Skip to content

feat: Add github_organization_security_configuration and github_enterprise_security_configuration resource#3284

Open
sprioriello wants to merge 43 commits into
integrations:mainfrom
sprioriello:feat/organization-security-configuration
Open

feat: Add github_organization_security_configuration and github_enterprise_security_configuration resource#3284
sprioriello wants to merge 43 commits into
integrations:mainfrom
sprioriello:feat/organization-security-configuration

Conversation

@sprioriello

@sprioriello sprioriello commented Mar 16, 2026

Copy link
Copy Markdown

This commit adds a new resource github_organization_security_configuration & github_enterprise_security_configuration to manage Code Security Configurations at the organization & enterprise level respectively. It includes:

  • Resource implementation.
  • Acceptance tests.
  • Documentation.
  • Provider registration.

Resolves #2412


Before the change?

  • Resource not available.

After the change?

  • Implement code security configuration resource on organizational level.

Pull request checklist

  • Schema migrations have been created if needed (example)
  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

Please see our docs on breaking changes to help!

  • Yes
  • No

Tests

==> Running acceptance tests on branch: 🌿 feat/organization-security-configuration 🌿...
TF_ACC=1 CGO_ENABLED=0 go test ./github/... -v -run '^TestAcc' -run='TestAccGithubOrganizationSecurityConfiguration'  -timeout 120m -count=1
=== RUN   TestAccGithubOrganizationSecurityConfiguration
=== RUN   TestAccGithubOrganizationSecurityConfiguration/creates_organization_security_configuration_without_error
=== RUN   TestAccGithubOrganizationSecurityConfiguration/imports_organization_security_configuration_without_error
=== RUN   TestAccGithubOrganizationSecurityConfiguration/updates_organization_security_configuration_without_error
=== RUN   TestAccGithubOrganizationSecurityConfiguration/creates_organization_security_configuration_with_options
=== RUN   TestAccGithubOrganizationSecurityConfiguration/creates_organization_security_configuration_with_minimal_config
=== RUN   TestAccGithubOrganizationSecurityConfiguration/creates_organization_security_configuration_with_delegated_bypass_options
--- PASS: TestAccGithubOrganizationSecurityConfiguration (67.76s)
    --- PASS: TestAccGithubOrganizationSecurityConfiguration/creates_organization_security_configuration_without_error (13.93s)
    --- PASS: TestAccGithubOrganizationSecurityConfiguration/imports_organization_security_configuration_without_error (11.92s)
    --- PASS: TestAccGithubOrganizationSecurityConfiguration/updates_organization_security_configuration_without_error (15.15s)
    --- PASS: TestAccGithubOrganizationSecurityConfiguration/creates_organization_security_configuration_with_options (8.70s)
    --- PASS: TestAccGithubOrganizationSecurityConfiguration/creates_organization_security_configuration_with_minimal_config (8.84s)
    --- PASS: TestAccGithubOrganizationSecurityConfiguration/creates_organization_security_configuration_with_delegated_bypass_options (9.21s)
PASS
ok      github.com/integrations/terraform-provider-github/v6/github     68.139s
==> Running acceptance tests on branch: 🌿 feat/organization-security-configuration 🌿...
TF_ACC=1 CGO_ENABLED=0 go test ./github/... -v -run '^TestAcc' -run='TestAccGithubEnterpriseSecurityConfiguration'  -timeout 120m -count=1
=== RUN   TestAccGithubEnterpriseSecurityConfiguration
=== RUN   TestAccGithubEnterpriseSecurityConfiguration/creates_enterprise_security_configuration_without_error
=== RUN   TestAccGithubEnterpriseSecurityConfiguration/imports_enterprise_security_configuration_without_error
=== RUN   TestAccGithubEnterpriseSecurityConfiguration/updates_enterprise_security_configuration_without_error
=== RUN   TestAccGithubEnterpriseSecurityConfiguration/creates_enterprise_security_configuration_with_options
=== RUN   TestAccGithubEnterpriseSecurityConfiguration/creates_enterprise_security_configuration_with_minimal_config
--- PASS: TestAccGithubEnterpriseSecurityConfiguration (53.47s)
    --- PASS: TestAccGithubEnterpriseSecurityConfiguration/creates_enterprise_security_configuration_without_error (11.07s)
    --- PASS: TestAccGithubEnterpriseSecurityConfiguration/imports_enterprise_security_configuration_without_error (10.70s)
    --- PASS: TestAccGithubEnterpriseSecurityConfiguration/updates_enterprise_security_configuration_without_error (14.06s)
    --- PASS: TestAccGithubEnterpriseSecurityConfiguration/creates_enterprise_security_configuration_with_options (8.78s)
    --- PASS: TestAccGithubEnterpriseSecurityConfiguration/creates_enterprise_security_configuration_with_minimal_config (8.85s)
PASS
ok      github.com/integrations/terraform-provider-github/v6/github     53.817s

