diff --git a/github/provider.go b/github/provider.go
index 2d5d6dc33a..b5375cf240 100644
--- a/github/provider.go
+++ b/github/provider.go
@@ -203,6 +203,7 @@ func Provider() *schema.Provider {
 "github_repository_ruleset": resourceGithubRepositoryRuleset(),
 "github_repository_topics": resourceGithubRepositoryTopics(),
 "github_repository_webhook": resourceGithubRepositoryWebhook(),
+ "github_repository_vulnerability_alerts": resourceGithubRepositoryVulnerabilityAlerts(),
 "github_team": resourceGithubTeam(),
 "github_team_members": resourceGithubTeamMembers(),
 "github_team_membership": resourceGithubTeamMembership(),
diff --git a/github/resource_github_repository.go b/github/resource_github_repository.go
index 2c57b54182..514cbf7305 100644
--- a/github/resource_github_repository.go
+++ b/github/resource_github_repository.go
@@ -400,12 +400,13 @@ func resourceGithubRepository() *schema.Resource {
 Optional: true,
 Computed: true,
 Description: "Set to 'true' to enable security alerts for vulnerable dependencies. Enabling requires alerts to be enabled on the owner level. (Note for importing: GitHub enables the alerts on all repos by default). Note that vulnerability alerts have not been successfully tested on any GitHub Enterprise instance and may be unavailable in those settings.",
+ Deprecated: "Use the github_repository_vulnerability_alerts resource instead. This field will be removed in a future version.",
 },
 "ignore_vulnerability_alerts_during_read": {
 Type: schema.TypeBool,
 Optional: true,
 Default: false,
- Deprecated: "This is ignored as the provider now handles lack of permissions automatically.",
+ Deprecated: "This is ignored as the provider now handles lack of permissions automatically. This field will be removed in a future version.",
 },
 "full_name": {
 Type: schema.TypeString,
diff --git a/github/resource_github_repository_vulnerability_alerts.go b/github/resource_github_repository_vulnerability_alerts.go
new file mode 100644
index 0000000000..2cf7248db2
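Review bot: The new `Deprecated` text on `vulnerability_alerts` points users at the new resource but does not say that the attribute has to be removed from the `github_repository` block at the same time; the attribute stays `Optional`+`Computed`, and as far as the visible code shows both it and the new resource drive the same repository setting, so keeping both would presumably make each apply flip the value back and forth. Suggest `Deprecated: "Use the github_repository_vulnerability_alerts resource instead and remove this attribute from the github_repository configuration so the two do not manage the same setting. This field will be removed in a future version.",`. The enclosing schema map starts and ends outside the hunk.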
--- /dev/null
+++ b/github/resource_github_repository_vulnerability_alerts.go
@@ -0,0 +1,168 @@
+package github
+
+import (
+ "context"
+ "strconv"
+
+ "github.com/hashicorp/terraform-plugin-log/tflog"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func resourceGithubRepositoryVulnerabilityAlerts() *schema.Resource {
+ return &schema.Resource{
+ CreateContext: resourceGithubRepositoryVulnerabilityAlertsCreate,
+ ReadContext: resourceGithubRepositoryVulnerabilityAlertsRead,
+ UpdateContext: resourceGithubRepositoryVulnerabilityAlertsUpdate,
+ DeleteContext: resourceGithubRepositoryVulnerabilityAlertsDelete,
+ Importer: &schema.ResourceImporter{
+ StateContext: resourceGithubRepositoryVulnerabilityAlertsImport,
+ },
+
+ Schema: map[string]*schema.Schema{
+ "repository": {
+ Type: schema.TypeString,
+ Required: true,
+ ForceNew: true,
+ Description: "The repository name to configure vulnerability alerts for.",
+ },
+ "repository_id": {
+ Type: schema.TypeInt,
+ Computed: true,
+ Description: "The ID of the repository to configure vulnerability alerts for.",
+ },
+ // TODO: Uncomment this when we are ready to support owner fields properly. https://github.com/integrations/terraform-provider-github/pull/3166#discussion_r2816053082
+ // "owner": {
+ // Type: schema.TypeString,
+ // Required: true,
+ // ForceNew: true,
+ // Description: "The owner of the repository to configure vulnerability alerts for.",
+ // },
+ "enabled": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Default: true,
+ Description: "Whether vulnerability alerts are enabled for the repository.",
+ },
+ },
+
+ CustomizeDiff: diffRepository,
+ }
+}
+
+func resourceGithubRepositoryVulnerabilityAlertsCreate(ctx context.Context, d *schema.ResourceData, m any) diag.Diagnostics {
+ meta := m.(*Owner)
+ client := meta.v3client
+
+ owner := meta.name // TODO: Add owner support // d.Get("owner").(string)
+ repoName := d.Get("repository").(string)
+
+ vulnerabilityAlertsEnabled := d.Get("enabled").(bool)
+ repo, _, err := client.Repositories.Get(ctx, owner, repoName)
+ if err != nil {
+ return diag.FromErr(err)
+ }
+ if repo.GetArchived() {
+ return diag.Errorf("cannot enable vulnerability alerts on archived repository %s/%s", owner, repoName)
+ }
+ if vulnerabilityAlertsEnabled {
+ _, err := client.Repositories.EnableVulnerabilityAlerts(ctx, owner, repoName)
+ if err != nil {
+ return diag.FromErr(err)
+ }
+ } else {
+ _, err := client.Repositories.DisableVulnerabilityAlerts(ctx, owner, repoName)
+ if err != nil {
+ return diag.FromErr(err)
+ }
+ }
+
+ d.SetId(strconv.Itoa(int(repo.GetID())))
+
+ if err = d.Set("repository_id", repo.GetID()); err != nil {
+ return diag.FromErr(err)
+ }
+
+ return nil
+}
+
+func resourceGithubRepositoryVulnerabilityAlertsRead(ctx context.Context, d *schema.ResourceData, m any) diag.Diagnostics {
+ meta := m.(*Owner)
+ client := meta.v3client
+
+ owner := meta.name // TODO: Add owner support // d.Get("owner").(string)
+ repoName := d.Get("repository").(string)
+ vulnerabilityAlertsEnabled, _, err := client.Repositories.GetVulnerabilityAlerts(ctx, owner, repoName)
+ if err != nil {
+ return diag.Errorf("error reading repository vulnerability alerts: %s", err.Error())
+ }
+ if err = d.Set("enabled", vulnerabilityAlertsEnabled); err != nil {
+ return diag.FromErr(err)
+ }
+
+ return nil
+}
+
+func resourceGithubRepositoryVulnerabilityAlertsUpdate(ctx context.Context, d *schema.ResourceData, m any) diag.Diagnostics {
+ meta := m.(*Owner)
+ client := meta.v3client
+
+ owner := meta.name // TODO: Add owner support // d.Get("owner").(string)
+ repoName := d.Get("repository").(string)
+
+ vulnerabilityAlertsEnabled := d.Get("enabled").(bool)
+ if vulnerabilityAlertsEnabled {
+ _, err := client.Repositories.EnableVulnerabilityAlerts(ctx, owner, repoName)
+ if err != nil {
+ return diag.FromErr(err)
+ }
+ } else {
+ _, err := client.Repositories.DisableVulnerabilityAlerts(ctx, owner, repoName)
+ if err != nil {
+ return diag.FromErr(err)
+ }
+ }
+
+ return nil
+}
+
+func resourceGithubRepositoryVulnerabilityAlertsDelete(ctx context.Context, d *schema.ResourceData, m any) diag.Diagnostics {
+ meta := m.(*Owner)
+ client := meta.v3client
+
+ owner := meta.name // TODO: Add owner support // d.Get("owner").(string)
+ repoName := d.Get("repository").(string)
+ _, err := client.Repositories.DisableVulnerabilityAlerts(ctx, owner, repoName)
+ if err != nil {
+ return diag.FromErr(handleArchivedRepoDelete(err, "repository vulnerability alerts", d.Id(), owner, repoName))
+ }
+
+ return nil
+}
+
+func resourceGithubRepositoryVulnerabilityAlertsImport(ctx context.Context, d *schema.ResourceData, m any) ([]*schema.ResourceData, error) {
+ tflog.Debug(ctx, "Importing repository vulnerability alerts", map[string]any{"id": d.Id()})
+ repoName := d.Id()
+ // if err := d.Set("owner", repoOwner); err != nil { // TODO: Add owner support
+ // return nil, err
+ // }
+ if err := d.Set("repository", repoName); err != nil {
+ return nil, err
+ }
+
+ meta := m.(*Owner)
+ owner := meta.name
+ client := meta.v3client
+
+ repo, _, err := client.Repositories.Get(ctx, owner, repoName)
+ if err != nil {
+ return nil, err
+ }
+
+ d.SetId(strconv.Itoa(int(repo.GetID())))
+
+ if err = d.Set("repository_id", repo.GetID()); err != nil {
+ return nil, err
+ }
+ return []*schema.ResourceData{d}, nil
+}
diff --git a/github/resource_github_repository_vulnerability_alerts_test.go b/github/resource_github_repository_vulnerability_alerts_test.go
new file mode 100644
index 0000000000..d4075693d5
--- /dev/null
+++ b/github/resource_github_repository_vulnerability_alerts_test.go
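Review bot: Read turns every error from GetVulnerabilityAlerts into a diagnostic, so a repository deleted outside Terraform leaves this resource in state with a refresh that fails on every run instead of being dropped and re-planned; the `%s` formatting through diag.Errorf also flattens the typed error that the other functions in this file hand to `diag.FromErr`. Treat a go-github `*github.ErrorResponse` carrying a 404 as "gone" (clear the ID and return nil) and return `diag.FromErr(err)` otherwise, which needs `errors`, `net/http` and the go-github import added to this file's import block. Separately, Delete calls DisableVulnerabilityAlerts unconditionally, so destroying the resource switches the alerts off rather than restoring whatever the repository had before (the deprecated `vulnerability_alerts` description in this same commit notes that GitHub enables them by default); that is worth stating in the `enabled` description and the resource docs, e.g. `// Destroy disables vulnerability alerts on the repository; the previous setting is not restored.` The archived-repository error in Create reads "cannot enable" even when `enabled = false`; `"cannot configure vulnerability alerts on archived repository %s/%s"` covers both paths (the ExpectError regexp in the acceptance test would need the same wording).
```go
func resourceGithubRepositoryVulnerabilityAlertsRead(ctx context.Context, d *schema.ResourceData, m any) diag.Diagnostics {
	// … unchanged: meta/client/owner/repoName setup …
	vulnerabilityAlertsEnabled, _, err := client.Repositories.GetVulnerabilityAlerts(ctx, owner, repoName)
	if err != nil {
		// A repository that no longer exists is not an error for refresh: drop it
		// from state so the next plan recreates the resource instead of failing.
		var ghErr *github.ErrorResponse
		if errors.As(err, &ghErr) && ghErr.Response != nil && ghErr.Response.StatusCode == http.StatusNotFound {
			tflog.Info(ctx, "Removing repository vulnerability alerts from state because the repository no longer exists in GitHub", map[string]any{"id": d.Id()})
			d.SetId("")
			return nil
		}
		return diag.FromErr(err)
	}
	// … unchanged: d.Set("enabled", …) and return …
}
```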
@@ -0,0 +1,319 @@ +package github + +import ( + "fmt" + "regexp" + "testing" + + "github.com/hashicorp/terraform-plugin-testing/compare" + "github.com/hashicorp/terraform-plugin-testing/helper/acctest" + "github.com/hashicorp/terraform-plugin-testing/helper/resource" + "github.com/hashicorp/terraform-plugin-testing/knownvalue" + "github.com/hashicorp/terraform-plugin-testing/plancheck" + "github.com/hashicorp/terraform-plugin-testing/statecheck" + "github.com/hashicorp/terraform-plugin-testing/tfjsonpath" +) + +func TestAccGithubRepositoryVulnerabilityAlerts(t *testing.T) { + t.Run("creates_vulnerability_alerts_as_enabled_without_error", func(t *testing.T) { + randomID := acctest.RandString(5) + repoName := fmt.Sprintf("%svuln-alerts-%s", testResourcePrefix, randomID) + + config := fmt.Sprintf(` + resource "github_repository" "test" { + name = "%s" + visibility = "private" + auto_init = true + } + + resource "github_repository_vulnerability_alerts" "test" { + repository = github_repository.test.name + enabled = true + } + `, repoName) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { skipUnauthenticated(t) }, + ProviderFactories: providerFactories, + Steps: []resource.TestStep{ + { + Config: config, + ConfigStateChecks: []statecheck.StateCheck{ + statecheck.ExpectKnownValue("github_repository_vulnerability_alerts.test", tfjsonpath.New("enabled"), knownvalue.Bool(true)), + statecheck.CompareValuePairs("github_repository_vulnerability_alerts.test", tfjsonpath.New("repository"), "github_repository.test", tfjsonpath.New("name"), compare.ValuesSame()), + statecheck.ExpectKnownValue("github_repository_vulnerability_alerts.test", tfjsonpath.New("repository_id"), knownvalue.NotNull()), + }, + }, + }, + }) + }) + + t.Run("creates_vulnerability_alerts_as_disabled_without_error", func(t *testing.T) { + randomID := acctest.RandString(5) + repoName := fmt.Sprintf("%svuln-alerts-%s", testResourcePrefix, randomID) + + config := fmt.Sprintf(` + resource 
"github_repository" "test" { + name = "%s" + visibility = "private" + auto_init = true + } + + resource "github_repository_vulnerability_alerts" "test" { + repository = github_repository.test.name + enabled = false + } + `, repoName) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { skipUnauthenticated(t) }, + ProviderFactories: providerFactories, + Steps: []resource.TestStep{ + { + Config: config, + ConfigStateChecks: []statecheck.StateCheck{ + statecheck.ExpectKnownValue("github_repository_vulnerability_alerts.test", tfjsonpath.New("enabled"), knownvalue.Bool(false)), + }, + }, + }, + }) + }) + + t.Run("updates_vulnerability_alerts_without_error", func(t *testing.T) { + randomID := acctest.RandString(5) + repoName := fmt.Sprintf("%svuln-alerts-%s", testResourcePrefix, randomID) + + config := ` + resource "github_repository" "test" { + name = "%s" + visibility = "private" + auto_init = true + } + + resource "github_repository_vulnerability_alerts" "test" { + repository = github_repository.test.name + enabled = %t + } + ` + + compareValuesDiffer := statecheck.CompareValue(compare.ValuesDiffer()) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { skipUnauthenticated(t) }, + ProviderFactories: providerFactories, + Steps: []resource.TestStep{ + { + Config: fmt.Sprintf(config, repoName, false), + ConfigStateChecks: []statecheck.StateCheck{ + compareValuesDiffer.AddStateValue("github_repository_vulnerability_alerts.test", tfjsonpath.New("enabled")), + }, + }, + { + Config: fmt.Sprintf(config, repoName, true), + ConfigStateChecks: []statecheck.StateCheck{ + compareValuesDiffer.AddStateValue("github_repository_vulnerability_alerts.test", tfjsonpath.New("enabled")), + }, + }, + { + Config: fmt.Sprintf(config, repoName, false), + ConfigStateChecks: []statecheck.StateCheck{ + compareValuesDiffer.AddStateValue("github_repository_vulnerability_alerts.test", tfjsonpath.New("enabled")), + }, + }, + }, + }) + }) + + 
t.Run("imports_vulnerability_alerts_without_error", func(t *testing.T) { + randomID := acctest.RandString(5) + repoName := fmt.Sprintf("%svuln-alerts-%s", testResourcePrefix, randomID) + + config := fmt.Sprintf(` + resource "github_repository" "test" { + name = "%s" + visibility = "private" + auto_init = true + } + + resource "github_repository_vulnerability_alerts" "test" { + repository = github_repository.test.name + enabled = true + } + `, repoName) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { skipUnauthenticated(t) }, + ProviderFactories: providerFactories, + Steps: []resource.TestStep{ + { + Config: config, + ConfigStateChecks: []statecheck.StateCheck{ + statecheck.ExpectKnownValue("github_repository_vulnerability_alerts.test", tfjsonpath.New("repository_id"), knownvalue.NotNull()), + }, + }, + { + ResourceName: "github_repository_vulnerability_alerts.test", + ImportState: true, + ImportStateId: repoName, + ImportStateVerify: true, + }, + }, + }) + }) + + t.Run("creates_with_defaults_without_error", func(t *testing.T) { + randomID := acctest.RandString(5) + repoName := fmt.Sprintf("%svuln-alerts-%s", testResourcePrefix, randomID) + + config := fmt.Sprintf(` + resource "github_repository" "test" { + name = "%s" + visibility = "private" + auto_init = true + } + + resource "github_repository_vulnerability_alerts" "test" { + repository = github_repository.test.name + } + `, repoName) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { skipUnauthenticated(t) }, + ProviderFactories: providerFactories, + Steps: []resource.TestStep{ + { + Config: config, + ConfigStateChecks: []statecheck.StateCheck{ + statecheck.ExpectKnownValue("github_repository_vulnerability_alerts.test", tfjsonpath.New("enabled"), knownvalue.Bool(true)), + }, + }, + }, + }) + }) + + t.Run("destroys_from_archived_repository_without_error", func(t *testing.T) { + randomID := acctest.RandString(5) + repoName := fmt.Sprintf("%svuln-alerts-%s", testResourcePrefix, randomID) + + 
withAlertsConfig := ` + resource "github_repository" "test" { + name = "%s" + visibility = "private" + auto_init = true + archived = %t + } + + resource "github_repository_vulnerability_alerts" "test" { + repository = github_repository.test.name + enabled = true + } + ` + + archivedOnlyConfig := fmt.Sprintf(` + resource "github_repository" "test" { + name = "%s" + visibility = "private" + auto_init = true + archived = true + } + `, repoName) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { skipUnauthenticated(t) }, + ProviderFactories: providerFactories, + Steps: []resource.TestStep{ + { + Config: fmt.Sprintf(withAlertsConfig, repoName, false), + ConfigStateChecks: []statecheck.StateCheck{ + statecheck.ExpectKnownValue("github_repository_vulnerability_alerts.test", tfjsonpath.New("enabled"), knownvalue.Bool(true)), + }, + }, + { + Config: fmt.Sprintf(withAlertsConfig, repoName, true), + ExpectNonEmptyPlan: true, + ConfigStateChecks: []statecheck.StateCheck{ + statecheck.ExpectKnownValue("github_repository.test", tfjsonpath.New("archived"), knownvalue.Bool(true)), + }, + }, + { + Config: archivedOnlyConfig, + ConfigPlanChecks: resource.ConfigPlanChecks{ + PreApply: []plancheck.PlanCheck{ + plancheck.ExpectResourceAction("github_repository_vulnerability_alerts.test", plancheck.ResourceActionDestroy), + }, + }, + }, + }, + }) + }) + + t.Run("creates_on_archived_repository_with_error)", func(t *testing.T) { + randomID := acctest.RandString(5) + repoName := fmt.Sprintf("%svuln-alerts-%s", testResourcePrefix, randomID) + + repoConfig := ` + resource "github_repository" "test" { + name = "%s" + visibility = "private" + auto_init = true + archived = %t + } + %s + ` + + alertsBlock := ` + resource "github_repository_vulnerability_alerts" "test" { + repository = github_repository.test.name + enabled = true + } + ` + + resource.Test(t, resource.TestCase{ + PreCheck: func() { skipUnauthenticated(t) }, + ProviderFactories: providerFactories, + Steps: 
[]resource.TestStep{
+ {
+ Config: fmt.Sprintf(repoConfig, repoName, false, ""),
+ },
+ {
+ Config: fmt.Sprintf(repoConfig, repoName, true, ""),
+ },
+ {
+ Config: fmt.Sprintf(repoConfig, repoName, true, alertsBlock),
+ ExpectError: regexp.MustCompile(`cannot enable vulnerability alerts on archived repository`),
+ },
+ },
+ })
+ })
+
+ t.Run("creates_on_public_repo_without_error", func(t *testing.T) {
+ randomID := acctest.RandString(5)
+ repoName := fmt.Sprintf("%svuln-alerts-%s", testResourcePrefix, randomID)
+
+ config := fmt.Sprintf(`
+ resource "github_repository" "test" {
+ name = "%s"
+ visibility = "public"
+ auto_init = true
+ }
+
+ resource "github_repository_vulnerability_alerts" "test" {
+ repository = github_repository.test.name
+ enabled = true
+ }
+ `, repoName)
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { skipUnauthenticated(t); skipIfEMUEnterprise(t) },
+ ProviderFactories: providerFactories,
+ Steps: []resource.TestStep{
+ {
+ Config: config,
+ ConfigStateChecks: []statecheck.StateCheck{
+ statecheck.ExpectKnownValue("github_repository_vulnerability_alerts.test", tfjsonpath.New("enabled"), knownvalue.Bool(true)),
+ },
+ },
+ },
+ })
+ })
+}
diff --git a/website/docs/r/repository.html.markdown b/website/docs/r/repository.html.markdown
index 157fd01caa..182e98125d 100644
--- a/website/docs/r/repository.html.markdown
+++ b/website/docs/r/repository.html.markdown
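Review bot: The subtest name `"creates_on_archived_repository_with_error)"` carries a stray closing parenthesis, which leaks into `go test -run` selectors and test output; it should read `t.Run("creates_on_archived_repository_with_error", func(t *testing.T) {`. In the update subtest, `statecheck.CompareValue(compare.ValuesDiffer())` only proves that `enabled` changes between consecutive steps, not which value each step lands on; adding an `ExpectKnownValue(..., knownvalue.Bool(false))`/`Bool(true)` check per step would pin the actual state, otherwise a provider that toggles the wrong way on every apply still passes.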
@@ -63,156 +63,156 @@ resource "github_repository" "forked_repo" { The following arguments are supported: -* `name` - (Required) The name of the repository. +- `name` - (Required) The name of the repository. -* `description` - (Optional) A description of the repository. +- `description` - (Optional) A description of the repository. -* `homepage_url` - (Optional) URL of a page describing the project. +- `homepage_url` - (Optional) URL of a page describing the project. -* `fork` - (Optional) Set to `true` to create a fork of an existing repository. When set to `true`, both `source_owner` and `source_repo` must also be specified. +- `fork` - (Optional) Set to `true` to create a fork of an existing repository. When set to `true`, both `source_owner` and `source_repo` must also be specified. -* `source_owner` - (Optional) The GitHub username or organization that owns the repository being forked. Required when `fork` is `true`. +- `source_owner` - (Optional) The GitHub username or organization that owns the repository being forked. Required when `fork` is `true`. -* `source_repo` - (Optional) The name of the repository to fork. Required when `fork` is `true`. +- `source_repo` - (Optional) The name of the repository to fork. Required when `fork` is `true`. -* `private` - (Optional) Set to `true` to create a private repository. +- `private` - (Optional) Set to `true` to create a private repository. Repositories are created as public (e.g. open source) by default. -* `visibility` - (Optional) Can be `public` or `private`. If your organization is associated with an enterprise account using GitHub Enterprise Cloud or GitHub Enterprise Server 2.20+, visibility can also be `internal`. The `visibility` parameter overrides the `private` parameter. +- `visibility` - (Optional) Can be `public` or `private`. If your organization is associated with an enterprise account using GitHub Enterprise Cloud or GitHub Enterprise Server 2.20+, visibility can also be `internal`. 
The `visibility` parameter overrides the `private` parameter. -* `has_issues` - (Optional) Set to `true` to enable the GitHub Issues features +- `has_issues` - (Optional) Set to `true` to enable the GitHub Issues features on the repository. -* `has_discussions` - (Optional) Set to `true` to enable GitHub Discussions on the repository. Defaults to `false`. +- `has_discussions` - (Optional) Set to `true` to enable GitHub Discussions on the repository. Defaults to `false`. -* `has_projects` - (Optional) Set to `true` to enable the GitHub Projects features on the repository. Per the GitHub [documentation](https://developer.github.com/v3/repos/#create) when in an organization that has disabled repository projects it will default to `false` and will otherwise default to `true`. If you specify `true` when it has been disabled it will return an error. +- `has_projects` - (Optional) Set to `true` to enable the GitHub Projects features on the repository. Per the GitHub [documentation](https://developer.github.com/v3/repos/#create) when in an organization that has disabled repository projects it will default to `false` and will otherwise default to `true`. If you specify `true` when it has been disabled it will return an error. -* `has_wiki` - (Optional) Set to `true` to enable the GitHub Wiki features on +- `has_wiki` - (Optional) Set to `true` to enable the GitHub Wiki features on the repository. -* `is_template` - (Optional) Set to `true` to tell GitHub that this is a template repository. +- `is_template` - (Optional) Set to `true` to tell GitHub that this is a template repository. -* `allow_merge_commit` - (Optional) Set to `false` to disable merge commits on the repository. +- `allow_merge_commit` - (Optional) Set to `false` to disable merge commits on the repository. -* `allow_squash_merge` - (Optional) Set to `false` to disable squash merges on the repository. +- `allow_squash_merge` - (Optional) Set to `false` to disable squash merges on the repository. 
-* `allow_rebase_merge` - (Optional) Set to `false` to disable rebase merges on the repository. +- `allow_rebase_merge` - (Optional) Set to `false` to disable rebase merges on the repository. -* `allow_auto_merge` - (Optional) Set to `true` to allow auto-merging pull requests on the repository. +- `allow_auto_merge` - (Optional) Set to `true` to allow auto-merging pull requests on the repository. -* `allow_forking` - (Optional) Configure private forking for organization owned private and internal repositories; set to `true` to enable, `false` to disable, and leave unset for the default behaviour. Configuring this requires that private forking is not being explicitly configured at the organization level. +- `allow_forking` - (Optional) Configure private forking for organization owned private and internal repositories; set to `true` to enable, `false` to disable, and leave unset for the default behaviour. Configuring this requires that private forking is not being explicitly configured at the organization level. -* `squash_merge_commit_title` - (Optional) Can be `PR_TITLE` or `COMMIT_OR_PR_TITLE` for a default squash merge commit title. Applicable only if `allow_squash_merge` is `true`. +- `squash_merge_commit_title` - (Optional) Can be `PR_TITLE` or `COMMIT_OR_PR_TITLE` for a default squash merge commit title. Applicable only if `allow_squash_merge` is `true`. -* `squash_merge_commit_message` - (Optional) Can be `PR_BODY`, `COMMIT_MESSAGES`, or `BLANK` for a default squash merge commit message. Applicable only if `allow_squash_merge` is `true`. +- `squash_merge_commit_message` - (Optional) Can be `PR_BODY`, `COMMIT_MESSAGES`, or `BLANK` for a default squash merge commit message. Applicable only if `allow_squash_merge` is `true`. -* `merge_commit_title` - Can be `PR_TITLE` or `MERGE_MESSAGE` for a default merge commit title. Applicable only if `allow_merge_commit` is `true`. 
+- `merge_commit_title` - Can be `PR_TITLE` or `MERGE_MESSAGE` for a default merge commit title. Applicable only if `allow_merge_commit` is `true`. -* `merge_commit_message` - Can be `PR_BODY`, `PR_TITLE`, or `BLANK` for a default merge commit message. Applicable only if `allow_merge_commit` is `true`. +- `merge_commit_message` - Can be `PR_BODY`, `PR_TITLE`, or `BLANK` for a default merge commit message. Applicable only if `allow_merge_commit` is `true`. -* `delete_branch_on_merge` - (Optional) Automatically delete head branch after a pull request is merged. Defaults to `false`. +- `delete_branch_on_merge` - (Optional) Automatically delete head branch after a pull request is merged. Defaults to `false`. -* `web_commit_signoff_required` - (Optional) Require contributors to sign off on web-based commits. See more [here](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-the-commit-signoff-policy-for-your-repository). +- `web_commit_signoff_required` - (Optional) Require contributors to sign off on web-based commits. See more in the [GitHub documentation](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-the-commit-signoff-policy-for-your-repository). -* `has_downloads` - (**DEPRECATED**) (Optional) Set to `true` to enable the (deprecated) downloads features on the repository. This attribute is no longer in use, but it hasn't been removed yet. It will be removed in a future version. See [this discussion](https://github.com/orgs/community/discussions/102145#discussioncomment-8351756). +- `has_downloads` - (**DEPRECATED**) (Optional) Set to `true` to enable the (deprecated) downloads features on the repository. This attribute is no longer in use, but it hasn't been removed yet. It will be removed in a future version. See [this discussion](https://github.com/orgs/community/discussions/102145#discussioncomment-8351756). 
-* `auto_init` - (Optional) Set to `true` to produce an initial commit in the repository. +- `auto_init` - (Optional) Set to `true` to produce an initial commit in the repository. -* `gitignore_template` - (Optional) Use the [name of the template](https://github.com/github/gitignore) without the extension. For example, "Haskell". +- `gitignore_template` - (Optional) Use the [name of the template](https://github.com/github/gitignore) without the extension. For example, "Haskell". -* `license_template` - (Optional) Use the [name of the template](https://github.com/github/choosealicense.com/tree/gh-pages/_licenses) without the extension. For example, "mit" or "mpl-2.0". +- `license_template` - (Optional) Use the [name of the template](https://github.com/github/choosealicense.com/tree/gh-pages/_licenses) without the extension. For example, "mit" or "mpl-2.0". -* `default_branch` - (Optional) (Deprecated: Use `github_branch_default` resource instead) The name of the default branch of the repository. **NOTE:** This can only be set after a repository has already been created, +- `default_branch` - (Optional) (Deprecated: Use `github_branch_default` resource instead) The name of the default branch of the repository. **NOTE:** This can only be set after a repository has already been created, and after a correct reference has been created for the target branch inside the repository. This means a user will have to omit this parameter from the initial repository creation and create the target branch inside of the repository prior to setting this attribute. -* `archived` - (Optional) Specifies if the repository should be archived. Defaults to `false`. **NOTE** Currently, the API does not support unarchiving. +- `archived` - (Optional) Specifies if the repository should be archived. Defaults to `false`. **NOTE** Currently, the API does not support unarchiving. -* `archive_on_destroy` - (Optional) Set to `true` to archive the repository instead of deleting on destroy. 
+- `archive_on_destroy` - (Optional) Set to `true` to archive the repository instead of deleting on destroy. -* `pages` - (Optional) The repository's GitHub Pages configuration. See [GitHub Pages Configuration](#github-pages-configuration) below for details. +- `pages` - (Optional) The repository's GitHub Pages configuration. See [GitHub Pages Configuration](#github-pages-configuration) below for details. -* `security_and_analysis` - (Optional) The repository's [security and analysis](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository) configuration. See [Security and Analysis Configuration](#security-and-analysis-configuration) below for details. +- `security_and_analysis` - (Optional) The repository's [security and analysis](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository) configuration. See [Security and Analysis Configuration](#security-and-analysis-configuration) below for details. -* `topics` - (Optional) The list of topics of the repository. +- `topics` - (Optional) The list of topics of the repository. ~> Note: This attribute is not compatible with the `github_repository_topics` resource. Use one of them. `github_repository_topics` is only meant to be used if the repository itself is not handled via terraform, for example if it's only read as a datasource (see [issue #1845](https://github.com/integrations/terraform-provider-github/issues/1845)). -* `template` - (Optional) Use a template repository to create this resource. See [Template Repositories](#template-repositories) below for details. +- `template` - (Optional) Use a template repository to create this resource. See [Template Repositories](#template-repositories) below for details. 
-* `vulnerability_alerts` - (Optional) Configure [Dependabot security alerts](https://help.github.com/en/github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies) for vulnerable dependencies; set to `true` to enable, set to `false` to disable, and leave unset for the default behavior. Configuring this requires that alerts are not being explicitly configured at the organization level.
+- `vulnerability_alerts` - (Optional) (**DEPRECATED**) Configure [Dependabot security alerts](https://help.github.com/en/github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies) for vulnerable dependencies; set to `true` to enable, set to `false` to disable, and leave unset for the default behavior. Configuring this requires that alerts are not being explicitly configured at the organization level. This field will be removed in a future version. Use the `github_repository_vulnerability_alerts` resource instead.
-* `ignore_vulnerability_alerts_during_read` (**DEPRECATED**) (Optional) - This is ignored as the provider now handles lack of permissions automatically.
+- `ignore_vulnerability_alerts_during_read` (**DEPRECATED**) (Optional) - This is ignored as the provider now handles lack of permissions automatically. This field will be removed in a future version.
-* `allow_update_branch` (Optional) - Set to `true` to always suggest updating pull request branches.
+- `allow_update_branch` (Optional) - Set to `true` to always suggest updating pull request branches.
 ### GitHub Pages Configuration
 The `pages` block supports the following:
-* `source` - (Optional) The source branch and directory for the rendered Pages site. See [GitHub Pages Source](#github-pages-source) below for details.
+- `source` - (Optional) The source branch and directory for the rendered Pages site. See [GitHub Pages Source](#github-pages-source) below for details.
-* `build_type` - (Optional) The type of GitHub Pages site to build. Can be `legacy` or `workflow`. If you use `legacy` as build type you need to set the option `source`.
+- `build_type` - (Optional) The type of GitHub Pages site to build. Can be `legacy` or `workflow`. If you use `legacy` as build type you need to set the option `source`.
-* `cname` - (Optional) The custom domain for the repository. This can only be set after the repository has been created.
+- `cname` - (Optional) The custom domain for the repository. This can only be set after the repository has been created.
 #### GitHub Pages Source
 The `source` block supports the following:
-* `branch` - (Required) The repository branch used to publish the site's source files. (i.e. `main` or `gh-pages`.
+- `branch` - (Required) The repository branch used to publish the site's source files. (i.e. `main` or `gh-pages`.
-* `path` - (Optional) The repository directory from which the site publishes (Default: `/`).
+- `path` - (Optional) The repository directory from which the site publishes (Default: `/`).
 ### Security and Analysis Configuration
 The `security_and_analysis` block supports the following:
-* `advanced_security` - (Optional) The advanced security configuration for the repository. See [Advanced Security Configuration](#advanced-security-configuration) below for details. If a repository's visibility is `public`, advanced security is always enabled and cannot be changed, so this setting cannot be supplied.
+- `advanced_security` - (Optional) The advanced security configuration for the repository. See [Advanced Security Configuration](#advanced-security-configuration) below for details. If a repository's visibility is `public`, advanced security is always enabled and cannot be changed, so this setting cannot be supplied.
-* `code_security` - (Optional) The code security configuration for the repository. See [Code Security](#code-security-configuration) below for details.
+- `code_security` - (Optional) The code security configuration for the repository. See [Code Security](#code-security-configuration) below for details.
-* `secret_scanning` - (Optional) The secret scanning configuration for the repository. See [Secret Scanning Configuration](#secret-scanning-configuration) below for details.
+- `secret_scanning` - (Optional) The secret scanning configuration for the repository. See [Secret Scanning Configuration](#secret-scanning-configuration) below for details.
-* `secret_scanning_push_protection` - (Optional) The secret scanning push protection configuration for the repository. See [Secret Scanning Push Protection Configuration](#secret-scanning-push-protection-configuration) below for details.
+- `secret_scanning_push_protection` - (Optional) The secret scanning push protection configuration for the repository. See [Secret Scanning Push Protection Configuration](#secret-scanning-push-protection-configuration) below for details.
-* `secret_scanning_ai_detection` - (Optional) The secret scanning ai detection configuration for the repository. See [Secret Scanning AI Detection Configuration](#secret-scanning-ai-detection-configuration) below for details.
+- `secret_scanning_ai_detection` - (Optional) The secret scanning ai detection configuration for the repository. See [Secret Scanning AI Detection Configuration](#secret-scanning-ai-detection) below for details.
-* `secret_scanning_non_provider_patterns` - (Optional) The secret scanning non-provider patterns configuration for this repository. See [Secret Scanning Non-Provider Patterns Configuration](#secret-scanning-non-provider-patterns-configuration) below for more details.
+- `secret_scanning_non_provider_patterns` - (Optional) The secret scanning non-provider patterns configuration for this repository. See [Secret Scanning Non-Provider Patterns Configuration](#secret-scanning-non-provider-patterns) below for more details.
 #### Advanced Security Configuration
 The `advanced_security` block supports the following:
-* `status` - (Required) Set to `enabled` to enable advanced security features on the repository. Can be `enabled` or `disabled`.
+- `status` - (Required) Set to `enabled` to enable advanced security features on the repository. Can be `enabled` or `disabled`.
 #### Code Security Configuration
-* `status` - (Required) Set to `enabled` to enable GitHub Code Security on the repository. Can be `enabled` or `disabled`. If set to `enabled`, the repository's visibility must be `public`, `security_and_analysis[0].advanced_security[0].status` must also be set to `enabled`, or your Organization must have split licensing for Advanced security.
+- `status` - (Required) Set to `enabled` to enable GitHub Code Security on the repository. Can be `enabled` or `disabled`. If set to `enabled`, the repository's visibility must be `public`, `security_and_analysis[0].advanced_security[0].status` must also be set to `enabled`, or your Organization must have split licensing for Advanced security.
 #### Secret Scanning Configuration
-* `status` - (Required) Set to `enabled` to enable secret scanning on the repository. Can be `enabled` or `disabled`. If set to `enabled`, the repository's visibility must be `public`, `security_and_analysis[0].advanced_security[0].status` must also be set to `enabled`, or your Organization must have split licensing for Advanced security.
+- `status` - (Required) Set to `enabled` to enable secret scanning on the repository. Can be `enabled` or `disabled`. If set to `enabled`, the repository's visibility must be `public`, `security_and_analysis[0].advanced_security[0].status` must also be set to `enabled`, or your Organization must have split licensing for Advanced security.
 #### Secret Scanning Push Protection Configuration
-* `status` - (Required) Set to `enabled` to enable secret scanning push protection on the repository. Can be `enabled` or `disabled`. If set to `enabled`, the repository's visibility must be `public`, `security_and_analysis[0].advanced_security[0].status` must also be set to `enabled`, or your Organization must have split licensing for Advanced security.
+- `status` - (Required) Set to `enabled` to enable secret scanning push protection on the repository. Can be `enabled` or `disabled`. If set to `enabled`, the repository's visibility must be `public`, `security_and_analysis[0].advanced_security[0].status` must also be set to `enabled`, or your Organization must have split licensing for Advanced security.
 #### Secret Scanning AI Detection
-* `status` - (Required) Set to `enabled` to enable secret scanning AI detection on the repository. Can be `enabled` or `disabled`. If set to `enabled`, the repository's visibility must be `public`, `security_and_analysis[0].advanced_security[0].status` must also be set to `enabled`, or your Organization must have split licensing for Advanced security.
+- `status` - (Required) Set to `enabled` to enable secret scanning AI detection on the repository. Can be `enabled` or `disabled`. If set to `enabled`, the repository's visibility must be `public`, `security_and_analysis[0].advanced_security[0].status` must also be set to `enabled`, or your Organization must have split licensing for Advanced security.
 #### Secret Scanning Non-Provider Patterns
-* `status` - (Required) Set to `enabled` to enable secret scanning non-provider patterns on the repository. Can be `enabled` or `disabled`. If set to `enabled`, the repository's visibility must be `public`, `security_and_analysis[0].advanced_security[0].status` must also be set to `enabled`, or your Organization must have split licensing for Advanced security.
+- `status` - (Required) Set to `enabled` to enable secret scanning non-provider patterns on the repository. Can be `enabled` or `disabled`. If set to `enabled`, the repository's visibility must be `public`, `security_and_analysis[0].advanced_security[0].status` must also be set to `enabled`, or your Organization must have split licensing for Advanced security.
 ### Template Repositories
 `template` supports the following arguments:
-* `owner`: The GitHub organization or user the template repository is owned by.
-* `repository`: The name of the template repository.
-* `include_all_branches`: Whether the new repository should include all the branches from the template repository (defaults to false, which includes only the default branch from the template).
+- `owner`: The GitHub organization or user the template repository is owned by.
+- `repository`: The name of the template repository.
+- `include_all_branches`: Whether the new repository should include all the branches from the template repository (defaults to false, which includes only the default branch from the template).
 ~> **Note on `internal` visibility with templates**: When creating a repository from a template with `visibility = "internal"`, the provider uses a two-step process due to GitHub API limitations. The template creation API only supports a `private` boolean parameter. Therefore, repositories with `visibility = "internal"` are initially created as private and then immediately updated to internal visibility. This ensures internal repositories are never exposed publicly during creation.
@@ -220,28 +220,28 @@ The `advanced_security` block supports the following:
 The following additional attributes are exported:
-* `full_name` - A string of the form "orgname/reponame".
+- `full_name` - A string of the form "orgname/reponame".
-* `html_url` - URL to the repository on the web.
+- `html_url` - URL to the repository on the web.
-* `ssh_clone_url` - URL that can be provided to `git clone` to clone the repository via SSH.
+- `ssh_clone_url` - URL that can be provided to `git clone` to clone the repository via SSH.
-* `http_clone_url` - URL that can be provided to `git clone` to clone the repository via HTTPS.
+- `http_clone_url` - URL that can be provided to `git clone` to clone the repository via HTTPS.
-* `git_clone_url` - URL that can be provided to `git clone` to clone the repository anonymously via the git protocol.
+- `git_clone_url` - URL that can be provided to `git clone` to clone the repository anonymously via the git protocol.
-* `svn_url` - URL that can be provided to `svn checkout` to check out the repository via GitHub's Subversion protocol emulation.
+- `svn_url` - URL that can be provided to `svn checkout` to check out the repository via GitHub's Subversion protocol emulation.
-* `node_id` - GraphQL global node id for use with v4 API
+- `node_id` - GraphQL global node id for use with v4 API
-* `repo_id` - GitHub ID for the repository
+- `repo_id` - GitHub ID for the repository
-* `primary_language` - The primary language used in the repository.
+- `primary_language` - The primary language used in the repository.
-* `pages` - The block consisting of the repository's GitHub Pages configuration with the following additional attributes:
-* `custom_404` - Whether the rendered GitHub Pages site has a custom 404 page.
-* `html_url` - The absolute URL (including scheme) of the rendered GitHub Pages site e.g. `https://username.github.io`.
-* `status` - The GitHub Pages site's build status e.g. `building` or `built`.
+- `pages` - The block consisting of the repository's GitHub Pages configuration with the following additional attributes:
+- `custom_404` - Whether the rendered GitHub Pages site has a custom 404 page.
+- `html_url` - The absolute URL (including scheme) of the rendered GitHub Pages site e.g. `https://username.github.io`.
+- `status` - The GitHub Pages site's build status e.g. `building` or `built`.
 ## Import
diff --git a/website/docs/r/repository_vulnerability_alerts.html.markdown b/website/docs/r/repository_vulnerability_alerts.html.markdown
new file mode 100644
index 0000000000..cb047819d0
--- /dev/null
+++ b/website/docs/r/repository_vulnerability_alerts.html.markdown
@@ -0,0 +1,49 @@
+---
+layout: "github"
+page_title: "GitHub: github_repository_vulnerability_alerts"
+description: |-
+ Manages vulnerability alerts for a GitHub repository
+---
+
+# github_repository_vulnerability_alerts
+
+This resource allows you to manage vulnerability alerts for a GitHub repository. See the
+[documentation](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)
+for details of usage and how this will impact your repository.
+
+## Example Usage
+
+```hcl
+resource "github_repository" "example" {
+ name = "my-repo"
+ description = "GitHub repo managed by Terraform"
+ visibility = "private"
+}
+
+resource "github_repository_vulnerability_alerts" "example" {
+ repository = github_repository.example.name
+ enabled = true
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+- `repository` - (Required) The name of the repository to configure vulnerability alerts for.
+
+- `enabled` - (Optional) Whether vulnerability alerts are enabled for the repository. Defaults to `true`.
+
+## Attribute Reference
+
+In addition to the above arguments, the following attributes are exported:
+
+- `repository_id` - The ID of the repository.
+
+## Import
+
+Repository vulnerability alerts can be imported using the `repository_name`:
+
+```sh
+terraform import github_repository_vulnerability_alerts.example my-repo
+```