Merge pull request #244 from stephanosio/github-zephyrproject-rtos

terraform: Add github-zephyrproject-rtos manifests

Author: stephanosio

terraform/README.md

@@ -32,3 +32,8 @@ configuration files for the Zephyr infrastructure components.
     * Production Kubernetes cluster for Zephyr infrastructure services.
     * Hosted on Hetzner Rancher Server.
     * Terraform plan and applies are locally executed with Terraform Cloud state backend.
+
+* github-zephyrproject-rtos
+
+    * Defines the GitHub `zephyrproject-rtos` organisation resources.
+    * Terraform plan and applies are remotely executed on the Terraform Cloud.

terraform/github-zephyrproject-rtos/.terraform.lock.hcl

@@ -0,0 +1,48 @@
+# github-zephyrproject-rtos
+
+## Overview
+
+This directory contains the Terraform manifests that define the resources in the
+GitHub `zephyrproject-rtos` organisation.
+
+The resources defined in this directory include GitHub members, repositories and
+teams.
+
+## Modules
+
+### repository
+
+The `repository` module defines the repository configurations and collaborators
+for the managed GitHub repositories in the `zephyrproject-rtos` organisation.
+
+The configurations managed by the `repository` module include:
+
+* Repository name and description
+* Features (issues, discussions, projects, wiki)
+* Default branch
+* Pull request merge methods
+* Repository collaborators
+* Branch protection rules
+* Rulesets
+* Actions permissions
+
+In order to synchronise the repository configurations, run the following
+command:
+
+```
+terraform apply -target=module.repository
+```
+
+### team
+
+The `team` module defines the GitHub teams and their members in the
+`zephyrproject-rtos` organisation.
+
+In order to synchronise the team configurations, run the following command:
+
+```
+terraform apply -taget=module.team
+```
+
+Note that the team members who have not accepted the invitation are considered
+"not-applied" and will show up as required changes during `terraform apply`.

terraform/github-zephyrproject-rtos/README.md

@@ -0,0 +1,20 @@
+# HashiCorp Vault Secrets zephyr-secrets Vault
+data "hcp_vault_secrets_app" "zephyr_secrets" {
+  app_name = "zephyr-secrets"
+}
+
+# GitHub provider
+provider "github" {
+  owner = "zephyrproject-rtos"
+}
+
+# 'team' module defines GitHub teams and their members
+module "team" {
+  source = "./team"
+}
+
+# 'repository' module defines GitHub repository configurations and
+# collaborators
+module "repository" {
+  source = "./repository"
+}

terraform/github-zephyrproject-rtos/main.tf

@@ -0,0 +1,48 @@
+locals {
+  repository_members_path = "repository/repository-members"
+  repository_members_files = {
+    for file in fileset(local.repository_members_path, "*.csv") :
+    trimsuffix(file, ".csv") => csvdecode(file("${local.repository_members_path}/${file}"))
+  }
+  global_teams = [
+    "infrastructure"
+  ]
+}
+
+resource "github_repository_collaborators" "members" {
+  for_each = local.repository_members_files
+
+  repository = each.key
+
+  dynamic "user" {
+    for_each = {
+      for u in local.repository_members_files[each.key] :
+      u.id => u if u.type == "user"
+    }
+
+    content {
+      username = user.value.id
+      permission = user.value.permission
+    }
+  }
+
+  dynamic "team" {
+    for_each = {
+      for t in local.repository_members_files[each.key] :
+      t.id => t if t.type == "team"
+    }
+
+    content {
+      team_id = team.value.id
+      permission = team.value.permission
+    }
+  }
+
+  dynamic "ignore_team" {
+    for_each = local.global_teams
+
+    content {
+      team_id = ignore_team.value
+    }
+  }
+}

terraform/github-zephyrproject-rtos/repository/repository-members.tf

@@ -0,0 +1,6 @@
+type,id,permission
+team,maintainers,triage
+team,release,triage
+team,sdk,push
+user,nashif,admin
+user,stephanosio,admin

