Fix(): Set tflock db write capacity default (#51)

* fix(): tflock db write capacity default

* chore(): variable name update

* chore(): added variables to customize org and bootstrap repo name for az and gcp oidc setup

* terraform-docs: automated action

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: TylerMizuyabu

modules/github-aws-oidc/README.md

@@ -35,15 +35,15 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | The name of the s3 bucket that will store terraform state. | `string` | `"GithubFoundationState"` | no |
-| <a name="input_github_repo_owner"></a> [github\_repo\_owner](#input\_github\_repo\_owner) | The owner of the github foundations organizations repository. This value should be whatever github account you plan to make the repository under. | `string` | n/a | yes |
+| <a name="input_github_foundations_organization_name"></a> [github\_foundations\_organization\_name](#input\_github\_foundations\_organization\_name) | The owner of the github foundations organizations repository. This value should be whatever github account you plan to make the repository under. | `string` | n/a | yes |
 | <a name="input_github_thumbprints"></a> [github\_thumbprints](#input\_github\_thumbprints) | A list of top intermediate certifact authority thumbprints to use for setting up an openid connect provider with github. Info on how to obtain thumbprints here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html | `list(string)` | n/a | yes |
 | <a name="input_organizations_repo_name"></a> [organizations\_repo\_name](#input\_organizations\_repo\_name) | The name of the github foundations organizations repository. Defaults to `organizations` | `string` | `"organizations"` | no |
 | <a name="input_organizations_role_name"></a> [organizations\_role\_name](#input\_organizations\_role\_name) | The name of the role that will be assummed by the github runner for the organizations repository. | `string` | `"GhFoundationsOrganizationsAction"` | no |
 | <a name="input_rg_name"></a> [rg\_name](#input\_rg\_name) | The name of the AWS resource group to create for github foundation resources. | `string` | `"GithubFoundationResources"` | no |
 | <a name="input_tflock_db_billing_mode"></a> [tflock\_db\_billing\_mode](#input\_tflock\_db\_billing\_mode) | The billing mode to use for the dynamodb table storing lock file ids. Defaults to `PROVISIONED`. | `string` | `"PROVISIONED"` | no |
 | <a name="input_tflock_db_name"></a> [tflock\_db\_name](#input\_tflock\_db\_name) | The name of the dynamodb table that will store lock file ids. | `string` | `"TFLockIds"` | no |
 | <a name="input_tflock_db_read_capacity"></a> [tflock\_db\_read\_capacity](#input\_tflock\_db\_read\_capacity) | The read capacity to set for the dynamodb table storing lock file ids. Only required if billing mode is `PROVISIONED`. Defaults to 20. | `number` | `20` | no |
-| <a name="input_tflock_db_write_capacity"></a> [tflock\_db\_write\_capacity](#input\_tflock\_db\_write\_capacity) | The write capacity to set for the dynamodb table storing lock file ids. Only required if billing mode is `PROVISIONED`. Defaults to 20. | `number` | n/a | yes |
+| <a name="input_tflock_db_write_capacity"></a> [tflock\_db\_write\_capacity](#input\_tflock\_db\_write\_capacity) | The write capacity to set for the dynamodb table storing lock file ids. Only required if billing mode is `PROVISIONED`. Defaults to 20. | `number` | `20` | no |
 
 ## Outputs
 

modules/github-aws-oidc/oidc.tf

@@ -28,7 +28,7 @@ resource "aws_iam_role" "organizations_role" {
                 },
                 "StringLike" = {
                     "token.actions.githubusercontent.com:sub": [
-                        "repo:${var.github_repo_owner}/${var.organizations_repo_name}:*"
+                        "repo:${var.github_foundations_organization_name}/${var.organizations_repo_name}:*"
                     ]
                 }
             }

modules/github-aws-oidc/variables.tf

@@ -28,6 +28,7 @@ variable "tflock_db_read_capacity" {
 variable "tflock_db_write_capacity" {
   type = number
   description = "The write capacity to set for the dynamodb table storing lock file ids. Only required if billing mode is `PROVISIONED`. Defaults to 20."
+  default = 20
 }
 
 variable "tflock_db_billing_mode" {
@@ -53,7 +54,7 @@ variable "organizations_role_name" {
   default = "GhFoundationsOrganizationsAction"
 }
 
