Skip to content

benoitblais-hashicorp-demo/terraform-tfe-modulesfactory

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

61 Commits
.github
.github
 
 
docs
docs
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
providers.tf
providers.tf
 
 
variables.tf
variables.tf
 
 
versions.tf
versions.tf
 
 

Repository files navigation

Modules Factory Terraform Module

Modules Factory module which manages configuration and life-cycle of your Terraform modules.

Permissions

GitHub Permissions

To manage the GitHub resources, provide a token from an account or a GitHub App with appropriate permissions. It should have:

  • Read access to metadata
  • Read and write access to administration, code, and secrets

HCP Terraform Permissions

To manage resources, provide a user token from an account with appropriate permissions. This user should have the Manage modules permission. Alternatively, you can use a token from a team instead of a user token.

Authentication

GitHub Authentication

The GitHub provider requires a GitHub token or GitHub App installation in order to manage resources.

There are several ways to provide the required token:

  • Set the token argument in the provider configuration. You can set the token argument in the provider configuration. Use an input variable for the token.
  • Set the GITHUB_TOKEN environment variable. The provider can read the GITHUB_TOKEN environment variable and the token stored there to authenticate.

There are several ways to provide the required GitHub App installation:

  • Set the app_auth argument in the provider configuration. You can set the app_auth argument with the id, installation_id and pem_file in the provider configuration. The owner parameter is also required in this situation.
  • Set the GITHUB_APP_ID, GITHUB_APP_INSTALLATION_ID and GITHUB_APP_PEM_FILE environment variables. The provider can read the GITHUB_APP_ID, GITHUB_APP_INSTALLATION_ID and GITHUB_APP_PEM_FILE environment variables to authenticate.

Because strings with new lines is not support:
use "\\n" within the pem_file argument to replace new line
use "\n" within the GITHUB_APP_PEM_FILE environment variables to replace new line

HCP Terraform Authentication

The HCP Terraform provider requires a HCP Terraform/Terraform Enterprise API token in order to manage resources.

There are several ways to provide the required token:

  • Set the token argument in the provider configuration. You can set the token argument in the provider configuration. Use an input variable for the token.
  • Set the TFE_TOKEN environment variable. The provider can read the TFE_TOKEN environment variable and the token stored there to authenticate.

Features

  • Create and manage repositories within your GitHub organization or personal account for your Terraform modules.
    • Configure branch protection.
    • Configure teams access.
  • Publish module inside the private registry of your HCP Terraform organization.
    • Enable no-code feature when specified.

Usage example

module "repository" {
  source  = "app.terraform.io/<organization>/modulesfactory/tfe"
  version = "0.0.0"
  module_name     = "test"
  module_provider = "tfe"
}

Documentation

Requirements

The following requirements are needed by this module:

Modules

No modules.

Required Inputs

The following input variables are required:

module_name

Description: (Required) The name the Terraform module.

Type: string

module_provider

Description: (Required) The main provider the module uses

Type: string

Optional Inputs

The following input variables are optional (have default values):

allow_auto_merge

Description: (Optional) Set to true to allow auto-merging pull requests on the repository.

Type: bool

Default: false

allow_merge_commit

Description: (Optional) Set to false to disable merge commits on the repository.

Type: bool

Default: true

allow_rebase_merge

Description: (Optional) Set to false to disable rebase merges on the repository.

Type: bool

Default: true

allow_squash_merge

Description: (Optional) Set to false to disable squash merges on the repository.

Type: bool

Default: true

allow_update_branch

Description: (Optional) Set to true to always suggest updating pull request branches.

Type: bool

Default: false

archive_on_destroy

Description: (Optional) Set to true to archive the repository instead of deleting on destroy.

Type: bool

Default: false

archived

Description: (Optional) Specifies if the repository should be archived. NOTE Currently, the API does not support unarchiving.

Type: bool

Default: false

auto_init

Description: (Optional) Set to true to produce an initial commit in the repository.

