NTC GitHub Administration
Description
NTC GitHub Administration manages GitHub organizations as infrastructure-as-code. This building block automates the configuration of organization settings, teams, members, repositories, and security policies, so that every organization it manages ends up in a consistent, reviewable state. With support for organization rulesets and branch protection rules, secrets and variables management, and repository templates, NTC GitHub Administration provides a single place to define and scale GitHub operations across teams and projects.
Whether you are enforcing organization-wide security policies, standardizing repository configurations, or automating team and member provisioning, NTC GitHub Administration keeps the configuration in version control, where changes are reviewed like any other code and drift from the declared state is visible in the plan.
Usage
| Latest Release |
|---|
| 1.0.0 |
Requirements
The following requirements are needed by this module:
- terraform (>= 1.3.0)
- github (>= 6.0, != 6.6.0, != 6.5.0)
Providers
The following providers are used by this module:
- github (>= 6.0, != 6.6.0, != 6.5.0)
Modules
The following modules are called:
ntc_github_repositories
Source: ./modules/repository
Version:
Resources
The following resources are used by this module:
- github_actions_organization_secret.ntc_gh_org (resource)
- github_actions_organization_variable.ntc_gh_org (resource)
- github_membership.ntc_gh_org (resource)
- github_organization_ruleset.ntc_gh_org (resource)
- github_organization_settings.ntc_gh_org (resource)
- github_team.ntc_gh_org (resource)
- github_team_membership.ntc_gh_org (resource)
- github_app.ntc_existing_apps (data source)
- github_team.ntc_existing_teams (data source)
Required Inputs
No required inputs.
Optional Inputs
The following input variables are optional (have default values):
organization_members
Description: List of organization members to manage. `role` is the github_membership role, either `member` or `admin`. Organization admins have full control over every repository and setting, so keep that list short and review additions to it like any other privileged change.
Type:

```hcl
list(object({
  username = string
  role     = optional(string, "member")
}))
```

Default: `[]`
organization_repositories
Description: A list of GitHub repositories to create in the current organization. Repositories are created by the `ntc_github_repositories` submodule listed under Modules. Watch the defaults: `vulnerability_alerts` is false, and a `branch_protection_rules` entry left at its defaults requires no approving reviews (`required_approving_review_count = 0`) and does not apply to administrators (`enforce_admins = false`), so a rule that is meant to protect a branch has to set these explicitly. `collaborators` and `teams` default to the read-only `pull` permission (valid values are `pull`, `triage`, `push`, `maintain` and `admin`). `managed_files` commits files such as CODEOWNERS into the repository; `ignore_lifecycle = true` stops Terraform from overwriting later in-repository edits.
Type:

```hcl
list(object({
  name        = string
  description = optional(string, "")
  visibility  = optional(string, "private")
  topics      = optional(list(string), [])
  template = optional(object({
    template_repository  = optional(string, "")
    repository_owner     = optional(string, "")
    include_all_branches = optional(bool, true)
  }), {})
  settings = optional(object({
    create_readme                           = optional(bool, true)
    is_template                             = optional(bool, false)
    has_issues                              = optional(bool, true)
    has_discussions                         = optional(bool, true)
    has_projects                            = optional(bool, true)
    has_wiki                                = optional(bool, true)
    allow_merge_commit                      = optional(bool, true)
    allow_squash_merge                      = optional(bool, true)
    allow_rebase_merge                      = optional(bool, true)
    allow_auto_merge                        = optional(bool, false)
    delete_branch_on_merge                  = optional(bool, false)
    web_commit_signoff_required             = optional(bool, false)
    allow_update_branch                     = optional(bool, false)
    archive_on_destroy                      = optional(bool, false)
    vulnerability_alerts                    = optional(bool, false)
    ignore_vulnerability_alerts_during_read = optional(bool, false)
    gitignore_template                      = optional(string, null)
    license_template                        = optional(string, null)
  }), {})
  branch_protection_rules = optional(list(object({
    pattern                         = optional(string, "main")
    enforce_admins                  = optional(bool, false)
    allows_deletions                = optional(bool, false)
    require_conversation_resolution = optional(bool, false)
    require_signed_commits          = optional(bool, false)
    required_linear_history         = optional(bool, false)
    allows_force_pushes             = optional(bool, false)
    required_status_checks = optional(object({
      strict   = optional(bool, true)
      contexts = optional(list(string), [])
    }), {})
    restrict_pushes = optional(object({
      blocks_creations = optional(bool, true)
      push_allowances  = optional(list(string), [])
    }), {})
    required_pull_request_reviews = optional(object({
      dismiss_stale_reviews           = optional(bool, false)
      restrict_dismissals             = optional(bool, false)
      dismissal_restrictions          = optional(list(string), [])
      require_code_owner_reviews      = optional(bool, false)
      required_approving_review_count = optional(number, 0)
    }), {})
    force_push_bypassers = optional(list(string), [])
    lock_branch          = optional(bool, false)
  })), [])
  managed_files = optional(list(object({
    file                = string
    content             = string
    overwrite_on_create = optional(bool, true)
    ignore_lifecycle    = optional(bool, false)
    branch              = optional(string, null)
    commit_message      = optional(string, null)
    commit_author       = optional(string, null)
    commit_email        = optional(string, null)
  })), [])
  collaborators = optional(list(object({
    username   = string
    permission = optional(string, "pull")
  })), [])
  teams = optional(list(object({
    team_name  = string
    permission = optional(string, "pull")
  })), [])
}))
```

Default: `[]`
organization_rulesets
Description: List of organization rulesets to create for branch protection and other repository rules. A ruleset defaults to `enforcement = "active"`, `include_repos = ["~ALL"]` and `include_refs = ["~DEFAULT_BRANCH"]`, so an entry with no targeting narrows it applies immediately to the default branch of every repository in the organization; use `exclude_repos` and `exclude_refs` to carve out exceptions, or set `enforcement` to `evaluate` to audit a rule before enforcing it. A `bypass_actors` entry with the default `bypass_mode = "always"` exempts that actor from every rule in the ruleset, including push restrictions and required signatures; `"pull_request"` limits the exemption to merging via a pull request, which is usually what an automation account needs. Team and app actors are resolved through the `github_team` and `github_app` data sources listed under Resources, so they must already exist. Note that `pull_request` carries no default object here: review requirements only apply when the block is given and `required = true`.
Type:

```hcl
list(object({
  name          = string
  target        = optional(string, "branch")
  enforcement   = optional(string, "active")
  include_refs  = optional(list(string), ["~DEFAULT_BRANCH"])
  exclude_refs  = optional(list(string), [])
  include_repos = optional(list(string), ["~ALL"])
  exclude_repos = optional(list(string), [])
  bypass_actors = optional(list(object({
    actor_name  = string
    actor_type  = string
    bypass_mode = optional(string, "always")
  })), [])
  required_checks         = optional(list(string), [])
  required_workflows      = optional(list(string), [])
  required_code_scanning  = optional(list(string), [])
  restrict_creations      = optional(bool, false)
  restrict_updates        = optional(bool, false)
  restrict_deletions      = optional(bool, false)
  restrict_force_pushes   = optional(bool, true)
  required_linear_history = optional(bool, false)
  required_signatures     = optional(bool, false)
  pull_request = optional(object({
    required                          = optional(bool, false)
    dismiss_stale_reviews_on_push     = optional(bool, false)
    require_code_owner_review         = optional(bool, false)
    require_last_push_approval        = optional(bool, false)
    required_approving_review_count   = optional(number, 1)
    required_review_thread_resolution = optional(bool, false)
  }))
}))
```

Default: `[]`
organization_secrets
Description: List of organization-level secrets to create. Secrets of the default type `github_actions` are created with the `github_actions_organization_secret` resource listed under Resources. GitHub encrypts the value on write, but Terraform keeps the plaintext in state, so the state backend must be protected as if it held the secret itself; supply `value` from a secrets-manager data source or a `sensitive` variable, never as a literal committed to version control. The default visibility `all` makes the secret available to workflows in every repository of the organization, public ones included; `private` restricts it to private repositories.
Type:

```hcl
list(object({
  name       = string
  value      = string
  visibility = optional(string, "all")
  type       = optional(string, "github_actions")
}))
```

Default: `[]`
organization_settings
Description: Configuration settings for the GitHub organization. The defaults describe an open organization, not a hardened one: every security feature for new repositories (dependency graph, Dependabot alerts and security updates, secret scanning, push protection, advanced security) defaults to false, and every `members_can_*` permission defaults to true, including creating public repositories and public Pages sites and forking private repositories. Set the values you actually want explicitly rather than relying on the defaults. `update_settings` defaults to false; judging by its name it gates whether the module manages the organization settings resource at all, so set it to true when the other fields are meant to take effect.
Type:

```hcl
object({
  update_settings                                              = optional(bool, false)
  display_name                                                 = optional(string, "")
  description                                                  = optional(string, "")
  company                                                      = optional(string, "")
  location                                                     = optional(string, "")
  blog                                                         = optional(string, "")
  email                                                        = optional(string, "")
  billing_email                                                = optional(string, "")
  has_organization_projects                                    = optional(bool, true)
  has_repository_projects                                      = optional(bool, true)
  default_repository_permission                                = optional(string, "read")
  web_commit_signoff_required                                  = optional(bool, false)
  advanced_security_enabled_for_new_repositories               = optional(bool, false)
  dependabot_alerts_enabled_for_new_repositories               = optional(bool, false)
  dependabot_security_updates_enabled_for_new_repositories     = optional(bool, false)
  dependency_graph_enabled_for_new_repositories                = optional(bool, false)
  secret_scanning_enabled_for_new_repositories                 = optional(bool, false)
  secret_scanning_push_protection_enabled_for_new_repositories = optional(bool, false)
  members_can_create_pages                                     = optional(bool, true)
  members_can_create_public_pages                              = optional(bool, true)
  members_can_create_private_pages                             = optional(bool, true)
  members_can_fork_private_repositories                        = optional(bool, true)
  members_can_create_public_repositories                       = optional(bool, true)
  members_can_create_private_repositories                      = optional(bool, true)
  members_can_create_internal_repositories                     = optional(bool, true)
  members_can_create_repositories                              = optional(bool, true)
})
```

Default: `{}`
organization_teams
Description: List of organization teams to create and manage. `privacy` is the github_team value `closed` (visible to all organization members) or `secret`; a member's `role` is `member` or `maintainer`, where maintainers can change the team's membership and settings. Members listed here must also be organization members, whether managed through `organization_members` or outside Terraform.
Type:

```hcl
list(object({
  name        = string
  description = optional(string, "")
  privacy     = optional(string, "closed")
  members = optional(list(object({
    username = string
    role     = optional(string, "member")
  })), [])
}))
```

Default: `[]`
organization_variables
Description: List of organization-level variables to create. Actions variables are stored and displayed in plaintext and are intended for non-sensitive configuration such as registry hostnames or environment names; anything that must stay confidential belongs in `organization_secrets` instead. As with secrets, the default visibility `all` exposes the value to workflows in every repository of the organization.
Type:

```hcl
list(object({
  name       = string
  value      = string
  visibility = optional(string, "all")
  type       = optional(string, "github_actions")
}))
```

Default: `[]`
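A complete root module wiring these inputs together, written as an added example for this page rather than taken from the module's own documentation. The organization name, the team, user and app names, the status check context, the module source path and the secret variable are all assumptions; `update_settings = true` is assumed to be what makes the module apply the organization settings at all. The closing `terraform_data` resource (Terraform 1.4 or newer) is not part of the module: it is a local guardrail that fails the plan when someone loosens the baseline, the kind of check a reviewer would otherwise have to make by eye. The `terraform` block declaring the provider constraint from Requirements is omitted for brevity.

```hcl
provider "github" {
  owner = "example-org" # assumed organization name; the token comes from GITHUB_TOKEN, never from this file
}

variable "npm_publish_token" {
  type      = string
  sensitive = true # hidden in plan output, but still written to state
}

locals {
  # Team, user, app and check names below are assumed; substitute your own.
  org_settings = {
    update_settings                                              = true # assumed switch that makes the module manage org settings
    default_repository_permission                                = "read"
    members_can_create_public_repositories                       = false
    members_can_create_public_pages                              = false
    members_can_fork_private_repositories                        = false
    dependency_graph_enabled_for_new_repositories                = true
    dependabot_alerts_enabled_for_new_repositories               = true
    dependabot_security_updates_enabled_for_new_repositories     = true
    secret_scanning_enabled_for_new_repositories                 = true
    secret_scanning_push_protection_enabled_for_new_repositories = true
  }

  rulesets = [{
    name                    = "protect-default-branches"
    include_refs            = ["~DEFAULT_BRANCH"]
    include_repos           = ["~ALL"]
    restrict_deletions      = true
    restrict_force_pushes   = true
    required_linear_history = true
    required_signatures     = true
    required_checks         = ["ci / test"]
    pull_request = {
      required                          = true
      required_approving_review_count   = 1
      dismiss_stale_reviews_on_push     = true
      require_code_owner_review         = true
      require_last_push_approval        = true
      required_review_thread_resolution = true
    }
    # The release app may skip review, but only via a pull request; "always" would let it push directly.
    bypass_actors = [{
      actor_name  = "release-bot" # GitHub App slug (assumed)
      actor_type  = "Integration"
      bypass_mode = "pull_request"
    }]
  }]
}

module "github_admin" {
  source = "./ntc-github-administration" # assumed local checkout; use the published module source

  organization_settings = local.org_settings
  organization_rulesets = local.rulesets

  organization_teams = [{
    name    = "platform"
    privacy = "closed"
    members = [{ username = "alice", role = "maintainer" }, { username = "bob" }]
  }]

  organization_repositories = [{
    name       = "payments-api"
    visibility = "private"
    settings   = { vulnerability_alerts = true, delete_branch_on_merge = true, allow_merge_commit = false }
    # CODEOWNERS is what makes require_code_owner_review in the ruleset effective.
    managed_files = [{ file = ".github/CODEOWNERS", content = "* @example-org/platform\n", commit_message = "Add CODEOWNERS" }]
    teams         = [{ team_name = "platform", permission = "maintain" }]
  }]

  # "private" keeps the secret away from public repositories; the default "all" would not.
  organization_secrets = [{ name = "NPM_PUBLISH_TOKEN", value = var.npm_publish_token, visibility = "private" }]
}

# Guardrail (terraform_data needs Terraform >= 1.4): fail the plan if a ruleset hands a
# non-admin actor an unconditional bypass, or if push protection is switched off above.
resource "terraform_data" "security_baseline" {
  lifecycle {
    precondition {
      condition = alltrue(flatten([
        for rs in local.rulesets : [
          for b in rs.bypass_actors : b.bypass_mode != "always" || b.actor_type == "OrganizationAdmin"
        ]
      ]))
      error_message = "A ruleset grants an unconditional bypass to a non-admin actor."
    }
    precondition {
      condition     = local.org_settings.secret_scanning_push_protection_enabled_for_new_repositories
      error_message = "Secret scanning push protection must stay enabled for new repositories."
    }
  }
}
```

Run `terraform plan` with the token exported in `GITHUB_TOKEN`; the preconditions are evaluated during planning, so a change that sets `bypass_mode = "always"` for the release app or flips push protection off is rejected before anything reaches GitHub. Keeping the settings and rulesets in `locals` rather than inline in the module block is what makes them available to the guardrail.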
Outputs
The following outputs are exported:
organization_repositories
Description: All created GitHub repositories with their complete attributes.