caution
Status: Work in Progress
Having Github managed as code for an entire organisation has several benefits:
- You can define a set of guidelines for creating new resources based on Github best practices. (see resources section)
- Configuration can be as generic or specific as you need for the case.
- Implementation is declaritive and transparent.
- Largely self-service environment reduces TOIL.
The target of this implementation is large enterprise implementations of Github Enterprise.
Module/Abstraction Use Cases
- Organisation group/user management (membership)
- Handle sync groups or static groups
- Configure admins
- Repository configuration
Creating Organisations
Creating organisations is not available via the Terraform provider.
This has to be done via the API.
curl \
-X POST \
-H "Accept: application/vnd.github.v3+json" \
http(s)://{hostname}/api/v3/admin/organizations \
-d '{"login":"login","admin":"admin"}'
Success Response: Status: 201 Created
User / Group Management
Users and group can be synced from azure-ad or configured statically.
Creating org admins
resource "github_membership" "membership_for_some_user" {
username = "SomeUser"
role = "admin"
}
Blocking Users
Whilst uncommon it might be required to occasionally block members.
resource "github_organization_block" "example" {
username = "paultyng"
}
Repository Management
A repository module should be used to ensure that repository best practices are being adhered to.
Use repository templates to consume best practice repos, potentially including things like doc templates and Codeowners.
The option to destroy repositories should be very carefully restricted, probably disallowed entirely via (make destroyed archived).
Template repositories can be managed via code as well.
Enterprise Code Directory Structures
Separate Orgs
Pros
- Ideal for improving separation between organisations.
- Reduces risk of impacting another organisation.
- All resources defined in Terraform files can be easier to read.
Cons
- Is not DRY - lots of code duplication for each organisation.
- Can be difficult to maintain.
- Ambiguous as to who's responsibility it is to maintain the directory (i.e. Github team that own this repo or the organisation owners)
Structure
.
├── CODEOWNERS
├── modules
│ └── membership
│ ├── examples
│ │ ├── common-org
│ │ │ ├── main.tf
│ │ │ └── versions.tf
│ │ └── edge-case-org
│ │ ├── main.tf
│ │ └── versions.tf
│ ├── main.tf
│ ├── test
│ │ ├── terraform_common_org_test.go
│ │ └── terraform_edge_case_org_test.go
│ ├── variable.tf
│ └── variables.tf
├── orgs
│ ├── github-management
│ │ ├── members.tf
│ │ ├── repositories.tf
│ │ ├── variables.tf
│ │ └── versions.tf
│ ├── org-2
│ │ ├── members.tf
│ │ ├── repositories.tf
│ │ ├── variables.tf
│ │ └── versions.tf
│ └── orgs
└── pipelines
├── support-import-resources.yaml
├── cd-new-org.yaml
├── cd-org-management.yaml
├── ci-new-org.yaml
└── ci-org-management.yaml
CI / CD
Pipeline Practices
Should use a Terraform version greater than 0.13 as it supports Terraform Variable validation out of the box.
Pipeline Authentication
Use a token instead of a Github app to authenticate.
This is because Github Apps have limitations around access-management & team membership that requires manual intervention by a organisation admin.
provider "github" {
token = var.token # or `GITHUB_TOKEN`
}
or
provider "github" {
app_auth {} # When using `GITHUB_APP_XXX` environment variables
}