feat(teams): allow multiple team associations

* feat(teams): allow assigning multiple teams, given a permission * feat(dev): switch to just from make * docs: update README * docs: update README * docs(teams): update description of var.teams * fix(teams): update default for var.teams to {} instead of null * feat(ci): move check to just for local testing, use in ci * fix(teams): use count.index to find the correct team id
ALT-F4-LLC · Jan 5, 2024 · 2f65ea6 · 2f65ea6
1 parent b241234
commit 2f65ea6
Show file tree

Hide file tree

Showing 7 changed files with 36 additions and 13 deletions.
diff --git a/.github/workflows/flake.yaml b/.github/workflows/flake.yaml
@@ -14,4 +14,4 @@ jobs:
  - uses: DeterminateSystems/nix-installer-action@v4
  - uses: DeterminateSystems/magic-nix-cache-action@v2
  - run: nix flake check
- - run: nix build --json --no-link --print-build-logs
+ - run: nix develop -c just check
diff --git a/README.md b/README.md
@@ -46,7 +46,7 @@ No modules.
 | <a name="input_name"></a> [name](#input\_name) | The name of the repository | `string` | n/a | yes |
 | <a name="input_owner"></a> [owner](#input\_owner) | The name of the repository | `string` | n/a | yes |
 | <a name="input_required_status_checks_contexts"></a> [required\_status\_checks\_contexts](#input\_required\_status\_checks\_contexts) | The list of status checks to require in order to merge into this branch | `list(string)` | `[]` | no |
-| <a name="input_team_slug"></a> [team\_slug](#input\_team\_slug) | The slug of the team to grant access to | `string` | `null` | no |
+| <a name="input_teams"></a> [teams](#input\_teams) | The teams to grant access to, and their permission levels | `map(string)` | `{}` | no |
 | <a name="input_topics"></a> [topics](#input\_topics) | The topics of the repository | `list(string)` | `[]` | no |
 | <a name="input_visibility"></a> [visibility](#input\_visibility) | The visibility of the repository | `string` | `"private"` | no |
 | <a name="input_vulnerability_alerts"></a> [vulnerability\_alerts](#input\_vulnerability\_alerts) | Whether the repository has vulnerability alerts enabled | `bool` | `false` | no |
@@ -63,4 +63,4 @@ No modules.
 | <a name="output_repo_id"></a> [repo\_id](#output\_repo\_id) | The ID of the repository. |
 | <a name="output_ssh_clone_url"></a> [ssh\_clone\_url](#output\_ssh\_clone\_url) | The SSH URL of the repository. |
 | <a name="output_svn_url"></a> [svn\_url](#output\_svn\_url) | The SVN URL of the repository. |
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->
diff --git a/data.tf b/data.tf
@@ -1,5 +1,5 @@
 data "github_team" "self" {
- count = var.team_slug != null ? 1 : 0
+ count = length(keys(var.teams))
 
- slug = var.team_slug
+ slug = keys(var.teams)[count.index]
 }
diff --git a/flake.nix b/flake.nix
@@ -8,6 +8,7 @@
  systems = [ "x86_64-linux" "aarch64-darwin" "x86_64-darwin" ];
  perSystem = { config, self', inputs', pkgs, system, ... }:
  let
+ inherit (pkgs) just terraform terraform-docs;
  terraform-github = pkgs.terraform-providers.mkProvider {
  homepage = "https://registry.terraform.io/providers/integrations/github";
  owner = "integrations";
@@ -42,7 +43,8 @@
 
  devShells = {
  default = pkgs.mkShell {
- buildInputs = with pkgs; [
+ buildInputs = [
+ just
  terraform
  terraform-docs
  ];

diff --git a/makefile → justfile b/makefile → justfile
@@ -1,3 +1,6 @@
+check:
+ nix build --json --no-link --print-build-logs
+
 docs:
  terraform-docs markdown table \
  --output-file README.md \

diff --git a/main.tf b/main.tf
@@ -1,9 +1,9 @@
 resource "github_team_repository" "self" {
- count = var.team_slug != null ? 1 : 0
+ count = length(keys(var.teams))
 
- permission = "admin"
+ permission = var.teams[keys(var.teams)[count.index]]
  repository = github_repository.self.name
- team_id = data.github_team.self[0].id
+ team_id = data.github_team.self[count.index].id
 }
 
 resource "github_repository" "self" {

diff --git a/variables.tf b/variables.tf
@@ -85,10 +85,28 @@ variable "required_status_checks_contexts" {
  type = list(string)
 }
 
-variable "team_slug" {
- default = null
- description = "The slug of the team to grant access to"
- type = string
+variable "teams" {
+ default = {}
+ description = "The teams to grant access to, and their permission levels"
+ type = map(string)
+
+ validation {
+ condition = alltrue([
+ for value in var.teams : contains(
+ [
+ // https://registry.terraform.io/providers/integrations/github/latest/docs/resources/team_repository#permission
+ "pull",
+ "triage",
+ "push",
+ "maintain",
+ "admin"
+ ],
+ value
+ )
+ ])
+
+ error_message = "Team permissions must be one of 'pull', 'triage', 'push', 'maintain', 'admin'."
+ }
 }
 
 variable "topics" {