[MAINT] Fix github_organization_ruleset and github_repository_ruleset with push target (#2958)

* Update descriptions and validations

Signed-off-by: Timo Sand <[email protected]>

* Add `CustomizeDiff` logic to validate on `plan`

Signed-off-by: Timo Sand <[email protected]>

* Add first validation test

Signed-off-by: Timo Sand <[email protected]>

* Add validation error when `conditions` is missing

Signed-off-by: Timo Sand <[email protected]>

* Add further validation tests

Signed-off-by: Timo Sand <[email protected]>

* Remove unnecessary skip blocks as `individual` and `anonymous` access to org rulesets will never be a thing

Signed-off-by: Timo Sand <[email protected]>

* Switch `ref_name` to `Optional` as `push` doesn't need a `ref_name`

Signed-off-by: Timo Sand <[email protected]>

* Add Debug logging with `tflog` to validation

Signed-off-by: Timo Sand <[email protected]>

* Fix validation as `ref_name`, `repository_name` and `repository_id` are empty lists by default

Signed-off-by: Timo Sand <[email protected]>

* Remove unnecessary panic test

Signed-off-by: Timo Sand <[email protected]>

* Improve validation output messages

Signed-off-by: Timo Sand <[email protected]>

* Fix condition to require only one of `repository_name` or `repository_id`

Signed-off-by: Timo Sand <[email protected]>

* Add validation to `required_workflow.path`

Signed-off-by: Timo Sand <[email protected]>

* Rename test resources for easier debugging

Signed-off-by: Timo Sand <[email protected]>

* Fix linter issues

Signed-off-by: Timo Sand <[email protected]>

* Add validation to ensure `rules.required_status_checks.required_checks.context` is not empty

Signed-off-by: Timo Sand <[email protected]>

* Add test to ensure that `required_checks` is always required

Signed-off-by: Timo Sand <[email protected]>

* Fix tests after rebase

Signed-off-by: Timo Sand <[email protected]>

* Improve legibility of `conditions` description

Signed-off-by: Timo Sand <[email protected]>

* Update descriptions

Signed-off-by: Timo Sand <[email protected]>

* Add Acc test for push ruleset.

This turns out to be failing as there is a bug in our implementation! Unit tests and fix coming up

Signed-off-by: Timo Sand <[email protected]>

* Add failing test for `flattenConditions` with no `ref_name` condition

Signed-off-by: Timo Sand <[email protected]>

* Fix `flattenConditions` to work with `push` rulesets

Signed-off-by: Timo Sand <[email protected]>

* Add more tests for `flattenConditions`

Signed-off-by: Timo Sand <[email protected]>

* Enable debug logging in `flattenConditions`

Signed-off-by: Timo Sand <[email protected]>

* Ensures that `flattenConditions` returns an empty list on empty API response

Signed-off-by: Timo Sand <[email protected]>

* Add validation for `push` `rules`

As they differ from `branch` and `tag` rules

Signed-off-by: Timo Sand <[email protected]>

* Get `TestAccGithubRepositoryRulesets` to work

Signed-off-by: Timo Sand <[email protected]>

* `repository_ruleset`: Add tests for validations

Signed-off-by: Timo Sand <[email protected]>

* `repository_ruleset`: Implement validations for `target`, `conditions` and `rules`

