Merge pull request #65 from mineiros-io/mariux/tf15

feat: add support for terraform v0.15

Author: mariux

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @soerenmartius @mariux

.github/workflows/main.yml

@@ -1,6 +1,12 @@
 name: CI/CD Pipeline
 
-on: push
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
 
 jobs:
   pre-commit:
@@ -21,5 +27,5 @@ jobs:
       - name: Run Unit Tests
         run: make test/unit-tests
         env:
-          GITHUB_ORGANIZATION: ${{ secrets.TEST_GITHUB_ORGANIZATION }}
+          GITHUB_OWNER: ${{ secrets.TEST_GITHUB_ORGANIZATION }}
           GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}

.gitignore

@@ -43,3 +43,6 @@ out/
 
 # local env
 .env
+
+.terraform.lock.hcl
+

.pre-commit-config.yaml

@@ -1,11 +1,13 @@
 repos:
   - repo: https://github.com/mineiros-io/pre-commit-hooks
-    rev: v0.2.2
+    rev: v0.2.3
     hooks:
       - id: terraform-fmt
       - id: terraform-validate
         exclude: ^examples|.terraform/
       - id: tflint
+      - id: gofmt
+      - id: goimports
       - id: golangci-lint
       - id: phony-targets
       - id: markdown-link-check

CHANGELOG.md

@@ -7,6 +7,50 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.9.0]
+
+### Added
+
+- Add support for Terraform v0.15
+
+## [0.8.0]
+
+**_This is a BREAKING RELEASE._**
+
+Branch protection resourcess will be recreated and new fetures are added enforcing security by default.
+
+Please review plans and report regressions and issues asap so we can improve documentation for upgrading.
+
+### Upgrade path/notes:
+
+- Branch protections will be recreated in a compatible way. Alternatively, all branch protections could be manually updated using `terraform state mv` but this is not recommended as it is a manual process that can suffer from human prone errors.
+- If you do not want to archive repositories on deletion set `archive_on_destroy` to false in repository configurations.
+
+#### Expected differences in a plan after upgrading:
+
+- Addition to `module.<NAME>.github_repository.repository`:
+  - Addition or changed default of argument `archive_on_destroy = true`
+- Destruction of `module.<NAME>.github_branch_protection.branch_protection[*]`
+- Creation of `module.<NAME>.github_branch_protection_v3.branch_protection[*]`
+- Replacement of `module.<NAME>.github_team_repository.team_repository_by_slug[<SLUG>]`
+  - Triggered by change in `team_id = "<NUMBER>" -> "<SLUG>"`
+
+### Added
+
+- Add support for Github Provider v4 (Minimal compatible version is v4.5).
+- Add support for `archive_on_destroy` repository flag defaulting to `true`.
+- Add support for `vulnerability_alerts` repository flag.
+- Add security deny list for v4.7.0, v4.8.0, v4.9.0 and v4.9.1 due to a bug setting visibility to public for templated repository creation.
+
+### Changed
+
+- Use [`github_branch_protection_v3`](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection_v3) instead of [`github_branch_protection`](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection) for performance and compatibility reasons. **ATTENTION**: This Change will trigger recreation of all branch protections when upgrading to v0.8.0.
+- Use `github_branch_default` to set default branch of repositories. **ATTENTION**: This Change will trigger creation of new resource when `default_branch` argument is set.
+
+### Removed
+
+- **BREAKING CHANGE**: Removed support for Github Provider before v4.3
+
 ## [0.7.0]
 
 ### Added
@@ -65,7 +109,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Add CONTRIBUTING.md.
 - Add `phony-targets` and `markdown-link-check` hooks.
 
-### Changelog
+### Changed
 
 - Update logo and badges in README.md.
 
@@ -178,7 +222,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
-- Set has_issues default value to `false`.
+- Set `has_issues` default value to `false`.
 
 ## [0.0.2] - 2020-01-06
 
@@ -200,11 +244,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- markdown-link-check-disable -->
 
-[unreleased]: https://github.com/mineiros-io/terraform-github-repository/compare/v0.7.0...HEAD
-[0.7.0]: https://github.com/mineiros-io/terraform-github-repository/compare/v0.6.1...v0.7.0
+[unreleased]: https://github.com/mineiros-io/terraform-github-repository/compare/v0.9.0...HEAD
+[0.9.0]: https://github.com/mineiros-io/terraform-github-repository/compare/v0.8.0...v0.9.0
+[0.8.0]: https://github.com/mineiros-io/terraform-github-repository/compare/v0.7.0...v0.8.0
 
