Infra as Code for GitHub and GitLab with Terraform - Thu, May 25, 2023
A strategy for writing Infrastructure as Code to manage your organization's GitHub or GitLab. It helps you with access control and repository management with Terraform.
Repositories
- git-access-control (users and teams)
- git-repositories (repos and groups)
Why separate repos
- Separation of concerns principle.
- Least privilege principle.
- Terraform runs faster.
- A few rules/scenarios:
  - A user can be a member of more than one team.
GitLab Permissions and Roles
- Reference: https://docs.gitlab.com/ee/user/permissions.html#project-members-permissions
- I recommend giving Developer access, because otherwise the next role up is Maintainer, which can delete things, manage users, edit project settings, edit branch protection and manage GitLab Pages (domains and certificates).
GitLab Modules Example
# repo: git-access-control
module "team_example" {
  source    = "./modules/team_gitlab"
  team_name = "Team Example"
  team_path = "team-example"
  members = {
    # username and role
    "john-doe" = "developer"
    "jim-ross" = "developer"
  }
  groups = {
    # group name and access level
    "/organization/billing" = "developer"
  }
  repositories = {
    # repo name and access level
    "/ops/infra/nginx-proxy"   = "developer"
    "/ops/infra/gitlab-runner" = "developer"
  }
}

# repo: git-repositories
module "operations" {
  source = "./modules/group_with_subgroups"
  name   = "Operations"
  path   = "ops"
  groups = {
    Infrastructure = "infra"
  }
  repos = {
    Infrastructure = [
      "nginx-proxy",
      "gitlab-runner",
    ]
  }
}
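The post shows how `team_gitlab` is called but not what is inside it. Below is an added example of what such a module can look like; it is not the author's module. It assumes the gitlabhq/gitlab provider with v16 argument names (`project` and `group_access` on `gitlab_project_share_group`), that the root module configures the provider credentials, and that the leading "/" in the group and repository keys is stripped before lookup. The `validation` block on `repositories` enforces the Developer-or-below recommendation from the permissions section at plan time.

```hcl
# modules/team_gitlab/main.tf (added example, not the author's module; assumes gitlabhq/gitlab v16 argument names)
variable "team_name"    { type = string }
variable "team_path"    { type = string }
variable "members"      { type = map(string) } # username => role
variable "groups"       { type = map(string) } # "/full/path" => access level
variable "repositories" {
  type = map(string) # "/full/path" => access level
  validation { # least privilege: a team-level repo share never exceeds developer
    condition     = alltrue([for l in values(var.repositories) : contains(["guest", "reporter", "developer"], l)])
    error_message = "Team repo shares must be guest, reporter or developer."
  }
}
resource "gitlab_group" "team" { # one GitLab group per team; everything else hangs off it
  name = var.team_name
  path = var.team_path
}

data "gitlab_user" "member" { # resolve usernames to numeric user ids
  for_each = var.members
  username = each.key
}
resource "gitlab_group_membership" "member" {
  for_each     = var.members
  group_id     = gitlab_group.team.id
  user_id      = data.gitlab_user.member[each.key].id
  access_level = each.value
}

data "gitlab_group" "target" { # existing groups the team is shared into
  for_each  = var.groups
  full_path = trimprefix(each.key, "/")
}
resource "gitlab_group_share_group" "target" {
  for_each       = var.groups
  group_id       = data.gitlab_group.target[each.key].id
  share_group_id = gitlab_group.team.id
  group_access   = each.value
}

data "gitlab_project" "repo" { # existing projects the team is shared into
  for_each            = var.repositories
  path_with_namespace = trimprefix(each.key, "/")
}
resource "gitlab_project_share_group" "repo" {
  for_each     = var.repositories
  project      = data.gitlab_project.repo[each.key].id
  group_id     = gitlab_group.team.id
  group_access = each.value
}
```

Because members, groups and repositories are keyed maps, `terraform plan` shows each added or removed share as its own resource change, which makes access reviews of the `git-access-control` repo a matter of reading the diff.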
GitHub Team Module Example
# repo: git-access-control
module "team_example" {
  source    = "./modules/team_github"
  team_name = "Team Example"
  members = {
    # username and role
    "john-doe" = "maintainer"
    "jim-ross" = "member"
  }
  repositories = {
    # repo name and permission
    "billing-api" = "push"
  }
}