feat: Refactor module to single-repo pattern with configurable branch protection, and autolink support (#7)

* feat: Refactor module to single-repo pattern with configurable branch protection, and autolink support

* chore: Remove unnecessary args in pre-commit-config

Author: melissathai

README.md

@@ -1,64 +1,80 @@
 # Terraform GitHub Repository
 
-Creates a GitHub repository.
+Creates a GitHub repository with strong, opinionated branch protection for the default branch.
 
-This module is very opinionated and possibly not suitable for other use cases.
+By default, this module:
 
-It creates one or more GitHub repositories with a ruleset protecting the main branch.
+- Blocks force pushes and branch deletions
+- Requires a linear commit history and signed commits
+- Optionally enforces pull request reviews (see variables)
+
+If your use case requires custom or no branch protection, set `enable_default_ruleset = false` and use the [`github_repository_ruleset`](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_ruleset) resource directly in your configuration.
 
 ## Usage
 
 ```hcl
-module "repositories" {
+module "repository" {
   source = "terraform-github-repository"
+  name   = "example-repo"
 
-  repositories = [
-    {
-      name = "test"
-    },
-    {
-      name = "test2"
-      repo_visibility = "public"
-    }
-  ]
+  pr_require_code_owner_review       = true
+  pr_required_approving_review_count = 1
 }
-
 ```
 
+**Note:** If you set `pr_require_code_owner_review = true`, you must add a `CODEOWNERS` file to your repository or PR merges will be blocked.
+
 <!-- BEGIN_TF_DOCS -->
 ***
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| repo_name | Name of repository. | `string` | n/a | yes |
-| allow_auto_merge | value | `bool` | `false` | no |
-| allow_merge_commit | value | `bool` | `false` | no |
-| allow_rebase_merge | value | `bool` | `false` | no |
-| allow_squash_merge | value | `bool` | `true` | no |
-| allow_update_branch | value | `bool` | `true` | no |
-| archived | value | `bool` | `false` | no |
-| auto_init | value | `bool` | `false` | no |
-| default_branch_name | Name of default branch. | `string` | `"main"` | no |
-| delete_branch_on_merge | value | `bool` | `true` | no |
-| has_discussions | value | `bool` | `false` | no |
-| has_downloads | value | `bool` | `false` | no |
-| has_issues | value | `bool` | `true` | no |
-| has_projects | value | `bool` | `false` | no |
-| has_wiki | value | `bool` | `false` | no |
-| is_template | value | `bool` | `false` | no |
-| repo_description | Description of the repository. Displayed in right-hand column on repo home page. | `string` | `""` | no |
-| repo_visibility | Whether repo should be `public` or `private`. | `string` | `"private"` | no |
-| vulnerability_alerts | value | `bool` | `true` | no |
-| web_commit_signoff_required | value | `bool` | `false` | no |
+| name | Name of the repository. | `string` | n/a | yes |
+| allow_auto_merge | Whether auto-merge is allowed. | `bool` | `false` | no |
+| allow_merge_commit | Whether merge commits are allowed. | `bool` | `false` | no |
+| allow_rebase_merge | Whether rebase merges are allowed. | `bool` | `false` | no |
+| allow_squash_merge | Whether squash merges are allowed. | `bool` | `true` | no |
+| allow_update_branch | Whether branches can be updated automatically. | `bool` | `true` | no |
+| archived | Whether the repository is archived. | `bool` | `false` | no |
+| auto_init | Whether an initial commit is automatically produced in the repository. | `bool` | `false` | no |
+| autolink_reference_prefix | This prefix appended by a number generates a link any time it is found in an issue, PR, or commit. Required if `autolink_reference_url_template` is set. | `string` | `""` | no |
+| autolink_reference_url_template | The target URL template for the autolink reference. Use `<num>` as a placeholder for the number. Required if `autolink_reference_prefix` is set. | `string` | `""` | no |
+| default_branch_name | Name of the default branch. | `string` | `"main"` | no |
+| delete_branch_on_merge | Whether to delete branch on merge. | `bool` | `true` | no |
+| description | Description of the repository. | `string` | `""` | no |
+| enable_default_ruleset | Whether to create a secure default branch protection ruleset. | `bool` | `true` | no |
+| has_discussions | Whether the repository has discussions enabled. | `bool` | `false` | no |
+| has_downloads | Whether the repository has downloads enabled. | `bool` | `false` | no |
+| has_issues | Whether the repository has issues enabled. | `bool` | `true` | no |
+| has_projects | Whether the repository has projects enabled. | `bool` | `false` | no |
+| has_wiki | Whether the repository has wiki enabled. | `bool` | `false` | no |
+| is_template | Whether the repository is a template. | `bool` | `false` | no |
+| pr_dismiss_stale_reviews_on_push | Whether to dismiss stale reviews on a PR when new commits are pushed. | `bool` | `true` | no |
+| pr_require_code_owner_review | Whether to require code owner review on a PR before merging. | `bool` | `false` | no |
+| pr_require_last_push_approval | Whether the most recent pusher to a PR must approve the PR. | `bool` | `false` | no |
+| pr_required_approving_review_count | Number of required PR approving reviews. | `number` | `0` | no |
+| pr_required_review_thread_resolution | Whether to require all review threads on a PR to be resolved before merging. | `bool` | `false` | no |
+| rules_creation | If true, only allows users with bypass permission to create matching refs. | `bool` | `false` | no |
+| rules_deletion | If true, only allows users with bypass permissions to delete matching refs. | `bool` | `true` | no |
+| rules_non_fast_forward | If true, prevents users with push access from force pushing to branches. | `bool` | `true` | no |
+| rules_required_linear_history | If true, prevents merge commits from being pushed to matching branches. In other words, any PRs merged into the branch must use a squash merge or a rebase merge. | `bool` | `true` | no |
+| rules_required_signatures | If true, commits pushed to matching branches must have verified signatures. | `bool` | `true` | no |
+| rules_update | If true, only allows users with bypass permission to update matching refs. | `bool` | `false` | no |
+| rules_update_allows_fetch_and_merge | If true, the branch can pull changes from its upstream repository. This is only applicable to forked repositories. Requires `update` to be set to true. | `bool` | `false` | no |
+| topics | A list of topics for the repository. | `list(string)` | `[]` | no |
+| visibility | Repository visibility: private, public, or internal. | `string` | `"private"` | no |
+| vulnerability_alerts | Whether to enable vulnerability alerts. | `bool` | `true` | no |
+| web_commit_signoff_required | Whether contributor signoff is required on web commits. | `bool` | `false` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| kms_key_arn | The ARN for the CMK KMS key used for CloudWatch encryption. |
-| log_group_arns | The ARN for each Log Group |
+| repository_id | Repository ID |
+| repository_name | Repository name |
+| repository_url | Repository URL |
 