-variable "github_repo_owner" {
+variable "github_foundations_organization_name" {
   type = string
   description = "The owner of the github foundations organizations repository. This value should be whatever github account you plan to make the repository under."
 }

modules/github-azure-oidc/README.md

@@ -41,10 +41,12 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_bootstrap_repo_name"></a> [bootstrap\_repo\_name](#input\_bootstrap\_repo\_name) | The name of the github foundations bootstrap repository. Defaults to `bootstrap` | `string` | `"bootstrap"` | no |
 | <a name="input_drift_detection_branch_name"></a> [drift\_detection\_branch\_name](#input\_drift\_detection\_branch\_name) | The name of the branch to use for drift detection. | `string` | n/a | yes |
 | <a name="input_github_foundations_organization_name"></a> [github\_foundations\_organization\_name](#input\_github\_foundations\_organization\_name) | The name of the organization that the github foundation repos will be under. | `string` | n/a | yes |
 | <a name="input_kv_name"></a> [kv\_name](#input\_kv\_name) | The name of the key vault to use for github foundation secrets. If storing secrets to authenticate against github in a different way then this does not need to be set. (Optional) | `string` | `""` | no |
 | <a name="input_kv_resource_group"></a> [kv\_resource\_group](#input\_kv\_resource\_group) | The name of the resource group that the key vault is in. If empty it will default to the github foundations resource group. | `string` | n/a | yes |
+| <a name="input_organizations_repo_name"></a> [organizations\_repo\_name](#input\_organizations\_repo\_name) | The name of the github foundations organizations repository. Defaults to `organizations` | `string` | `"organizations"` | no |
 | <a name="input_rg_create"></a> [rg\_create](#input\_rg\_create) | Create the resource group. When set to false it uses the `rg_name` input to reference an existing resource group. Defaults to true. | `bool` | `true` | no |
 | <a name="input_rg_location"></a> [rg\_location](#input\_rg\_location) | The location of the resource group to create the github foundation azure resources in. | `string` | n/a | yes |
 | <a name="input_rg_name"></a> [rg\_name](#input\_rg\_name) | The name of the resource group to create the github foundation azure resources in. | `string` | n/a | yes |

modules/github-azure-oidc/oidc.tf

@@ -2,9 +2,6 @@ locals {
   default_audience_name = "api://AzureADTokenExchange"
   github_issuer_url     = "https://token.actions.githubusercontent.com"
 
-  bootstrap_repo_name     = "bootstrap"
-  organizations_repo_name = "organizations"
-
   state_file_access_roles = {
     "container-${local.tf_state_container.name}-write" = {
       scope                = "${local.tf_state_container.resource_manager_id}"
@@ -49,7 +46,7 @@ data "azurerm_key_vault" "key_vault" {
 resource "azurerm_user_assigned_identity" "bootstrap_identity" {
   location            = local.github_foundations_rg.location
   resource_group_name = local.github_foundations_rg.name
-  name                = "${local.bootstrap_repo_name}-identity"
+  name                = "${var.bootstrap_repo_name}-identity"
 }
 
 resource "azurerm_role_assignment" "bootstrap_role_assignment" {
@@ -62,7 +59,7 @@ resource "azurerm_role_assignment" "bootstrap_role_assignment" {
 resource "azurerm_user_assigned_identity" "organization_identity" {
   location            = local.github_foundations_rg.location
   resource_group_name = local.github_foundations_rg.name
-  name                = "${local.organizations_repo_name}-identity"
+  name                = "${var.organizations_repo_name}-identity"
 }
 
 resource "azurerm_role_assignment" "organization_role_assignment" {
@@ -73,37 +70,37 @@ resource "azurerm_role_assignment" "organization_role_assignment" {
 }
 
 resource "azurerm_federated_identity_credential" "bootstrap_pull_request_credentials" {
-  name                = "${var.github_foundations_organization_name}-${local.bootstrap_repo_name}-pr-credentials"
+  name                = "${var.github_foundations_organization_name}-${var.bootstrap_repo_name}-pr-credentials"
   resource_group_name = local.github_foundations_rg.name
   audience            = [local.default_audience_name]
   issuer              = local.github_issuer_url
   parent_id           = azurerm_user_assigned_identity.bootstrap_identity.id
-  subject             = "repo:${var.github_foundations_organization_name}/${local.bootstrap_repo_name}:pull_request"
+  subject             = "repo:${var.github_foundations_organization_name}/${var.bootstrap_repo_name}:pull_request"
 }
 
