[FEAT]: Add Support for GitHub Enterprise Rulesets

[Ravio1i]

Resolves #2666

---

Before the change?

No possibility to create or fetch rulesets at enterprise level

After the change?

• Create rulesets with resource
• Fetch rulesets with datasource

Pull request checklist

• Schema migrations have been created if needed (example)
• Tests for the changes have been added (for bug fixes / features)
• Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

Please see our docs on breaking changes to help!

• Yes
• No

Notes

• Tested with own GitHub Enterprise Cloud Instance
• Currently there is a race condition in the test testAccGithubEnterpriseRuleset_required_workflows: Error running post-test destroy, there may be dangling resources for vulnerability-alerts`. The test still works but the vulnerabtily alert seems to be not finished in time. Happy to hear feedback about this

---

[deiga]

Initial pass. Not a complete review.

Please see if there are other parts of the PR where my comments might be applicable :)

[deiga]

You're doing good work!

I'm wondering if there are patterns from #2958 you should be copying here (for example the conditions and rules validation)

[Ravio1i]

You're doing good work!

Thanks! although I wasted a lot of time today being utterly confused of what is actually implemented and exposed in the API/golang sdk. E.g there are parts in the go sdk, which indicate that a ruleset can use the new repository_properties, organization_properties or merge_queue, but the actual API of the Enterprise Cloud is not supporting it 🔥

I'm wondering if there are patterns from #2958 you should be copying here (for example the conditions and rules validation)

I can check it out and see if I can adjust it !

#3110 (comment)

For the importer feature: I left it out intentionally as I was under the impression it is a feature used only in UI. Not sure who actually would use it with terraform/tofu to import json in hcl.

[Ravio1i]

I'm wondering if there are patterns from #2958 you should be copying here (for example the conditions and rules validation)

Similar to the the CustomizeDiff in #2958 I've added the util_ruleset_enterprise_validation.go to validate that:

• ref_name is required for branch/tag, but forbidden for push/repository
• creation, deletion, update, required_linear_history, required_signatures, pull_request, required_status_checks,
  non_fast_forward, commit_message_pattern, commit_author_email_pattern, committer_email_pattern, branch_name_pattern,
  tag_name_pattern, required_workflows, required_code_scanning, copilot_code_review rules are only valid for branch/tag
  targets
• file_path_restriction, max_file_size, max_file_path_length, file_extension_restriction rules are only valid for push
  target
• repository_creation, repository_deletion, repository_transfer, repository_name, repository_visibility rules are only
  valid for repository target

[deiga]

The Importer is functionality to enable terraform import or the import block inside the config, so that existing resources can be added to state

[Ravio1i]

The Importer is functionality to enable terraform import or the import block inside the config, so that existing resources can be added to state

Oh nevermind, yes that I will most definitely add!

I thought you were referring to the importer functionality in GitHub rulesets. Oops

[Ravio1i]

The Importer is functionality to enable terraform import or the import block inside the config, so that existing resources can be added to state

7dd2b13

Added the importer functionality + test

TF_CLI_CONFIG_FILE=../dev.tfrc terraform import github_enterprise_ruleset.imported siemens:440187
github_enterprise_ruleset.imported: Importing from ID "siemens:440187"...
github_enterprise_ruleset.imported: Import prepared!
  Prepared github_enterprise_ruleset for import
github_enterprise_ruleset.imported: Refreshing state... [id=440187]

Import successful!

[stevehipwell]

Thanks for the PR @Ravio1i.

[stevehipwell]

Please change the signature of this as the type isn't a bool.

[Ravio1i]

The org bool parameter on expandConditions/flattenConditions/expandRules/flattenRules is a shared utility across all three resource types (repo, org, enterprise). It controls whether org-level fields (like organization_name, organization_id, repository_property) are included.

I agree, changing this to a more descriptive type (e.g. an enum like RulesetLevel) would be a good improvement but affects all three resource files and their tests. Should this be done as a separate refactoring PR to keep the scope of this PR focused?

[stevehipwell]

It needs fixing in this PR as before this PR a bool can represent the supported states.

[Ravio1i]

I addded RulesetLevel instad of the bool now

2a59f50

Please check if this is how you would do it or you want to handle it differently :)

[deiga]

Discussion: What if we split conditions into target_organizations and target_repositories or some similar naming? Similar to what it is like in the UI.

This could make the code for handling and validating these simpler and it could make the config UX clearer too.

@stevehipwell @nickfloyd thoughts?

[stevehipwell]

I'd hold off on this for now.

[deiga]

Discussion:
On the shoulders of https://github.com/integrations/terraform-provider-github/pull/3110/changes#r2827158611: What if we split the rules into separate lists based on which target they work with?

That would enable us to remove the rules validation for "is this target allowed to set this rule" and replace it with simpler built-in validators.
It would make the UX for our users nicer since they don't have to trial-and-error the rules.

@stevehipwell @nickfloyd thoughts?

[stevehipwell]

I'd suggest opening an issue to discuss or creating a PR to demonstrate a POC.