@github-actions

Copy link
Copy Markdown

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀

@github-actions github-actions Bot added the Type: Feature New feature or request label Mar 16, 2026
@sprioriello sprioriello changed the title feat: Add github_organization_security_configuration and github_enter… feat: Add github_organization_security_configuration and github_enterprise_security_configuration resource Mar 16, 2026
sprioriello and others added 4 commits March 17, 2026 19:31
…prise_security_configuration resources

Adds two new resources to manage Code Security Configurations:

- github_organization_security_configuration: manages code security
  configurations at the organization level
- github_enterprise_security_configuration: manages code security
  configurations at the enterprise level

Both resources include:
- Full CRUD operations using GitHub's Code Security Configurations API
- Composite IDs (org/enterprise + config ID)
- 404-tolerant delete
- tflog structured logging throughout
- All optional fields use GetOk to avoid sending unset values
- Custom import support
- Shared expandCodeSecurityConfigurationCommon helper to avoid duplication
- All 4 delegated fields on enterprise: code_scanning_delegated_alert_dismissal,
  secret_scanning_delegated_bypass, secret_scanning_delegated_bypass_options,
  secret_scanning_delegated_alert_dismissal
- Fix flattenCodeScanningDefaultSetupOptions runner_type empty string drift

Acceptance tests (5 per resource):
- creates without error (with import verification)
- updates without error
- creates with nested options (runner, autosubmit)
- creates with minimal config (with import verification)
- creates with delegated bypass options

Documentation added for both resources.

Resolves integrations#2412

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ppers

- Add setCodeSecurityConfigurationState() to util_security_configuration.go,
  replacing ~83 identical d.Set() lines duplicated across both Read functions
- Remove expandCodeSecurityConfiguration() and expandEnterpriseCodeSecurityConfiguration()
  one-liner wrappers; callers now call expandCodeSecurityConfigurationCommon() directly

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Remove fmt.Sprintf from all tflog calls; use static messages with
  structured fields map for dynamic data (28 instances fixed)
- Add configuration_id Computed field to both resources so the numeric
  config ID is stored separately in state
- Update/Delete now read enterprise_slug and configuration_id from
  state via d.Get() instead of parsing the composite ID
- Update enterprise docs with configuration_id attribute

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…n_id

- Add missing organization_security_configuration documentation
- Fix enterprise docs: description is Optional not Required
- Add configuration_id assertions to both test files

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sprioriello sprioriello force-pushed the feat/organization-security-configuration branch from 8b5e69b to 20f4c17 Compare March 17, 2026 08:38
…view feedback

- Upgrade go-github imports from v83 to v84 across all feature files
- Remove secret_scanning_delegated_bypass from enterprise resource (org-only API)
- Fix reviewer_type enum casing to TEAM/ROLE to match GitHub API
- Wire expandSecretScanningDelegatedBypass into org Create/Update
- Remove hardcoded "disabled" defaults for code_security/secret_protection
- Use GetOk for description field in expand (consistency with other Optional fields)
- Add unit tests for all flatten utility functions (deiga requested)
- Add missing ImportState steps to acceptance tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sprioriello

sprioriello commented Mar 17, 2026

Copy link
Copy Markdown
Author

@deiga ready for review. Thanks for your patience!

I have allowed edits by maintainers.

@deiga deiga left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Partial review.

