - for b in local.branch_protection_rules : [ - merge({ - dismiss_stale_reviews = true - dismissal_users = [] - dismissal_teams = [] - require_code_owner_reviews = null - required_approving_review_count = null - }, b.required_pull_request_reviews) - ] - ] - - restrictions = [ - for b in local.branch_protection_rules : [ - merge({ - users = [] - teams = [] - }, b.restrictions) - ] - ] } resource "github_repository" "repository" { 
@@ -109,21 +78,21 @@ resource "github_branch_protection" "branch_protection_rule" { require_signed_commits = local.branch_protection_rules[count.index].require_signed_commits required_status_checks { - strict = local.branch_protection_rules[count.index].required_status_checks.strict - contexts = local.branch_protection_rules[count.index].required_status_checks.contexts + strict = lookup(local.branch_protection_rules[count.index].required_status_checks, "strict", null) + contexts = lookup(local.branch_protection_rules[count.index].required_status_checks, "contexts", []) } required_pull_request_reviews { - dismiss_stale_reviews = local.branch_protection_rules[count.index].required_pull_request_reviews.dismiss_stale_reviews - dismissal_users = local.branch_protection_rules[count.index].required_pull_request_reviews.dismissal_users - dismissal_teams = local.branch_protection_rules[count.index].required_pull_request_reviews.dismissal_teams - require_code_owner_reviews = local.branch_protection_rules[count.index].required_pull_request_reviews.require_code_owner_reviews - required_approving_review_count = local.branch_protection_rules[count.index].required_pull_request_reviews.required_approving_review_count + dismiss_stale_reviews = lookup(local.branch_protection_rules[count.index].required_pull_request_reviews, "dismiss_stale_reviews", true) + dismissal_users = lookup(local.branch_protection_rules[count.index].required_pull_request_reviews, "dismissal_users", []) + dismissal_teams = lookup(local.branch_protection_rules[count.index].required_pull_request_reviews, "dismissal_teams", []) + require_code_owner_reviews = lookup(local.branch_protection_rules[count.index].required_pull_request_reviews, "require_code_owner_reviews", null) + required_approving_review_count = lookup(local.branch_protection_rules[count.index].required_pull_request_reviews, "required_approving_review_count", null) } restrictions { - users = 
local.branch_protection_rules[count.index].restrictions.users - teams = local.branch_protection_rules[count.index].restrictions.teams + users = lookup(local.branch_protection_rules[count.index].restrictions, "users", []) + teams = lookup(local.branch_protection_rules[count.index].restrictions, "teams", []) } } From cfb0ea24d965386933ec71db7c8a2bdfcdb847ea Mon Sep 17 00:00:00 2001 From: Soren Martius Date: Mon, 13 Jan 2020 14:49:28 +0100 Subject: [PATCH 4/6] set type to nested object instead of array --- main.tf | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/main.tf b/main.tf index e2dc334b..46b2a864 100644 --- a/main.tf +++ b/main.tf @@ -20,12 +20,24 @@ locals { locals { branch_protection_rules = [ for b in var.branch_protection_rules : merge({ - branch = null - enforce_admins = null - require_signed_commits = null - required_status_checks = [] - required_pull_request_reviews = [] - restrictions = [] + branch = null + enforce_admins = null + require_signed_commits = null + required_status_checks = { + strict = null + contexts = [] + } + required_pull_request_reviews = { + dismiss_stale_reviews = true + dismissal_users = [] + dismissal_teams = [] + require_code_owner_reviews = null + required_approving_review_count = null + } + restrictions = { + users = [] + teams = [] + } }, b) ] } From e8c886f2547a4b9502e3ef5938b676f1fe10365d Mon Sep 17 00:00:00 2001 From: Soren Martius Date: Mon, 13 Jan 2020 17:05:48 +0100 Subject: [PATCH 5/6] run terraform fmt --- main.tf | 24 ++++++------------------ 1 file changed, 6 insertions(+), 18 deletions(-) diff --git a/main.tf b/main.tf index 46b2a864..9e7b8533 100644 --- a/main.tf +++ b/main.tf 
@@ -20,24 +20,12 @@ locals { locals { branch_protection_rules = [ for b in var.branch_protection_rules : merge({ - branch = null - enforce_admins = null - require_signed_commits = null - required_status_checks = { - strict = null - contexts = [] - } - required_pull_request_reviews = { - dismiss_stale_reviews = true - dismissal_users = [] - dismissal_teams = [] - require_code_owner_reviews = null - required_approving_review_count = null - } - restrictions = { - users = [] - teams = [] - } + branch = null + enforce_admins = null + require_signed_commits = null + required_status_checks = {} + required_pull_request_reviews = {} + restrictions = {} }, b) ] } From 0da9ab662237629627bfe706ef8f2955f348fcf3 Mon Sep 17 00:00:00 2001 From: Soren Martius Date: Mon, 13 Jan 2020 17:16:34 +0100 Subject: [PATCH 6/6] inline format --- main.tf | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/main.tf b/main.tf index 9e7b8533..89a6b7cc 100644 --- a/main.tf +++ b/main.tf @@ -91,8 +91,8 @@ resource "github_branch_protection" "branch_protection_rule" { } restrictions { - users = lookup(local.branch_protection_rules[count.index].restrictions, "users", []) - teams = lookup(local.branch_protection_rules[count.index].restrictions, "teams", []) + users = lookup(local.branch_protection_rules[count.index].restrictions, "users", null) + teams = lookup(local.branch_protection_rules[count.index].restrictions, "teams", null) } } 
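Review bot: In PATCH 5/6, hunk `@@ -20,24 +20,12 @@` of main.tf, the nested default objects for `required_status_checks`, `required_pull_request_reviews` and `restrictions` are replaced with `{}`, which is a change of values under a commit titled "run terraform fmt". After this hunk the effective defaults, including `dismiss_stale_reviews = true`, exist only as the fallback arguments of the `lookup(...)` calls in `github_branch_protection.branch_protection_rule`, and nothing in `locals` says so. I would add a comment above the `merge`, such as `# nested defaults are supplied by the lookup() calls in github_branch_protection.branch_protection_rule`, and describe the change in the commit message.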
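Review bot: In PATCH 6/6, hunk `@@ -91,8 +91,8 @@` of main.tf, the fallback for `restrictions.users` and `restrictions.teams` changes from `[]` to `null` in a commit titled "inline format"; that alters push-restriction behaviour rather than formatting. Because the `restrictions` block is rendered for every rule, how the provider treats `users = null` compared with `users = []` decides who may push to a protected branch when the caller defines no restrictions, so it should be checked with a plan for a rule that omits `restrictions`. I would move the change into its own commit and add a comment next to the two lookups, for example `# null: leave users/teams unset when the rule defines no restrictions`. The resource body starts outside the hunk.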
@@ -137,18 +137,9 @@ resource "github_repository_collaborator" "collaborator" { # Repository teams # locals { - team_admin = [for i in var.admin_team_ids : { - team_id = i, - permission = "admin" - }] - team_push = [for i in var.push_team_ids : { - team_id = i, - permission = "push" - }] - team_pull = [for i in var.pull_team_ids : { - team_id = i, - permission = "pull" - }] + team_admin = [for i in var.admin_team_ids : { team_id = i, permission = "admin" }] + team_push = [for i in var.push_team_ids : { team_id = i, permission = "push" }] + team_pull = [for i in var.pull_team_ids : { team_id = i, permission = "pull" }] teams = concat(local.team_admin, local.team_push, local.team_pull) }