There are many service providers to use with Terraform. GitHub is one of them, and we'll see how to manage the members of an organization, its various teams, and repository access, right from our infrastructure code. That way, the version history of the code doubles as an audit trail of who was granted access to what, and when.
To step through this recipe, you will need the following:
We want to manage a GitHub organization named ACME. Here are the users and their groups:

| GitHub username | GitHub team name | Membership level | Team privacy |
|---|---|---|---|
| John | Documentation | member | closed |
| Jane | Engineering | admin | secret |
Here's the policy we decided on for the Git repository named `infrastructure-repository`:

| GitHub team name | Repository permissions |
|---|---|
| Documentation | pull |
| Engineering | admin |
Let's start by creating a `github` provider, as we used an `aws` provider for AWS in the previous recipes. The documentation lists the requirements: an API token and an organization name:

```hcl
provider "github" {
  token        = "${var.github_token}"
  organization = "${var.github_organization}"
}
```
Set the generic variables in a `variables.tf` file:

```hcl
# Placeholder values only; both are overridden in terraform.tfvars
variable "github_token" {
  default     = "1a2b3c4d5"
  description = "GitHub API Token"
}

variable "github_organization" {
  default     = "ACME Inc."
  description = "GitHub Organization Name"
}
```
Don't forget to override those variables with your own values in the `terraform.tfvars` file.
We want to add the username `john` as a member, and `jane` as an admin, in a file you can name `github.tf` (feel free to split the managed GitHub features into many smaller files as your organization grows):

```hcl
// john is a simple member of the organization
resource "github_membership" "membership_for_john" {
  username = "john"
  role     = "member"
}

// jane is an administrator of the organization
resource "github_membership" "membership_for_jane" {
  username = "jane"
  role     = "admin"
}
```
John and Jane are now part of the GitHub organization (they will receive invitations by e-mail).
Let's create our two teams, technical writers and engineering, with their respective privacy settings:
```hcl
// An engineering team
resource "github_team" "engineering" {
  name        = "Engineering Team"
  description = "Our awesome engineers"
  privacy     = "secret"
}

// A documentation team
resource "github_team" "documentation" {
  name        = "Technical Writers Team"
  description = "Our awesome technical writers"
  privacy     = "closed"
}
```
Add our two members to their respective teams—Jane in engineering, John in documentation:
```hcl
// Jane is a member of the engineering team
resource "github_team_membership" "eng_membership_jane" {
  team_id  = "${github_team.engineering.id}"
  username = "jane"
  role     = "member"
}

// John is a member of the documentation team
resource "github_team_membership" "doc_membership_john" {
  team_id  = "${github_team.documentation.id}"
  username = "john"
  role     = "member"
}
```
The policy we've set is that members of the engineering group are admins of the repository, while technical writers can only pull the code:
```hcl
// technical writers can pull the repo
resource "github_team_repository" "infrastructure_doc" {
  team_id    = "${github_team.documentation.id}"
  repository = "infrastructure-repository"
  permission = "pull"
}

// engineers are admin on the repo
resource "github_team_repository" "infrastructure_eng" {
  team_id    = "${github_team.engineering.id}"
  repository = "infrastructure-repository"
  permission = "admin"
}
```
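The whole recipe again as a single data-driven configuration, added here as an example and not taken from the book: the two tables above become two maps, so granting someone access means adding one map entry that shows up in the Git history. It uses Terraform 0.14 or later syntax (`for_each`, `var.x` references, `sensitive`), keeps the team, user and repository names from the recipe, and the short labels `documentation` and `engineering` used as map keys are an assumption of this example. Unlike the `variables.tf` above, the token variable has no default, so it cannot be committed by accident.

```hcl
# Added example (not the recipe's own code): the ACME organization expressed
# as data plus four for_each resources, Terraform 0.14+ syntax.

variable "github_token" {
  description = "GitHub API token; supply it via TF_VAR_github_token or a git-ignored terraform.tfvars"
  type        = string
  sensitive   = true # redacted from plan/apply output; it still lands in the state file, so protect state too
}

variable "github_organization" {
  description = "GitHub organization name"
  type        = string
  default     = "ACME"
}

provider "github" {
  token        = var.github_token
  organization = var.github_organization # current provider releases name this argument "owner"
}

locals {
  # First table: team name and privacy; second table: repository permission
  teams = {
    documentation = { name = "Technical Writers Team", privacy = "closed", permission = "pull" }
    engineering   = { name = "Engineering Team", privacy = "secret", permission = "admin" }
  }
  # First table: organization role and team of each user (labels are the keys of local.teams)
  members = {
    john = { role = "member", team = "documentation" }
    jane = { role = "admin", team = "engineering" }
  }
}

# Organization membership, one resource instance per user
resource "github_membership" "member" {
  for_each = local.members
  username = each.key
  role     = each.value.role
}

# Teams with their privacy setting
resource "github_team" "team" {
  for_each = local.teams
  name     = each.value.name
  privacy  = each.value.privacy
}

# Team membership: each user joins the team named in the members map
resource "github_team_membership" "member" {
  for_each   = local.members
  team_id    = github_team.team[each.value.team].id
  username   = each.key
  role       = "member"
  depends_on = [github_membership.member] # organization membership first, then team membership
}

# Repository permission per team, read from the teams map
resource "github_team_repository" "infrastructure" {
  for_each   = local.teams
  team_id    = github_team.team[each.key].id
  repository = "infrastructure-repository"
  permission = each.value.permission
}
```

Run it with the token in the environment (`export TF_VAR_github_token=...` before `terraform plan`) rather than in any `.tf` file; `terraform plan` then shows every change to a role, team or repository permission as a reviewable diff before it is applied, which is the audit trail this recipe is after.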
You've just set the essentials to manage your GitHub organization right from Terraform!