@@ -4,9 +4,11 @@ import (
44 "context"
55 "fmt"
66 "log"
7+ "slices"
78 "strconv"
89
910 "github.com/google/go-github/v82/github"
11+ "github.com/hashicorp/terraform-plugin-log/tflog"
1012 "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
1113 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
1214)
@@ -53,6 +55,8 @@ func resourceGithubOrganizationRepositoryRole() *schema.Resource {
5355 MinItems : 1 ,
5456 },
5557 },
58+
59+ CustomizeDiff : resourceGithubOrganizationRepositoryRoleCustomizeDiff ,
5660 }
5761}
5862
@@ -214,3 +218,75 @@ func resourceGithubOrganizationRepositoryRoleDelete(ctx context.Context, d *sche
214218
215219 return nil
216220}
221+
222+ // Snapshot of the response to https://docs.github.com/en/enterprise-cloud@latest/rest/orgs/custom-roles?apiVersion=2022-11-28#list-repository-fine-grained-permissions-for-an-organization
223+ // The endpoint isn't covered in the SDK yet.
224+ var validRolePermissions = []string {
225+ "add_assignee" ,
226+ "add_label" ,
227+ "bypass_branch_protection" ,
228+ "close_discussion" ,
229+ "close_issue" ,
230+ "close_pull_request" ,
231+ "convert_issues_to_discussions" ,
232+ "create_discussion_category" ,
233+ "create_solo_merge_queue_entry" ,
234+ "create_tag" ,
235+ "delete_alerts_code_scanning" ,
236+ "delete_discussion" ,
237+ "delete_discussion_comment" ,
238+ "delete_issue" ,
239+ "delete_tag" ,
240+ "edit_category_on_discussion" ,
241+ "edit_discussion_category" ,
242+ "edit_discussion_comment" ,
243+ "edit_repo_custom_properties_values" ,
244+ "edit_repo_metadata" ,
245+ "edit_repo_protections" ,
246+ "jump_merge_queue" ,
247+ "manage_deploy_keys" ,
248+ "manage_settings_merge_types" ,
249+ "manage_settings_pages" ,
250+ "manage_settings_projects" ,
251+ "manage_settings_wiki" ,
252+ "manage_webhooks" ,
253+ "mark_as_duplicate" ,
254+ "push_protected_branch" ,
255+ "read_code_quality" ,
256+ "read_code_scanning" ,
257+ "reopen_discussion" ,
258+ "reopen_issue" ,
259+ "reopen_pull_request" ,
260+ "request_pr_review" ,
261+ "resolve_dependabot_alerts" ,
262+ "resolve_secret_scanning_alerts" ,
263+ "set_interaction_limits" ,
264+ "set_issue_type" ,
265+ "set_milestone" ,
266+ "set_social_preview" ,
267+ "toggle_discussion_answer" ,
268+ "toggle_discussion_comment_minimize" ,
269+ "view_dependabot_alerts" ,
270+ "view_secret_scanning_alerts" ,
271+ "write_code_quality" ,
272+ "write_code_scanning" ,
273+ "write_repository_actions_environments" ,
274+ "write_repository_actions_runners" ,
275+ "write_repository_actions_secrets" ,
276+ "write_repository_actions_settings" ,
277+ "write_repository_actions_variables" ,
278+ }
279+
280+ func resourceGithubOrganizationRepositoryRoleCustomizeDiff (ctx context.Context , d * schema.ResourceDiff , m any ) error {
281+ tflog .Debug (ctx , "Customizing diff for GitHub organization repository role" , map [string ]any {"permissionsChanged" : d .HasChange ("permissions" )})
282+ if d .HasChange ("permissions" ) {
283+ newPermissions := d .Get ("permissions" ).(* schema.Set ).List ()
284+ tflog .Debug (ctx , "Validating permissions values" , map [string ]any {"newPermissions" : newPermissions })
285+ for _ , permission := range newPermissions {
286+ if ! slices .Contains (validRolePermissions , permission .(string )) {
287+ return fmt .Errorf ("invalid permission: %+v" , permission )
288+ }
289+ }
290+ }
291+ return nil
292+ }
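Review bot: The `permission.(string)` assertion inside the range loop at 286 is unchecked, so a non-string element (if the set's Elem is ever something other than TypeString — the Elem definition is outside this hunk) would panic the provider process instead of producing a diagnostic; the error at 287 also formats a string with `%+v`, where `%q` would make an empty or whitespace value visible to the user. A safer form is `p, ok := permission.(string)` / `if !ok || !slices.Contains(validRolePermissions, p) {` / `return fmt.Errorf("invalid permission %q; see https://docs.github.com/en/enterprise-cloud@latest/rest/orgs/custom-roles for the current list", permission)`. Because `validRolePermissions` is a snapshot (comment at 222-223), any fine-grained permission GitHub adds later is rejected at plan time until the provider is updated, even though the API would accept it; the header comment should say so explicitly, e.g. `// NOTE: values outside this list are rejected at plan time; refresh it when GitHub adds permissions.` Also, `d.HasChange("permissions")` is evaluated twice (281 and 282); computing it once into a local keeps the log field and the branch in sync.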