chore: add terraform scripts for membership management

.editorconfig

@@ -0,0 +1,24 @@
+# http://editorconfig.org
+
+root = true
+
+[*]
+charset = utf-8
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[Makefile]
+indent_style = tab
+indent_size = 4
+
+[*.{html,tmpl,py,go}]
+indent_style = tab
+indent_size = 4
+
+[*.{yml,yaml,toml,json,css,less,js,vue,rb,nix}]
+indent_style = space
+indent_size = 2
+
+[*.sh]
+indent_style = space
+indent_size = 4

.github/settings.yml

@@ -88,6 +88,7 @@ branches:
       restrictions:
         apps:
           - renovate
+          - promhippie
         users: []
         teams:
           - admins

.github/workflows/general.yml

@@ -0,0 +1,67 @@
+---
+name: general
+
+"on":
+  workflow_dispatch:
+  schedule:
+    - cron: "0 5 * * *"
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  terraform:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout source
+        id: source
+        uses: actions/checkout@v3
+
+      - name: Setup terraform
+        id: terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: latest
+
+      - name: Terraform format
+        id: fmt
+        run: bin/terraform fmt -no-color -check
+
+      - name: Terraform init
+        id: init
+        env:
+          GITHUB_TOKEN: ${{ secrets.INFRA_TOKEN }}
+          AWS_ACCESS_KEY_ID:  ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY:  ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        run: bin/terraform init -no-color -input=false
+
+      - name: Terraform validate
+        id: validate
+        env:
+          GITHUB_TOKEN: ${{ secrets.INFRA_TOKEN }}
+          AWS_ACCESS_KEY_ID:  ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY:  ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        run: bin/terraform validate -no-color
+
+      - name: Terraform plan
+        id: plan
+        env:
+          GITHUB_TOKEN: ${{ secrets.INFRA_TOKEN }}
+          AWS_ACCESS_KEY_ID:  ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY:  ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        run: bin/terraform plan -no-color -input=false
+
+      - name: Terraform apply
+        id: apply
+        env:
+          GITHUB_TOKEN: ${{ secrets.INFRA_TOKEN }}
+          AWS_ACCESS_KEY_ID:  ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY:  ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        if: github.ref == 'refs/heads/master' && github.event_name != 'pull_request'
+        run: bin/terraform apply -no-color -input=false -auto-approve
+
+...

.gitignore

@@ -1 +1,5 @@
 .direnv
+.terraform
+
+*.retry
+*.tfvars

.terraform-version

@@ -0,0 +1 @@
+1.5.4

Gemfile

@@ -1,3 +1,10 @@
-source "https://rubygems.org"
-gem "octokit", "~> 7.0"
-gem "faraday-retry", "~> 2.2"
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+gem 'faraday-retry', '~> 2.2'
+gem 'octokit', '~> 7.0'
+
+group :development, :test do
+  gem 'rake', '~> 13.0'
+  gem 'rubocop', '~> 1.28'
+end

README.md

@@ -1,11 +1,32 @@
 # Promhippie
 
+[![General Workflow](https://github.com/promhippie/.github/actions/workflows/general.yml/badge.svg)](https://github.com/promhippie/.github/actions/workflows/general.yml) [![Join the Matrix chat at https://matrix.to/#/#webhippie:matrix.org](https://img.shields.io/badge/matrix-%23webhippie%3Amatrix.org-7bc9a4.svg)](https://matrix.to/#/#webhippie:matrix.org)
+
 TBD
 
+## Development
+
+TBD
+
+## Security
+
+If you find a security issue please contact
+[[email protected]](mailto:[email protected]) first.
+
+## Contributing
+
+Fork -> Patch -> Push -> Pull Request
+
+## Authors
+
+*   [Thomas Boerger](https://github.com/tboerger)
+
 ## License
 
-MIT
+Apache-2.0
 
-## Author
+## Copyright
 
-[Thomas Boerger](https://github.com/tboerger)
+```console
+Copyright (c) 2018 Thomas Boerger <[email protected]>
+```

Rakefile

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+require 'rubocop/rake_task'
+RuboCop::RakeTask.new(:rubocop)
+
+task default: %i[rubocop]

bin/terraform

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+if [ -L "$0" ]; then
+    ROOT=$(cd "$(dirname "$(readlink -e "$0")")/../terraform" || exit; pwd)
+else
+    ROOT=$(cd "$(dirname "$0")/../terraform" || exit; pwd)
+fi
+
+if ! which terraform >/dev/null; then
+    echo "Failed to detect terraform!"
+    exit 1
+fi
+
+terraform -chdir="${ROOT}" "$@"

flake.nix

@@ -19,7 +19,9 @@
       {
         devShell = pkgs.mkShell {
           buildInputs = with pkgs; [
+            terraform
             ruby_3_2
+            shellcheck
           ];
         };
       }

terraform/members.tf

@@ -0,0 +1,6 @@
+resource "github_membership" "general" {
+  for_each = { for row in var.members : row.name => row }
+
+  username = each.value.name
+  role     = each.value.role
+}

terraform/repositories.tf

@@ -0,0 +1,28 @@
+data "github_repositories" "available" {
+  query = "org:promhippie"
+}
+
+locals {
+  repository_labels = flatten([
+    for repository in data.github_repositories.available.names : [
+      for index, label in var.labels : [
+        {
+          name        = "${repository}-${label.name}"
+          repository  = repository
+          label       = label.name
+          description = label.description
+          color       = label.color
+        }
+      ]
+    ]
+  ])
+}
+
+resource "github_issue_label" "general" {
+  for_each = { for row in local.repository_labels : row.name => row }
+
+  repository  = each.value.repository
+  name        = each.value.label
+  description = each.value.description
+  color       = each.value.color
+}

terraform/teams.tf

@@ -0,0 +1,43 @@
+locals {
+  team_repositories = flatten([
+    for repository in data.github_repositories.available.names : [
+      for index, team in var.teams : [
+        {
+          name       = "${team.name}-${repository}"
+          team       = team.name
+          repository = repository
+          permission = team.permission
+        }
+      ]
+    ]
+  ])
+}
+
+resource "github_team" "general" {
+  for_each = { for row in var.teams : row.name => row }
+
+  name    = each.value.name
+  privacy = each.value.privacy
+}
+
+resource "github_team_members" "general" {
+  for_each = { for row in var.teams : row.name => row }
+  team_id  = github_team.general[each.value.name].id
+
+  dynamic "members" {
+    for_each = each.value.members
+
+    content {
+      username = members.value.name
+      role     = members.value.role
+    }
+  }
+}
+
+resource "github_team_repository" "general" {
+  for_each = { for row in local.team_repositories : row.name => row }
+
+  team_id    = github_team.general[each.value.team].id
+  repository = each.value.repository
+  permission = each.value.permission
+}

terraform/terraform.tf

@@ -0,0 +1,20 @@
+terraform {
+  backend "s3" {
+    bucket = "promhippie-terraform"
+    key    = "github"
+    region = "eu-central-1"
+  }
+
+  required_providers {
+    github = {
+      source  = "integrations/github"
+      version = "~> 5.32.0"
+    }
+  }
+
+  required_version = ">= 1.0"
+}
+
+provider "github" {
+  owner = "promhippie"
+}