Replace custom validation with built-in ExactlyOneOf for repo targeting

Add ExactlyOneOf/AtLeastOneOf to repository_property, repository_name,repository_id fields.
Remove manual validation counting in util_ruleset_validation.Add 3 validation tests for single/multiple/missing repo targeting options.
Addresses PR #2356 review feedback - simplifies validation using schema constraints.

Author: Moser-ss

github/resource_github_organization_ruleset.go

@@ -124,10 +124,12 @@ func resourceGithubOrganizationRuleset() *schema.Resource {
 							},
 						},
 						"repository_property": {
-							Type:        schema.TypeList,
-							Optional:    true,
-							MaxItems:    1,
-							Description: "Conditions to target repositories by custom or system properties.",
+							Type:         schema.TypeList,
+							Optional:     true,
+							MaxItems:     1,
+							ExactlyOneOf: []string{"conditions.0.repository_property", "conditions.0.repository_name", "conditions.0.repository_id"},
+							AtLeastOneOf: []string{"conditions.0.repository_property", "conditions.0.repository_name", "conditions.0.repository_id"},
+							Description:  "Conditions to target repositories by custom or system properties.",
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
 									"include": {
@@ -154,7 +156,7 @@ func resourceGithubOrganizationRuleset() *schema.Resource {
 													Optional:     true,
 													Description:  "The source of the repository property. Defaults to 'custom' if not specified. Can be one of: custom, system",
 													Default:      "custom",
-													ValidateFunc: validation.StringInSlice([]string{"custom", "system"}, false),
+													ValidateDiagFunc: validation.ToDiagFunc(validation.StringInSlice([]string{"custom", "system"}, false)),
 												},
 											},
 										},
@@ -183,7 +185,7 @@ func resourceGithubOrganizationRuleset() *schema.Resource {
 													Optional:     true,
 													Description:  "The source of the repository property. Defaults to 'custom' if not specified. Can be one of: custom, system",
 													Default:      "custom",
-													ValidateFunc: validation.StringInSlice([]string{"custom", "system"}, false),
+													ValidateDiagFunc: validation.ToDiagFunc(validation.StringInSlice([]string{"custom", "system"}, false)),
 												},
 											},
 										},
@@ -192,10 +194,12 @@ func resourceGithubOrganizationRuleset() *schema.Resource {
 							},
 						},
 						"repository_name": {
-							Type:        schema.TypeList,
-							Optional:    true,
-							MaxItems:    1,
-							Description: "Targets repositories that match the specified name patterns.",
+							Type:         schema.TypeList,
+							Optional:     true,
+							MaxItems:     1,
+							ExactlyOneOf: []string{"conditions.0.repository_property", "conditions.0.repository_name", "conditions.0.repository_id"},
+							AtLeastOneOf: []string{"conditions.0.repository_property", "conditions.0.repository_name", "conditions.0.repository_id"},
+							Description:  "Targets repositories that match the specified name patterns.",
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
 									"include": {
@@ -224,9 +228,11 @@ func resourceGithubOrganizationRuleset() *schema.Resource {
 							},
 						},
 						"repository_id": {
-							Type:        schema.TypeList,
-							Optional:    true,
-							Description: "The repository IDs that the ruleset applies to. One of these IDs must match for the condition to pass.",
+							Type:         schema.TypeList,
+							Optional:     true,
+							ExactlyOneOf: []string{"conditions.0.repository_property", "conditions.0.repository_name", "conditions.0.repository_id"},
+							AtLeastOneOf: []string{"conditions.0.repository_property", "conditions.0.repository_name", "conditions.0.repository_id"},
+							Description:  "The repository IDs that the ruleset applies to. One of these IDs must match for the condition to pass.",
 							Elem: &schema.Schema{
 								Type: schema.TypeInt,
 							},

github/resource_github_organization_ruleset_test.go

@@ -738,6 +738,120 @@ resource "github_organization_ruleset" "test" {
 		})
 	})
 
