Merge pull request #301 from cloudskiff/add_github_branch_protection

Add github_branch_protection
snyk · Mar 2, 2021 · 05b53ae · 05b53ae
2 parents fcc17eb + 1c34d86
commit 05b53ae
Show file tree

Hide file tree

Showing 32 changed files with 9,276 additions and 7 deletions.
diff --git a/doc/LIMITATIONS.md b/doc/LIMITATIONS.md
@@ -18,3 +18,14 @@
 - aws_security_group and aws_security_group_rule:
 
 For security group that has in-line egress or ingress rules, driftctl will output an alert message at the end of the scan to warn you that those rules are falsely unmanaged. The explanation is that we can't distinct, based only on the Terraform state, rules created in the console and rules created in-line in either egress or ingress blocks.
+
+### Github
+- github_branch_protection_v3:
+  - This resource is not supported and will probably never be as it overlaps with github_branch_protection.
+    `github_branch_protection` is more suitable for performance purpose.
+    We cannot support these two resources as we don't have any way to discriminate them by enumerating resources from
+    remote side. They represent the same notion but are from two different APIs (REST vs GraphQL).
+    driftctl team recommends you to use the newer `github_branch_protection`, or at least ignore all your `github_branch_protection_v3` in driftignore.
+- github_branch_protection:
+  - Branch protection resources are not returned as unmanaged if the branch protection pattern does not match at least one branch.
+  - We cannot show the related repository name in driftctl output as the terraform provider does not retrieve this information.
diff --git a/doc/cmd/scan/supported_resources/github.md b/doc/cmd/scan/supported_resources/github.md
@@ -25,3 +25,4 @@ read:org # Used to list your organization teams
 - [x] github_team
 - [x] github_membership
 - [x] github_team_membership
+- [x] github_branch_protection
diff --git a/pkg/iac/deserializers.go b/pkg/iac/deserializers.go
@@ -64,5 +64,6 @@ func Deserializers() []deserializer.CTYDeserializer {
 		ghdeserializer.NewGithubTeamDeserializer(),
 		ghdeserializer.NewGithubMembershipDeserializer(),
 		ghdeserializer.NewGithubTeamMembershipDeserializer(),
+		ghdeserializer.NewGithubBranchProtectionDeserializer(),
 	}
 }
diff --git a/pkg/iac/terraform/state/terraform_state_reader_test.go b/pkg/iac/terraform/state/terraform_state_reader_test.go
@@ -160,6 +160,7 @@ func TestTerraformStateReader_Github_Resources(t *testing.T) {
 		{name: "github team", dirName: "github_team", wantErr: false},
 		{name: "github membership", dirName: "github_membership", wantErr: false},
 		{name: "github team membership", dirName: "github_team_membership", wantErr: false},
+		{name: "github branch protection", dirName: "github_branch_protection", wantErr: false},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

diff --git a/pkg/iac/terraform/state/test/github_branch_protection/result.golden.json b/pkg/iac/terraform/state/test/github_branch_protection/result.golden.json
@@ -0,0 +1,90 @@
+[
+ {
+  "AllowsDeletions": true,
+  "AllowsForcePushes": true,
+  "EnforceAdmins": true,
+  "Id": "MDIwOkJyYW5jaFByb3RlY3Rpb25SdWxlMTk1NDg0NzI=",
+  "Pattern": "main",
+  "PushRestrictions": [
+   "MDQ6VXNlcjYxNTQ5ODc="
+  ],
+  "RepositoryId": "MDEwOlJlcG9zaXRvcnkzNDI1MzIzNzE=",
+  "RequireSignedCommits": false,
+  "RequiredPullRequestReviews": [
+   {
+    "DismissStaleReviews": true,
+    "DismissalRestrictions": [
+     "MDQ6VXNlcjYxNTQ5ODc="
+    ],
+    "RequireCodeOwnerReviews": false,
+    "RequiredApprovingReviewCount": 1
+   }
+  ],
+  "RequiredStatusChecks": [
+   {
+    "Contexts": [
+     "ci/travis"
+    ],
+    "Strict": false
+   }
+  ]
+ },
+ {
+  "AllowsDeletions": true,
+  "AllowsForcePushes": true,
+  "EnforceAdmins": true,
+  "Id": "MDIwOkJyYW5jaFByb3RlY3Rpb25SdWxlMTk1NDg0NzQ=",
+  "Pattern": "main",
+  "PushRestrictions": [
+   "MDQ6VXNlcjYxNTQ5ODc="
+  ],
+  "RepositoryId": "MDEwOlJlcG9zaXRvcnkzNDI1MzIzODI=",
+  "RequireSignedCommits": false,
+  "RequiredPullRequestReviews": [
+   {
+    "DismissStaleReviews": true,
+    "DismissalRestrictions": [
+     "MDQ6VXNlcjYxNTQ5ODc="
+    ],
+    "RequireCodeOwnerReviews": false,
+    "RequiredApprovingReviewCount": 1
+   }
+  ],
+  "RequiredStatusChecks": [
+   {
+    "Contexts": [
+     "ci/travis"
+    ],
+    "Strict": false
+   }
+  ]
+ },
+ {
+  "AllowsDeletions": true,
+  "AllowsForcePushes": true,
+  "EnforceAdmins": true,
+  "Id": "MDIwOkJyYW5jaFByb3RlY3Rpb25SdWxlMTk1NDg0NzE=",
+  "Pattern": "main",
+  "PushRestrictions": null,
+  "RepositoryId": "MDEwOlJlcG9zaXRvcnkzNDI1MzIzOTE=",
+  "RequireSignedCommits": false,
+  "RequiredPullRequestReviews": [
+   {
+    "DismissStaleReviews": true,
+    "DismissalRestrictions": [
+     "MDQ6VXNlcjYxNTQ5ODc="
+    ],
+    "RequireCodeOwnerReviews": false,
+    "RequiredApprovingReviewCount": 1
+   }
+  ],
+  "RequiredStatusChecks": [
+   {
+    "Contexts": [
+     "ci/travis"
+    ],
+    "Strict": false
+   }
+  ]
+ }
+]