# Master on/off switch for everything in this module. It inherits the `enabled`
# flag from `module.this` (presumably the Cloud Posse label/context module —
# defined outside this file) so the whole stack can be disabled in one place.
locals {
  enabled = module.this.enabled
}
# Provisions the GitHub repository and everything attached to it through the
# Cloud Posse repository module (pinned to a single version). Every argument is
# a straight pass-through of this module's inputs; the Actions variables,
# secrets and environments are first resolved from SSM / Secrets Manager in the
# locals defined further down in this file.
module "repository" {
  source  = "cloudposse/repository/github"
  version = "1.6.0"

  enabled = local.enabled

  # Identity and metadata
  name                = var.repository.name
  regex_replace_chars = "/[^a-zA-Z0-9.-]/"
  description         = var.repository.description
  visibility          = var.repository.visibility
  template            = var.template
  homepage_url        = var.repository.homepage_url
  topics              = var.repository.topics
  is_template         = var.repository.is_template

  # Lifecycle
  archived           = var.repository.archived
  archive_on_destroy = var.repository.archive_on_destroy

  # Feature toggles
  has_discussions = var.repository.has_discussions
  has_issues      = var.repository.has_issues
  has_projects    = var.repository.has_projects
  has_wiki        = var.repository.has_wiki

  # Merge strategy and commit-message policy
  allow_squash_merge          = var.repository.allow_squash_merge
  allow_merge_commit          = var.repository.allow_merge_commit
  allow_rebase_merge          = var.repository.allow_rebase_merge
  squash_merge_commit_title   = var.repository.squash_merge_commit_title
  squash_merge_commit_message = var.repository.squash_merge_commit_message
  merge_commit_title          = var.repository.merge_commit_title
  merge_commit_message        = var.repository.merge_commit_message
  allow_auto_merge            = var.repository.allow_auto_merge
  allow_update_branch         = var.repository.allow_update_branch
  delete_branch_on_merge      = var.repository.delete_branch_on_merge

  # Initial contents and default branch
  auto_init          = var.repository.auto_init
  gitignore_template = var.repository.gitignore_template
  license_template   = var.repository.license_template
  default_branch     = var.repository.default_branch

  # Security posture: signed-off web commits, Dependabot alerts, code
  # scanning / secret scanning settings and branch rulesets
  web_commit_signoff_required = var.repository.web_commit_signoff_required
  enable_vulnerability_alerts = var.repository.enable_vulnerability_alerts
  security_and_analysis       = var.repository.security_and_analysis
  rulesets                    = var.rulesets

  # Integrations and repository extras
  autolink_references = var.autolink_references
  custom_properties   = var.custom_properties
  deploy_keys         = var.deploy_keys
  webhooks            = var.webhooks
  labels              = var.labels

  # GitHub Actions configuration (already resolved from SSM / Secrets Manager)
  environments = local.environments
  variables    = local.variables
  secrets      = local.secrets

  # Access control
  teams                                 = var.teams
  users                                 = var.users
  organization_repository_roles_enabled = var.organization_repository_roles_enabled
}
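# Resolution of GitHub Actions secrets / variables. Any value may be a literal
# or an indirection into AWS: "ssm://<parameter-name>" is read from SSM
# Parameter Store and "asm://<secret-name-or-arn>" from Secrets Manager, so the
# actual secret material never has to live in the Terraform inputs.
locals {
  # Repository-level secrets. The whole map is marked sensitive so that resolved
  # values are redacted in plan / apply output and in console logs.
  secrets = sensitive({
    for k, v in coalesce(var.secrets, {}) : k => (
      startswith(v, "ssm://") ? data.aws_ssm_parameter.default[v].value :
      startswith(v, "asm://") ? data.aws_secretsmanager_secret_version.default[v].secret_string : v
    )
  })

  # Repository-level Actions variables, with the same ssm:// and asm:// indirection.
  # coalesce() is used like everywhere else in this file: try() would pass a null
  # map through unchanged and the for expression would then fail on it.
  # The resolved value is explicitly un-marked because GitHub Actions variables
  # are plaintext by design — do not route secret material through `variables`.
  variables = {
    for k, v in coalesce(var.variables, {}) : k => (
      startswith(v, "ssm://") ? nonsensitive(data.aws_ssm_parameter.default[v].value) :
      startswith(v, "asm://") ? nonsensitive(data.aws_secretsmanager_secret_version.default[v].secret_string) : v
    )
  }

  # Per-environment protection rules plus the environment-scoped variables and
  # secrets, resolved the same way as the repository-level ones.
  environments = {
    for k, v in coalesce(var.environments, {}) : k => {
      wait_timer               = v.wait_timer
      can_admins_bypass        = v.can_admins_bypass
      prevent_self_review      = v.prevent_self_review
      reviewers                = v.reviewers
      deployment_branch_policy = v.deployment_branch_policy

      variables = {
        for name, variable in coalesce(v.variables, {}) : name => (
          startswith(variable, "ssm://") ? nonsensitive(data.aws_ssm_parameter.default[variable].value) :
          startswith(variable, "asm://") ? nonsensitive(data.aws_secretsmanager_secret_version.default[variable].secret_string) : variable
        )
      }

      # NOTE(review): unlike the repository-level `secrets` above, resolved
      # environment secrets are un-marked with nonsensitive(), so they show up
      # in clear text in plan and state output. Presumably this is required
      # because the downstream module iterates `environments` with for_each,
      # which rejects sensitive values — confirm before relying on redaction here.
      secrets = {
        for name, secret in coalesce(v.secrets, {}) : name => (
          startswith(secret, "ssm://") ? nonsensitive(data.aws_ssm_parameter.default[secret].value) :
          startswith(secret, "asm://") ? nonsensitive(data.aws_secretsmanager_secret_version.default[secret].secret_string) : secret
        )
      }
    }
  }

  # Every reference string used anywhere above, deduplicated. Collecting them
  # once (instead of building one map per source and merging) means a parameter
  # or secret referenced from several places is looked up exactly once, and two
  # inputs pointing at the same reference no longer produce a duplicate-key error
  # in the map comprehensions below.
  secret_store_references = distinct(concat(
    values(coalesce(var.variables, {})),
    values(coalesce(var.secrets, {})),
    flatten([for k, v in coalesce(var.environments, {}) : values(coalesce(v.variables, {}))]),
    flatten([for k, v in coalesce(var.environments, {}) : values(coalesce(v.secrets, {}))]),
  ))

  # reference string => SSM parameter name, e.g. "ssm://app/token" => "app/token".
  # Keyed by the raw reference so the resolution expressions above can index the
  # data source with the original value.
  ssm_parameters = {
    for ref in local.secret_store_references : ref => trimprefix(ref, "ssm://") if startswith(ref, "ssm://")
  }

  # reference string => Secrets Manager secret name or ARN, e.g. "asm://db" => "db".
  sm_parameters = {
    for ref in local.secret_store_references : ref => trimprefix(ref, "asm://") if startswith(ref, "asm://")
  }
}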
# One lookup per distinct `ssm://` reference. nonsensitive() is needed so that
# for_each can iterate the map in case it inherited a sensitive mark (e.g. from a
# sensitive `var.secrets`); this only exposes the parameter *names* as instance
# keys — the provider keeps the returned `value` attribute marked sensitive.
# SecureString parameters are decrypted through the provider's default
# `with_decryption = true`, so the calling identity needs the matching KMS access.
data "aws_ssm_parameter" "default" {
  for_each = nonsensitive(local.ssm_parameters)
  name     = each.value
}
# Resolves each `asm://` reference (a secret name or ARN) to the secret's
# metadata; only its id is used, by the version lookup below. The instance key
# is the raw reference string so the two data sources stay aligned. See the
# SSM data source above for why nonsensitive() is applied to the for_each map.
data "aws_secretsmanager_secret" "default" {
  for_each = nonsensitive(local.sm_parameters)
  name     = each.value
}
# Fetches the secret value for each `asm://` reference. No version or stage is
# pinned, so the provider default (the current version) is read; this is what
# `secret_string` in the locals above comes from. Keyed by the same reference
# string as `aws_secretsmanager_secret` so `each.key` indexes it directly.
data "aws_secretsmanager_secret_version" "default" {
  for_each  = nonsensitive(local.sm_parameters)
  secret_id = data.aws_secretsmanager_secret.default[each.key].id
}