Create resource to set repository allow list for organisation secret (#…
…882) * Only applicable when the secret's access is "selected" * Creating or updating the resource overrides the secret's existing repository allowlist * Destroying the resource clears the secret's existing repository allowlist * Can be used when the secret value is set externally
1 parent
653427e
commit d80ff81
Showing
5 changed files
with
275 additions
and
31 deletions.
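--- a/github/resource_github_actions_organization_secret_repositories.go
+++ b/github/resource_github_actions_organization_secret_repositories.go
@@ -0,0 +1,120 @@
+package github
+
+import (
+	"context"
+
+	"github.com/google/go-github/v38/github"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+)
+
+func resourceGithubActionsOrganizationSecretRepositories() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceGithubActionsOrganizationSecretRepositoriesCreateOrUpdate,
+		Read:   resourceGithubActionsOrganizationSecretRepositoriesRead,
+		Update: resourceGithubActionsOrganizationSecretRepositoriesCreateOrUpdate,
+		Delete: resourceGithubActionsOrganizationSecretRepositoriesDelete,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"secret_name": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: validateSecretNameFunc,
+			},
+			"selected_repository_ids": {
+				Type: schema.TypeSet,
+				Elem: &schema.Schema{
+					Type: schema.TypeInt,
+				},
+				Set:      schema.HashInt,
+				Required: true,
+			},
+		},
+	}
+}
+
+func resourceGithubActionsOrganizationSecretRepositoriesCreateOrUpdate(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*Owner).v3client
+	owner := meta.(*Owner).name
+	ctx := context.Background()
+
+	err := checkOrganization(meta)
+	if err != nil {
+		return err
+	}
+
+	secretName := d.Get("secret_name").(string)
+	selectedRepositories := d.Get("selected_repository_ids")
+
+	selectedRepositoryIDs := []int64{}
+
+	ids := selectedRepositories.(*schema.Set).List()
+	for _, id := range ids {
+		selectedRepositoryIDs = append(selectedRepositoryIDs, int64(id.(int)))
+	}
+
+	_, err = client.Actions.SetSelectedReposForOrgSecret(ctx, owner, secretName, selectedRepositoryIDs)
+	if err != nil {
+		return err
+	}
+
+	d.SetId(secretName)
+	return resourceGithubActionsOrganizationSecretRepositoriesRead(d, meta)
+}
+
+func resourceGithubActionsOrganizationSecretRepositoriesRead(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*Owner).v3client
+	owner := meta.(*Owner).name
+	ctx := context.Background()
+
+	err := checkOrganization(meta)
+	if err != nil {
+		return err
+	}
+
+	selectedRepositoryIDs := []int64{}
+	opt := &github.ListOptions{
+		PerPage: maxPerPage,
+	}
+	for {
+		results, resp, err := client.Actions.ListSelectedReposForOrgSecret(ctx, owner, d.Id(), opt)
+		if err != nil {
+			return err
+		}
+
+		for _, repo := range results.Repositories {
+			selectedRepositoryIDs = append(selectedRepositoryIDs, repo.GetID())
+		}
+
+		if resp.NextPage == 0 {
+			break
+		}
+		opt.Page = resp.NextPage
+	}
+
+	d.Set("selected_repository_ids", selectedRepositoryIDs)
+
+	return nil
+}
+
+func resourceGithubActionsOrganizationSecretRepositoriesDelete(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*Owner).v3client
+	owner := meta.(*Owner).name
+	ctx := context.WithValue(context.Background(), ctxId, d.Id())
+
+	err := checkOrganization(meta)
+	if err != nil {
+		return err
+	}
+
+	selectedRepositoryIDs := []int64{}
+	_, err = client.Actions.SetSelectedReposForOrgSecret(ctx, owner, d.Id(), selectedRepositoryIDs)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}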
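Review bot: resourceGithubActionsOrganizationSecretRepositoriesRead returns every error from ListSelectedReposForOrgSecret unchanged, so a secret that was deleted or had its visibility changed outside Terraform makes every subsequent plan fail instead of the resource being dropped from state; detecting a not-found response and calling `d.SetId("")` before returning nil is the usual fix, and presumably matches how the provider's other secret resources behave (they are not on this page). In the same function the result of `d.Set("selected_repository_ids", selectedRepositoryIDs)` is discarded and should be returned. The non-nil `[]int64{}` in the Delete function looks deliberate so the request body carries `[]` rather than `null` and the allow list is really cleared; a comment such as `// non-nil empty slice: send [] (not null) so the allow list is cleared` would protect it from a later cleanup to `var ids []int64`. The not-found check below needs `errors` and `net/http` added to the import block.
```go
		results, resp, err := client.Actions.ListSelectedReposForOrgSecret(ctx, owner, d.Id(), opt)
		if err != nil {
			var ghErr *github.ErrorResponse
			if errors.As(err, &ghErr) && ghErr.Response != nil && ghErr.Response.StatusCode == http.StatusNotFound {
				// the secret is gone: remove the allow list from state instead of failing every refresh
				d.SetId("")
				return nil
			}
			return err
		}
		// … unchanged: page accumulation and NextPage loop …
	if err := d.Set("selected_repository_ids", selectedRepositoryIDs); err != nil {
		return err
	}
```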
79 changes: 79 additions & 0 deletions
79
github/resource_github_actions_organization_secret_repositories_test.go
@@ -0,0 +1,79 @@ | ||
package github | ||
|
||
import ( | ||
"fmt" | ||
"os" | ||
"testing" | ||
|
||
"github.com/hashicorp/terraform-plugin-sdk/helper/acctest" | ||
"github.com/hashicorp/terraform-plugin-sdk/helper/resource" | ||
) | ||
|
||
func TestAccGithubActionsOrganizationSecretRepositories(t *testing.T) { | ||
|
||
const ORG_SECRET_NAME = "ORG_SECRET_NAME" | ||
randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum) | ||
secret_name, exists := os.LookupEnv(ORG_SECRET_NAME) | ||
|
||
t.Run("set repository allowlist for a organization secret", func(t *testing.T) { | ||
if !exists { | ||
t.Skipf("%s environment variable is missing", ORG_SECRET_NAME) | ||
} | ||
|
||
config := fmt.Sprintf(` | ||
resource "github_repository" "test_repo_1" { | ||
name = "tf-acc-test-%s-1" | ||
visibility = "internal" | ||
vulnerability_alerts = "true" | ||
} | ||
resource "github_repository" "test_repo_2" { | ||
name = "tf-acc-test-%s-2" | ||
visibility = "internal" | ||
vulnerability_alerts = "true" | ||
} | ||
resource "github_actions_organization_secret_repositories" "org_secret_repos" { | ||
secret_name = "%s" | ||
selected_repository_ids = [ | ||
github_repository.test_repo_1.repo_id, | ||
github_repository.test_repo_2.repo_id | ||
] | ||
} | ||
`, randomID, randomID, secret_name) | ||
|
||
check := resource.ComposeTestCheckFunc( | ||
resource.TestCheckResourceAttrSet( | ||
"github_actions_organization_secret_repositories.org_secret_repos", "secret_name", | ||
), | ||
resource.TestCheckResourceAttr( | ||
"github_actions_organization_secret_repositories.org_secret_repos", "selected_repository_ids.#", "2", | ||
), | ||
) | ||
|
||
testCase := func(t *testing.T, mode string) { | ||
resource.Test(t, resource.TestCase{ | ||
PreCheck: func() { skipUnlessMode(t, mode) }, | ||
Providers: testAccProviders, | ||
Steps: []resource.TestStep{ | ||
{ | ||
Config: config, | ||
Check: check, | ||
}, | ||
}, | ||
}) | ||
} | ||
|
||
t.Run("with an anonymous account", func(t *testing.T) { | ||
t.Skip("anonymous account not supported for this operation") | ||
}) | ||
|
||
t.Run("with an individual account", func(t *testing.T) { | ||
t.Skip("individual account not supported for this operation") | ||
}) | ||
|
||
t.Run("with an organization account", func(t *testing.T) { | ||
testCase(t, organization) | ||
}) | ||
}) | ||
} |
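Review bot: The single step in TestAccGithubActionsOrganizationSecretRepositories never exercises the importer the resource declares, so the `ImportStatePassthrough` path is untested; an import step after the apply step would also confirm that Read rebuilds `selected_repository_ids` from the API rather than from the config. The check on `selected_repository_ids.#` only pins the count, which would still pass if the wrong repositories were attached, so a check against the two `repo_id` attributes would be stronger. As a point of style, `ORG_SECRET_NAME` and `secret_name` are not Go-idiomatic names; `orgSecretNameEnv` and `secretName` would match `randomID`.
```go
			Steps: []resource.TestStep{
				// … unchanged: apply step with Config and Check …
				{
					ResourceName:      "github_actions_organization_secret_repositories.org_secret_repos",
					ImportState:       true,
					ImportStateVerify: true,
				},
			},
```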
41 changes: 41 additions & 0 deletions
41
website/docs/r/actions_organization_secret_repositories.html.markdown
@@ -0,0 +1,41 @@ | ||
--- | ||
layout: "github" | ||
page_title: "GitHub: github_actions_organization_secret_repositories" | ||
description: |- | ||
Manages repository allow list for an Action Secret within a GitHub organization | ||
--- | ||
|
||
# github_actions_organization_secret_repositories | ||
|
||
This resource allows you to manage repository allow list for existing GitHub Actions secrets within your GitHub organization. | ||
You must have write access to an organization secret to use this resource. | ||
|
||
This resource is only applicable when `visibility` of the existing organization secret has been set to `selected`. | ||
|
||
## Example Usage | ||
|
||
```hcl | ||
data "github_repository" "repo" { | ||
full_name = "my-org/repo" | ||
} | ||
resource "github_actions_organization_secret_repositories" "org_secret_repos" { | ||
secret_name = "existing_secret_name" | ||
selected_repository_ids = [data.github_repository.repo.repo_id] | ||
} | ||
``` | ||
|
||
## Argument Reference | ||
|
||
The following arguments are supported: | ||
|
||
* `secret_name` - (Required) Name of the existing secret | ||
* `selected_repository_ids` - (Required) An array of repository ids that can access the organization secret. | ||
|
||
## Import | ||
|
||
This resource can be imported using an ID made up of the secret name: | ||
|
||
``` | ||
$ terraform import github_actions_organization_secret_repositories.test_secret_repos test_secret_name | ||
``` |