PLT-878 - Add support for rulesets

* ruleset allow you to set bypasses for pull requests and status checks like branch protection, but with ruleset you can still enforce rules in an extra ruleset for the bypasser like deletion protection and other
Flaconi · Jul 22, 2024 · 2993be4 · 2993be4
1 parent 934a7ba
commit 2993be4
Show file tree

Hide file tree

Showing 2 changed files with 100 additions and 0 deletions.
diff --git a/main.tf b/main.tf
@@ -261,3 +261,66 @@ resource "github_repository_webhook" "this" {
     insecure_ssl = each.value["configuration"]["insecure_ssl"]
   }
 }
+
+resource "github_repository_ruleset" "this" {
+  for_each = var.rulesets != null ? var.rulesets : {  }
+  name        = each.key
+  repository  = github_repository.this.name
+  target      = each.value.target
+  enforcement = each.value.enforcement
+
+  conditions {
+    ref_name {
+      include = each.value.includes
+      exclude = each.value.excludes
+    }
+  }
+
+  dynamic "bypass_actors" {
+    iterator = actors
+    for_each = each.value.bypass_actors
+    content {
+      actor_id = actors.value.actor_id
+      actor_type  = actors.value.actor_type
+      bypass_mode = actors.value.bypass_mode
+    }
+  }
+
+  rules {
+    creation                = each.value.creation
+    update                  = each.value.update
+    deletion                = each.value.deletion
+    non_fast_forward = each.value.non_fast_forward
+    required_linear_history = each.value.required_linear_history
+    required_signatures = each.value.required_signatures
+
+    dynamic "pull_request" {
+      for_each = each.value.pull_request.enabled ? [each.value.pull_request] : []
+      iterator = reviews
+      content {
+        dismiss_stale_reviews_on_push = reviews.value["dismiss_stale_reviews_on_push"]
+        require_code_owner_review = reviews.value["require_code_owner_review"]
+        required_approving_review_count = reviews.value["required_approving_review_count"]
+        required_review_thread_resolution = reviews.value["required_review_thread_resolution"]
+        require_last_push_approval = reviews.value["require_last_push_approval"]
+      }
+    }
+
+    dynamic "required_status_checks" {
+      for_each =  each.value.required_status_checks != null ? each.value.required_status_checks.enabled ? [each.value.required_status_checks] : [] : []
+      iterator = checks
+        content {
+
+          dynamic "required_check" {
+            for_each = checks.value.contexts
+            iterator = contexts
+            content {
+              context = contexts.value.context
+              integration_id = contexts.value.integration_id
+            }
+          }
+          strict_required_status_checks_policy = checks.value.strict_required_status_checks_policy
+        }
+    }
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -245,6 +245,43 @@ variable "default_branch_protection_enabled" {
   description = "Set to `false` if you want to disable branch protection for default branch"
 }
 
+variable "rulesets" {
+  type = map(object({
+    required_linear_history = optional(bool, true)
+    deletion = optional(bool, true)
+    creation = optional(bool, true)
+    update = optional(bool, false)
+    target = optional(string, "branch")
+    enforcement = optional(string, "active")
+    includes = optional(list(string), ["~DEFAULT_BRANCH"])
+    excludes = optional(list(string), [])
+    non_fast_forward = optional(bool, true)
+    required_signatures = optional(bool, true)
+    bypass_actors = optional(map(object({
+      actor_id = number
+      actor_type = string
+      bypass_mode = optional(string, "always")
+    })), {})
+    pull_request = optional(object({
+      enabled = optional(bool, true)
+      dismiss_stale_reviews_on_push = optional(bool, true)
+      require_code_owner_review = optional(bool, true)
+      required_approving_review_count = optional(number, 1)
+      required_review_thread_resolution = optional(bool, true)
+      require_last_push_approval = optional(bool, true)
+    }), {})
+    required_status_checks = optional(object({
+      enabled = optional(bool, true)
+      strict_required_status_checks_policy = optional(bool, false)
+      contexts = optional(list(object({
+        integration_id = optional(number, 0)
+        context = string
+      })), [])
+    }))
+}))
+  default = {}
+}
+
 variable "default_branch_protection" {
   type = object({
     enforce_admins                  = optional(bool, true)