feat(repository-environment): support reviewers and deployment policy

Author: posquit0

modules/repository-environment/README.md

@@ -32,6 +32,10 @@ No modules.
 | [github_actions_environment_secret.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret) | resource |
 | [github_actions_environment_variable.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_variable) | resource |
 | [github_repository_environment.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_environment) | resource |
+| [github_repository_environment_deployment_policy.branch](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_environment_deployment_policy) | resource |
+| [github_repository_environment_deployment_policy.tag](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_environment_deployment_policy) | resource |
+| [github_team.this](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/team) | data source |
+| [github_user.this](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/user) | data source |
 
 ## Inputs
 
@@ -41,6 +45,8 @@ No modules.
 | <a name="input_repository"></a> [repository](#input\_repository) | (Required) The repository name which the environment belongs to. | `string` | n/a | yes |
 | <a name="input_allow_admin_to_bypass"></a> [allow\_admin\_to\_bypass](#input\_allow\_admin\_to\_bypass) | (Optional) Whether to allow admins to bypass the wait timer and deployment review. The default value is `true`. | `bool` | `true` | no |
 | <a name="input_allows_self_approval"></a> [allows\_self\_approval](#input\_allows\_self\_approval) | (Optional) Whether to allow users to approve their own deployment. The default value is `false`. | `bool` | `false` | no |
+| <a name="input_deployment_policy"></a> [deployment\_policy](#input\_deployment\_policy) | (Optional) A configuration for deployment policy. `deployment_policy` block as defined below.<br/>    (Optional) `restriction` - The type of deployment restriction. Valid values are `NONE`, `PROTECTED_BRANCH`, or `CUSTOM`. Defaults to `NONE`.<br/>    (Optional) `branches` - A set of branch name patterns to restrict deployments to when the restriction type is `CUSTOM`.<br/>    (Optional) `tags` - A set of tag name patterns to restrict deployments to when the restriction type is `CUSTOM`. | <pre>object({<br/>    restriction = optional(string, "NONE")<br/>    branches    = optional(set(string), [])<br/>    tags        = optional(set(string), [])<br/>  })</pre> | `{}` | no |
+| <a name="input_reviewers"></a> [reviewers](#input\_reviewers) | (Optional) A list of reviewers who may review jobs that reference the environment. Up to 6 reviewers can be added to an environment. Each item of `reviewers` block as defined below.<br/>    (Required) `type` - The type of the reviewer. Valid values are `USER` or `TEAM`.<br/>    (Required) `name` - The username of the reviewer if the type is `USER`, or the team slug if the type is `TEAM`. | <pre>list(object({<br/>    type = string<br/>    name = string<br/>  }))</pre> | `[]` | no |
 | <a name="input_secrets"></a> [secrets](#input\_secrets) | (Optional) A map of GitHub Actions secrets to set for the environment. Currently, all values will be ignored and treated as placeholders. You should mange the secrets manually in GitHub after the environment is created. Defaults to `{}`. | `map(string)` | `{}` | no |
 | <a name="input_variables"></a> [variables](#input\_variables) | (Optional) A map of GitHub Actions variables to set for the environment. Defaults to `{}`. | `map(string)` | `{}` | no |
 | <a name="input_wait_timer"></a> [wait\_timer](#input\_wait\_timer) | (Optional) The amount of time in minutes to wait before allowing deployments to proceed. The default value is `0`. | `number` | `0` | no |
@@ -51,8 +57,10 @@ No modules.
 |------|-------------|
 | <a name="output_allow_admin_to_bypass"></a> [allow\_admin\_to\_bypass](#output\_allow\_admin\_to\_bypass) | Whether to allow admins to bypass the wait timer and deployment review. |
 | <a name="output_allows_self_approval"></a> [allows\_self\_approval](#output\_allows\_self\_approval) | Whether to allow users to approve their own deployment. |
+| <a name="output_deployment_policy"></a> [deployment\_policy](#output\_deployment\_policy) | The configuration for deployment policy of the environment. |
 | <a name="output_name"></a> [name](#output\_name) | The name of the environment. |
 | <a name="output_repository"></a> [repository](#output\_repository) | The repository name which the environment belongs to. |
+| <a name="output_reviewers"></a> [reviewers](#output\_reviewers) | A list of reviewers who may review jobs that reference the environment. |
 | <a name="output_secrets"></a> [secrets](#output\_secrets) | A map of GitHub Actions secrets set for the environment. Currently, all values will be placeholders and you should manage the secrets manually in GitHub after the environment is created. |
 | <a name="output_variables"></a> [variables](#output\_variables) | A map of GitHub Actions variables set for the environment. |
 | <a name="output_wait_timer"></a> [wait\_timer](#output\_wait\_timer) | The amount of time in minutes to wait before allowing deployments to proceed. |

