feat: custom roles, secrets, dependabot secrets, variables

Victor M. Varela · Victor M. Varela · commit aec54f0e0f91 · 2025-03-19T20:33:23.000Z
diff --git a/README.md b/README.md
@@ -41,12 +41,16 @@ No modules.
 |------|------|
 | [github_actions_organization_secret.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_secret) | resource |
 | [github_actions_organization_variable.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
+| [github_actions_runner_group.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_runner_group) | resource |
 | [github_dependabot_organization_secret.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/dependabot_organization_secret) | resource |
-| [github_membership.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/membership) | resource |
 | [github_organization_block.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/organization_block) | resource |
+| [github_organization_custom_role.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/organization_custom_role) | resource |
+| [github_organization_ruleset.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/organization_ruleset) | resource |
 | [github_organization_settings.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/organization_settings) | resource |
 | [github_organization_webhook.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/organization_webhook) | resource |
-| [github_repository.this](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source |
+| [github_organization.this](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/organization) | data source |
+| [github_organization_teams.this](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/organization_teams) | data source |
+| [github_repositories.this](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repositories) | data source |
 
 ## Inputs
 
@@ -56,14 +60,20 @@ No modules.
 | <a name="input_blocked"></a> [blocked](#input\_blocked) | (Optional) allows you to create and manage blocks for GitHub organizations. | `set(string)` | `null` | no |
 | <a name="input_blog"></a> [blog](#input\_blog) | (Optional) URL of organization blog | `string` | `null` | no |
 | <a name="input_company"></a> [company](#input\_company) | (Optional) The company name. | `string` | `null` | no |
+| <a name="input_custom_roles"></a> [custom\_roles](#input\_custom\_roles) | (Optional) The list of custom roles of the organization (key: role\_name) | <pre>map(object({<br/>    description = optional(string)<br/>    base_role   = string<br/>    permissions = set(string)<br/>  }))</pre> | `null` | no |
 | <a name="input_default_repository_permission"></a> [default\_repository\_permission](#input\_default\_repository\_permission) | (Optional) Default permission level members have for organization repositories. Can be one of `read`, `write`, `admin`, or `none`. | `string` | `null` | no |
 | <a name="input_dependabot_secrets"></a> [dependabot\_secrets](#input\_dependabot\_secrets) | (Optional) The list of dependabot secrets configuration of the organization (key: secret\_name) | <pre>map(object({<br/>    encrypted_value = optional(string, null)<br/>    plaintext_value = optional(string, null)<br/>    visibility      = optional(string, null)<br/>    repositories    = optional(set(string), [])<br/>  }))</pre> | `{}` | no |
 | <a name="input_description"></a> [description](#input\_description) | (Optional) The description of the company. The maximum size is 160 characters. | `string` | `null` | no |
 | <a name="input_email"></a> [email](#input\_email) | (Optional) The publicly visible email address. | `string` | `null` | no |
+| <a name="input_enable_advanced_security"></a> [enable\_advanced\_security](#input\_enable\_advanced\_security) | (Optional) Use to enable or disable GitHub Advanced Security for new repositories. | `bool` | `null` | no |
+| <a name="input_enable_dependabot_security_updates"></a> [enable\_dependabot\_security\_updates](#input\_enable\_dependabot\_security\_updates) | (Optional) Set to `true` to enable the automated security fixes for new repositories. | `bool` | `null` | no |
+| <a name="input_enable_secret_scanning"></a> [enable\_secret\_scanning](#input\_enable\_secret\_scanning) | (Optional) Use to enable or disable secret scanning for new repositories. | `bool` | `null` | no |
+| <a name="input_enable_secret_scanning_push_protection"></a> [enable\_secret\_scanning\_push\_protection](#input\_enable\_secret\_scanning\_push\_protection) | (Optional) Use to enable or disable secret scanning push protection for new repositories. If set to `true`, the repository's visibility must be `public` or `enable_advanced_security` must also be `true`. | `bool` | `null` | no |
+| <a name="input_enable_vulnerability_alerts"></a> [enable\_vulnerability\_alerts](#input\_enable\_vulnerability\_alerts) | (Optional) Either `true` to enable vulnerability alerts, or `false` to disable vulnerability alerts for new repositories. | `bool` | `null` | no |
+| <a name="input_enterprise"></a> [enterprise](#input\_enterprise) | (Optional) True if the organization is associated with an enterprise account. | `bool` | `false` | no |
 | <a name="input_has_organization_projects"></a> [has\_organization\_projects](#input\_has\_organization\_projects) | (Optional) Whether an organization can use organization projects. | `bool` | `null` | no |
 | <a name="input_has_repository_projects"></a> [has\_repository\_projects](#input\_has\_repository\_projects) | (Optional) Whether repositories that belong to the organization can use repository projects. | `bool` | `null` | no |
 | <a name="input_location"></a> [location](#input\_location) | (Optional) The location. | `string` | `null` | no |
-| <a name="input_members"></a> [members](#input\_members) | (Optional) allows you to add/remove users from your organization. When applied, an invitation will be sent to the user to become part of the organization. When destroyed, either the invitation will be cancelled or the user will be removed. | `map(string)` | `null` | no |
 | <a name="input_members_can_create_internal_repositories"></a> [members\_can\_create\_internal\_repositories](#input\_members\_can\_create\_internal\_repositories) | (Optional) Whether organization members can create internal repositories, which are visible to all enterprise members. You can only allow members to create internal repositories if your organization is associated with an enterprise account using GitHub Enterprise Cloud or GitHub Enterprise Server 2.20+. | `bool` | `null` | no |
 | <a name="input_members_can_create_pages"></a> [members\_can\_create\_pages](#input\_members\_can\_create\_pages) | (Optional) Whether organization members can create GitHub Pages sites. Existing published sites will not be impacted. | `bool` | `null` | no |
 | <a name="input_members_can_create_private_pages"></a> [members\_can\_create\_private\_pages](#input\_members\_can\_create\_private\_pages) | (Optional) Whether organization members can create private GitHub Pages sites. Existing published sites will not be impacted. | `bool` | `null` | no |
@@ -73,7 +83,9 @@ No modules.
 | <a name="input_members_can_create_repositories"></a> [members\_can\_create\_repositories](#input\_members\_can\_create\_repositories) | (Optional) Whether of non-admin organization members can create repositories. | `bool` | `null` | no |
