Merge pull request #359 from armsnyder/310-codeowners-approval

armsnyder · web-flow · commit ef97dc93ced6 · 2020-09-09T17:55:22.000-07:00
Add code_owner_approval_required argument to gitlab_branch_protection resource
diff --git a/gitlab/resource_gitlab_branch_protection.go b/gitlab/resource_gitlab_branch_protection.go
@@ -1,6 +1,8 @@
 package gitlab
 
 import (
+	"errors"
+	"fmt"
 	"log"
 
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
@@ -16,6 +18,7 @@ func resourceGitlabBranchProtection() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceGitlabBranchProtectionCreate,
 		Read:   resourceGitlabBranchProtectionRead,
+		Update: resourceGitlabBranchProtectionUpdate,
 		Delete: resourceGitlabBranchProtectionDelete,
 		Schema: map[string]*schema.Schema{
 			"project": {
@@ -40,6 +43,11 @@ func resourceGitlabBranchProtection() *schema.Resource {
 				Required:     true,
 				ForceNew:     true,
 			},
+			"code_owner_approval_required": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
 		},
 	}
 }
@@ -50,11 +58,13 @@ func resourceGitlabBranchProtectionCreate(d *schema.ResourceData, meta interface
 	branch := gitlab.String(d.Get("branch").(string))
 	mergeAccessLevel := accessLevelID[d.Get("merge_access_level").(string)]
 	pushAccessLevel := accessLevelID[d.Get("push_access_level").(string)]
+	codeOwnerApprovalRequired := d.Get("code_owner_approval_required").(bool)
 
 	options := &gitlab.ProtectRepositoryBranchesOptions{
-		Name:             branch,
-		MergeAccessLevel: &mergeAccessLevel,
-		PushAccessLevel:  &pushAccessLevel,
+		Name:                      branch,
+		MergeAccessLevel:          &mergeAccessLevel,
+		PushAccessLevel:           &pushAccessLevel,
+		CodeOwnerApprovalRequired: &codeOwnerApprovalRequired,
 	}
 
 	log.Printf("[DEBUG] create gitlab branch protection on %v for project %s", options.Name, project)
@@ -75,7 +85,17 @@ func resourceGitlabBranchProtectionCreate(d *schema.ResourceData, meta interface
 
 	d.SetId(buildTwoPartID(&project, &bp.Name))
 
-	return resourceGitlabBranchProtectionRead(d, meta)
+	if err := resourceGitlabBranchProtectionRead(d, meta); err != nil {
+		return err
+	}
+
+	// If the GitLab tier does not support the code owner approval feature, the resulting plan will be inconsistent.
+	// We return an error because otherwise Terraform would report this inconsistency as a "bug in the provider" to the user.
+	if codeOwnerApprovalRequired && !d.Get("code_owner_approval_required").(bool) {
+		return errors.New("feature unavailable: code owner approvals")
+	}
+
+	return nil
 }
 
 func resourceGitlabBranchProtectionRead(d *schema.ResourceData, meta interface{}) error {
@@ -98,12 +118,41 @@ func resourceGitlabBranchProtectionRead(d *schema.ResourceData, meta interface{}
 	d.Set("branch", pb.Name)
 	d.Set("merge_access_level", accessLevel[pb.MergeAccessLevels[0].AccessLevel])
 	d.Set("push_access_level", accessLevel[pb.PushAccessLevels[0].AccessLevel])
+	d.Set("code_owner_approval_required", pb.CodeOwnerApprovalRequired)
 
 	d.SetId(buildTwoPartID(&project, &pb.Name))
 
