variables.tf

variable "description" {
  description = "Description of the repository"
  type        = string
  default     = null
}

variable "visibility" {
  description = "Visibility of the repository. Must be public, private, or internal."
  type        = string
  default     = "public"

  validation {
    condition     = contains(["public", "private", "internal"], var.visibility)
    error_message = "Repository visibility must be public, private or internal"
  }
}

variable "homepage_url" {
  description = "Homepage URL of the repository"
  type        = string
  default     = null
}

variable "template" {
  description = "Template repository"
  type = object({
    owner                = string
    name                 = string
    include_all_branches = optional(bool, false)
  })
  default = null
}

variable "fork" {
  description = "Configuration for forking an existing repository"
  type = object({
    source_owner = string
    source_repo  = string
  })
  default = null
}

variable "archived" {
  description = "Whether the repository is archived"
  type        = bool
  default     = false
}

variable "has_issues" {
  description = "Whether the repository has issues enabled"
  type        = bool
  default     = false
}

variable "has_projects" {
  description = "Whether the repository has projects enabled"
  type        = bool
  default     = false
}

variable "has_discussions" {
  description = "Whether the repository has discussions enabled"
  type        = bool
  default     = false
}

variable "has_wiki" {
  description = "Whether the repository has wiki enabled"
  type        = bool
  default     = false
}

variable "is_template" {
  description = "Whether the repository is a template"
  type        = bool
  default     = false
}

variable "allow_auto_merge" {
  description = "Allow auto merge"
  type        = bool
  default     = false
}

variable "allow_squash_merge" {
  description = "Allow squash merge"
  type        = bool
  default     = true
}

variable "squash_merge_commit_title" {
  description = "Squash merge commit title. Must be PR_TITLE or COMMIT_OR_PR_TITLE."
  type        = string
  default     = "PR_TITLE"

  validation {
    condition     = contains(["PR_TITLE", "COMMIT_OR_PR_TITLE"], var.squash_merge_commit_title)
    error_message = "Repository squash merge commit title must be PR_TITLE, COMMIT_OR_PR_TITLE"
  }
}

variable "squash_merge_commit_message" {
  description = "Squash merge commit message. Must be PR_BODY, COMMIT_MESSAGES or BLANK."
  type        = string
  default     = "COMMIT_MESSAGE"

  validation {
    condition     = contains(["PR_BODY", "COMMIT_MESSAGES", "BLANK"], var.squash_merge_commit_message)
    error_message = "Repository squash merge commit message must be PR_BODY, COMMIT_MESSAGES or BLANK"
  }
}

variable "allow_merge_commit" {
  description = "Allow merge commit"
  type        = bool
  default     = true
}

variable "merge_commit_title" {
  description = "Merge commit title. Must be PR_TITLE or MERGE_MESSAGE."
  type        = string
  default     = "PR_TITLE"

  validation {
    condition     = contains(["PR_TITLE", "MERGE_MESSAGE"], var.merge_commit_title)
    error_message = "Repository merge commit title must be PR_TITLE, MERGE_MESSAGE"
  }
}

variable "merge_commit_message" {
  description = "Merge commit message. Must be PR_BODY, PR_TITLE or BLANK."
  type        = string
  default     = "PR_BODY"

  validation {
    condition     = contains(["PR_BODY", "PR_TITLE", "BLANK"], var.merge_commit_message)
    error_message = "Repository merge commit message must be PR_BODY, PR_TITLE or BLANK"
  }
}

variable "allow_rebase_merge" {
  description = "Allow rebase merge"
  type        = bool
  default     = true
}

variable "delete_branch_on_merge" {
  description = "Delete branch on merge"
  type        = bool
  default     = false
}

variable "default_branch" {
  description = "Default branch name"
  type        = string
  default     = "main"
}

variable "web_commit_signoff_required" {
  description = "Require signoff on web commits"
  type        = bool
  default     = false
}

variable "topics" {
  description = "List of repository topics"
  type        = list(string)
  default     = []
}

variable "license_template" {
  description = "License template"
  type        = string
  default     = null
}

variable "gitignore_template" {
  description = "Gitignore template"
  type        = string
  default     = null
}

variable "auto_init" {
  description = "Auto-initialize the repository"
  type        = bool
  default     = false
}

variable "enable_vulnerability_alerts" {
  description = "Enable vulnerability alerts"
  type        = bool
  default     = true
}

variable "allow_update_branch" {
  description = "Allow updating the branch"
  type        = bool
  default     = false
}

