refactor: move pull_request_creation_policy to a dedicated resource

RoFz · RoFz · commit efeb9d41169f · 2026-04-21T19:49:48.000+01:00
- refactor: extract pull_request_creation_policy into github_repository_pull_request_creation_policy resource
- refactor: revert pull_request_creation_policy field and GraphQL calls from github_repository
- refactor: remove isUnsupportedPullRequestCreationPolicyError; dedicated resource fails loudly on missing API field
- feat: add github_repository_pull_request_creation_policy resource with GraphQL CRUD and import
- test: add acceptance tests for github_repository_pull_request_creation_policy
- docs: add documentation for github_repository_pull_request_creation_policy
diff --git a/github/provider.go b/github/provider.go
@@ -200,6 +200,7 @@ func Provider() *schema.Provider {
 			"github_repository_milestone":                                           resourceGithubRepositoryMilestone(),
 			"github_repository_project":                                             resourceGithubRepositoryProject(),
 			"github_repository_pull_request":                                        resourceGithubRepositoryPullRequest(),
+			"github_repository_pull_request_creation_policy":                        resourceGithubRepositoryPullRequestCreationPolicy(),
 			"github_repository_ruleset":                                             resourceGithubRepositoryRuleset(),
 			"github_repository_topics":                                              resourceGithubRepositoryTopics(),
 			"github_repository_webhook":                                             resourceGithubRepositoryWebhook(),
diff --git a/github/resource_github_repository.go b/github/resource_github_repository.go
@@ -284,13 +284,6 @@ func resourceGithubRepository() *schema.Resource {
 				Default:     false,
 				Description: "Automatically delete head branch after a pull request is merged. Defaults to 'false'.",
 			},
-			"pull_request_creation_policy": {
-				Type:             schema.TypeString,
-				Optional:         true,
-				Computed:         true,
-				ValidateDiagFunc: validation.ToDiagFunc(validation.StringInSlice([]string{"all", "collaborators_only"}, false)),
-				Description:      "Controls who can create pull requests in the repository. Can be `all` or `collaborators_only`.",
-			},
 			"web_commit_signoff_required": {
 				Type:        schema.TypeBool,
 				Optional:    true,
@@ -877,19 +870,6 @@ func resourceGithubRepositoryRead(ctx context.Context, d *schema.ResourceData, m
 		}
 	}
 
-	pullRequestCreationPolicy, err := getRepositoryPullRequestCreationPolicy(ctx, owner, repoName, meta)
-	if err != nil {
-		if isUnsupportedPullRequestCreationPolicyError(err) {
-			log.Printf("[DEBUG] Skipping pull_request_creation_policy read for %s/%s: %s", owner, repoName, err)
-		} else {
-			return diag.Errorf("error reading repository pull request creation policy: %s", err.Error())
-		}
-	} else {
-		if err = d.Set("pull_request_creation_policy", pullRequestCreationPolicy); err != nil {
-			return diag.FromErr(err)
-		}
-	}
-
 	// Set fork information if this is a fork
 	if repo.GetFork() {
 		_ = d.Set("fork", "true")
@@ -1015,19 +995,6 @@ func resourceGithubRepositoryUpdate(ctx context.Context, d *schema.ResourceData,
 		}
 	}
 
