diff --git a/github/data_source_github_actions_organization_oidc_subject_claim_customization_template.go b/github/data_source_github_actions_organization_oidc_subject_claim_customization_template.go new file mode 100644 index 0000000000..3e4fe51627 --- /dev/null +++ b/github/data_source_github_actions_organization_oidc_subject_claim_customization_template.go @@ -0,0 +1,44 @@ +package github + +import ( + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" +) + +func dataSourceGithubActionsOrganizationOIDCSubjectClaimCustomizationTemplate() *schema.Resource { + return &schema.Resource{ + Read: dataSourceGithubActionsOrganizationOIDCSubjectClaimCustomizationTemplateRead, + + Schema: map[string]*schema.Schema{ + "include_claim_keys": { + Type: schema.TypeList, + Computed: true, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + } +} + +func dataSourceGithubActionsOrganizationOIDCSubjectClaimCustomizationTemplateRead(d *schema.ResourceData, meta interface{}) error { + + client := meta.(*Owner).v3client + orgName := meta.(*Owner).name + ctx := meta.(*Owner).StopContext + + err := checkOrganization(meta) + if err != nil { + return err + } + + template, _, err := client.Actions.GetOrgOIDCSubjectClaimCustomTemplate(ctx, orgName) + + if err != nil { + return err + } + + d.SetId(orgName) + d.Set("include_claim_keys", template.IncludeClaimKeys) + + return nil +} diff --git a/github/data_source_github_actions_organization_oidc_subject_claim_customization_template_test.go b/github/data_source_github_actions_organization_oidc_subject_claim_customization_template_test.go new file mode 100644 index 0000000000..54f77ea4e4 --- /dev/null +++ b/github/data_source_github_actions_organization_oidc_subject_claim_customization_template_test.go @@ -0,0 +1,60 @@ +package github + +import ( + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/helper/resource" +) + +func TestAccGithubActionsOrganizationOIDCSubjectClaimCustomizationTemplateDataSource(t *testing.T) { + + t.Run("get an organization oidc subject claim customization template without error", func(t *testing.T) { + + config := ` + resource "github_actions_organization_oidc_subject_claim_customization_template" "test" { + include_claim_keys = ["actor", "actor_id", "head_ref", "repository"] + } + ` + + config2 := config + ` + data "github_actions_organization_oidc_subject_claim_customization_template" "test" {} + ` + + check := resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("data.github_actions_organization_oidc_subject_claim_customization_template.test", "include_claim_keys.#", "4"), + resource.TestCheckResourceAttr("data.github_actions_organization_oidc_subject_claim_customization_template.test", "include_claim_keys.0", "actor"), + resource.TestCheckResourceAttr("data.github_actions_organization_oidc_subject_claim_customization_template.test", "include_claim_keys.1", "actor_id"), + resource.TestCheckResourceAttr("data.github_actions_organization_oidc_subject_claim_customization_template.test", "include_claim_keys.2", "head_ref"), + resource.TestCheckResourceAttr("data.github_actions_organization_oidc_subject_claim_customization_template.test", "include_claim_keys.3", "repository"), + ) + + testCase := func(t *testing.T, mode string) { + resource.Test(t, resource.TestCase{ + PreCheck: func() { skipUnlessMode(t, mode) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: config, + Check: resource.ComposeTestCheckFunc(), + }, + { + Config: config2, + Check: check, + }, + }, + }) + } + + t.Run("with an anonymous account", func(t *testing.T) { + t.Skip("anonymous account not supported for this operation") + }) + + t.Run("with an individual account", func(t *testing.T) { + t.Skip("individual account not supported for this operation") + }) + + t.Run("with an organization account", func(t *testing.T) { + testCase(t, organization) + }) + }) +} diff --git a/github/data_source_github_actions_repository_oidc_subject_claim_customization_template.go b/github/data_source_github_actions_repository_oidc_subject_claim_customization_template.go new file mode 100644 index 0000000000..3f5adf371b --- /dev/null +++ b/github/data_source_github_actions_repository_oidc_subject_claim_customization_template.go @@ -0,0 +1,47 @@ +package github + +import "github.com/hashicorp/terraform-plugin-sdk/helper/schema" + +func dataSourceGithubActionsRepositoryOIDCSubjectClaimCustomizationTemplate() *schema.Resource { + return &schema.Resource{ + Read: dataSourceGithubActionsRepositoryOIDCSubjectClaimCustomizationTemplateRead, + + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Required: true, + }, + "use_default": { + Type: schema.TypeBool, + Computed: true, + }, + "include_claim_keys": { + Type: schema.TypeList, + Computed: true, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + } +} + +func dataSourceGithubActionsRepositoryOIDCSubjectClaimCustomizationTemplateRead(d *schema.ResourceData, meta interface{}) error { + client := meta.(*Owner).v3client + + repository := d.Get("name").(string) + owner := meta.(*Owner).name + ctx := meta.(*Owner).StopContext + + template, _, err := client.Actions.GetRepoOIDCSubjectClaimCustomTemplate(ctx, owner, repository) + + if err != nil { + return err + } + + d.SetId(repository) + d.Set("use_default", template.UseDefault) + d.Set("include_claim_keys", template.IncludeClaimKeys) + + return nil +} diff --git a/github/data_source_github_actions_repository_oidc_subject_claim_customization_template_test.go b/github/data_source_github_actions_repository_oidc_subject_claim_customization_template_test.go new file mode 100644 index 0000000000..fa3f19a6a1 --- /dev/null +++ b/github/data_source_github_actions_repository_oidc_subject_claim_customization_template_test.go @@ -0,0 +1,104 @@ +package github + +import ( + "fmt" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/helper/acctest" + "github.com/hashicorp/terraform-plugin-sdk/helper/resource" +) + +func TestAccGithubActionsRepositoryOIDCSubjectClaimCustomizationTemplateDataSource(t *testing.T) { + + randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum) + + t.Run("get an repository oidc subject claim customization template without error", func(t *testing.T) { + + config := fmt.Sprintf(` + resource "github_repository" "test" { + name = "tf-acc-test-%s" + private = true + } + + resource "github_actions_repository_oidc_subject_claim_customization_template" "test" { + repository = github_repository.test.name + use_default = false + include_claim_keys = ["repo", "context", "job_workflow_ref"] + } + `, randomID) + + config2 := config + ` + data "github_actions_repository_oidc_subject_claim_customization_template" "test" { + name = github_repository.test.name + } + ` + + config3 := fmt.Sprintf(` + resource "github_repository" "test" { + name = "tf-acc-test-%s" + private = true + } + + resource "github_actions_repository_oidc_subject_claim_customization_template" "test" { + repository = github_repository.test.name + use_default = true + } + `, randomID) + + config4 := config3 + ` + data "github_actions_repository_oidc_subject_claim_customization_template" "test" { + name = github_repository.test.name + } + ` + + check1 := resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("data.github_actions_repository_oidc_subject_claim_customization_template.test", "use_default", "false"), + resource.TestCheckResourceAttr("data.github_actions_repository_oidc_subject_claim_customization_template.test", "include_claim_keys.