 ## Providers
 
@@ -77,23 +93,22 @@ module "repositories" {
 
 | Name | Type |
 |------|------|
-| [github_branch.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch) | resource |
-| [github_branch_default.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_default) | resource |
-| [github_repository.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |
-| [github_repository_ruleset.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_ruleset) | resource |
+| [github_repository.repository](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |
+| [github_repository_autolink_reference.autolink_reference](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_autolink_reference) | resource |
+| [github_repository_ruleset.ruleset](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_ruleset) | resource |
 
 ***
 <!-- END_TF_DOCS -->
 
-### Developer Setup
+## Developer Setup
 
 - [Pre-Commit](https://pre-commit.com/)
 - [TFenv](https://github.com/tfutils/tfenv)
 - [Terraform-Docs](https://terraform-docs.io/)
 - [TFLint](https://github.com/terraform-linters/tflint)
 - [Trivy](https://trivy.dev/)
 
-Install dependencies (macOS)
+### Install Dependencies
 
 ```shell
 brew install pre-commit tfenv terraform-docs tflint trivy

main.tf

@@ -1,43 +1,48 @@
-resource "github_repository" "repository" {
-  for_each = { for repo in var.repositories : repo.name => repo }
+locals {
+  github_repository_role = {
+    org_admin = 1
+    maintain  = 2
+    write     = 4
+    admin     = 5
+  }
+}
 
-  allow_auto_merge            = each.value.allow_auto_merge
-  allow_merge_commit          = each.value.allow_merge_commit
-  allow_rebase_merge          = each.value.allow_rebase_merge
-  allow_squash_merge          = each.value.allow_squash_merge
-  allow_update_branch         = each.value.allow_update_branch
-  archived                    = each.value.archived
-  auto_init                   = each.value.auto_init
-  delete_branch_on_merge      = each.value.delete_branch_on_merge
-  description                 = each.value.repo_description
-  has_discussions             = each.value.has_discussions
-  has_downloads               = each.value.has_downloads
-  has_issues                  = each.value.has_issues
-  has_projects                = each.value.has_projects
-  has_wiki                    = each.value.has_wiki
-  is_template                 = each.value.is_template
-  merge_commit_message        = "PR_BODY"
-  merge_commit_title          = "PR_TITLE"
-  name                        = each.value.name
-  squash_merge_commit_message = "COMMIT_MESSAGES"
-  squash_merge_commit_title   = "PR_TITLE"
-  topics                      = []
-  visibility                  = each.value.repo_visibility
-  vulnerability_alerts        = each.value.vulnerability_alerts
-  web_commit_signoff_required = each.value.web_commit_signoff_required
+resource "github_repository" "repository" {
+  allow_auto_merge            = var.allow_auto_merge
+  allow_merge_commit          = var.allow_merge_commit
+  allow_rebase_merge          = var.allow_rebase_merge
+  allow_squash_merge          = var.allow_squash_merge
+  allow_update_branch         = var.allow_update_branch
+  archived                    = var.archived
+  auto_init                   = var.auto_init
+  delete_branch_on_merge      = var.delete_branch_on_merge
+  description                 = var.description
+  has_discussions             = var.has_discussions
+  has_downloads               = var.has_downloads
+  has_issues                  = var.has_issues
+  has_projects                = var.has_projects
+  has_wiki                    = var.has_wiki
+  is_template                 = var.is_template
+  merge_commit_message        = var.allow_merge_commit ? "PR_BODY" : null
+  merge_commit_title          = var.allow_merge_commit ? "PR_TITLE" : null
+  name                        = var.name