modules/repository-environment/main.tf

@@ -1,3 +1,24 @@
+data "github_team" "this" {
+  for_each = toset([
+    for reviewer in var.reviewers :
+    reviewer.name
+    if reviewer.type == "TEAM"
+  ])
+
+  slug = each.value
+}
+
+data "github_user" "this" {
+  for_each = toset([
+    for reviewer in var.reviewers :
+    reviewer.name
+    if reviewer.type == "USER"
+  ])
+
+  username = each.value
+}
+
+
 ###################################################
 # Environment of GitHub Repository
 ###################################################
@@ -10,6 +31,45 @@ resource "github_repository_environment" "this" {
   wait_timer          = var.wait_timer
   can_admins_bypass   = var.allow_admin_to_bypass
   prevent_self_review = !var.allows_self_approval
+
+  reviewers {
+    teams = values(data.github_team.this)[*].id
+    users = values(data.github_user.this)[*].id
+  }
+
+  deployment_branch_policy {
+    protected_branches     = var.deployment_policy.restriction == "PROTECTED_BRANCHES"
+    custom_branch_policies = var.deployment_policy.restriction == "CUSTOM"
+  }
+}
+
+
+###################################################
+# Deployment Policy for Repository Environment
+###################################################
+
+resource "github_repository_environment_deployment_policy" "branch" {
+  for_each = (var.deployment_policy.restriction == "CUSTOM"
+    ? var.deployment_policy.branches
+    : []
+  )
+
+  repository  = var.repository
+  environment = github_repository_environment.this.environment
+
+  branch_pattern = each.value
+}
+
+resource "github_repository_environment_deployment_policy" "tag" {
+  for_each = (var.deployment_policy.restriction == "CUSTOM"
+    ? var.deployment_policy.tags
+    : []
+  )
+
+  repository  = var.repository
+  environment = github_repository_environment.this.environment
+
+  tag_pattern = each.value
 }
 
 

modules/repository-environment/outputs.tf

@@ -23,6 +23,33 @@ output "allows_self_approval" {
   value       = !github_repository_environment.this.prevent_self_review
 }
 
+output "reviewers" {
+  description = "A list of reviewers who may review jobs that reference the environment."
+  value = concat(
+    [
+      for team in data.github_team.this :
+      {
+        type = "TEAM"
+        id   = team.id
+        name = team.slug
+      }
+    ],
+    [
+      for user in data.github_user.this :
+      {
+        type = "USER"
+        id   = user.id
+        name = user.username
+      }
+    ]
+  )
+}
+
+output "deployment_policy" {
+  description = "The configuration for deployment policy of the environment."
+  value       = var.deployment_policy
+}
+
 output "variables" {
   description = "A map of GitHub Actions variables set for the environment."
   value = {

