integrations / terraform-provider-github

Terraform GitHub provider
https://www.terraform.io/docs/providers/github/
MIT License

[FEAT]: Allow creating deployment policies that match tags #1948

Open daniel-jimenezgarcia-ow opened 12 months ago

daniel-jimenezgarcia-ow commented 12 months ago

Describe the need

Deployment policies now allow creating policies that match either branches or tags: https://github.blog/changelog/2023-10-06-actions-secure-deployment-rollouts-to-protected-environments-based-on-select-tag-patterns/

However, in Terraform we only have the github_repository_deployment_branch_policy available, which creates policies that match branches.

We need the ability to create policies that match tags (in the UX, you select a "ref type" when creating the policy). This could either be via a new ref_type parameter in the existing resource or a new resource like github_repository_deployment_tag_policy.

Note I haven't seen this exposed in GitHub's REST API. It might take some time for this new feature to be exposed in the API, and from there in the go-github client! I thought it would be helpful to have this item, even if in a "blocked" state, but you might disagree and prefer to close it, which I also understand.

SDK Version

No response

API Version

No response

Relevant log output

No response


george-zubrienko commented 12 months ago

This is needed in order to update repos after the security fix which broke the old way of doing tag-based deployment protection.

https://github.blog/changelog/2023-10-06-actions-secure-deployment-rollouts-to-protected-environments-based-on-select-tag-patterns/

george-zubrienko commented 11 months ago

Has the work started on this? Or should we do the scriptops again? :)

daniel-jimenezgarcia-ow commented 11 months ago

Worth noting this is now added to the REST API, as well as the v56 version of the go-github client (which added a new Type parameter for the DeploymentBranchPolicy and DeploymentBranchPolicyRequest types).

kfcampbell commented 11 months ago

@george-zubrienko it has not; PRs are very welcome!

tjespers commented 10 months ago

Hi 👋

We're currently migrating to become a Terraform-managed GitHub organization. This feature is something that would benefit us greatly, so I've dug a bit into the implementation of this resource.

I'm entirely new to writing Terraform providers, so please correct me when I got things at the wrong end here, but the way I see it there are roughly 2 ways to implement this:

I was wondering if there is a best-practice / general consensus on what would be the preferred approach to a problem like this when it comes to TF providers?

mcevoypeter commented 10 months ago

FYI: I implemented the first approach in the comment above for the github_repository_environment_deployment_policy resource in https://github.com/integrations/terraform-provider-github/pull/2050 and am awaiting feedback. The implementation should be simple to apply to the github_repository_deployment_branch_policy as well.

anfigueroa commented 3 months ago

This is becoming an issue in our organization; we need to be able to manage this through IaC. How come this has been implemented since Dec 2023 but nothing has advanced since then? Is there a way to help this move forward?

mmadhur-cops commented 2 months ago

+1