 	return nil
 }
 
+func resourceGitlabBranchProtectionUpdate(d *schema.ResourceData, meta interface{}) error {
+	// NOTE: At the time of writing, the only value that does not force re-creation is code_owner_approval_required,
+	// so therefore that is the only update that needs to be handled.
+
+	client := meta.(*gitlab.Client)
+	project := d.Get("project").(string)
+	branch := d.Get("branch").(string)
+	codeOwnerApprovalRequired := d.Get("code_owner_approval_required").(bool)
+
+	log.Printf("[DEBUG] update gitlab branch protection for project %s, branch %s", project, branch)
+
+	options := &gitlab.RequireCodeOwnerApprovalsOptions{
+		CodeOwnerApprovalRequired: &codeOwnerApprovalRequired,
+	}
+
+	if _, err := client.ProtectedBranches.RequireCodeOwnerApprovals(project, branch, options); err != nil {
+		// The user might be running a version of GitLab that does not support this feature.
+		// We enhance the generic 404 error with a more informative message.
+		if errResponse, ok := err.(*gitlab.ErrorResponse); ok && errResponse.Response.StatusCode == 404 {
+			return fmt.Errorf("feature unavailable: code owner approvals: %w", err)
+		}
+
+		return err
+	}
+
+	return resourceGitlabBranchProtectionRead(d, meta)
+}
+
 func resourceGitlabBranchProtectionDelete(d *schema.ResourceData, meta interface{}) error {
 	client := meta.(*gitlab.Client)
 	project := d.Get("project").(string)
@@ -119,7 +168,7 @@ func projectAndBranchFromID(id string) (string, string, error) {
 	project, branch, err := parseTwoPartID(id)
 
 	if err != nil {
-		log.Printf("[WARN] cannot get group member id from input: %v", id)
+		log.Printf("[WARN] cannot get branch protection id from input: %v", id)
 	}
 	return project, branch, err
 }
diff --git a/gitlab/resource_gitlab_branch_protection_test.go b/gitlab/resource_gitlab_branch_protection_test.go
@@ -2,6 +2,8 @@ package gitlab
 