modules/repository-environment/variables.tf

@@ -31,6 +31,53 @@ variable "allows_self_approval" {
   nullable    = false
 }
 
+variable "reviewers" {
+  description = <<EOF
+  (Optional) A list of reviewers who may review jobs that reference the environment. Up to 6 reviewers can be added to an environment. Each item of `reviewers` block as defined below.
+    (Required) `type` - The type of the reviewer. Valid values are `USER` or `TEAM`.
+    (Required) `name` - The username of the reviewer if the type is `USER`, or the team slug if the type is `TEAM`.
+  EOF
+  type = list(object({
+    type = string
+    name = string
+  }))
+  default  = []
+  nullable = false
+
+  validation {
+    condition = alltrue([
+      for reviewer in var.reviewers :
+      contains(["USER", "TEAM"], reviewer.type)
+    ])
+    error_message = "Valid values for `type` are `USER` or `TEAM`."
+  }
+  validation {
+    condition     = length(var.reviewers) <= 6
+    error_message = "Up to 6 reviewers can be added to an environment."
+  }
+}
+
+variable "deployment_policy" {
+  description = <<EOF
+  (Optional) A configuration for deployment policy. `deployment_policy` block as defined below.
+    (Optional) `restriction` - The type of deployment restriction. Valid values are `NONE`, `PROTECTED_BRANCH`, or `CUSTOM`. Defaults to `NONE`.
+    (Optional) `branches` - A set of branch name patterns to restrict deployments to when the restriction type is `CUSTOM`.
+    (Optional) `tags` - A set of tag name patterns to restrict deployments to when the restriction type is `CUSTOM`.
+  EOF
+  type = object({
+    restriction = optional(string, "NONE")
+    branches    = optional(set(string), [])
+    tags        = optional(set(string), [])
+  })
+  default  = {}
+  nullable = false
+
+  validation {
+    condition     = contains(["NONE", "PROTECTED_BRANCH", "CUSTOM"], var.deployment_policy.restriction)
+    error_message = "Valid values for `restriction` are `NONE`, `PROTECTED_BRANCH`, or `CUSTOM`."
+  }
+}
+
 variable "variables" {
   description = "(Optional) A map of GitHub Actions variables to set for the environment. Defaults to `{}`."
   type        = map(string)