#", "3"), + resource.TestCheckResourceAttr("data.github_actions_repository_oidc_subject_claim_customization_template.test", "include_claim_keys.0", "repo"), + resource.TestCheckResourceAttr("data.github_actions_repository_oidc_subject_claim_customization_template.test", "include_claim_keys.1", "context"), + resource.TestCheckResourceAttr("data.github_actions_repository_oidc_subject_claim_customization_template.test", "include_claim_keys.2", "job_workflow_ref"), + ) + + check2 := resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("data.github_actions_repository_oidc_subject_claim_customization_template.test", "use_default", "true"), + resource.TestCheckNoResourceAttr("data.github_actions_repository_oidc_subject_claim_customization_template.test", "include_claim_keys"), + ) + + testCase := func(t *testing.T, mode string) { + resource.Test(t, resource.TestCase{ + PreCheck: func() { skipUnlessMode(t, mode) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: config, + Check: resource.ComposeTestCheckFunc(), + }, + { + Config: config2, + Check: check1, + }, + { + Config: config3, + Check: resource.ComposeTestCheckFunc(), + }, + { + Config: config4, + Check: check2, + }, + }, + }) + } + + t.Run("with an anonymous account", func(t *testing.T) { + t.Skip("anonymous account not supported for this operation") + }) + + t.Run("with an individual account", func(t *testing.T) { + testCase(t, individual) + }) + + t.Run("with an organization account", func(t *testing.T) { + testCase(t, organization) + }) + }) +} diff --git a/github/provider.go b/github/provider.go index 94bb24b2e5..7b1286917c 100644 --- a/github/provider.go +++ b/github/provider.go @@ -89,95 +89,99 @@ func Provider() terraform.ResourceProvider { }, ResourcesMap: map[string]*schema.Resource{ - "github_actions_environment_secret": resourceGithubActionsEnvironmentSecret(), - "github_actions_organization_permissions": resourceGithubActionsOrganizationPermissions(), - "github_actions_organization_secret": resourceGithubActionsOrganizationSecret(), - "github_actions_organization_secret_repositories": resourceGithubActionsOrganizationSecretRepositories(), - "github_actions_repository_access_level": resourceGithubActionsRepositoryAccessLevel(), - "github_actions_repository_permissions": resourceGithubActionsRepositoryPermissions(), - "github_actions_runner_group": resourceGithubActionsRunnerGroup(), - "github_actions_secret": resourceGithubActionsSecret(), - "github_app_installation_repositories": resourceGithubAppInstallationRepositories(), - "github_app_installation_repository": resourceGithubAppInstallationRepository(), - "github_branch": resourceGithubBranch(), - "github_branch_default": resourceGithubBranchDefault(), - "github_branch_protection": resourceGithubBranchProtection(), - "github_branch_protection_v3": resourceGithubBranchProtectionV3(), - "github_dependabot_organization_secret": resourceGithubDependabotOrganizationSecret(), - "github_dependabot_organization_secret_repositories": resourceGithubDependabotOrganizationSecretRepositories(), - "github_dependabot_secret": resourceGithubDependabotSecret(), - "github_enterprise_organization": resourceGithubEnterpriseOrganization(), - "github_emu_group_mapping": resourceGithubEMUGroupMapping(), - "github_issue": resourceGithubIssue(), - "github_issue_label": resourceGithubIssueLabel(), - "github_membership": resourceGithubMembership(), - "github_organization_block": resourceOrganizationBlock(), - "github_organization_project": resourceGithubOrganizationProject(), - "github_organization_security_manager": resourceGithubOrganizationSecurityManager(), - "github_organization_settings": resourceGithubOrganizationSettings(), - "github_organization_webhook": resourceGithubOrganizationWebhook(), - "github_project_card": resourceGithubProjectCard(), - "github_project_column": resourceGithubProjectColumn(), - "github_release": resourceGithubRelease(), - "github_repository": resourceGithubRepository(), - "github_repository_autolink_reference": resourceGithubRepositoryAutolinkReference(), - "github_repository_collaborator": resourceGithubRepositoryCollaborator(), - "github_repository_deploy_key": resourceGithubRepositoryDeployKey(), - "github_repository_environment": resourceGithubRepositoryEnvironment(), - "github_repository_file": resourceGithubRepositoryFile(), - "github_repository_milestone": resourceGithubRepositoryMilestone(), - "github_repository_project": resourceGithubRepositoryProject(), - "github_repository_pull_request": resourceGithubRepositoryPullRequest(), - "github_repository_tag_protection": resourceGithubRepositoryTagProtection(), - "github_repository_webhook": resourceGithubRepositoryWebhook(), - "github_team": resourceGithubTeam(), - "github_team_members": resourceGithubTeamMembers(), - "github_team_membership": resourceGithubTeamMembership(), - "github_team_repository": resourceGithubTeamRepository(), - "github_team_settings": resourceGithubTeamSettings(), - "github_team_sync_group_mapping": resourceGithubTeamSyncGroupMapping(), - "github_user_gpg_key": resourceGithubUserGpgKey(), - "github_user_invitation_accepter": resourceGithubUserInvitationAccepter(), - "github_user_ssh_key": resourceGithubUserSshKey(), + "github_actions_environment_secret": resourceGithubActionsEnvironmentSecret(), + "github_actions_organization_oidc_subject_claim_customization_template": resourceGithubActionsOrganizationOIDCSubjectClaimCustomizationTemplate(), + "github_actions_organization_permissions": resourceGithubActionsOrganizationPermissions(), + "github_actions_organization_secret": resourceGithubActionsOrganizationSecret(), + "github_actions_organization_secret_repositories": resourceGithubActionsOrganizationSecretRepositories(), + "github_actions_repository_access_level": resourceGithubActionsRepositoryAccessLevel(), + "github_actions_repository_oidc_subject_claim_customization_template": resourceGithubActionsRepositoryOIDCSubjectClaimCustomizationTemplate(), + "github_actions_repository_permissions": resourceGithubActionsRepositoryPermissions(), + "github_actions_runner_group": resourceGithubActionsRunnerGroup(), + "github_actions_secret": resourceGithubActionsSecret(), + "github_app_installation_repositories": resourceGithubAppInstallationRepositories(), + "github_app_installation_repository": resourceGithubAppInstallationRepository(), + "github_branch": resourceGithubBranch(), + "github_branch_default": resourceGithubBranchDefault(), + "github_branch_protection": resourceGithubBranchProtection(), + "github_branch_protection_v3": resourceGithubBranchProtectionV3(), + "github_dependabot_organization_secret": resourceGithubDependabotOrganizationSecret(), + "github_dependabot_organization_secret_repositories": resourceGithubDependabotOrganizationSecretRepositories(), + "github_dependabot_secret": resourceGithubDependabotSecret(), + "github_emu_group_mapping": resourceGithubEMUGroupMapping(), + "github_issue": resourceGithubIssue(), + "github_issue_label": resourceGithubIssueLabel(), + "github_membership": resourceGithubMembership(), + "github_organization_block": resourceOrganizationBlock(), + "github_organization_project": resourceGithubOrganizationProject(), + "github_organization_security_manager": resourceGithubOrganizationSecurityManager(), + "github_organization_settings": resourceGithubOrganizationSettings(), + "github_organization_webhook": resourceGithubOrganizationWebhook(), + "github_project_card": resourceGithubProjectCard(), + "github_project_column": resourceGithubProjectColumn(), + "github_release": resourceGithubRelease(), + "github_repository": resourceGithubRepository(), + "github_repository_autolink_reference": resourceGithubRepositoryAutolinkReference(), + "github_repository_collaborator": resourceGithubRepositoryCollaborator(), + "github_repository_deploy_key": resourceGithubRepositoryDeployKey(), + "github_repository_environment": resourceGithubRepositoryEnvironment(), + "github_repository_file": resourceGithubRepositoryFile(), + "github_repository_milestone": resourceGithubRepositoryMilestone(), + "github_repository_project": resourceGithubRepositoryProject(), + "github_repository_pull_request": resourceGithubRepositoryPullRequest(), + "github_repository_tag_protection": resourceGithubRepositoryTagProtection(), + "github_repository_webhook": resourceGithubRepositoryWebhook(), + "github_team": resourceGithubTeam(), + "github_team_members": resourceGithubTeamMembers(), + "github_team_membership": resourceGithubTeamMembership(), + "github_team_repository": resourceGithubTeamRepository(), + "github_team_settings": resourceGithubTeamSettings(), + "github_team_sync_group_mapping": resourceGithubTeamSyncGroupMapping(), + "github_user_gpg_key": resourceGithubUserGpgKey(), + "github_user_invitation_accepter": resourceGithubUserInvitationAccepter(), + "github_user_ssh_key": resourceGithubUserSshKey(), + "github_enterprise_organization": resourceGithubEnterpriseOrganization(), }, DataSourcesMap: map[string]*schema.Resource{ - "github_actions_organization_registration_token": dataSourceGithubActionsOrganizationRegistrationToken(), - "github_actions_organization_secrets": dataSourceGithubActionsOrganizationSecrets(), - "github_actions_public_key": dataSourceGithubActionsPublicKey(), - "github_actions_registration_token": dataSourceGithubActionsRegistrationToken(), - "github_actions_secrets": dataSourceGithubActionsSecrets(), - "github_app": dataSourceGithubApp(), - "github_branch": dataSourceGithubBranch(), - "github_collaborators": dataSourceGithubCollaborators(), - "github_dependabot_organization_secrets": dataSourceGithubDependabotOrganizationSecrets(), - "github_dependabot_public_key": dataSourceGithubDependabotPublicKey(), - "github_dependabot_secrets": dataSourceGithubDependabotSecrets(), - "github_enterprise": dataSourceGithubEnterprise(), - "github_external_groups": dataSourceGithubExternalGroups(), - "github_ip_ranges": dataSourceGithubIpRanges(), - "github_membership": dataSourceGithubMembership(), - "github_organization": dataSourceGithubOrganization(), - "github_organization_ip_allow_list": dataSourceGithubOrganizationIpAllowList(), - "github_organization_team_sync_groups": dataSourceGithubOrganizationTeamSyncGroups(), - "github_organization_teams": dataSourceGithubOrganizationTeams(), - "github_organization_webhooks": dataSourceGithubOrganizationWebhooks(), - "github_ref": dataSourceGithubRef(), - "github_release": dataSourceGithubRelease(), - "github_repositories": dataSourceGithubRepositories(), - "github_repository": dataSourceGithubRepository(), - "github_repository_branches": dataSourceGithubRepositoryBranches(), - "github_repository_deploy_keys": dataSourceGithubRepositoryDeployKeys(), - "github_repository_file": dataSourceGithubRepositoryFile(), - "github_repository_milestone": dataSourceGithubRepositoryMilestone(), - "github_repository_pull_request": dataSourceGithubRepositoryPullRequest(), - "github_repository_pull_requests": dataSourceGithubRepositoryPullRequests(), - "github_repository_teams": dataSourceGithubRepositoryTeams(), - "github_repository_webhooks": dataSourceGithubRepositoryWebhooks(), - "github_team": dataSourceGithubTeam(), - "github_tree": dataSourceGithubTree(), - "github_user": dataSourceGithubUser(), - "github_users": dataSourceGithubUsers(), + "github_actions_organization_oidc_subject_claim_customization_template": dataSourceGithubActionsOrganizationOIDCSubjectClaimCustomizationTemplate(), + "github_actions_organization_registration_token": dataSourceGithubActionsOrganizationRegistrationToken(), + "github_actions_organization_secrets": dataSourceGithubActionsOrganizationSecrets(), + "github_actions_public_key": dataSourceGithubActionsPublicKey(), + "github_actions_registration_token": dataSourceGithubActionsRegistrationToken(), + "github_actions_repository_oidc_subject_claim_customization_template": dataSourceGithubActionsRepositoryOIDCSubjectClaimCustomizationTemplate(), + "github_actions_secrets": dataSourceGithubActionsSecrets(), + "github_app": dataSourceGithubApp(), + "github_branch": dataSourceGithubBranch(), + "github_collaborators": dataSourceGithubCollaborators(), + "github_dependabot_organization_secrets": dataSourceGithubDependabotOrganizationSecrets(), + "github_dependabot_public_key": dataSourceGithubDependabotPublicKey(), + "github_dependabot_secrets": dataSourceGithubDependabotSecrets(), + "github_external_groups": dataSourceGithubExternalGroups(), + "github_ip_ranges": dataSourceGithubIpRanges(), + "github_membership": dataSourceGithubMembership(), + "github_organization": dataSourceGithubOrganization(), + "github_organization_ip_allow_list": dataSourceGithubOrganizationIpAllowList(), + "github_organization_team_sync_groups": dataSourceGithubOrganizationTeamSyncGroups(), + "github_organization_teams": dataSourceGithubOrganizationTeams(), + "github_organization_webhooks": dataSourceGithubOrganizationWebhooks(), + "github_ref": dataSourceGithubRef(), + "github_release": dataSourceGithubRelease(), + "github_repositories": dataSourceGithubRepositories(), + "github_repository": dataSourceGithubRepository(), + "github_repository_branches": dataSourceGithubRepositoryBranches(), + "github_repository_deploy_keys": dataSourceGithubRepositoryDeployKeys(), + "github_repository_file": dataSourceGithubRepositoryFile(), + "github_repository_milestone": dataSourceGithubRepositoryMilestone(), + "github_repository_pull_request": dataSourceGithubRepositoryPullRequest(), + "github_repository_pull_requests": dataSourceGithubRepositoryPullRequests(), + "github_repository_teams": dataSourceGithubRepositoryTeams(), + "github_repository_webhooks": dataSourceGithubRepositoryWebhooks(), + "github_team": dataSourceGithubTeam(), + "github_tree": dataSourceGithubTree(), + "github_user": dataSourceGithubUser(), + "github_users": dataSourceGithubUsers(), + "github_enterprise": dataSourceGithubEnterprise(), }, } diff --git a/github/resource_github_actions_organization_oidc_subject_claim_customization_template.go b/github/resource_github_actions_organization_oidc_subject_claim_customization_template.go new file mode 100644 index 0000000000..86c0f4a208 --- /dev/null +++ b/github/resource_github_actions_organization_oidc_subject_claim_customization_template.go @@ -0,0 +1,105 @@ +package github + +import ( + "context" + + "github.com/google/go-github/v49/github" + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" +) + +func resourceGithubActionsOrganizationOIDCSubjectClaimCustomizationTemplate() *schema.Resource { + return &schema.Resource{ + Create: resourceGithubActionsOrganizationOIDCSubjectClaimCustomizationTemplateCreateOrUpdate, + Read: resourceGithubActionsOrganizationOIDCSubjectClaimCustomizationTemplateRead, + Update: resourceGithubActionsOrganizationOIDCSubjectClaimCustomizationTemplateCreateOrUpdate, + Delete: resourceGithubActionsOrganizationOIDCSubjectClaimCustomizationTemplateDelete, + Importer: &schema.ResourceImporter{ + State: schema.ImportStatePassthrough, + }, + Schema: map[string]*schema.Schema{ + "include_claim_keys": { + Type: schema.TypeList, + Required: true, + MinItems: 1, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + } +} + +func resourceGithubActionsOrganizationOIDCSubjectClaimCustomizationTemplateCreateOrUpdate(d *schema.ResourceData, meta interface{}) error { + client := meta.(*Owner).v3client + orgName := meta.(*Owner).name + ctx := context.Background() + + err := checkOrganization(meta) + if err != nil { + return err + } + + includeClaimKeys := d.Get("include_claim_keys").([]interface{}) + + claimsStr := make([]string, len(includeClaimKeys)) + + for i, v := range includeClaimKeys { + claimsStr[i] = v.(string) + } + + _, err = client.Actions.SetOrgOIDCSubjectClaimCustomTemplate(ctx, orgName, &github.OIDCSubjectClaimCustomTemplate{ + IncludeClaimKeys: claimsStr, + }) + + if err != nil { + return err + } + + d.SetId(orgName) + return resourceGithubActionsOrganizationOIDCSubjectClaimCustomizationTemplateRead(d, meta) +} + +func resourceGithubActionsOrganizationOIDCSubjectClaimCustomizationTemplateRead(d *schema.ResourceData, meta interface{}) error { + client := meta.(*Owner).v3client + ctx := context.Background() + orgName := meta.(*Owner).name + + err := checkOrganization(meta) + if err != nil { + return err + } + + template, _, err := client.Actions.GetOrgOIDCSubjectClaimCustomTemplate(ctx, orgName) + + if err != nil { + return err + } + + d.Set("include_claim_keys", template.IncludeClaimKeys) + + return nil +} + +func resourceGithubActionsOrganizationOIDCSubjectClaimCustomizationTemplateDelete(d *schema.ResourceData, meta interface{}) error { + + // Sets include_claim_keys back to GitHub's defaults + // https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#resetting-your-customizations + client := meta.(*Owner).v3client + orgName := meta.(*Owner).name + ctx := context.Background() + + err := checkOrganization(meta) + if err != nil { + return err + } + + _, err = client.Actions.SetOrgOIDCSubjectClaimCustomTemplate(ctx, orgName, &github.OIDCSubjectClaimCustomTemplate{ + IncludeClaimKeys: []string{"repo", "context"}, + }) + + if err != nil { + return err + } + + return nil +} diff --git a/github/resource_github_actions_organization_oidc_subject_claim_customization_template_test.go b/github/resource_github_actions_organization_oidc_subject_claim_customization_template_test.go new file mode 100644 index 0000000000..48553dfa04 --- /dev/null +++ b/github/resource_github_actions_organization_oidc_subject_claim_customization_template_test.go @@ -0,0 +1,200 @@ +package github + +import ( + "fmt" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/helper/resource" +) + +func TestAccGithubActionsOrganizationOIDCSubjectClaimCustomizationTemplate(t *testing.T) { + t.Run("creates organization oidc subject claim customization template without error", func(t *testing.T) { + + config := ` + resource "github_actions_organization_oidc_subject_claim_customization_template" "test" { + include_claim_keys = ["repo", "context", "job_workflow_ref"] + }` + + check := resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr( + "github_actions_organization_oidc_subject_claim_customization_template.test", + "include_claim_keys.