 | <a name="input_members_can_fork_private_repositories"></a> [members\_can\_fork\_private\_repositories](#input\_members\_can\_fork\_private\_repositories) | (Optional) Whether organization members can fork private organization repositories. | `bool` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | (Optional) The shorthand name of the company. | `string` | `null` | no |
-| <a name="input_rulesets"></a> [rulesets](#input\_rulesets) | (Optional) Organization rules | <pre>map(object({<br/>    enforcement                          = optional(string, "active")<br/>    target                               = optional(string, "branch")<br/>    include                              = optional(set(string), [])<br/>    exclude                              = optional(set(string), [])<br/>    repositories_include                 = optional(set(string), [])<br/>    repositories_exclude                 = optional(set(string), [])<br/>    bypass_mode                          = optional(string, "always")<br/>    bypass_organization_admin            = optional(bool)<br/>    bypass_roles                         = optional(set(string))<br/>    bypass_teams                         = optional(set(string))<br/>    bypass_integration                   = optional(set(string))<br/>    regex_branch_name                    = optional(string)<br/>    regex_tag_name                       = optional(string)<br/>    regex_commit_author_email            = optional(string)<br/>    regex_committer_email                = optional(string)<br/>    regex_commit_message                 = optional(string)<br/>    forbidden_creation                   = optional(bool)<br/>    forbidden_deletion                   = optional(bool)<br/>    forbidden_update                     = optional(bool)<br/>    forbidden_fast_forward               = optional(bool)<br/>    dismiss_pr_stale_reviews_on_push     = optional(bool)<br/>    required_pr_code_owner_review        = optional(bool)<br/>    required_pr_last_push_approval       = optional(bool)<br/>    required_pr_approving_review_count   = optional(number)<br/>    required_pr_review_thread_resolution = optional(bool)<br/>    required_workflows                   = optional(set(string), [])<br/>    required_linear_history              = optional(bool)<br/>    required_signatures                  = optional(bool)<br/>    required_checks                      = optional(set(string))<br/>    required_code_scanning = optional(map(object({ # index is name of tool<br/>      alerts_threshold          = optional(string)<br/>      security_alerts_threshold = optional(string)<br/>    })))<br/>  }))</pre> | `null` | no |
+| <a name="input_organization"></a> [organization](#input\_organization) | (Required) Org name. | `string` | `false` | no |
+| <a name="input_rulesets"></a> [rulesets](#input\_rulesets) | (Optional) Organization rules | <pre>map(object({<br/>    enforcement = optional(string, "active")<br/>    rules = optional(object({<br/>      branch_name_pattern = optional(object({<br/>        operator = optional(string)<br/>        pattern  = optional(string)<br/>        name     = optional(string)<br/>        negate   = optional(bool)<br/>      }))<br/>      commit_author_email_pattern = optional(object({<br/>        operator = optional(string)<br/>        pattern  = optional(string)<br/>        name     = optional(string)<br/>        negate   = optional(bool)<br/>      }))<br/>      commit_message_pattern = optional(object({<br/>        operator = optional(string)<br/>        pattern  = optional(string)<br/>        name     = optional(string)<br/>        negate   = optional(bool)<br/>      }))<br/>      committer_email_pattern = optional(object({<br/>        operator = optional(string)<br/>        pattern  = optional(string)<br/>        name     = optional(string)<br/>        negate   = optional(bool)<br/>      }))<br/>      creation         = optional(bool)<br/>      deletion         = optional(bool)<br/>      non_fast_forward = optional(bool)<br/>      pull_request = optional(object({<br/>        dismiss_stale_reviews_on_push     = optional(bool)<br/>        require_code_owner_review         = optional(bool)<br/>        require_last_push_approval        = optional(bool)<br/>        required_approving_review_count   = optional(number)<br/>        required_review_thread_resolution = optional(bool)<br/>      }))<br/>      required_workflows = optional(list(object({<br/>        repository = string<br/>        path       = string<br/>        ref        = optional(string)<br/>      })))<br/>      required_linear_history              = optional(bool)<br/>      required_signatures                  = optional(bool)<br/>      required_status_checks               = optional(map(string))<br/>      strict_required_status_checks_policy = optional(bool)<br/>      tag_name_pattern = optional(object({<br/>        operator = optional(string)<br/>        pattern  = optional(string)<br/>        name     = optional(string)<br/>        negate   = optional(bool)<br/>      }))<br/>      update = optional(bool)<br/>    }))<br/>    target = optional(string, "branch")<br/>    bypass_actors = optional(map(object({<br/>      actor_type  = string<br/>      bypass_mode = string<br/>    })))<br/>    include      = optional(list(string), [])<br/>    exclude      = optional(list(string), [])<br/>    repositories = optional(list(string))<br/>  }))</pre> | `{}` | no |
+| <a name="input_runner_groups"></a> [runner\_groups](#input\_runner\_groups) | (Optional) The list of runner groups of the organization (key: runner\_group\_name) | <pre>map(object({<br/>    visibility                = optional(string, null)<br/>    workflows                 = optional(set(string))<br/>    repositories              = optional(set(string), [])<br/>    allow_public_repositories = optional(bool)<br/>  }))</pre> | `{}` | no |
 | <a name="input_secrets"></a> [secrets](#input\_secrets) | (Optional) The list of secrets configuration of the organization (key: secret\_name) | <pre>map(object({<br/>    encrypted_value = optional(string, null)<br/>    plaintext_value = optional(string, null)<br/>    visibility      = optional(string, null)<br/>    repositories    = optional(set(string), [])<br/>  }))</pre> | `{}` | no |
 | <a name="input_twitter_username"></a> [twitter\_username](#input\_twitter\_username) | (Optional) The Twitter username of the company. | `string` | `null` | no |
 | <a name="input_variables"></a> [variables](#input\_variables) | (Optional) The list of variables configuration of the organization (key: variable\_name) | <pre>map(object({<br/>    value        = optional(string, null)<br/>    visibility   = optional(string, null)<br/>    repositories = optional(set(string), [])<br/>  }))</pre> | `{}` | no |
@@ -85,7 +97,9 @@ No modules.
 | Name | Description |
 |------|-------------|
 | <a name="output_id"></a> [id](#output\_id) | Github Organization ID |
-| <a name="output_used"></a> [used](#output\_used) | Recovered repository IDs |
+| <a name="output_organization"></a> [organization](#output\_organization) | Organization data |
+| <a name="output_repositories"></a> [repositories](#output\_repositories) | All repository IDs |
+| <a name="output_teams"></a> [teams](#output\_teams) | Team data |
 <!-- END_TF_DOCS -->
 