 import (
 	"fmt"
+	"regexp"
+	"strconv"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/helper/acctest"
@@ -24,8 +26,8 @@ func TestAccGitlabBranchProtection_basic(t *testing.T) {
 			{
 				Config: testAccGitlabBranchProtectionConfig(rInt),
 				Check: resource.ComposeTestCheckFunc(
-					testAccCheckGitlabBranchProtectionExists("gitlab_branch_protection.BranchProtect", &pb),
-					testAccCheckGitlabBranchProtectionPersistsInStateCorrectly("gitlab_branch_protection.BranchProtect", &pb),
+					testAccCheckGitlabBranchProtectionExists("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionPersistsInStateCorrectly("gitlab_branch_protection.branch_protect", &pb),
 					testAccCheckGitlabBranchProtectionAttributes(&pb, &testAccGitlabBranchProtectionExpectedAttributes{
 						Name:             fmt.Sprintf("BranchProtect-%d", rInt),
 						PushAccessLevel:  accessLevel[gitlab.DeveloperPermissions],
@@ -37,8 +39,8 @@ func TestAccGitlabBranchProtection_basic(t *testing.T) {
 			{
 				Config: testAccGitlabBranchProtectionUpdateConfig(rInt),
 				Check: resource.ComposeTestCheckFunc(
-					testAccCheckGitlabBranchProtectionExists("gitlab_branch_protection.BranchProtect", &pb),
-					testAccCheckGitlabBranchProtectionPersistsInStateCorrectly("gitlab_branch_protection.BranchProtect", &pb),
+					testAccCheckGitlabBranchProtectionExists("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionPersistsInStateCorrectly("gitlab_branch_protection.branch_protect", &pb),
 					testAccCheckGitlabBranchProtectionAttributes(&pb, &testAccGitlabBranchProtectionExpectedAttributes{
 						Name:             fmt.Sprintf("BranchProtect-%d", rInt),
 						PushAccessLevel:  accessLevel[gitlab.MasterPermissions],
@@ -50,8 +52,107 @@ func TestAccGitlabBranchProtection_basic(t *testing.T) {
 			{
 				Config: testAccGitlabBranchProtectionConfig(rInt),
 				Check: resource.ComposeTestCheckFunc(
-					testAccCheckGitlabBranchProtectionExists("gitlab_branch_protection.BranchProtect", &pb),
-					testAccCheckGitlabBranchProtectionPersistsInStateCorrectly("gitlab_branch_protection.BranchProtect", &pb),
+					testAccCheckGitlabBranchProtectionExists("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionPersistsInStateCorrectly("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionAttributes(&pb, &testAccGitlabBranchProtectionExpectedAttributes{
+						Name:             fmt.Sprintf("BranchProtect-%d", rInt),
+						PushAccessLevel:  accessLevel[gitlab.DeveloperPermissions],
+						MergeAccessLevel: accessLevel[gitlab.DeveloperPermissions],
+					}),
+				),
+			},
+			// Update the the Branch Protection code owner approval setting
+			{
+				SkipFunc: isRunningInCE,
+				Config:   testAccGitlabBranchProtectionUpdateConfigCodeOwnerTrue(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabBranchProtectionExists("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionPersistsInStateCorrectly("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionAttributes(&pb, &testAccGitlabBranchProtectionExpectedAttributes{
+						Name:                      fmt.Sprintf("BranchProtect-%d", rInt),
+						PushAccessLevel:           accessLevel[gitlab.DeveloperPermissions],
+						MergeAccessLevel:          accessLevel[gitlab.DeveloperPermissions],
+						CodeOwnerApprovalRequired: true,
+					}),
+				),
+			},
+			// Attempting to update code owner approval setting on CE should fail safely and with an informative error message
+			{
+				SkipFunc:    isRunningInEE,
+				Config:      testAccGitlabBranchProtectionUpdateConfigCodeOwnerTrue(rInt),
+				ExpectError: regexp.MustCompile("feature unavailable: code owner approvals"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabBranchProtectionExists("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionPersistsInStateCorrectly("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionAttributes(&pb, &testAccGitlabBranchProtectionExpectedAttributes{
+						Name:             fmt.Sprintf("BranchProtect-%d", rInt),
+						PushAccessLevel:  accessLevel[gitlab.DeveloperPermissions],
+						MergeAccessLevel: accessLevel[gitlab.DeveloperPermissions],
+					}),
+				),
+			},
+			// Update the Branch Protection to get back to initial settings
+			{
+				Config: testAccGitlabBranchProtectionConfig(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabBranchProtectionExists("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionPersistsInStateCorrectly("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionAttributes(&pb, &testAccGitlabBranchProtectionExpectedAttributes{
+						Name:             fmt.Sprintf("BranchProtect-%d", rInt),
+						PushAccessLevel:  accessLevel[gitlab.DeveloperPermissions],
+						MergeAccessLevel: accessLevel[gitlab.DeveloperPermissions],
+					}),
+				),
+			},
+		},
+	})
+}
+
+func TestAccGitlabBranchProtection_createWithCodeOwnerApproval(t *testing.T) {
+	var pb gitlab.ProtectedBranch
+	rInt := acctest.RandInt()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckGitlabBranchProtectionDestroy,
+		Steps: []resource.TestStep{
+			// Create a project and Branch Protection with code owner approval enabled
+			{
+				SkipFunc: isRunningInCE,
+				Config:   testAccGitlabBranchProtectionUpdateConfigCodeOwnerTrue(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabBranchProtectionExists("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionPersistsInStateCorrectly("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionAttributes(&pb, &testAccGitlabBranchProtectionExpectedAttributes{
+						Name:                      fmt.Sprintf("BranchProtect-%d", rInt),
+						PushAccessLevel:           accessLevel[gitlab.DeveloperPermissions],
+						MergeAccessLevel:          accessLevel[gitlab.DeveloperPermissions],
+						CodeOwnerApprovalRequired: true,
+					}),
+				),
+			},
+			// Attempting to update code owner approval setting on CE should fail safely and with an informative error message
+			{
+				SkipFunc:    isRunningInEE,
+				Config:      testAccGitlabBranchProtectionUpdateConfigCodeOwnerTrue(rInt),
+				ExpectError: regexp.MustCompile("feature unavailable: code owner approvals"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabBranchProtectionExists("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionPersistsInStateCorrectly("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionAttributes(&pb, &testAccGitlabBranchProtectionExpectedAttributes{
+						Name:             fmt.Sprintf("BranchProtect-%d", rInt),
+						PushAccessLevel:  accessLevel[gitlab.DeveloperPermissions],
+						MergeAccessLevel: accessLevel[gitlab.DeveloperPermissions],
+					}),
+				),
+			},
+			// Update the Branch Protection to get back to initial settings
+			{
+				Config: testAccGitlabBranchProtectionConfig(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabBranchProtectionExists("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionPersistsInStateCorrectly("gitlab_branch_protection.branch_protect", &pb),
 					testAccCheckGitlabBranchProtectionAttributes(&pb, &testAccGitlabBranchProtectionExpectedAttributes{
 						Name:             fmt.Sprintf("BranchProtect-%d", rInt),
 						PushAccessLevel:  accessLevel[gitlab.DeveloperPermissions],
@@ -78,6 +179,10 @@ func testAccCheckGitlabBranchProtectionPersistsInStateCorrectly(n string, pb *gi
 			return fmt.Errorf("push access level not persisted in state correctly")
 		}
 