modules/repository/README.md

@@ -64,7 +64,7 @@ This module creates following resources.
 | <a name="input_delete_branch_on_merge"></a> [delete\_branch\_on\_merge](#input\_delete\_branch\_on\_merge) | (Optional) Automatically delete head branch after a pull request is merged. Defaults to `true`. | `bool` | `true` | no |
 | <a name="input_deploy_keys"></a> [deploy\_keys](#input\_deploy\_keys) | (Optional) A list of deploy keys to grant access to the repository. A deploy key is a SSH key. Each item of `deploy_keys` block as defined below.<br/>    (Optional) `name` - A name of deploy key.<br/>    (Required) `key` - A SSH key. Begins with 'ssh-rsa', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521', 'ssh-ed25519', 'sk-ecdsa-sha2-nistp256@openssh.com', or 'sk-ssh-ed25519@openssh.com'.<br/>    (Optional) `writable` - Whether to allow write access to the repository. The key can be used to push to the repository if enabled. Defaults to `false`. | <pre>list(object({<br/>    name     = optional(string)<br/>    key      = string<br/>    writable = optional(bool, false)<br/>  }))</pre> | `[]` | no |
 | <a name="input_description"></a> [description](#input\_description) | (Optional) A description of the repository. | `string` | `"Managed by Terraform."` | no |
-| <a name="input_environments"></a> [environments](#input\_environments) | (Optional) A list of environments for the repository. Each item of `environments` block as defined below.<br/>    (Required) `name` - The name of the environment.<br/>    (Optional) `wait_timer` - The amount of time in minutes to wait before allowing deployments to proceed. The default value is `0`.<br/>    (Optional) `allow_admin_to_bypass` - Whether to allow admins to bypass the wait timer and deployment review. The default value is `true`.<br/>    (Optional) `allows_self_approval` - Whether to allow users to approve their own deployment. The default value is `false`.<br/>    (Optional) `variables` - A map of GitHub Actions variables to set for the environment. Defaults to `{}`.<br/>    (Optional) `secrets` - A map of GitHub Actions secrets to set for the environment. Defaults to `{}`. | <pre>list(object({<br/>    name                  = string<br/>    wait_timer            = optional(number, 0)<br/>    allow_admin_to_bypass = optional(bool, true)<br/>    allows_self_approval  = optional(bool, false)<br/><br/>    variables = optional(map(string), {})<br/>    secrets   = optional(map(string), {})<br/>  }))</pre> | `[]` | no |
+| <a name="input_environments"></a> [environments](#input\_environments) | (Optional) A list of environments for the repository. Each item of `environments` block as defined below.<br/>    (Required) `name` - The name of the environment.<br/>    (Optional) `wait_timer` - The amount of time in minutes to wait before allowing deployments to proceed. The default value is `0`.<br/>    (Optional) `allow_admin_to_bypass` - Whether to allow admins to bypass the wait timer and deployment review. The default value is `true`.<br/>    (Optional) `allows_self_approval` - Whether to allow users to approve their own deployment. The default value is `false`.<br/>    (Optional) `reviewers` - A list of reviewers who may review jobs that reference the environment. Each item of `reviewers` block as defined below.<br/>      (Required) `type` - The type of the reviewer. Valid values are `USER` or `TEAM`.<br/>      (Required) `name` - The name of the reviewer. For a user reviewer, the value should be the user's username. For a team reviewer, the value should be the team's slug.<br/>    (Optional) `deployment_policy` - A configuration for deployment policy of the environment. `deployment_policy` block as defined below.<br/>      (Optional) `restriction` - The type of deployment restriction. Valid values are `NONE`, `PROTECTED_BRANCH`, or `CUSTOM`. Defaults to `NONE`.<br/>      (Optional) `branches` - A set of branch name patterns to restrict deployments to when the restriction type is `CUSTOM`.<br/>      (Optional) `tags` - A set of tag name patterns to restrict deployments to when the restriction type is `CUSTOM`.<br/>    (Optional) `variables` - A map of GitHub Actions variables to set for the environment. Defaults to `{}`.<br/>    (Optional) `secrets` - A map of GitHub Actions secrets to set for the environment. Defaults to `{}`. | <pre>list(object({<br/>    name                  = string<br/>    wait_timer            = optional(number, 0)<br/>    allow_admin_to_bypass = optional(bool, true)<br/>    allows_self_approval  = optional(bool, false)<br/><br/>    reviewers = optional(list(object({<br/>      type = string<br/>      name = string<br/>    })), [])<br/>    deployment_policy = optional(object({<br/>      restriction = optional(string, "NONE")<br/>      branches    = optional(set(string), [])<br/>      tags        = optional(set(string), [])<br/>    }), {})<br/><br/>    variables = optional(map(string), {})<br/>    secrets   = optional(map(string), {})<br/>  }))</pre> | `[]` | no |
 | <a name="input_features"></a> [features](#input\_features) | (Optional) A list of enabled features on the repository. Available features: `DISCUSSIONS`, `ISSUES`, `PROJECTS`, `WIKI`. Defaults to `["ISSUES"]` | `set(string)` | <pre>[<br/>  "ISSUES"<br/>]</pre> | no |
 | <a name="input_files"></a> [files](#input\_files) | (Optional) A list of files to create and manage within the repository. Each item of `files` block as defined below.<br/>    (Required) `file` - A `file` block as defined below.<br/>      (Required) `path` - The path of the file to manage.<br/>      (Required) `content` - The file content.<br/>    (Optional) `commit` - A `commit` block as defined below.<br/>      (Optional) `author` - Committer author name to use. NOTE: GitHub app users may omit author and email information so GitHub can verify commits as the GitHub App. This maybe useful when a branch protection rule requires signed commits.<br/>      (Optional) `email` - Committer email address to use. NOTE: GitHub app users may omit author and email information so GitHub can verify commits as the GitHub App. This may be useful when a branch protection rule requires signed commits.<br/>      (Optional) `message` - The commit message when creating, updating or deleting the managed file. Defaults to `chore: managed by Terraform.`.<br/>    (Optional) `overwrite_on_create` - Enable overwriting existing files. If set to true it will overwrite an existing file with the same name. If set to false it will fail if there is an existing file with the same name. Defaults to `true`. | <pre>list(object({<br/>    file = object({<br/>      path    = string<br/>      content = string<br/>    })<br/>    commit = optional(object({<br/>      author  = optional(string)<br/>      email   = optional(string)<br/>      message = optional(string, "chore: managed by Terraform.")<br/>    }), {})<br/>    overwrite_on_create = optional(bool, true)<br/>  }))</pre> | `[]` | no |
 | <a name="input_homepage"></a> [homepage](#input\_homepage) | (Optional) A URL of website describing the repository. | `string` | `""` | no |

