Add vulnerability_alerts attribute for repositories #444
Conversation
ghost
added
size/L
Type: Documentation
|
Yay I am excited to see this, its something I have been looking forward to adding to our internal module for a while and I am currently relying on manually managing these on the core repos in my org. Clearly far from ideal as we know there are new projects being created daily. I think we should consider having this default with a I would prefer we follow the upstream defaults and encourage organizations to have their own module encapsulating their own opinions, standards, etc. |
|
🤔 I just realized we currently have documented that we support terraform |
|
hi @jtsaito, should we add this field to the data source as well? |
|
@majormoses Thank you for your feedback! Regarding the
As long as the attribute is a boolean the default is either Forcing users to set the value according to the diff is actually helpful because they can be sure their infrastructure as code reflects the state of the API. This precludes ambiguity about the click-opsed state. Setting the actual value based on the diff requires minimal effort even for hundreds of repos a simple script or editor macro should do the job. The default Please llet me know what you think. |
|
@anGie44 Sure, if this PR get's accepted I will gladly create another adding the attribute for the datasource! |
github/resource_github_repository.go
Outdated
| @@ -374,6 +405,18 @@ func resourceGithubRepositoryUpdate(d *schema.ResourceData, meta interface{}) er | |||
| } | |||
| } | |||
|
|
|||
| if d.HasChange("vulnerability_alerts") { | |||
There was a problem hiding this comment.
my only suggestion here could be to save an API call after creation of a resource by adding the!d.IsNewResource() since Update immediately follows Create
github/resource_github_repository.go
Outdated
| "vulnerability_alerts": { | ||
| Type: schema.TypeBool, | ||
| Optional: true, | ||
| Default: false, |
There was a problem hiding this comment.
my concern here is, as stated, this default value is only applicable to private repos as initially defined by the API, and a user may unintentionally disable alerts for a public repo by omitting this attribute in a config and making it through the apply step..could we consider leaving this w/o a default or, given the feedback in the original issue, is the general user experience better with having this value in place?
There was a problem hiding this comment.
could we consider leaving this w/o a default
👍 my vote goes to removing the default.
| @@ -557,6 +631,33 @@ func testAccCheckGithubRepositoryTemplateRepoAttribute(n string, repo *github.Re | |||
| } | |||
| } | |||
|
|
|||
| func testAccCheckGithubVulnerabilityAlerts(n string, expected bool) resource.TestCheckFunc { | |||
| return func(s *terraform.State) error { | |||
| rs, ok := s.RootModule().Resources[n] | |||
There was a problem hiding this comment.
it may be redundant to check w/in the state here as a call to this function in the acceptance tests is preceded by testAccCheckGithubRepositoryExists which checks this for us, so alternatively the logic here can be omitted and the repoName can be determined by the repo object set in the Exists function
| has_downloads = true | ||
| auto_init = false | ||
|
|
||
| vulnerability_alerts = true |
There was a problem hiding this comment.
Nit: can be aligned by using terrafmt
| has_downloads = true | ||
| auto_init = false | ||
|
|
||
| vulnerability_alerts = false |
|
@jtsaito sorry for the delayed response. AFAIK we can use |
github/resource_github_repository.go
Outdated
| "vulnerability_alerts": { | ||
| Type: schema.TypeBool, | ||
| Optional: true, | ||
| Default: false, |
There was a problem hiding this comment.
could we consider leaving this w/o a default
👍 my vote goes to removing the default.
|
@anGie44 Thanks for the review! Sorry, I did not get around to fixing this earlier. I'll have time to fix this by the end of the week and will remove the default. |
|
@anGie44 Sorry again for the delay. I hope to now have incorporated all your corrections and suggestions. Please check the latest commits and let me know if I should squash all commits into one. |
There was a problem hiding this comment.
no worries @jtsaito, thanks for pushing your latest changes!
I ran into this test failure:
TestAccGithubRepository_vulnerabilityAlerts: testing.go:654: Step 0 error: Check failed: Check 3/3 error: Unexpected vulnerability alerts, got: false
But a change in the test's check function as commented below should be the fix
| @@ -83,6 +83,7 @@ func TestAccGithubRepository_basic(t *testing.T) { | |||
| DefaultBranch: "master", | |||
| Archived: false, | |||
| }), | |||
| testAccCheckGithubVulnerabilityAlerts(rn, false), | |||
There was a problem hiding this comment.
in calls to testAccCheckGithubVulnerabilityAlerts, we'll want to send the repo name (in this case stored in the repo variable) as needed for the github API method; alternatively you could pass the whole repo object and extract the name inside the testAccCheckGithubVulnerabilityAlerts method
| @@ -101,6 +102,7 @@ func TestAccGithubRepository_basic(t *testing.T) { | |||
| HasProjects: false, | |||
| Archived: false, | |||
| }), | |||
| testAccCheckGithubVulnerabilityAlerts(rn, false), | |||
|
I wanted to also note @jtsaito, this feature request https://github.com/terraform-providers/terraform-provider-github/issues/390 brought to light a side-effect of enabling vulnerability alerts via the API as the dependency_graph is also enabled (https://developer.github.com/v3/repos/#enable-vulnerability-alerts). In this case, I think we should document this in website docs as well. |
|
Hi @jtsaito, we are eagerly waiting for this feature to turn on security checking via terraform - is there any way we can help you to finish this PR and get it merged? :) Thank you! |
|
Looks like recent updates to the branch protection plumbing has added conflicts to this PR. I've got this queued to address this week, but welcome anyone else jumping in to remove conflicts. |
|
Conflicting tests have been removed and will be re-added in a follow-up commit. |
* Add vulnerability_alerts attribute for repositories * Check change of vulnerability alerts only if new resource * No default value for vulnerability alerts * Remove redundant test code * Update website on repository vulnerability alerts * Add newline * Update website/docs/r/repository.html.markdown Co-authored-by: Jeremy Udit <jcudit@github.com>
Add support for new attribute
vulnerability_alertsforgithub_repository. GitHub calls this feature asvulnearability-alertsin the API,Security Alertsin the web console, and "security alerts for vulnerable dependencies" in the documentation.The PR follows up on https://github.com/terraform-providers/terraform-provider-github/pull/382 and addresses https://github.com/terraform-providers/terraform-provider-github/issues/238.
This would introduce changes for some existing repos with vulnerabilities alerts enabled and show a diff accordingly. To address fix the diff, adding
vulnerability_alerts = truesuffices.What's slightly weird is that by default GitHub enables this feature on public repos but disables it on private repos.
References
Acc tests
I ran
make testaccbut only for the new and the basic repo test.Also manually tested for private repos and that worked as well.