Merge pull request #877 from beekeep/feat_branch_protection_force_push

timofurrer · web-flow · commit 3225aaae4948 · 2022-02-20T17:01:40.000+01:00
Add branch protection support for allow_force_push
diff --git a/docs/resources/branch_protection.md b/docs/resources/branch_protection.md
@@ -21,6 +21,7 @@ resource "gitlab_branch_protection" "BranchProtect" {
   branch                       = "BranchProtected"
   push_access_level            = "developer"
   merge_access_level           = "developer"
+  allow_force_push             = true
   code_owner_approval_required = true
   allowed_to_push {
     user_id = 5
@@ -64,6 +65,7 @@ resource "gitlab_branch_protection" "main" {
 
 ### Optional
 
+- **allow_force_push** (Boolean) Can be set to true to allow users with push access to force push.
 - **allowed_to_merge** (Block Set) Defines permissions for action. (see [below for nested schema](#nestedblock--allowed_to_merge))
 - **allowed_to_push** (Block Set) Defines permissions for action. (see [below for nested schema](#nestedblock--allowed_to_push))
 - **code_owner_approval_required** (Boolean) Can be set to true to require code owner approval before merging.
diff --git a/examples/resources/gitlab_branch_protection/resource.tf b/examples/resources/gitlab_branch_protection/resource.tf
@@ -3,6 +3,7 @@ resource "gitlab_branch_protection" "BranchProtect" {
   branch                       = "BranchProtected"
   push_access_level            = "developer"
   merge_access_level           = "developer"
+  allow_force_push             = true
   code_owner_approval_required = true
   allowed_to_push {
     user_id = 5
diff --git a/internal/provider/resource_gitlab_branch_protection.go b/internal/provider/resource_gitlab_branch_protection.go
@@ -78,6 +78,13 @@ var _ = registerResource("gitlab_branch_protection", func() *schema.Resource {
 				Required:         true,
 				ForceNew:         true,
 			},
+			"allow_force_push": {
+				Description: "Can be set to true to allow users with push access to force push.",
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     false,
+				ForceNew:    true,
+			},
 			"allowed_to_push":  schemaAllowedTo(),
 			"allowed_to_merge": schemaAllowedTo(),
 			"code_owner_approval_required": {
@@ -114,6 +121,7 @@ func resourceGitlabBranchProtectionCreate(ctx context.Context, d *schema.Resourc
 
 	mergeAccessLevel := accessLevelNameToValue[d.Get("merge_access_level").(string)]
 	pushAccessLevel := accessLevelNameToValue[d.Get("push_access_level").(string)]
+	allowForcePush := d.Get("allow_force_push").(bool)
 	codeOwnerApprovalRequired := d.Get("code_owner_approval_required").(bool)
 
 	allowedToPush := expandBranchPermissionOptions(d.Get("allowed_to_push").(*schema.Set).List())
@@ -123,6 +131,7 @@ func resourceGitlabBranchProtectionCreate(ctx context.Context, d *schema.Resourc
 		Name:                      &branch,
 		PushAccessLevel:           &pushAccessLevel,
 		MergeAccessLevel:          &mergeAccessLevel,
+		AllowForcePush:            &allowForcePush,
 		AllowedToPush:             &allowedToPush,
 		AllowedToMerge:            &allowedToMerge,
 		CodeOwnerApprovalRequired: &codeOwnerApprovalRequired,
@@ -174,6 +183,10 @@ func resourceGitlabBranchProtectionRead(ctx context.Context, d *schema.ResourceD
 		}
 	}
 
+	if err := d.Set("allow_force_push", pb.AllowForcePush); err != nil {
+		return diag.Errorf("error setting allow_force_push: %v", err)
+	}
+
 	// lintignore: R004 // TODO: Resolve this tfproviderlint issue
 	if err := d.Set("allowed_to_push", convertAllowedToToBranchAccessDescriptions(pb.PushAccessLevels)); err != nil {
 		return diag.Errorf("error setting allowed_to_push: %v", err)
diff --git a/internal/provider/resource_gitlab_branch_protection_test.go b/internal/provider/resource_gitlab_branch_protection_test.go
@@ -62,6 +62,33 @@ func TestAccGitlabBranchProtection_basic(t *testing.T) {
 					}),
 				),
 			},
+			// Update the Branch Protection with allow force push enabled
+			{
+				Config: testAccGitlabBranchProtectionUpdateConfigAllowForcePushTrue(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabBranchProtectionExists("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionPersistsInStateCorrectly("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionAttributes(&pb, &testAccGitlabBranchProtectionExpectedAttributes{
+						Name:             fmt.Sprintf("BranchProtect-%d", rInt),
+						PushAccessLevel:  accessLevelValueToName[gitlab.DeveloperPermissions],
+						MergeAccessLevel: accessLevelValueToName[gitlab.DeveloperPermissions],
+						AllowForcePush:   true,
+					}),
+				),
+			},
+			// Update the Branch Protection to get back to initial settings
+			{
+				Config: testAccGitlabBranchProtectionConfig(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabBranchProtectionExists("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionPersistsInStateCorrectly("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionAttributes(&pb, &testAccGitlabBranchProtectionExpectedAttributes{
+						Name:             fmt.Sprintf("BranchProtect-%d", rInt),
+						PushAccessLevel:  accessLevelValueToName[gitlab.DeveloperPermissions],
+						MergeAccessLevel: accessLevelValueToName[gitlab.DeveloperPermissions],
+					}),
+				),
+			},
 			// Update the the Branch Protection code owner approval setting
 			{
 				SkipFunc: isRunningInCE,
@@ -180,6 +207,59 @@ func TestAccGitlabBranchProtection_createWithCodeOwnerApproval(t *testing.T) {
 	})
 }
 
