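locals {
  # Organization owners (role "admin" in the GitHub API), keyed by login.
  # Logins are case-folded because GitHub treats usernames case-insensitively
  # while Terraform's contains() is an exact string match: a username written
  # with different capitalisation in the configuration would otherwise slip
  # past the owner/maintainer check below and go unreported.
  org_owners = toset([
    for user in data.github_organization.current.users :
    lower(user.login) if user.role == "admin"
  ])

  # Team memberships held by an organization owner whose role is not
  # "maintainer". Used only to build the error message of
  # check "github_team_org_owners_role".
  # The membership key is assumed to be "<team>:<username>"; local.memberships_map
  # is defined elsewhere in this module — confirm the key format there.
  invalid_memberships = [
    for key, membership in local.memberships_map :
    {
      username = membership.username
      team     = split(":", key)[0]
    }
    if contains(local.org_owners, lower(membership.username)) && membership.role != "maintainer"
  ]

  # Every username referenced by the organization-membership and
  # repository-collaborator variables, deduplicated, for the existence check.
  # NOTE(review): usernames that appear only in team memberships
  # (local.memberships_map) are not collected here, so a mistyped login in a
  # team membership is not caught by check "validate_users_exist" unless that
  # user is also an org member or collaborator — confirm whether that is intended.
  all_usernames = distinct(concat(
    # Organization members
    [for member in var.organization_memberships : member.username],
    # Repository collaborators (nested: one list of collaborators per repository)
    flatten([
      for collaborators in var.repository_collaborators : [
        for collab in collaborators : collab.username
      ]
    ])
  ))
}

# Live view of the organization; its `users` list (login + role) drives
# local.org_owners. Listing members with roles presumably requires the provider
# token to carry the read:org scope — TODO confirm against the provider config.
data "github_organization" "current" {
  name = var.github_organization
}

# Resolves every referenced username against GitHub; logins that do not
# resolve are reported in `unknown_logins`.
data "github_users" "all_users" {
  usernames = local.all_usernames
}

# Organization owners must be declared as team "maintainer", never "member".
# (GitHub presumably grants owners maintainer rights on any team they join,
# so declaring "member" would leave a permanent plan diff — confirm.)
# The login comparison is case-insensitive, matching local.org_owners.
# NOTE: a failing `check` assertion is surfaced by Terraform as a warning only;
# it does not stop plan or apply. Use a precondition or variable validation
# if this rule must be a hard failure.
check "github_team_org_owners_role" {
  assert {
    condition = alltrue([
      for membership in local.memberships_map :
      !contains(local.org_owners, lower(membership.username)) || membership.role == "maintainer"
    ])
    error_message = join("\n",
      concat(
        ["Organization owners must be set as 'maintainer' in teams. Found owners with 'member' role:"],
        [
          for invalid in local.invalid_memberships :
          " - Username: ${invalid.username}, Team: ${invalid.team}"
        ]
      )
    )
  }
}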
# Every username referenced by the configuration must resolve to an existing
# GitHub account; the logins that did not resolve are listed in the message.
# NOTE: a failing `check` assertion is reported by Terraform as a warning and
# does not by itself block plan or apply.
check "validate_users_exist" {
  assert {
    condition     = length(data.github_users.all_users.unknown_logins) == 0
    error_message = "The following users do not exist in GitHub: ${join(", ", data.github_users.all_users.unknown_logins)}"
  }
}