fix(repository): migrate vulnerability_alerts to dedicated resource #34
The integrations/github provider deprecated the `vulnerability_alerts` attribute on `github_repository` in favor of the `github_repository_vulnerability_alerts` resource, which emitted a "Deprecated value used" warning from the module output. Manage vulnerability alerts through the dedicated resource instead and read the module's `vulnerability_alerts` output from it. The module's public interface (the `vulnerability_alerts` input/output) is unchanged.
Code Review
This pull request refactors the GitHub repository module to manage vulnerability alerts using a separate github_repository_vulnerability_alerts resource instead of the inline argument on github_repository. However, the new resource does not support an enabled argument or attribute. The feedback suggests conditionally creating the resource using the count meta-argument and updating the output accordingly to prevent Terraform evaluation errors.
| resource "github_repository_vulnerability_alerts" "this" { | ||
| repository = github_repository.this.name | ||
| enabled = var.vulnerability_alerts | ||
| } |
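Review bot: `enabled = var.vulnerability_alerts` makes the variable's default decide whether Dependabot alerts are on for every repository built from this module, and that default is not visible in this hunk. Confirm the default is `true`, or say in the variable's description that a `false` default means a consumer who omits the input gets alerts explicitly disabled. For repositories already in state this resource is new, so the plan will show a create; the PR description's optional `terraform import` step is worth carrying into the module README.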
The github_repository_vulnerability_alerts resource in the GitHub provider does not support an enabled argument. To conditionally enable or disable vulnerability alerts, you should use the count meta-argument to conditionally create the resource based on var.vulnerability_alerts.
```hcl
resource "github_repository_vulnerability_alerts" "this" {
  count      = var.vulnerability_alerts ? 1 : 0
  repository = github_repository.this.name
}
```
| output "vulnerability_alerts" { | ||
| description = "Whether the security alerts are enabled for vulnerable dpendencies." | ||
| value = github_repository.this.vulnerability_alerts | ||
| value = github_repository_vulnerability_alerts.this.enabled |
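Review bot: The new `value` line references `github_repository_vulnerability_alerts.this.enabled` without an index, so it only evaluates while the resource stays unconditional in the module; if the resource ever gains `count` or `for_each`, this output has to change in the same commit. The `description` string on the line above it also contains a typo, "dpendencies" for "dependencies", which is worth fixing while this output is being edited.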
Since the github_repository_vulnerability_alerts resource does not have an enabled attribute, and should be conditionally created using count, referencing github_repository_vulnerability_alerts.this.enabled directly will result in a Terraform evaluation error. Instead, you can check if the resource is created by checking the length of the resource list.
```hcl
value = length(github_repository_vulnerability_alerts.this) > 0
```
…ENDABOT_ALERTS" Replace the dedicated `vulnerability_alerts` boolean variable with a `DEPENDABOT_ALERTS` entry in the `features` set, matching how other repository features (DISCUSSIONS, ISSUES, PROJECTS, WIKI) are toggled. The `github_repository_vulnerability_alerts` resource is now driven by `contains(var.features, "DEPENDABOT_ALERTS")`.
With the toggle folded into the features set, the standalone vulnerability_alerts output is no longer needed.
Summary
The `integrations/github` provider deprecated the `vulnerability_alerts` attribute on the `github_repository` resource in favor of the dedicated `github_repository_vulnerability_alerts` resource. Reading it in the module output produced:

This PR migrates to the dedicated resource and, while at it, reworks the module input.

Changes
- `vulnerability_alerts` from the `github_repository` resource.
- `github_repository_vulnerability_alerts.this` resource (manages Dependabot alerts for vulnerable dependencies).
- `vulnerability_alerts` input variable; the toggle is now a `DEPENDABOT_ALERTS` entry in the existing `features` set, consistent with the other feature toggles (`DISCUSSIONS`, `ISSUES`, `PROJECTS`, `WIKI`). The resource is driven by `contains(var.features, "DEPENDABOT_ALERTS")`.
- `vulnerability_alerts` output (now sourced from the new resource's `enabled`).

The `vulnerability_alerts` input is removed. Consumers migrate as:

State migration note
Because alerts now live in a separate resource, the next `terraform apply` drops the attribute from `github_repository.this` and creates `github_repository_vulnerability_alerts.this` — same underlying GitHub setting, no functional change. Optionally `terraform import github_repository_vulnerability_alerts.this <repo-name>` to avoid the recreate.

`terraform validate` passes; the targeted deprecation warning is gone.