feat: add github_user_ssh_signing_key

feat: add docs for github_user_ssh_signing_key

fix: add github_user_ssh_signing_key to provider.go

fix: add github_user_ssh_signing_key to github.erb

fix: use tflog, context, test-structure

fix: use resource-prefix, sweeper, 404-handling, direct read

Author: simonostendorf

github/acc_test.go

@@ -204,6 +204,11 @@ func configureSweepers() {
 		Name: "teams",
 		F:    sweepTeams,
 	})
+
+	resource.AddTestSweepers("user_ssh_signing_keys", &resource.Sweeper{
+		Name: "user_ssh_signing_keys",
+		F:    sweepUserSSHSigningKeys,
+	})
 }
 
 func sweepTeams(_ string) error {
@@ -276,6 +281,36 @@ func sweepRepositories(_ string) error {
 	return nil
 }
 
+func sweepUserSSHSigningKeys(_ string) error {
+	fmt.Println("sweeping user SSH signing keys")
+
+	meta, err := getTestMeta()
+	if err != nil {
+		return fmt.Errorf("could not get test meta for sweeper: %w", err)
+	}
+
+	client := meta.v3client
+	owner := meta.name
+	ctx := context.Background()
+
+	keys, _, err := client.Users.ListSSHSigningKeys(ctx, owner, nil)
+	if err != nil {
+		return err
+	}
+
+	for _, k := range keys {
+		if title := k.GetTitle(); strings.HasPrefix(title, testResourcePrefix) {
+			fmt.Printf("destroying user SSH signing key %s\n", title)
+
+			if _, err := client.Users.DeleteSSHSigningKey(ctx, k.GetID()); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
 func skipUnauthenticated(t *testing.T) {
 	if testAccConf.authMode == anonymous {
 		t.Skip("Skipping as test mode not authenticated")

github/provider.go

@@ -212,6 +212,7 @@ func Provider() *schema.Provider {
 			"github_user_gpg_key":                                                   resourceGithubUserGpgKey(),
 			"github_user_invitation_accepter":                                       resourceGithubUserInvitationAccepter(),
 			"github_user_ssh_key":                                                   resourceGithubUserSshKey(),
+			"github_user_ssh_signing_key":                                           resourceGithubUserSshSigningKey(),
 			"github_enterprise_organization":                                        resourceGithubEnterpriseOrganization(),
 			"github_enterprise_actions_runner_group":                                resourceGithubActionsEnterpriseRunnerGroup(),
 			"github_enterprise_actions_workflow_permissions":                        resourceGithubEnterpriseActionsWorkflowPermissions(),

github/resource_github_user_ssh_signing_key.go

@@ -0,0 +1,129 @@
+package github
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/google/go-github/v81/github"
+	"github.com/hashicorp/terraform-plugin-log/tflog"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func resourceGithubUserSshSigningKey() *schema.Resource {
+	return &schema.Resource{
+		CreateContext: resourceGithubUserSshSigningKeyCreate,
+		ReadContext:   resourceGithubUserSshSigningKeyRead,
+		DeleteContext: resourceGithubUserSshSigningKeyDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"title": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "A descriptive name for the new key.",
+			},
+			"key": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "The public SSH key to add to your GitHub account.",
+				DiffSuppressFunc: func(k, oldV, newV string, d *schema.ResourceData) bool {
+					newTrimmed := strings.TrimSpace(newV)
+					return oldV == newTrimmed
+				},
+			},
+			"etag": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+		},
+	}
+}
+
+func resourceGithubUserSshSigningKeyCreate(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	client := meta.(*Owner).v3client
+
+	title := d.Get("title").(string)
+	key := d.Get("key").(string)
+
+	userKey, resp, err := client.Users.CreateSSHSigningKey(ctx, &github.Key{
+		Title: github.Ptr(title),
+		Key:   github.Ptr(key),
+	})
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId(strconv.FormatInt(*userKey.ID, 10))
+
+	if err = d.Set("etag", resp.Header.Get("ETag")); err != nil {
+		return diag.FromErr(err)
+	}
+	if err = d.Set("title", userKey.GetTitle()); err != nil {
+		return diag.FromErr(err)
+	}
+	if err = d.Set("key", userKey.GetKey()); err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}
+
+func resourceGithubUserSshSigningKeyRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*Owner).v3client
+
+	id, err := strconv.ParseInt(d.Id(), 10, 64)
+	if err != nil {
+		return diag.Errorf("failed to convert ID %s: %v", d.Id(), err)
+	}
+
+	key, resp, err := client.Users.GetSSHSigningKey(ctx, id)
+	if err != nil {
+		if ghErr, ok := err.(*github.ErrorResponse); ok {
+			if ghErr.Response.StatusCode == http.StatusNotModified {
+				return nil
+			}
+			if ghErr.Response.StatusCode == http.StatusNotFound {
+				tflog.Info(ctx, fmt.Sprintf("Removing user SSH key %s from state because it no longer exists in GitHub", d.Id()), map[string]any{
+					"ssh_signing_key_id": d.Id(),
+				})
+				d.SetId("")
+				return nil
+			}
+		}
+	}
+
+	if err = d.Set("etag", resp.Header.Get("ETag")); err != nil {
+		return diag.FromErr(err)
+	}
+	if err = d.Set("title", key.GetTitle()); err != nil {
+		return diag.FromErr(err)
+	}
+	if err = d.Set("key", key.GetKey()); err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}
+
+func resourceGithubUserSshSigningKeyDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*Owner).v3client
+
+	id, err := strconv.ParseInt(d.Id(), 10, 64)
+	if err != nil {
+		return diag.Errorf("failed to convert ID %s: %v", d.Id(), err)
+	}
+
+	resp, err := client.Users.DeleteSSHSigningKey(ctx, id)
+	if resp.StatusCode == http.StatusNotFound {
+		return nil
+	}
+	return diag.FromErr(err)
+}

