Managing GitHub with Terraform

Terraform works with many service providers. GitHub is one of them, and we'll see how to manage the members of an organization and its teams, and how to control repository access, right from our infrastructure code. That way, we have an automatic history log of who accesses what.

Getting ready

To step through this recipe, you will need the following:

  • A working Terraform installation
  • A GitHub account (with an API token)
  • An Internet connection

How to do it…

We want to manage a GitHub organization named ACME. Here are the users and their groups:

GitHub username   GitHub team name   Membership level   Team privacy
John              Documentation      member             closed
Jane              Engineering        admin              secret

Here's the policy we decided on for the Git repository named infrastructure-repository:

GitHub team name   Repository permissions
Documentation      pull
Engineering        admin

Configuring GitHub

Let's start by configuring the github provider, just as we used the aws provider for AWS in the previous recipes. The documentation lists the requirements: an API token and an organization name:

provider "github" {
  token        = "${var.github_token}"
  organization = "${var.github_organization}"
}

Set the generic variables in a variables.tf file:

variable "github_token" {
  default = "1a2b3c4d5"
  description = "GitHub API Token"
}

variable "github_organization" {
  default = "ACME Inc."
  description = "GitHub Organization Name"
}

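Don't forget to override those variables with your own values in the terraform.tfvars file. The API token is a secret, so keep that file out of version control, or supply the token through the TF_VAR_github_token environment variable instead.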

Adding users to the GitHub organization

We want to add the username john as a member, and jane as an admin, in a file you can name github.tf (feel free to split the managed GitHub features into several smaller files as your organization grows):

// john is a simple member of the organization
resource "github_membership" "membership_for_john" {
  username = "john"
  role     = "member"
}

// jane is an administrator of the organization
resource "github_membership" "membership_for_jane" {
  username = "jane"
  role     = "admin"
}

John and Jane are now part of the GitHub organization (they will receive invitations by e-mail).

Adding GitHub teams

Let's create our two teams, technical writers and engineering, with their respective privacy settings:

// An engineering team
resource "github_team" "engineering" {
  name        = "Engineering Team"
  description = "Our awesome engineers"
  privacy     = "secret"
}

// A documentation team
resource "github_team" "documentation" {
  name        = "Technical Writers Team"
  description = "Our awesome technical writers"
  privacy     = "closed"
}

Add our two members to their respective teams—Jane in engineering, John in documentation:

// Jane is a member of the engineering team
resource "github_team_membership" "eng_membership_jane" {
  team_id  = "${github_team.engineering.id}"
  username = "jane"
  role     = "member"
}

// John is a member of the documentation team
resource "github_team_membership" "doc_membership_john" {
  team_id  = "${github_team.documentation.id}"
  username = "john"
  role     = "member"
}

Setting Git repository access rights

The policy we've set is that members of the engineering group are admins of the repository, while technical writers can only pull the code:

// technical writers can pull the repo
resource "github_team_repository" "infrastructure_doc" {
  team_id    = "${github_team.documentation.id}"
  repository = "infrastructure-repository"
  permission = "pull"
}

// engineers are admin on the repo
resource "github_team_repository" "infrastructure_eng" {
  team_id    = "${github_team.engineering.id}"
  repository = "infrastructure-repository"
  permission = "admin"
}

You've just set the essentials to manage your GitHub organization right from Terraform!
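
The policy tables above can also be checked at review time, before a change is applied. The following is an added example, not code from the book: a Python check that reads a plan exported with terraform show -json and flags repository grants or organization admin promotions that deviate from the recipe's policy. The policy dictionaries, the function name and the sample plan are constructed for illustration.

```python
import json

# Policy from the recipe's tables, keyed by the resource addresses in github.tf.
REPO_POLICY = {
    "github_team_repository.infrastructure_doc": "pull",
    "github_team_repository.infrastructure_eng": "admin",
}
ORG_ADMINS = {"jane"}  # the only organization admin in the recipe


def audit_plan(plan):
    """Return findings for a parsed `terraform show -json` plan document."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if after is None:  # resource is being deleted, nothing is granted
            continue
        addr = rc["address"]
        if rc["type"] == "github_team_repository":
            expected = REPO_POLICY.get(addr)
            got = after.get("permission")
            if expected is None:
                findings.append(f"{addr}: grant not in policy ({got})")
            elif got != expected:
                findings.append(f"{addr}: permission {got}, policy says {expected}")
        elif rc["type"] == "github_membership":
            user = after.get("username")
            if after.get("role") == "admin" and user not in ORG_ADMINS:
                findings.append(f"{addr}: {user} would become organization admin")
    return findings


# Constructed sample plan (not real output): the documentation team is raised
# to push, and john is promoted to organization admin.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
 {"address": "github_team_repository.infrastructure_doc", "type": "github_team_repository",
  "change": {"actions": ["update"], "after": {"permission": "push"}}},
 {"address": "github_team_repository.infrastructure_eng", "type": "github_team_repository",
  "change": {"actions": ["no-op"], "after": {"permission": "admin"}}},
 {"address": "github_membership.membership_for_john", "type": "github_membership",
  "change": {"actions": ["update"], "after": {"username": "john", "role": "admin"}}}
]}
""")

if __name__ == "__main__":
    for finding in audit_plan(SAMPLE_PLAN):
        print("FINDING:", finding)
```

Run as a CI step on the saved plan, a non-empty result is a reason to block the merge until someone with authority over the organization has reviewed the change.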