Type: bool

Default: true

branch_protections

Description: pattern : (Required) Identifies the protection rule pattern.
enforce_admins : (Optional) Boolean, setting this to true enforces status checks for repository administrators.
require_signed_commits : (Optional) Boolean, setting this to true requires all commits to be signed with GPG.
required_linear_history : (Optional) Boolean, setting this to true enforces a linear commit Git history, which prevents anyone from pushing merge commits to a branch.
require_conversation_resolution : (Optional) Boolean, setting this to true requires all conversations on code must be resolved before a pull request can be merged.
required_status_checks : (Optional) The required_status_checks block supports the following:
strict : (Optional) Require branches to be up to date before merging.
contexts : (Optional) The list of status checks to require in order to merge into this branch. No status checks are required by default.
required_pull_request_reviews : (Optional) The required_pull_request_reviews block supports the following:
dismiss_stale_reviews : (Optional) Dismiss approved reviews automatically when a new commit is pushed.
restrict_dismissals : (Optional) Restrict pull request review dismissals.
dismissal_restrictions : (Optional) The list of actor Names/IDs with dismissal access. If not empty, restrict_dismissals is ignored. Actor names must either begin with a "/" for users or the organization name followed by a "/" for teams.
pull_request_bypassers : (Optional) The list of actor Names/IDs that are allowed to bypass pull request requirements. Actor names must either begin with a "/" for users or the organization name followed by a "/" for teams.
require_code_owner_reviews : (Optional) Require an approved review in pull requests including files with a designated code owner.
required_approving_review_count : (Optional) Require x number of approvals to satisfy branch protection requirements. If this is specified it must be a number between 0-6.
require_last_push_approval : (Optional) Require that The most recent push must be approved by someone other than the last pusher.
restrict_pushes : (Optional) The restrict_pushes block supports the following:
blocks_creations : (Optional) Optional) Boolean, setting this to false allows people, teams, or apps to create new branches matching this rule.
push_allowances : (Optional) The list of actor Names/IDs that may push to the branch. Actor names must either begin with a "/" for users or the organization name followed by a "/" for teams.
force_push_bypassers : (Optional) The list of actor Names/IDs that are allowed to bypass force push restrictions. Actor names must either begin with a "/" for users or the organization name followed by a "/" for teams.
allows_deletions : (Optional) Boolean, setting this to true to allow the branch to be deleted.
allows_force_pushes : (Optional) Boolean, setting this to true to allow force pushes on the branch.
lock_branch : (Optional) Boolean, Setting this to true will make the branch read-only and preventing any pushes to it.

Type:

list(object({
    pattern                         = string
    enforce_admins                  = optional(bool, false)
    require_signed_commits          = optional(bool, false)
    required_linear_history         = optional(bool, false)
    require_conversation_resolution = optional(bool, false)
    required_status_checks = optional(object({
      strict   = optional(bool, false)
      contexts = optional(list(string), [])
    }), null)
    required_pull_request_reviews = optional(object({
      dismiss_stale_reviews           = optional(bool, false)
      restrict_dismissals             = optional(bool, false)
      dismissal_restrictions          = optional(list(string), [])
      pull_request_bypassers          = optional(list(string), [])
      require_code_owner_reviews      = optional(bool, false)
      required_approving_review_count = optional(string, null)
      require_last_push_approval      = optional(bool, false)
    }), null)
    restrict_pushes = optional(object({
      blocks_creations = optional(bool, false)
      push_allowances  = optional(list(string), [])
    }))
    force_push_bypassers = optional(list(string), [])
    allows_deletions     = optional(bool, false)
    allows_force_pushes  = optional(bool, false)
    lock_branch          = optional(bool, false)
  }))

Default:

[
  {
    "allows_deletions": false,
    "allows_force_pushes": false,
    "blocks_creations": false,
    "enforce_admins": true,
    "force_push_bypassers": null,
    "lock_branch": false,
    "pattern": "main",
    "push_restrictions": null,
    "require_conversation_resolution": true,
    "require_signed_commits": false,
    "required_linear_history": false,
    "required_pull_request_reviews": {
      "dismiss_stale_reviews": true,
      "dismissal_restrictions": null,
      "pull_request_bypassers": null,
      "require_code_owner_reviews": true,
      "require_last_push_approval": false,
      "required_approving_review_count": "0",
      "restrict_dismissals": null
    },
    "required_status_checks": null
  }
]

delete_branch_on_merge

Description: (Optional) Automatically delete head branch after a pull request is merged.

