Merge pull request #4 from FociSolutions/custom-roles

Adds custom repository roles to organization layer

organizations/README.md

@@ -39,7 +39,7 @@ Before this layer can be run to manage github resources under your organization(
 The recommended file and folder structure for this layer is as follows:
 
 * **organizations**
-    * **terragrunt.hcl** - Terragrunt configuration that makes use of the `organization_settings` module to manage an organizations settings
+    * **terragrunt.hcl** - Terragrunt configuration that makes use of the `organization_settings` module to manage an organization
 * **projects**
     * **PROJECT_NAME**
         * **Org1**

organizations/modules/organization_settings/README.md → organizations/modules/organization/README.md

@@ -20,12 +20,20 @@ No modules.
 | Name | Type |
 |------|------|
 | [github_organization_block.blocked_user](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/organization_block) | resource |
+| [github_organization_custom_role.community_manager_role](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/organization_custom_role) | resource |
+| [github_organization_custom_role.contractor_role](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/organization_custom_role) | resource |
+| [github_organization_custom_role.custom_repository_role](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/organization_custom_role) | resource |
+| [github_organization_custom_role.security_engineer_role](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/organization_custom_role) | resource |
 | [github_organization_settings.organization_settings](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/organization_settings) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_custom_repository_roles"></a> [custom\_repository\_roles](#input\_custom\_repository\_roles) | n/a | <pre>map(object({<br>    description = string<br>    base_role   = string<br>    permissions = list(string)<br>  }))</pre> | n/a | yes |
+| <a name="input_enable_community_manager_role"></a> [enable\_community\_manager\_role](#input\_enable\_community\_manager\_role) | If `true` will create a custom repository role for community managers. Defaults to `false`. If `true` the maximum number of `custom_repository_roles` that can be defined will be reduced by one. | `bool` | `false` | no |
+| <a name="input_enable_contractor_role"></a> [enable\_contractor\_role](#input\_enable\_contractor\_role) | If `true` will create a custom repository role for contractors. Defaults to `false`. If `true` the maximum number of `custom_repository_roles` that can be defined will be reduced by one. | `bool` | `false` | no |
+| <a name="input_enable_security_engineer_role"></a> [enable\_security\_engineer\_role](#input\_enable\_security\_engineer\_role) | If `true` will create a custom repository role for security engineers. Defaults to `false`. If `true` the maximum number of `custom_repository_roles` that can be defined will be reduced by one. | `bool` | `false` | no |
 | <a name="input_github_organization_billing_email"></a> [github\_organization\_billing\_email](#input\_github\_organization\_billing\_email) | The billing email to set for the organization. | `string` | n/a | yes |
 | <a name="input_github_organization_blocked_users"></a> [github\_organization\_blocked\_users](#input\_github\_organization\_blocked\_users) | A list of usernames to block from the organization. Defaults to `[]`. | `list(string)` | `[]` | no |
 | <a name="input_github_organization_blog"></a> [github\_organization\_blog](#input\_github\_organization\_blog) | Url to organization blog. Defaults to `''`. | `string` | `""` | no |
@@ -46,4 +54,8 @@ No modules.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_ghas_enabled"></a> [ghas\_enabled](#output\_ghas\_enabled) | n/a |
+| <a name="output_community_manager_role_id"></a> [community\_manager\_role\_id](#output\_community\_manager\_role\_id) | The id of the community manager custom role. |
+| <a name="output_contractor_role_id"></a> [contractor\_role\_id](#output\_contractor\_role\_id) | The id of the contractor custom role. |
+| <a name="output_custom_role_ids"></a> [custom\_role\_ids](#output\_custom\_role\_ids) | A map of custom role names to custom role ids. |
+| <a name="output_ghas_enabled"></a> [ghas\_enabled](#output\_ghas\_enabled) | A boolean value indicating if GitHub Advanced Security is enabled for new repositories in the organization. |
+| <a name="output_security_engineer_role_id"></a> [security\_engineer\_role\_id](#output\_security\_engineer\_role\_id) | The id of the security engineer custom role. |

