chore: repo init

Signed-off-by: Mateusz Urbanek <[email protected]>

.editorconfig

@@ -0,0 +1,13 @@
+# EditorConfig helps developers define and maintain consistent
+# coding styles between different editors and IDEs
+# editorconfig.org
+
+root = true
+
+[*]
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+indent_style = space
+indent_size = 2

.github/workflows/linters.yaml

@@ -0,0 +1,23 @@
+name: linters
+
+on:
+  pull_request:
+    branches: [ '*' ]
+
+permissions:
+  contents: read
+
+jobs:
+  tf-linters:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: opentofu/setup-opentofu@v1
+      - run: |
+          tofu fmt -check -diff -recursive .
+
+  shell-linter:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ludeeus/action-shellcheck@master

.github/workflows/semantic-pr.yaml

@@ -0,0 +1,23 @@
+name: semantic-pr
+
+on:
+  pull_request_target:
+    types:
+    - opened
+    - reopened
+    - edited
+    - synchronize
+
+permissions:
+  pull-requests: read
+
+jobs:
+  pr-title:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: amannn/action-semantic-pull-request@v5
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        requireScope: true
+        subjectPattern: ^(?![A-Z]).+$

.github/workflows/tofu.yaml

@@ -0,0 +1,30 @@
+name: tofu
+
+on:
+  push:
+    branches:
+      - "main"
+  schedule:
+    - cron: "0 4 * * *"
+
+concurrency:
+  group: ${{ github.workflow }}
+
+jobs:
+  org:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: opentofu/setup-opentofu@v1
+      - uses: bitwarden/sm-action@v2
+        with:
+          access_token: ${{ secrets.BW_ACCESS_TOKEN }}
+          base_url: https://vault.bitwarden.com
+          secrets: |
+            b7d22a8b-8185-4d62-8bf6-b1d400b87552 > PG_CONN_STR
+            a288b2ae-a336-4425-9b07-b1f100cd05ec > TF_VAR_gh_token
+      - run: |
+          tofu init -upgrade
+      - run: |
+          GITHUB_TOKEN="${TF_VAR_gh_token}" tofu \
+            apply -auto-approve -input=false -lock=true -no-color

.gitignore

@@ -0,0 +1,40 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+# MacOS attributes files
+.DS_Store
+
+# Brew bundle lock
+Brewfile.lock.json

Brewfile

@@ -0,0 +1 @@
+brew "opentofu"

README.md

@@ -0,0 +1,3 @@
+# Organization management
+
+Managing organization with GitOps via OpenTofu!

members.tf

@@ -0,0 +1,26 @@
+module "shanduur" {
+  source   = "./modules/member"
+  username = "shanduur"
+  role     = "admin"
+}
+
+module "shanduur_auto" {
+  source   = "./modules/member"
+  username = "shanduur-auto"
+  role     = "admin"
+}
+
+module "niesmaczne" {
+  source   = "./modules/member"
+  username = "niesmaczne"
+}
+
+module "team_core" {
+  source = "./modules/team"
+  name   = "core"
+  members = [
+    { username = module.shanduur.username, role = "maintainer" },
+    { username = module.shanduur_auto.username, role = "maintainer" },
+    { username = module.niesmaczne.username },
+  ]
+}

modules/member/main.tf

@@ -0,0 +1,4 @@
+resource "github_membership" "member" {
+  username = var.username
+  role     = var.role
+}

modules/member/outputs.tf

@@ -0,0 +1,3 @@
+output "username" {
+  value = github_membership.member.username
+}

modules/member/providers.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    github = {}
+  }
+}
+
+provider "github" {
+  owner = "anza-labs"
+}

modules/member/variables.tf

@@ -0,0 +1,9 @@
+variable "username" {
+  type = string
+}
+
+variable "role" {
+  type        = string
+  description = "Role assigned to the user"
+  default     = "member"
+}

modules/repository/main.tf

@@ -0,0 +1,78 @@
+resource "github_repository" "repo" {
+  name         = var.name
+  description  = var.description
+  visibility   = var.is_public ? "public" : "private"
+  archived     = var.archived
+  topics       = var.topics
+  homepage_url = var.homepage_url
+
+  archive_on_destroy = true
+  has_discussions    = false
+  has_issues         = true
+  has_wiki           = false
+  has_projects       = true
+
+  allow_update_branch         = true
+  allow_auto_merge            = true
+  allow_squash_merge          = true
+  allow_merge_commit          = false
+  allow_rebase_merge          = false
+  delete_branch_on_merge      = true
+  web_commit_signoff_required = true
+
+  squash_merge_commit_title   = "PR_TITLE"
+  squash_merge_commit_message = "PR_BODY"
+
+  dynamic "pages" {
+    for_each = var.enable_pages ? [1] : []
+    content {
+      source {
+        branch = "gh-pages"
+        path   = "/"
+      }
+    }
+  }
+}
+
+resource "github_issue_labels" "labels" {
+  repository = github_repository.repo.name
+
+  dynamic "label" {
+    for_each = var.labels
+    content {
+      name        = label.value.name
+      description = label.value.description
+      color       = label.value.color
+    }
+  }
+}
+
+resource "github_branch_protection_v3" "protection" {
+  count      = var.is_public ? 1 : 0
+  repository = github_repository.repo.name
+  branch     = "main"
+
+  enforce_admins                  = false
+  require_signed_commits          = true
+  require_conversation_resolution = true
+
+  required_status_checks {
+    strict = true
+    checks = var.required_status_checks
+  }
+
+  required_pull_request_reviews {
+    required_approving_review_count = 1
+    dismiss_stale_reviews           = true
+    require_code_owner_reviews      = false
+    require_last_push_approval      = false
+  }
+}
+
+resource "github_repository_milestone" "milestone" {
+  for_each = var.milestones
+
+  owner      = "anza-labs"
+  repository = github_repository.repo.name
+  title      = each.value
+}

modules/repository/providers.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    github = {}
+  }
+}
+
+provider "github" {
+  owner = "anza-labs"
+}