Type: bool

Default: true

github_teams

Description: (Optional) The github_teams block supports the following:
name : (Required) The name of the team.
permission : (Optional) The permissions of team members regarding the repository. Must be one of pull, triage, push, maintain, admin or the name of an existing custom repository role within the organisation.

Type:

list(object({
    name       = string
    permission = optional(string, "pull")
  }))

Default: []

gitignore_template

Description: (Optional) Use the name of the template without the extension. For example, "Haskell".

Type: string

Default: null

has_discussions

Description: (Optional) Set to true to enable GitHub Discussions on the repository.

Type: bool

Default: false

has_issues

Description: (Optional) Set to true to enable the GitHub Issues features on the repository.

Type: bool

Default: true

has_projects

Description: (Optional) Set to true to enable the GitHub Projects features on the repository. Per the GitHub documentation when in an organization that has disabled repository projects it will default to false and will otherwise default to true. If you specify true when it has been disabled it will return an error.

Type: bool

Default: true

has_wiki

Description: (Optional) Set to true to enable the GitHub Wiki features on the repository.

Type: bool

Default: true

homepage_url

Description: (Optional) URL of a page describing the project.

Type: string

Default: null

ignore_vulnerability_alerts_during_read

Description: (Optional) Set to true to not call the vulnerability alerts endpoint so the resource can also be used without admin permissions during read.

Type: bool

Default: false

is_template

Description: (Optional) Set to true to tell GitHub that this is a template repository.

Type: bool

Default: false

license_template

Description: (Optional) Use the name of the template without the extension. For example, "mit" or "mpl-2.0".

Type: string

Default: null

merge_commit_message

Description: Can be PR_BODY, PR_TITLE, or BLANK for a default merge commit message. Applicable only if allow_merge_commit is true.

Type: string

Default: "PR_TITLE"

merge_commit_title

Description: Can be PR_TITLE or MERGE_MESSAGE for a default merge commit title. Applicable only if allow_merge_commit is true.

Type: string

Default: "MERGE_MESSAGE"

no_code_module

Description: (Optional) Whether this module will be a no-code module.

Type: bool

Default: false

oauth_client_name

Description: (Optional) Name of the OAuth client.

Type: string

Default: null

organization

Description: (Optional) HCP Terraform organization name.

Type: string

Default: null

pages

Description: (Optional) The pages block supports the following:
source : (Optional) The source block supports the following:
branch : (Required) The repository branch used to publish the site's source files. (i.e. main or gh-pages.
path : (Optional) The repository directory from which the site publishes (Default: /).
build_type : (Optional) The type of GitHub Pages site to build. Can be legacy or workflow. If you use legacy as build type you need to set the option source.
cname : (Optional) The custom domain for the repository. This can only be set after the repository has been created.

Type:

object({
    source = optional(object({
      branch = string
      path   = optional(string, "/")
    }))
    build_type = optional(string, null)
    cname      = optional(string, null)
  })

Default: null

security_and_analysis

Description: (Optional) The security_and_analysis block supports the following:
advanced_security : (Optional) The advanced_security block supports the following:
status : (Required) Set to enabled to enable advanced security features on the repository. Can be enabled or disabled.
secret_scanning : (Optional) The secret_scanning block supports the following:
status : (Required) Set to enabled to enable secret scanning on the repository. Can be enabled or disabled. If set to enabled, the repository's visibility must be public or security_and_analysis[0].advanced_security[0].status must also be set to enabled.
secret_scanning_push_protection : (Optional) The secret_scanning block supports the following:
status : (Required) Set to enabled to enable secret scanning push protection on the repository. Can be enabled or disabled. If set to enabled, the repository's visibility must be public or security_and_analysis[0].advanced_security[0].status must also be set to enabled.