variable "security_and_analysis" {
  description = "Security and analysis settings"
  type = object({
    advanced_security                     = optional(bool, false)
    code_security                         = optional(bool, false)
    secret_scanning                       = optional(bool, false)
    secret_scanning_push_protection       = optional(bool, false)
    secret_scanning_ai_detection          = optional(bool, false)
    secret_scanning_non_provider_patterns = optional(bool, false)
  })
  default = null
}

variable "pages" {
  description = "GitHub Pages configuration for the repository"
  type = object({
    source = optional(object({
      branch = string
      path   = optional(string, "/")
    }), null)
    build_type = optional(string, "workflow")
    cname      = optional(string, null)
  })
  default = null

  validation {
    condition     = var.pages == null || try(contains(["legacy", "workflow"], var.pages.build_type), true)
    error_message = "Pages build_type must be 'legacy' or 'workflow'"
  }
}

variable "archive_on_destroy" {
  description = "Archive the repository on destroy"
  type        = bool
  default     = false
}

variable "autolink_references" {
  description = "Autolink references"
  type = map(object({
    key_prefix          = string
    target_url_template = string
    is_alphanumeric     = optional(bool, false)
  }))
  default  = {}
  nullable = false

  validation {
    condition     = alltrue([for k, v in var.autolink_references : can(regex("^http(s)?://", v.target_url_template))])
    error_message = "Autolink reference target URL template must start with http:// or https://"
  }

  validation {
    condition     = alltrue([for k, v in var.autolink_references : can(strcontains(v.key_prefix, "<num>"))])
    error_message = "Autolink reference key prefix must contain <num>"
  }
}

variable "custom_properties" {
  description = "Custom properties for the repository"
  type = map(object({
    string        = optional(string, null)
    boolean       = optional(bool, null)
    single_select = optional(string, null)
    multi_select  = optional(list(string), null)
  }))
  default  = {}
  nullable = false

  validation {
    condition     = alltrue([for k, v in var.custom_properties : length([for n, i in v : n if i != null]) == 1])
    error_message = "Custom property must have only one of the following: string, boolean, single_select, multi_select"
  }
}

variable "environments" {
  description = "Environments for the repository. Enviroment secrets should be encrypted using the GitHub public key in Base64 format if prefixed with nacl:. Read more: https://docs.github.com/en/actions/security-for-github-actions/encrypted-secrets"
  type = map(object({
    wait_timer          = optional(number, 0)
    can_admins_bypass   = optional(bool, false)
    prevent_self_review = optional(bool, false)
    reviewers = optional(object({
      teams = optional(list(string), [])
      users = optional(list(string), [])
    }), null)
    deployment_branch_policy = optional(object({
      protected_branches = optional(bool, false)
      custom_branches = optional(object({
        branches = optional(list(string), null)
        tags     = optional(list(string), null)
      }), null)
    }), null)
    variables = optional(map(string), null)
    secrets   = optional(map(string), null)
  }))
  default   = {}
  sensitive = true
  nullable  = false

  validation {
    condition     = alltrue([for k, v in var.environments : try(length(v.reviewers.teams) <= 6, true)])
    error_message = "Environment reviewers can not have more than 6 teams"
  }

  validation {
    condition     = alltrue([for k, v in var.environments : try(length(v.reviewers.users) <= 6, true)])
    error_message = "Environment reviewers can not have more than 6 users"
  }

  validation {
    condition     = alltrue([for k, v in var.environments : try(v.deployment_branch_policy.protected_branches == true || v.deployment_branch_policy.custom_branches != null, true)])
    error_message = "Environment deployment branch policy should have protected_branches set to true or custom_branches specified"
  }

  validation {
    condition     = alltrue([for k, v in var.environments : try(alltrue([for k, v in v.variables : can(regex("^[a-zA-Z0-9_]+$", k))]), true)])
    error_message = "Environment variables must be alphanumeric and underscores only, can not start with a number"
  }

  validation {
    condition     = alltrue([for k, v in var.environments : try(alltrue([for k, v in v.secrets : can(regex("^[a-zA-Z0-9_]+$", k))]), true)])
    error_message = "Environment secrets must be alphanumeric and underscores only, can not start with a number"
  }
}


variable "variables" {
  description = "Environment variables for the repository"
  type        = map(string)
  default     = {}
  nullable    = false

  validation {
    condition     = var.variables == null || alltrue([for k, v in var.variables : can(regex("^[a-zA-Z0-9_]+$", k))])
    error_message = "Variable names must be alphanumeric and underscores only, can not start with a number"
  }
}

