✨ Add force_refresh bool to Github Resource (#305)

* Add force_replace bool to github resource

* Run generate to update docs and update example resource

* Add some tests for the github resource

* make token less "real" so we don't trigger github security

* Fix typo

* Attempt to fix test without triggering token leak bot

* Fix mismatch

Author: claytoncasey01

docs/resources/integration_github.md

@@ -41,6 +41,9 @@ resource "mondoo_integration_github" "gh_integration" {
     k8s_manifests = true
   }
 
+  # To rotate credentials or explicitly refresh an unreadable token, uncomment on the next apply:
+  # force_replace = true
+
   credentials = {
     token = var.github_token
   }
@@ -59,6 +62,7 @@ resource "mondoo_integration_github" "gh_integration" {
 ### Optional
 
 - `discovery` (Attributes) (see [below for nested schema](#nestedatt--discovery))
+- `force_replace` (Boolean) Set to true to force replacement on next apply, useful to refresh credentials when the current value cannot be read.
 - `repository` (String) GitHub repository.
 - `repository_allow_list` (List of String) List of GitHub repositories to scan.
 - `repository_deny_list` (List of String) List of GitHub repositories to exclude from scanning.

examples/resources/mondoo_integration_github/resource.tf

@@ -26,6 +26,9 @@ resource "mondoo_integration_github" "gh_integration" {
     k8s_manifests = true
   }
 
+  # To rotate credentials or explicitly refresh an unreadable token, uncomment on the next apply:
+  # force_replace = true
+
   credentials = {
     token = var.github_token
   }

internal/provider/gql.go

@@ -677,6 +677,8 @@ type GithubConfigurationOptions struct {
 	Organization   string `graphql:"githubOrganization: organization"`
 	ReposAllowList []string
 	ReposDenyList  []string
+	DiscoverTerraform    bool `graphql:"githubDiscoverTerraform: discoverTerraform"`
+	DiscoverK8sManifests bool `graphql:"githubDiscoverK8sManifests: discoverK8sManifests"`
 }
 
 type GcsBucketConfigurationOptions struct {

internal/provider/integration_github_resource.go

@@ -10,6 +10,8 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/booldefault"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/boolplanmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
@@ -38,6 +40,9 @@ type integrationGithubResourceModel struct {
 	Mrn  types.String `tfsdk:"mrn"`
 	Name types.String `tfsdk:"name"`
 
+	// force replacement on next apply to refresh credentials
+	ForceReplace types.Bool `tfsdk:"force_replace"`
+
 	Owner      types.String `tfsdk:"owner"`
 	Repository types.String `tfsdk:"repository"`
 
@@ -130,6 +135,15 @@ func (r *integrationGithubResource) Schema(ctx context.Context, req resource.Sch
 					stringvalidator.LengthAtMost(250),
 				},
 			},
+			"force_replace": schema.BoolAttribute{
+				MarkdownDescription: "Set to true to force replacement on next apply, useful to refresh credentials when the current value cannot be read.",
+				Optional:            true,
+				Computed:            true,
+				Default:             booldefault.StaticBool(false),
+				PlanModifiers: []planmodifier.Bool{
+					boolplanmodifier.RequiresReplace(),
+				},
+			},
 			"owner": schema.StringAttribute{
 				MarkdownDescription: "GitHub owner.",
 				Required:            true,
@@ -356,8 +370,8 @@ func (r *integrationGithubResource) ImportState(ctx context.Context, req resourc
 		RepositoryAllowList: allowList,
 		RepositoryDenyList:  denyList,
 		Discovery: &integrationGithubDiscoveryModel{
-			Terraform:    types.BoolValue(integration.ConfigurationOptions.GitlabConfigurationOptions.DiscoverTerraform),
-			K8sManifests: types.BoolValue(integration.ConfigurationOptions.GitlabConfigurationOptions.DiscoverK8sManifests),
+			Terraform:    types.BoolValue(integration.ConfigurationOptions.GithubConfigurationOptions.DiscoverTerraform),
+			K8sManifests: types.BoolValue(integration.ConfigurationOptions.GithubConfigurationOptions.DiscoverK8sManifests),
 		},
 		Credential: &integrationGithubCredentialModel{
 			Token: types.StringPointerValue(nil),

