Add https_enforced field

Signed-off-by: Timo Sand <timo.sand@f-secure.com>

Author: deiga

github/data_source_github_repository_pages.go

@@ -80,6 +80,11 @@ func dataSourceGithubRepositoryPages() *schema.Resource {
 				Computed:    true,
 				Description: "Whether the GitHub Pages site is publicly visible. If set to `true`, the site is accessible to anyone on the internet. If set to `false`, the site will only be accessible to users who have at least `read` access to the repository that published the site.",
 			},
+			"https_enforced": {
+				Type:        schema.TypeBool,
+				Computed:    true,
+				Description: "Whether the rendered GitHub Pages site will only be served over HTTPS.",
+			},
 		},
 	}
 }
@@ -127,6 +132,9 @@ func dataSourceGithubRepositoryPagesRead(ctx context.Context, d *schema.Resource
 	if err := d.Set("public", pages.GetPublic()); err != nil {
 		return diag.FromErr(err)
 	}
+	if err := d.Set("https_enforced", pages.GetHTTPSEnforced()); err != nil {
+		return diag.FromErr(err)
+	}
 	// Set source only for legacy build type
 	if pages.GetBuildType() == "legacy" && pages.GetSource() != nil {
 		source := []map[string]any{

github/data_source_github_repository_pages_test.go

@@ -63,6 +63,7 @@ func TestAccGithubRepositoryPagesDataSource(t *testing.T) {
 						statecheck.ExpectKnownValue("data.github_repository_pages.test", tfjsonpath.New("build_status"), knownvalue.NotNull()),
 						statecheck.CompareValuePairs("data.github_repository_pages.test", tfjsonpath.New("api_url"), "github_repository_pages.test", tfjsonpath.New("api_url"), compare.ValuesSame()),
 						statecheck.ExpectKnownValue("data.github_repository_pages.test", tfjsonpath.New("public"), knownvalue.Bool(testAccConf.authMode != enterprise)),
+						statecheck.CompareValuePairs("data.github_repository_pages.test", tfjsonpath.New("https_enforced"), "github_repository_pages.test", tfjsonpath.New("https_enforced"), compare.ValuesSame()),
 					},
 				},
 			},
@@ -112,6 +113,7 @@ func TestAccGithubRepositoryPagesDataSource(t *testing.T) {
 						statecheck.ExpectKnownValue("data.github_repository_pages.test", tfjsonpath.New("build_status"), knownvalue.NotNull()),
 						statecheck.CompareValuePairs("data.github_repository_pages.test", tfjsonpath.New("api_url"), "github_repository_pages.test", tfjsonpath.New("api_url"), compare.ValuesSame()),
 						statecheck.CompareValuePairs("data.github_repository_pages.test", tfjsonpath.New("public"), "github_repository_pages.test", tfjsonpath.New("public"), compare.ValuesSame()),
+						statecheck.CompareValuePairs("data.github_repository_pages.test", tfjsonpath.New("https_enforced"), "github_repository_pages.test", tfjsonpath.New("https_enforced"), compare.ValuesSame()),
 					},
 				},
 			},

github/resource_github_repository_pages.go

@@ -103,6 +103,13 @@ func resourceGithubRepositoryPages() *schema.Resource {
 				Computed:    true,
 				Description: "Whether the GitHub Pages site is publicly visible. If set to `true`, the site is accessible to anyone on the internet. If set to `false`, the site will only be accessible to users who have at least `read` access to the repository that published the site.",
 			},
+			"https_enforced": {
+				Type:         schema.TypeBool,
+				Optional:     true,
+				Computed:     true,
+				RequiredWith: []string{"cname"},
+				Description:  "Whether the rendered GitHub Pages site will only be served over HTTPS. Requires 'cname' to be set.",
+			},
 		},
 		CustomizeDiff: customdiff.All(resourceGithubRepositoryPagesDiff, diffRepository),
 	}
@@ -168,6 +175,15 @@ func resourceGithubRepositoryPagesCreate(ctx context.Context, d *schema.Resource
 			return diag.FromErr(err)
 		}
 	}
+	httpsEnforced, httpsEnforcedExists := d.GetOkExists("https_enforced") // nolint:staticcheck // SA1019: There is no better alternative for checking if boolean value is set
+	if httpsEnforcedExists && httpsEnforced != nil {
+		shouldUpdatePage = true
+		update.HTTPSEnforced = github.Ptr(httpsEnforced.(bool))
+	} else {
+		if err := d.Set("https_enforced", pages.GetHTTPSEnforced()); err != nil {
+			return diag.FromErr(err)
+		}
+	}
 