organizations/modules/organization/outputs.tf

@@ -0,0 +1,26 @@
+output "ghas_enabled" {
+  value = github_organization_settings.organization_settings.advanced_security_enabled_for_new_repositories
+  description = "A boolean value indicating if GitHub Advanced Security is enabled for new repositories in the organization."
+}
+
+output "custom_role_ids" {
+  value = {
+    for role in github_organization_custom_role.custom_repository_role : role.name => role.id
+  }
+  description = "A map of custom role names to custom role ids."
+}
+
+output "security_engineer_role_id" {
+  value = length(github_organization_custom_role.security_engineer_role) > 0 ? github_organization_custom_role.security_engineer_role[0].id : null
+  description = "The id of the security engineer custom role."
+}
+
+output "contractor_role_id" {
+  value = length(github_organization_custom_role.contractor_role) > 0 ? github_organization_custom_role.contractor_role[0].id : null
+  description = "The id of the contractor custom role."
+}
+
+output "community_manager_role_id" {
+  value = length(github_organization_custom_role.community_manager_role) > 0 ? github_organization_custom_role.community_manager_role[0].id : null
+  description = "The id of the community manager custom role."
+}

organizations/modules/organization/roles.tf

@@ -0,0 +1,57 @@
+resource "github_organization_custom_role" "custom_repository_role" {
+  for_each    = var.custom_repository_roles
+  name        = each.key
+  description = each.value.description
+  base_role   = each.value.base_role
+  permissions = each.value.permissions
+
+  lifecycle {
+    precondition {
+      condition     = length(var.custom_repository_roles) <= 5 - (var.enable_security_engineer_role ? 1 : 0) - (var.enable_contractor_role ? 1 : 0) - (var.enable_community_manager_role ? 1 : 0)
+      error_message = "To many custom repository roles defined, an orrganization's maximum is 5. This limit is reduced by one for each of the following variables that are set to true: `enable_security_engineer_role`, `enable_contractor_role`, `enable_community_manager_role`."
+    }
+  }
+}
+
+resource "github_organization_custom_role" "security_engineer_role" {
+  count       = var.enable_security_engineer_role ? 1 : 0
+  name        = "Security Engineer"
+  description = "Security Engineers have maintainer permissions and are able to contribute code and maintain the security pipeline."
+  base_role   = "maintain"
+  permissions = [
+    "delete_alerts_code_scanning",
+    "write_code_scanning"
+  ]
+}
+
+resource "github_organization_custom_role" "contractor_role" {
+  count       = var.enable_contractor_role ? 1 : 0
+  name        = "Contractor"
+  description = "Contractors have write permissions and are able to develop webhooks integrations."
+  base_role   = "write"
+  permissions = [
+    "manage_webhooks"
+  ]
+}
+
+resource "github_organization_custom_role" "community_manager_role" {
+  count       = var.enable_community_manager_role ? 1 : 0
+  name        = "Community Manager"
+  description = "Community Managers have read permissions and are able to handle all the community interactions without being able to contribute code."
+  base_role   = "read"
+  permissions = [
+    "mark_as_duplicate",
+    "manage_settings_pages",
+    "manage_settings_wiki",
+    "set_social_preview",
+    "edit_repo_metadata",
+    "edit_discussion_category",
+    "create_discussion_category",
+    "edit_category_on_discussion",
+    "toggle_discussion_answer",
+    "convert_issues_to_discussions",
+    "close_discussion",
+    "reopen_discussion",
+    "delete_discussion_comment"
+  ]
+}

organizations/modules/organization_settings/variables.tf → organizations/modules/organization/variables.tf

@@ -98,4 +98,30 @@ variable "github_organization_location" {
   type        = string
   default     = ""
   description = "Organization location. Defaults to `''`."
-}
+}
+
+variable "enable_security_engineer_role" {
+  type        = bool
+  default     = false
+  description = "If `true` will create a custom repository role for security engineers. Defaults to `false`. If `true` the maximum number of `custom_repository_roles` that can be defined will be reduced by one."
+}
+
+variable "enable_contractor_role" {
+  type        = bool
+  default     = false
+  description = "If `true` will create a custom repository role for contractors. Defaults to `false`. If `true` the maximum number of `custom_repository_roles` that can be defined will be reduced by one."
+}
+
+variable "enable_community_manager_role" {
+  type        = bool
+  default     = false
+  description = "If `true` will create a custom repository role for community managers. Defaults to `false`. If `true` the maximum number of `custom_repository_roles` that can be defined will be reduced by one."
+}
+
+variable "custom_repository_roles" {
+  type = map(object({
+    description = string
+    base_role   = string
+    permissions = list(string)
+  }))
+}

organizations/tools/gh_foundations/cmd/import/import.go

@@ -37,7 +37,7 @@ to quickly create a Cobra application.`,
 		}
 		defer planArchive.Cleanup()
 