+func TestAccGitlabBranchProtection_createWithAllowForcePush(t *testing.T) {
+	var pb gitlab.ProtectedBranch
+	rInt := acctest.RandInt()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:          func() { testAccPreCheck(t) },
+		ProviderFactories: providerFactories,
+		CheckDestroy:      testAccCheckGitlabBranchProtectionDestroy,
+		Steps: []resource.TestStep{
+			// Start with allow force push disabled
+			{
+				Config: testAccGitlabBranchProtectionConfig(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabBranchProtectionExists("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionPersistsInStateCorrectly("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionAttributes(&pb, &testAccGitlabBranchProtectionExpectedAttributes{
+						Name:             fmt.Sprintf("BranchProtect-%d", rInt),
+						PushAccessLevel:  accessLevelValueToName[gitlab.DeveloperPermissions],
+						MergeAccessLevel: accessLevelValueToName[gitlab.DeveloperPermissions],
+					}),
+				),
+			},
+			// Create a project and Branch Protection with allow force push enabled
+			{
+				Config: testAccGitlabBranchProtectionUpdateConfigAllowForcePushTrue(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabBranchProtectionExists("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionPersistsInStateCorrectly("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionAttributes(&pb, &testAccGitlabBranchProtectionExpectedAttributes{
+						Name:             fmt.Sprintf("BranchProtect-%d", rInt),
+						PushAccessLevel:  accessLevelValueToName[gitlab.DeveloperPermissions],
+						MergeAccessLevel: accessLevelValueToName[gitlab.DeveloperPermissions],
+						AllowForcePush:   true,
+					}),
+				),
+			},
+			// Update the Branch Protection to get back to initial settings
+			{
+				Config: testAccGitlabBranchProtectionConfig(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabBranchProtectionExists("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionPersistsInStateCorrectly("gitlab_branch_protection.branch_protect", &pb),
+					testAccCheckGitlabBranchProtectionAttributes(&pb, &testAccGitlabBranchProtectionExpectedAttributes{
+						Name:             fmt.Sprintf("BranchProtect-%d", rInt),
+						PushAccessLevel:  accessLevelValueToName[gitlab.DeveloperPermissions],
+						MergeAccessLevel: accessLevelValueToName[gitlab.DeveloperPermissions],
+					}),
+				),
+			},
+		},
+	})
+}
+
 func TestAccGitlabBranchProtection_createWithMultipleAccessLevels(t *testing.T) {
 	var pb gitlab.ProtectedBranch
 	rInt := acctest.RandInt()
@@ -258,6 +338,10 @@ func testAccCheckGitlabBranchProtectionPersistsInStateCorrectly(n string, pb *gi
 			return fmt.Errorf("push access level not persisted in state correctly")
 		}
 
+		if rs.Primary.Attributes["allow_force_push"] != strconv.FormatBool(pb.AllowForcePush) {
+			return fmt.Errorf("allow_force_push not persisted in state correctly")
+		}
+
 		if rs.Primary.Attributes["code_owner_approval_required"] != strconv.FormatBool(pb.CodeOwnerApprovalRequired) {
 			return fmt.Errorf("code_owner_approval_required not persisted in state correctly")
 		}
@@ -301,6 +385,7 @@ type testAccGitlabBranchProtectionExpectedAttributes struct {
 	Name                      string
 	PushAccessLevel           string
 	MergeAccessLevel          string
+	AllowForcePush            bool
 	UsersAllowedToPush        []string
 	UsersAllowedToMerge       []string
 	GroupsAllowedToPush       []string
@@ -336,6 +421,10 @@ func testAccCheckGitlabBranchProtectionAttributes(pb *gitlab.ProtectedBranch, wa
 			return fmt.Errorf("got Merge access level %v; want %v", mergeAccessLevel, accessLevelNameToValue[want.MergeAccessLevel])
 		}
 
+		if pb.AllowForcePush != want.AllowForcePush {
+			return fmt.Errorf("got allow_force_push %v; want %v", pb.AllowForcePush, want.AllowForcePush)
+		}
+
 		remainingWantedUserIDsAllowedToPush := map[int]struct{}{}
 		for _, v := range want.UsersAllowedToPush {
 			users, _, err := testGitlabClient.Users.ListUsers(&gitlab.ListUsersOptions{
@@ -448,6 +537,27 @@ resource "gitlab_branch_protection" "branch_protect" {
 	`, rInt)
 }
 
+func testAccGitlabBranchProtectionUpdateConfigAllowForcePushTrue(rInt int) string {
+	return fmt.Sprintf(`
+resource "gitlab_project" "foo" {
+  name = "foo-%[1]d"
+  description = "Terraform acceptance tests"
+
+  # So that acceptance tests can be run in a gitlab organization
+  # with no billing
+  visibility_level = "public"
+}
+
+resource "gitlab_branch_protection" "branch_protect" {
+  project                      = gitlab_project.foo.id
+  branch                       = "BranchProtect-%[1]d"
+  push_access_level            = "developer"
+  merge_access_level           = "developer"
+  allow_force_push             = true
+}
+	`, rInt)
+}
+
 func testAccGitlabBranchProtectionUpdateConfigCodeOwnerTrue(rInt int) string {
 	return fmt.Sprintf(`
 resource "gitlab_project" "foo" {