 	if shouldUpdatePage {
 		_, err = client.Repositories.UpdatePages(ctx, owner, repoName, update)
@@ -225,6 +241,9 @@ func resourceGithubRepositoryPagesRead(ctx context.Context, d *schema.ResourceDa
 	if err := d.Set("public", pages.GetPublic()); err != nil {
 		return diag.FromErr(err)
 	}
+	if err := d.Set("https_enforced", pages.GetHTTPSEnforced()); err != nil {
+		return diag.FromErr(err)
+	}
 
 	// Set source only for legacy build type
 	if pages.GetBuildType() == "legacy" && pages.GetSource() != nil {
@@ -269,6 +288,13 @@ func resourceGithubRepositoryPagesUpdate(ctx context.Context, d *schema.Resource
 		}
 	}
 
+	if d.HasChange("https_enforced") {
+		httpsEnforced, ok := d.Get("https_enforced").(bool)
+		if ok {
+			update.HTTPSEnforced = github.Ptr(httpsEnforced)
+		}
+	}
+
 	if d.HasChange("build_type") {
 		buildType := d.Get("build_type").(string)
 		update.BuildType = github.Ptr(buildType)

github/resource_github_repository_pages_test.go

@@ -218,6 +218,36 @@ source {
 		})
 	})
 
+	t.Run("errors_when_https_enforced_without_cname", func(t *testing.T) {
+		randomID := acctest.RandString(5)
+		repoName := fmt.Sprintf("%spages-%s", testResourcePrefix, randomID)
+
+		config := fmt.Sprintf(`
+			resource "github_repository" "test" {
+				name       = "%s"
+				visibility = "%s"
+				auto_init  = true
+			}
+
+			resource "github_repository_pages" "test" {
+				repository     = github_repository.test.name
+				build_type     = "workflow"
+				https_enforced = true
+			}
+		`, repoName, baseRepoVisibility)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnauthenticated(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config:      config,
+					ExpectError: regexp.MustCompile(`all of .cname,https_enforced. must be specified`),
+				},
+			},
+		})
+	})
+
 	t.Run("imports_pages_configuration", func(t *testing.T) {
 		randomID := acctest.RandString(5)
 		repoName := fmt.Sprintf("%spages-%s", testResourcePrefix, randomID)

website/docs/d/repository_pages.html.markdown

@@ -43,6 +43,8 @@ The following attributes are exported:
 
 - `public` - Whether the GitHub Pages site is public.
 
+- `https_enforced` - Whether HTTPS is enforced for the GitHub Pages site. This setting only applies when a custom domain is configured.
+
 ### Source
 
 The `source` block contains:

website/docs/r/repository_pages.html.markdown

@@ -80,7 +80,8 @@ resource "github_repository" "example" {
 resource "github_repository_pages" "example" {
   repository = github_repository.example.name
   build_type = "legacy"
-  cname      = "example.com"
+  cname          = "example.com"
+  https_enforced = true
 
   source {
     branch = "main"
@@ -103,6 +104,8 @@ The following arguments are supported:
 
 - `public` - (Optional) Whether the GitHub Pages site is public.
 
+- `https_enforced` - (Optional) Whether HTTPS is enforced for the GitHub Pages site. GitHub Pages sites serve over HTTPS by default; this setting only applies when a custom domain (`cname`) is configured. Requires `cname` to be set.
+
 ### Source
 
 The `source` block supports the following: