feat(permissions): actions permissions, organization blocks, and root module updates

README.md

@@ -26,7 +26,11 @@ No providers.
 | Name | Source | Version |
 |------|--------|---------|
 | actions_runner_group | ./modules/actions_runner_group | n/a |
+| organization_block | ./modules/organization_block | n/a |
+| organization_ruleset | ./modules/organization_ruleset | n/a |
+| organization_secret | ./modules/actions_organization_secret | n/a |
 | organization_settings | ./modules/organization_settings | n/a |
+| organization_variable | ./modules/actions_organization_variable | n/a |
 
 ## Resources
 
@@ -36,9 +40,11 @@ No resources.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| actions_runner_groups | A map of actions runner groups to create in your GitHub organization. Map key is the name of the runner group. | ```map(object({ restricted_to_workflows = optional(list(string)) selected_repository_ids = optional(list(string)) selected_workflows = optional(list(string)) visibility = optional(string) allows_public_repositories = optional(bool) }))``` | `{}` | no |
 | advanced_security_enabled_for_new_repositories | Whether or not advanced security is enabled for new repositories. Defaults to false. | `bool` | `null` | no |
 | allows_public_repositories | Whether public repositories can be added to the runner group | `bool` | `null` | no |
 | billing_email | The billing email address for the organization. | `string` | n/a | yes |
+| blocked_usernames | A list of usernames to block from your GitHub organization. | `list(string)` | `[]` | no |
 | blog | The blog URL for the organization. | `string` | `null` | no |
 | company | The company name for the organization. | `string` | `null` | no |
 | default_repository_permission | The default permission for organization members to create new repositories. Can be one of read, write, admin, or none. Defaults to read. | `string` | `null` | no |
@@ -59,6 +65,9 @@ No resources.
 | members_can_create_repositories | Whether or not organization members can create new repositories. Defaults to true. | `bool` | `null` | no |
 | members_can_fork_private_repositories | Whether or not organization members can fork private repositories. Defaults to false. | `bool` | `null` | no |
 | organization_name | The name for the organization. | `string` | `null` | no |
+| organization_rulesets | A map of organization rulesets to create. The map key is the name of the ruleset. | ```map(object({ enforcement = string rules = list(object({ # Enterprise only! Use `conditions` block for matching branches. branch_name_pattern = optional(list(object({ operator = string pattern = string name = optional(string) negate = optional(bool) })), []) # Enterprise only! commit_author_email_pattern = optional(list(object({ operator = string pattern = string name = optional(string) negate = optional(bool) })), []) # Enterprise only! commit_message_pattern = optional(list(object({ operator = string pattern = string name = optional(string) negate = optional(bool) })), []) # Enterprise only! committer_email_pattern = optional(list(object({ operator = string pattern = string name = optional(string) negate = optional(bool) })), []) creation = optional(bool) deletion = optional(bool) non_fast_forward = optional(bool) pull_request = optional(list(object({ dismiss_stale_reviews_on_push = optional(bool) require_code_owner_review = optional(bool) require_last_push_approval = optional(bool) required_approving_review_count = optional(number) required_review_thread_resolution = optional(bool) })), []) required_linear_history = optional(bool) required_signatures = optional(bool) required_status_checks = optional(list(object({ required_check = list(object({ context = string integration_id = optional(number) })) strict_required_status_checks_policy = optional(bool) })), []) required_workflows = optional(list(object({ required_workflow = list(object({ repository_id = number path = string ref = optional(string) })) })), []) tag_name_pattern = optional(list(object({ operator = string pattern = string name = optional(string) negate = optional(bool) })), []) update = optional(bool) })) target = string bypass_actors = optional(list(object({ actor_id = number actor_type = string bypass_mode = optional(string) })), []) }))``` | n/a | yes |
+| organization_secrets | A map of organization secrets to create. The map key is the secret name. | ```map(object({ encrypted_value = optional(string) plaintext_value = optional(string) visibility = string selected_repository_ids = optional(list(string)) }))``` | `{}` | no |
+| organization_variables | n/a | ```map(object({ value = string visibility = string selected_repository_ids = optional(list(string)) }))``` | n/a | yes |
 | restricted_to_workflows | If true, the runner group will be restricted to running only the workflows specified in the selected_workflows array. Defaults to false. | `bool` | `null` | no |
 | runner_group_name | Name of the runner group | `string` | n/a | yes |
 | secret_scanning_enabled_for_new_repositories | Whether or not secret scanning is enabled for new repositories. Defaults to false. | `bool` | `null` | no |