 ## Authors
diff --git a/data.tf b/data.tf
@@ -1,9 +1,14 @@
-data "github_repository" "this" {
-  for_each = toset(setunion(
-    flatten([for k, config in var.variables : config.repositories if length(config.repositories) > 0]),
-    flatten([for k, config in var.secrets : config.repositories if length(config.repositories) > 0]),
-    flatten([for k, config in var.dependabot_secrets : config.repositories if length(config.repositories) > 0]),
-    flatten([for k, config in var.rulesets : [for r in config.required_workflows : regex("^([^/]+)", r) if length(config.required_workflows) > 0]])
-  ))
-  name = each.key
+data "github_repositories" "this" {
+  query           = "org:${var.organization}"
+  include_repo_id = true
+}
+
+# teams
+data "github_organization" "this" {
+  name = var.organization
+}
+
+# teams
+data "github_organization_teams" "this" {
+  summary_only = true
 }
diff --git a/examples/simple/README.md b/examples/simple/README.md
@@ -32,7 +32,9 @@ No inputs.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_used"></a> [used](#output\_used) | Recovered repository IDs |
+| <a name="output_members_count"></a> [members\_count](#output\_members\_count) | Number of members |
+| <a name="output_repositories_count"></a> [repositories\_count](#output\_repositories\_count) | Number of repositories |
+| <a name="output_teams_count"></a> [teams\_count](#output\_teams\_count) | Number of teams |
 <!-- END_TF_DOCS -->
 