Please take some time and look at lately merged PRs to understand what kind of structures we are looking for.
I don't have the energy to review thousands of lines of code, when you haven't put in the work to adhere to the standards of the repo

Comment thread github/resource_github_organization_security_configuration_test.go Outdated
Comment thread github/resource_github_organization_security_configuration_test.go
Comment thread github/resource_github_organization_security_configuration_test.go Outdated
Comment thread github/resource_github_organization_security_configuration.go Outdated
Comment thread github/resource_github_organization_security_configuration.go Outdated
Comment thread github/resource_github_organization_security_configuration.go Outdated
Comment thread github/resource_github_organization_security_configuration.go Outdated
…nventions

- Add custom importer functions so Read doesn't parse from ID
- Read fetches org/enterprise and configuration_id from state
- Create/Update return nil instead of calling Read directly
- Use diags.HasError() instead of diags != nil
- Use testResourcePrefix in all test resource names
- Extract import tests into separate t.Run blocks
- Inline test HCL templates instead of shared tmpl variables
… Read

Create and Update functions now set state directly from the API response
via setCodeSecurityConfigurationState, rather than only setting
configuration_id. Enterprise Update also captures the API response
instead of discarding it.
…escription

- Add CheckDestroy functions to all acceptance tests for both org and
  enterprise security configuration resources
- Cast configuration.GetID() to int to match schema.TypeInt
- Fix redundant "code security configuration for the code security
  configuration" description on the code_security field
@sprioriello

sprioriello commented Mar 23, 2026

Copy link
Copy Markdown
Author

Reviewed and looking at the recent PRs to add in the changes the maintainers are implementing to try and make it consistent. I hope we are much closer this time.

@sprioriello sprioriello requested a review from deiga March 25, 2026 21:43
Comment thread github/resource_github_enterprise_security_configuration_test.go Outdated
Comment thread github/resource_github_organization_security_configuration.go Outdated
Comment thread github/util_security_configuration_test.go
Use single template string in enterprise update test, remove superfluous
buildID/SetId in import functions, refactor util tests to table-driven arrays.
@sprioriello sprioriello requested a review from deiga March 26, 2026 22:12
Adds table-driven tests for expandCodeSecurityConfigurationCommon and
expandSecretScanningDelegatedBypass, covering minimal input, all string
fields, nested block options, and delegated bypass with reviewers.
Comment thread github/resource_github_organization_security_configuration.go Outdated
Drop the org name from the compound resource ID since it was never used —
Read/Update/Delete all get the org from meta.(*Owner).name. This aligns
with the convention used by other org-scoped resources (organization_ruleset,
organization_webhook, organization_custom_role, etc.).
@sprioriello sprioriello requested a review from deiga April 11, 2026 11:17
@sprioriello

Copy link
Copy Markdown
Author

@deiga Thank you for taking the time to review this PR and for the detailed feedback across each round. All comments have been addressed. Looking forward to getting this feature out for the GitHub community!

@deiga deiga added this to the v6.13.0 Release milestone Apr 14, 2026
…pwell-review

Address @stevehipwell review: code idioms, lint, docs
@sprioriello

sprioriello commented Jun 24, 2026

Copy link
Copy Markdown
Author

@sprioriello I've opened sprioriello/terraform-provider-github#4 against your branch addressing @stevehipwell's review — ready for your review/merge when you get a chance.

It covers:

  • Docs callouts — dropped the **Note:** prefix
  • Import {} block examples added alongside the terraform import command (both resources)
  • Resource-code idioms across all CRUD in both resources — m any + meta, _ := m.(*Owner), comma-ok d.Get, single-line tflog, and errors.AsType[*github.ErrorResponse]
  • Renamed util_security_configuration.gosecurity_configuration.go (drops the generic util_ prefix per go.instructions.md)

One judgment call worth flagging for both of you: for the two comments about colocating expandCodeSecurityConfigurationCommon / setCodeSecurityConfigurationState into the resource files, I kept them shared (just renamed out of util_) rather than duplicating ~200 lines + their table-driven unit tests across both resources, since the enterprise config is the org config minus delegated bypass. Happy to fully inline into each resource file if @stevehipwell prefers — called out in the PR description. And agreed that matching data sources make sense as a separate follow-up.

go build / go vet / golangci-lint (0 issues) / gofmt / tfplugindocs validate all clean, and the full org acceptance suite passes 6/6 against a real GHAS org.

Thank you again @casey-robertson-paypal for your work helping with this PR. I have approved and merged the PR now.

The judgement call is up to @stevehipwell and the conventions they want to use for the maturing repo.

@stevehipwell stevehipwell left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking through this PR I don't think Optional & Computed is required on the config attributes. Either just Optional or Optional & Default would reduce the complexity of the logic and also reduce churn. I think I'm leaning towards just Optional.

Also as mentioned in my previous review, any shared state get/set logic should live with and be scoped to the resource code as it's fundamental to the resource logic.

FYI security_configuration.go needs to be renamed to util_security_configuration.go for consistency.

Comment thread github/resource_github_enterprise_security_configuration.go Outdated
- Restore util_ filename: security_configuration.go -> util_security_configuration.go
  (maintainer asked for util_ for consistency with the repo's other util_ files).
- Colocate state get/set logic into the resource files: each resource now has its
  own resourceGithub<Org|Enterprise>SecurityConfiguration{SetState,Expand}; the
  shared util_ file keeps only the pure flatten helpers. Org variants include the
  org-only delegated-bypass fields; enterprise variants are common-only.
- Schema: make 'description' Optional only (drop Computed). Verified against the
  GitHub API that an omitted description is returned null (not server-defaulted),
  so Computed is unnecessary and Optional causes no drift. The enum config
  attributes keep Optional+Computed because GitHub server-assigns values to them
  when omitted, so dropping Computed there would cause perpetual diffs.
@casey-robertson-paypal

Copy link
Copy Markdown

@sprioriello sprioriello/terraform-provider-github#5 is ready for review/merge — it addresses @stevehipwell's round-2 feedback:

  • util_ filename — reverted security_configuration.goutil_security_configuration.go for consistency.
  • Colocated state logicSetState/Expand now live in each resource file (resourceGithubOrganizationSecurityConfiguration{SetState,Expand} and the enterprise equivalents); util_security_configuration.go keeps only the pure flatten* helpers.
  • descriptionOptional (dropped Computed) — verified against the live API that an omitted description comes back null, so Computed isn't needed.

On the broader Optional/Computed point, @stevehipwell — I kept Optional + Computed on the enum config attributes deliberately: testing showed GitHub server-assigns values to those when omitted (dependency_graphenabled, enforcementenforced, the rest→disabled), so Optional-only would create a perpetual diff and a static Default couldn't match the (policy-dependent) values. Replied inline with the specifics — happy to revisit if you see it differently.

Verified: go build / go vet / golangci-lint (0 issues) / gofmt clean, and the full org acceptance suite passes 6/6 against a real GHAS org with a clean post-apply plan. (PR #5 is a clean diff of just these changes; the out-of-date-with-main notice here is separate — clearable via the "Update branch" button.)

@casey-robertson-paypal

casey-robertson-paypal commented Jun 24, 2026

Copy link
Copy Markdown

Acceptance test results (real GHAS org)

Since the acceptance suite only runs in CI under the acctest label, here's a consolidated report from running it against a real GitHub Enterprise Cloud org with GitHub Advanced Security enabled.

TestAccGithubOrganizationSecurityConfiguration — 6/6 passing, clean post-apply plan, no leftover resources:

Sub-test Exercises
creates …without_error create → read → destroy; core attributes
imports …without_error ImportState + ImportStateVerify (simple config)
updates …without_error in-place update; asserts configuration_id is unchanged across applies (not a destroy/recreate)
…with_options all three nested option blocks: dependency_graph_autosubmit_action_options, code_scanning_default_setup_options, code_scanning_options
…with_minimal_config minimal (name-only) config
…with_delegated_bypass_options secret_scanning_delegated_bypass_options.reviewers (provisions a real github_team); also verifies the nested blocks round-trip through import

Toolchain: go build / go vet / golangci-lint (0 issues) / gofmt / tfplugindocs validate all clean.

Coverage caveat — enterprise resource

The enterprise acceptance tests (TestAccGithubEnterpriseSecurityConfiguration) were not run live: the only enterprise available to me is a production one, and I didn't want to create/update/delete enterprise-level configurations against it. They compile and mirror the org tests, and the data-shaping logic is shared with the org resource (which the passing org suite exercises), but the enterprise-specific API calls and composite-ID import are validated only by build + unit tests here — live enterprise coverage is best left to maintainer CI, which has an enterprise configured.

Notes

The org create-with-delegated-bypass-reviewers path hits a GitHub REST API bug (POST …/code-security/configurations with secret_scanning_delegated_bypass_options.reviewers returns HTTP 500 while still creating the config). The resource works around it (create, then set reviewers via update); I'll file the 500 with GitHub separately so the simpler create-time path can be restored once it's fixed.

@casey-robertson-paypal

Copy link
Copy Markdown

@stevehipwell on your data-sources question — opened #3505 to track matching data sources for both configurations as a separate follow-up, keeping this PR focused on the resources. Happy to pick up the implementation once these land.

