feat: add github repository, rulesets, and branch protection rules

Author: fredleger

github/branch-protection/.terraform.lock.hcl

@@ -0,0 +1,4 @@
+plugin "terraform" {
+  enabled = true
+  preset  = "recommended"
+}

github/branch-protection/.tflint.hcl

@@ -0,0 +1 @@
+terraform 1.3.1

github/branch-protection/.tool-versions

@@ -0,0 +1,83 @@
+# GitHub repository branch protection rules
+
+Add branch protection rule to your GitHub repository
+
+## Authentication
+
+- you must create a github app or a classic token with admin rights
+- then add the following in your provider configuration :
+
+reference: https://registry.terraform.io/providers/integrations/github/latest/docs
+
+### using an app (recommended)
+
+```hcl
+provider "github" {
+  owner = var.github_organization
+  # set one of GITHUB_APP_ID, GITHUB_APP_INSTALLATION_ID, GITHUB_APP_PEM_FILE env var
+  app_auth {}
+}
+```
+
+### using a github token (classic)
+
+```hcl
+provider "github" {
+  owner = var.github_organization
+  # and set GITHUB_TOKEN env var in your shell
+}
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.3 |
+| <a name="requirement_github"></a> [github](#requirement\_github) | ~> 6.0 |
+| <a name="requirement_time"></a> [time](#requirement\_time) | ~> 0.9.1 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_github"></a> [github](#provider\_github) | ~> 6.0 |
+| <a name="provider_time"></a> [time](#provider\_time) | ~> 0.9.1 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [github_branch_protection.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection) | resource |
+| [time_static.last_update](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/static) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_allows_deletions"></a> [allows\_deletions](#input\_allows\_deletions) | Allow branch deletions | `bool` | `false` | no |
+| <a name="input_allows_force_pushes"></a> [allows\_force\_pushes](#input\_allows\_force\_pushes) | Allow force pushes | `bool` | `false` | no |
+| <a name="input_branch_pattern"></a> [branch\_pattern](#input\_branch\_pattern) | Branch name pattern to protect | `string` | `"main"` | no |
+| <a name="input_customer"></a> [customer](#input\_customer) | Customer for the current deployment | `string` | `""` | no |
+| <a name="input_enforce_admins"></a> [enforce\_admins](#input\_enforce\_admins) | Enforce required status checks for repository administrators | `bool` | `true` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | Environment for the current deployment | `string` | `""` | no |
+| <a name="input_force_push_bypassers"></a> [force\_push\_bypassers](#input\_force\_push\_bypassers) | List of actor IDs that can bypass force push restrictions | `any` | `[]` | no |
+| <a name="input_lock_branch"></a> [lock\_branch](#input\_lock\_branch) | Lock the branch | `bool` | `false` | no |
+| <a name="input_name"></a> [name](#input\_name) | The name of the branch protection rule | `string` | n/a | yes |
+| <a name="input_repository_id"></a> [repository\_id](#input\_repository\_id) | Name or id of the GitHub repository to protect | `string` | n/a | yes |
+| <a name="input_require_conversation_resolution"></a> [require\_conversation\_resolution](#input\_require\_conversation\_resolution) | Require conversation resolution before merging | `bool` | `true` | no |
+| <a name="input_require_signed_commits"></a> [require\_signed\_commits](#input\_require\_signed\_commits) | Require commits to be signed | `bool` | `true` | no |
+| <a name="input_required_linear_history"></a> [required\_linear\_history](#input\_required\_linear\_history) | Enforce a linear commit history | `bool` | `true` | no |
+| <a name="input_required_pull_request_reviews"></a> [required\_pull\_request\_reviews](#input\_required\_pull\_request\_reviews) | Require pull request reviews before merging | `any` | `{}` | no |
+| <a name="input_required_status_checks"></a> [required\_status\_checks](#input\_required\_status\_checks) | Require status checks to pass before merging | `any` | `{}` | no |
+| <a name="input_restrict_pushes"></a> [restrict\_pushes](#input\_restrict\_pushes) | Restrict who can push to the branch | `any` | `{}` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Default tags to add to resources | `map(any)` | `{}` | no |
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

