initial commit

Co-authored-by: Issy Long <issy@brew.sh>

Author: SMillerDev

.github/dependabot.yml

@@ -0,0 +1,8 @@
+---
+version: 2
+
+updates:
+ - package-ecosystem: "terraform"
+   directory: "/"
+   schedule:
+     interval: "daily"

.github/workflows/ci.yml

@@ -0,0 +1,84 @@
+name: Check
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  opentofu:
+    name: OpenTofu
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    env:
+      TFC_AWS_RUN_ROLE_ARN: ${{ secrets.amazon_role }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: opentofu/setup-opentofu@v1
+
+      - name: OpenTofu fmt
+        id: fmt
+        run: tofu fmt -check
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-1
+          role-to-assume: ${{ secrets.amazon_role }}
+
+      - name: OpenTofu Init
+        id: init
+        run: tofu init
+
+      - name: OpenTofu Validate
+        id: validate
+        run: tofu validate -no-color
+
+      - name: OpenTofu Plan
+        env:
+          GITHUB_TOKEN: ${{ secrets.TF_GH_TOKEN }}
+        run: tofu plan -no-color -var-file .tfvars -detailed-exitcode 
+
+  trivy:
+    name: Trivy
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
+      pull-requests: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner in IaC mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: config
+          format: table
+          hide-progress: true
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH'
+          output: trivy.txt
+          exit-code: '1'
+
+      - name: Publish Trivy Output to Summary
+        if: always()
+        run: |
+          if [[ -s trivy.txt ]]; then
+            {
+              echo "### Security Output"
+              echo "<details><summary>Click to expand</summary>"
+              echo ""
+              echo '```terraform'
+              cat trivy.txt
+              echo '```'
+              echo "</details>"
+            } >> $GITHUB_STEP_SUMMARY
+          fi

.gitignore

@@ -0,0 +1,27 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

.terraform.lock.hcl

@@ -0,0 +1,146 @@
+teams = {
+  members = [
+    "DomT4",
+    "danielnachun",
+    "dawidd6",
+    "gromgit",
+    "johndbritton",
+    "lembacon",
+    "maxim-belkin",
+    "mistydemeo",
+    "scpeters",
+    "singingwolfboy",
+    "sjackman",
+    "victorpopkov",
+    "vitorgalvao",
+    "whoiswillma",
+    "xu-cheng",
+  ],
+  plc = [
+    "MikeMcQuaid",
+    "colindean",
+    "issyl0",
+    "mozzadrella",
+    "p-linnane",
+  ],
+  security = [
+    "MikeMcQuaid",
+    "p-linnane",
+    "woodruffw",
+  ],
+  bots = [
+    "BrewTestBot",
+    "BrewSponsorsBot",
+  ],
+  maintainers = {
+    brew = [
+      "Bo98",
+      "EricFromCanada",
+      "MikeMcQuaid",
+      "Rylan12",
+      "SMillerDev",
+      "ZhongRuoyu",
+      "apainintheneck",
+      "bayandin",
+      "carlocab",
+      "cho-m",
+      "dduugg",
+      "iMichka",
+      "issyl0",
+      "miccal",
+      "nandahkrishna",
+      "p-linnane",
+      "reitermarkus",
+      "samford",
+      "woodruffw",
+    ],
+    cask = [
+      "Bo98",
+      "Rylan12",
+      "SMillerDev",
+      "alebcay",
+      "bevanjkay",
+      "chenrui333",
+      "cho-m",
+      "khipp",
+      "krehel",
+      "miccal",
+      "p-linnane",
+      "razvanazamfirei",
+      "reitermarkus",
+      "samford",
+    ],
+    ci-orchestrator = [
+      "Bo98",
+      "carlocab",
+    ],
+    core = [
+      "Bo98",
+      "EricFromCanada",
+      "MikeMcQuaid",
+      "Moisan",
+      "Rylan12",
+      "SMillerDev",
+      "ZhongRuoyu",
+      "alebcay",
+      "bayandin",
+      "bevanjkay",
+      "branchvincent",
+      "carlocab",
+      "chenrui333",
+      "cho-m",
+      "dtrodrigues",
+      "fxcoudert",
+      "iMichka",
+      "issyl0",
+      "krehel",
+      "miccal",
+      "nandahkrishna",
+      "p-linnane",
+      "samford",
+      "stefanb",
+      "timsutton",
+      "woodruffw",
+    ],
+    formulae-web = [
+      "EricFromCanada",
+      "MikeMcQuaid",
+      "Rylan12",
+      "SMillerDev",
+    ],
+    ops = [
+      "Bo98",
+      "Rylan12",
+      "carlocab",
+      "fxcoudert",
+      "nandahkrishna",
+      "p-linnane",
+    ],
+    tsc = [
+      "Bo98",
+      "MikeMcQuaid",
+      "Rylan12",
+      "fxcoudert",
+      "iMichka",
+    ],
+  },
+  taps = {
+    bundle = [
+      "EricFromCanada",
+      "jacobbednarz",
+      "MikeMcQuaid",
+    ],
+    linux-fonts = [
+      "tani",
+    ],
+    pip = [
+    "alex",
+    "woodruffw",
+    ],
+    services = [
+      "SMillerDev",
+    ],
+  },
+}
+
+github_admins = [ "issyl0", "p-linnane", "Bo98", "MikeMcQuaid" ]

.tfvars

@@ -0,0 +1,25 @@
+BSD 2-Clause License
+
+Copyright (c) 2009-present, Homebrew contributors
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

LICENSE.txt

@@ -0,0 +1,20 @@
+# terraform-user-management
+
+User management for the Homebrew organisation using Terraform
+
+## Requirements
+
+- This project uses OpenTofu, not Terraform
+
+## Usage
+
+- Set `GITHUB_TOKEN` to a token with sufficient permissions before usage.
+- Use `aws configure sso` to log into the Homebrew AWS org.
+- Set `AWS_PROFILE` to the resulting profile.
+- `tofu init`
+- `tofu plan -var-file .tfvars`
+
+## TODO
+
+- Google workspace management for brew.sh
+- Google Cloud manangement for self-hosted workers

README.md

@@ -0,0 +1,4 @@
+data "github_team" "main_teams" {
+  for_each = toset([for team in keys(var.teams) : team if contains(["bots", "taps"], team) == false])
+  slug     = each.key
+}