feat: added security_and_analysis block support

gaima8 · gaima8 · commit e375c890d3c1 · 2025-12-07T12:37:16.000Z
diff --git a/README.md b/README.md
@@ -18,6 +18,7 @@ A [Terraform] module for creating a public or private repository on [Github].
     - [Resources](#resources)
     - [Inputs](#inputs)
     - [Outputs](#outputs)
+    - [Security And Analysis Configuration](#security-and-analysis-configuration)
   - [External Documentation](#external-documentation)
     - [Terraform Github Provider Documentation](#terraform-github-provider-documentation)
   - [Module Versioning](#module-versioning)
@@ -178,6 +179,7 @@ See [variables.tf] and [examples/] for details and use-cases.
 | <a name="input_push_team_ids"></a> [push\_team\_ids](#input\_push\_team\_ids) | (Optional) A list of teams (by id) to grant push (read-write) permission to. | `list(string)` | `[]` | no |
 | <a name="input_push_teams"></a> [push\_teams](#input\_push\_teams) | (Optional) A list of teams (by name/slug) to grant push (read-write) permission to. | `list(string)` | `[]` | no |
 | <a name="input_rulesets"></a> [rulesets](#input\_rulesets) | (Optional) A list of branch rulesets to apply to the repository. Default is [].<br/><br/>It is very likely removal of any section will require setting it to an empty list/map.<br/>This is due to limitations in the API whereby components are not destroyed upon removal. | <pre>list(<br/>    object({<br/>      enforcement = string<br/>      name        = string<br/>      target      = string<br/><br/>      rules = list(<br/>        object({<br/>          creation                      = optional(bool)<br/>          deletion                      = optional(bool)<br/>          non_fast_forward              = optional(bool)<br/>          required_signatures           = optional(bool)<br/>          required_linear_history       = optional(bool)<br/>          update                        = optional(bool)<br/>          update_allows_fetch_and_merge = optional(bool)<br/><br/>          branch_name_pattern = optional(<br/>            object({<br/>              operator = string<br/>              pattern  = string<br/>              name     = optional(string)<br/>              negate   = optional(bool)<br/>            })<br/>          )<br/><br/>          commit_author_email_pattern = optional(<br/>            object({<br/>              operator = string<br/>              pattern  = string<br/>              name     = optional(string)<br/>              negate   = optional(bool)<br/>            })<br/>          )<br/><br/>          commit_message_pattern = optional(<br/>            object({<br/>              operator = string<br/>              pattern  = string<br/>              name     = optional(string)<br/>              negate   = optional(bool)<br/>            })<br/>          )<br/><br/>          committer_email_pattern = optional(<br/>            object({<br/>              operator = string<br/>              pattern  = string<br/>              name     = optional(string)<br/>              negate   = optional(bool)<br/>            })<br/>          )<br/><br/>          tag_name_pattern = optional(<br/>            object({<br/>              operator = string<br/>              pattern  = string<br/>              name     = optional(string)<br/>              negate   = optional(bool)<br/>            })<br/>          )<br/><br/>          required_status_checks = optional(<br/>            object({<br/>              strict_required_status_checks_policy = optional(bool)<br/>              do_not_enforce_on_create             = optional(bool)<br/>              required_check = list(<br/>                object({<br/>                  context        = string<br/>                  integration_id = optional(number)<br/>                })<br/>              )<br/>            })<br/>          )<br/><br/>          pull_request = optional(<br/>            object({<br/>              dismiss_stale_reviews_on_push     = optional(bool)<br/>              require_code_owner_review         = optional(bool)<br/>              require_last_push_approval        = optional(bool)<br/>              required_approving_review_count   = optional(number)<br/>              required_review_thread_resolution = optional(bool)<br/>            })<br/>          )<br/><br/>          required_workflows = optional(<br/>            object({<br/>              required_workflow = list(<br/>                object({<br/>                  repository_id = number<br/>                  ref           = string<br/>                  path          = string<br/>                })<br/>              )<br/>            })<br/>          )<br/><br/>          required_deployments = optional(<br/>            object({<br/>              required_deployment_environments = list(string)<br/>            })<br/>          )<br/><br/>          required_code_scanning = optional(<br/>            object({<br/>              required_code_scanning_tool = list(<br/>                object({<br/>                  tool                      = string<br/>                  alerts_threshold          = string<br/>                  security_alerts_threshold = string<br/>                })<br/>              )<br/>            })<br/>          )<br/><br/>          merge_queue = optional(<br/>            object({<br/>              check_response_timeout_minutes    = optional(number)<br/>              grouping_strategy                 = optional(string)<br/>              max_entries_to_build              = optional(number)<br/>              max_entries_to_merge              = optional(number)<br/>              merge_method                      = optional(string)<br/>              min_entries_to_merge              = optional(number)<br/>              min_entries_to_merge_wait_minutes = optional(number)<br/>            })<br/>          )<br/>        })<br/>      )<br/><br/>      bypass_actors = optional(<br/>        list(<br/>          object({<br/>            actor_id    = optional(number)<br/>            actor_type  = string<br/>            bypass_mode = optional(string)<br/>          })<br/>        )<br/>      )<br/><br/>      conditions = optional(<br/>        object({<br/>          ref_name = object({<br/>            include = list(string)<br/>            exclude = list(string)<br/>          })<br/>        })<br/>      )<br/>    })<br/>  )</pre> | `[]` | no |
+| <a name="input_security_and_analysis"></a> [security\_and\_analysis](#input\_security\_and\_analysis) | (Optional) Security and analysis configuration block | <pre>object({<br/>    advanced_security               = optional(string, "disabled")<br/>    secret_scanning                 = optional(string, "disabled")<br/>    secret_scanning_push_protection = optional(string, "disabled")<br/>  })</pre> | `{}` | no |
 | <a name="input_squash_merge_commit_message"></a> [squash\_merge\_commit\_message](#input\_squash\_merge\_commit\_message) | (Optional) Can be `PR_BODY`, `COMMIT_MESSAGES`, or `BLANK` for a default squash merge commit message. | `string` | `"COMMIT_MESSAGES"` | no |
 | <a name="input_squash_merge_commit_title"></a> [squash\_merge\_commit\_title](#input\_squash\_merge\_commit\_title) | (Optional) Can be `PR_BODY`, `COMMIT_MESSAGES`, or `BLANK` for a default squash merge commit message. | `string` | `"COMMIT_OR_PR_TITLE"` | no |
 | <a name="input_template"></a> [template](#input\_template) | (Optional) Template repository to use. (Default: {}) | <pre>object({<br/>    owner      = string<br/>    repository = string<br/>  })</pre> | `null` | no |
@@ -210,6 +212,35 @@ See [variables.tf] and [examples/] for details and use-cases.
 | <a name="output_webhooks"></a> [webhooks](#output\_webhooks) | All attributes and arguments as returned by the github\_repository\_webhook resource. |
 <!-- END_TF_DOCS -->
 