 resource "azurerm_federated_identity_credential" "bootstrap_drift_credentials" {
-  name                = "${var.github_foundations_organization_name}-${local.bootstrap_repo_name}-drift-credentials"
+  name                = "${var.github_foundations_organization_name}-${var.bootstrap_repo_name}-drift-credentials"
   resource_group_name = local.github_foundations_rg.name
   audience            = [local.default_audience_name]
   issuer              = local.github_issuer_url
   parent_id           = azurerm_user_assigned_identity.bootstrap_identity.id
-  subject             = "repo:${var.github_foundations_organization_name}/${local.bootstrap_repo_name}:ref:refs/heads/${var.drift_detection_branch_name}"
+  subject             = "repo:${var.github_foundations_organization_name}/${var.bootstrap_repo_name}:ref:refs/heads/${var.drift_detection_branch_name}"
 }
 
 resource "azurerm_federated_identity_credential" "organization_pull_request_credentials" {
-  name                = "${var.github_foundations_organization_name}-${local.organizations_repo_name}-pr-credentials"
+  name                = "${var.github_foundations_organization_name}-${var.organizations_repo_name}-pr-credentials"
   resource_group_name = local.github_foundations_rg.name
   audience            = [local.default_audience_name]
   issuer              = local.github_issuer_url
   parent_id           = azurerm_user_assigned_identity.organization_identity.id
-  subject             = "repo:${var.github_foundations_organization_name}/${local.organizations_repo_name}:pull_request"
+  subject             = "repo:${var.github_foundations_organization_name}/${var.organizations_repo_name}:pull_request"
 }
 
 resource "azurerm_federated_identity_credential" "organization_drift_credentials" {
-  name                = "${var.github_foundations_organization_name}-${local.organizations_repo_name}-drift-credentials"
+  name                = "${var.github_foundations_organization_name}-${var.organizations_repo_name}-drift-credentials"
   resource_group_name = local.github_foundations_rg.name
   audience            = [local.default_audience_name]
   issuer              = local.github_issuer_url
   parent_id           = azurerm_user_assigned_identity.organization_identity.id
-  subject             = "repo:${var.github_foundations_organization_name}/${local.organizations_repo_name}:ref:refs/heads/${var.drift_detection_branch_name}"
+  subject             = "repo:${var.github_foundations_organization_name}/${var.organizations_repo_name}:ref:refs/heads/${var.drift_detection_branch_name}"
 }

modules/github-azure-oidc/variables.tf

@@ -92,3 +92,15 @@ variable "drift_detection_branch_name" {
   type        = string
   description = "The name of the branch to use for drift detection."
 }
+
+variable "organizations_repo_name" {
+  type = string
+  description = "The name of the github foundations organizations repository. Defaults to `organizations`"
+  default = "organizations"
+}
+
+variable "bootstrap_repo_name" {
+  type = string
+  description = "The name of the github foundations bootstrap repository. Defaults to `bootstrap`"
+  default = "bootstrap"
+}