Signed-off-by: Timo Sand <[email protected]>

* Updated ruleset docs

Signed-off-by: Timo Sand <[email protected]>

* Extract validation functions to separate utils file with unit tests

Signed-off-by: Timo Sand <[email protected]>

* Fix push ruleset test config

Signed-off-by: Timo Sand <[email protected]>

* Remove `repository` target after thorough testing that it doesn't do anything

Signed-off-by: Timo Sand <[email protected]>

* Use idiomatic test naming convention

Signed-off-by: Timo Sand <[email protected]>

* Address code structure comment in tests

Signed-off-by: Timo Sand <[email protected]>

* Fix inconsistent logging

Signed-off-by: Timo Sand <[email protected]>

* Refactor to use typed constant string for ruleset `Target`

Signed-off-by: Timo Sand <[email protected]>

* Fix indentation issue with `github_repository_file` and heredocs

Signed-off-by: Timo Sand <[email protected]>

* Rename files to be more sensible

Signed-off-by: Timo Sand <[email protected]>

* Refactor validation functions so that Repo and Org share almost everything

Signed-off-by: Timo Sand <[email protected]>

* Address review comments

Signed-off-by: Timo Sand <[email protected]>

* Use `github.RepositoryRuleType` instead of strings

Signed-off-by: Timo Sand <[email protected]>

* Refactor `flattenRules` and `expandRules` to use context

Signed-off-by: Timo Sand <[email protected]>

* Fix failing validation

Signed-off-by: Timo Sand <[email protected]>

* Refactor to use `ValidateDiagFunc` and `validation.ToDiagFunc` in repo ruleset

Signed-off-by: Timo Sand <[email protected]>

* Use `strings.Join` to make `Description` of `target` dynamic

Signed-off-by: Timo Sand <[email protected]>

* Add validation to `operator` attributes

Signed-off-by: Timo Sand <[email protected]>

* Add missing validations to repo ruleset attributes

Signed-off-by: Timo Sand <[email protected]>

* Refactor to use `ValidateDiagFunc` and `validation.ToDiagFunc` in org ruleset

* Use `strings.Join` to make `Description` of `target` dynamic

* Add validation to `operator` attributes

* Add missing validations to org ruleset attributes

* Ensure attribute names map correctly to rule names

Signed-off-by: Timo Sand <[email protected]>

* Don't ignore errors

Signed-off-by: Timo Sand <[email protected]>

* Address review comments

Signed-off-by: Timo Sand <[email protected]>

---------

Signed-off-by: Timo Sand <[email protected]>

Author: deiga

github/resource_github_organization_ruleset.go

@@ -2,6 +2,7 @@ package github
 
 import (
 	"fmt"
+	"regexp"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
@@ -18,6 +19,19 @@ func TestAccGithubOrganizationRuleset(t *testing.T) {
 		workflowFilePath := ".github/workflows/echo.yaml"
 
 		config := fmt.Sprintf(`
+locals {
+		workflow_content = <<EOT
+name: Echo Workflow
+
+on: [pull_request]
+
+jobs:
+	echo:
+		runs-on: ubuntu-latest
+		steps:
+			- run: echo "Hello, world!"
+EOT
+}
 resource "github_repository" "test" {
 	name = "%s"
 	visibility = "private"
@@ -28,17 +42,7 @@ resource "github_repository_file" "workflow_file" {
 	repository          = github_repository.test.name
 	branch              = "main"
 	file                = "%[3]s"
-	content             = <<EOT
-name: Echo Workflow
-
-on: [pull_request]
-
-jobs:
-  echo:
-    runs-on: linux
-    steps:
-      - run: echo \"Hello, world!\"
-EOT
+	content             = replace(local.workflow_content, "\t", " ") # NOTE: 'content' must be indented with spaces, not tabs
 	commit_message      = "Managed by Terraform"
 	commit_author       = "Terraform User"
 	commit_email        = "[email protected]"
@@ -210,11 +214,6 @@ resource "github_organization_ruleset" "test" {
 			include = ["~ALL"]
 			exclude = []
 		}
-
-		ref_name {
-			include = ["~ALL"]
-			exclude = []
-		}
 	}
 