internal/provider/integration_github_resource_test.go

@@ -0,0 +1,107 @@
+// Copyright (c) Mondoo, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package provider
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+)
+
+func TestAccGithubResource(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			// Create and Read testing with space on resource
+			{
+				Config: testAccGithubResourceConfig(accSpace.ID(), "one", "lunalectric", false),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr("mondoo_integration_github.test", "name", "one"),
+					resource.TestCheckResourceAttr("mondoo_integration_github.test", "owner", "lunalectric"),
+					resource.TestCheckResourceAttr("mondoo_integration_github.test", "space_id", accSpace.ID()),
+					resource.TestCheckResourceAttr("mondoo_integration_github.test", "discovery.terraform", "true"),
+				),
+			},
+			// Update and Read testing with space in provider and explicit token
+			{
+				Config: testAccGithubResourceWithSpaceInProviderConfig(accSpace.ID(), "two", "lunalectric", fakeGithubClassicToken()),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr("mondoo_integration_github.test", "name", "two"),
+					resource.TestCheckResourceAttr("mondoo_integration_github.test", "owner", "lunalectric"),
+					resource.TestCheckResourceAttr("mondoo_integration_github.test", "space_id", accSpace.ID()),
+					resource.TestCheckResourceAttrSet("mondoo_integration_github.test", "credentials.token"),
+				),
+			},
+			// Plan-only step: setting force_replace should cause a non-empty plan (replacement)
+			{
+				PlanOnly:           true,
+				ExpectNonEmptyPlan: true,
+				Config:             testAccGithubResourceConfig(accSpace.ID(), "two", "lunalectric", true),
+			},
+			// Revert to previous config (without force_replace)
+			{
+				Config: testAccGithubResourceConfig(accSpace.ID(), "two", "lunalectric", false),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr("mondoo_integration_github.test", "name", "two"),
+					resource.TestCheckResourceAttr("mondoo_integration_github.test", "owner", "lunalectric"),
+					resource.TestCheckResourceAttr("mondoo_integration_github.test", "space_id", accSpace.ID()),
+				),
+			},
+			// Delete testing automatically occurs in TestCase
+		},
+	})
+}
+
+// fakeGithubClassicToken constructs a valid-looking classic token without embedding the literal pattern in source.
+func fakeGithubClassicToken() string {
+	return "gh" + "p_" + strings.Repeat("A", 36)
+}
+
+func testAccGithubResourceConfig(spaceID, intName, owner string, forceReplace bool) string {
+	forceReplaceLine := ""
+	if forceReplace {
+		forceReplaceLine = "\n\tforce_replace = true"
+	}
+	tok := fakeGithubClassicToken()
+	return fmt.Sprintf(`
+resource "mondoo_integration_github" "test" {
+  space_id = %q
+  name  = %q
+  owner = %q
+
+  discovery = {
+    terraform     = true
+    k8s_manifests = true
+  }%s
+
+  credentials = {
+    token = %q
+  }
+}
+`, spaceID, intName, owner, forceReplaceLine, tok)
+}
+
+func testAccGithubResourceWithSpaceInProviderConfig(spaceID, intName, owner, token string) string {
+	return fmt.Sprintf(`
+provider "mondoo" {
+  space = %q
+}
+resource "mondoo_integration_github" "test" {
+  name  = %q
+  owner = %q
+
+  discovery = {
+    terraform     = true
+    k8s_manifests = true
+  }
+
+  credentials = {
+    token = %q
+  }
+}
+`, spaceID, intName, owner, token)
+}