 ## Authors
diff --git a/examples/simple/main.tf b/examples/simple/main.tf
@@ -15,10 +15,6 @@ module "org" {
   members_can_create_public_repositories  = false
   members_can_create_repositories         = false
 
-  members = {
-    vmvarela = "admin"
-  }
-
   blocked = [
     "vmvarela-clb_prisa"
   ]
@@ -65,6 +61,13 @@ module "org" {
       ]
       forbidden_deletion = true
     }
+  }
 
+  custom_roles = {
+    "myrole" = {
+      description = "My custom role"
+      base_role   = "write"
+      permissions = ["remove_assignee"]
+    }
   }
 }
diff --git a/examples/simple/outputs.tf b/examples/simple/outputs.tf
@@ -1,6 +1,14 @@
-#
+output "repositories_count" {
+  description = "Number of repositories"
+  value       = length(module.org.repositories.names)
+}
+
+output "teams_count" {
+  description = "Number of teams"
+  value       = length(module.org.teams.teams)
+}
 
-output "used" {
-  description = "Recovered repository IDs"
-  value       = module.org.used
+output "members_count" {
+  description = "Number of members"
+  value       = length(module.org.organization.users)
 }
diff --git a/locals.tf b/locals.tf
@@ -0,0 +1,6 @@
+locals {
+  # reposity id from a repository name
+  repository_id = { for r in data.github_repositories.this.names :
+    r => element(data.github_repositories.this.repo_ids, index(data.github_repositories.this.names, r))
+  }
+}
diff --git a/main.tf b/main.tf
diff --git a/outputs.tf b/outputs.tf
diff --git a/variables.tf b/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -15,10 +15,6 @@ module "org" {`
`15`	`15`	`members_can_create_public_repositories = false`
`16`	`16`	`members_can_create_repositories = false`
`17`	`17`
`18`		`- members = {`
`19`		`- vmvarela = "admin"`
`20`		`- }`
`21`		`-`
`22`	`18`	`blocked = [`
`23`	`19`	`"vmvarela-clb_prisa"`
`24`	`20`	`]`
`@@ -65,6 +61,13 @@ module "org" {`
`65`	`61`	`]`
`66`	`62`	`forbidden_deletion = true`
`67`	`63`	`}`
	`64`	`+ }`
`68`	`65`
	`66`	`+ custom_roles = {`
	`67`	`+ "myrole" = {`
	`68`	`+ description = "My custom role"`
	`69`	`+ base_role = "write"`
	`70`	`+ permissions = ["remove_assignee"]`
	`71`	`+ }`
`69`	`72`	`}`
`70`	`73`	`}`