 	rules {
@@ -499,6 +498,317 @@ resource "github_organization_ruleset" "test" {
 			},
 		})
 	})
+
+	t.Run("validates_branch_target_requires_ref_name_condition", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		config := fmt.Sprintf(`
+			resource "github_organization_ruleset" "test" {
+				name        = "test-validation-%s"
+				target      = "branch"
+				enforcement = "active"
+
+				conditions {
+					repository_name {
+						include = ["~ALL"]
+						exclude = []
+					}
+				}
+
+				rules {
+					creation = true
+				}
+			}
+		`, randomID)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnlessHasPaidOrgs(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config:      config,
+					ExpectError: regexp.MustCompile("ref_name must be set for branch target"),
+				},
+			},
+		})
+	})
+
+	t.Run("validates_tag_target_requires_ref_name_condition", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		config := fmt.Sprintf(`
+			resource "github_organization_ruleset" "test" {
+				name        = "test-tag-no-conditions-%s"
+				target      = "tag"
+				enforcement = "active"
+
+				conditions {
+					repository_name {
+						include = ["~ALL"]
+						exclude = []
+					}
+				}
+
+				rules {
+					creation = true
+				}
+			}
+		`, randomID)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnlessHasPaidOrgs(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config:      config,
+					ExpectError: regexp.MustCompile("ref_name must be set for tag target"),
+				},
+			},
+		})
+	})
+
+	t.Run("validates_push_target_rejects_ref_name_condition", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		resourceName := "test-push-reject-ref-name"
+		config := fmt.Sprintf(`
+			resource "github_organization_ruleset" "%s" {
+				name        = "test-push-with-ref-%s"
+				target      = "push"
+				enforcement = "active"
+
+				conditions {
+					ref_name {
+						include = ["~ALL"]
+						exclude = []
+					}
+					repository_name {
+						include = ["~ALL"]
+						exclude = []
+					}
+				}
+
+				rules {
+					# Push rulesets only support push-specific rules
+					max_file_size {
+						max_file_size = 100
+					}
+				}
+			}
+		`, resourceName, randomID)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnlessHasPaidOrgs(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config:      config,
+					ExpectError: regexp.MustCompile("ref_name must not be set for push target"),
+				},
+			},
+		})
+	})
+
+	t.Run("validates_push_target_rejects_branch_or_tag_rules", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		resourceName := "test-push-reject-branch-rules"
+		config := fmt.Sprintf(`
+			resource "github_organization_ruleset" "%s" {
+				name        = "test-push-branch-rule-%s"
+				target      = "push"
+				enforcement = "active"
+
+				conditions {
+					repository_name {
+						include = ["~ALL"]
+						exclude = []
+					}
+				}
+
+				rules {
+					# 'creation' is a branch/tag rule, not valid for push target
+					creation = true
+				}
+			}
+		`, resourceName, randomID)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnlessHasPaidOrgs(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config:      config,
+					ExpectError: regexp.MustCompile("rule .* is not valid for push target"),
+				},
+			},
+		})
+	})
+
+	t.Run("validates_branch_target_rejects_push-only_rules", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		resourceName := "test-branch-reject-push-rules"
+		config := fmt.Sprintf(`
+			resource "github_organization_ruleset" "%s" {
+				name        = "test-branch-push-rule-%s"
+				target      = "branch"
+				enforcement = "active"
+
+				conditions {
+					ref_name {
+						include = ["~ALL"]
+						exclude = []
+					}
+					repository_name {
+						include = ["~ALL"]
+						exclude = []
+					}
+				}
+
+				rules {
+					# 'max_file_size' is a push-only rule, not valid for branch target
+					max_file_size {
+						max_file_size = 100
+					}
+				}
+			}
+		`, resourceName, randomID)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnlessHasPaidOrgs(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config:      config,