main.tf

@@ -49,87 +49,18 @@ module "organization_block" {
 }
 
 module "organization_ruleset" {
+  source = "./modules/organization_ruleset"
+
   for_each = var.organization_rulesets
-}
 
-variable "organization_rulesets" {
-  description = "A map of organization rulesets to create. The map key is the name of the ruleset."
-  type = map(object({
-    enforcement = string
-    rules = list(object({
-      # Enterprise only! Use `conditions` block for matching branches.
-      branch_name_pattern = optional(list(object({
-        operator = string
-        pattern  = string
-        name     = optional(string)
-        negate   = optional(bool)
-      })), [])
-      # Enterprise only!
-      commit_author_email_pattern = optional(list(object({
-        operator = string
-        pattern  = string
-        name     = optional(string)
-        negate   = optional(bool)
-      })), [])
-      # Enterprise only!
-      commit_message_pattern = optional(list(object({
-        operator = string
-        pattern  = string
-        name     = optional(string)
-        negate   = optional(bool)
-      })), [])
-      # Enterprise only!
-      committer_email_pattern = optional(list(object({
-        operator = string
-        pattern  = string
-        name     = optional(string)
-        negate   = optional(bool)
-      })), [])
-      creation         = optional(bool)
-      deletion         = optional(bool)
-      non_fast_forward = optional(bool)
-      pull_request = optional(list(object({
-        dismiss_stale_reviews_on_push     = optional(bool)
-        require_code_owner_review         = optional(bool)
-        require_last_push_approval        = optional(bool)
-        required_approving_review_count   = optional(number)
-        required_review_thread_resolution = optional(bool)
-      })), [])
-      required_linear_history = optional(bool)
-      required_signatures     = optional(bool)
-      required_status_checks = optional(list(object({
-        required_check = list(object({
-          context        = string
-          integration_id = optional(number)
-        }))
-        strict_required_status_checks_policy = optional(bool)
-      })), [])
-      required_workflows = optional(list(object({
-        required_workflow = list(object({
-          repository_id = number
-          path          = string
-          ref           = optional(string)
-        }))
-      })), [])
-      tag_name_pattern = optional(list(object({
-        operator = string
-        pattern  = string
-        name     = optional(string)
-        negate   = optional(bool)
-      })), [])
-      update = optional(bool)
-    }))
-    target = string
-    bypass_actors = optional(list(object({
-      actor_id    = number
-      actor_type  = string
-      bypass_mode = optional(string)
-    })), [])
-  }))
+  name          = each.key
+  enforcement   = each.value.enforcement
+  rules         = each.value.rules
+  target        = each.value.target
+  bypass_actors = each.value.bypass_actors
 }
-
 module "organization_secret" {
-  source   = "./modules/actions_organization_secrets"
+  source   = "./modules/actions_organization_secret"
   for_each = var.organization_secrets
 
   secret_name             = each.key
@@ -138,3 +69,13 @@ module "organization_secret" {
   visibility              = each.value.visibility
   selected_repository_ids = each.value.selected_repository_ids
 }
+
+module "organization_variable" {
+  source   = "./modules/actions_organization_variable"
+  for_each = var.organization_variables
+
+  variable_name           = each.key
+  value                   = each.value.value
+  visibility              = each.value.visibility
+  selected_repository_ids = each.value.selected_repository_ids
+}

