Feature github_repository_tag_protection closes#1250 (#1283)

* Adding github_tag_protection to provider.

* adding loop for tag_protection call to set properties if pattern matches input

* changing resource name from resourceGithubTagProtection to resourceGithubRepositoryTagProtection

* Adding tests for import and delete

* adding documentation

* adding doc lin to github.erb and removing commented out code

Author: kuhlman-labs

github/provider.go

@@ -121,6 +121,7 @@ func Provider() terraform.ResourceProvider {
 			"github_repository_milestone":                        resourceGithubRepositoryMilestone(),
 			"github_repository_project":                          resourceGithubRepositoryProject(),
 			"github_repository_pull_request":                     resourceGithubRepositoryPullRequest(),
+			"github_repository_tag_protection":                   resourceGithubRepositoryTagProtection(),
 			"github_repository_webhook":                          resourceGithubRepositoryWebhook(),
 			"github_team":                                        resourceGithubTeam(),
 			"github_team_members":                                resourceGithubTeamMembers(),

github/resource_github_repository_tag_protection.go

@@ -0,0 +1,117 @@
+package github
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/google/go-github/v47/github"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+)
+
+func resourceGithubRepositoryTagProtection() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceGithubRepositoryTagProtectionCreateOrUpdate,
+		Read:   resourceGithubRepositoryTagProtectionRead,
+		Delete: resourceGithubRepositoryTagProtectionDelete,
+		Importer: &schema.ResourceImporter{
+			State: func(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+				parts := strings.Split(d.Id(), "/")
+				if len(parts) != 2 {
+					return nil, fmt.Errorf("Invalid ID specified. Supplied ID must be written as <repository>/<webhook_id>")
+				}
+				d.Set("repository", parts[0])
+				d.Set("tag_protection_id", parts[1])
+				d.SetId(parts[1])
+				return []*schema.ResourceData{d}, nil
+			},
+		},
+
+		Schema: map[string]*schema.Schema{
+			"repository": {
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+			"pattern": {
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+			"tag_protection_id": {
+				Type:     schema.TypeInt,
+				Computed: true,
+			},
+		},
+	}
+}
+
+func resourceGithubRepositoryTagProtectionCreateOrUpdate(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*Owner).v3client
+	ctx := context.Background()
+	owner := meta.(*Owner).name
+	repo := d.Get("repository").(string)
+	pattern := d.Get("pattern").(string)
+	log.Printf("[DEBUG] Creating tag protection for %s/%s with pattern %s", owner, repo, pattern)
+	tagProtection, _, err := client.Repositories.CreateTagProtection(ctx, owner, repo, pattern)
+	if err != nil {
+		return err
+	}
+	d.SetId(strconv.FormatInt(tagProtection.GetID(), 10))
+
+	return resourceGithubRepositoryTagProtectionRead(d, meta)
+}
+
+func resourceGithubRepositoryTagProtectionRead(d *schema.ResourceData, meta interface{}) error {
+
+	ctx := context.WithValue(context.Background(), ctxId, d.Id())
+
+	client := meta.(*Owner).v3client
+	owner := meta.(*Owner).name
+	repo := d.Get("repository").(string)
+
+	id, err := strconv.ParseInt(d.Id(), 10, 64)
+	if err != nil {
+		return err
+	}
+
+	tag_protection, _, err := client.Repositories.ListTagProtection(ctx, owner, repo)
+	if err != nil {
+		if ghErr, ok := err.(*github.ErrorResponse); ok {
+			if ghErr.Response.StatusCode == http.StatusNotModified {
+				return nil
+			}
+			if ghErr.Response.StatusCode == http.StatusNotFound && d.IsNewResource() {
+				return nil
+			}
+			return err
+		}
+		return err
+	}
+	for _, tag := range tag_protection {
+		if tag.GetID() == id {
+			d.Set("pattern", tag.GetPattern())
+		}
+	}
+
+	return nil
+}
+
+func resourceGithubRepositoryTagProtectionDelete(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*Owner).v3client
+	ctx := context.WithValue(context.Background(), ctxId, d.Id())
+	owner := meta.(*Owner).name
+	repo := d.Get("repository").(string)
+	tag_protection_id, err := strconv.ParseInt(d.Id(), 10, 64)
+	if err != nil {
+		return err
+	}
+
+	log.Printf("[DEBUG] Deleting tag protection for %s/%s with id %d", owner, repo, tag_protection_id)
+	_, error := client.Repositories.DeleteTagProtection(ctx, owner, repo, tag_protection_id)
+
+	return error
+}

