Move terraform-bastion to the Admins team

MoteHue · Alex-Welsh · commit 7234e9626a93 · 2026-04-29T11:56:58.000+01:00
diff --git a/ansible/inventory/group_vars/all/source-repositories b/ansible/inventory/group_vars/all/source-repositories
@@ -26,6 +26,8 @@ ansible_workflows:
     - publish-role
 community_files:
   codeowners:
+    admins: |
+      * @stackhpc/admins
     ansible: |
       * @stackhpc/ansible
     batch: |
@@ -412,6 +414,14 @@ source_repositories:
       - codeowners:
           content: "{{ community_files.codeowners.openstack }}"
           dest: ".github/CODEOWNERS"
+  # Admins team
+  terraform-bastion:
+    repository_type: "single-branch"
+    workflows: []
+    community_files:
+      - codeowners:
+          content: "{{ community_files.codeowners.admins }}"
+          dest: ".github/CODEOWNERS"
   # Ansible team
   ansible-role-libvirt-host:
     repository_type: "ansible"
@@ -735,10 +745,3 @@ source_repositories:
       - codeowners:
           content: "{{ community_files.codeowners.sms_lab }}"
           dest: ".github/CODEOWNERS"
-  terraform-bastion:
-    repository_type: "single-branch"
-    workflows: []
-    community_files:
-      - codeowners:
-          content: "{{ community_files.codeowners.sms_lab }}"
-          dest: ".github/CODEOWNERS"
diff --git a/scripts/validate-source-repos.py b/scripts/validate-source-repos.py
@@ -38,11 +38,11 @@ def _extract_group_from_community_files(files):
             return content.strip('{ }').replace('_', '').split('.')[-1]
 
 
-def _sort_ans_repos_by_group(ans_repos):
+def _group_ans_repos_by_group(ans_repos):
     ans_repos_by_group = {}
     for repo in ans_repos:
-        files = ans_repos[repo]['community_files']
-        group = _extract_group_from_community_files(files)
+        group = _extract_group_from_community_files(
+            ans_repos[repo]['community_files'])
         if group in ans_repos_by_group:
             ans_repos_by_group[group].append(repo)
         else:
@@ -51,7 +51,7 @@ def _sort_ans_repos_by_group(ans_repos):
 
 
 def get_mismatched_repos(tf_repos, ans_repos, repos_missing):
-    ans_repos_new = _sort_ans_repos_by_group(ans_repos)
+    ans_repos_new = _group_ans_repos_by_group(ans_repos)
     tf_repos_new = {k.lower(): v for k, v in tf_repos.items()}
 
     mismatched_repos = []
@@ -77,10 +77,11 @@ def main():
                                             repos_missing)
 
     print('The following repos are assigned to different codeowner groups in '
-         'the Ansible source-repositories and the Terraform tfvars: '
-         f'{mismatched_repos}')
+          'the Ansible source-repositories and the Terraform tfvars: '
+          f'{mismatched_repos}')
 
     return len(repos_missing) > 0 or len(mismatched_repos) > 0
 
+
 if __name__ == "__main__":
     sys.exit(main())
diff --git a/terraform/github/branches.tf b/terraform/github/branches.tf
@@ -1,3 +1,35 @@
+resource "github_branch_protection" "admins_branch_protection" {
+  for_each      = toset(var.repositories["Admins"])
+  repository_id = data.github_repository.repositories[each.key].node_id
+
+  pattern                         = "master"
+  require_conversation_resolution = true
+  allows_deletions                = false
+  allows_force_pushes             = false
+
+  required_pull_request_reviews {
+    dismiss_stale_reviews           = true
+    require_code_owner_reviews      = true
+    required_approving_review_count = 1
+  }
+
+  restrict_pushes {
+    blocks_creations = false
+    push_allowances = [
+      resource.github_team.organisation_teams["Developers"].node_id
+    ]
+  }
+
+  required_status_checks {
+    contexts = lookup(var.required_status_checks, each.key, { "default" : [] }).default
+    strict   = false
+  }
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
 resource "github_branch_protection" "ansible_branch_protection" {
   for_each      = toset(var.repositories["Ansible"])
   repository_id = data.github_repository.repositories[each.key].node_id
diff --git a/terraform/github/terraform.tfvars.json b/terraform/github/terraform.tfvars.json
@@ -1,6 +1,9 @@
 {
   "owner": "stackhpc",
   "repositories": {
+    "Admins": [
+      "terraform-bastion"
+    ],
     "Ansible": [
       "ansible-role-libvirt-host",
       "ansible-role-libvirt-vm",
@@ -89,8 +92,7 @@
     "SMSLab": [
       "smslab-azimuth-config",
       "smslab-config",
-      "smslab-kayobe-config",
-      "terraform-bastion"
+      "smslab-kayobe-config"
     ]
   },
   "teams": {
