Initial commit

.github/dependabot.yml

@@ -0,0 +1,9 @@
+# Set update schedule for GitHub Actions
+
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    # Check for updates to GitHub Actions every week
+    interval: "weekly"

.github/workflows/pre-commit.yaml

@@ -0,0 +1,21 @@
+name: pre-commit
+
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-python@v5
+      with:
+        python-version: "3.13"
+    - uses: opentofu/setup-opentofu@v1
+      with:
+        tofu_wrapper: false
+    - uses: pre-commit/action@v3.0.1
+      with:
+        extra_args: --all-files

.gitignore

@@ -0,0 +1,4 @@
+.terraform
+terraform.tfstate
+terraform.tfstate.backup
+.env

.pre-commit-config.yaml

@@ -0,0 +1,29 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v5.0.0
+  hooks:
+    - id: trailing-whitespace
+    - id: check-merge-conflict
+    - id: end-of-file-fixer
+    - id: check-added-large-files
+    - id: check-case-conflict
+    - id: check-json
+    - id: check-symlinks
+    - id: detect-private-key
+
+- repo: https://github.com/adrienverge/yamllint.git
+  rev: v1.35.1
+  hooks:
+    - id: yamllint
+      files: \.(yaml|yml)$
+      types: [file, yaml]
+      entry: yamllint --strict
+
+- repo: local
+  hooks:
+  - id: tofu-fmt
+    pass_filenames: false
+    name: tofu-fmt
+    language: script
+    files: \.tf$
+    entry: ./ci/tofu-fmt.sh

.yamllint.yaml

@@ -0,0 +1,10 @@
+extends: default
+rules:
+  line-length: disable
+  document-start: disable
+  indentation:
+    indent-sequences: whatever
+  hyphens:
+    max-spaces-after: 4
+  truthy:
+    check-keys: false

README.md

@@ -0,0 +1,93 @@
+# OCP-on-NERC Github configuration
+
+This repository contains [OpenTofu] plan to manage the [OCP-on-NERC] GitHub organization.
+
+
+[ocp-on-nerc]: https://github.com/ocp-on-nerc
+[opentofu]: https://opentofu.org/
+
+## How does it work?
+
+When a commit is pushed to the `main` branch (e.g., when a pull request merges), that triggers the `.github/workflows/apply.yaml` workflow. This workflow acquires necessary credentials from GithHub secrets and from the "Org Config Management" GitHub app, and then uses [OpenTofu] to apply the requested configuration.
+
+## How do I...
+
+### Add a new organization member?
+
+1. Open `members.csv`
+1. Add a new row of the form `<username>,<role>`, where `<role>` in almost all cases should be `member`.
+
+### Add a new team?
+
+1. Open `teams.csv`
+1. Add a new row of the form `<team_name>,<description>,<privacy>`, where `<privacy>` can be either `closed` (visible to all members of the organization) or `secret` (visible to organization owners and members of this team)
+
+### Add an organization member to a team?
+
+1. Open `team-members/<team>.csv`
+1. Add a new line of the form `<username>,<role>`, where `<role>` should be `member`.
+
+### Add a new repository?
+
+1. Open `repositories.tf`
+1. Add a new block of the form:
+
+    ```
+    module "repo_<repository_name_slug>" {
+      source      = "./modules/common_repository"
+      name        = "<repository_name>"
+      description = "<repository_description"
+    }
+    ```
+
+### Add a new label to all managed repositories?
+
+1. Open `modules/common_repository/labels.csv`
+
+2. Add a new line of the form `<name>,<color>,<description>`
+
+Where `<repository_name_slug>` is `<repository_name>` transformed to be a valid identifier in most common languages: a single word consisting of only alphanumerics and underscores. So e.g. `github-config` would become `github_config`, and `.gitjub` would become something like `dotgithub` (`_github` would also work).
+
+## The common_repository module
+
+This module will create:
+
+- A repository with issues enabled and wikis and projects disabled
+- Branch protection rules for the `main` branch requiring at least 2 approvals for pull requests and restricting force pushes to members of the `nerc-org-admins` team
+- A standard set of labels
+
+See the [README file for the common_repository module][common_repository] for more information about customizing repository configuration (including how to make a repository private and how to add collaborators).
+
+[common_repository]: ./modules/common_repository/
+
+## Suggested local pre-commit checks
+
+You should ensure that you run `tofu fmt` before submitting a pull request. The easiest way of doing this is by installing the `pre-commit` tool on your local system and then running `pre-commit install`. This will configure `.git/hooks/pre-commit` to run the `pre-commit` tool whenever you create a new commit. If there are formatting changes, this will abort the commit and apply the necessary changes to your files. You can then add the modified files and update the commit.
+
+## Prerequisites for applying the configuration
+
+In general, you won't need to do this: the configuration is applied when a pull request merges to the `main` branch. These instructions will be useful if is necessary to apply changes manually (this can happen, for example, if someone makes changes to the organization through the GitHub web UI rather than through this repository).
+
+1. Ensure that you have either Terraform or OpenTofu installed. There are packages for both available on Fedora:
+
+    ```
+    dnf install opentofu
+    ```
+
+1. Acquire S3 credentials.
+
+    OpenTofu maintains state information about the target infrastructure; you need this state in order to plan and apply the configuration. We store this information in an S3 bucket provided by the [NERC]. You need appropriate AWS credentials in order for OpenTofu to access the cached state. These should be provided in the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables.
+
+1. Acquire GitHub credentials.
+
+    In order to apply the configuration, OpenTofu needs administrative access to our organization. You will need a token with at least `admin:org` and `repo` privileges for the `innabox` organization. This should be provided in the `GITHUB_TOKEN` environment variable.
+
+[nerc]: https://nerc.mghpcc.org/
+
+## Additional documentation
+
+- OpenTofu [introductory documentation](https://opentofu.org/docs/intro/).
+
+- The OpenTofu [github provider](https://search.opentofu.org/provider/opentofu/github/v6.3.0).
+
+  This includes documentation for most of the resource types used in this repository.

backend.tf

@@ -0,0 +1,16 @@
+# Define where terraform will store the shared state.
+terraform {
+  backend "s3" {
+    endpoints = {
+      s3 = "https://stack.nerc.mghpcc.org:13808"
+    }
+    bucket                      = "tfstate"
+    key                         = "ocp-on-nerc.tfstate"
+    region                      = "main"
+    skip_credentials_validation = true
+    skip_requesting_account_id  = true
+    skip_metadata_api_check     = true
+    skip_region_validation      = true
+    use_path_style              = true
+  }
+}

ci/markup-tofu-errors.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+sed '
+/./,$!d
+/^Error/ i\
+\
+> [!WARNING]\
+>
+
+s/^  /    /
+s/^/> /
+'

ci/run-tofu-cmd.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+tmpout=$(mktemp applyoutXXXXXX)
+tmperr=$(mktemp applyerrXXXXXX)
+trap 'rm -f "$tmpout" "$tmperr"' EXIT
+
+tofu "$@" > "$tmpout" 2> "$tmperr"
+exitcode=$?
+
+if [[ -n "$GITHUB_ACTION" ]]; then
+  echo "::group::stdout-${RANDOM}"
+  cat "$tmpout"
+  echo "::endgroup"
+
+  echo "::group::stderr-${RANDOM}"
+  cat "$tmperr"
+  echo "::endgroup"
+  if grep -q '^Error:' "$tmperr"; then
+      {
+        printf "## Errors\n"
+        ./ci/markup-tofu-errors.sh < "$tmperr"
+      } >> "$GITHUB_STEP_SUMMARY"
+  fi
+else
+  cat "$tmpout"
+  cat "$tmperr" >&2
+fi
+
+exit "$exitcode"

ci/tofu-fmt.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+tmpout=$(mktemp applyoutXXXXXX)
+tmperr=$(mktemp applyerrXXXXXX)
+trap 'rm -f "$tmpout" "$tmperr"' EXIT
+
+if ! tofu fmt -check -diff -no-color -recursive > "$tmpout" 2> "$tmperr"; then
+  if [[ -n "$GITHUB_ACTION" ]]; then
+    if [[ -s "$tmperr" ]]; then
+      {
+      printf "## Errors\n"
+      ./ci/markup-tofu-errors.sh < "$tmperr"
+      } >> "$GITHUB_STEP_SUMMARY"
+    fi
+    if [[ -s "$tmpout" ]]; then
+      {
+      printf "## Changes\n"
+      printf "> [!WARNING]\n> There are formatting problems that must be addressed.\n\n"
+      echo '```'
+      cat "$tmpout"
+      echo '```'
+      } >> "$GITHUB_STEP_SUMMARY"
+    fi
+  fi
+  tofu fmt -diff -recursive
+  exit 1
+fi

locals.tf

@@ -0,0 +1,32 @@
+# Populate variables with contents from local .csv files.
+
+locals {
+  # Parse team member files
+  team_members_path = "team-members"
+  team_members_files = {
+    for file in fileset(local.team_members_path, "*.csv") :
+    trimsuffix(file, ".csv") => csvdecode(file("${local.team_members_path}/${file}"))
+  }
+
+  # Create temp object that has team ID and CSV contents
+  team_members_temp = flatten([
+    for team, members in local.team_members_files : [
+      {
+        slug    = team
+        members = members
+      }
+    ]
+  ])
+
+  # Create object for each team-user relationship
+  team_members = flatten([
+    for team in local.team_members_temp : [
+      for member in team.members : {
+        name     = "${team.slug}-${member.username}"
+        team_id  = team.slug
+        username = member.username
+        role     = member.role
+      }
+    ]
+  ])
+}

main.tf

@@ -0,0 +1,3 @@
+provider "github" {
+  owner = "ocp-on-nerc"
+}

members.csv

@@ -0,0 +1,68 @@
+username,role
+aabaris,admin
+bhanvimenghani,member
+bharathappali,member
+BillWeaver,member
+bnshr,member
+computate,member
+cooktheryan,member
+culbert,member
+cybette,member
+DanNiESh,member
+dheerajodha,member
+dinogun,member
+dystewart,member
+EldritchJS,member
+erikerlandson,member
+gagansk,member
+Gregory-Pereira,member
+griffinandrew,member
+hakasapl,member
+harshil-codes,member
+hemajv,member
+hpdempsey,admin
+ilya-kolchinsky,member
+IsaiahStapleton,member
+jappavoo,member
+jas-li,member
+jbasu01,member
+joachimweyl,admin
+jon-stumpf,member
+jtriley,admin
+JudeNiroshan,member
+khansaad,member
+knikolla,member
+kusumachalasani,member
+larsks,admin
+LaVLaS,member
+leseb,member
+lesleychou,member
+memalhot,member
+MichaelClifford,member
+Milstein,admin
+msdisme,member
+nathanweeks,member
+naved001,admin
+piCounter,member
+pjd-nu,member
+QuanMPhm,member
+rebeccaSimmonds19,member
+RH-csaggin,member
+rohankumar-1,member
+sallyom,member
+sauagarwa,member
+schwesig,member
+shekhar316,member
+shreyabiradar07,member
+Shreyanand,member
+skanthed,member
+srampal,member
+StHeck,member
+syedmohdqasim,member
+syockel,member
+tssala23,member
+tumido,member
+tzumainn,member
+vbelouso,member
+zaoxing,member
+Zongshun96,member