@casey-robertson-paypal

Copy link
Copy Markdown

Filed the GitHub API 500 (delegated-bypass create) upstream: https://github.com/orgs/community/discussions/200071 — for tracking once GitHub fixes it and the create-time path can be restored.

…lean

Address @stevehipwell round-2 review: colocate state logic, util_ filename, description Optional
@sprioriello sprioriello requested a review from stevehipwell June 25, 2026 00:12
@sprioriello

Copy link
Copy Markdown
Author

@sprioriello sprioriello/terraform-provider-github#5 is ready for review/merge — it addresses @stevehipwell's round-2 feedback:

  • util_ filename — reverted security_configuration.goutil_security_configuration.go for consistency.
  • Colocated state logicSetState/Expand now live in each resource file (resourceGithubOrganizationSecurityConfiguration{SetState,Expand} and the enterprise equivalents); util_security_configuration.go keeps only the pure flatten* helpers.
  • descriptionOptional (dropped Computed) — verified against the live API that an omitted description comes back null, so Computed isn't needed.

On the broader Optional/Computed point, @stevehipwell — I kept Optional + Computed on the enum config attributes deliberately: testing showed GitHub server-assigns values to those when omitted (dependency_graphenabled, enforcementenforced, the rest→disabled), so Optional-only would create a perpetual diff and a static Default couldn't match the (policy-dependent) values. Replied inline with the specifics — happy to revisit if you see it differently.

Verified: go build / go vet / golangci-lint (0 issues) / gofmt clean, and the full org acceptance suite passes 6/6 against a real GHAS org with a clean post-apply plan. (PR #5 is a clean diff of just these changes; the out-of-date-with-main notice here is separate — clearable via the "Update branch" button.)

Approved and merged

@stevehipwell

Copy link
Copy Markdown
Collaborator

On the broader Optional/Computed point, @stevehipwell — I kept Optional + Computed on the enum config attributes deliberately: testing showed GitHub server-assigns values to those when omitted (dependency_graph→enabled, enforcement→enforced, the rest→disabled), so Optional-only would create a perpetual diff and a static Default couldn't match the (policy-dependent) values. Replied inline with the specifics — happy to revisit if you see it differently.

@casey-robertson-paypal I think the issue here is that the logic to handle Optional + Computed is significantly more complex than just for Optional; especially in this case where the computed values aren't a function of the resource inputs. By removing Computed the logic can be that we only manage values with a non-empty string representation, otherwise we need to constantly look back to the raw config to check the user intent. If a user isn't setting a value then they should use the data source to look it up as this will cause less churn.

…values

Per @stevehipwell's review: remove Computed from the optional config attributes so
they are Optional only (configuration_id and target_type stay Computed).

To avoid perpetual diffs (GitHub server-assigns a value to every attribute even when
omitted), setState now only writes attributes the user manages — a non-empty value in
config on create/update, or in prior state on read (via d.Get). Unmanaged values are
not tracked in state and can be read with the data source instead.

Import consequence: with no config present, import populates the identifying fields
(configuration_id, name, target_type); attributes are then declared in config. Tests
adjusted accordingly (import test uses a name-only config; the delegated-bypass
nested-block import step is removed, as unmanaged/nested values don't round-trip in
this model).

Verified: org acceptance suite 6/6 with clean post-apply plans; go build / vet /
golangci-lint / gofmt all clean.
@casey-robertson-paypal

casey-robertson-paypal commented Jun 26, 2026

Copy link
Copy Markdown

Makes sense @stevehipwell — conceding the point. Implemented in sprioriello/terraform-provider-github#6 (for @sprioriello to merge): Computed dropped from the config attributes (Optional only; configuration_id/target_type stay Computed).

To keep plans clean without Computed — since GitHub server-assigns a value to every attribute even when omitted — setState now writes only the attributes the user manages (non-empty in config on create/update, or prior state on read), so unmanaged values stay out of state and are read via the data source instead. Org acceptance suite is 6/6 with clean post-apply plans.

One thing I'd value your steer on: with no config during import, there's no user intent to read, so I had import populate the identifying fields (configuration_id, name, target_type) and left the rest to be declared in config (tests adjusted to match). If you'd prefer import to populate the full resource instead, that's an easy change — just let me know which you'd like.

I'm going to be on vacation through July 5th but I'll check back in the following week. Thanks for the reviews and the guidance!