variable "secrets" {
  description = "Secrets for the repository (if prefixed with nacl: it should be encrypted value using the GitHub public key in Base64 format. Read more: https://docs.github.com/en/actions/security-for-github-actions/encrypted-secrets)"
  type        = map(string)
  default     = {}
  sensitive   = true
  nullable    = false

  validation {
    condition     = var.secrets == null || alltrue([for k, v in var.secrets : can(regex("^[a-zA-Z0-9_]+$", k))])
    error_message = "Secret names must be alphanumeric and underscores only, can not start with a number"
  }
}

variable "deploy_keys" {
  description = "Deploy keys for the repository"
  type = map(object({
    title     = string
    key       = string
    read_only = optional(bool, false)
  }))
  default  = {}
  nullable = false
}

// https://docs.github.com/en/webhooks/webhook-events-and-payloads
variable "webhooks" {
  description = "A map of webhooks to configure for the repository"
  type = map(object({
    active       = optional(bool, true)
    events       = list(string)
    url          = string
    content_type = optional(string, "json")
    insecure_ssl = optional(bool, false)
    secret       = optional(string, null)
  }))
  default  = {}
  nullable = false

  validation {
    condition     = alltrue([for k, v in var.webhooks : can(regex("^http(s)?://", v.url))])
    error_message = "Webhook URL must start with http:// or https://"
  }

  validation {
    condition     = alltrue([for k, v in var.webhooks : contains(["json", "form"], v.content_type)])
    error_message = "Webhook content type must be json or form"
  }
}

variable "labels" {
  description = "A map of labels to configure for the repository"
  type = map(object({
    color       = string
    description = string
  }))
  default  = {}
  nullable = false
}

variable "teams" {
  description = "A map of teams and their permissions for the repository. This will create github_repository_collaborators resources for each team "
  type        = map(string)
  default     = {}
  nullable    = false
}

variable "team_repository" {
  description = "A map of permissions and their teams for the repository. This will create github_team_repository resources for each team. Format: { permission = [list of teams] }"
  type        = map(list(string))
  default     = {}
  nullable    = false

  validation {
    condition     = alltrue([for permission, teams in var.team_repository : contains(["pull", "triage", "push", "maintain", "admin"], permission)])
    error_message = "Team repository permissions must be one of: pull, triage, push, maintain, admin"
  }
}

variable "users" {
  description = "A map of users and their permissions for the repository"
  type        = map(string)
  default     = {}
  nullable    = false
}

variable "organization_repository_roles_enabled" {
  description = "Whether to use organization repository roles."
  type        = bool
  default     = false
}