#", "3", + ), + resource.TestCheckResourceAttr( + "github_actions_organization_oidc_subject_claim_customization_template.test", + "include_claim_keys.0", "repo", + ), + resource.TestCheckResourceAttr( + "github_actions_organization_oidc_subject_claim_customization_template.test", + "include_claim_keys.1", "context", + ), + resource.TestCheckResourceAttr( + "github_actions_organization_oidc_subject_claim_customization_template.test", + "include_claim_keys.2", "job_workflow_ref", + ), + ) + testCase := func(t *testing.T, mode string) { + resource.Test(t, resource.TestCase{ + PreCheck: func() { skipUnlessMode(t, mode) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: config, + Check: check, + }, + }, + }) + } + t.Run("run with an anonymous account", func(t *testing.T) { + t.Skip("anonymous account not supported for this operation") + }) + t.Run("run with an individual account", func(t *testing.T) { + t.Skip("individual account not supported for this operation") + }) + t.Run("run with an organization account", func(t *testing.T) { + testCase(t, organization) + }) + }) + + t.Run("updates organization oidc subject claim customization template without error", func(t *testing.T) { + + resourceTemplate := ` + resource "github_actions_organization_oidc_subject_claim_customization_template" "test" { + include_claim_keys = %s + }` + + claims := `["repository_owner_id", "run_id", "workflow"]` + updatedClaims := `["actor", "actor_id", "head_ref", "repository"]` + + configs := map[string]string{ + "before": fmt.Sprintf(resourceTemplate, claims), + + "after": fmt.Sprintf(resourceTemplate, updatedClaims), + } + checks := map[string]resource.TestCheckFunc{ + "before": resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr( + "github_actions_organization_oidc_subject_claim_customization_template.test", + "include_claim_keys.#", "3", + ), + resource.TestCheckResourceAttr( + "github_actions_organization_oidc_subject_claim_customization_template.test", + "include_claim_keys.0", "repository_owner_id", + ), + resource.TestCheckResourceAttr( + "github_actions_organization_oidc_subject_claim_customization_template.test", + "include_claim_keys.1", "run_id", + ), + resource.TestCheckResourceAttr( + "github_actions_organization_oidc_subject_claim_customization_template.test", + "include_claim_keys.2", "workflow", + ), + ), + "after": resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr( + "github_actions_organization_oidc_subject_claim_customization_template.test", + "include_claim_keys.#", "4", + ), + resource.TestCheckResourceAttr( + "github_actions_organization_oidc_subject_claim_customization_template.test", + "include_claim_keys.0", "actor", + ), + resource.TestCheckResourceAttr( + "github_actions_organization_oidc_subject_claim_customization_template.test", + "include_claim_keys.1", "actor_id", + ), + resource.TestCheckResourceAttr( + "github_actions_organization_oidc_subject_claim_customization_template.test", + "include_claim_keys.2", "head_ref", + ), + resource.TestCheckResourceAttr( + "github_actions_organization_oidc_subject_claim_customization_template.test", + "include_claim_keys.3", "repository", + ), + ), + } + testCase := func(t *testing.T, mode string) { + resource.Test(t, resource.TestCase{ + PreCheck: func() { skipUnlessMode(t, mode) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: configs["before"], + Check: checks["before"], + }, + { + Config: configs["after"], + Check: checks["after"], + }, + }, + }) + } + + t.Run("with an anonymous account", func(t *testing.T) { + t.Skip("anonymous account not supported for this operation") + }) + + t.Run("with an individual account", func(t *testing.T) { + t.Skip("individual account not supported for this operation") + }) + + t.Run("with an organization account", func(t *testing.T) { + testCase(t, organization) + }) + }) + + t.Run("imports organization oidc subject claim customization template without error", func(t *testing.T) { + config := ` + resource "github_actions_organization_oidc_subject_claim_customization_template" "test" { + include_claim_keys = ["repository_owner_id", "run_id", "workflow"] + }` + + check := resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr( + "github_actions_organization_oidc_subject_claim_customization_template.test", + "include_claim_keys.#", "3", + ), + resource.TestCheckResourceAttr( + "github_actions_organization_oidc_subject_claim_customization_template.test", + "include_claim_keys.0", "repository_owner_id", + ), + resource.TestCheckResourceAttr( + "github_actions_organization_oidc_subject_claim_customization_template.test", + "include_claim_keys.1", "run_id", + ), + resource.TestCheckResourceAttr( + "github_actions_organization_oidc_subject_claim_customization_template.test", + "include_claim_keys.2", "workflow", + ), + ) + + testCase := func(t *testing.T, mode string) { + resource.Test(t, resource.TestCase{ + PreCheck: func() { skipUnlessMode(t, mode) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: config, + Check: check, + }, + { + ResourceName: "github_actions_organization_oidc_subject_claim_customization_template.test", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) + } + t.Run("with an anonymous account", func(t *testing.T) { + t.Skip("anonymous account not supported for this operation") + }) + + t.Run("with an individual account", func(t *testing.T) { + t.Skip("individual account not supported for this operation") + }) + + t.Run("with an organization account", func(t *testing.T) { + testCase(t, organization) + }) + }) +} diff --git a/github/resource_github_actions_repository_oidc_subject_claim_customization_template.go b/github/resource_github_actions_repository_oidc_subject_claim_customization_template.go new file mode 100644 index 0000000000..b8c01935f5 --- /dev/null +++ b/github/resource_github_actions_repository_oidc_subject_claim_customization_template.go @@ -0,0 +1,125 @@ +package github + +import ( + "context" + "errors" + + "github.com/google/go-github/v49/github" + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" + "github.com/hashicorp/terraform-plugin-sdk/helper/validation" +) + +func resourceGithubActionsRepositoryOIDCSubjectClaimCustomizationTemplate() *schema.Resource { + return &schema.Resource{ + Create: resourceGithubActionsRepositoryOIDCSubjectClaimCustomizationTemplateCreateOrUpdate, + Read: resourceGithubActionsRepositoryOIDCSubjectClaimCustomizationTemplateRead, + Update: resourceGithubActionsRepositoryOIDCSubjectClaimCustomizationTemplateCreateOrUpdate, + Delete: resourceGithubActionsRepositoryOIDCSubjectClaimCustomizationTemplateDelete, + Importer: &schema.ResourceImporter{ + State: schema.ImportStatePassthrough, + }, + Schema: map[string]*schema.Schema{ + "repository": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringLenBetween(1, 100), + }, + "use_default": { + Type: schema.TypeBool, + Required: true, + }, + "include_claim_keys": { + Type: schema.TypeList, + Optional: true, + MinItems: 1, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + } +} + +func resourceGithubActionsRepositoryOIDCSubjectClaimCustomizationTemplateCreateOrUpdate(d *schema.ResourceData, meta interface{}) error { + + client := meta.(*Owner).v3client + + repository := d.Get("repository").(string) + owner := meta.(*Owner).name + + useDefault := d.Get("use_default").(bool) + includeClaimKeys, hasClaimKeys := d.GetOk("include_claim_keys") + + if useDefault && hasClaimKeys { + return errors.New("include_claim_keys cannot be set when use_default is true") + } + + customOIDCSubjectClaimTemplate := &github.OIDCSubjectClaimCustomTemplate{ + UseDefault: &useDefault, + } + + if includeClaimKeys != nil { + + includeClaimKeysVal := includeClaimKeys.([]interface{}) + + claimsStr := make([]string, len(includeClaimKeysVal)) + + for i, v := range includeClaimKeysVal { + claimsStr[i] = v.(string) + } + + customOIDCSubjectClaimTemplate.IncludeClaimKeys = claimsStr + } + + ctx := context.Background() + _, err := client.Actions.SetRepoOIDCSubjectClaimCustomTemplate(ctx, owner, repository, customOIDCSubjectClaimTemplate) + + if err != nil { + return err + } + + d.SetId(repository) + return resourceGithubActionsRepositoryOIDCSubjectClaimCustomizationTemplateRead(d, meta) +} + +func resourceGithubActionsRepositoryOIDCSubjectClaimCustomizationTemplateRead(d *schema.ResourceData, meta interface{}) error { + client := meta.(*Owner).v3client + + repository := d.Id() + owner := meta.