modules/actions_organization_permissions/README.md

@@ -0,0 +1,60 @@
+#
+
+<!-- BEGIN_TF_DOCS -->
+<!-- prettier-ignore-start -->
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >=1.3 |
+| github | >= 6.2.3 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| github | >= 6.2.3 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [github_actions_organization_permissions.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_permissions) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| allowed_actions | The permissions policy that controls the actions that are allowed to run. Can be one of: `all`, `local_only`, or `selected`. | `string` | `null` | no |
+| allowed_actions_config | Sets the actions that are allowed in an organization. Only available when allowed_actions = selected. See https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_permissions#allowed-actions-config for details. {   github_owned_allowed: (Required, bool) Whether GitHub-owned actions are allowed in the organization.   patterns_allowed: (Optional, list(string)) Specifies a list of string-matching patterns to allow specific action(s). Wildcards, tags, and SHAs are allowed. For example, monalisa/octocat@, monalisa/octocat@v2, monalisa/."   verified_allowed: (Optional, bool) Whether actions in GitHub Marketplace from verified creators are allowed. Set to true to allow all GitHub Marketplace actions by verified creators. } | ```object({ github_owned_allowed = bool patterns_allowed = optional(list(string)) verified_allowed = optional(bool) })``` | `null` | no |
+| enabled_repositories | The permissions policy that controls which repositories can run actions. Can be one of: `all`, `local_only`, or `selected`. | `list(string)` | n/a | yes |
+| enabled_repositories_config | Sets the list of selected repositories that are enabled for GitHub Actions in an organization. Only available when enabled_repositories = selected. See https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_permissions#enabled-repositories-config for details. {   repository_ids: (Required, list(string)) A list of repository IDs that are allowed to run actions. } | ```list(object({ repository_ids = list(string) }))``` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| github_actions_allowed | n/a |
+
+
+## Contributing
+
+Contributions are welcome and appreciated!
+
+Found an issue or want to request a feature? [Open an issue](TODO)
+
+Want to fix a bug you found or add some functionality? Fork, clone, commit, push, and PR and we'll check it out.
+
+If you have any issues or are waiting a long time for a PR to get merged then feel free to ping us at [hello@masterpoint.io](mailto:hello@masterpoint.io).
+
+## Built By
+
+[![Masterpoint Logo](https://i.imgur.com/RDLnuQO.png)](https://masterpoint.io)
+
+<!-- prettier-ignore-end -->
+<!-- END_TF_DOCS -->

modules/actions_organization_permissions/main.tf

@@ -0,0 +1,21 @@
+resource "github_actions_organization_permissions" "this" {
+  allowed_actions = var.allowed_actions
+
+  dynamic "allowed_actions_config" {
+    for_each = var.allowed_actions_config == null ? [] : [var.allowed_actions_config]
+    content {
+      github_owned_allowed = allowed_actions_config.value.github_owned_allowed
+      patterns_allowed     = allowed_actions_config.value.patterns_allowed
+      verified_allowed     = allowed_actions_config.value.verified_allowed
+    }
+  }
+
+  enabled_repositories = var.enabled_repositories
+
+  dynamic "enabled_repositories_config" {
+    for_each = var.enabled_repositories_config
+    content {
+      repository_ids = enabled_repositories_config.value.repository_ids
+    }
+  }
+}

modules/actions_organization_permissions/outputs.tf

@@ -0,0 +1,3 @@
+output "github_actions_allowed" {
+  value = github_actions_organization_permissions.this.allowed_actions_config.github_owned_allowed
+}