variable "rulesets" {
  description = "A map of rulesets to configure for the repository"
  type = map(object({
    name = string
    // disabled, active, evaluate
    enforcement = string
    // branch, tag, push
    target = string
    bypass_actors = optional(list(object({
      // always, pull_request, exempt
      bypass_mode = string
      actor_id    = optional(string, null)
      // RepositoryRole, Team, Integration, OrganizationAdmin, DeployKey
      actor_type = string
    })), [])
    // conditions is required for branch and tag rulesets, but not supported for push rulesets
    conditions = optional(object({
      ref_name = object({
        // Supports ~DEFAULT_BRANCH or ~ALL
        include = optional(list(string), [])
        exclude = optional(list(string), [])
      })
    }), null)
    rules = object({
      branch_name_pattern = optional(object({
        // starts_with, ends_with, contains, regex
        operator = string
        pattern  = string
        name     = optional(string, null)
        negate   = optional(bool, false)
      }), null),
      commit_author_email_pattern = optional(object({
        // starts_with, ends_with, contains, regex
        operator = string
        pattern  = string
        name     = optional(string, null)
        negate   = optional(bool, false)
      }), null),
      creation                      = optional(bool, false),
      deletion                      = optional(bool, false),
      non_fast_forward              = optional(bool, false),
      required_linear_history       = optional(bool, false),
      required_signatures           = optional(bool, false),
      update                        = optional(bool, false),
      update_allows_fetch_and_merge = optional(bool, false),
      required_pull_request_reviews = optional(object({
        dismiss_stale_reviews           = bool
        required_approving_review_count = number
      }), null),
      commit_message_pattern = optional(object({
        // starts_with, ends_with, contains, regex
        operator = string
        pattern  = string
        name     = optional(string, null)
        negate   = optional(bool, false)
      }), null),
      committer_email_pattern = optional(object({
        // starts_with, ends_with, contains, regex
        operator = string
        pattern  = string
        name     = optional(string, null)
        negate   = optional(bool, false)
      }), null),
      merge_queue = optional(object({
        check_response_timeout_minutes = optional(number, 60)
        // ALLGREEN, HEADGREEN
        grouping_strategy    = string
        max_entries_to_build = optional(number, 5)
        max_entries_to_merge = optional(number, 5)
        // MERGE, SQUASH, REBASE
        merge_method                      = optional(string, "MERGE")
        min_entries_to_merge              = optional(number, 1)
        min_entries_to_merge_wait_minutes = optional(number, 5)
      }), null),
      pull_request = optional(object({
        dismiss_stale_reviews_on_push     = optional(bool, false)
        require_code_owner_review         = optional(bool, false)
        require_last_push_approval        = optional(bool, false)
        required_approving_review_count   = optional(number, 0)
        required_review_thread_resolution = optional(bool, false)
      }), null),
      required_deployments = optional(object({
        required_deployment_environments = optional(list(string), [])
      }), null),
      required_status_checks = optional(object({
        required_check = list(object({
          context        = string
          integration_id = optional(number, null)
        }))
        strict_required_status_checks_policy = optional(bool, false)
        do_not_enforce_on_create             = optional(bool, false)
      }), null),
      tag_name_pattern = optional(object({
        // starts_with, ends_with, contains, regex
        operator = string
        pattern  = string
        name     = optional(string, null)
        negate   = optional(bool, false)
      }), null),
      required_code_scanning = optional(object({
        required_code_scanning_tool = list(object({
          // none, errors, errors_and_warnings, all
          alerts_threshold = string
          // none, critical, high_or_higher, medium_or_higher, all
          security_alerts_threshold = string
          tool                      = string
        }))
      }), null),
      copilot_code_review = optional(object({
        review_on_push             = optional(bool, false)
        review_draft_pull_requests = optional(bool, false)
      }), null),
      // Push ruleset rules (only valid when target = "push")
      file_path_restriction = optional(object({
        restricted_file_paths = list(string)
      }), null),
      max_file_size = optional(object({
        // 1-100 MB
        max_file_size = number
      }), null),
      max_file_path_length = optional(object({
        max_file_path_length = number
      }), null),
      file_extension_restriction = optional(object({
        restricted_file_extensions = list(string)
      }), null),
    }),
  }))
  default = {}

  validation {
    condition     = alltrue([for k, v in var.rulesets : can(regex("^[a-zA-Z0-9_]+$", k))])
    error_message = "Ruleset names must be alphanumeric and underscores only, can not start with a number"
  }

  validation {
    condition     = alltrue([for k, v in var.rulesets : contains(["disabled", "active", "evaluate"], v.enforcement)])
    error_message = "Ruleset enforcement must be disabled, active, or evaluate"
  }

  validation {
    condition     = alltrue([for k, v in var.rulesets : contains(["branch", "tag", "push"], v.target)])
    error_message = "Ruleset target must be branch, tag, or push"
  }

  validation {
    condition     = alltrue([for k, v in var.rulesets : try(contains(["always", "pull_request", "exempt"], v.bypass_actors.bypass_mode), true)])
    error_message = "Ruleset bypass mode must be always, pull_request, or exempt"
  }

  validation {
    condition     = alltrue([for k, v in var.rulesets : try(contains(["RepositoryRole", "Team", "Integration", "OrganizationAdmin", "DeployKey"], v.bypass_actors.actor_type), true)])
    error_message = "Ruleset actor type must be RepositoryRole, Team, Integration, OrganizationAdmin, or DeployKey"
  }

  validation {
    condition     = alltrue([for k, v in var.rulesets : try(contains(["starts_with", "ends_with", "contains", "regex"], v.rules.branch_name_pattern.operator), true)])
    error_message = "Ruleset branch name pattern operator must be starts_with, ends_with, contains or regex"
  }

  validation {
    condition     = alltrue([for k, v in var.rulesets : v.target == "branch" || try(v.rules.branch_name_pattern == null, true)])
    error_message = "Ruleset branch name pattern can be specified only for branch rulesets"
  }

  validation {
    condition     = alltrue([for k, v in var.rulesets : try(contains(["starts_with", "ends_with", "contains", "equals", "regex"], v.rules.commit_author_email_pattern.operator), true)])
    error_message = "Ruleset commit author email pattern operator must be starts_with, ends_with, contains, equals or regex"
  }