github/resource_github_user_ssh_signing_key_test.go

@@ -0,0 +1,85 @@
+package github
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"fmt"
+	"regexp"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"golang.org/x/crypto/ssh"
+)
+
+func TestAccGithubUserSshSigningKey(t *testing.T) {
+	t.Run("creates and destroys a user SSH signing key without error", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		name := fmt.Sprintf(`%s-%s`, testResourcePrefix, randomID)
+		testKey := newTestSigningKey()
+
+		config := fmt.Sprintf(`
+			resource "github_user_ssh_signing_key" "test" {
+				title = "%[1]s"
+				key   = "%[2]s"
+			}
+		`, name, testKey)
+
+		check := resource.ComposeTestCheckFunc(
+			resource.TestMatchResourceAttr("github_user_ssh_signing_key.test", "title", regexp.MustCompile(randomID)),
+			resource.TestMatchResourceAttr("github_user_ssh_signing_key.test", "key", regexp.MustCompile("^ssh-rsa ")),
+		)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnauthenticated(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: config,
+					Check:  check,
+				},
+			},
+		})
+	})
+
+	t.Run("imports an individual account SSH signing key without error", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		name := fmt.Sprintf(`%s-%s`, testResourcePrefix, randomID)
+		testKey := newTestSigningKey()
+
+		config := fmt.Sprintf(`
+			resource "github_user_ssh_signing_key" "test" {
+				title = "%[1]s"
+				key   = "%[2]s"
+			}
+		`, name, testKey)
+
+		check := resource.ComposeTestCheckFunc(
+			resource.TestCheckResourceAttrSet("github_user_ssh_signing_key.test", "title"),
+			resource.TestCheckResourceAttrSet("github_user_ssh_signing_key.test", "key"),
+		)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnauthenticated(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: config,
+					Check:  check,
+				},
+				{
+					ResourceName:      "github_user_ssh_signing_key.test",
+					ImportState:       true,
+					ImportStateVerify: true,
+				},
+			},
+		})
+	})
+}
+
+func newTestSigningKey() string {
+	privateKey, _ := rsa.GenerateKey(rand.Reader, 1024)
+	publicKey, _ := ssh.NewPublicKey(&privateKey.PublicKey)
+	return strings.TrimRight(string(ssh.MarshalAuthorizedKey(publicKey)), "\n")
+}

website/docs/r/user_ssh_signing_key.html.markdown

@@ -0,0 +1,42 @@
+---
+layout: "github"
+page_title: "GitHub: github_user_ssh_signing_key"
+description: |-
+  Provides a GitHub user's SSH signing key resource.
+---
+
+# github_user_ssh_signing_key
+
+Provides a GitHub user's SSH signing key resource.
+
+This resource allows you to add/remove SSH signing keys from your user account.
+
+## Example Usage
+
+```hcl
+resource "github_user_ssh_signing_key" "example" {
+  title = "example title"
+  key   = file("~/.ssh/id_rsa.pub")
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `title` - (Required) A descriptive name for the new key. e.g. `Personal MacBook Air`
+* `key` - (Required) The public SSH signing key to add to your GitHub account.
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `id` - The ID of the SSH signing key
+
+## Import
+
+SSH signing keys can be imported using their ID e.g.
+
+```
+$ terraform import github_user_ssh_signing_key.example 1234567
+```

website/github.erb

@@ -451,6 +451,9 @@
             <li>
               <a href="/docs/providers/github/r/user_ssh_key.html">github_user_ssh_key</a>
             </li>
+            <li>
+              <a href="/docs/providers/github/r/user_ssh_signing_key.html">github_user_ssh_signing_key</a>
+            </li>
           </ul>
         </li>
       </ul>