From c9686b3e86ce058185e30cff6aac85ea71b09349 Mon Sep 17 00:00:00 2001 From: swisniewski Date: Wed, 21 Dec 2022 16:56:24 -0800 Subject: [PATCH 1/2] Add support for provisioning github orgs to enteprises. 1. Add a "github_enterprise" data source. 2. Add a "github_enterprise_organization" resource. --- github/data_source_github_enterprise.go | 68 ++++ github/data_source_github_enterprise_test.go | 46 +++ github/provider.go | 2 + github/provider_utils.go | 9 + ...resource_github_enterprise_organization.go | 381 ++++++++++++++++++ website/docs/d/enterprise.html.markdown | 27 ++ website/github.erb | 3 + 7 files changed, 536 insertions(+) create mode 100644 github/data_source_github_enterprise.go create mode 100644 github/data_source_github_enterprise_test.go create mode 100644 github/resource_github_enterprise_organization.go create mode 100644 website/docs/d/enterprise.html.markdown diff --git a/github/data_source_github_enterprise.go b/github/data_source_github_enterprise.go new file mode 100644 index 0000000000..1f0b5b54bb --- /dev/null +++ b/github/data_source_github_enterprise.go @@ -0,0 +1,68 @@ +package github + +import ( + "context" + "fmt" + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" + "github.com/shurcooL/githubv4" +) + +func dataSourceGithubEnterprise() *schema.Resource { + return &schema.Resource{ + Read: dataSourceGithubEnterpriseRead, + Schema: map[string]*schema.Schema{ + "slug": { + Type: schema.TypeString, + Required: true, + }, + "name": { + Type: schema.TypeString, + Computed: true, + }, + "description": { + Type: schema.TypeString, + Computed: true, + }, + "created_at": { + Type: schema.TypeString, + Computed: true, + }, + "url": { + Type: schema.TypeString, + Computed: true, + }, + }, + } +} + +func dataSourceGithubEnterpriseRead(data *schema.ResourceData, meta interface{}) error { + var query struct { + Enterprise struct { + ID githubv4.String + Name githubv4.String + Description githubv4.String + CreatedAt githubv4.String + Url githubv4.String + } `graphql:"enterprise(slug: $slug)"` + } + + slug := data.Get("slug").(string) + client := meta.(*Owner).v4client + variables := map[string]interface{}{ + "slug": githubv4.String(slug), + } + err := client.Query(context.Background(), &query, variables) + if err != nil { + return err + } + if query.Enterprise.ID == "" { + return fmt.Errorf("could not find enterprise %v", slug) + } + data.SetId(string(query.Enterprise.ID)) + data.Set("name", query.Enterprise.Name) + data.Set("description", query.Enterprise.Description) + data.Set("created_at", query.Enterprise.CreatedAt) + data.Set("url", query.Enterprise.Url) + + return nil +} diff --git a/github/data_source_github_enterprise_test.go b/github/data_source_github_enterprise_test.go new file mode 100644 index 0000000000..443323c1a4 --- /dev/null +++ b/github/data_source_github_enterprise_test.go @@ -0,0 +1,46 @@ +package github + +import ( + "fmt" + "github.com/hashicorp/terraform-plugin-sdk/helper/resource" + "testing" +) + +func TestAccGithubEnterpriseDataSource(t *testing.T) { + if isEnterprise != "true" { + t.Skip("Skipping because `ENTERPRISE_ACCOUNT` is not set or set to false") + } + + if testEnterprise == "" { + t.Skip("Skipping because `ENTERPRISE_SLUG` is not set") + } + + config := fmt.Sprintf(` + data "github_enterprise" "test" { + slug = "%s" + } + `, + testEnterprise, + ) + + check := resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("data.github_enterprise.test", "slug", testEnterprise), + resource.TestCheckResourceAttrSet("data.github_enterprise.test", "name"), + resource.TestCheckResourceAttrSet("data.github_enterprise.test", "created_at"), + resource.TestCheckResourceAttrSet("data.github_enterprise.test", "url"), + ) + + resource.Test( + t, + resource.TestCase{ + PreCheck: func() { skipUnlessMode(t, enterprise) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: config, + Check: check, + }, + }, + }, + ) +} diff --git a/github/provider.go b/github/provider.go index 405e3eb2ab..e599317aed 100644 --- a/github/provider.go +++ b/github/provider.go @@ -105,6 +105,7 @@ func Provider() terraform.ResourceProvider { "github_dependabot_organization_secret": resourceGithubDependabotOrganizationSecret(), "github_dependabot_organization_secret_repositories": resourceGithubDependabotOrganizationSecretRepositories(), "github_dependabot_secret": resourceGithubDependabotSecret(), + "github_enterprise_organization": resourceGithubEnterpriseOrganization(), "github_emu_group_mapping": resourceGithubEMUGroupMapping(), "github_issue": resourceGithubIssue(), "github_issue_label": resourceGithubIssueLabel(), @@ -151,6 +152,7 @@ func Provider() terraform.ResourceProvider { "github_dependabot_organization_secrets": dataSourceGithubDependabotOrganizationSecrets(), "github_dependabot_public_key": dataSourceGithubDependabotPublicKey(), "github_dependabot_secrets": dataSourceGithubDependabotSecrets(), + "github_enterprise": dataSourceGithubEnterprise(), "github_external_groups": dataSourceGithubExternalGroups(), "github_ip_ranges": dataSourceGithubIpRanges(), "github_membership": dataSourceGithubMembership(), diff --git a/github/provider_utils.go b/github/provider_utils.go index 6c0e418d27..8a585fcc2f 100644 --- a/github/provider_utils.go +++ b/github/provider_utils.go @@ -9,6 +9,7 @@ import ( var testCollaborator string = os.Getenv("GITHUB_TEST_COLLABORATOR") var isEnterprise string = os.Getenv("ENTERPRISE_ACCOUNT") +var testEnterprise string = os.Getenv("ENTERPRISE_SLUG") var testOrganization string = testOrganizationFunc() var testOwner string = os.Getenv("GITHUB_OWNER") var testToken string = os.Getenv("GITHUB_TOKEN") @@ -49,6 +50,13 @@ func skipUnlessMode(t *testing.T, providerMode string) { } else { t.Log("GITHUB_TOKEN environment variable should be empty") } + case enterprise: + if os.Getenv("GITHUB_TOKEN") == "" { + t.Log("GITHUB_TOKEN environment variable should be set") + } else { + return + } + case individual: if os.Getenv("GITHUB_TOKEN") != "" && os.Getenv("GITHUB_OWNER") != "" { return @@ -125,3 +133,4 @@ func testOwnerFunc() string { const anonymous = "anonymous" const individual = "individual" const organization = "organization" +const enterprise = "enterprise" diff --git a/github/resource_github_enterprise_organization.go b/github/resource_github_enterprise_organization.go new file mode 100644 index 0000000000..8e0958b5f4 --- /dev/null +++ b/github/resource_github_enterprise_organization.go @@ -0,0 +1,381 @@ +package github + +import ( + "context" + "errors" + "fmt" + "log" + "strings" + + "github.com/google/go-github/v48/github" + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" + "github.com/shurcooL/githubv4" +) + +func resourceGithubEnterpriseOrganization() *schema.Resource { + return &schema.Resource{ + Create: resourceGithubEnterpriseOrganizationCreate, + Read: resourceGithubEnterpriseOrganizationRead, + Delete: resourceGithubEnterpriseOrganizationDelete, + Update: resourceGithubEnterpriseOrganizationUpdate, + Importer: &schema.ResourceImporter{ + State: resourceGithubEnterpriseOrganizationImport, + }, + Schema: map[string]*schema.Schema{ + "enterprise_id": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + }, + "name": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + }, + "description": { + Type: schema.TypeString, + Optional: true, + }, + "admin_logins": { + Type: schema.TypeSet, + Required: true, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "billing_email": { + Type: schema.TypeString, + Required: true, + }, + }, + } +} + +func resourceGithubEnterpriseOrganizationCreate(data *schema.ResourceData, meta interface{}) error { + var mutate struct { + CreateEnterpriseOrganization struct { + Organization struct { + ID githubv4.ID + } + } `graphql:"createEnterpriseOrganization(input:$input)"` + } + + owner := meta.