  validation {
    condition     = alltrue([for k, v in var.rulesets : try(contains(["starts_with", "ends_with", "contains", "equals", "regex"], v.rules.commit_message_pattern.operator), true)])
    error_message = "Ruleset commit message pattern operator must be starts_with, ends_with, contains, equals or regex"
  }

  validation {
    condition     = alltrue([for k, v in var.rulesets : try(contains(["starts_with", "ends_with", "contains", "equals", "regex"], v.rules.committer_email_pattern.operator), true)])
    error_message = "Ruleset committer email pattern operator must be starts_with, ends_with, contains, equals or regex"
  }

  validation {
    condition     = alltrue([for k, v in var.rulesets : try(contains(["ALLGREEN", "HEADGREEN"], v.rules.merge_queue.grouping_strategy), true)])
    error_message = "Ruleset merge queue grouping strategy must be ALLGREEN or HEADGREEN"
  }

  validation {
    condition     = alltrue([for k, v in var.rulesets : try(contains(["MERGE", "SQUASH", "REBASE"], v.rules.merge_queue.merge_method), true)])
    error_message = "Ruleset merge queue merge method must be MERGE, SQUASH or REBASE"
  }

  validation {
    condition     = alltrue([for k, v in var.rulesets : v.rules.merge_queue == null || alltrue([for c in v.conditions.ref_name.include : can(!strcontains(c, "*") && !strcontains(c, "~ALL"))])])
    error_message = "Ruleset merge queue condition mush point to specific branch"
  }

  validation {
    condition     = alltrue([for k, v in var.rulesets : try(contains(["starts_with", "ends_with", "contains", "regex"], v.rules.tag_name_pattern.operator), true)])
    error_message = "Ruleset branch name pattern operator must be starts_with, ends_with, contains or regex"
  }

  validation {
    condition     = alltrue([for k, v in var.rulesets : v.target == "tag" || try(v.rules.tag_name_pattern == null, true)])
    error_message = "Ruleset tag name pattern can be specified only for tag rulesets"
  }

  validation {
    condition     = alltrue([for k, v in var.rulesets : v.target == "push" || v.conditions != null])
    error_message = "Ruleset conditions with ref_name is required for branch and tag rulesets"
  }

  validation {
    condition     = alltrue([for k, v in var.rulesets : v.target != "push" || v.conditions == null])
    error_message = "Ruleset conditions with ref_name is not supported for push rulesets"
  }

  validation {
    condition     = alltrue([for k, v in var.rulesets : v.target == "push" || try(v.rules.file_path_restriction == null, true)])
    error_message = "Ruleset file_path_restriction can be specified only for push rulesets"
  }

  validation {
    condition     = alltrue([for k, v in var.rulesets : v.target == "push" || try(v.rules.max_file_size == null, true)])
    error_message = "Ruleset max_file_size can be specified only for push rulesets"
  }

  validation {
    condition     = alltrue([for k, v in var.rulesets : v.target == "push" || try(v.rules.max_file_path_length == null, true)])
    error_message = "Ruleset max_file_path_length can be specified only for push rulesets"
  }

  validation {
    condition     = alltrue([for k, v in var.rulesets : v.target == "push" || try(v.rules.file_extension_restriction == null, true)])
    error_message = "Ruleset file_extension_restriction can be specified only for push rulesets"
  }

  validation {
    condition     = alltrue([for k, v in var.rulesets : try(v.rules.max_file_size.max_file_size >= 1 && v.rules.max_file_size.max_file_size <= 100, true)])
    error_message = "Ruleset max_file_size must be between 1 and 100 MB"
  }

  validation {
    condition     = alltrue([for k, v in var.rulesets : !v.rules.update_allows_fetch_and_merge || v.rules.update])
    error_message = "Ruleset update_allows_fetch_and_merge requires update to be true"
  }

  validation {
    condition = alltrue([for k, v in var.rulesets : try(alltrue([
      for tool in v.rules.required_code_scanning.required_code_scanning_tool :
      contains(["none", "errors", "errors_and_warnings", "all"], tool.alerts_threshold)
    ]), true)])
    error_message = "Ruleset required_code_scanning alerts_threshold must be none, errors, errors_and_warnings, or all"
  }

  validation {
    condition = alltrue([for k, v in var.rulesets : try(alltrue([
      for tool in v.rules.required_code_scanning.required_code_scanning_tool :
      contains(["none", "critical", "high_or_higher", "medium_or_higher", "all"], tool.security_alerts_threshold)
    ]), true)])
    error_message = "Ruleset required_code_scanning security_alerts_threshold must be none, critical, high_or_higher, medium_or_higher, or all"
  }
}