+### Security And Analysis Configuration
+
+- [**`security_and_analysis`**](#var-security_and_analysis): *(Optional `object(security_and_analysis)`)*<a name="var-security_and_analysis"></a>
+
+  (Optional) The repository's [security and analysis](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository) configuration.
+  See [Security and Analysis Configuration](#security-and-analysis-configuration) below for details.
+
+  Default is `{}`.
+
+  The `security_and_analysis` object accepts the following attributes:
+
+  - [**`advanced_security`**](#attr-security_and_analysis-advanced_security): *(**Required** `string`)*<a name="attr-security_and_analysis-advanced_security"></a>
+
+    The advanced security configuration for the repository. See [Advanced Security Configuration](#advanced-security-configuration) below for details.
+
+    Default is `"disabled"`.
+
+  - [**`secret_scanning`**](#attr-security_and_analysis-secret_scanning): *(**Required** `string`)*<a name="attr-security_and_analysis-secret_scanning"></a>
+
+    The secret scanning configuration for the repository. See [Secret Scanning Configuration](#secret-scanning-configuration) below for details.
+
+    Default is `"disabled"`.
+
+  - [**`secret_scanning_push_protection`**](#attr-security_and_analysis-secret_scanning_push_protection): *(**Required** `string`)*<a name="attr-security_and_analysis-secret_scanning_push_protection"></a>
+
+    The secret scanning push protection configuration for the repository. See [Secret Scanning Push Protection Configuration](#secret-scanning-push-protection-configuration) below for details.
+
+    Default is `"disabled"`.
+
 ## External Documentation
 
 ### Terraform Github Provider Documentation
diff --git a/main.tf b/main.tf
@@ -153,6 +153,22 @@ resource "github_repository" "repository" {
     }
   }
 
+  dynamic "security_and_analysis" {
+    for_each = var.security_and_analysis != null ? [true] : []
+
+    content {
+      advanced_security {
+        status = var.security_and_analysis.advanced_security
+      }
+      secret_scanning {
+        status = var.security_and_analysis.secret_scanning
+      }
+      secret_scanning_push_protection {
+        status = var.security_and_analysis.secret_scanning_push_protection
+      }
+    }
+  }
+
   lifecycle {
     ignore_changes = [
       auto_init,
diff --git a/variables.tf b/variables.tf
@@ -398,6 +398,27 @@ variable "branch_protections_v4" {
   }
 }
 
+variable "security_and_analysis" {
+  description = "(Optional) Security and analysis configuration block"
+  type = object({
+    advanced_security               = optional(string, "disabled")
+    secret_scanning                 = optional(string, "disabled")
+    secret_scanning_push_protection = optional(string, "disabled")
+  })
+  default = {}
+  validation {
+    condition = alltrue(
+      [
+        for key, value in var.security_and_analysis : contains(["enabled", "disabled"], value)
+      ]
+    )
+    error_message = <<EOF
+Allowed values for security_and_analysis.advanced_security, security_and_analysis.secret_scanning,
+security_and_analysis.secret_scanning_push_protection are "disabled" and "enabled"
+EOF
+  }
+}
+
 variable "issue_labels_merge_with_github_labels" {
   description = "(Optional) Specify if you want to merge and control githubs default set of issue labels."
   type        = bool
