This repository contains an OpenTofu plan that manages the OCP-on-NERC GitHub organization.

When a commit is pushed to the `main` branch (for example, when a pull request merges), the `.github/workflows/apply.yaml` workflow runs. It acquires the necessary credentials from GitHub secrets and from the "Org Config Management" GitHub app, and then uses OpenTofu to apply the requested configuration.
To add a member to the organization:

- Open `members.csv` and add a new row of the form `<username>,<role>`, where `<role>` in almost all cases should be `member`.

To add a team:

- Open `teams.csv` and add a new row of the form `<team_name>,<description>,<privacy>`, where `<privacy>` can be either `closed` (visible to all members of the organization) or `secret` (visible only to organization owners and to members of this team).

To add a member to a team:

- Open `team-members/<team>.csv` and add a new line of the form `<username>,<role>`, where `<role>` should be `member`.

To add a repository:

- Open `repositories.tf` and add a new block of the form:

  ```hcl
  module "repo_<repository_name_slug>" {
    source      = "./modules/common_repository"
    name        = "<repository_name>"
    description = "<repository_description>"
  }
  ```

  Here `<repository_name_slug>` is `<repository_name>` transformed into a valid identifier in most common languages: a single word consisting only of alphanumerics and underscores. So, for example, `github-config` becomes `github_config`, and `.github` becomes something like `dotgithub` (`_github` would also work).

To add a label to the standard set created by the `common_repository` module:

- Open `modules/common_repository/labels.csv` and add a new line of the form `<name>,<color>,<description>`.
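As an added example (not tooling from this repository), the following Python script checks rows against the file formats above before they are committed, and derives the `module "repo_<slug>"` block from a repository name. It assumes the CSV files have no header row (a header line matching the column names is skipped if present), that label colours are stored as six hex digits without a leading `#`, and that the only role values are `member` and `admin`; every sample file content in it is constructed, not taken from the repository.

```python
"""Added example: sanity checks for the CSV files and the repository module block
described above. Not tooling from the OCP-on-NERC repository; assumptions are marked."""
import csv
import io
import re

# GitHub usernames: 1-39 alphanumerics or hyphens, no leading/trailing or double hyphen.
USERNAME_RE = re.compile(r"^(?!-)(?!.*--)[A-Za-z0-9-]{1,39}(?<!-)$")
HEX_COLOR_RE = re.compile(r"^[0-9A-Fa-f]{6}$")  # assumption: colours are 6 hex digits, no '#'
ROLES = {"member", "admin"}      # assumption: the role values accepted for org/team members
PRIVACY = {"closed", "secret"}   # the two values described above


def _username(v):
    return None if USERNAME_RE.match(v) else f"{v!r} is not a valid GitHub username"


def _role(v):
    if v not in ROLES:
        return f"expected one of {sorted(ROLES)}, got {v!r}"
    # Not an error, but 'admin' is the exception to the rule above, so flag it for review.
    return "warning: 'admin' grants full control; confirm it is intended" if v == "admin" else None


def _choice(allowed):
    return lambda v: None if v in allowed else f"expected one of {sorted(allowed)}, got {v!r}"


def _nonempty(v):
    return None if v else "must not be empty"


def _color(v):
    return None if HEX_COLOR_RE.match(v) else f"{v!r} is not a 6-digit hex colour"


# Column layouts from the instructions above. The first column is the row key used
# for duplicate detection. "team-members" covers any team-members/<team>.csv file.
FORMATS = {
    "members.csv": (("username", _username), ("role", _role)),
    "team-members": (("username", _username), ("role", _role)),
    "teams.csv": (("team_name", _nonempty), ("description", _nonempty), ("privacy", _choice(PRIVACY))),
    "labels.csv": (("name", _nonempty), ("color", _color), ("description", _nonempty)),
}


def check_csv(kind, text):
    """Return 'line N: ...' findings for one file; findings containing 'warning:' are advisory."""
    columns = FORMATS[kind]
    findings, seen = [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        row = [field.strip() for field in row]
        if not row or row == [name for name, _ in columns]:  # blank line or a header row
            continue
        if len(row) != len(columns):
            findings.append(f"line {lineno}: expected {len(columns)} fields, got {len(row)}")
            continue
        for (name, validate), value in zip(columns, row):
            msg = validate(value)
            if msg:
                findings.append(f"line {lineno}: {name}: {msg}")
        key = row[0].lower()  # GitHub logins and team names are case-insensitive
        if key in seen:
            findings.append(f"line {lineno}: duplicate entry {row[0]!r}")
        seen.add(key)
    return findings


def errors_only(findings):
    return [f for f in findings if "warning:" not in f]


def repo_slug(name):
    """Derive <repository_name_slug> from <repository_name>: alphanumerics and underscores
    only, e.g. 'github-config' -> 'github_config' and '.github' -> 'dotgithub'."""
    if not name:
        raise ValueError("repository name must not be empty")
    if name.startswith("."):
        name = "dot" + name[1:]
    slug = re.sub(r"[^0-9A-Za-z_]", "_", name)
    if slug[0].isdigit():  # identifiers may not start with a digit
        slug = "_" + slug
    assert slug.isidentifier()
    return slug


def render_repo_module(name, description):
    """Render the module block to paste into repositories.tf."""
    if any(c in name + description for c in '"\\\n'):
        raise ValueError("name and description must not contain quotes, backslashes or newlines")
    return (
        f'module "repo_{repo_slug(name)}" {{\n'
        f'  source      = "./modules/common_repository"\n'
        f'  name        = "{name}"\n'
        f'  description = "{description}"\n'
        "}\n"
    )


# Constructed sample file contents (not taken from the repository).
MEMBERS_SAMPLE = "alice,member\nbob,admin\nAlice,member\n-bad-,member\ncarol\n"
TEAMS_SAMPLE = "platform,Platform engineering,closed\nsec,Security,public\n"
LABELS_SAMPLE = "bug,d73a4a,Something is not working\nwontfix,#ffffff,Will not be fixed\n"

if __name__ == "__main__":
    for kind, text in (("members.csv", MEMBERS_SAMPLE), ("teams.csv", TEAMS_SAMPLE), ("labels.csv", LABELS_SAMPLE)):
        for finding in check_csv(kind, text):
            print(f"{kind}: {finding}")
    print(render_repo_module("github-config", "OpenTofu configuration for the organization"))
```

Run it on the real files by reading them and calling `check_csv` with the matching key; the `admin` warning is deliberate so that reviewers of a pull request see every row that departs from the `member` default.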
The `common_repository` module will create:

- A repository with issues enabled and wikis and projects disabled
- Branch protection rules for the `main` branch requiring at least 2 approvals for pull requests and restricting force pushes to members of the `nerc-org-admins` team
- A standard set of labels

See the README file for the `common_repository` module for more information about customizing repository configuration (including how to make a repository private and how to add collaborators).
You should ensure that you run `tofu fmt` before submitting a pull request. The easiest way of doing this is to install the pre-commit tool on your local system and then run `pre-commit install`. This configures `.git/hooks/pre-commit` to run the pre-commit tool whenever you create a new commit. If there are formatting changes, the hook aborts the commit and applies the necessary changes to your files; you can then add the modified files and retry the commit.
In general, you won't need to do this: the configuration is applied automatically when a pull request merges to the `main` branch. These instructions are useful if it is necessary to apply changes manually (this can happen, for example, if someone makes changes to the organization through the GitHub web UI rather than through this repository, so that the organization no longer matches the configuration here).
To apply the configuration manually:

- Ensure that you have either Terraform or OpenTofu installed. There are packages for both available on Fedora:

  ```
  dnf install opentofu
  ```

- Acquire S3 credentials.

  OpenTofu maintains state information about the target infrastructure; you need this state in order to plan and apply the configuration. We store this information in an S3 bucket provided by the NERC. You need appropriate AWS credentials in order for OpenTofu to access the stored state. These should be provided in the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables.

- Acquire GitHub credentials.

  In order to apply the configuration, OpenTofu needs administrative access to our organization. You will need a token with at least the `admin:org` and `repo` privileges for the `innabox` organization. This should be provided in the `GITHUB_TOKEN` environment variable.

Treat both sets of credentials as secrets: export them in your shell session rather than writing them into any file in this repository.
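An added preflight check for the manual procedure above (example code, not part of this repository): it confirms that the three environment variables are set, then compares the scopes GitHub reports for a classic personal access token (via the `X-OAuth-Scopes` response header) against the `admin:org` and `repo` minimum, flagging both missing scopes and scopes beyond what this configuration needs. The header value `SAMPLE_HEADER` is constructed; the live `fetch_scopes` request is only made when the script is run directly, and the assumption that a token without that header must be checked in the GitHub UI is marked in the code.

```python
"""Added example: preflight check before a manual `tofu apply`. Not part of the
repository. Confirms credentials are present and the token carries the scopes
listed above; the network call happens only in the __main__ block."""
import os
import urllib.request

REQUIRED_ENV = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "GITHUB_TOKEN")
REQUIRED_SCOPES = {"admin:org", "repo"}  # the minimum stated above


def missing_env(environ=None):
    """Names of required variables that are unset or empty."""
    environ = os.environ if environ is None else environ
    return [name for name in REQUIRED_ENV if not environ.get(name)]


def parse_scopes(header_value):
    """Parse the comma-separated X-OAuth-Scopes header GitHub returns for classic tokens."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def check_scopes(granted, required=REQUIRED_SCOPES):
    """Return (missing, extra): required scopes the token lacks, and scopes it carries
    beyond what this repository needs (a least-privilege warning, not an error)."""
    return sorted(required - set(granted)), sorted(set(granted) - required)


def fetch_scopes(token):
    """Ask the API which scopes the token has. Returns None when GitHub sends no
    X-OAuth-Scopes header; assumption: that means the token is not a classic PAT
    and its permissions have to be checked in the GitHub UI instead."""
    req = urllib.request.Request(
        "https://api.github.com/",
        headers={"Authorization": f"Bearer {token}", "User-Agent": "apply-preflight"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        header = resp.headers.get("X-OAuth-Scopes")
    return None if header is None else parse_scopes(header)


# Constructed header value standing in for a real API response.
SAMPLE_HEADER = "repo, workflow, read:org"

if __name__ == "__main__":
    missing = missing_env()
    if missing:
        raise SystemExit(f"set these before running tofu: {', '.join(missing)}")
    granted = fetch_scopes(os.environ["GITHUB_TOKEN"])
    if granted is None:
        print("token scopes not reported; verify the token's permissions in the GitHub UI")
    else:
        lacking, extra = check_scopes(granted)
        if lacking:
            raise SystemExit(f"GITHUB_TOKEN is missing scopes: {lacking}")
        if extra:
            print(f"GITHUB_TOKEN has scopes beyond what is needed: {extra}")
    print("preflight ok; next: tofu init && tofu plan -out=tfplan && tofu apply tfplan")
```

When you then run `tofu plan -out=tfplan`, review the plan before applying it, and delete the plan file afterwards: saved plans can contain values from the state and from provider configuration in plaintext, so they should not outlive the apply.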
Further reading:

- OpenTofu introductory documentation.
- The GitHub provider for OpenTofu. This includes documentation for most of the resource types used in this repository.