fix module-repo-setup

Signed-off-by: Andre Licht <[email protected]> Signed-off-by: Andre Licht <[email protected]>
cloudeteer · Nov 28, 2024 · aff2ec6 · aff2ec6
1 parent 669b71b
commit aff2ec6
Show file tree

Hide file tree

Showing 7 changed files with 69 additions and 46 deletions.
diff --git a/...roubleshoot - Terraform module-repo-setup is tainted, so it must be replaced.md b/...roubleshoot - Terraform module-repo-setup is tainted, so it must be replaced.md
@@ -41,7 +41,17 @@ OpenTofu planned the following actions, but then encountered a problem:
 ╵
 ```
 
-## Solution
+## Solution 1 - state untaint
+
+The Repository is already created in Github and the Terraform state is not in sync with the actual state of the repository.
+
+This may occur if terraform apply was interrupted or failed while creating the repository.
+
+```bash
+tofu untaint "module.github_repository[\"terraform-azurerm-avd\"].github_repository.repository"
+```
+
+## Solution 2 - remove and re-add
 
 <!--
 Provide steps that the user can take to solve the problem. For example "The
@@ -62,7 +72,7 @@ To resolve this issue first cleanup the tainted resource, by
    1. remove topic "auto-terraform-governance" from repository
 2. adhoc modify current terraform state
    ```bash
-   tofu state remove "module.github_repository[\"terraform-azurerm-avd\"]" -dry-run
+   tofu state remove -dry-run "module.github_repository[\"terraform-azurerm-avd\"]"
    ```
    > [!NOTE]
    > always use `-dry-run` first to verify the changes, then remove the flag to apply the changes
@@ -71,7 +81,7 @@ To resolve this issue first cleanup the tainted resource, by
 ---
 After that you can re-add the repository to the configuration by following the Solution steps in the [Troubleshoot - Terraform module-repo-setup could not clone][related-troubleshoot].
 
-### Solution Note
+### Solution 2 - Note
 
 In Terraform this can be solved in removed blocks, but the [lifecycle block is not supported by OpenTofu][open-tofu-removed-block].
 

diff --git a/terraform/module-repo-setup.tf b/terraform/module-repo-setup.tf
@@ -1,10 +1,4 @@
 terraform {
-  required_providers {
-    github = {
-      source  = "integrations/github"
-      version = "~> 6.0"
-    }
-  }
   backend "azurerm" {
     subscription_id      = "a78e11bf-66d8-4aae-b171-cc43ced4e6ca"
     resource_group_name  = "rg-terraform-governance"
@@ -15,9 +9,10 @@ terraform {
 }
 
 provider "azurerm" {
-  features {}
-  skip_provider_registration = true
-  partner_id                 = "1782f57c-edb6-4bf8-bd26-c7e0ef75c1e8"
+  features {
+    provider_registration = false
+  }
+  partner_id = "1782f57c-edb6-4bf8-bd26-c7e0ef75c1e8"
 }
 
 provider "github" {
@@ -45,8 +40,8 @@ module "github_repository" {
   ))
   repository_name = each.value
   actions_secrets = {
-    ARM_CLIENT_ID: var.ARM_CLIENT_ID
-    ARM_SUBSCRIPTION_ID: var.ARM_SUBSCRIPTION_ID
-    ARM_TENANT_ID: var.ARM_TENANT_ID
+    ARM_CLIENT_ID       = var.ARM_CLIENT_ID
+    ARM_SUBSCRIPTION_ID = var.ARM_SUBSCRIPTION_ID
+    ARM_TENANT_ID       = var.ARM_TENANT_ID
   }
 }
diff --git a/terraform/modules/github_repository/main.tf b/terraform/modules/github_repository/main.tf
@@ -1,29 +1,3 @@
-variable "repository_name" {
-  description = "Name of the repository"
-  type        = string
-}
-
-variable "actions_secrets" {
-  description = "GitHub Actions evnrionment secrets to create."
-  type        = map(string)
-  default     = {}
-  sensitive   = true
-}
-
-terraform {
-  required_providers {
-    github = {
-      source  = "integrations/github"
-      version = "~> 6.0"
-    }
-  }
-}
-
-data "github_repository" "existing_repo" {
-  count     = 1
-  full_name = "cloudeteer/${var.repository_name}"
-}
-
 locals {
   provider = split("-", var.repository_name)[2]
   provider_formatted = (local.provider == "azurerm" ? "AzureRM" :
