Add branch protection support for allow_force_push

beekeep · beekeep · commit a073f3615100 · 2022-02-18T17:36:47.000-06:00
Issue 709 requested the `allow_force_push` option to be added to the branch protection resource.  These changes add that feature, along with the appropriate tests.  The API does not support updating the allow force push configuration, so any changes will force a new resource to be created.
diff --git a/docs/resources/branch_protection.md b/docs/resources/branch_protection.md
@@ -21,6 +21,7 @@ resource "gitlab_branch_protection" "BranchProtect" {
   branch                       = "BranchProtected"
   push_access_level            = "developer"
   merge_access_level           = "developer"
+  allow_force_push             = true
   code_owner_approval_required = true
   allowed_to_push {
     user_id = 5
@@ -64,6 +65,7 @@ resource "gitlab_branch_protection" "main" {
 
 ### Optional
 
+- **allow_force_push** (Boolean) Can be set to true to allow users with push access to force push.
 - **allowed_to_merge** (Block Set) Defines permissions for action. (see [below for nested schema](#nestedblock--allowed_to_merge))
 - **allowed_to_push** (Block Set) Defines permissions for action. (see [below for nested schema](#nestedblock--allowed_to_push))
 - **code_owner_approval_required** (Boolean) Can be set to true to require code owner approval before merging.
diff --git a/examples/resources/gitlab_branch_protection/resource.tf b/examples/resources/gitlab_branch_protection/resource.tf
@@ -3,6 +3,7 @@ resource "gitlab_branch_protection" "BranchProtect" {
   branch                       = "BranchProtected"
   push_access_level            = "developer"
   merge_access_level           = "developer"
+  allow_force_push             = true
   code_owner_approval_required = true
   allowed_to_push {
     user_id = 5
diff --git a/internal/provider/resource_gitlab_branch_protection.go b/internal/provider/resource_gitlab_branch_protection.go
@@ -78,6 +78,13 @@ var _ = registerResource("gitlab_branch_protection", func() *schema.Resource {
 				Required:         true,
 				ForceNew:         true,
 			},
+			"allow_force_push": {
+				Description: "Can be set to true to allow users with push access to force push.",
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     false,
+				ForceNew:    true,
+			},
 			"allowed_to_push":  schemaAllowedTo(),
 			"allowed_to_merge": schemaAllowedTo(),
 			"code_owner_approval_required": {
@@ -114,6 +121,7 @@ func resourceGitlabBranchProtectionCreate(ctx context.Context, d *schema.Resourc
 
 	mergeAccessLevel := accessLevelNameToValue[d.Get("merge_access_level").(string)]
 	pushAccessLevel := accessLevelNameToValue[d.Get("push_access_level").(string)]
+	allowForcePush := d.Get("allow_force_push").(bool)
 	codeOwnerApprovalRequired := d.Get("code_owner_approval_required").(bool)
 
 	allowedToPush := expandBranchPermissionOptions(d.Get("allowed_to_push").(*schema.Set).List())
@@ -123,6 +131,7 @@ func resourceGitlabBranchProtectionCreate(ctx context.Context, d *schema.Resourc
 		Name:                      &branch,
 		PushAccessLevel:           &pushAccessLevel,
 		MergeAccessLevel:          &mergeAccessLevel,
+		AllowForcePush:            &allowForcePush,
 		AllowedToPush:             &allowedToPush,
 		AllowedToMerge:            &allowedToMerge,
 		CodeOwnerApprovalRequired: &codeOwnerApprovalRequired,
@@ -174,6 +183,10 @@ func resourceGitlabBranchProtectionRead(ctx context.Context, d *schema.ResourceD
 		}
 	}
 
+	if err := d.Set("allow_force_push", pb.AllowForcePush); err != nil {
+		return diag.Errorf("error setting allow_force_push: %v", err)
+	}
+
 	// lintignore: R004 // TODO: Resolve this tfproviderlint issue
 	if err := d.Set("allowed_to_push", convertAllowedToToBranchAccessDescriptions(pb.PushAccessLevels)); err != nil {
 		return diag.Errorf("error setting allowed_to_push: %v", err)
diff --git a/internal/provider/resource_gitlab_branch_protection_test.go b/internal/provider/resource_gitlab_branch_protection_test.go
@@ -62,6 +62,33 @@ func TestAccGitlabBranchProtection_basic(t *testing.T) {
 					}),
 				),
 			},
+			// Update the Branch Protection with allow force push enabled
+			{
+				Config: testAccGitlabBranchProtectionUpdateConfigAllowForcePushTrue(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabBranchProtectionExists("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionPersistsInStateCorrectly("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionAttributes(&pb, &testAccGitlabBranchProtectionExpectedAttributes{
+						Name:             fmt.Sprintf("BranchProtect-%d", rInt),
+						PushAccessLevel:  accessLevelValueToName[gitlab.DeveloperPermissions],
+						MergeAccessLevel: accessLevelValueToName[gitlab.DeveloperPermissions],
+						AllowForcePush:   true,
+					}),
+				),
+			},
+			// Update the Branch Protection to get back to initial settings
+			{
+				Config: testAccGitlabBranchProtectionConfig(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabBranchProtectionExists("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionPersistsInStateCorrectly("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionAttributes(&pb, &testAccGitlabBranchProtectionExpectedAttributes{
+						Name:             fmt.Sprintf("BranchProtect-%d", rInt),
+						PushAccessLevel:  accessLevelValueToName[gitlab.DeveloperPermissions],
+						MergeAccessLevel: accessLevelValueToName[gitlab.DeveloperPermissions],
+					}),
+				),
+			},
 			// Update the the Branch Protection code owner approval setting
 			{
 				SkipFunc: isRunningInCE,
@@ -180,6 +207,59 @@ func TestAccGitlabBranchProtection_createWithCodeOwnerApproval(t *testing.T) {
 	})
 }
 