Drop Computed from config attributes (Optional only), per @stevehipwell

@stevehipwell stevehipwell left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the code can be simplified further now the inputs are optional and no longer computed. I've only reviewed the enterprise resource, but the comments apply to both.

Comment thread github/resource_github_enterprise_security_configuration.go Outdated
Comment thread github/resource_github_enterprise_security_configuration.go Outdated
Comment thread github/resource_github_enterprise_security_configuration.go Outdated
Comment thread github/resource_github_enterprise_security_configuration.go Outdated
Comment thread github/resource_github_enterprise_security_configuration.go Outdated
Per @stevehipwell's round-4 review:
- Optional (non-computed) attributes are persisted from config by the SDK, so Create
  only writes the computed values (configuration_id, target_type) inline, and Update
  writes nothing back.
- Read is the only place that reconciles state with the API: inlined, using d.GetOk
  as the primary filter so only managed attributes are refreshed (the removed
  resourceGithub*SetState helper is no longer needed).
- Make the sole bool in each optional block (labeled_runners, allow_advanced)
  Required rather than Optional, since optional bools are problematic.

Org acceptance suite 6/6; go build / vet / golangci-lint / gofmt clean; docs regenerated.
@casey-robertson-paypal

Copy link
Copy Markdown

@sprioriello sprioriello/terraform-provider-github#7 is up for merge — it implements @stevehipwell's round-4 simplification (applied to both resources): Create writes only the computed values, Update writes nothing back, Read reconciles via d.GetOk (the SetState helper is gone), and the sole bool on each optional block is now Required. Net less code, as expected. Org acceptance suite 6/6; build/vet/golangci(0)/gofmt clean; docs regenerated. Replied inline on each thread.

The enterprise import test set a description; under the Optional-only model import
does not round-trip unmanaged attributes, so ImportStateVerify would fail. Mirror
the org import test (identifying fields only). Enterprise acc tests skip without a
live enterprise, so this only surfaced in review.
Simplify CRUD now that config attributes are Optional-only (@stevehipwell round 4)
@sprioriello sprioriello requested a review from stevehipwell July 7, 2026 00:01
@sprioriello

Copy link
Copy Markdown
Author

@stevehipwell thanks to the work of @casey-robertson-paypal your last comments have been addressed and ready for another review. Looking forward to getting merged and released.

@stevehipwell stevehipwell left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is looking good, I've added some comments and please apply them across all of the code not just the instances I commented on.

Comment on lines +19 to +26
Description: "Manages a code security configuration for a GitHub Enterprise.",
CreateContext: resourceGithubEnterpriseSecurityConfigurationCreate,
ReadContext: resourceGithubEnterpriseSecurityConfigurationRead,
UpdateContext: resourceGithubEnterpriseSecurityConfigurationUpdate,
DeleteContext: resourceGithubEnterpriseSecurityConfigurationDelete,
Importer: &schema.ResourceImporter{
StateContext: resourceGithubEnterpriseSecurityConfigurationImport,
},

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Description: "Manages a code security configuration for a GitHub Enterprise.",
CreateContext: resourceGithubEnterpriseSecurityConfigurationCreate,
ReadContext: resourceGithubEnterpriseSecurityConfigurationRead,
UpdateContext: resourceGithubEnterpriseSecurityConfigurationUpdate,
DeleteContext: resourceGithubEnterpriseSecurityConfigurationDelete,
Importer: &schema.ResourceImporter{
StateContext: resourceGithubEnterpriseSecurityConfigurationImport,
},
CreateContext: resourceGithubEnterpriseSecurityConfigurationCreate,
ReadContext: resourceGithubEnterpriseSecurityConfigurationRead,
UpdateContext: resourceGithubEnterpriseSecurityConfigurationUpdate,
DeleteContext: resourceGithubEnterpriseSecurityConfigurationDelete,
Importer: &schema.ResourceImporter{
StateContext: resourceGithubEnterpriseSecurityConfigurationImport,
},
Description: "Resource to manage a GitHub code security configuration for an enterprise.",

Type: schema.TypeString,
Required: true,
ForceNew: true,
Description: "The slug of the enterprise.",

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Description: "The slug of the enterprise.",
Description: "Enterprise slug.",

The repetition of "The ..." in descriptions is best avoided if possible.

