# Example: Push target ruleset for file and content restrictions
# This ruleset applies to all pushes across the enterprise
resource "github_enterprise_ruleset" "push_restrictions" {
  # Enterprise-wide push ruleset: blocks pushes that introduce the listed
  # file paths / extensions, oversized files or long paths, and (as written)
  # also constrains commit metadata. "your-enterprise" and "@your-company.com"
  # are placeholders that must be replaced before applying.
  enterprise_slug = "your-enterprise"
  name            = "push-restrictions-ruleset"
  target          = "push"
  enforcement     = "active" # "active" blocks non-compliant pushes; anything else would not enforce

  # Allow deploy keys and organization admins to bypass
  # NOTE(review): bypass_mode = "always" exempts every deploy-key push (typically
  # automation / CI) from all rules below, so a credential file committed by a
  # pipeline would not be stopped. Confirm this exemption is intended.
  bypass_actors {
    actor_type  = "DeployKey"
    bypass_mode = "always"
  }
  bypass_actors {
    actor_id    = 1 # presumably the fixed id GitHub uses for OrganizationAdmin — confirm against provider docs
    actor_type  = "OrganizationAdmin"
    bypass_mode = "always"
  }

  # Conditions define which organizations and repositories this ruleset applies to
  # Note: ref_name is NOT used for push target
  conditions {
    # Target all organizations
    organization_name {
      include = ["~ALL"]
      exclude = []
    }
    # Target all repositories (except those matching the exclude pattern)
    repository_name {
      include = ["~ALL"]
      exclude = ["sandbox-*"]
    }
  }

  # Rules that apply to all pushes
  # NOTE(review): per GitHub's ruleset docs, push-target rulesets support only the
  # file-level rules (file_path_restriction, max_file_path_length,
  # file_extension_restriction, max_file_size). The commit_message_pattern,
  # commit_author_email_pattern and committer_email_pattern blocks below are
  # branch/tag metadata rules — verify the API accepts them with target = "push"
  # before relying on this example; an apply-time rejection is likely.
  rules {
    # Restrict specific file paths from being pushed
    # Patterns are evaluated by GitHub (fnmatch-style per its docs) — confirm
    # whether "*" crosses directory separators; "credentials/*" may only cover
    # the top level of that directory.
    file_path_restriction {
      restricted_file_paths = [
        "secrets.txt",
        "*.key",
        "*.pem",
        ".env",
        "credentials/*"
      ]
    }

    # Limit maximum file size to prevent large files
    max_file_size {
      max_file_size = 100 # Max 100 MB
    }

    # Limit maximum file path length
    max_file_path_length {
      max_file_path_length = 255
    }

    # Restrict specific file extensions
    # TODO confirm the expected entry format ("*.exe" vs ".exe" / "exe") against
    # the provider and API docs; a mismatch silently restricts nothing.
    file_extension_restriction {
      restricted_file_extensions = [
        "*.exe",
        "*.dll",
        "*.so",
        "*.dylib",
        "*.zip",
        "*.tar.gz"
      ]
    }

    # Commit message pattern (Conventional Commits style prefix required).
    # In HCL "\\(" is the literal two characters "\(", i.e. an escaped paren
    # in the regex; negate = false means the message must match.
    commit_message_pattern {
      name     = "Valid Commit Message"
      operator = "regex"
      pattern  = "^(feat|fix|docs|style|refactor|test|chore)(\\(.+\\))?: .+"
      negate   = false
    }

    # Commit author email pattern — author address must end with the corporate domain
    commit_author_email_pattern {
      name     = "Corporate Email"
      operator = "ends_with"
      pattern  = "@your-company.com"
      negate   = false
    }

    # Committer email pattern — same constraint for the committer address
    # (author and committer can differ, e.g. after rebase or cherry-pick)
    committer_email_pattern {
      name     = "Corporate Email"
      operator = "ends_with"
      pattern  = "@your-company.com"
      negate   = false
    }
  }
}
# Example: Security-focused push ruleset
resource "github_enterprise_ruleset" "security_push_restrictions" {
  # Stricter push ruleset scoped to production repositories (by name pattern).
  # No bypass_actors block is declared, so no actor is exempt from these rules.
  # Rulesets with overlapping scope are combined by GitHub; this one tightens
  # rather than replaces any enterprise-wide ruleset that also matches.
  enterprise_slug = "your-enterprise"
  name            = "security-push-restrictions"
  target          = "push"
  enforcement     = "active"

  conditions {
    # All organizations in the enterprise
    organization_name {
      include = ["~ALL"]
      exclude = []
    }
    # Only repositories whose name marks them as production
    repository_name {
      include = ["*-prod", "*-production"]
      exclude = []
    }
  }

  rules {
    # Block common secret file patterns
    # (".env.*" covers environment-specific variants such as ".env.production";
    # pattern semantics are GitHub's — confirm whether "*" spans directories)
    file_path_restriction {
      restricted_file_paths = [
        "*.pem",
        "*.key",
        "*.cert",
        "*.p12",
        "*.pfx",
        ".env",
        ".env.*",
        "secrets.yml",
        "credentials.json"
      ]
    }

    # Strict file size limits for production
    max_file_size {
      max_file_size = 50 # Max 50 MB
    }

    # Block executable and archive files
    # TODO confirm the expected entry format ("*.exe" vs ".exe") with the provider docs
    file_extension_restriction {
      restricted_file_extensions = [
        "*.exe",
        "*.dll",
        "*.so",
        "*.dylib",
        "*.bin",
        "*.dmg"
      ]
    }

    # Require signed commits
    # NOTE(review): required_signatures is a branch/tag ruleset rule in GitHub's
    # docs; push-target rulesets list only the file-level rules. Verify the API
    # accepts it here, otherwise this example may fail at apply time.
    required_signatures = true
  }
}