+		if rs.Primary.Attributes["code_owner_approval_required"] != strconv.FormatBool(pb.CodeOwnerApprovalRequired) {
+			return fmt.Errorf("code_owner_approval_required not persisted in state correctly")
+		}
+
 		return nil
 	}
 }
@@ -110,9 +215,10 @@ func testAccCheckGitlabBranchProtectionExists(n string, pb *gitlab.ProtectedBran
 }
 
 type testAccGitlabBranchProtectionExpectedAttributes struct {
-	Name             string
-	PushAccessLevel  string
-	MergeAccessLevel string
+	Name                      string
+	PushAccessLevel           string
+	MergeAccessLevel          string
+	CodeOwnerApprovalRequired bool
 }
 
 func testAccCheckGitlabBranchProtectionAttributes(pb *gitlab.ProtectedBranch, want *testAccGitlabBranchProtectionExpectedAttributes) resource.TestCheckFunc {
@@ -129,6 +235,10 @@ func testAccCheckGitlabBranchProtectionAttributes(pb *gitlab.ProtectedBranch, wa
 			return fmt.Errorf("got Merge access levels %q; want %q", pb.MergeAccessLevels[0].AccessLevel, accessLevelID[want.MergeAccessLevel])
 		}
 
+		if pb.CodeOwnerApprovalRequired != want.CodeOwnerApprovalRequired {
+			return fmt.Errorf("got code_owner_approval_required %v; want %v", pb.CodeOwnerApprovalRequired, want.CodeOwnerApprovalRequired)
+		}
+
 		return nil
 	}
 }
@@ -168,8 +278,8 @@ resource "gitlab_project" "foo" {
   visibility_level = "public"
 }
 
-resource "gitlab_branch_protection" "BranchProtect" {
-  project = "${gitlab_project.foo.id}"
+resource "gitlab_branch_protection" "branch_protect" {
+  project = gitlab_project.foo.id
   branch = "BranchProtect-%d"
   push_access_level = "developer"
   merge_access_level = "developer"
@@ -188,11 +298,32 @@ resource "gitlab_project" "foo" {
   visibility_level = "public"
 }
 
-resource "gitlab_branch_protection" "BranchProtect" {
-	project = "${gitlab_project.foo.id}"
+resource "gitlab_branch_protection" "branch_protect" {
+	project = gitlab_project.foo.id
 	branch = "BranchProtect-%d"
 	push_access_level = "maintainer"
 	merge_access_level = "maintainer"
 }
 	`, rInt, rInt)
 }
+
+func testAccGitlabBranchProtectionUpdateConfigCodeOwnerTrue(rInt int) string {
+	return fmt.Sprintf(`
+resource "gitlab_project" "foo" {
+  name = "foo-%d"
+  description = "Terraform acceptance tests"
+
+  # So that acceptance tests can be run in a gitlab organization
+  # with no billing
+  visibility_level = "public"
+}
+
+resource "gitlab_branch_protection" "branch_protect" {
+  project = gitlab_project.foo.id
+  branch = "BranchProtect-%d"
+  push_access_level = "developer"
+  merge_access_level = "developer"
+  code_owner_approval_required = true
+}
+	`, rInt, rInt)
+}
diff --git a/website/docs/r/branch_protection.html.markdown b/website/docs/r/branch_protection.html.markdown
@@ -31,4 +31,6 @@ The following arguments are supported:
 
 * `push_access_level` - (Required) One of five levels of access to the project.
 
-* `merge_access_level` - (Required) One of five levels of access to the project.
+* `merge_access_level` - (Required) One of five levels of access to the project.
+
+* `code_owner_approval_required` (Optional) Bool, defaults to false. Can be set to true to require code owner approval before merging.