{"enforcement", configuration.GetEnforcement()},
}
for _, attr := range managed {
if _, ok := d.GetOk(attr.key); !ok {

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a comment here to the effect that this pattern does not support bool types as d.GetOk for a bool field will always return true.

Comment on lines +18 to +19
func TestAccGithubEnterpriseSecurityConfiguration(t *testing.T) {
t.Run("creates enterprise security configuration without error", func(t *testing.T) {

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
func TestAccGithubEnterpriseSecurityConfiguration(t *testing.T) {
t.Run("creates enterprise security configuration without error", func(t *testing.T) {
func TestAccGithubEnterpriseSecurityConfiguration(t *testing.T) {
t.Parallel()
skipUnlessEnterprise(t)
t.Run("creates enterprise security configuration without error", func(t *testing.T) {
t.Parallel()

The test code pattern has been updated so please make the tests parallel. Also please remove any shared skips from the PreCheck and set them at the top of the root test.

Comment on lines +47 to +56
statecheck.ExpectKnownValue("github_enterprise_security_configuration.test",
tfjsonpath.New("name"), knownvalue.StringExact(configName)),
statecheck.ExpectKnownValue("github_enterprise_security_configuration.test",
tfjsonpath.New("description"), knownvalue.StringExact("Test configuration")),
statecheck.ExpectKnownValue("github_enterprise_security_configuration.test",
tfjsonpath.New("advanced_security"), knownvalue.StringExact("enabled")),
statecheck.ExpectKnownValue("github_enterprise_security_configuration.test",
tfjsonpath.New("enforcement"), knownvalue.StringExact("enforced")),
statecheck.ExpectKnownValue("github_enterprise_security_configuration.test",
tfjsonpath.New("configuration_id"), knownvalue.NotNull()),

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please don't split lines.

Comment on lines +24 to +37
resource "github_enterprise_security_configuration" "test" {
enterprise_slug = "%s"
name = "%s"
description = "Test configuration"
advanced_security = "enabled"
dependency_graph = "enabled"
dependabot_alerts = "enabled"
dependabot_security_updates = "enabled"
code_scanning_default_setup = "enabled"
secret_scanning = "enabled"
secret_scanning_push_protection = "enabled"
private_vulnerability_reporting = "enabled"
enforcement = "enforced"
}`, testAccConf.enterpriseSlug, configName)

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
resource "github_enterprise_security_configuration" "test" {
enterprise_slug = "%s"
name = "%s"
description = "Test configuration"
advanced_security = "enabled"
dependency_graph = "enabled"
dependabot_alerts = "enabled"
dependabot_security_updates = "enabled"
code_scanning_default_setup = "enabled"
secret_scanning = "enabled"
secret_scanning_push_protection = "enabled"
private_vulnerability_reporting = "enabled"
enforcement = "enforced"
}`, testAccConf.enterpriseSlug, configName)
resource "github_enterprise_security_configuration" "test" {
enterprise_slug = "%s"
name = "%s"
description = "Test configuration"
advanced_security = "enabled"
dependency_graph = "enabled"
dependabot_alerts = "enabled"
dependabot_security_updates = "enabled"
code_scanning_default_setup = "enabled"
secret_scanning = "enabled"
secret_scanning_push_protection = "enabled"
private_vulnerability_reporting = "enabled"
enforcement = "enforced"
}`, testAccConf.enterpriseSlug, configName)

Please use Terraform formatting (2-space) not Go formatting.

Comment on lines +95 to +103
tmpl := `
resource "github_enterprise_security_configuration" "test" {
enterprise_slug = "%s"
name = "%s"
description = "%s"
advanced_security = "%s"
}`
configBefore := fmt.Sprintf(tmpl, testAccConf.enterpriseSlug, configName, "Test configuration", "disabled")
configAfter := fmt.Sprintf(tmpl, testAccConf.enterpriseSlug, configNameUpdated, "Test configuration updated", "enabled")

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tests are easier to reason about if config is pre-rendered with the fixed values (%v) while keeping placeholders (%%v) so Config: fmt.Sprintf(config, myValue),.


// configuration_id must be identical across both steps, proving the change is an
// in-place update rather than a destroy-and-recreate.
configurationIDUnchanged := statecheck.CompareValue(compare.ValuesSame())

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use ConfigPlanChecks to check the resource action rather than checking the ID isn;t changed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

New resource Type: Feature New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[FEAT]: Code Security Configuration

4 participants