-	if d.IsNewResource() || d.HasChange("pull_request_creation_policy") {
-		if v, ok := d.GetOk("pull_request_creation_policy"); ok {
-			repositoryID, err := getRepositoryID(repo.GetName(), meta)
-			if err != nil {
-				return diag.Errorf("error resolving repository id for pull request creation policy update: %s", err.Error())
-			}
-
-			if err := updateRepositoryPullRequestCreationPolicy(ctx, repositoryID, v.(string), meta); err != nil {
-				return diag.Errorf("error updating repository pull request creation policy: %s", err.Error())
-			}
-		}
-	}
-
 	if d.IsNewResource() || d.HasChange("vulnerability_alerts") {
 		if v, ok := d.GetOkExists("vulnerability_alerts"); ok { //nolint:staticcheck // SA1019 // We sometimes need to use GetOkExists for booleans
 			if val, ok := v.(bool); ok {
diff --git a/github/resource_github_repository_pull_request_creation_policy.go b/github/resource_github_repository_pull_request_creation_policy.go
@@ -0,0 +1,120 @@
+package github
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+)
+
+func resourceGithubRepositoryPullRequestCreationPolicy() *schema.Resource {
+	return &schema.Resource{
+		Description:   "Manages the pull request creation policy for a repository.",
+		CreateContext: resourceGithubRepositoryPullRequestCreationPolicyCreate,
+		ReadContext:   resourceGithubRepositoryPullRequestCreationPolicyRead,
+		UpdateContext: resourceGithubRepositoryPullRequestCreationPolicyUpdate,
+		DeleteContext: resourceGithubRepositoryPullRequestCreationPolicyDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: resourceGithubRepositoryPullRequestCreationPolicyImport,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"repository": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "The name of the GitHub repository.",
+			},
+			"policy": {
+				Type:             schema.TypeString,
+				Required:         true,
+				Description:      "Controls who can create pull requests for the repository. Can be `all` or `collaborators_only`.",
+				ValidateDiagFunc: validation.ToDiagFunc(validation.StringInSlice([]string{"all", "collaborators_only"}, false)),
+			},
+		},
+	}
+}
+
+func resourceGithubRepositoryPullRequestCreationPolicyCreate(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	repoName := d.Get("repository").(string)
+	policy := d.Get("policy").(string)
+
+	nodeID, err := getRepositoryID(repoName, meta)
+	if err != nil {
+		return diag.Errorf("error resolving repository node ID for %s: %s", repoName, err)
+	}
+
+	if err := updateRepositoryPullRequestCreationPolicy(ctx, nodeID, policy, meta); err != nil {
+		return diag.Errorf("error setting pull request creation policy for %s: %s", repoName, err)
+	}
+
+	d.SetId(repoName)
+	return resourceGithubRepositoryPullRequestCreationPolicyRead(ctx, d, meta)
+}
+
+func resourceGithubRepositoryPullRequestCreationPolicyRead(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	owner := meta.(*Owner).name
+	repoName := d.Id()
+
+	policy, err := getRepositoryPullRequestCreationPolicy(ctx, owner, repoName, meta)
+	if err != nil {
+		return diag.Errorf("error reading pull request creation policy for %s/%s: %s", owner, repoName, err)
+	}
+
+	if err := d.Set("policy", policy); err != nil {
+		return diag.FromErr(err)
+	}
+	if err := d.Set("repository", repoName); err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}
+
+func resourceGithubRepositoryPullRequestCreationPolicyUpdate(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	repoName := d.Id()
+	policy := d.Get("policy").(string)
+
+	nodeID, err := getRepositoryID(repoName, meta)
+	if err != nil {
+		return diag.Errorf("error resolving repository node ID for %s: %s", repoName, err)
+	}
+
+	if err := updateRepositoryPullRequestCreationPolicy(ctx, nodeID, policy, meta); err != nil {
+		return diag.Errorf("error updating pull request creation policy for %s: %s", repoName, err)
+	}
+
+	return resourceGithubRepositoryPullRequestCreationPolicyRead(ctx, d, meta)
+}
+
+func resourceGithubRepositoryPullRequestCreationPolicyDelete(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	repoName := d.Id()
+
+	nodeID, err := getRepositoryID(repoName, meta)
+	if err != nil {
+		return diag.Errorf("error resolving repository node ID for %s: %s", repoName, err)
+	}
+
+	if err := updateRepositoryPullRequestCreationPolicy(ctx, nodeID, "all", meta); err != nil {
+		return diag.Errorf("error resetting pull request creation policy for %s: %s", repoName, err)
+	}
+
+	return nil
+}
+
+func resourceGithubRepositoryPullRequestCreationPolicyImport(ctx context.Context, d *schema.ResourceData, meta any) ([]*schema.ResourceData, error) {
+	repoName := d.Id()
+
+	if err := d.Set("repository", repoName); err != nil {
+		return nil, err
+	}
+
+	diags := resourceGithubRepositoryPullRequestCreationPolicyRead(ctx, d, meta)
+	if diags.HasError() {
+		return nil, fmt.Errorf("%s", diags[0].Summary)
+	}
+
+	return []*schema.ResourceData{d}, nil
+}
diff --git a/github/resource_github_repository_pull_request_creation_policy_test.go b/github/resource_github_repository_pull_request_creation_policy_test.go
@@ -0,0 +1,100 @@
+package github
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+)
+
+func TestAccGithubRepositoryPullRequestCreationPolicy(t *testing.T) {
+	t.Run("sets policy without error", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		repoName := fmt.Sprintf("%srepo-pr-policy-%s", testResourcePrefix, randomID)
+		initial := `policy = "collaborators_only"`
+		updated := `policy = "all"`
+
+		config := fmt.Sprintf(`
+			resource "github_repository" "test" {
+				name       = "%s"
+				visibility = "private"
+				auto_init  = true
+			}
+
+			resource "github_repository_pull_request_creation_policy" "test" {
+				repository = github_repository.test.name
+				%%s
+			}
+		`, repoName)
+
+		checks := map[string]resource.TestCheckFunc{
+			"before": resource.ComposeTestCheckFunc(
+				resource.TestCheckResourceAttr(
+					"github_repository_pull_request_creation_policy.test", "policy",
+					"collaborators_only",
+				),
+			),
+			"after": resource.ComposeTestCheckFunc(
+				resource.TestCheckResourceAttr(
+					"github_repository_pull_request_creation_policy.test", "policy",
+					"all",
+				),
+			),
+		}
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnauthenticated(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: fmt.Sprintf(config, initial),
+					Check:  checks["before"],
+				},
+				{
+					Config: fmt.Sprintf(config, updated),
+					Check:  checks["after"],
+				},
+			},
+		})
+	})
+
+	t.Run("imports without error", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		repoName := fmt.Sprintf("%srepo-pr-policy-%s", testResourcePrefix, randomID)
+
+		config := fmt.Sprintf(`
+			resource "github_repository" "test" {
+				name       = "%s"
+				visibility = "private"
+				auto_init  = true
+			}
+
+			resource "github_repository_pull_request_creation_policy" "test" {
+				repository = github_repository.test.name
+				policy     = "collaborators_only"
+			}
+		`, repoName)
+
+		check := resource.ComposeTestCheckFunc(
+			resource.TestCheckResourceAttrSet("github_repository_pull_request_creation_policy.test", "repository"),
+			resource.TestCheckResourceAttr("github_repository_pull_request_creation_policy.test", "policy", "collaborators_only"),
+		)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnauthenticated(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: config,
+					Check:  check,
+				},
+				{
+					ResourceName:      "github_repository_pull_request_creation_policy.test",
+					ImportState:       true,
+					ImportStateVerify: true,
+				},
+			},
+		})
+	})
+}
diff --git a/github/resource_github_repository_test.go b/github/resource_github_repository_test.go
@@ -1334,43 +1334,6 @@ resource "github_repository" "test" {
 		})
 	})
 