github/branch-protection/README.md

@@ -0,0 +1,37 @@
+resource "github_branch_protection" "main" {
+  #checkov:skip=CKV_GIT_5:invalid - it's up to the user choice
+  repository_id                   = var.repository_id
+  pattern                         = var.branch_pattern
+  enforce_admins                  = var.enforce_admins
+  require_signed_commits          = var.require_signed_commits
+  required_linear_history         = var.required_linear_history
+  require_conversation_resolution = var.require_conversation_resolution
+  allows_deletions                = var.allows_deletions
+  allows_force_pushes             = var.allows_force_pushes
+  lock_branch                     = var.lock_branch
+  force_push_bypassers            = var.force_push_bypassers
+
+  dynamic "required_status_checks" {
+    for_each = var.required_status_checks != {} ? [var.required_status_checks] : []
+    content {
+      strict   = required_status_checks.strict
+      contexts = required_status_checks.contexts
+    }
+  }
+
+  dynamic "required_pull_request_reviews" {
+    for_each = var.required_pull_request_reviews != {} ? [var.required_pull_request_reviews] : []
+    content {
+      dismiss_stale_reviews  = required_pull_request_reviews.dismiss_stale_reviews
+      restrict_dismissals    = required_pull_request_reviews.restrict_dismissals
+      dismissal_restrictions = required_pull_request_reviews.dismissal_restrictions
+    }
+  }
+
+  dynamic "restrict_pushes" {
+    for_each = var.restrict_pushes != {} ? [var.restrict_pushes] : []
+    content {
+      push_allowances = restrict_pushes.push_allowances
+    }
+  }
+}

github/branch-protection/gh-branch-protection.tf

@@ -0,0 +1,15 @@
+locals {
+  # tflint-ignore: terraform_unused_declarations
+  interpolated_tags = merge({
+    "Name"           = var.name,
+    "Customer"       = var.customer,
+    "Environment"    = var.environment,
+    "ManagedBy"      = "Terraform",
+    "LastModifiedAt" = time_static.last_update.rfc3339,
+    },
+    var.tags
+  )
+}
+
+resource "time_static" "last_update" {
+}

github/branch-protection/main.tf

@@ -0,0 +1,16 @@
+terraform {
+  required_version = "~> 1.3"
+  required_providers {
+    time = {
+      source  = "hashicorp/time",
+      version = "~> 0.9.1"
+    }
+    github = {
+      source  = "integrations/github"
+      version = "~> 6.0"
+    }
+  }
+}
+
+provider "github" {
+}

github/branch-protection/outputs.tf

@@ -0,0 +1,100 @@
+variable "name" {
+  description = "The name of the branch protection rule"
+  type        = string
+}
+
+variable "customer" {
+  description = "Customer for the current deployment"
+  type        = string
+  default     = ""
+}
+
+variable "environment" {
+  description = "Environment for the current deployment"
+  type        = string
+  default     = ""
+}
+
+variable "tags" {
+  description = "Default tags to add to resources"
+  type        = map(any)
+  default     = {}
+}
+
+# module specific variables
+variable "repository_id" {
+  description = "Name or id of the GitHub repository to protect"
+  type        = string
+}
+
+variable "branch_pattern" {
+  description = "Branch name pattern to protect"
+  type        = string
+  default     = "main"
+}
+
+variable "enforce_admins" {
+  description = "Enforce required status checks for repository administrators"
+  type        = bool
+  default     = true
+}
+
+variable "required_status_checks" {
+  description = "Require status checks to pass before merging"
+  type        = any
+  default     = {}
+}
+
+variable "required_pull_request_reviews" {
+  description = "Require pull request reviews before merging"
+  type        = any
+  default     = {}
+}
+
+variable "restrict_pushes" {
+  description = "Restrict who can push to the branch"
+  type        = any
+  default     = {}
+}
+
+variable "force_push_bypassers" {
+  description = "List of actor IDs that can bypass force push restrictions"
+  type        = any
+  default     = []
+}
+
+variable "require_signed_commits" {
+  description = "Require commits to be signed"
+  type        = bool
+  default     = true
+}
+
+variable "required_linear_history" {
+  description = "Enforce a linear commit history"
+  type        = bool
+  default     = true
+}
+
+variable "require_conversation_resolution" {
+  description = "Require conversation resolution before merging"
+  type        = bool
+  default     = true
+}
+
+variable "allows_deletions" {
+  description = "Allow branch deletions"
+  type        = bool
+  default     = false
+}
+
+variable "allows_force_pushes" {
+  description = "Allow force pushes"
+  type        = bool
+  default     = false
+}
+
+variable "lock_branch" {
+  description = "Lock the branch"
+  type        = bool
+  default     = false
+}