modules/repository/actions.tf

@@ -18,6 +18,19 @@ module "environment" {
   allow_admin_to_bypass = each.value.allow_admin_to_bypass
   allows_self_approval  = each.value.allows_self_approval
 
+  reviewers = [
+    for reviewer in each.value.reviewers :
+    {
+      type = reviewer.type
+      name = reviewer.name
+    }
+  ]
+  deployment_policy = {
+    restriction = each.value.deployment_policy.restriction
+    branches    = each.value.deployment_policy.branches
+    tags        = each.value.deployment_policy.tags
+  }
+
 
   ## Variables & Secrets
   variables = each.value.variables

modules/repository/variables.tf

@@ -271,6 +271,13 @@ variable "environments" {
     (Optional) `wait_timer` - The amount of time in minutes to wait before allowing deployments to proceed. The default value is `0`.
     (Optional) `allow_admin_to_bypass` - Whether to allow admins to bypass the wait timer and deployment review. The default value is `true`.
     (Optional) `allows_self_approval` - Whether to allow users to approve their own deployment. The default value is `false`.
+    (Optional) `reviewers` - A list of reviewers who may review jobs that reference the environment. Each item of `reviewers` block as defined below.
+      (Required) `type` - The type of the reviewer. Valid values are `USER` or `TEAM`.
+      (Required) `name` - The name of the reviewer. For a user reviewer, the value should be the user's username. For a team reviewer, the value should be the team's slug.
+    (Optional) `deployment_policy` - A configuration for deployment policy of the environment. `deployment_policy` block as defined below.
+      (Optional) `restriction` - The type of deployment restriction. Valid values are `NONE`, `PROTECTED_BRANCH`, or `CUSTOM`. Defaults to `NONE`.
+      (Optional) `branches` - A set of branch name patterns to restrict deployments to when the restriction type is `CUSTOM`.
+      (Optional) `tags` - A set of tag name patterns to restrict deployments to when the restriction type is `CUSTOM`.
     (Optional) `variables` - A map of GitHub Actions variables to set for the environment. Defaults to `{}`.
     (Optional) `secrets` - A map of GitHub Actions secrets to set for the environment. Defaults to `{}`.
   EOF
@@ -280,6 +287,16 @@ variable "environments" {
     allow_admin_to_bypass = optional(bool, true)
     allows_self_approval  = optional(bool, false)
 
+    reviewers = optional(list(object({
+      type = string
+      name = string
+    })), [])
+    deployment_policy = optional(object({
+      restriction = optional(string, "NONE")
+      branches    = optional(set(string), [])
+      tags        = optional(set(string), [])
+    }), {})
+
     variables = optional(map(string), {})
     secrets   = optional(map(string), {})
   }))