From dddf24273e69da218fd6fb6296c90638754c575b Mon Sep 17 00:00:00 2001 From: mulmuri Date: Wed, 5 Mar 2025 00:45:46 +0900 Subject: [PATCH 1/2] feat: github team --- modules/github/repository/main.tf | 107 ++++++++++--------------- modules/github/team/main.tf | 128 ++++++++++++++++++++++++++++++ projects/github/main.tf | 8 +- projects/github/provider.tf | 25 ++++-- 4 files changed, 188 insertions(+), 80 deletions(-) create mode 100644 modules/github/team/main.tf diff --git a/modules/github/repository/main.tf b/modules/github/repository/main.tf index eb65c31..d6f9a75 100644 --- a/modules/github/repository/main.tf +++ b/modules/github/repository/main.tf @@ -1,16 +1,15 @@ locals { repositories = [ - "infrastructure", - "manifests", - "airflow-pipeline-factory", - "fetch-system.worker", - "fetch-system.util", - "core-system.worker", - "hts-connector", - ".github", - "GoCppLinkingLibrary", - "common", - "buycycle" + {name = "infrastructure", tags = ["devops"]}, + {name = "manifests", tags = ["devops"]}, + {name = "airflow-pipeline-factory", tags = ["de"]}, + {name = "fetch-system.worker", tags = ["backend"]}, + {name = "fetch-system.util", tags = ["backend"]}, + {name = "core-system.worker", tags = ["backend"]}, + {name = "hts-connector", tags = ["backend"]}, + {name = ".github", tags = []}, + {name = "GoCppLinkingLibrary", tags = ["ml"]}, + {name = "common", tags = []} ] archived_repositories = [ 
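Review bot: `"buycycle"` is dropped from `local.repositories` in this hunk and nothing visible moves it into `archived_repositories`, whose opening bracket is the hunk's last line; because `github_repository.repository` is keyed by this list, the next apply will plan to delete the buycycle repository rather than archive it. If that is not intended, add the entry to `archived_repositories` (with its visibility), or set `archive_on_destroy = true` on the `github_repository` resource so a removal from the list archives instead of deleting. The `archived_repositories` list continues outside the hunk, so this may already be handled there.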
@@ -30,82 +29,56 @@ locals { resource "github_repository" "repository" { - for_each = toset(local.repositories) + for_each = { for repo in local.repositories : repo.name => repo } - name = each.value - description = "" + name = each.value.name + description = "" - visibility = "public" - has_issues = true + visibility = "public" + has_issues = true - delete_branch_on_merge = true - allow_merge_commit = true + delete_branch_on_merge = true + allow_merge_commit = true } -resource "github_branch_protection" "main_branch_protection" { - for_each = toset(local.repositories) +resource "github_repository_topics" "repository_topic" { + for_each = { for repo in local.repositories : repo.name => repo } - repository_id = github_repository.repository[each.value].node_id - - pattern = "main" + repository = each.value.name + topics = each.value.tags + + depends_on = [github_repository.repository] +} + +resource "github_branch_protection_v3" "main_branch_protection" { + for_each = { for repo in local.repositories : repo.name => repo } + + repository = each.value.name + branch = "main" + enforce_admins = true required_pull_request_reviews { required_approving_review_count = 1 dismiss_stale_reviews = false require_code_owner_reviews = false - pull_request_bypassers = [ - "goboolean/devops" - ] + bypass_pull_request_allowances { + teams = ["goboolean/devops"] + } } required_status_checks { strict = true - contexts = [] } - enforce_admins = true - allows_deletions = false - allows_force_pushes = false + depends_on = [github_repository.repository] } resource "github_repository" "archived" { - for_each = { for repo in local.archived_repositories : repo.name => repo } - - name = each.value.name - description = "" - - visibility = each.value.visibility - archived = true -} - -resource "github_team" "devops" { - name = "devops" - description = "DevOps team" -} - -resource "github_team_members" "devops_members" { - team_id = github_team.devops.id - - members { - username = "mulmuri" - role 
= "maintainer" - } - - members { - username = "ikjeong" - role = "maintainer" - } - - members { - username = "goboolean-io" - role = "member" - } -} + for_each = { for repo in local.archived_repositories : repo.name => repo } -resource "github_team_repository" "devops_access" { - for_each = toset(local.repositories) + name = each.value.name + description = "" - team_id = github_team.devops.id - repository = each.value - permission = "push" + visibility = each.value.visibility + archived = true } diff --git a/modules/github/team/main.tf b/modules/github/team/main.tf new file mode 100644 index 0000000..9515b25 --- /dev/null +++ b/modules/github/team/main.tf 
@@ -0,0 +1,128 @@ +#Active Users +resource "github_team" "active_users" { + name = "Active Users" + description = "Active Users" +} + +resource "github_team_members" "active_users" { + team_id = github_team.active_users.id + + members { + username = "mulmuri" + role = "member" + } + + members { + username = "ikjeong" + role = "member" + } + + members { + username = "goboolean-io" + role = "member" + } + + members { + username = "dawit0905" + role = "member" + } +} + + +#DevOps +resource "github_team" "devops" { + name = "DevOps" + description = "DevOps team" +} + +resource "github_team_members" "devops_members" { + team_id = github_team.devops.id + + members { + username = "mulmuri" + role = "maintainer" + } + + members { + username = "ikjeong" + role = "maintainer" + } + + members { + username = "goboolean-io" + role = "maintainer" + } +} + +data "github_repositories" "infra_repos" { + query = "topic:devops org:goboolean" +} + +resource "github_team_repository" "devops_access" { + for_each = toset(data.github_repositories.infra_repos.names) + + team_id = github_team.devops.id + repository = each.value + permission = "push" +} + + +#DE +resource "github_team" "de" { + name = "DE" + description = "DevOps" +} + +resource "github_team_members" "de_members" { + team_id = github_team.de.id + + members { + username = "mulmuri" + role = "maintainer" + } + + members { + username = "dawit0905" + role = "maintainer" + } +} + +data "github_repositories" "de_repos" { + query = "topic:de org:goboolean" +} + +resource "github_team_repository" "de_access" { + for_each = toset(data.github_repositories.de_repos.names) + + team_id = github_team.de.id + repository = each.value + permission = "push" +} + + +#Backend +resource "github_team" "backend" { + name = "Backend" + description = "Backend team" +} + +resource "github_team_members" "backend_members" { + team_id = github_team.backend.id + + members { + username = "mulmuri" + role = "maintainer" + } +} + +data "github_repositories" 
"backend_repos" { + query = "topic:backend org:goboolean" +} + +resource "github_team_repository" "backend_access" { + for_each = toset(data.github_repositories.backend_repos.names) + + team_id = github_team.backend.id + repository = each.value + permission = "push" +} diff --git a/projects/github/main.tf b/projects/github/main.tf index b2c2b63..49cd2e3 100644 --- a/projects/github/main.tf +++ b/projects/github/main.tf @@ -38,9 +38,7 @@ module "github_secret" { registry_password = local.harbor_password } -provider "github" { - owner = "goboolean" - token = local.github_token +module "team" { + source = "../../modules/github/team" + depends_on = [module.repository] } - - diff --git a/projects/github/provider.tf b/projects/github/provider.tf index 72d53d0..8a9df94 100644 --- a/projects/github/provider.tf +++ b/projects/github/provider.tf @@ -3,21 +3,30 @@ provider "google" { region = var.region } -data "google_secret_manager_secret_version" "vault_role_id" { - secret = "vault_role_id" -} +ephemeral "google_service_account_jwt" "vault_jwt" { + target_service_account = "atlantis@${var.project_id}.iam.gserviceaccount.com" + + payload = jsonencode({ + sub: "atlantis@${var.project_id}.iam.gserviceaccount.com", + aud: "vault/terraform", + }) -data "google_secret_manager_secret_version" "vault_secret_id" { - secret = "vault_secret_id" + expires_in = 1800 } provider "vault" { address = "https://vault.goboolean.io" + auth_login { - path = "auth/approle/login" + path = "auth/gcp/login" parameters = { - role_id = data.google_secret_manager_secret_version.vault_role_id.secret_data - secret_id = data.google_secret_manager_secret_version.vault_secret_id.secret_data + jwt = ephemeral.google_service_account_jwt.vault_jwt.jwt + role = "terraform" } } } + +provider "github" { + owner = "goboolean" + token = local.github_token +} From 536db39b60c041bed44adf29bc84ba7266436f6d Mon Sep 17 00:00:00 2001 
From: mulmuri Date: Wed, 5 Mar 2025 00:56:16 +0900 Subject: [PATCH 2/2] feat: enable devops bypass --- modules/github/repository/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/github/repository/main.tf b/modules/github/repository/main.tf index d6f9a75..3be0c3f 100644 --- a/modules/github/repository/main.tf +++ b/modules/github/repository/main.tf @@ -62,7 +62,7 @@ resource "github_branch_protection_v3" "main_branch_protection" { dismiss_stale_reviews = false require_code_owner_reviews = false bypass_pull_request_allowances { - teams = ["goboolean/devops"] + teams = ["goboolean/DevOps"] } }
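Review bot: The bypass allowance now reads `"goboolean/DevOps"`, the team's display name, whereas GitHub addresses teams in branch-protection settings by slug, which is lowercased (`devops`); whether the provider's `teams` list accepts a display name or requires a slug is not visible here, so confirm with a plan and apply against the real team before relying on this, since a non-matching entry silently leaves the DevOps team without the bypass it is expected to have. If the field takes slugs, the original `"goboolean/devops"` was correct and the team rename in the previous commit did not change the slug.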