+func TestAccGitlabBranchProtection_createWithAllowForcePush(t *testing.T) {
+	var pb gitlab.ProtectedBranch
+	rInt := acctest.RandInt()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:          func() { testAccPreCheck(t) },
+		ProviderFactories: providerFactories,
+		CheckDestroy:      testAccCheckGitlabBranchProtectionDestroy,
+		Steps: []resource.TestStep{
+			// Start with allow force push disabled
+			{
+				Config: testAccGitlabBranchProtectionConfig(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabBranchProtectionExists("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionPersistsInStateCorrectly("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionAttributes(&pb, &testAccGitlabBranchProtectionExpectedAttributes{
+						Name:             fmt.Sprintf("BranchProtect-%d", rInt),
+						PushAccessLevel:  accessLevelValueToName[gitlab.DeveloperPermissions],
+						MergeAccessLevel: accessLevelValueToName[gitlab.DeveloperPermissions],
+					}),
+				),
+			},
+			// Create a project and Branch Protection with allow force push enabled
+			{
+				Config: testAccGitlabBranchProtectionUpdateConfigAllowForcePushTrue(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabBranchProtectionExists("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionPersistsInStateCorrectly("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionAttributes(&pb, &testAccGitlabBranchProtectionExpectedAttributes{
+						Name:             fmt.Sprintf("BranchProtect-%d", rInt),
+						PushAccessLevel:  accessLevelValueToName[gitlab.DeveloperPermissions],
+						MergeAccessLevel: accessLevelValueToName[gitlab.DeveloperPermissions],
+						AllowForcePush:   true,
+					}),
+				),
+			},
+			// Update the Branch Protection to get back to initial settings
+			{
+				Config: testAccGitlabBranchProtectionConfig(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabBranchProtectionExists("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionPersistsInStateCorrectly("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionAttributes(&pb, &testAccGitlabBranchProtectionExpectedAttributes{
+						Name:             fmt.Sprintf("BranchProtect-%d", rInt),
+						PushAccessLevel:  accessLevelValueToName[gitlab.DeveloperPermissions],
+						MergeAccessLevel: accessLevelValueToName[gitlab.DeveloperPermissions],
+					}),
+				),
+			},
+		},
+	})
+}
+
 func TestAccGitlabBranchProtection_createWithMultipleAccessLevels(t *testing.T) {
 	var pb gitlab.ProtectedBranch
 	rInt := acctest.RandInt()
@@ -258,6 +338,10 @@ func testAccCheckGitlabBranchProtectionPersistsInStateCorrectly(n string, pb *gi
 			return fmt.Errorf("push access level not persisted in state correctly")
 		}
 
+		if rs.Primary.Attributes["allow_force_push"] != strconv.FormatBool(pb.AllowForcePush) {
+			return fmt.Errorf("allow_force_push not persisted in state correctly")
+		}
+
 		if rs.Primary.Attributes["code_owner_approval_required"] != strconv.FormatBool(pb.CodeOwnerApprovalRequired) {
 			return fmt.Errorf("code_owner_approval_required not persisted in state correctly")
 		}
@@ -301,6 +385,7 @@ type testAccGitlabBranchProtectionExpectedAttributes struct {
 	Name                      string
 	PushAccessLevel           string
 	MergeAccessLevel          string
+	AllowForcePush            bool
 	UsersAllowedToPush        []string
 	UsersAllowedToMerge       []string
 	GroupsAllowedToPush       []string
@@ -336,6 +421,10 @@ func testAccCheckGitlabBranchProtectionAttributes(pb *gitlab.ProtectedBranch, wa
 			return fmt.Errorf("got Merge access level %v; want %v", mergeAccessLevel, accessLevelNameToValue[want.MergeAccessLevel])
 		}
 
+		if pb.AllowForcePush != want.AllowForcePush {
+			return fmt.Errorf("got allow_force_push %v; want %v", pb.AllowForcePush, want.AllowForcePush)
+		}
+
 		remainingWantedUserIDsAllowedToPush := map[int]struct{}{}
 		for _, v := range want.UsersAllowedToPush {
 			users, _, err := testGitlabClient.Users.ListUsers(&gitlab.ListUsersOptions{
@@ -448,6 +537,27 @@ resource "gitlab_branch_protection" "branch_protect" {
 	`, rInt)
 }
 
+func testAccGitlabBranchProtectionUpdateConfigAllowForcePushTrue(rInt int) string {
+	return fmt.Sprintf(`
+resource "gitlab_project" "foo" {
+  name = "foo-%[1]d"
+  description = "Terraform acceptance tests"
+
+  # So that acceptance tests can be run in a gitlab organization
+  # with no billing
+  visibility_level = "public"
+}
+
+resource "gitlab_branch_protection" "branch_protect" {
+  project                      = gitlab_project.foo.id
+  branch                       = "BranchProtect-%[1]d"
+  push_access_level            = "developer"
+  merge_access_level           = "developer"
+  allow_force_push             = true
+}
+	`, rInt)
+}
+
 func testAccGitlabBranchProtectionUpdateConfigCodeOwnerTrue(rInt int) string {
 	return fmt.Sprintf(`
 resource "gitlab_project" "foo" {