+  squash_merge_commit_message = var.allow_squash_merge ? "COMMIT_MESSAGES" : null
+  squash_merge_commit_title   = var.allow_squash_merge ? "PR_TITLE" : null
+  topics                      = var.topics
+  visibility                  = var.visibility
+  vulnerability_alerts        = var.vulnerability_alerts
+  web_commit_signoff_required = var.web_commit_signoff_required
 }
 
 resource "github_repository_ruleset" "ruleset" {
-  for_each    = { for repo in var.repositories : repo.name => repo }
+  count       = var.enable_default_ruleset ? 1 : 0
   enforcement = "active"
   name        = var.default_branch_name
-  repository  = github_repository.repository[each.key].name
+  repository  = github_repository.repository.name
   target      = "branch"
 
-  # https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_ruleset#bypass_actors
-  # Org Admin = 1, maintain = 2, write = 4, admin = 5
   bypass_actors {
-    actor_id    = 5
+    actor_id    = local.github_repository_role.admin
     actor_type  = "RepositoryRole"
     bypass_mode = "always"
   }
@@ -51,21 +56,30 @@ resource "github_repository_ruleset" "ruleset" {
     }
   }
 
+  # Available rules for rulesets:
+  # https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets
   rules {
-    creation                      = false
-    deletion                      = true
-    non_fast_forward              = true
-    required_linear_history       = true
-    required_signatures           = true
-    update                        = false
-    update_allows_fetch_and_merge = false
+    creation                      = var.rules_creation
+    deletion                      = var.rules_deletion
+    non_fast_forward              = var.rules_non_fast_forward
+    required_linear_history       = var.rules_required_linear_history
+    required_signatures           = var.rules_required_signatures
+    update                        = var.rules_update
+    update_allows_fetch_and_merge = var.rules_update_allows_fetch_and_merge
 
     pull_request {
-      dismiss_stale_reviews_on_push     = true
-      require_code_owner_review         = false
-      require_last_push_approval        = false
-      required_approving_review_count   = 0
-      required_review_thread_resolution = false
+      dismiss_stale_reviews_on_push     = var.pr_dismiss_stale_reviews_on_push
+      require_code_owner_review         = var.pr_require_code_owner_review
+      require_last_push_approval        = var.pr_require_last_push_approval
+      required_approving_review_count   = var.pr_required_approving_review_count
+      required_review_thread_resolution = var.pr_required_review_thread_resolution
     }
   }
 }
+
+resource "github_repository_autolink_reference" "autolink_reference" {
+  count               = var.autolink_reference_prefix != "" && var.autolink_reference_url_template != "" ? 1 : 0
+  repository          = github_repository.repository.name
+  key_prefix          = var.autolink_reference_prefix
+  target_url_template = var.autolink_reference_url_template
+}

outputs.tf

@@ -1,14 +1,14 @@
 output "repository_name" {
-  description = "Map of repository names"
-  value       = { for key, repo in github_repository.repository : key => repo.name }
+  description = "Repository name"
+  value       = github_repository.repository.name
 }
 
-output "repository_urls" {
-  description = "Map of repository URLs"
-  value       = { for key, repo in github_repository.repository : key => repo.html_url }
+output "repository_url" {
+  description = "Repository URL"
+  value       = github_repository.repository.html_url
 }
 
-output "repository_ids" {
-  description = "Map of repository IDs"
-  value       = { for key, repo in github_repository.repository : key => repo.id }
+output "repository_id" {
+  description = "Repository ID"
+  value       = github_repository.repository.id
 }