-
Notifications
You must be signed in to change notification settings - Fork 769
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add vulnerability_alerts attribute for repositories #444
Add vulnerability_alerts attribute for repositories #444
Conversation
Yay I am excited to see this, its something I have been looking forward to adding to our internal module for a while and I am currently relying on manually managing these on the core repos in my org. Clearly far from ideal as we know there are new projects being created daily. I think we should consider having this default with a I would prefer we follow the upstream defaults and encourage organizations to have their own module encapsulating their own opinions, standards, etc. |
🤔 I just realized we currently have documented that we support terraform |
hi @jtsaito, should we add this field to the data source as well? |
@majormoses Thank you for your feedback! Regarding the
As long as the attribute is a boolean the default is either Forcing users to set the value according to the diff is actually helpful because they can be sure their infrastructure as code reflects the state of the API. This precludes ambiguity about the click-opsed state. Setting the actual value based on the diff requires minimal effort even for hundreds of repos a simple script or editor macro should do the job. The default Please llet me know what you think. |
@anGie44 Sure, if this PR get's accepted I will gladly create another adding the attribute for the datasource! |
github/resource_github_repository.go
Outdated
@@ -374,6 +405,18 @@ func resourceGithubRepositoryUpdate(d *schema.ResourceData, meta interface{}) er | |||
} | |||
} | |||
|
|||
if d.HasChange("vulnerability_alerts") { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
my only suggestion here could be to save an API call after creation of a resource by adding the!d.IsNewResource()
since Update
immediately follows Create
github/resource_github_repository.go
Outdated
"vulnerability_alerts": { | ||
Type: schema.TypeBool, | ||
Optional: true, | ||
Default: false, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
my concern here is, as stated, this default value is only applicable to private
repos as initially defined by the API, and a user may unintentionally disable alerts for a public
repo by omitting this attribute in a config and making it through the apply
step..could we consider leaving this w/o a default or, given the feedback in the original issue, is the general user experience better with having this value in place?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could we consider leaving this w/o a default
👍 my vote goes to removing the default.
@@ -557,6 +631,33 @@ func testAccCheckGithubRepositoryTemplateRepoAttribute(n string, repo *github.Re | |||
} | |||
} | |||
|
|||
func testAccCheckGithubVulnerabilityAlerts(n string, expected bool) resource.TestCheckFunc { | |||
return func(s *terraform.State) error { | |||
rs, ok := s.RootModule().Resources[n] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it may be redundant to check w/in the state here as a call to this function in the acceptance tests is preceded by testAccCheckGithubRepositoryExists
which checks this for us, so alternatively the logic here can be omitted and the repoName can be determined by the repo object set in the Exists function
has_downloads = true | ||
auto_init = false | ||
|
||
vulnerability_alerts = true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: can be aligned by using terrafmt
has_downloads = true | ||
auto_init = false | ||
|
||
vulnerability_alerts = false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same nit as above
@jtsaito sorry for the delayed response. AFAIK we can use |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good overall! Excited to see this ship after the remaining discussion items are resolved.
github/resource_github_repository.go
Outdated
"vulnerability_alerts": { | ||
Type: schema.TypeBool, | ||
Optional: true, | ||
Default: false, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could we consider leaving this w/o a default
👍 my vote goes to removing the default.
@anGie44 Thanks for the review! Sorry, I did not get around to fixing this earlier. I'll have time to fix this by the end of the week and will remove the default. |
@anGie44 Sorry again for the delay. I hope to now have incorporated all your corrections and suggestions. Please check the latest commits and let me know if I should squash all commits into one. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no worries @jtsaito, thanks for pushing your latest changes!
I ran into this test failure:
TestAccGithubRepository_vulnerabilityAlerts: testing.go:654: Step 0 error: Check failed: Check 3/3 error: Unexpected vulnerability alerts, got: false
But a change in the test's check function as commented below should be the fix
@@ -83,6 +83,7 @@ func TestAccGithubRepository_basic(t *testing.T) { | |||
DefaultBranch: "master", | |||
Archived: false, | |||
}), | |||
testAccCheckGithubVulnerabilityAlerts(rn, false), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in calls to testAccCheckGithubVulnerabilityAlerts
, we'll want to send the repo name (in this case stored in the repo
variable) as needed for the github API method; alternatively you could pass the whole repo
object and extract the name inside the testAccCheckGithubVulnerabilityAlerts
method
@@ -101,6 +102,7 @@ func TestAccGithubRepository_basic(t *testing.T) { | |||
HasProjects: false, | |||
Archived: false, | |||
}), | |||
testAccCheckGithubVulnerabilityAlerts(rn, false), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
similar comment as above
I wanted to also note @jtsaito, this feature request https://github.com/terraform-providers/terraform-provider-github/issues/390 brought to light a side-effect of enabling vulnerability alerts via the API as the dependency_graph is also enabled (https://developer.github.com/v3/repos/#enable-vulnerability-alerts). In this case, I think we should document this in website docs as well. |
Hi @jtsaito, we are eagerly waiting for this feature to turn on security checking via terraform - is there any way we can help you to finish this PR and get it merged? :) Thank you! |
Looks like recent updates to the branch protection plumbing has added conflicts to this PR. I've got this queued to address this week, but welcome anyone else jumping in to remove conflicts. |
Conflicting tests have been removed and will be re-added in a follow-up commit. |
* Add vulnerability_alerts attribute for repositories * Check change of vulnerability alerts only if new resource * No default value for vulnerability alerts * Remove redundant test code * Update website on repository vulnerability alerts * Add newline * Update website/docs/r/repository.html.markdown Co-authored-by: Jeremy Udit <jcudit@github.com>
Add support for new attribute
vulnerability_alerts
forgithub_repository
. GitHub calls this feature asvulnearability-alerts
in the API,Security Alerts
in the web console, and "security alerts for vulnerable dependencies" in the documentation.The PR follows up on https://github.com/terraform-providers/terraform-provider-github/pull/382 and addresses https://github.com/terraform-providers/terraform-provider-github/issues/238.
This would introduce changes for some existing repos with vulnerabilities alerts enabled and show a diff accordingly. To address fix the diff, adding
vulnerability_alerts = true
suffices.What's slightly weird is that by default GitHub enables this feature on public repos but disables it on private repos.
References
Acc tests
I ran
make testacc
but only for the new and the basic repo test.Also manually tested for private repos and that worked as well.