Type:

object({
    advanced_security = optional(object({
      status = string
    }), null)
    secret_scanning = optional(object({
      status = string
    }), null)
    secret_scanning_push_protection = optional(object({
      status = string
    }), null)
  })

Default:

{
  "secret_scanning": {
    "status": "enabled"
  },
  "secret_scanning_push_protection": {
    "status": "enabled"
  }
}

squash_merge_commit_message

Description: (Optional) Can be PR_BODY, COMMIT_MESSAGES, or BLANK for a default squash merge commit message. Applicable only if allow_squash_merge is true.

Type: string

Default: "COMMIT_MESSAGES"

squash_merge_commit_title

Description: (Optional) Can be PR_TITLE or COMMIT_OR_PR_TITLE for a default squash merge commit title. Applicable only if allow_squash_merge is true.

Type: string

Default: "COMMIT_OR_PR_TITLE"

template

Description: (Optional) The template block supports the following:
owner : (Required) The GitHub organization or user the template repository is owned by.
repository : (Required) The name of the template repository.
include_all_branches : (Optional) Whether the new repository should include all the branches from the template repository (defaults to false, which includes only the default branch from the template).

Type:

object({
    owner                = string
    repository           = string
    include_all_branches = optional(bool, false)
  })

Default: null

tfe_token

Description: (Optional) The TFE_TOKEN secret value to be created in the GitHub repository to allow the module to publish itself into the private registry.

Type: string

Default: null

topics

Description: (Optional) The list of topics of the repository.

Type: list(string)

Default: []

visibility

Description: (Optional) Can be public or private. If your organization is associated with an enterprise account using GitHub Enterprise Cloud or GitHub Enterprise Server 2.20+, visibility can also be internal.

Type: string

Default: "public"

vulnerability_alerts

Description: (Optional) Set to true to enable security alerts for vulnerable dependencies. Enabling requires alerts to be enabled on the owner level. (Note for importing: GitHub enables the alerts on public repos but disables them on private repos by default.) See GitHub Documentation for details. Note that vulnerability alerts have not been successfully tested on any GitHub Enterprise instance and may be unavailable in those settings.

Type: bool

Default: true

Resources

The following resources are used by this module:

Outputs

The following outputs are exported:

branch_protection

Description: GitHub branch protection within your GitHub repository.

full_name

Description: A string of the form "orgname/reponame".

git_clone_url

Description: URL that can be provided to git clone to clone the repository anonymously via the git protocol.

html_url

Description: URL to the repository on the web.

http_clone_url

Description: URL that can be provided to git clone to clone the repository via HTTPS.

node_id

Description: GraphQL global node id for use with v4 API.

pages

Description: The block consisting of the repository's GitHub Pages configuration with the following additional attributes:
custom_404 : Whether the rendered GitHub Pages site has a custom 404 page.
html_url : The absolute URL (including scheme) of the rendered GitHub Pages site e.g. https://username.github.io.
status : The GitHub Pages site's build status e.g. building or built.

primary_language

Description: The primary language used in the repository.

registry_module_id

Description: The ID of the registry module.

registry_module_module_provider

Description: The Terraform provider that this module is used for.

registry_module_name

Description: The name of registry module.

repo_id

Description: GitHub ID for the repository.

repository

Description: Repositories within your GitHub organization.

ssh_clone_url

Description: URL that can be provided to git clone to clone the repository via SSH.

svn_url

Description: URL that can be provided to svn checkout to check out the repository via GitHub's Subversion protocol emulation.

About

Terraform module to manage tfe resources.

Topics

factory terraform terraform-module terraform-managed

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 9

v1.0.8 Latest
Nov 7, 2025
+ 8 releases

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages