Merge pull request #72 from schubergphilis/feat-force-push-option
feat: Add option to disable force push branch protection
stefanwb authored Oct 22, 2024
2 parents f8cbda4 + 8d5aa7f commit 4f4066e
Showing 3 changed files with 9 additions and 5 deletions.
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -134,9 +134,9 @@ No modules.
| <a name="input_archive_on_destroy"></a> [archive\_on\_destroy](#input\_archive\_on\_destroy) | Set to true to archive the repository instead of deleting on destroy | `bool` | `false` | no |
| <a name="input_archived"></a> [archived](#input\_archived) | Specifies if the repository should be archived | `bool` | `false` | no |
| <a name="input_auto_init"></a> [auto\_init](#input\_auto\_init) | Disable to not produce an initial commit in the repository | `bool` | `true` | no |
| <a name="input_branches"></a> [branches](#input\_branches) | An optional map with GitHub branches to create | <pre>map(object({<br> source_branch = optional(string)<br> source_sha = optional(string)<br> use_branch_protection = optional(bool, true)<br><br> branch_protection = optional(object({<br> enforce_admins = optional(bool, false)<br> require_signed_commits = optional(bool, true)<br><br> required_checks = optional(object({<br> strict = optional(bool)<br> contexts = optional(list(string))<br> }))<br><br> restrict_pushes = optional(object({<br> blocks_creations = optional(bool)<br> push_allowances = optional(list(string))<br> }))<br><br> required_reviews = optional(object({<br> dismiss_stale_reviews = optional(bool, true)<br> dismissal_restrictions = optional(list(string))<br> required_approving_review_count = optional(number, 2)<br> require_code_owner_reviews = optional(bool, true)<br> }))<br> }), null)<br> }))</pre> | `{}` | no |
| <a name="input_branches"></a> [branches](#input\_branches) | An optional map with GitHub branches to create | <pre>map(object({<br> source_branch = optional(string)<br> source_sha = optional(string)<br> use_branch_protection = optional(bool, true)<br><br> branch_protection = optional(object({<br> allows_force_pushes = optional(bool, false)<br> enforce_admins = optional(bool, false)<br> require_signed_commits = optional(bool, true)<br><br> required_checks = optional(object({<br> strict = optional(bool)<br> contexts = optional(list(string))<br> }))<br><br> restrict_pushes = optional(object({<br> blocks_creations = optional(bool)<br> push_allowances = optional(list(string))<br> }))<br><br> required_reviews = optional(object({<br> dismiss_stale_reviews = optional(bool, true)<br> dismissal_restrictions = optional(list(string))<br> required_approving_review_count = optional(number, 2)<br> require_code_owner_reviews = optional(bool, true)<br> }))<br> }), null)<br> }))</pre> | `{}` | no |
| <a name="input_default_branch"></a> [default\_branch](#input\_default\_branch) | Name of the default branch for the GitHub repository | `string` | `"main"` | no |
| <a name="input_default_branch_protection"></a> [default\_branch\_protection](#input\_default\_branch\_protection) | Default branch protection settings for managed branches | <pre>object({<br> enforce_admins = optional(bool, false)<br> require_signed_commits = optional(bool, true)<br><br> required_checks = optional(object({<br> strict = optional(bool)<br> contexts = optional(list(string))<br> }))<br><br> required_reviews = optional(object({<br> dismiss_stale_reviews = optional(bool, true)<br> dismissal_restrictions = optional(list(string))<br> required_approving_review_count = optional(number, 2)<br> require_code_owner_reviews = optional(bool, true)<br> }))<br><br> restrict_pushes = optional(object({<br> blocks_creations = optional(bool)<br> push_allowances = optional(list(string))<br> }))<br> })</pre> | <pre>{<br> "enforce_admins": false,<br> "require_signed_commits": true,<br> "required_reviews": {<br> "dismiss_stale_reviews": true,<br> "require_code_owner_reviews": true,<br> "required_approving_review_count": 2<br> }<br>}</pre> | no |
| <a name="input_default_branch_protection"></a> [default\_branch\_protection](#input\_default\_branch\_protection) | Default branch protection settings for managed branches | <pre>object({<br> allows_force_pushes = optional(bool, false)<br> enforce_admins = optional(bool, false)<br> require_signed_commits = optional(bool, true)<br><br> required_checks = optional(object({<br> strict = optional(bool)<br> contexts = optional(list(string))<br> }))<br><br> required_reviews = optional(object({<br> dismiss_stale_reviews = optional(bool, true)<br> dismissal_restrictions = optional(list(string))<br> required_approving_review_count = optional(number, 2)<br> require_code_owner_reviews = optional(bool, true)<br> }))<br><br> restrict_pushes = optional(object({<br> blocks_creations = optional(bool)<br> push_allowances = optional(list(string))<br> }))<br> })</pre> | <pre>{<br> "enforce_admins": false,<br> "require_signed_commits": true,<br> "required_reviews": {<br> "dismiss_stale_reviews": true,<br> "require_code_owner_reviews": true,<br> "required_approving_review_count": 2<br> }<br>}</pre> | no |
| <a name="input_delete_branch_on_merge"></a> [delete\_branch\_on\_merge](#input\_delete\_branch\_on\_merge) | Automatically delete head branch after a pull request is merged | `bool` | `true` | no |
| <a name="input_description"></a> [description](#input\_description) | A description for the GitHub repository | `string` | `null` | no |
| <a name="input_environments"></a> [environments](#input\_environments) | An optional map with GitHub environments to configure | <pre>map(object({<br> secrets = optional(map(string), {})<br> variables = optional(map(string), {})<br> wait_timer = optional(number, null)<br><br> deployment_branch_policy = optional(object(<br> {<br> branch_patterns = optional(list(string), [])<br> custom_branch_policies = optional(bool, false)<br> protected_branches = optional(bool, true)<br> }),<br> {<br> custom_branch_policies = false<br> protected_branches = true<br> }<br> )<br><br> reviewers = optional(object({<br> teams = optional(list(string))<br> users = optional(list(string))<br> }), null)<br><br> }))</pre> | `{}` | no |
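Review bot: The new `allows_force_pushes` field appears in the type column for both `branches` and `default_branch_protection`, but neither description column says what it does; they still read "An optional map with GitHub branches to create" and "Default branch protection settings for managed branches". Setting it to true permits history rewrites on a protected branch, so state that in the variable description or in a comment next to the attribute in variables.tf. The default-value column for `default_branch_protection` also omits the new key; that is consistent with the `optional(bool, false)` default, but listing `"allows_force_pushes": false` there would make the fail-closed default visible to readers.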
8 changes: 5 additions & 3 deletions main.tf
Expand Up @@ -72,9 +72,11 @@ resource "github_branch_protection" "default" {

for_each = { for k, v in local.branches : k => v if v.branch_protection != null || v.use_branch_protection == true }

enforce_admins = each.value.branch_protection != null ? try(each.value.branch_protection.enforce_admins, null) : var.default_branch_protection.enforce_admins
pattern = each.key
repository_id = github_repository.default.name
allows_force_pushes = each.value.branch_protection != null ? try(each.value.branch_protection.allows_force_pushes, null) : var.default_branch_protection.allows_force_pushes
enforce_admins = each.value.branch_protection != null ? try(each.value.branch_protection.enforce_admins, null) : var.default_branch_protection.enforce_admins
pattern = each.key
repository_id = github_repository.default.name

require_signed_commits = each.value.branch_protection != null ? each.value.branch_protection.require_signed_commits : var.default_branch_protection.require_signed_commits

dynamic "required_pull_request_reviews" {
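Review bot: On the new `allows_force_pushes` line, `try(each.value.branch_protection.allows_force_pushes, null)` is redundant, because the attribute is declared `optional(bool, false)` in variables.tf and is therefore always present when `branch_protection` is non-null; the `try` can only mask an evaluation error. Access the attribute directly, as the `require_signed_commits` line in this hunk does. The conditional is also all-or-nothing: a branch that supplies any `branch_protection` object ignores `var.default_branch_protection.allows_force_pushes` and gets that object's own default of false. This fails closed, but a short comment would help, since a repository-wide true will not reach those branches.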
2 changes: 2 additions & 0 deletions variables.tf
Expand Up @@ -64,6 +64,7 @@ variable "branches" {
use_branch_protection = optional(bool, true)

branch_protection = optional(object({
allows_force_pushes = optional(bool, false)
enforce_admins = optional(bool, false)
require_signed_commits = optional(bool, true)

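Review bot: `allows_force_pushes` in `branch_protection` is a plain bool, so setting it to true opens force pushes on that branch to everyone with push access rather than to named actors. If the use case is letting a specific user, team or app rewrite history, consider exposing the provider's `force_push_bypassers` list as well, and document here that true removes the restriction for all pushers.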
Expand Down Expand Up @@ -97,6 +98,7 @@ variable "default_branch" {

variable "default_branch_protection" {
type = object({
allows_force_pushes = optional(bool, false)
enforce_admins = optional(bool, false)
require_signed_commits = optional(bool, true)

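Review bot: The `allows_force_pushes = optional(bool, false)` default in `default_branch_protection` duplicates the per-branch default in the hunk above, and the two are declared independently, so they can drift; add a comment on both noting they must stay aligned on false. The commit changes only README.md, main.tf and variables.tf, so nothing exercises `allows_force_pushes = true`; an example or test that checks the resulting `github_branch_protection` attribute would catch a regression.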