 <!-- markdown-link-check-enable -->
 
+[0.7.0]: https://github.com/mineiros-io/terraform-github-repository/compare/v0.6.1...v0.7.0
 [0.6.1]: https://github.com/mineiros-io/terraform-github-repository/compare/v0.6.0...v0.6.1
 [0.6.0]: https://github.com/mineiros-io/terraform-github-repository/compare/v0.5.1...v0.6.0
 [0.5.1]: https://github.com/mineiros-io/terraform-github-repository/compare/v0.5.0...v0.5.1

CODEOWNERS

@@ -1,11 +1,10 @@
 # Set default shell to bash
 SHELL := /bin/bash -o pipefail
 
-BUILD_TOOLS_VERSION      ?= v0.7.0
+BUILD_TOOLS_VERSION      ?= v0.11.0
 BUILD_TOOLS_DOCKER_REPO  ?= mineiros/build-tools
 BUILD_TOOLS_DOCKER_IMAGE ?= ${BUILD_TOOLS_DOCKER_REPO}:${BUILD_TOOLS_VERSION}
 
-#
 # Some CI providers such as GitHub Actions, CircleCI, and TravisCI are setting
 # the CI environment variable to a non-empty value by default to indicate that
 # the current workflow is running in a Continuous Integration environment.
@@ -18,53 +17,83 @@ BUILD_TOOLS_DOCKER_IMAGE ?= ${BUILD_TOOLS_DOCKER_REPO}:${BUILD_TOOLS_VERSION}
 # https://www.gnu.org/software/automake/manual/html_node/Debugging-Make-Rules.html
 #
 ifdef CI
-	TF_IN_AUTOMATION ?= 1
-	export TF_IN_AUTOMATION
+  TF_IN_AUTOMATION ?= yes
+  export TF_IN_AUTOMATION
 
-	V ?= 1
+  V ?= 1
 endif
 
 ifndef NOCOLOR
-	GREEN  := $(shell tput -Txterm setaf 2)
-	YELLOW := $(shell tput -Txterm setaf 3)
-	WHITE  := $(shell tput -Txterm setaf 7)
-	RESET  := $(shell tput -Txterm sgr0)
+  GREEN  := $(shell tput -Txterm setaf 2)
+  YELLOW := $(shell tput -Txterm setaf 3)
+  WHITE  := $(shell tput -Txterm setaf 7)
+  RESET  := $(shell tput -Txterm sgr0)
 endif
 
+GIT_TOPLEVEl = $(shell git rev-parse --show-toplevel)
+
+# generic docker run flags
+DOCKER_RUN_FLAGS += -v ${GIT_TOPLEVEl}:/build
 DOCKER_RUN_FLAGS += --rm
-DOCKER_RUN_FLAGS += -v ${PWD}:/app/src
 DOCKER_RUN_FLAGS += -e TF_IN_AUTOMATION
-DOCKER_RUN_FLAGS += -e USER_UID=$(shell id -u)
 
-DOCKER_GITHUB_FLAGS += -e GITHUB_TOKEN
-DOCKER_GITHUB_FLAGS += -e GITHUB_ORGANIZATION
+# if SSH_AUTH_SOCK is defined we are likely referencing private repositories
+# for depending terrfaorm modules or other depdendencies
+# so we pass credentials to the docker container when running tests or pre-commit hooks
+ifdef SSH_AUTH_SOCK
+  DOCKER_SSH_FLAGS += -e SSH_AUTH_SOCK=/ssh-agent
+  DOCKER_SSH_FLAGS += -v ${SSH_AUTH_SOCK}:/ssh-agent
+endif
 
-DOCKER_FLAGS   += ${DOCKER_RUN_FLAGS}
-DOCKER_RUN_CMD  = docker run ${DOCKER_FLAGS} ${BUILD_TOOLS_DOCKER_IMAGE}
+# if AWS_ACCESS_KEY_ID is defined we are likely running inside an AWS provider module
+# so we pass credentials to the docker container when running tests
+ifdef AWS_ACCESS_KEY_ID
+  DOCKER_AWS_FLAGS += -e AWS_ACCESS_KEY_ID
+  DOCKER_AWS_FLAGS += -e AWS_SECRET_ACCESS_KEY
+  DOCKER_AWS_FLAGS += -e AWS_SESSION_TOKEN
+endif
+
+# if GITHUB_OWNER is defined we are running inside a github provider module
+# so we pass credentials to the docker container when running tests
+ifdef GITHUB_OWNER
+  DOCKER_GITHUB_FLAGS += -e GITHUB_TOKEN
+  DOCKER_GITHUB_FLAGS += -e GITHUB_OWNER
+endif
 
 .PHONY: default
 default: help
 
-## Run pre-commit hooks in build-tools docker container.
+# Not exposed as a callable target by `make help`, since this is a one-time shot to simplify the development of this module.
+.PHONY: template/adjust
+template/adjust: FILTER = -path ./.git -prune -a -type f -o -type f -not -name Makefile
+template/adjust:
+	@find . $(FILTER) -exec sed -i -e "s,terraform-module-template,$${PWD##*/},g" {} \;
+
+## Run pre-commit hooks inside a build-tools docker container.
 .PHONY: test/pre-commit
-test/pre-commit: DOCKER_FLAGS += ${DOCKER_GITHUB_FLAGS}
+test/pre-commit: DOCKER_FLAGS += ${DOCKER_SSH_FLAGS}
 test/pre-commit:
 	$(call docker-run,pre-commit run -a)
 
 ## Run all Go tests inside a build-tools docker container. This is complementary to running 'go test ./test/...'.
 .PHONY: test/unit-tests
+test/unit-tests: DOCKER_FLAGS += ${DOCKER_SSH_FLAGS}
 test/unit-tests: DOCKER_FLAGS += ${DOCKER_GITHUB_FLAGS}
+test/unit-tests: DOCKER_FLAGS += ${DOCKER_AWS_FLAGS}
+test/unit-tests: TEST ?= "TestUnit"
 test/unit-tests:
 	@echo "${YELLOW}[TEST] ${GREEN}Start Running Go Tests in Docker Container.${RESET}"
-	$(call go-test,./test/...)
+	$(call go-test,./test -run $(TEST))
 
 ## Clean up cache and temporary files
 .PHONY: clean
 clean:
 	$(call rm-command,.terraform)
+	$(call rm-command,.terraform.lock.hcl)
 	$(call rm-command,*.tfplan)
-	$(call rm-command,examples/*/.terraform)
-	$(call rm-command,examples/*/*.tfplan)
+	$(call rm-command,*/*/.terraform)
+	$(call rm-command,*/*/*.tfplan)
+	$(call rm-command,*/*/.terraform.lock.hcl)
 
 ## Display help for all targets
 .PHONY: help
@@ -80,6 +109,9 @@ help:
 	{ lastLine = $$0 }' $(MAKEFILE_LIST)
 
 # define helper functions
+DOCKER_FLAGS   += ${DOCKER_RUN_FLAGS}
+DOCKER_RUN_CMD  = docker run ${DOCKER_FLAGS} ${BUILD_TOOLS_DOCKER_IMAGE}
+
 quiet-command = $(if ${V},${1},$(if ${2},@echo ${2} && ${1}, @${1}))
 docker-run    = $(call quiet-command,${DOCKER_RUN_CMD} ${1} | cat,"${YELLOW}[DOCKER RUN] ${GREEN}${1}${RESET}")
 go-test       = $(call quiet-command,${DOCKER_RUN_CMD} go test -v -count 1 -timeout 45m -parallel 128 ${1} | cat,"${YELLOW}[TEST] ${GREEN}${1}${RESET}")

Makefile

@@ -10,8 +10,13 @@
 
 A [Terraform] module for creating a public or private repository on [Github].
 
-*This module supports Terraform v0.14, v0.13 as well as v0.12.9 and above
-and is compatible with the Terraform Github Provider v3 as well as v2.6 and above.*
+_This module supports Terraform v0.15, v0.14, v0.13 as well as v0.12.9 and above and is compatible with the Terraform Github Provider v4._
+
+_The latest version being compatible with the Terraform Github Provider v3 as well as v2 was v0.7.0 of this module._
+
+_Security related notice: Versions 4.7.0, 4.8.0, 4.9.0 and 4.9.1 of the Terraform Github Provider are deny-listed in version constraints as a regression introduced in 4.7.0 and fixed in 4.9.2 creates public repositories from templates even if visibility is set to private._
+
+_Version `>= 0.8.0` of this module is compatible with `mineiros-io/team/github >= 0.4.0` and `mineiros-io/organization/github >= 0.4.0`_
 
