feat: use workspaces, file as an input, and test data

bruzina · bruzina · commit c0af300371ae · 2025-03-05T18:44:08.000+01:00
diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
@@ -16,6 +16,8 @@ env:
   GITHUB_APP_ID: ${{ vars.APP_ID }}
   GITHUB_APP_INSTALLATION_ID: ${{ vars.APP_INSTALLATION_ID }}
   GITHUB_APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }}
+  TF_WORKSPACE: ${{ vars.OWNER }}
+  TF_VAR_path: test.yaml
 
 jobs:
   terraform:
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # GitHub Organization as Code
 
-Manage your GitHub organization repositories with GitOps principles using YAML configuration, GitHub Actions, AWS S3 storage, and GitHub App integration—powered by Terraform.
+Manage your GitHub organization's repositories using GitOps principles with a YAML-based configuration, GitHub Actions with reusable workflows, AWS S3 for storage, and GitHub App integration.
 
 ## Features
 
@@ -16,8 +16,31 @@ This repository was automatically created and is continuously managed using the
 
 ## Installation and Configuration
 
+- Configure an AWS S3 bucket to store Terraform state files.
+- Set up a GitHub App and its installation to handle authentication and authorization for your GitHub Organization.
+- Implement GitOps by setting up a GitHub repository with:
+  - YAML-based configuration
+  - GitHub workflows
+  - Repository variables and secrets
+
+> [!caution]
+> The GitHub App PEM file, S3 API credentials, Terraform state, GitHub repository secrets, and configuration code are key security elements.
+
+### Set Up AWS S3 Bucket
+
 Set up an AWS S3 bucket or a compatible storage service.
 
+> [!important]
+> Ensure you have the following details ready:
+>
+> - Bucket Name
+> - Access Key ID
+> - Secret Access Key
+> - Region
+> - S3 Endpoint URL (only required for non-AWS S3-compatible services)
+
+### Set Up GitHub Organizations
+
 Create a GitHub App:
 
 - GitHub / *Organization* / Settings / Developer Settings / GitHub Apps / **New GitHub App**
@@ -48,6 +71,37 @@ Get the GitHub App credentials:
 
 - GitHub / *Organization* / Settings / Developer Settings / GitHub Apps / *Your GitHub App name* / General / Private keys / **Generate a private key**
 
+> [!important]
+> Ensure you have the following details ready:
+>
+> - GitHub Owner
+> - GitHub App ID
+> - GitHub App Installation ID
+> - GitHub App PEM File
+
+### Set Up GitHub Repository for GitHub Organization Management
+
+Create GitHub organization YAML configuration file. See [GitHub Organization YAML](#github-organization-yaml) below.
+
+For example:
+
+```yaml
+---
+repositories:
+  - name: .github
+    description: The organization profile.
+    topics:
+      - github-organization-profile
+      - github-profile
+      - github-profile-readme
+```
+
+Create GitHub workflow planning and applying configuration changes to the GitHub Organization:
+
+```yaml
+#TODO
+```
+
 Set up GitHub actions, variables and secrets:
 
 - GitHub / *Repository* / Settings
@@ -67,12 +121,14 @@ Set up GitHub actions, variables and secrets:
         - `AWS_REGION`
         - `OWNER` (`GITHUB_OWNER`)
 
-> [!caution]
-> The GitHub App PEM file, S3 API credentials, Terraform state, GitHub repository secrets, and configuration code are key security elements.
-
 ## Usage
 
-Edit the GitHub organization YAML configuration [`gh-org.yaml`](gh-org.yaml):
+The GitHub organization YAML configuration post a Terraform plan as a pull request comment whenever a pull request to the main branch is created or whenever a new commit to the pull request is pushed. Once the pull request is merged into `main`, the plan is applied automatically.
+
+> [!note]
+> The state is stored as JSON object `github/<github owner>/terraform.tfstate` in the bucket.
+
+### GitHub Organization YAML
 
 ```yaml
 ---
@@ -96,7 +152,7 @@ repositories:
 
 Defaults are the same as in the Terraform provider `github` resource `github_repository`, see [Terraform Registry / Providers / integrations / github / resources / github_repository](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository#argument-reference).
 
-Modify the Terraform backend configuration in [`config.tf`](config.tf) as needed.
+### Local Usage
 
 Apply the configuration using Terraform:
 
@@ -111,11 +167,20 @@ export GITHUB_APP_ID=<app-id>
 export GITHUB_APP_INSTALLATION_ID=<app-installation-id>
 export GITHUB_APP_PEM_FILE=$(cat <app-private-key.pem>)
 
+export TF_WORKSPACE="$GITHUB_OWNER"
+export TF_VAR_path="test.yaml"
+
 terraform init
 terraform plan
 terraform apply
 ```
 
+## Testing
+
+This repository is tested using [`test.yaml`](test.yaml) as the configuration file for the [Xebis Test GitHub Organization](https://github.com/xebis-test) settings and repositories.
+
+The workflow is designed to post a Terraform plan as a pull request comment whenever a pull request to the main branch is created or whenever a new commit to the pull request is pushed. Once the pull request is merged into `main`, the plan is applied automatically.
+
 ## Credits and Acknowledgments
 
 - Martin Bružina - Author
diff --git a/config.tf b/config.tf
@@ -8,9 +8,10 @@ terraform {
   }
 
   backend "s3" {
-    bucket       = "xebis-terraform"
-    key          = "github-xebis"
-    use_lockfile = true # Set to false only for non-AWS S3 compatible APIs without "conditional object PUTs" capability
+    bucket               = "xebis-terraform"
+    key                  = "terraform.tfstate"
+    workspace_key_prefix = "github"
+    use_lockfile         = true # Set to false only for non-AWS S3 compatible APIs without "conditional object PUTs" capability
 
     # Only for non-AWS S3 compatible APIs
     skip_credentials_validation = true
diff --git a/gh-org.yaml b/gh-org.yaml
diff --git a/input.tf b/input.tf
@@ -0,0 +1,8 @@
+variable "path" {
+  type        = string
+  description = "GitHub Organization configuration YAML"
+  validation {
+    condition     = fileexists(var.path)
+    error_message = "File ${var.path} doesn't exist."
+  }
+}
diff --git a/main.tf b/main.tf
@@ -1,5 +1,5 @@
 locals {
-  config             = yamldecode(file("gh-org.yaml"))
+  config             = yamldecode(file(var.path))
   default_properties = try(local.config.default-properties, null)
   repositories       = local.config.repositories
 }
diff --git a/test.yaml b/test.yaml
@@ -0,0 +1,8 @@
+---
+repositories:
+  - name: .github
+    description: Xebis Test organization profile.
+    topics:
+      - github-organization-profile
+      - github-profile
+      - github-profile-readme

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`locals {`
`2`		`- config = yamldecode(file("gh-org.yaml"))`
	`2`	`+ config = yamldecode(file(var.path))`
`3`	`3`	`default_properties = try(local.config.default-properties, null)`
`4`	`4`	`repositories = local.config.repositories`
`5`	`5`	`}`