modules/actions_organization_permissions/variables.tf

@@ -0,0 +1,52 @@
+variable "allowed_actions" {
+  type        = string
+  description = "The permissions policy that controls the actions that are allowed to run. Can be one of: `all`, `local_only`, or `selected`."
+  validation {
+    condition     = var.allowed_actions == "all" || var.allowed_actions == "local_only" || var.allowed_actions == "selected"
+    error_message = "Allowed actions must be either 'all', 'local_only', or 'selected'."
+  }
+  default = null
+}
+
+variable "allowed_actions_config" {
+  type = object({
+    github_owned_allowed = bool
+    patterns_allowed     = optional(list(string))
+    verified_allowed     = optional(bool)
+  })
+  description = <<-EOT
+    Sets the actions that are allowed in an organization.
+    Only available when allowed_actions = selected.
+    See https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_permissions#allowed-actions-config for details.
+    {
+      github_owned_allowed: (Required, bool) Whether GitHub-owned actions are allowed in the organization.
+      patterns_allowed: (Optional, list(string)) Specifies a list of string-matching patterns to allow specific action(s). Wildcards, tags, and SHAs are allowed. For example, monalisa/octocat@, monalisa/octocat@v2, monalisa/."
+      verified_allowed: (Optional, bool) Whether actions in GitHub Marketplace from verified creators are allowed. Set to true to allow all GitHub Marketplace actions by verified creators.
+    }
+  EOT
+  default     = null
+}
+
+variable "enabled_repositories" {
+  type        = list(string)
+  description = "The permissions policy that controls which repositories can run actions. Can be one of: `all`, `local_only`, or `selected`."
+  validation {
+    condition     = var.enabled_repositories == "all" || var.enabled_repositories == "local_only" || var.enabled_repositories == "selected"
+    error_message = "Enabled repositories must be either 'all', 'local_only', or 'selected'."
+  }
+}
+
+variable "enabled_repositories_config" {
+  type = list(object({
+    repository_ids = list(string)
+  }))
+  description = <<-EOT
+    Sets the list of selected repositories that are enabled for GitHub Actions in an organization.
+    Only available when enabled_repositories = selected.
+    See https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_permissions#enabled-repositories-config for details.
+    {
+      repository_ids: (Required, list(string)) A list of repository IDs that are allowed to run actions.
+    }
+  EOT
+  default     = null
+}

modules/actions_organization_permissions/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">=1.3"
+  required_providers {
+    github = {
+      source  = "integrations/github"
+      version = ">= 6.2.3"
+    }
+  }
+}

modules/actions_organization_secrets/README.md → modules/actions_organization_secret/README.md

@@ -1,3 +1,5 @@
+# github_actions_organization_secret
+
 <!-- BEGIN_TF_DOCS -->
 <!-- prettier-ignore-start -->
 

modules/actions_organization_variable/README.md

@@ -1,3 +1,5 @@
+# github_actions_organization_variable
+
 <!-- BEGIN_TF_DOCS -->
 <!-- prettier-ignore-start -->
 

modules/organization_block/README.md

@@ -0,0 +1,57 @@
+# github_organization_block
+
+<!-- BEGIN_TF_DOCS -->
+<!-- prettier-ignore-start -->
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| github | >= 6.2.3 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| github | >= 6.2.3 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [github_organization_block.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/organization_block) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| username | The name of the user to block. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| blocked_user | n/a |
+
+
+## Contributing
+
+Contributions are welcome and appreciated!
+
+Found an issue or want to request a feature? [Open an issue](TODO)
+
+Want to fix a bug you found or add some functionality? Fork, clone, commit, push, and PR and we'll check it out.
+
+If you have any issues or are waiting a long time for a PR to get merged then feel free to ping us at [hello@masterpoint.io](mailto:hello@masterpoint.io).
+
+## Built By
+
+[![Masterpoint Logo](https://i.imgur.com/RDLnuQO.png)](https://masterpoint.io)
+
+<!-- prettier-ignore-end -->
+<!-- END_TF_DOCS -->

modules/organization_block/main.tf

@@ -0,0 +1,3 @@
+resource "github_organization_block" "this" {
+  username = var.username
+}

modules/organization_block/outputs.tf

@@ -0,0 +1,3 @@
+output "blocked_user" {
+  value = github_organization_block.this.username
+}

modules/organization_block/variables.tf

@@ -0,0 +1,4 @@
+variable "username" {
+  type        = string
+  description = "The name of the user to block."
+}

modules/organization_block/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.3.0"
+  required_providers {
+    github = {
+      source  = "integrations/github"
+      version = ">= 6.2.3"
+    }
+  }
+}