modules/github-gcloud-oidc/README.md

@@ -43,6 +43,7 @@
 | <a name="input_auto_create_network"></a> [auto\_create\_network](#input\_auto\_create\_network) | Whether to create the default network for the project. | `bool` | `false` | no |
 | <a name="input_autoclass"></a> [autoclass](#input\_autoclass) | Enable autoclass to automatically transition objects to appropriate storage classes based on their access pattern. If set to true, storage\_class must be set to STANDARD. Defaults to false. | `bool` | `false` | no |
 | <a name="input_billing_account"></a> [billing\_account](#input\_billing\_account) | Billing account id. | `string` | `null` | no |
+| <a name="input_bootstrap_repo_name"></a> [bootstrap\_repo\_name](#input\_bootstrap\_repo\_name) | The name of the github foundations bootstrap repository. Defaults to `bootstrap` | `string` | `"bootstrap"` | no |
 | <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | Bucket name | `string` | n/a | yes |
 | <a name="input_cors"></a> [cors](#input\_cors) | CORS configuration for the bucket. Defaults to null. | <pre>object({<br>    origin          = optional(list(string))<br>    method          = optional(list(string))<br>    response_header = optional(list(string))<br>    max_age_seconds = optional(number)<br>  })</pre> | `null` | no |
 | <a name="input_custom_placement_config"></a> [custom\_placement\_config](#input\_custom\_placement\_config) | The bucket's custom location configuration, which specifies the individual regions that comprise a dual-region bucket. If the bucket is designated as REGIONAL or MULTI\_REGIONAL, the parameters are empty. | `list(string)` | `null` | no |
@@ -58,6 +59,7 @@
 | <a name="input_lifecycle_rules"></a> [lifecycle\_rules](#input\_lifecycle\_rules) | Bucket lifecycle rule. | <pre>map(object({<br>    action = object({<br>      type          = string<br>      storage_class = optional(string)<br>    })<br>    condition = object({<br>      age                        = optional(number)<br>      created_before             = optional(string)<br>      custom_time_before         = optional(string)<br>      days_since_custom_time     = optional(number)<br>      days_since_noncurrent_time = optional(number)<br>      matches_prefix             = optional(list(string))<br>      matches_storage_class      = optional(list(string)) # STANDARD, MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, ARCHIVE, DURABLE_REDUCED_AVAILABILITY<br>      matches_suffix             = optional(list(string))<br>      noncurrent_time_before     = optional(string)<br>      num_newer_versions         = optional(number)<br>      with_state                 = optional(string) # "LIVE", "ARCHIVED", "ANY"<br>    })<br>  }))</pre> | `{}` | no |
 | <a name="input_location"></a> [location](#input\_location) | Bucket location. | `string` | n/a | yes |
 | <a name="input_logging_config"></a> [logging\_config](#input\_logging\_config) | Bucket logging configuration. | <pre>object({<br>    log_bucket        = string<br>    log_object_prefix = optional(string)<br>  })</pre> | `null` | no |
+| <a name="input_organizations_repo_name"></a> [organizations\_repo\_name](#input\_organizations\_repo\_name) | The name of the github foundations organizations repository. Defaults to `organizations` | `string` | `"organizations"` | no |
 | <a name="input_parent"></a> [parent](#input\_parent) | Parent in folders/folder\_id or organizations/org\_id format. | `string` | `null` | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | Optional prefix used to generate project id and name. | `string` | `null` | no |
 | <a name="input_project_create"></a> [project\_create](#input\_project\_create) | Create project. When set to false, uses a data source to reference existing project. | `bool` | `true` | no |

modules/github-gcloud-oidc/oidc.tf

@@ -2,9 +2,6 @@ locals {
   pool_id     = "pool-oidc-github-foundation"
   provider_id = "provider-oidc-github-foundation"
 
-  bootstrap_repo_name     = "bootstrap"
-  organizations_repo_name = "organizations"
-
   state_file_access_roles = tolist(["roles/storage.objectAdmin", "roles/storage.admin"])
 
   bootstrap_project_roles = local.state_file_access_roles
@@ -25,7 +22,7 @@ locals {
 
 resource "google_service_account" "bootstrap_sa" {
   project    = google_project.project[0].project_id
-  account_id = "${local.bootstrap_repo_name}-sa"
+  account_id = "${var.bootstrap_repo_name}-sa"
 }
 
 resource "google_project_iam_member" "bootstrap_project_member" {
@@ -37,7 +34,7 @@ resource "google_project_iam_member" "bootstrap_project_member" {
 
 resource "google_service_account" "organizations_sa" {
   project    = google_project.project[0].project_id
-  account_id = "${local.organizations_repo_name}-sa"
+  account_id = "${var.organizations_repo_name}-sa"
 }
 
 resource "google_project_iam_member" "organizations_member" {
@@ -60,11 +57,11 @@ module "oidc" {
   sa_mapping = {
     (google_service_account.bootstrap_sa.account_id) = {
       sa_name   = google_service_account.bootstrap_sa.name
-      attribute = "attribute.repository/${var.github_foundations_organization_name}/${local.bootstrap_repo_name}"
+      attribute = "attribute.repository/${var.github_foundations_organization_name}/${var.bootstrap_repo_name}"
     },
     (google_service_account.organizations_sa.account_id) = {
       sa_name   = google_service_account.organizations_sa.name
-      attribute = "attribute.repository/${var.github_foundations_organization_name}/${local.organizations_repo_name}"
+      attribute = "attribute.repository/${var.github_foundations_organization_name}/${var.organizations_repo_name}"
     }
   }
 }

modules/github-gcloud-oidc/variables.tf

@@ -272,3 +272,15 @@ variable "github_foundations_organization_name" {
   type        = string
   description = "The name of the organization that the github foundation repos will be under."
 }
+
+variable "organizations_repo_name" {
+  type = string
+  description = "The name of the github foundations organizations repository. Defaults to `organizations`"
+  default = "organizations"
+}
+
+variable "bootstrap_repo_name" {
+  type = string
+  description = "The name of the github foundations bootstrap repository. Defaults to `bootstrap`"
+  default = "bootstrap"
+}