terraform/github-zephyrproject-rtos/repository/repository-members/sdk-ng.csv

@@ -0,0 +1,177 @@
+resource "github_repository" "sdk-ng" {
+  name = "sdk-ng"
+  description = "Zephyr SDK (Toolchains, Development Tools)"
+
+  has_issues = true
+  has_discussions = true
+  has_projects = true
+  has_wiki = true
+  has_downloads = true
+
+  allow_merge_commit = false
+  allow_squash_merge = false
+  allow_rebase_merge = true
+  allow_auto_merge = false
+  allow_update_branch = true
+}
+
+# Default branch
+resource "github_branch_default" "sdk-ng" {
+  repository = github_repository.sdk-ng.name
+  branch = github_branch.sdk-ng-main.branch
+}
+
+# Actions
+resource "github_actions_repository_permissions" "sdk-ng" {
+  allowed_actions = "all"
+  repository = github_repository.sdk-ng.name
+}
+
+# Branches
+resource "github_branch" "sdk-ng-main" {
+  branch = "main"
+  repository = github_repository.sdk-ng.name
+}
+
+# Branch Protection Rules
+resource "github_branch_protection" "sdk-ng-main" {
+  pattern = "main"
+
+  enforce_admins = false
+
+  require_conversation_resolution = false
+  require_signed_commits = false
+  required_linear_history = true
+  lock_branch = false
+
+  allows_force_pushes = false
+  allows_deletions = false
+
+  required_pull_request_reviews {
+    required_approving_review_count = 1
+    dismiss_stale_reviews = false
+    require_code_owner_reviews = false
+    require_last_push_approval = false
+  }
+
+  required_status_checks {
+    strict = false
+    contexts = ["Test Result"]
+  }
+
+  restrict_pushes {
+    blocks_creations = true
+    push_allowances = [
+      # Only allow users with "Maintain" access level to push.
+    ]
+  }
+
+  repository_id = github_repository.sdk-ng.node_id
+}
+
+resource "github_branch_protection" "sdk-ng-vx-branch" {
+  pattern = "v*-branch"
+
+  require_conversation_resolution = false
+  require_signed_commits = false
+  required_linear_history = true
+  lock_branch = false
+  enforce_admins = false
+
+  allows_force_pushes = false
+  allows_deletions = false
+
+  required_pull_request_reviews {
+    required_approving_review_count = 1
+    dismiss_stale_reviews = false
+    require_code_owner_reviews = false
+    require_last_push_approval = false
+  }
+
+  required_status_checks {
+    strict = false
+    contexts = ["Test Result"]
+  }
+
+  restrict_pushes {
+    blocks_creations = true
+    push_allowances = [
+      # Only allow users with "Maintain" access level to push.
+    ]
+  }
+
+  repository_id = github_repository.sdk-ng.node_id
+}
+
+# Rulesets
+resource "github_repository_ruleset" "sdk-ng-block-release-tag-modification" {
+  name = "Block release tag modification"
+  target = "tag"
+  enforcement = "active"
+
+  conditions {
+    ref_name {
+      include = ["refs/tags/v*"]
+      exclude = []
+    }
+  }
+
+  rules {
+    # Restrict creations
+    creation = false
+    # Restrict updates
+    update = true
+    # Restrict deletions
+    deletion = true
+    # Require linear history
+    required_linear_history = false
+    # Require signed commits
+    required_signatures = false
+    # Block force pushes
+    non_fast_forward = true
+  }
+
+  repository = github_repository.sdk-ng.name
+}
+
+resource "github_repository_ruleset" "sdk-ng-restrict-release-tag-creation" {
+  name = "Restrict release tag creation"
+  target = "tag"
+  enforcement = "active"
+
+  conditions {
+    ref_name {
+      include = ["refs/tags/v*"]
+      exclude = []
+    }
+  }
+
+  rules {
+    # Restrict creations
+    creation = true
+    # Restrict updates
+    update = false
+    # Restrict deletions
+    deletion = false
+    # Require linear history
+    required_linear_history = false
+    # Require signed commits
+    required_signatures = false
+    # Block force pushes
+    non_fast_forward = false
+  }
+
+  bypass_actors {
+    actor_type = "RepositoryRole"
+    actor_id = "2" # Maintain
+    bypass_mode = "always"
+  }
+
+  bypass_actors {
+    actor_type = "RepositoryRole"
+    actor_id = "5" # Repository admin
+    bypass_mode = "always"
+  }
+
+  repository = github_repository.sdk-ng.name
+}

terraform/github-zephyrproject-rtos/repository/repository-sdk-ng.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 0.14.0"
+
+  required_providers {
+    github = {
+      source  = "integrations/github"
+      version = "~> 6.0"
+    }
+  }
+}