Add most Premium features for gitlab_branch_protection (#556)

* Rebase and update go.mod

Signed-off-by: Sune Keller <[email protected]>

* Add most Premium features for gitlab_branch_protection

Signed-off-by: Sune Keller <[email protected]>

* Re-work modified schema for gitlab_branch_protection, and update docs

Signed-off-by: Sune Keller <[email protected]>

* Accommodate to name changes from library maintainer

Signed-off-by: Sune Keller <[email protected]>

* Remove invalid check for CE

Signed-off-by: Sune Keller <[email protected]>

* Revert back how merge_access_level and push_access_level are created

Signed-off-by: Sune Keller <[email protected]>

* Simplify expansion of arguments

Signed-off-by: Sune Keller <[email protected]>

* Remove several obsolete functions and make acceptance tests independent of implementation functions

Signed-off-by: Sune Keller <[email protected]>

Author: sirlatrom

docs/resources/branch_protection.md

@@ -1,15 +1,30 @@
-# gitlab\_branch_protection
+# gitlab\_branch\_protection
 
-This resource allows you to protect a specific branch by an access level so that the user with less access level cannot Merge/Push to the branch. GitLab EE features to protect by group or user are not supported.
+This resource allows you to protect a specific branch by an access level so that the user with less access level cannot Merge/Push to the branch.
+
+-> The `allowed_to_push`, `allowed_to_merge` and `code_owner_approval_required` arguments require a GitLab Premium account or above.
 
 ## Example Usage
 
 ```hcl
 resource "gitlab_branch_protection" "BranchProtect" {
-  project = "12345"
-  branch = "BranchProtected"
-  push_access_level = "developer"
-  merge_access_level = "developer"
+  project                      = "12345"
+  branch                       = "BranchProtected"
+  push_access_level            = "developer"
+  merge_access_level           = "developer"
+  code_owner_approval_required = true
+  allowed_to_push {
+    user_id = 5
+  }
+  allowed_to_push {
+    user_id = 521
+  }
+  allowed_to_merge {
+    user_id = 15
+  }
+  allowed_to_merge {
+    user_id = 37
+  }
 }
 ```
 
@@ -21,8 +36,34 @@ The following arguments are supported:
 
 * `branch` - (Required) Name of the branch.
 
-* `push_access_level` - (Required) One of five levels of access to the project.
+* `push_access_level` - (Optional) One of five levels of access to the project. Valid values are: `no one`, `developer`, `maintainer`, `admin`.
+
+* `merge_access_level` - (Optional) One of five levels of access to the project. Valid values are: `no one`, `developer`, `maintainer`, `admin`.
 
-* `merge_access_level` - (Required) One of five levels of access to the project.
+* `allowed_to_push`, `allowed_to_merge` - (Optional) One or more `allowed_to_push`, `allowed_to_merge` blocks as defined below. 
 
 * `code_owner_approval_required` (Optional) Bool, defaults to false. Can be set to true to require code owner approval before merging.
+
+---
+
+An `allowed_to_push` or `allowed_to_merge` block supports the following arguments:
+
+* `user_id` - (Required) The ID of a GitLab user allowed to perform the relevant action. Mutually exclusive with `group_id`.
+
+* `group_id` - (Required) The ID of a GitLab group allowed to perform the relevant action. Mutually exclusive with `user_id`.
+
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* The `allowed_to_push` and `allowed_to_merge` blocks export the `access_level_description` field, which contains a textual description of the access level, user or group allowed to perform the relevant action.
+
+## Import
+
+GitLab project freeze periods can be imported using an id made up of `project_id:branch`, e.g.
+
+
+```
+$ terraform import gitlab_branch_protection.BranchProtect "12345:main"
+```

gitlab/resource_gitlab_branch_protection.go

@@ -1,14 +1,37 @@
 package gitlab
 
 import (
-	"errors"
 	"fmt"
 	"log"
+	"net/http"
 
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 	gitlab "github.com/xanzy/go-gitlab"
 )
 
+var (
+	allowedToElem = &schema.Resource{
+		Schema: map[string]*schema.Schema{
+			"access_level": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"access_level_description": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"user_id": {
+				Type:     schema.TypeInt,
+				Optional: true,
+			},
+			"group_id": {
+				Type:     schema.TypeInt,
+				Optional: true,
+			},
+		},
+	}
+)
+
 func resourceGitlabBranchProtection() *schema.Resource {
 	acceptedAccessLevels := make([]string, 0, len(accessLevelID))
 
