integrations / terraform-provider-github

Terraform GitHub provider
https://www.terraform.io/docs/providers/github/
MIT License

feat: Add `github_actions_enterprise_permissions` #2155

Closed ErikElkins closed 6 months ago

ErikElkins commented 6 months ago

Resolves part of #1199

This adds a new resource github_actions_enterprise_permissions to control GitHub Actions policy on an enterprise.

    data "github_enterprise" "example-enterprise" {
      slug = "my-enterprise"
    }

    data "github_organization" "example-org" {
      name = "my-org"
    }

    resource "github_actions_enterprise_permissions" "test" {
      enterprise_id = data.github_enterprise.example-enterprise.slug
      allowed_actions = "selected"
      enabled_organizations = "selected"
      allowed_actions_config {
        github_owned_allowed = true
        patterns_allowed     = ["actions/cache@*", "actions/checkout@*"]
        verified_allowed     = true
      }
      enabled_organizations_config {
        organization_ids = [data.github_organization.example-org.id]
      }
    }

Pull request checklist

Does this introduce a breaking change?

Please see our docs on breaking changes to help!


kfcampbell commented 6 months ago

When running the new integration tests, I get the following error:

    resource_github_actions_enterprise_permissions_test.go:261: Step 1/1 error: Error running pre-apply refresh: exit status 1

        Error: Could not resolve to a Business with the URL slug of ''.

          with data.github_enterprise.enterprise,
          on terraform_plugin_test.tf line 3, in data "github_enterprise" "enterprise":
           3:           data "github_enterprise" "enterprise" {

Can you reproduce this? Am I missing some kind of setup?

ErikElkins commented 6 months ago

I missed the check on ENTERPRISE_SLUG and ENTERPRISE_ACCOUNT that the other enterprise-dependent integration tests do here: https://github.com/integrations/terraform-provider-github/blob/main/github/resource_github_enterprise_organization_test.go#L91

Updated the PR.

laughedelic commented 6 months ago

I don't know if there is a good reason for this, but between this PR and #2158 there is some naming inconsistency: github_enterprise_actions... vs. github_actions_enterprise.... I just noticed it when looking at the PRs list:

[Screenshot 2024-03-03 at 18 05 02]

kfcampbell commented 6 months ago

@laughedelic good catch. I have a slight preference for github_enterprise_actions... since these are settings that only exist in enterprise, though I'd be happy to hear arguments either way.

bradam12 commented 6 months ago

That was my thinking too, though there was only one example (github_enterprise_organization) to go off of. Either way works for me.

ErikElkins commented 6 months ago

I named this after github_actions_organization_permissions. But if we think there will be more enterprise resources, github_enterprise... would be better.

bradam12 commented 6 months ago

Works in my enterprise. Import doesn't work, as it always tries to force replacement, but applying without an import seems to be fine, since it's authoritative.

I think that's acceptable tbh.

    $ terragrunt import github_enterprise_actions_permissions.enterprise enterprise

    Import successful!

    The resources that were imported are shown above. These resources are now in
    your Terraform state and will henceforth be managed by Terraform.

    $ terragrunt plan
    Terraform used the selected providers to generate the following execution
    plan. Resource actions are indicated with the following symbols:
    -/+ destroy and then create replacement

    Terraform will perform the following actions:

      # github_enterprise_actions_permissions.enterprise must be replaced
    -/+ resource "github_enterprise_actions_permissions" "enterprise" {
          + enterprise_id         = "enterprise" # forces replacement
          ~ id                    = "enterprise" -> (known after apply)
            # (2 unchanged attributes hidden)

          ~ allowed_actions_config {
              ~ patterns_allowed     = [
                  - "test/*",
                    # (7 unchanged elements hidden)
                ]
                # (2 unchanged attributes hidden)
            }
        }