(*Owner).name + + ctx := context.Background() + template, _, err := client.Actions.GetRepoOIDCSubjectClaimCustomTemplate(ctx, owner, repository) + + if err != nil { + return err + } + + d.Set("repository", repository) + d.Set("use_default", template.UseDefault) + d.Set("include_claim_keys", template.IncludeClaimKeys) + + return nil +} + +func resourceGithubActionsRepositoryOIDCSubjectClaimCustomizationTemplateDelete(d *schema.ResourceData, meta interface{}) error { + // Reset the repository to use the default claims + // https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#using-the-default-subject-claims + client := meta.(*Owner).v3client + + repository := d.Get("repository").(string) + owner := meta.(*Owner).name + + customOIDCSubjectClaimTemplate := &github.OIDCSubjectClaimCustomTemplate{ + UseDefault: github.Bool(true), + } + + ctx := context.Background() + _, err := client.Actions.SetRepoOIDCSubjectClaimCustomTemplate(ctx, owner, repository, customOIDCSubjectClaimTemplate) + + if err != nil { + return err + } + + return nil +} diff --git a/github/resource_github_actions_repository_oidc_subject_claim_customization_template_test.go b/github/resource_github_actions_repository_oidc_subject_claim_customization_template_test.go new file mode 100644 index 0000000000..96b89e5981 --- /dev/null +++ b/github/resource_github_actions_repository_oidc_subject_claim_customization_template_test.go @@ -0,0 +1,264 @@ +package github + +import ( + "fmt" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/helper/acctest" + "github.com/hashicorp/terraform-plugin-sdk/helper/resource" +) + +func TestAccGithubActionsRepositoryOIDCSubjectClaimCustomizationTemplate(t *testing.T) { + + randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum) + + t.Run("creates repository oidc subject claim customization template without error", func(t *testing.T) { + + config := fmt.Sprintf(` + resource "github_repository" "test" { + name = "tf-acc-test-%s" + private = true + } + + resource "github_actions_repository_oidc_subject_claim_customization_template" "test" { + repository = github_repository.test.name + use_default = false + include_claim_keys = ["repo", "context", "job_workflow_ref"] + }`, randomID) + + check := resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "use_default", "false"), + resource.TestCheckResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "include_claim_keys.#", "3", + ), + resource.TestCheckResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "include_claim_keys.0", "repo", + ), + resource.TestCheckResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "include_claim_keys.1", "context", + ), + resource.TestCheckResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "include_claim_keys.2", "job_workflow_ref", + ), + ) + testCase := func(t *testing.T, mode string) { + resource.Test(t, resource.TestCase{ + PreCheck: func() { skipUnlessMode(t, mode) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: config, + Check: check, + }, + }, + }) + } + t.Run("run with an anonymous account", func(t *testing.T) { + t.Skip("anonymous account not supported for this operation") + }) + t.Run("run with an individual account", func(t *testing.T) { + testCase(t, individual) + }) + t.Run("run with an organization account", func(t *testing.T) { + testCase(t, organization) + }) + }) + + t.Run("updates repository oidc subject claim customization template without error", func(t *testing.T) { + + configTemplate := ` + resource "github_repository" "test" { + name = "tf-acc-test-%s" + private = true + } + + resource "github_actions_repository_oidc_subject_claim_customization_template" "test" { + repository = github_repository.test.name + use_default = %t + include_claim_keys = %s + }` + + claims := `["repository_owner_id", "run_id", "workflow"]` + updatedClaims := `["actor", "actor_id", "head_ref", "repository"]` + + resetToDefaultConfigTemplate := ` + resource "github_repository" "test" { + name = "tf-acc-test-%s" + private = true + } + + resource "github_actions_repository_oidc_subject_claim_customization_template" "test" { + repository = github_repository.test.name + use_default = true + } +` + + configs := map[string]string{ + "before": fmt.Sprintf(configTemplate, randomID, false, claims), + + "after": fmt.Sprintf(configTemplate, randomID, false, updatedClaims), + + "reset_to_default": fmt.Sprintf(resetToDefaultConfigTemplate, randomID), + } + checks := map[string]resource.TestCheckFunc{ + "before": resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "use_default", "false"), + resource.TestCheckResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "include_claim_keys.#", "3", + ), + resource.TestCheckResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "include_claim_keys.0", "repository_owner_id", + ), + resource.TestCheckResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "include_claim_keys.1", "run_id", + ), + resource.TestCheckResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "include_claim_keys.2", "workflow", + ), + ), + "after": resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "use_default", "false"), + resource.TestCheckResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "include_claim_keys.#", "4", + ), + resource.TestCheckResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "include_claim_keys.0", "actor", + ), + resource.TestCheckResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "include_claim_keys.1", "actor_id", + ), + resource.TestCheckResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "include_claim_keys.2", "head_ref", + ), + resource.TestCheckResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "include_claim_keys.3", "repository", + ), + ), + "reset_to_default": resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "use_default", "true"), + resource.TestCheckNoResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "include_claim_keys", + ), + ), + } + testCase := func(t *testing.T, mode string) { + resource.Test(t, resource.TestCase{ + PreCheck: func() { skipUnlessMode(t, mode) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: configs["before"], + Check: checks["before"], + }, + { + Config: configs["after"], + Check: checks["after"], + }, + { + Config: configs["reset_to_default"], + Check: checks["reset_to_default"], + }, + }, + }) + } + + t.Run("with an anonymous account", func(t *testing.T) { + t.Skip("anonymous account not supported for this operation") + }) + + t.Run("with an individual account", func(t *testing.T) { + testCase(t, individual) + }) + + t.Run("with an organization account", func(t *testing.T) { + testCase(t, organization) + }) + }) + + t.Run("imports repository oidc subject claim customization template without error", func(t *testing.T) { + config := fmt.Sprintf(` + resource "github_repository" "test" { + name = "tf-acc-test-%s" + private = true + } + resource "github_actions_repository_oidc_subject_claim_customization_template" "test" { + repository = github_repository.test.name + use_default = false + include_claim_keys = ["repository_owner_id", "run_id", "workflow"] + }`, randomID) + + check := resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "use_default", "false", + ), + resource.TestCheckResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "include_claim_keys.#", "3", + ), + resource.TestCheckResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "include_claim_keys.0", "repository_owner_id", + ), + resource.TestCheckResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "include_claim_keys.1", "run_id", + ), + resource.TestCheckResourceAttr( + "github_actions_repository_oidc_subject_claim_customization_template.test", + "include_claim_keys.2", "workflow", + ), + ) + + testCase := func(t *testing.T, mode string) { + resource.Test(t, resource.TestCase{ + PreCheck: func() { skipUnlessMode(t, mode) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: config, + Check: check, + }, + { + ResourceName: "github_actions_repository_oidc_subject_claim_customization_template.test", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) + } + t.Run("with an anonymous account", func(t *testing.T) { + t.Skip("anonymous account not supported for this operation") + }) + + t.Run("with an individual account", func(t *testing.T) { + testCase(t, individual) + }) + + t.Run("with an organization account", func(t *testing.T) { + testCase(t, organization) + }) + }) +} diff --git a/go.mod b/go.mod index ac3a2c5490..c3ca5a51ab 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.17 require ( github.com/client9/misspell v0.3.4 github.com/golangci/golangci-lint v1.41.1 - github.com/google/go-github/v49 v49.0.0 + github.com/google/go-github/v49 v49.1.0 github.com/hashicorp/terraform-plugin-sdk v1.17.2 github.com/shurcooL/githubv4 v0.0.0-20221126192849-0b5c4c7994eb golang.org/x/crypto v0.5.0 diff --git a/go.sum b/go.sum index 0593498bdd..1aeb3375f0 100644 --- a/go.sum +++ b/go.sum @@ -395,6 +395,12 @@ github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-github/v49 v49.0.0 h1:vSz1fnOeGztFxDe48q0RCOrd8Cg4o8INcZBPVpGPNaY= github.com/google/go-github/v49 v49.0.0/go.mod h1:MUUzHPrhGniB6vUKa27y37likpipzG+BXXJbG04J334= +github.com/google/go-github/v49 v49.0.1-0.20230105125346-93166f499694 h1:EWMr9C+5q3I7R8WuvSgsdTH5vAmRgiqVVCV4DaZ9H0Q= +github.com/google/go-github/v49 v49.0.1-0.20230105125346-93166f499694/go.mod h1:MUUzHPrhGniB6vUKa27y37likpipzG+BXXJbG04J334= +github.com/google/go-github/v49 v49.0.1-0.20230110035759-e4ff2a27f769 h1:PrCIEYuWAbS0jcxn1oT/icE1XZ6hJdPHP7NLsUjEarU= +github.com/google/go-github/v49 v49.0.1-0.20230110035759-e4ff2a27f769/go.mod h1:MUUzHPrhGniB6vUKa27y37likpipzG+BXXJbG04J334= +github.com/google/go-github/v49 v49.1.0 h1:LFkMgawGQ8dfzWLH/rNE0b3u1D3n6/dw7ZmrN3b+YFY= +github.com/google/go-github/v49 v49.1.0/go.mod h1:MUUzHPrhGniB6vUKa27y37likpipzG+BXXJbG04J334= github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= diff --git a/vendor/github.com/google/go-github/v49/github/actions_cache.go b/vendor/github.com/google/go-github/v49/github/actions_cache.go new file mode 100644 index 0000000000..9592d9ab62 --- /dev/null +++ b/vendor/github.com/google/go-github/v49/github/actions_cache.go @@ -0,0 +1,235 @@ +// Copyright 2022 The go-github AUTHORS. All rights reserved. +// +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package github + +import ( + "context" + "fmt" +) + +// ActionsCache represents a GitHub action cache. +// +// GitHub API docs: https://docs.github.com/en/rest/actions/cache?apiVersion=2022-11-28#about-the-cache-api +type ActionsCache struct { + ID *int64 `json:"id,omitempty" url:"-"` + Ref *string `json:"ref,omitempty" url:"ref"` + Key *string `json:"key,omitempty" url:"key"` + Version *string `json:"version,omitempty" url:"-"` + LastAccessedAt *Timestamp `json:"last_accessed_at,omitempty" url:"-"` + CreatedAt *Timestamp `json:"created_at,omitempty" url:"-"` + SizeInBytes *int64 `json:"size_in_bytes,omitempty" url:"-"` +} + +// ActionsCacheList represents a list of GitHub actions Cache. +// +// GitHub API docs: https://docs.github.com/en/rest/actions/cache?apiVersion=2022-11-28#list-github-actions-caches-for-a-repository +type ActionsCacheList struct { + TotalCount int `json:"total_count"` + ActionsCaches []*ActionsCache `json:"actions_caches,omitempty"` +} + +// ActionsCacheUsage represents a GitHub Actions Cache Usage object. +// +// GitHub API docs: https://docs.github.com/en/rest/actions/cache?apiVersion=2022-11-28#get-github-actions-cache-usage-for-a-repository +type ActionsCacheUsage struct { + FullName string `json:"full_name"` + ActiveCachesSizeInBytes int64 `json:"active_caches_size_in_bytes"` + ActiveCachesCount int `json:"active_caches_count"` +} + +// ActionsCacheUsageList represents a list of repositories with GitHub Actions cache usage for an organization. +// +// GitHub API docs: https://docs.github.com/en/rest/actions/cache?apiVersion=2022-11-28#get-github-actions-cache-usage-for-a-repository +type ActionsCacheUsageList struct { + TotalCount int `json:"total_count"` + RepoCacheUsage []*ActionsCacheUsage `json:"repository_cache_usages,omitempty"` +} + +// TotalCacheUsage represents total GitHub actions cache usage of an organization or enterprise. +// +// GitHub API docs: https://docs.github.com/en/rest/actions/cache?apiVersion=2022-11-28#get-github-actions-cache-usage-for-an-enterprise +type TotalCacheUsage struct { + TotalActiveCachesUsageSizeInBytes int64 `json:"total_active_caches_size_in_bytes"` + TotalActiveCachesCount int `json:"total_active_caches_count"` +} + +// ActionsCacheListOptions represents a list of all possible optional Query parameters for ListCaches method. +// +// GitHub API docs: https://docs.github.com/en/rest/actions/cache?apiVersion=2022-11-28#list-github-actions-caches-for-a-repository +type ActionsCacheListOptions struct { + ListOptions + // The Git reference for the results you want to list. + // The ref for a branch can be formatted either as refs/heads/ + // or simply . To reference a pull request use refs/pull//merge + Ref *string `url:"ref,omitempty"` + Key *string `url:"key,omitempty"` + // Can be one of: "created_at", "last_accessed_at", "size_in_bytes". Default: "last_accessed_at" + Sort *string `url:"sort,omitempty"` + // Can be one of: "asc", "desc" Default: desc + Direction *string `url:"direction,omitempty"` +} + +// ListCaches lists the GitHub Actions caches for a repository. +// You must authenticate using an access token with the repo scope to use this endpoint. +// +// Permissions: must have the actions:read permission to use this endpoint. +// +// GitHub API docs: https://docs.github.com/en/rest/actions/cache?apiVersion=2022-11-28#list-github-actions-caches-for-a-repository +func (s *ActionsService) ListCaches(ctx context.Context, owner, repo string, opts *ActionsCacheListOptions) (*ActionsCacheList, *Response, error) { + u := fmt.Sprintf("repos/%v/%v/actions/caches", owner, repo) + u, err := addOptions(u, opts) + if err != nil { + return nil, nil, err + } + + req, err := s.client.NewRequest("GET", u, nil) + if err != nil { + return nil, nil, err + } + + actionCacheList := new(ActionsCacheList) + resp, err := s.client.Do(ctx, req, actionCacheList) + if err != nil { + return nil, resp, err + } + + return actionCacheList, resp, nil +} + +// DeleteCachesByKey deletes one or more GitHub Actions caches for a repository, using a complete cache key. +// By default, all caches that match the provided key are deleted, but you can optionally provide +// a Git ref to restrict deletions to caches that match both the provided key and the Git ref. +// The ref for a branch can be formatted either as "refs/heads/" or simply "". +// To reference a pull request use "refs/pull//merge". If you don't want to use ref just pass nil in parameter. +// +// Permissions: You must authenticate using an access token with the repo scope to use this endpoint. GitHub Apps must have the actions:write permission to use this endpoint. +// +// GitHub API docs: https://docs.github.com/en/rest/actions/cache?apiVersion=2022-11-28#delete-github-actions-caches-for-a-repository-using-a-cache-key +func (s *ActionsService) DeleteCachesByKey(ctx context.Context, owner, repo, key string, ref *string) (*Response, error) { + u := fmt.Sprintf("repos/%v/%v/actions/caches", owner, repo) + u, err := addOptions(u, ActionsCache{Key: &key, Ref: ref}) + if err != nil { + return nil, err + } + + req, err := s.client.NewRequest("DELETE", u, nil) + if err != nil { + return nil, err + } + + return s.client.Do(ctx, req, nil) +} + +// DeleteCachesByID deletes a GitHub Actions cache for a repository, using a cache ID. +// +// Permissions: You must authenticate using an access token with the repo scope to use this endpoint. GitHub Apps must have the actions:write permission to use this endpoint. +// +// GitHub API docs: https://docs.github.com/en/rest/actions/cache?apiVersion=2022-11-28#delete-a-github-actions-cache-for-a-repository-using-a-cache-id +func (s *ActionsService) DeleteCachesByID(ctx context.Context, owner, repo string, cacheID int64) (*Response, error) { + u := fmt.Sprintf("repos/%v/%v/actions/caches/%v", owner, repo, cacheID) + req, err := s.client.NewRequest("DELETE", u, nil) + if err != nil { + return nil, err + } + + return s.client.Do(ctx, req, nil) +} + +// GetCacheUsageForRepo gets GitHub Actions cache usage for a repository. The data fetched using this API is refreshed approximately every 5 minutes, +// so values returned from this endpoint may take at least 5 minutes to get updated. +// +// Permissions: Anyone with read access to the repository can use this endpoint. If the repository is private, you must use an +// access token with the repo scope. GitHub Apps must have the actions:read permission to use this endpoint. +// +// GitHub API docs: https://docs.github.com/en/rest/actions/cache?apiVersion=2022-11-28#get-github-actions-cache-usage-for-a-repository +func (s *ActionsService) GetCacheUsageForRepo(ctx context.Context, owner, repo string) (*ActionsCacheUsage, *Response, error) { + u := fmt.Sprintf("repos/%v/%v/actions/cache/usage", owner, repo) + req, err := s.client.NewRequest("GET", u, nil) + if err != nil { + return nil, nil, err + } + + cacheUsage := new(ActionsCacheUsage) + res, err := s.client.Do(ctx, req, cacheUsage) + if err != nil { + return nil, res, err + } + + return cacheUsage, res, err +} + +// ListCacheUsageByRepoForOrg lists repositories and their GitHub Actions cache usage for an organization. The data fetched