+	t.Run("validates_conditions_require_exactly_one_repository_targeting", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		resourceName := "test-multiple-repo-targeting"
+		config := fmt.Sprintf(`
+			resource "github_organization_ruleset" "%s" {
+				name        = "test-multiple-targeting-%s"
+				target      = "branch"
+				enforcement = "active"
+
+				conditions {
+					ref_name {
+						include = ["~ALL"]
+						exclude = []
+					}
+					repository_name {
+						include = ["~ALL"]
+						exclude = []
+					}
+					repository_id = [123]
+				}
+
+				rules {
+					creation = true
+				}
+			}
+		`, resourceName, randomID)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnlessHasPaidOrgs(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config:      config,
+					ExpectError: regexp.MustCompile("only one of `conditions.0.repository_id,conditions.0.repository_name,conditions.0.repository_property` can be specified"),
+				},
+			},
+		})
+	})
+
+	t.Run("validates_conditions_require_at_least_one_repository_targeting", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		resourceName := "test-no-repo-targeting"
+		config := fmt.Sprintf(`
+			resource "github_organization_ruleset" "%s" {
+				name        = "test-no-targeting-%s"
+				target      = "branch"
+				enforcement = "active"
+
+				conditions {
+					ref_name {
+						include = ["~ALL"]
+						exclude = []
+					}
+				}
+
+				rules {
+					creation = true
+				}
+			}
+		`, resourceName, randomID)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnlessHasPaidOrgs(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config:      config,
+					ExpectError: regexp.MustCompile("one of `conditions.0.repository_id,conditions.0.repository_name,conditions.0.repository_property` must be specified"),
+				},
+			},
+		})
+	})
+
+	t.Run("validates_repository_property_works_as_single_targeting_option", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		resourceName := "test-repo-property-targeting"
+		config := fmt.Sprintf(`
+			resource "github_organization_ruleset" "%s" {
+				name        = "test-property-targeting-%s"
+				target      = "branch"
+				enforcement = "active"
+
+				conditions {
+					ref_name {
+						include = ["~ALL"]
+						exclude = []
+					}
+					repository_property {
+						include {
+							name            = "environment"
+							property_values = ["production"]
+							source          = "custom"
+						}
+					}
+				}
+
+				rules {
+					creation = true
+				}
+			}
+		`, resourceName, randomID)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnlessHasPaidOrgs(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config:      config,
+					ExpectError: nil, // This should succeed
+				},
+			},
+		})
+	})
+
 	t.Run("creates_push_ruleset", func(t *testing.T) {
 		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 		rulesetName := fmt.Sprintf("%stest-push-%s", testResourcePrefix, randomID)

github/util_ruleset_validation.go

@@ -172,27 +172,8 @@ func validateConditionsFieldForBranchAndTagTargets(ctx context.Context, target g
 	}
 
 	// Repository rulesets don't have repository_name, repository_id, or repository_property - only org rulesets do.
-	if isOrg {
-		hasRepoName := conditions["repository_name"] != nil && len(conditions["repository_name"].([]any)) > 0
-		hasRepoId := conditions["repository_id"] != nil && len(conditions["repository_id"].([]any)) > 0
-		hasRepoProp := conditions["repository_property"] != nil && len(conditions["repository_property"].([]any)) > 0
-
-		repoTargetingCount := 0
-		if hasRepoName {
-			repoTargetingCount++
-		}
-		if hasRepoId {
-			repoTargetingCount++
-		}
-		if hasRepoProp {
-			repoTargetingCount++
-		}
-
-		if repoTargetingCount != 1 {
-			tflog.Debug(ctx, fmt.Sprintf("Invalid repository targeting for %s target", target), map[string]any{"target": target})
-			return fmt.Errorf("exactly one of repository_name, repository_id, or repository_property must be set for %s target", target)
-		}
-	}
+	// Note: The built-in ExactlyOneOf/AtLeastOneOf schema validation already ensures exactly one
+	// repository targeting option is set, so no additional validation is needed here.
 	tflog.Debug(ctx, fmt.Sprintf("Conditions validation passed for %s target", target))
 	return nil
 }