 - [Module Features](#module-features)
 - [Getting Started](#getting-started)
@@ -87,7 +92,7 @@ Most basic usage creating a new private github repository.
 ```hcl
 module "repository" {
   source  = "mineiros-io/repository/github"
-  version = "~> 0.6.0"
+  version = "~> 0.9.0"
 
   name               = "terraform-github-repository"
   license_template   = "apache-2.0"
@@ -157,7 +162,7 @@ See [variables.tf] and [examples/] for details and use-cases.
 
 - ~`private`~: _(Optional `bool`)_
 
-  DEPRICATED. Please use `visibility` instead and update your code. parameter will be removed in a future version
+  **_DEPRECATED_**: Please use `visibility` instead and update your code. parameter will be removed in a future version
 
 - **`visibility`**: _(Optional `string`)_
 
@@ -219,6 +224,15 @@ See [variables.tf] and [examples/] for details and use-cases.
   should be extended with more topics.
   Default is `[]`.
 
+- **`vulnerability_alerts`**: _(Optional `bool`)_
+
+  Set to `false` to disable security alerts for vulnerable dependencies.
+  Enabling requires alerts to be enabled on the owner level.
+
+- **`archive_on_destroy`**: _(Optional `bool`)_
+
+  Set to `false` to not archive the repository instead of deleting on destroy.
+
 #### Repository Creation Configuration
 
 The following four arguments can only be set at repository creation and
@@ -346,12 +360,18 @@ removed thislimitation.
 
 #### Branch Protections Configuration
 
-- **[`branch_protections`](#branch_protection-object-attributes)**: _(Optional `list(branch_protection)`)_
+- **[`branch_protections_v3`](#branch_protection-object-attributes)**: _(Optional `list(branch_protection)`)_
 
   This resource allows you to configure branch protection for repositories in your organization.
   When applied, the branch will be protected from forced pushes and deletion.
   Additional constraints, such as required status checks or restrictions on users and teams,
   can also be configured.
+  Default is `[]` unless `branch_protections` is used.
+
+- **[`branch_protections`](#branch_protection-object-attributes)**: **_(DEPRECATED)_**
+
+  **_DEPRECATED_** To ensure compatibility with future versions of this module, please use `branch_protections_v3`.
+  This argument is ignored if `branch_protections_v3` is used.
   Default is `[]`.
 
 #### Issue Labels Configuration
@@ -401,13 +421,15 @@ removed thislimitation.
 
   This map allows you to create and manage secrets for repositories in your organization.
   Each element in the map is considered a secret to be managed, being the key map the secret name and the value the corresponding secret in plain text:
+
   ```
   plaintext_secrets = {
     SECRET_NAME_1 = "secret_value_1"
     SECRET_NAME_2 = "secret_value_2"
     ...
   }
   ```
+
   When applied, a secret with the given key and value will be created in the repositories.
   The value of the secrets must be given in plain text, github provider is in charge of encrypting it.
   **Attention:** You might want to get secrets via a data source from a secure vault and not add them in plain text to your source files; so you do not commit plaintext secrets into the git repository managing your github account.
@@ -746,9 +768,9 @@ Copyright © 2020 [Mineiros GmbH][homepage]
 [badge-build]: https://github.com/mineiros-io/terraform-github-repository/workflows/CI/CD%20Pipeline/badge.svg
 [badge-semver]: https://img.shields.io/github/v/tag/mineiros-io/terraform-github-repository.svg?label=latest&sort=semver
 [badge-license]: https://img.shields.io/badge/license-Apache%202.0-brightgreen.svg
-[badge-terraform]: https://img.shields.io/badge/terraform-0.14%20|%200.13%20|%200.12.20+-623CE4.svg?logo=terraform
+[badge-terraform]: https://img.shields.io/badge/terraform-0.15%20|0.14%20|%200.13%20|%200.12.20+-623CE4.svg?logo=terraform
 [badge-slack]: https://img.shields.io/badge/[email protected]?logo=slack
-[badge-tf-gh]: https://img.shields.io/badge/GH-3%20and%202.6+-F8991D.svg?logo=terraform
+[badge-tf-gh]: https://img.shields.io/badge/GH-4-F8991D.svg?logo=terraform
 [releases-github-provider]: https://github.com/terraform-providers/terraform-provider-github/releases
 [build-status]: https://github.com/mineiros-io/terraform-github-repository/actions
 [releases-github]: https://github.com/mineiros-io/terraform-github-repository/releases

README.md

@@ -15,7 +15,7 @@ branch protection.
 ```hcl
 module "repository" {
   source  = "mineiros-io/repository/github"
-  version = "~> 0.7.0"
+  version = "~> 0.9.0"
 
   module_depends_on = [
     github_team.team

examples/public-repository/README.md

@@ -7,7 +7,7 @@
 
 module "repository" {
   source  = "mineiros-io/repository/github"
-  version = "~> 0.6.0"
+  version = "~> 0.9.0"
 
   module_depends_on = [
     github_team.team