github/resource_github_repository_tag_protection_test.go

@@ -0,0 +1,151 @@
+package github
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+)
+
+func TestAccGithubRepositoryTagProtection(t *testing.T) {
+	randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+	t.Run("creates tag protection without error", func(t *testing.T) {
+
+		config := fmt.Sprintf(`
+			resource "github_repository" "test" {
+			  name         = "tf-acc-test-%s"
+			  auto_init    = true
+			}
+
+			resource "github_repository_tag_protection" "test" {
+				depends_on = ["github_repository.test"]
+			  	repository = github_repository.test.name
+				pattern    = "v*"
+			}
+		`, randomID)
+
+		check := resource.ComposeTestCheckFunc(
+			resource.TestCheckResourceAttr(
+				"github_repository_tag_protection.test", "pattern", "v*",
+			),
+		)
+
+		testCase := func(t *testing.T, mode string) {
+			resource.Test(t, resource.TestCase{
+				PreCheck:  func() { skipUnlessMode(t, mode) },
+				Providers: testAccProviders,
+				Steps: []resource.TestStep{
+					{
+						Config: config,
+						Check:  check,
+					},
+				},
+			})
+		}
+		t.Run("run with an anonymous account", func(t *testing.T) {
+			t.Skip("anonymous account not supported for this operation")
+		})
+		t.Run("run with an individual account", func(t *testing.T) {
+			testCase(t, individual)
+		})
+		t.Run("run with an organization account", func(t *testing.T) {
+			testCase(t, organization)
+		})
+
+	})
+	t.Run("imports tag protection without error", func(t *testing.T) {
+
+		config := fmt.Sprintf(`
+			resource "github_repository" "test" {
+			  name         = "tf-acc-test-%s"
+			  auto_init    = true
+			}
+
+			resource "github_repository_tag_protection" "test" {
+				depends_on = ["github_repository.test"]
+			  	repository = github_repository.test.name
+			  	pattern    = "v*"
+			}
+		`, randomID)
+
+		check := resource.ComposeTestCheckFunc(
+			resource.TestCheckResourceAttr(
+				"github_repository_tag_protection.test", "pattern", "v*",
+			),
+			resource.TestCheckResourceAttrSet(
+				"github_repository_tag_protection.test", "id",
+			),
+		)
+
+		testCase := func(t *testing.T, mode string) {
+			resource.Test(t, resource.TestCase{
+				PreCheck:  func() { skipUnlessMode(t, mode) },
+				Providers: testAccProviders,
+				Steps: []resource.TestStep{
+					{
+						Config: config,
+						Check:  check,
+					},
+					{
+						ResourceName:        "github_repository_tag_protection.test",
+						ImportState:         true,
+						ImportStateIdPrefix: fmt.Sprintf("tf-acc-test-%s/", randomID),
+						ImportStateVerify:   true,
+					},
+				},
+			})
+		}
+		t.Run("run with an anonymous account", func(t *testing.T) {
+			t.Skip("anonymous account not supported for this operation")
+		})
+		t.Run("run with an individual account", func(t *testing.T) {
+			testCase(t, individual)
+		})
+		t.Run("run with an organization account", func(t *testing.T) {
+			testCase(t, organization)
+		})
+	})
+	t.Run("deletes tag protection without error", func(t *testing.T) {
+
+		config := fmt.Sprintf(`
+				resource "github_repository" "test" {
+					name = "tf-acc-test-%s"
+					auto_init = true
+				}
+
+				resource "github_repository_tag_protection" "test" {
+					depends_on = ["github_repository.test"]
+					repository       = github_repository.test.name
+					pattern          = "v*"
+				}
+			`, randomID)
+
+		testCase := func(t *testing.T, mode string) {
+			resource.Test(t, resource.TestCase{
+				PreCheck:  func() { skipUnlessMode(t, mode) },
+				Providers: testAccProviders,
+				Steps: []resource.TestStep{
+					{
+						Config:  config,
+						Destroy: true,
+					},
+				},
+			})
+		}
+
+		t.Run("run with an anonymous account", func(t *testing.T) {
+			t.Skip("anonymous account not supported for this operation")
+		})
+
+		t.Run("run with an individual account", func(t *testing.T) {
+			testCase(t, individual)
+		})
+
+		t.Run("run with an organization account", func(t *testing.T) {
+			testCase(t, organization)
+		})
+
+	})
+
+}

website/docs/r/repository_tag_protection.html.markdown

@@ -0,0 +1,42 @@
+---
+layout: "github"
+page_title: "GitHub: repository_tag_protection"
+description: |-
+  Creates and manages repository tag protection within GitHub organizations or personal accounts
+---
+
+# github_repository_tag_protection
+
+This resource allows you to create and manage a repository tag protection for repositories within your GitHub organization or personal account.
+
+## Example Usage
+
+```hcl
+resource "github_repository_tag_protection" "example" {
+    repository      = "example-repository"
+    pattern         = "v*"
+}
+```
+
+## Argument Reference
+
+* `repository` - (Required) Name of the repository to add the tag protection to.
+
+* `pattern` - (Required) The pattern of the tag to protect.
+
+## Attributes Reference
+
+The following additional attributes are exported:
+
+* `id` - The ID of the tag protection.
+
+## Import
+
+Repository tag protections can be imported using the `name` of the repository, combined with the `id` of the tag protection, separated by a `/` character.
+The `id` of the tag protection can be found using the [GitHub API](https://docs.github.com/en/rest/repos/tags#list-tag-protection-states-for-a-repository).
+
+Importing uses the name of the repository, as well as the ID of the webhook, e.g.
+
+```
+$ terraform import github_repository_tag_protection.terraform my-repo/31077
+```

website/github.erb

@@ -160,6 +160,9 @@
             <li>
               <a href="/docs/providers/github/r/repository_project.html">github_repository_project</a>
             </li>
+            <li>
+              <a href="/docs/providers/github/r/repository_tag_protection.html">github_repository_tag_protection</a>
+            </li>
             <li>
               <a href="/docs/providers/github/r/repository_webhook.html">github_repository_webhook</a>
             </li>