+					ExpectError: regexp.MustCompile("rule .* is not valid for branch target"),
+				},
+			},
+		})
+	})
+
+	t.Run("creates_push_ruleset", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		rulesetName := fmt.Sprintf("%stest-push-%s", testResourcePrefix, randomID)
+		resourceName := "test-push-ruleset"
+		resourceFullName := fmt.Sprintf("github_organization_ruleset.%s", resourceName)
+		config := fmt.Sprintf(`
+			resource "github_organization_ruleset" "%s" {
+				name        = "%s"
+				target      = "push"
+				enforcement = "active"
+
+				conditions {
+					repository_name {
+						include = ["~ALL"]
+						exclude = []
+					}
+				}
+
+				rules {
+					# Push rulesets only support push-specific rules:
+					# file_path_restriction, max_file_path_length, file_extension_restriction, max_file_size
+					max_file_size {
+						max_file_size = 100
+					}
+				}
+			}
+		`, resourceName, rulesetName)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnlessHasPaidOrgs(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: config,
+					Check: resource.ComposeTestCheckFunc(
+						resource.TestCheckResourceAttr(resourceFullName, "name", rulesetName),
+						resource.TestCheckResourceAttr(resourceFullName, "target", "push"),
+						resource.TestCheckResourceAttr(resourceFullName, "enforcement", "active"),
+						resource.TestCheckResourceAttr(resourceFullName, "rules.0.max_file_size.0.max_file_size", "100"),
+					),
+				},
+			},
+		})
+	})
+
+	t.Run("validates_rules__required_status_checks_block", func(t *testing.T) {
+		t.Run("required_check__context_block_should_not_be_empty", func(t *testing.T) {
+			resourceName := "test-required-status-checks-context-is-not-empty"
+			randomID := acctest.RandString(5)
+			config := fmt.Sprintf(`
+			resource "github_organization_ruleset" "%s" {
+				name        = "test-context-is-not-empty-%s"
+				target      = "branch"
+				enforcement = "active"
+
+				conditions {
+					ref_name {
+						include = ["~ALL"]
+						exclude = []
+					}
+					repository_name {
+						include = ["~ALL"]
+						exclude = []
+					}
+				}
+
+				rules {
+					required_status_checks {
+						required_check {
+							context = ""
+						}
+					}
+				}
+			}
+		`, resourceName, randomID)
+
+			resource.Test(t, resource.TestCase{
+				PreCheck:          func() { skipUnlessHasPaidOrgs(t) },
+				ProviderFactories: providerFactories,
+				Steps: []resource.TestStep{
+					{
+						Config:      config,
+						ExpectError: regexp.MustCompile("expected \"context\" to not be an empty string"),
+					},
+				},
+			})
+		})
+		t.Run("required_check_should_be_required_when_strict_required_status_checks_policy_is_set", func(t *testing.T) {
+			resourceName := "test-required-check-is-required"
+			randomID := acctest.RandString(5)
+			config := fmt.Sprintf(`
+			resource "github_organization_ruleset" "%s" {
+				name        = "test-required-with-%s"
+				target      = "branch"
+				enforcement = "active"
+
+				conditions {
+					ref_name {
+						include = ["~ALL"]
+						exclude = []
+					}
+					repository_name {
+						include = ["~ALL"]
+						exclude = []
+					}
+				}
+
+				rules {
+					required_status_checks {
+						strict_required_status_checks_policy = true
+					}
+				}
+			}
+		`, resourceName, randomID)
+
+			resource.Test(t, resource.TestCase{
+				PreCheck:          func() { skipUnlessHasPaidOrgs(t) },
+				ProviderFactories: providerFactories,
+				Steps: []resource.TestStep{
+					{
+						Config:      config,
+						ExpectError: regexp.MustCompile("Insufficient required_check blocks"),
+					},
+				},
+			})
+		})
+	})
 }
 
 func TestOrganizationPushRulesetSupport(t *testing.T) {
@@ -578,7 +888,7 @@ func TestOrganizationPushRulesetSupport(t *testing.T) {
 	}
 
 	// Test flatten functionality (organization rulesets use org=true)
-	flattenedResult := flattenRules(expandedRules, true)
+	flattenedResult := flattenRules(t.Context(), expandedRules, true)
 
 	if len(flattenedResult) != 1 {
 		t.Fatalf("Expected 1 flattened result, got %d", len(flattenedResult))