-	t.Run("check_pull_request_creation_policy", func(t *testing.T) {
-		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
-		testRepoName := fmt.Sprintf("%spr-policy-%s", testResourcePrefix, randomID)
-		config := `
-			resource "github_repository" "test" {
-				name                         = "%s"
-				visibility                   = "%s"
-				pull_request_creation_policy = "%s"
-			}
-		`
-
-		resource.Test(t, resource.TestCase{
-			PreCheck:          func() { skipUnauthenticated(t) },
-			ProviderFactories: providerFactories,
-			Steps: []resource.TestStep{
-				{
-					Config: fmt.Sprintf(config, testRepoName, testAccConf.testRepositoryVisibility, "collaborators_only"),
-					Check: resource.ComposeTestCheckFunc(
-						resource.TestCheckResourceAttr("github_repository.test", "pull_request_creation_policy", "collaborators_only"),
-					),
-				},
-				{
-					Config: fmt.Sprintf(config, testRepoName, testAccConf.testRepositoryVisibility, "all"),
-					Check: resource.ComposeTestCheckFunc(
-						resource.TestCheckResourceAttr("github_repository.test", "pull_request_creation_policy", "all"),
-					),
-				},
-				{
-					ResourceName:            "github_repository.test",
-					ImportState:             true,
-					ImportStateVerify:       true,
-					ImportStateVerifyIgnore: []string{"auto_init", "vulnerability_alerts", "ignore_vulnerability_alerts_during_read"},
-				},
-			},
-		})
-	})
-
 	t.Run("check_web_commit_signoff_required_organization_enabled_but_not_set", func(t *testing.T) {
 		t.Skip("This test should be run manually after confirming that the test organization has 'Require contributors to sign off on web-based commits' enabled under Organizations -> Settings -> Repository -> Repository defaults.")
 
diff --git a/github/util_v4_repository.go b/github/util_v4_repository.go
@@ -5,7 +5,6 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
-	"strings"
 
 	"github.com/shurcooL/githubv4"
 )
@@ -110,21 +109,6 @@ func expandPullRequestCreationPolicy(policy string) (PullRequestCreationPolicy,
 	}
 }
 
-func isUnsupportedPullRequestCreationPolicyError(err error) bool {
-	if err == nil {
-		return false
-	}
-
-	message := strings.ToLower(err.Error())
-
-	return strings.Contains(message, "pullrequestcreationpolicy") &&
-		(strings.Contains(message, "doesn't exist") ||
-			strings.Contains(message, "does not exist") ||
-			strings.Contains(message, "undefined field") ||
-			strings.Contains(message, "unknown argument") ||
-			strings.Contains(message, "cannot query field"))
-}
-
 func getRepositoryPullRequestCreationPolicy(ctx context.Context, owner, name string, meta any) (string, error) {
 	var query struct {
 		Repository struct {
diff --git a/github/util_v4_repository_test.go b/github/util_v4_repository_test.go
diff --git a/website/docs/r/repository.html.markdown b/website/docs/r/repository.html.markdown
diff --git a/website/docs/r/repository_pull_request_creation_policy.html.markdown b/website/docs/r/repository_pull_request_creation_policy.html.markdown