using this API is +// refreshed approximately every 5 minutes, so values returned from this endpoint may take at least 5 minutes to get updated. +// +// Permissions: You must authenticate using an access token with the read:org scope to use this endpoint. +// GitHub Apps must have the organization_admistration:read permission to use this endpoint. +// +// GitHub API docs: https://docs.github.com/en/rest/actions/cache?apiVersion=2022-11-28#list-repositories-with-github-actions-cache-usage-for-an-organization +func (s *ActionsService) ListCacheUsageByRepoForOrg(ctx context.Context, org string, opts *ListOptions) (*ActionsCacheUsageList, *Response, error) { + u := fmt.Sprintf("orgs/%v/actions/cache/usage-by-repository", org) + u, err := addOptions(u, opts) + if err != nil { + return nil, nil, err + } + + req, err := s.client.NewRequest("GET", u, nil) + if err != nil { + return nil, nil, err + } + + cacheUsage := new(ActionsCacheUsageList) + res, err := s.client.Do(ctx, req, cacheUsage) + if err != nil { + return nil, res, err + } + + return cacheUsage, res, err +} + +// GetTotalCacheUsageForOrg gets the total GitHub Actions cache usage for an organization. The data fetched using this API is refreshed approximately every +// 5 minutes, so values returned from this endpoint may take at least 5 minutes to get updated. +// +// Permissions: You must authenticate using an access token with the read:org scope to use this endpoint. +// GitHub Apps must have the organization_admistration:read permission to use this endpoint. +// +// GitHub API docs: https://docs.github.com/en/rest/actions/cache?apiVersion=2022-11-28#get-github-actions-cache-usage-for-an-organization +func (s *ActionsService) GetTotalCacheUsageForOrg(ctx context.Context, org string) (*TotalCacheUsage, *Response, error) { + u := fmt.Sprintf("orgs/%v/actions/cache/usage", org) + req, err := s.client.NewRequest("GET", u, nil) + if err != nil { + return nil, nil, err + } + + cacheUsage := new(TotalCacheUsage) + res, err := s.client.Do(ctx, req, cacheUsage) + if err != nil { + return nil, res, err + } + + return cacheUsage, res, err +} + +// GetTotalCacheUsageForEnterprise gets the total GitHub Actions cache usage for an enterprise. The data fetched using this API is refreshed approximately every 5 minutes, +// so values returned from this endpoint may take at least 5 minutes to get updated. +// +// Permissions: You must authenticate using an access token with the "admin:enterprise" scope to use this endpoint. +// +// GitHub API docs: https://docs.github.com/en/rest/actions/cache?apiVersion=2022-11-28#get-github-actions-cache-usage-for-an-enterprise +func (s *ActionsService) GetTotalCacheUsageForEnterprise(ctx context.Context, enterprise string) (*TotalCacheUsage, *Response, error) { + u := fmt.Sprintf("enterprises/%v/actions/cache/usage", enterprise) + req, err := s.client.NewRequest("GET", u, nil) + if err != nil { + return nil, nil, err + } + + cacheUsage := new(TotalCacheUsage) + res, err := s.client.Do(ctx, req, cacheUsage) + if err != nil { + return nil, res, err + } + + return cacheUsage, res, err +} diff --git a/vendor/github.com/google/go-github/v49/github/actions_oidc.go b/vendor/github.com/google/go-github/v49/github/actions_oidc.go new file mode 100644 index 0000000000..b7f2d26ae9 --- /dev/null +++ b/vendor/github.com/google/go-github/v49/github/actions_oidc.go @@ -0,0 +1,73 @@ +// Copyright 2023 The go-github AUTHORS. All rights reserved. +// +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package github + +import ( + "context" + "fmt" +) + +// OIDCSubjectClaimCustomTemplate represents an OIDC subject claim customization template. +type OIDCSubjectClaimCustomTemplate struct { + UseDefault *bool `json:"use_default,omitempty"` + IncludeClaimKeys []string `json:"include_claim_keys,omitempty"` +} + +// GetOrgOIDCSubjectClaimCustomTemplate gets the subject claim customization template for an organization. +// +// GitHub API docs: https://docs.github.com/en/rest/actions/oidc#get-the-customization-template-for-an-oidc-subject-claim-for-an-organization +func (s *ActionsService) GetOrgOIDCSubjectClaimCustomTemplate(ctx context.Context, org string) (*OIDCSubjectClaimCustomTemplate, *Response, error) { + u := fmt.Sprintf("orgs/%v/actions/oidc/customization/sub", org) + return s.getOIDCSubjectClaimCustomTemplate(ctx, u) +} + +// GetRepoOIDCSubjectClaimCustomTemplate gets the subject claim customization template for a repository. +// +// GitHub API docs: https://docs.github.com/en/rest/actions/oidc#get-the-customization-template-for-an-oidc-subject-claim-for-a-repository +func (s *ActionsService) GetRepoOIDCSubjectClaimCustomTemplate(ctx context.Context, owner, repo string) (*OIDCSubjectClaimCustomTemplate, *Response, error) { + u := fmt.Sprintf("repos/%v/%v/actions/oidc/customization/sub", owner, repo) + return s.getOIDCSubjectClaimCustomTemplate(ctx, u) +} + +func (s *ActionsService) getOIDCSubjectClaimCustomTemplate(ctx context.Context, url string) (*OIDCSubjectClaimCustomTemplate, *Response, error) { + req, err := s.client.NewRequest("GET", url, nil) + if err != nil { + return nil, nil, err + } + + tmpl := new(OIDCSubjectClaimCustomTemplate) + resp, err := s.client.Do(ctx, req, tmpl) + if err != nil { + return nil, resp, err + } + + return tmpl, resp, nil +} + +// SetOrgOIDCSubjectClaimCustomTemplate sets the subject claim customization for an organization. +// +// GitHub API docs: https://docs.github.com/en/rest/actions/oidc#set-the-customization-template-for-an-oidc-subject-claim-for-an-organization +func (s *ActionsService) SetOrgOIDCSubjectClaimCustomTemplate(ctx context.Context, org string, template *OIDCSubjectClaimCustomTemplate) (*Response, error) { + u := fmt.Sprintf("orgs/%v/actions/oidc/customization/sub", org) + return s.setOIDCSubjectClaimCustomTemplate(ctx, u, template) +} + +// SetRepoOIDCSubjectClaimCustomTemplate sets the subject claim customization for a repository. +// +// GitHub API docs: https://docs.github.com/en/rest/actions/oidc#set-the-customization-template-for-an-oidc-subject-claim-for-a-repository +func (s *ActionsService) SetRepoOIDCSubjectClaimCustomTemplate(ctx context.Context, owner, repo string, template *OIDCSubjectClaimCustomTemplate) (*Response, error) { + u := fmt.Sprintf("repos/%v/%v/actions/oidc/customization/sub", owner, repo) + return s.setOIDCSubjectClaimCustomTemplate(ctx, u, template) +} + +func (s *ActionsService) setOIDCSubjectClaimCustomTemplate(ctx context.Context, url string, template *OIDCSubjectClaimCustomTemplate) (*Response, error) { + req, err := s.client.NewRequest("PUT", url, template) + if err != nil { + return nil, err + } + + return s.client.Do(ctx, req, nil) +} diff --git a/vendor/github.com/google/go-github/v49/github/github-accessors.go b/vendor/github.com/google/go-github/v49/github/github-accessors.go index 422d8bc0d3..1813988b56 100644 --- a/vendor/github.com/google/go-github/v49/github/github-accessors.go +++ b/vendor/github.com/google/go-github/v49/github/github-accessors.go @@ -38,6 +38,94 @@ func (a *ActionsAllowed) GetVerifiedAllowed() bool { return *a.VerifiedAllowed } +// GetCreatedAt returns the CreatedAt field if it's non-nil, zero value otherwise. +func (a *ActionsCache) GetCreatedAt() Timestamp { + if a == nil || a.CreatedAt == nil { + return Timestamp{} + } + return *a.CreatedAt +} + +// GetID returns the ID field if it's non-nil, zero value otherwise. +func (a *ActionsCache) GetID() int64 { + if a == nil || a.ID == nil { + return 0 + } + return *a.ID +} + +// GetKey returns the Key field if it's non-nil, zero value otherwise. +func (a *ActionsCache) GetKey() string { + if a == nil || a.Key == nil { + return "" + } + return *a.Key +} + +// GetLastAccessedAt returns the LastAccessedAt field if it's non-nil, zero value otherwise. +func (a *ActionsCache) GetLastAccessedAt() Timestamp { + if a == nil || a.LastAccessedAt == nil { + return Timestamp{} + } + return *a.LastAccessedAt +} + +// GetRef returns the Ref field if it's non-nil, zero value otherwise. +func (a *ActionsCache) GetRef() string { + if a == nil || a.Ref == nil { + return "" + } + return *a.Ref +} + +// GetSizeInBytes returns the SizeInBytes field if it's non-nil, zero value otherwise. +func (a *ActionsCache) GetSizeInBytes() int64 { + if a == nil || a.SizeInBytes == nil { + return 0 + } + return *a.SizeInBytes +} + +// GetVersion returns the Version field if it's non-nil, zero value otherwise. +func (a *ActionsCache) GetVersion() string { + if a == nil || a.Version == nil { + return "" + } + return *a.Version +} + +// GetDirection returns