@@ -20,6 +43,9 @@ func resourceGitlabBranchProtection() *schema.Resource {
 		Read:   resourceGitlabBranchProtectionRead,
 		Update: resourceGitlabBranchProtectionUpdate,
 		Delete: resourceGitlabBranchProtectionDelete,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
 		Schema: map[string]*schema.Schema{
 			"project": {
 				Type:     schema.TypeString,
@@ -43,6 +69,8 @@ func resourceGitlabBranchProtection() *schema.Resource {
 				Required:     true,
 				ForceNew:     true,
 			},
+			"allowed_to_push":  schemaAllowedTo(),
+			"allowed_to_merge": schemaAllowedTo(),
 			"code_owner_approval_required": {
 				Type:     schema.TypeBool,
 				Optional: true,
@@ -55,47 +83,46 @@ func resourceGitlabBranchProtection() *schema.Resource {
 func resourceGitlabBranchProtectionCreate(d *schema.ResourceData, meta interface{}) error {
 	client := meta.(*gitlab.Client)
 	project := d.Get("project").(string)
-	branch := gitlab.String(d.Get("branch").(string))
+	branch := d.Get("branch").(string)
+
+	log.Printf("[DEBUG] create gitlab branch protection on branch %q for project %s", branch, project)
+
+	if d.IsNewResource() {
+		existing, resp, err := client.ProtectedBranches.GetProtectedBranch(project, branch)
+		if err != nil && resp.StatusCode != http.StatusNotFound {
+			return fmt.Errorf("error looking up protected branch %q on project %q: %v", branch, project, err)
+		}
+		if resp.StatusCode != http.StatusNotFound {
+			return fmt.Errorf("protected branch %q on project %q already exists: %+v", branch, project, *existing)
+		}
+	}
+
 	mergeAccessLevel := accessLevelID[d.Get("merge_access_level").(string)]
 	pushAccessLevel := accessLevelID[d.Get("push_access_level").(string)]
 	codeOwnerApprovalRequired := d.Get("code_owner_approval_required").(bool)
 
-	options := &gitlab.ProtectRepositoryBranchesOptions{
-		Name:                      branch,
-		MergeAccessLevel:          &mergeAccessLevel,
+	allowedToPush := expandBranchPermissionOptions(d.Get("allowed_to_push").(*schema.Set).List())
+	allowedToMerge := expandBranchPermissionOptions(d.Get("allowed_to_merge").(*schema.Set).List())
+
+	pb, _, err := client.ProtectedBranches.ProtectRepositoryBranches(project, &gitlab.ProtectRepositoryBranchesOptions{
+		Name:                      &branch,
 		PushAccessLevel:           &pushAccessLevel,
+		MergeAccessLevel:          &mergeAccessLevel,
+		AllowedToPush:             allowedToPush,
+		AllowedToMerge:            allowedToMerge,
 		CodeOwnerApprovalRequired: &codeOwnerApprovalRequired,
-	}
-
-	log.Printf("[DEBUG] create gitlab branch protection on %v for project %s", options.Name, project)
-
-	bp, _, err := client.ProtectedBranches.ProtectRepositoryBranches(project, options)
+	})
 	if err != nil {
-		// Remove existing branch protection
-		_, err = client.ProtectedBranches.UnprotectRepositoryBranches(project, *branch)
-		if err != nil {
-			return err
-		}
-		// Reprotect branch with updated values
-		bp, _, err = client.ProtectedBranches.ProtectRepositoryBranches(project, options)
-		if err != nil {
-			return err
-		}
+		return fmt.Errorf("error protecting branch %q on project %q: %v", branch, project, err)
 	}
 
-	d.SetId(buildTwoPartID(&project, &bp.Name))
-
-	if err := resourceGitlabBranchProtectionRead(d, meta); err != nil {
-		return err
+	if !pb.CodeOwnerApprovalRequired && codeOwnerApprovalRequired {
+		return fmt.Errorf("feature unavailable: code owner approvals")
 	}
 
-	// If the GitLab tier does not support the code owner approval feature, the resulting plan will be inconsistent.
-	// We return an error because otherwise Terraform would report this inconsistency as a "bug in the provider" to the user.
-	if codeOwnerApprovalRequired && !d.Get("code_owner_approval_required").(bool) {
-		return errors.New("feature unavailable: code owner approvals")
-	}
+	d.SetId(buildTwoPartID(&project, &pb.Name))
 
-	return nil
+	return resourceGitlabBranchProtectionRead(d, meta)
 }
 
 func resourceGitlabBranchProtectionRead(d *schema.ResourceData, meta interface{}) error {
@@ -107,6 +134,7 @@ func resourceGitlabBranchProtectionRead(d *schema.ResourceData, meta interface{}
 
 	log.Printf("[DEBUG] read gitlab branch protection for project %s, branch %s", project, branch)
 
