diff --git a/.tfvars b/.tfvars
index 1eaaba9..6cd9364 100644
--- a/.tfvars
+++ b/.tfvars
@@ -102,7 +102,7 @@ teams = {
 "timsutton",
 "woodruffw",
 ],
- formulae-web = [
+ formulae_brew_sh = [
 "EricFromCanada",
 "MikeMcQuaid",
 "Rylan12",
@@ -130,10 +130,10 @@ teams = {
 "jacobbednarz",
 "MikeMcQuaid",
 ],
- linux-fonts = [
+ homebrew-linux-fonts = [
 "tani",
 ],
- pip = [
+ brew-pip-audit = [
 "alex",
 "woodruffw",
 ],
diff --git a/README.md b/README.md
index 095a235..4ea3128 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
-# terraform-user-management
+# homebrew-user-management
 
-User management for the Homebrew organisation using Terraform
+User management for the Homebrew organisation using OpenTofu
 
 ## Requirements
 
@@ -18,3 +18,4 @@ User management for the Homebrew organisation using Terraform
 - Google workspace management for brew.sh
 - Google Cloud manangement for self-hosted workers
+- Add DNSSimple
diff --git a/github/groups.tf b/github/groups.tf
new file mode 100644
index 0000000..5919760
--- /dev/null
+++ b/github/groups.tf
@@ -0,0 +1,62 @@
+locals {
+ teams = concat(
+ [for team in keys(var.teams) : team if !contains(["bots", "taps"], team)],
+ keys(tomap(var.teams.maintainers)),
+ keys(tomap(var.teams.taps))
+ )
+}
+
+resource "github_team" "main" {
+ name = each.key
+ privacy = "closed"
+
+ for_each = { for team in keys(var.teams) : team => team if !contains(["bots", "taps"], team) }
+
+ lifecycle {
+ ignore_changes = [description]
+ }
+}
+
+resource "github_team" "maintainers" {
+ name = replace(each.key, "_", ".")
+ privacy = "closed"
+ parent_team_id = github_team.main["maintainers"].id
+
+ for_each = { for team in keys(var.teams.maintainers) : team => team }
+
+ lifecycle {
+ ignore_changes = [description]
+ }
+}
+
+resource "github_team" "taps" {
+ name = replace(each.key, "_", ".")
+ privacy = "closed"
+
+ for_each = { for team in keys(var.teams.taps) : team => team }
+
+ lifecycle {
+ ignore_changes = [description]
+ }
+}
+
+resource "github_team_membership" "ops_membership" {
+ for_each = toset(var.teams.maintainers.ops)
+ team_id = github_team.maintainers["ops"].id
+ username = each.key
+ role = contains(var.admins, each.key) ? "maintainer" : "member"
+}
+
+resource "github_team_membership" "plc_membership" {
+ for_each = toset(var.teams.plc)
+ team_id = github_team.main["plc"].id
+ username = each.key
+ role = contains(var.admins, each.key) ? "maintainer" : "member"
+}
+
+resource "github_team_membership" "tsc_membership" {
+ for_each = toset(var.teams.maintainers.tsc)
+ team_id = github_team.maintainers["tsc"].id
+ username = each.key
+ role = contains(var.admins, each.key) ? "maintainer" : "member"
+}
\ No newline at end of file
diff --git a/github/main_groups.tf b/github/main_groups.tf
deleted file mode 100644
index 724f3d5..0000000
--- a/github/main_groups.tf
+++ /dev/null
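Review bot: Team membership is only declared for ops, plc and tsc (the three github_team_membership resources at the end of the hunk); every other team this file creates — cask, brew, core, ci-orchestrator, formulae_brew_sh and all of the taps — gets a github_team with no membership resource, so unless that is declared elsewhere, who holds those teams (and the repository permissions attached to them) lives outside state and will not surface as drift on plan. An authoritative `github_team_members` per team, or a comment stating that membership of those teams is intentionally managed in the GitHub UI, would make that boundary explicit. The `replace(each.key, "_", ".")` on the maintainers and taps names also deserves a comment, presumably along the lines of `# object attribute names cannot contain ".", so "_" in a key stands for "." in the GitHub team name (formulae_brew_sh -> formulae.brew.sh)`. local.teams is not referenced anywhere in this hunk; if nothing else reads it, it can be dropped.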
@@ -1,4 +0,0 @@
-data "github_team" "main_teams" {
- for_each = toset([for team in keys(var.teams) : team if contains(["bots", "taps"], team) == false])
- slug = each.key
-}
\ No newline at end of file
diff --git a/github/membership.tf b/github/membership.tf
index f32e1b9..9886c08 100644
--- a/github/membership.tf
+++ b/github/membership.tf
@@ -11,7 +11,7 @@ locals {
 }
 
 resource "github_membership" "general" {
- for_each = toset([ for member in local.members: member if !contains(var.unmanagable_members, member)])
+ for_each = toset([for member in local.members : member if !contains(var.unmanagable_members, member)])
 username = each.key
 role = contains(var.admins, each.key) ? "admin" : "member"
 }
diff --git a/github/ops.tf b/github/ops.tf
deleted file mode 100644
index 552d2d1..0000000
--- a/github/ops.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-data "github_team" "ops" {
- slug = "ops"
-}
-
-resource "github_team_membership" "ops_membership" {
- for_each = toset(var.teams.maintainers.ops)
- team_id = data.github_team.ops.id
- username = each.key
- role = contains(var.admins, each.key) ? "maintainer" : "member"
-}
\ No newline at end of file
diff --git a/github/plc.tf b/github/plc.tf
deleted file mode 100644
index 7d9e670..0000000
--- a/github/plc.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-data "github_team" "plc" {
- slug = "plc"
-}
-
-resource "github_team_membership" "plc_membership" {
- for_each = toset(var.teams.plc)
- team_id = data.github_team.plc.id
- username = each.key
- role = contains(var.admins, each.key) ? "maintainer" : "member"
-}
\ No newline at end of file
diff --git a/github/tsc.tf b/github/tsc.tf
deleted file mode 100644
index 12f9899..0000000
--- a/github/tsc.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-data "github_team" "tsc" {
- slug = "tsc"
-}
-
-resource "github_team_membership" "tsc_membership" {
- for_each = toset(var.teams.maintainers.tsc)
- team_id = data.github_team.tsc.id
- username = each.key
- role = contains(var.admins, each.key) ? "maintainer" : "member"
-}
\ No newline at end of file
diff --git a/github/vars.tf b/github/vars.tf
index 9532721..1d2b7ac 100644
--- a/github/vars.tf
+++ b/github/vars.tf
@@ -5,19 +5,19 @@ variable "teams" {
 bots = list(string)
 members = list(string)
 maintainers = object({
- cask = list(string)
- brew = list(string)
- core = list(string)
- tsc = list(string)
- ops = list(string)
- formulae-web = list(string)
- ci-orchestrator = list(string)
+ cask = list(string)
+ brew = list(string)
+ core = list(string)
+ tsc = list(string)
+ ops = list(string)
+ formulae_brew_sh = list(string)
+ ci-orchestrator = list(string)
 })
 taps = object({
- bundle = list(string)
- pip = list(string)
- linux-fonts = list(string)
- services = list(string)
+ bundle = list(string)
+ brew-pip-audit = list(string)
+ homebrew-linux-fonts = list(string)
+ services = list(string)
 })
 })
 }
diff --git a/import.tf b/import.tf
index 441ae18..2319de7 100644
--- a/import.tf
+++ b/import.tf
@@ -32,4 +32,22 @@ import {
 for_each = toset([for member in local.members : member if !contains(local.unmanagable_members, member)])
 to = module.github.github_membership.general[each.key]
 id = "Homebrew:${each.key}"
+}
+
+import {
+ for_each = { for team in keys(var.teams) : team => team if !contains(["bots", "taps"], team) }
+ to = module.github.github_team.main[each.key]
+ id = each.key
+}
+
+import {
+ for_each = { for team in keys(var.teams.taps) : team => team }
+ to = module.github.github_team.taps[each.key]
+ id = replace(each.key, "_", "-")
+}
+
+import {
+ for_each = { for team in keys(var.teams.maintainers) : team => team }
+ to = module.github.github_team.maintainers[each.key]
+ id = replace(each.key, "_", "-")
 }
\ No newline at end of file
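Review bot: The import ids for the taps and maintainers teams use `replace(each.key, "_", "-")` while the matching resources in github/groups.tf build the team name with `replace(each.key, "_", ".")`; this is presumably deliberate because the id is the team slug and the name is the display name, but nothing in the hunk says so, and the `main` import passes `each.key` unchanged, which only holds while every top-level key already equals its slug. A comment on each block, e.g. `# id is the team slug, not the display name; "." in a name is slugged to "-" by GitHub — verify before adding keys`, would stop a future key from silently importing the wrong team. The first import block in the hunk begins above it (only its `for_each`, `to` and `id` lines are visible). These import blocks are one-shot: once state carries the teams they can be removed so each plan stops re-evaluating them.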
diff --git a/main.tf b/main.tf
index 8529d1b..9b9f1a1 100644
--- a/main.tf
+++ b/main.tf
@@ -6,6 +6,15 @@ terraform {
 }
 }
 
+terraform {
+ required_providers {
+ github = {
+ source = "integrations/github"
+ version = "~> 6.0"
+ }
+ }
+}
+
 locals {
 # these people can't have their membership managed by OpenTofu becuase they are Billing Managers in GitHub
 unmanagable_members = ["p-linnane", "issyl0", "colindean", "MikeMcQuaid", "BrewSponsorsBot"]
diff --git a/vars.tf b/vars.tf
index a9e7f9b..b1ce445 100644
--- a/vars.tf
+++ b/vars.tf
@@ -5,19 +5,19 @@ variable "teams" {
 bots = list(string)
 members = list(string)
 maintainers = object({
- cask = list(string)
- brew = list(string)
- core = list(string)
- tsc = list(string)
- ops = list(string)
- formulae-web = list(string)
- ci-orchestrator = list(string)
+ cask = list(string)
+ brew = list(string)
+ core = list(string)
+ tsc = list(string)
+ ops = list(string)
+ formulae_brew_sh = list(string)
+ ci-orchestrator = list(string)
 })
 taps = object({
- bundle = list(string)
- pip = list(string)
- linux-fonts = list(string)
- services = list(string)
+ bundle = list(string)
+ brew-pip-audit = list(string)
+ homebrew-linux-fonts = list(string)
+ services = list(string)
 })
 })
 }
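Review bot: The added `terraform {}` block is a second top-level terraform block; the first one starts above the hunk and only its two closing braces are visible as context. OpenTofu merges multiple terraform blocks, but anyone auditing provider requirements will read the first block, so `required_providers` belongs inside the existing one rather than in a new block next to it. `version = "~> 6.0"` admits any 6.x release; what actually fixes the provider build and its checksums is `.terraform.lock.hcl`, which this commit does not touch — confirm it is committed and refreshed so CI and every maintainer resolve the same provider.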