the Direction field if it's non-nil, zero value otherwise. +func (a *ActionsCacheListOptions) GetDirection() string { + if a == nil || a.Direction == nil { + return "" + } + return *a.Direction +} + +// GetKey returns the Key field if it's non-nil, zero value otherwise. +func (a *ActionsCacheListOptions) GetKey() string { + if a == nil || a.Key == nil { + return "" + } + return *a.Key +} + +// GetRef returns the Ref field if it's non-nil, zero value otherwise. +func (a *ActionsCacheListOptions) GetRef() string { + if a == nil || a.Ref == nil { + return "" + } + return *a.Ref +} + +// GetSort returns the Sort field if it's non-nil, zero value otherwise. +func (a *ActionsCacheListOptions) GetSort() string { + if a == nil || a.Sort == nil { + return "" + } + return *a.Sort +} + // GetAllowedActions returns the AllowedActions field if it's non-nil, zero value otherwise. func (a *ActionsPermissions) GetAllowedActions() string { if a == nil || a.AllowedActions == nil { @@ -9990,6 +10078,14 @@ func (o *OAuthAPP) GetURL() string { return *o.URL } +// GetUseDefault returns the UseDefault field if it's non-nil, zero value otherwise. +func (o *OIDCSubjectClaimCustomTemplate) GetUseDefault() bool { + if o == nil || o.UseDefault == nil { + return false + } + return *o.UseDefault +} + // GetAdvancedSecurityEnabledForNewRepos returns the AdvancedSecurityEnabledForNewRepos field if it's non-nil, zero value otherwise. func (o *Organization) GetAdvancedSecurityEnabledForNewRepos() bool { if o == nil || o.AdvancedSecurityEnabledForNewRepos == nil { diff --git a/vendor/github.com/google/go-github/v49/github/github.go b/vendor/github.com/google/go-github/v49/github/github.go index d5aa1c6870..e97e31f2f5 100644 --- a/vendor/github.com/google/go-github/v49/github/github.go +++ b/vendor/github.com/google/go-github/v49/github/github.go @@ -27,7 +27,7 @@ import ( ) const ( - Version = "v49.0.0" + Version = "v49.1.0" defaultAPIVersion = "2022-11-28" defaultBaseURL = "https://api.github.com/" diff --git a/vendor/modules.txt b/vendor/modules.txt index 5a05ca0f22..22f91a86a1 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -293,7 +293,7 @@ github.com/google/go-cmp/cmp/internal/diff github.com/google/go-cmp/cmp/internal/flags github.com/google/go-cmp/cmp/internal/function github.com/google/go-cmp/cmp/internal/value -# github.com/google/go-github/v49 v49.0.0 +# github.com/google/go-github/v49 v49.1.0 ## explicit; go 1.17 github.com/google/go-github/v49/github # github.com/google/go-querystring v1.1.0 diff --git a/website/docs/d/actions_organization_oidc_subject_claim_customization_template.html.markdown b/website/docs/d/actions_organization_oidc_subject_claim_customization_template.html.markdown new file mode 100644 index 0000000000..30da16efd7 --- /dev/null +++ b/website/docs/d/actions_organization_oidc_subject_claim_customization_template.html.markdown @@ -0,0 +1,23 @@ +--- +layout: "github" +page_title: "GitHub: actions_organization_oidc_subject_claim_customization_template" +description: |- + Get a GitHub Actions organization OpenID Connect customization template +--- + +# actions_organization_oidc_subject_claim_customization_template + +Use this data source to retrieve the OpenID Connect subject claim customization template for an organization + +## Example Usage + +```hcl +data "github_actions_organization_oidc_subject_claim_customization_template" "example" { +} +``` + +## Argument Reference + +## Attributes Reference + + * `include_claim_keys` - The list of OpenID Connect claim keys. diff --git a/website/docs/d/actions_repository_oidc_subject_claim_customization_template.html.markdown b/website/docs/d/actions_repository_oidc_subject_claim_customization_template.html.markdown new file mode 100644 index 0000000000..7dfefdec32 --- /dev/null +++ b/website/docs/d/actions_repository_oidc_subject_claim_customization_template.html.markdown @@ -0,0 +1,27 @@ +--- +layout: "github" +page_title: "GitHub: actions_repository_oidc_subject_claim_customization_template" +description: |- + Get a GitHub Actions repository's OpenID Connect customization template +--- + +# actions_repository_oidc_subject_claim_customization_template + +Use this data source to retrieve the OpenID Connect subject claim customization template for a repository + +## Example Usage + +```hcl +data "github_actions_repository_oidc_subject_claim_customization_template" "example" { + name = "example_repository" +} +``` + +## Argument Reference + +* `name` - (Required) Name of the repository to get the OpenID Connect subject claim customization template for. + +## Attributes Reference + + * `use_default` - Whether the repository uses the default template. + * `include_claim_keys` - The list of OpenID Connect claim keys. diff --git a/website/docs/r/actions_organization_oidc_subject_claim_customization_template.html.markdown b/website/docs/r/actions_organization_oidc_subject_claim_customization_template.html.markdown new file mode 100644 index 0000000000..abbd3841c8 --- /dev/null +++ b/website/docs/r/actions_organization_oidc_subject_claim_customization_template.html.markdown @@ -0,0 +1,36 @@ +--- +layout: "github" +page_title: "GitHub: github_actions_organization_oidc_subject_claim_customization_template" +description: |- +Creates and manages an OpenID Connect subject claim customization template for an organization +--- + +# github_actions_organization_oidc_subject_claim_customization_template + +This resource allows you to create and manage an OpenID Connect subject claim customization template within a GitHub +organization. + +More information on integrating GitHub with cloud providers using OpenID Connect and a list of available claims is +available in the [Actions documentation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect). + +## Example Usage + +```hcl +resource "github_actions_organization_oidc_subject_claim_customization_template" "example_template" { + include_claim_keys = ["actor", "context", "repository_owner"] +} +``` + +## Argument Reference + +The following arguments are supported: + +* `include_claim_keys` - (Required) A list of OpenID Connect claims. + +## Import + +This resource can be imported using the organization's name. + +``` +$ terraform import github_actions_organization_oidc_subject_claim_customization_template.test example_organization +``` \ No newline at end of file diff --git a/website/docs/r/actions_repository_oidc_subject_claim_customization_template.html.markdown b/website/docs/r/actions_repository_oidc_subject_claim_customization_template.html.markdown new file mode 100644 index 0000000000..bf9b28b1d2 --- /dev/null +++ b/website/docs/r/actions_repository_oidc_subject_claim_customization_template.html.markdown @@ -0,0 +1,52 @@ +--- +layout: "github" +page_title: "GitHub: github_actions_repository_oidc_subject_claim_customization_template" +description: |- +Creates and manages an OpenID Connect subject claim customization template for a repository +--- + +# github_actions_repository_oidc_subject_claim_customization_template + +This resource allows you to create and manage an OpenID Connect subject claim customization template for a GitHub +repository. + +More information on integrating GitHub with cloud providers using OpenID Connect and a list of available claims is +available in the [Actions documentation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect). + +The following table lists the behaviour of `use_default`: + +| `use_default` | `include_claim_keys` | Template used | +|---------------|----------------------|-----------------------------------------------------------| +| `true` | Unset | GitHub's default | +| `false` | Set | `include_claim_keys` | +| `false` | Unset | Organization's default if set, otherwise GitHub's default | + +## Example Usage + +```hcl +resource "github_repository" "example" { + name = "example-repository" +} + +resource "github_actions_repository_oidc_subject_claim_customization_template" "example_template" { + repository = github_repository.example.name + use_default = false + include_claim_keys = ["actor", "context", "repository_owner"] +} +``` + +## Argument Reference + +The following arguments are supported: + +* `use_default` - (Required) Whether to use the default template or not. If `true`, `include_claim_keys` must not +be set. +* `include_claim_keys` - (Optional) A list of OpenID Connect claims. + +## Import + +This resource can be imported using the repository's name. + +``` +$ terraform import github_actions_repository_oidc_subject_claim_customization_template.test example_repository +``` \ No newline at end of file