+	// Get protected branch by project ID/path and branch name
 	pb, _, err := client.ProtectedBranches.GetProtectedBranch(project, branch)
 	if err != nil {
 		log.Printf("[DEBUG] failed to read gitlab branch protection for project %s, branch %s: %s", project, branch, err)
@@ -116,9 +144,31 @@ func resourceGitlabBranchProtectionRead(d *schema.ResourceData, meta interface{}
 
 	d.Set("project", project)
 	d.Set("branch", pb.Name)
-	d.Set("merge_access_level", accessLevel[pb.MergeAccessLevels[0].AccessLevel])
-	d.Set("push_access_level", accessLevel[pb.PushAccessLevels[0].AccessLevel])
-	d.Set("code_owner_approval_required", pb.CodeOwnerApprovalRequired)
+
+	pushAccessLevels := convertAllowedAccessLevelsToBranchAccessDescriptions(pb.PushAccessLevels)
+	if len(pushAccessLevels) > 0 {
+		if err := d.Set("push_access_level", pushAccessLevels[0].AccessLevel); err != nil {
+			return fmt.Errorf("error setting push_access_level: %v", err)
+		}
+	}
+
+	mergeAccessLevels := convertAllowedAccessLevelsToBranchAccessDescriptions(pb.MergeAccessLevels)
+	if len(mergeAccessLevels) > 0 {
+		if err := d.Set("merge_access_level", mergeAccessLevels[0].AccessLevel); err != nil {
+			return fmt.Errorf("error setting merge_access_level: %v", err)
+		}
+	}
+
+	if err := d.Set("allowed_to_push", convertAllowedToToBranchAccessDescriptions(pb.PushAccessLevels)); err != nil {
+		return fmt.Errorf("error setting allowed_to_push: %v", err)
+	}
+	if err := d.Set("allowed_to_merge", convertAllowedToToBranchAccessDescriptions(pb.MergeAccessLevels)); err != nil {
+		return fmt.Errorf("error setting allowed_to_merge: %v", err)
+	}
+
+	if err := d.Set("code_owner_approval_required", pb.CodeOwnerApprovalRequired); err != nil {
+		return fmt.Errorf("error setting code_owner_approval_required: %v", err)
+	}
 
 	d.SetId(buildTwoPartID(&project, &pb.Name))
 
@@ -172,3 +222,68 @@ func projectAndBranchFromID(id string) (string, string, error) {
 	}
 	return project, branch, err
 }
+
+func expandBranchPermissionOptions(allowedTo []interface{}) []*gitlab.BranchPermissionOptions {
+	result := make([]*gitlab.BranchPermissionOptions, 0)
+	for _, v := range allowedTo {
+		opt := &gitlab.BranchPermissionOptions{}
+		if userID, ok := v.(map[string]interface{})["user_id"]; ok && userID != 0 {
+			opt.UserID = gitlab.Int(userID.(int))
+		}
+		if groupID, ok := v.(map[string]interface{})["group_id"]; ok && groupID != 0 {
+			opt.GroupID = gitlab.Int(groupID.(int))
+		}
+		result = append(result, opt)
+	}
+	return result
+}
+
+func schemaAllowedTo() *schema.Schema {
+	return &schema.Schema{
+		Type:     schema.TypeSet,
+		Optional: true,
+		ForceNew: true,
+		Elem:     allowedToElem,
+	}
+}
+
+type stateBranchAccessDescription struct {
+	AccessLevel            string `mapstructure:"access_level"`
+	AccessLevelDescription string `mapstructure:"access_level_description"`
+	GroupID                int    `mapstructure:"group_id,omitempty"`
+	UserID                 int    `mapstructure:"user_id,omitempty"`
+}
+
+func convertAllowedAccessLevelsToBranchAccessDescriptions(descriptions []*gitlab.BranchAccessDescription) []stateBranchAccessDescription {
+	result := make([]stateBranchAccessDescription, 0)
+
+	for _, description := range descriptions {
+		if description.UserID != 0 || description.GroupID != 0 {
+			continue
+		}
+		result = append(result, stateBranchAccessDescription{
+			AccessLevel:            accessLevel[description.AccessLevel],
+			AccessLevelDescription: description.AccessLevelDescription,
+		})
+	}
+
+	return result
+}
+
+func convertAllowedToToBranchAccessDescriptions(descriptions []*gitlab.BranchAccessDescription) []stateBranchAccessDescription {
+	result := make([]stateBranchAccessDescription, 0)
+
+	for _, description := range descriptions {
+		if description.UserID == 0 && description.GroupID == 0 {
+			continue
+		}
+		result = append(result, stateBranchAccessDescription{
+			AccessLevel:            accessLevel[description.AccessLevel],
+			AccessLevelDescription: description.AccessLevelDescription,
+			UserID:                 description.UserID,
+			GroupID:                description.GroupID,
+		})
+	}
+
+	return result
+}