tf-modules/gitlab-project
2
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

chore: mr approvals

Browse Source
This commit is contained in:
Aleksander Cynarski
2025-11-02 10:45:50 +01:00
parent a281039ae7
commit d0cb8db599
5 changed files with 72 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
README.md
View File

@@ -20,9 +20,11 @@ No modules.
|------|------| |------|------|
| [gitlab_branch_protection.protected_branches](https://registry.terraform.io/providers/gitlabhq/gitlab/18.0.0/docs/resources/branch_protection) | resource | | [gitlab_branch_protection.protected_branches](https://registry.terraform.io/providers/gitlabhq/gitlab/18.0.0/docs/resources/branch_protection) | resource |
| [gitlab_project.project](https://registry.terraform.io/providers/gitlabhq/gitlab/18.0.0/docs/resources/project) | resource | | [gitlab_project.project](https://registry.terraform.io/providers/gitlabhq/gitlab/18.0.0/docs/resources/project) | resource |
| [gitlab_project_approval_rule.this](https://registry.terraform.io/providers/gitlabhq/gitlab/18.0.0/docs/resources/project_approval_rule) | resource |
| [gitlab_project_custom_attribute.custom_attributes](https://registry.terraform.io/providers/gitlabhq/gitlab/18.0.0/docs/resources/project_custom_attribute) | resource | | [gitlab_project_custom_attribute.custom_attributes](https://registry.terraform.io/providers/gitlabhq/gitlab/18.0.0/docs/resources/project_custom_attribute) | resource |
| [gitlab_project_environment.environments](https://registry.terraform.io/providers/gitlabhq/gitlab/18.0.0/docs/resources/project_environment) | resource | | [gitlab_project_environment.environments](https://registry.terraform.io/providers/gitlabhq/gitlab/18.0.0/docs/resources/project_environment) | resource |
| [gitlab_project_job_token_scopes.ci_token_scope](https://registry.terraform.io/providers/gitlabhq/gitlab/18.0.0/docs/resources/project_job_token_scopes) | resource | | [gitlab_project_job_token_scopes.ci_token_scope](https://registry.terraform.io/providers/gitlabhq/gitlab/18.0.0/docs/resources/project_job_token_scopes) | resource |
| [gitlab_project_level_mr_approvals.settings](https://registry.terraform.io/providers/gitlabhq/gitlab/18.0.0/docs/resources/project_level_mr_approvals) | resource |
| [gitlab_project_push_rules.push_rule](https://registry.terraform.io/providers/gitlabhq/gitlab/18.0.0/docs/resources/project_push_rules) | resource | | [gitlab_project_push_rules.push_rule](https://registry.terraform.io/providers/gitlabhq/gitlab/18.0.0/docs/resources/project_push_rules) | resource |
| [gitlab_project_variable.scoped_variables](https://registry.terraform.io/providers/gitlabhq/gitlab/18.0.0/docs/resources/project_variable) | resource | | [gitlab_project_variable.scoped_variables](https://registry.terraform.io/providers/gitlabhq/gitlab/18.0.0/docs/resources/project_variable) | resource |
| [gitlab_project_variable.variable](https://registry.terraform.io/providers/gitlabhq/gitlab/18.0.0/docs/resources/project_variable) | resource | | [gitlab_project_variable.variable](https://registry.terraform.io/providers/gitlabhq/gitlab/18.0.0/docs/resources/project_variable) | resource |
@@ -38,11 +40,12 @@ No modules.
| <a name="input_allow_merge_on_skipped_pipeline"></a> [allow\_merge\_on\_skipped\_pipeline](#input\_allow\_merge\_on\_skipped\_pipeline) | Set to true if you want to treat skipped pipelines as if they finished with success. | `bool` | `true` | no | | <a name="input_allow_merge_on_skipped_pipeline"></a> [allow\_merge\_on\_skipped\_pipeline](#input\_allow\_merge\_on\_skipped\_pipeline) | Set to true if you want to treat skipped pipelines as if they finished with success. | `bool` | `true` | no |
| <a name="input_allowed_avatar_types_json"></a> [allowed\_avatar\_types\_json](#input\_allowed\_avatar\_types\_json) | Path to allowed avatar types json | `string` | `""` | no | | <a name="input_allowed_avatar_types_json"></a> [allowed\_avatar\_types\_json](#input\_allowed\_avatar\_types\_json) | Path to allowed avatar types json | `string` | `""` | no |
| <a name="input_allowed_project_types_json"></a> [allowed\_project\_types\_json](#input\_allowed\_project\_types\_json) | Path to allowed project types json | `string` | `""` | no | | <a name="input_allowed_project_types_json"></a> [allowed\_project\_types\_json](#input\_allowed\_project\_types\_json) | Path to allowed project types json | `string` | `""` | no |
| <a name="input_approval_settings"></a> [approval\_settings](#input\_approval\_settings) | Ustawienia zasad approvals na poziomie merge requestów. | <pre>object({<br/> disable_overriding_approvers_per_merge_request = optional(bool, true)<br/> merge_requests_author_approval = optional(bool, false)<br/> merge_requests_disable_committers_approval = optional(bool, true)<br/> reset_approvals_on_push = optional(bool, true)<br/> required_password_to_approve = optional(bool, false)<br/> selective_code_owner_removals = optional(bool, false)<br/> })</pre> | `{}` | no |
| <a name="input_approvals"></a> [approvals](#input\_approvals) | Mapa reguł approval dla projektu. Klucz = nazwa reguły. | <pre>map(object({<br/> approvals_required = number<br/> users = optional(list(number), [])<br/> groups = optional(list(number), [])<br/> applies_to_all_protected_branches = optional(bool, true)<br/> protected_branch_ids = optional(list(number), null)<br/> rule_type = optional(string, "regular") # np. regular | any_approver<br/> report_type = optional(string, null) # np. coverage | scan_finding | license_scanning<br/> disable_importing_default_any_approver_rule_on_create = optional(bool, false)<br/> }))</pre> | `{}` | no |
| <a name="input_archived"></a> [archived](#input\_archived) | Archived project | `bool` | `false` | no | | <a name="input_archived"></a> [archived](#input\_archived) | Archived project | `bool` | `false` | no |
| <a name="input_attributes"></a> [attributes](#input\_attributes) | custom attributes to be set for the project | `map(string)` | `{}` | no | | <a name="input_attributes"></a> [attributes](#input\_attributes) | custom attributes to be set for the project | `map(string)` | `{}` | no |
| <a name="input_auto_cancel_pending_pipelines"></a> [auto\_cancel\_pending\_pipelines](#input\_auto\_cancel\_pending\_pipelines) | Auto-cancel pending pipelines. This isnt a boolean, but enabled/disabled. | `string` | `"enabled"` | no | | <a name="input_auto_cancel_pending_pipelines"></a> [auto\_cancel\_pending\_pipelines](#input\_auto\_cancel\_pending\_pipelines) | Auto-cancel pending pipelines. This isnt a boolean, but enabled/disabled. | `string` | `"enabled"` | no |
| <a name="input_avatar"></a> [avatar](#input\_avatar) | Type of the avatar for the group (default: from type) | `string` | `""` | no | | <a name="input_avatar"></a> [avatar](#input\_avatar) | Type of the avatar for the group (default: from type) | `string` | `""` | no |
| <a name="input_avatars_dir"></a> [avatars\_dir](#input\_avatars\_dir) | Avatars directory png files | `string` | `""` | no |
| <a name="input_build_git_strategy"></a> [build\_git\_strategy](#input\_build\_git\_strategy) | The Git strategy. Defaults to fetch. | `string` | `"clone"` | no | | <a name="input_build_git_strategy"></a> [build\_git\_strategy](#input\_build\_git\_strategy) | The Git strategy. Defaults to fetch. | `string` | `"clone"` | no |
| <a name="input_build_timeout"></a> [build\_timeout](#input\_build\_timeout) | The maximum amount of time, in seconds, that a job can run. | `number` | `3600` | no | | <a name="input_build_timeout"></a> [build\_timeout](#input\_build\_timeout) | The maximum amount of time, in seconds, that a job can run. | `number` | `3600` | no |
| <a name="input_ci_config_path"></a> [ci\_config\_path](#input\_ci\_config\_path) | CI PATH | `string` | `null` | no | | <a name="input_ci_config_path"></a> [ci\_config\_path](#input\_ci\_config\_path) | CI PATH | `string` | `null` | no |

0
data/allowed_project_types.json → data/defaults.json
View File

32
locals.tf
View File

@@ -1,18 +1,16 @@
locals { locals {
avatars_dir = var.avatars_dir == "" ? "${path.root}/images" : var.avatars_dir avatars_dir = "${path.root}/images"
allowed_avatar_types_json = var.allowed_avatar_types_json == "" ? "${path.root}/data/allowed_avatar_project_types.json" : var.allowed_avatar_types_json allowed_avatar_types_json = var.allowed_avatar_types_json == "" ? "${path.root}/data/allowed_avatar_project_types.json" : var.allowed_avatar_types_json
allowed_avatar_types = jsondecode(file("${local.allowed_avatar_types_json}")) allowed_avatar_types = jsondecode(file("${local.allowed_avatar_types_json}"))
allowed_project_types_json = var.allowed_avatar_types_json == "" ? "${path.root}/data/allowed_project_types.json" : var.allowed_project_types_json allowed_project_types_json = var.allowed_avatar_types_json == "" ? "${path.root}/data/defaults.json" : var.allowed_project_types_json
allowed_project_types = jsondecode(try(file("${local.allowed_project_types_json}"), null) == null ? file("${path.module}/data/allowed_project_types.json") : file(local.allowed_project_types_json)) allowed_project_types = jsondecode(try(file("${local.allowed_project_types_json}"), null) == null ? file("${path.module}/data/defaults.json") : file(local.allowed_project_types_json))
# Define the allowed project types as a map # Define the allowed project types as a map
avatar_project = local.allowed_project_types[var.project_type].avatar == "" ? null : "${local.avatars_dir}/${local.allowed_project_types[var.project_type].avatar}.png" avatar_project = local.allowed_project_types[var.project_type].avatar == "" ? null : "${local.avatars_dir}/${local.allowed_project_types[var.project_type].avatar}.png"
avatar_path = var.avatar == "" ? local.avatar_project : "${local.avatars_dir}/${var.avatar}.png" avatar_path = var.avatar == "" ? local.avatar_project : "${local.avatars_dir}/${var.avatar}.png"
avatar = try(file("${local.avatar_path}"), null) == null ? "${local.avatar_path}" : null avatar = try(file("${local.avatar_path}"), null) == null ? "${local.avatar_path}" : null
token_scope_group_ids = [for g in values(data.gitlab_group.token_scope_groups) : g.id] token_scope_group_ids = [for g in values(data.gitlab_group.token_scope_groups) : g.id]
token_scope_project_ids = [for p in values(data.gitlab_project.token_scope_projects) : p.id] token_scope_project_ids = [for p in values(data.gitlab_project.token_scope_projects) : p.id]
@@ -34,24 +32,6 @@ locals {
value = var.project_type value = var.project_type
protected = "false" protected = "false"
masked = "false" masked = "false"
},
IS_ENABLED_CHECKMARX = {
description = "Enabled CheckMarx scan"
value = var.is_enabled_checkmarx == true ? "true" : "false"
protected = "false"
masked = "false"
},
IS_ENABLED_SONARQUBE = {
description = "Enabled SonarQube scan"
value = var.is_enabled_sonarqube == true ? "true" : "false"
protected = "false"
masked = "false"
},
SIB_APLIKACJA = {
description = "[UPW] ID Aplikacji zasobów SIB"
value = var.sib_aplikacja
protected = "false"
masked = "false"
} }
}, },
var.ci_variables var.ci_variables

31
main.tf
View File

@@ -96,3 +96,34 @@ resource "gitlab_project_job_token_scopes" "ci_token_scope" {
target_group_ids = local.token_scope_group_ids target_group_ids = local.token_scope_group_ids
target_project_ids = local.token_scope_project_ids target_project_ids = local.token_scope_project_ids
} }
# Reguły approvals per projekt
resource "gitlab_project_approval_rule" "this" {
for_each = var.approvals
project = gitlab_project.project.id
name = each.key
approvals_required = each.value.approvals_required
user_ids = try(each.value.users, [])
group_ids = try(each.value.groups, [])
applies_to_all_protected_branches = try(each.value.applies_to_all_protected_branches, true)
protected_branch_ids = try(each.value.protected_branch_ids, null)
rule_type = try(each.value.rule_type, "regular")
report_type = try(each.value.report_type, null)
disable_importing_default_any_approver_rule_on_create = try(each.value.disable_importing_default_any_approver_rule_on_create, false)
}
# Globalne ustawienia approvals dla MR-ów w projekcie
resource "gitlab_project_level_mr_approvals" "settings" {
project = gitlab_project.project.id
disable_overriding_approvers_per_merge_request = try(var.approval_settings.disable_overriding_approvers_per_merge_request, true)
merge_requests_author_approval = try(var.approval_settings.merge_requests_author_approval, false)
merge_requests_disable_committers_approval = try(var.approval_settings.merge_requests_disable_committers_approval, true)
reset_approvals_on_push = try(var.approval_settings.reset_approvals_on_push, true)
selective_code_owner_removals = try(var.approval_settings.selective_code_owner_removals, false)
}

36
variable.tf
View File

@@ -182,12 +182,6 @@ variable "attributes" {
description = "custom attributes to be set for the project" description = "custom attributes to be set for the project"
} }
variable "avatars_dir" {
description = "Avatars directory png files"
type = string
default = ""
}
variable "only_allow_merge_if_pipeline_succeeds" { variable "only_allow_merge_if_pipeline_succeeds" {
description = "Set to true if you want allow merges only if a pipeline succeeds." description = "Set to true if you want allow merges only if a pipeline succeeds."
type = bool type = bool
@@ -235,3 +229,33 @@ variable "token_scope_repositories" {
type = list(string) type = list(string)
default = [] default = []
} }
# Zbiór reguł approvals (project-level)
variable "approvals" {
description = "Mapa reguł approval dla projektu. Klucz = nazwa reguły."
type = map(object({
approvals_required = number
users = optional(list(number), [])
groups = optional(list(number), [])
applies_to_all_protected_branches = optional(bool, true)
protected_branch_ids = optional(list(number), null)
rule_type = optional(string, "regular") # np. regular | any_approver
report_type = optional(string, null) # np. coverage | scan_finding | license_scanning
disable_importing_default_any_approver_rule_on_create = optional(bool, false)
}))
default = {}
}
# Ustawienia zachowania approvals (MR-level settings)
variable "approval_settings" {
description = "Ustawienia zasad approvals na poziomie merge requestów."
type = object({
disable_overriding_approvers_per_merge_request = optional(bool, true)
merge_requests_author_approval = optional(bool, false)
merge_requests_disable_committers_approval = optional(bool, true)
reset_approvals_on_push = optional(bool, true)
required_password_to_approve = optional(bool, false)
selective_code_owner_removals = optional(bool, false)
})
default = {}
}