(*Owner) + v3 := owner.v3client + v4 := owner.v4client + + var adminLogins []githubv4.String + for _, v := range data.Get("admin_logins").(*schema.Set).List() { + adminLogins = append(adminLogins, githubv4.String(v.(string))) + } + + input := githubv4.CreateEnterpriseOrganizationInput{ + EnterpriseID: data.Get("enterprise_id"), + Login: githubv4.String(data.Get("name").(string)), + ProfileName: githubv4.String(data.Get("name").(string)), + BillingEmail: githubv4.String(data.Get("billing_email").(string)), + AdminLogins: adminLogins, + } + + err := v4.Mutate(context.Background(), &mutate, input, nil) + if err != nil { + return err + } + data.SetId(fmt.Sprintf("%s", mutate.CreateEnterpriseOrganization.Organization.ID)) + + //We use the V3 api to set the description of the org, because there is no mutator in the V4 API to edit the org's + //description + + //NOTE: There is some odd behavior here when using an EMU with SSO. If the user token has been granted permission to + //ANY ORG in the enterprise, then this works, provided that our token has sufficient permission. If the user token + //has not been added to any orgs, then this will fail. + // + //Unfortunately, there is no way in the api to grant a token permission to access an org. This needs to be done + //via the UI. This means our resource will work fine if the user has sufficient admin permissions and at least one + //org exists. It also means that we can't use terraform to automate creation of the very first org in an enterprise. + //That sucks a little, but seems like a restriction we can live with. + // + //It would be nice if there was an API available in github to enable a token for SSO. + + description := data.Get("description").(string) + if description != "" { + _, _, err = v3.Organizations.Edit( + context.Background(), + data.Get("name").(string), + &github.Organization{ + Description: github.String(description), + }, + ) + return err + } + return nil + +} + +func resourceGithubEnterpriseOrganizationRead(data *schema.ResourceData, meta interface{}) error { + var query struct { + Node struct { + Organization struct { + ID githubv4.ID + Name githubv4.String + Description githubv4.String + OrganizationBillingEmail githubv4.String + MembersWithRole struct { + Edges []struct { + User struct { + Login githubv4.String + } `graphql:"node"` + Role githubv4.String + } `graphql:"edges"` + PageInfo PageInfo + } `graphql:"membersWithRole(first:100, after:$cursor)"` + } `graphql:"... on Organization"` + } `graphql:"node(id: $id)"` + } + + variables := map[string]interface{}{ + "id": data.Id(), + "cursor": (*githubv4.String)(nil), + } + + var adminLogins []interface{} + + for { + v4 := meta.(*Owner).v4client + err := v4.Query(context.Background(), &query, variables) + if err != nil { + if strings.Contains(err.Error(), "Could not resolve to a node with the global id") { + log.Printf("[INFO] Removing organization (%s) from state because it no longer exists in GitHub", data.Id()) + data.SetId("") + return nil + } + return err + } + + for _, v := range query.Node.Organization.MembersWithRole.Edges { + if v.Role == "ADMIN" { + adminLogins = append(adminLogins, string(v.User.Login)) + } + } + + if !query.Node.Organization.MembersWithRole.PageInfo.HasNextPage { + break + } + + variables["cursor"] = githubv4.NewString(query.Node.Organization.MembersWithRole.PageInfo.EndCursor) + } + + err := data.Set("admin_logins", schema.NewSet(schema.HashString, adminLogins)) + if err != nil { + return err + } + + err = data.Set("name", query.Node.Organization.Name) + if err != nil { + return err + } + + err = data.Set("billing_email", query.Node.Organization.OrganizationBillingEmail) + if err != nil { + return err + } + + err = data.Set("description", query.Node.Organization.Description) + return err +} + +func resourceGithubEnterpriseOrganizationDelete(data *schema.ResourceData, meta interface{}) error { + return errors.New("deleting organizations is not supported programmatically by github, and hence is not supported by the provider. You will need to remove the org in the github ui, then use `terraform state rm` to remove the org from the state file") +} + +func resourceGithubEnterpriseOrganizationImport(data *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { + return nil, errors.New("support for import is not yet implemented") +} + +func updateDescription(ctx context.Context, data *schema.ResourceData, v3 *github.Client) error { + orgName := data.Get("name").(string) + oldDesc, newDesc := stringChanges(data.GetChange("description")) + + if oldDesc != newDesc { + _, _, err := v3.Organizations.Edit( + ctx, + orgName, + &github.Organization{ + Description: github.String(data.Get("description").(string)), + }, + ) + return err + } + return nil +} + +func removeUsers(ctx context.Context, v3 *github.Client, v4 *githubv4.Client, toRemove []interface{}, orgName string) error { + for _, user := range toRemove { + err := removeUser(ctx, v3, v4, user.(string), orgName) + if err != nil { + return err + } + } + return nil +} + +func removeUser(ctx context.Context, v3 *github.Client, v4 *githubv4.Client, user string, orgName string) error { + //How we remove an admin user from an enterprise organization depends on if the user is a member of any teams. + //If they are a member of any teams, we shouldn't delete them, instead we edit their membership role to be + //'MEMBER' instead of 'ADMIN'. If the user is not a member of any teams, then we remove from the org. + + //First, use the v4 API to count how many teams the user is in + var query struct { + Organization struct { + Teams struct { + TotalCount githubv4.Int + } `graphql:"teams(first:1, userLogins:[$user])"` + } `graphql:"organization(login: $org)"` + } + + err := v4.Query( + ctx, + &query, + map[string]interface{}{ + "org": githubv4.String(orgName), + "user": githubv4.String(user), + }, + ) + if err != nil { + return err + } + + if query.Organization.Teams.TotalCount == 0 { + _, err = v3.Organizations.RemoveOrgMembership(ctx, user, orgName) + return err + } + + membership, _, err := v3.Organizations.GetOrgMembership(ctx, user, orgName) + if err != nil { + return err + } + + membership.Role = github.String("member") + _, _, err = v3.Organizations.EditOrgMembership(ctx, user, orgName, membership) + return err +} + +func updateAdminList(ctx context.Context, data *schema.ResourceData, orgName string, v3 *github.Client, v4 *githubv4.Client) error { + oldSet, newSet := setChanges(data.GetChange("admin_logins")) + toRemove := oldSet.Difference(newSet).List() + toAdd := newSet.Difference(oldSet).List() + + err := addUsers(ctx, data, v4, toAdd) + if err != nil { + return err + } + + return removeUsers(ctx, v3, v4, toRemove, orgName) +} + +func addUsers(ctx context.Context, data *schema.ResourceData, v4 *githubv4.Client, toAdd []interface{}) error { + if len(toAdd) != 0 { + var mutate struct { + AddEnterpriseOrganizationMember struct { + Ignored string `graphql:"clientMutationId"` + } `graphql:"addEnterpriseOrganizationMember(input: $input)"` + } + + adminRole := githubv4.OrganizationMemberRoleAdmin + userIds, err := getUserIds(v4, toAdd) + if err != nil { + return err + } + + input := githubv4.AddEnterpriseOrganizationMemberInput{ + EnterpriseID: data.Get("enterprise_id"), + OrganizationID: data.Id(), + UserIDs: userIds, + Role: &adminRole, + } + + err = v4.Mutate(ctx, &mutate, input, nil) + if err != nil { + return err + } + } + + return nil +} + +func updateBillingEmail(ctx context.Context, data *schema.ResourceData, orgName string, v3 *github.Client) error { + oldBilling, newBilling := stringChanges(data.GetChange("billing_email")) + if oldBilling != newBilling { + _, _, err := v3.Organizations.Edit( + ctx, + orgName, + &github.Organization{ + BillingEmail: &newBilling, + }, + ) + if err != nil { + return err + } + } + return nil +} + +func resourceGithubEnterpriseOrganizationUpdate(data *schema.ResourceData, meta interface{}) error { + v3 := meta.(*Owner).v3client + v4 := meta.(*Owner).v4client + ctx := context.Background() + + err := updateDescription(ctx, data, v3) + if err != nil { + return err + } + + orgName := data.Get("name").(string) + err = updateAdminList(ctx, data, orgName, v3, v4) + if err != nil { + return err + } + + return updateBillingEmail(ctx, data, orgName, v3) +} + +func getUserIds(v4 *githubv4.Client, loginNames []interface{}) ([]githubv4.ID, error) { + var query struct { + User struct { + ID githubv4.String + } `graphql:"user(login: $login)"` + } + + var ret []githubv4.ID + + for _, l := range loginNames { + err := v4.Query(context.Background(), &query, map[string]interface{}{"login": githubv4.String(l.(string))}) + if err != nil { + return nil, err + } + ret = append(ret, query.User.ID) + } + return ret, nil +} + +func stringChanges(oldValue interface{}, newValue interface{}) (string, string) { + oldString, _ := oldValue.(string) + newString, _ := newValue.(string) + + return oldString, newString +} + +func setChanges(oldValue interface{}, newValue interface{}) (*schema.Set, *schema.Set) { + oldSet, _ := oldValue.(*schema.Set) + newSet, _ := newValue.(*schema.Set) + + if oldSet == nil { + oldSet = schema.NewSet(schema.HashString, nil) + } + + if newSet == nil { + newSet = schema.NewSet(schema.HashString, nil) + } + + return oldSet, newSet +} diff --git a/website/docs/d/enterprise.html.markdown b/website/docs/d/enterprise.html.markdown new file mode 100644 index 0000000000..5a069bf55a --- /dev/null +++ b/website/docs/d/enterprise.html.markdown @@ -0,0 +1,27 @@ +--- +layout: "github" +page_title: "Github: github_enterprise" +description: |- + Get an enterprise. +--- + +# github_enterprise + +Use this data source to retrieve basic information about a GitHub enterprise. + +## Example Usage + +``` +data "github_enteprise" "example" { + slug = "example-co" +} +``` + +## Attributes Reference + +* `id` - The ID of the enterprise. +* `slug` - The URL slug identifying the enterprise. +* `name` - The name of the enteprise. +* `description` - The description of the enterpise. +* `created_at` - The time the enterprise was created. +* `url` - The url for the enterprise. diff --git a/website/github.erb b/website/github.erb index 72fdd07f0e..1c01ae6b61 100644 --- a/website/github.erb +++ b/website/github.erb @@ -43,6 +43,9 @@
  • dependabot_secrets
  • +
  • + github_enteprise +
  • github_external_groups
  • From 4ee09d4475a3ef50e113bd835448f4dd1f5bc727 Mon Sep 17 00:00:00 2001 From: Scott Wisniewski Date: Tue, 10 Jan 2023 16:05:24 -0800 Subject: [PATCH 2/2] Update v3 client reference to /v49 from /v48 --- github/resource_github_enterprise_organization.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/github/resource_github_enterprise_organization.go b/github/resource_github_enterprise_organization.go index 8e0958b5f4..326f61cee8 100644 --- a/github/resource_github_enterprise_organization.go +++ b/github/resource_github_enterprise_organization.go @@ -7,7 +7,7 @@ import ( "log" "strings" - "github.com/google/go-github/v48/github" + "github.com/google/go-github/v49/github" "github.com/hashicorp/terraform-plugin-sdk/helper/schema" "github.com/shurcooL/githubv4" )