Merge pull request #10 from Homebrew/fix/emails/fix_email_overrides

fix: allow email overrides
Homebrew · Jul 15, 2024 · b662b4a · b662b4a
2 parents 489609e + c754f55
commit b662b4a
Show file tree

Hide file tree

Showing 8 changed files with 27 additions and 26 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -46,7 +46,10 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.TF_GH_TOKEN }}
           DNSIMPLE_ACCOUNT: ${{ secrets.TF_DNSIMPLE_ACCOUNT }}
           DNSIMPLE_TOKEN: ${{ secrets.TF_DNSIMPLE_TOKEN }}
-        run: tofu plan -no-color -var-file .tfvars -detailed-exitcode
+        run: |
+          tofu plan -no-color -detailed-exitcode \
+                    -var-file .tfvars \
+                    -var='email_overrides=${{ secrets.email_overrides }}'
 
   trivy:
     name: Trivy

diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/.tfvars b/.tfvars
@@ -115,6 +115,7 @@ teams = {
       "fxcoudert",
       "nandahkrishna",
       "p-linnane",
+      "SMillerDev"
     ],
     tsc = [
       "Bo98",
@@ -123,6 +124,11 @@ teams = {
       "fxcoudert",
       "iMichka",
     ],
+    analytics = [
+      "SMillerDev",
+      "Bo98",
+      "MikeMcQuaid",
+    ]
   },
   taps = {
     bundle = [

diff --git a/README.md b/README.md
@@ -14,6 +14,16 @@ User management for the Homebrew organisation using OpenTofu
 - `tofu init`
 - `tofu plan -var-file .tfvars`
 
+### Secrets
+
+CI requires the following secrets:
+
+- `amazon_role`: The ARN of the AWS role to use for OIDC auth.
+- `email_overrides`: Map of GitHub usernames with emails for people who want a different email for tools from their GH email
+- `TF_GH_TOKEN`: GitHub token with permissions to manage org teams, users and repo permissions
+- `TF_DNSIMPLE_ACCOUNT`: Account ID for DNSimple
+- `TF_DNSIMPLE_TOKEN`: Token to authenticate to DNSimple
+
 ## TODO
 
 - Google workspace management for brew.sh

diff --git a/github/membership.tf b/github/membership.tf
@@ -21,7 +21,7 @@ data "github_organization" "homebrew" {
 }
 
 locals {
-  member_emails = tomap({ for key, value in data.github_organization.homebrew.users : key => value.email })
+  member_emails = tomap({ for key, value in data.github_organization.homebrew.users : value.login => sensitive(value.email) })
 }
 
 output "member_emails" {

diff --git a/github/vars.tf b/github/vars.tf
@@ -12,6 +12,7 @@ variable "teams" {
       ops              = list(string)
       formulae_brew_sh = list(string)
       ci-orchestrator  = list(string)
+      analytics        = list(string)
     })
     taps = object({
       bundle               = list(string)

diff --git a/main.tf b/main.tf
@@ -16,7 +16,7 @@ terraform {
 }
 
 locals {
-  # these people can't have their membership managed by OpenTofu becuase they are Billing Managers in GitHub
+  # these people can't have their membership managed by OpenTofu because they are Billing Managers in GitHub
   unmanagable_members = ["p-linnane", "issyl0", "colindean", "MikeMcQuaid", "BrewSponsorsBot"]
 }
 

diff --git a/vars.tf b/vars.tf
@@ -12,6 +12,7 @@ variable "teams" {
       ops              = list(string)
       formulae_brew_sh = list(string)
       ci-orchestrator  = list(string)
+      analytics        = list(string)
     })
     taps = object({
       bundle               = list(string)
@@ -27,6 +28,7 @@ variable "github_admins" {
 }
 
 variable "email_overrides" {
-  type    = map(string)
-  default = {}
+  type      = map(string)
+  sensitive = true
+  default   = {}
 }