@@ -35,7 +9,13 @@ locals {
     coalesce(data.github_repository.existing_repo[0].topics, []),
     ["cloudeteer", "terraform", "terraform-module", "auto-terraform-governance"]
   )
-  homepage_url = coalesce(data.github_repository.existing_repo[0].homepage_url, "https://www.cloudeteer.de")
+  homepage_url                    = coalesce(data.github_repository.existing_repo[0].homepage_url, "https://www.cloudeteer.de")
+  is_template                     = data.github_repository.existing_repo[0].is_template
+}
+
+data "github_repository" "existing_repo" {
+  count     = 1
+  full_name = "cloudeteer/${var.repository_name}"
 }
 
 # https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository
@@ -52,11 +32,14 @@ resource "github_repository" "repository" {
   allow_merge_commit          = false
   allow_rebase_merge          = false
   allow_squash_merge          = true
+  allow_update_branch         = true
   topics                      = local.combined_topics
   homepage_url                = local.homepage_url
   vulnerability_alerts        = true
+  # may cause "Commit signoff is enforced by the organization and cannot be disabled" https://github.com/integrations/terraform-provider-github/issues/2077
   web_commit_signoff_required = true
   delete_branch_on_merge      = true
+  is_template                 = local.is_template
   # https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository#template-repositories
   template {
     owner      = "cloudeteer"
@@ -76,11 +59,11 @@ resource "github_repository_collaborators" "admins" {
   # get id: $ gh api /orgs/cloudeteer/teams/service-accounts | jq '.id'
   team {
     permission = "admin"
-    team_id    = "service-accounts" # id: 6206668
+    team_id    = "6206668" # team-slug: service-accounts
   }
   team {
     permission = "admin"
-    team_id    = "chapter-operations-engineering" # id: 5433329
+    team_id    = "5433329" # team-slug: chapter-operations-engineering
   }
   # Do not delete "cloudeteerbot" as admin even it is part of "service-accounts",
   # because there is a race-condition in the deployment situation.
@@ -118,8 +101,8 @@ resource "github_branch_protection" "ruleset_branch_default_protect" {
   //target      = "branch"
   repository_id                   = github_repository.repository.name
   pattern                         = "main"
-  required_linear_history         = true
   require_conversation_resolution = true
+  required_linear_history         = true
   required_status_checks {
     strict = true
   }

diff --git a/terraform/modules/github_repository/terraform.tf b/terraform/modules/github_repository/terraform.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = "~> 1.8.4"
+
+  required_providers {
+    github = {
+      source  = "integrations/github"
+      version = "~> 6.0"
+    }
+  }
+}
diff --git a/terraform/modules/github_repository/variables.tf b/terraform/modules/github_repository/variables.tf
@@ -0,0 +1,11 @@
+variable "repository_name" {
+  description = "Name of the repository"
+  type        = string
+}
+
+variable "actions_secrets" {
+  description = "GitHub Actions evnrionment secrets to create."
+  type        = map(string)
+  default     = {}
+  sensitive   = true
+}
diff --git a/terraform/terraform.tf b/terraform/terraform.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_version = "~> 1.8.4"
+
+  required_providers {
+    github = {
+      source  = "integrations/github"
+      version = "~> 6.0"
+    }
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 4.1"
+    }
+  }
+}
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -5,7 +5,7 @@ variable "create_repo" {
 }
 
 variable "actions_secrets" {
-  description = "GitHub Actions evnrionment secrets to create."
+  description = "GitHub Actions environment secrets to create."
   type        = map(string)
   default     = {}
 }