-		resources, err := functions.GetAddressesForPlannedResourceCreates(planArchive)
+		resources, err := functions.GetPlannedResourceCreations(planArchive)
 		if err != nil {
 			log.Fatal(err)
 			os.Exit(2)
@@ -46,10 +46,17 @@ to quickly create a Cobra application.`,
 	},
 }
 
-func renderImportUi(archive types.TerragruntPlanArchive, resources []string) {
+func renderImportUi(archive types.TerragruntPlanArchive, resources []types.TerragruntPlanOutputResourceChange) {
+	addressToResourceMap := make(map[string]types.TerragruntPlanOutputResourceChange)
+	resourceAddresses := make([]string, len(resources))
+	for i := range resources {
+		resourceAddresses[i] = resources[i].Address
+		addressToResourceMap[resources[i].Address] = resources[i]
+	}
+
 	l := widgets.NewList()
 	l.Title = "Resources to Import"
-	l.Rows = resources
+	l.Rows = resourceAddresses
 	l.TextStyle = ui.NewStyle(ui.ColorWhite)
 	l.SelectedRowStyle = ui.NewStyle(ui.ColorGreen)
 	l.SelectedRow = 0
@@ -77,6 +84,14 @@ func renderImportUi(archive types.TerragruntPlanArchive, resources []string) {
 				l.SelectedRow = max(l.SelectedRow-1, 0)
 				ui.Render(l)
 			case "<Enter>":
+				idResolver := functions.CreateImportIdResolver(addressToResourceMap[resourceAddresses[l.SelectedRow]])
+				if idResolver != nil {
+					id, err := idResolver.ResolveImportId()
+					if err == nil {
+						t.Text = id
+					}
+					//TODO on error we might want to display something to the user.
+				}
 				showImportIdBox = true
 				ui.Render(t)
 			}
@@ -85,7 +100,7 @@ func renderImportUi(archive types.TerragruntPlanArchive, resources []string) {
 			case "<C-c>":
 				return
 			case "<Enter>":
-				err := functions.RunImportCommand(archive, resources[l.SelectedRow], t.Text)
+				err := functions.RunImportCommand(archive, resourceAddresses[l.SelectedRow], t.Text)
 				if err != nil {
 					log.Fatal(err)
 					os.Exit(2)

organizations/tools/gh_foundations/cmd/root.go

@@ -1,7 +1,6 @@
 package cmd
 
 import (
-	"gh_foundations/cmd/gen"
 	import_cmd "gh_foundations/cmd/import"
 	"os"
 
@@ -43,6 +42,5 @@ func init() {
 	// when this action is called directly.
 	rootCmd.Flags().BoolP("toggle", "t", false, "Help message for toggle")
 
-	rootCmd.AddCommand(gen.GenCmd)
 	rootCmd.AddCommand(import_cmd.ImportCmd)
 }

organizations/tools/gh_foundations/go.mod

@@ -9,19 +9,24 @@ require (
 
 require (
 	github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/gruntwork-io/go-commons v0.17.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/nsf/termbox-go v0.0.0-20190121233118-02980233997d // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/posener/complete v1.2.3 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/stretchr/objx v0.5.0 // indirect
+	github.com/stretchr/testify v1.8.4 // indirect
 	github.com/urfave/cli/v2 v2.25.5 // indirect
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
 require (

organizations/tools/gh_foundations/go.sum

@@ -45,8 +45,13 @@ github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyh
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/urfave/cli/v2 v2.25.5 h1:d0NIAyhh5shGscroL7ek/Ya9QYQE0KNabJgiUinIQkc=