github_repository_environment - Provider produced inconsistent result after apply

[giulianozor]

I am on a free github plan, repo is public

Terraform Version

Terraform v1.0.0
on darwin_amd64
+ provider registry.terraform.io/integrations/github v4.12.0

Affected Resource(s)

github_repository_environment

Terraform Configuration Files

locals  {
environments_list_expanded = {
     test1.DEV = {repo ="test1", code="DEV",name="Development"}},
     test1.PROD = {repo ="test1", code="PROD",name="Production"}},
     test2.DEV = {repo ="test2", code="DEV",name="Development"}},
     test2.PROD = {repo ="test2", code="PROD",name="Production"}}
  }
}



resource "github_repository_environment" "environments" {
  for_each = local.environments_list_expanded
  environment   = each.value.name
  repository    = var.repo_name
  wait_timer = 10

  reviewers {
    users = [ var.user_id ]
  }

  deployment_branch_policy {
    protected_branches          = true
    custom_branch_policies      = false
  }
}

Debug Output

│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to
│ github_repository_environment.environments["test2.DEV"], provider
│ "provider[\"registry.terraform.io/integrations/github\"]" produced an
│ unexpected new value: Root resource was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

Expected Behavior

No error at all

Actual BehaviorUser was added to the reviewers, but terraform exited with the error above

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform apply (without reviewers) > that runs fine
2. terraform apply (after adding the reviewers in the cconfig) > that gives the error

Update: It seems the error happens only from the 2nd apply. I have to destroy and apply and everything works fine

References

I have seen fixes for other resources in the past, but not tor this resource

[eerkunt]

We are experiencing exactly the same problem. Even after the resource is destroyed by terraform, the problem still occurs.

[JustinYeoh93]

Experiencing the same thing. Specifically at the reviewers argument in the resource github_repository_environment.

Terraform Configuration FIles

resource "github_repository_environment" "production_environment" {
  environment = "Production Environment"
  repository  = github_repository.repository.name
  reviewers {
    teams = var.prod_deploy_review_teams
    users = var.prod_deploy_review_users
  }
  deployment_branch_policy {
    protected_branches     = true
    custom_branch_policies = false
  }
}

After running terraform apply -auto-approve for the first time, terraform says it has successfully created the resources. However, when you check GitHub's environments, the required reviewers is checked but the users and teams are not added to the reveiwers list.

Now, when you run terraform apply -auto-approve the second time, the error as the author post suggested occur.

Error: Provider produced inconsistent result after apply

When applying changes to
module.webapp-repository.github_repository_environment.production_environment,
provider "registry.terraform.io/integrations/github" produced an unexpected
new value: Root resource was present, but now absent.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

However, if you check GitHub again, the reviewers are now properly added into the environment.

Now, if you run terraform apply -auto-approve a third time. No errors occur with a message saying that there are no infrastructure changes.

---

EDIT

If I were to put in the argument depends_on and ensure that the teams that are to review the system be created before adding them as reviewer, then this error would not occur. I'm not sure if this is related to the above.

Essentially, from:

resource "github_repository" "repository" {
  name                   = var.name
  description            = var.description
}

resource "github_team_repository" "repository_teams" {
  repository = github_repository.repository.name
  team_id    = var.team_id
  permission = "push"
}


resource "github_repository_environment" "environment" {
  environment = "some-environment"
  repository  = github_repository.repository.name
  reviewers {
    teams = [github_team_repository.repository_teams.team_id]
  }
  deployment_branch_policy {
    protected_branches     = true
    custom_branch_policies = false
  }
  depends_on = [
    github_team_repository.repository_teams,
  ]
}

I feel this might have some relation, so dropping it here.

EDIT Never mind. Despite my depends_on above, it still fails on me if I were to update an existing resource as per the below comments.

[Irindul]

We are experiencing the same kind of problem. When adding the reviewers, only the first team in our list is added. The subsequent terraform apply produces the error. No matter how many time we call it, we still have the error.

[gilfthde]

With the depends_on workaround mentioned by @JustinYeoh93 it works for me if I create all involved resources at once.

But if I try to add a reviewers team to an existing github_repository_environment it requires two terraform applyruns:

• The first run throws the mentioned error but applies the desired changes.
• The second run then syncs the state with the infrastructure.

However any try to remove a team does not recover. The first terraform apply run again applies the changes but thows the error:

Terraform will perform the following actions:

  # module.repo.github_repository_environment.dev will be updated in-place
  ~ resource "github_repository_environment" "dev" {
        id          = "repo:dev"
        # (2 unchanged attributes hidden)


      - reviewers {
          - teams = [
              - 22,
            ] -> null
          - users = [] -> null
        }
        # (1 unchanged block hidden)
    }

Any subsequent terraform apply run tries to remove the reviewers again and the error persists:

Error: Provider produced inconsistent result after apply

When applying changes to module.repo.github_repository_environment.dev, provider "provider[\"registry.terraform.io/integrations/github\"]" produced an unexpected new value: Root resource was present, but now absent.

[orionCook]

We're also experiencing the same problem. We can't use the workaround with the depends_on at this point in time, so using this provider is blocking our progress.

[sdickhoven]

is this going to get fixed anytime soon?

we've been using the following workaround but that's obviously not great for making changes:

resource "github_repository_environment" "foo" {
  ...
  lifecycle {
    ignore_changes = [reviewers]
  }
}

[github-actions[bot]]

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!

[giulianozor]

After 20 months, I suppose this will never be fixed :(

[giulianozor]

32 months and 2 weeks bump... any news about this ?

thanks

[giulianozor]

happy third anniversary!

[tiagoasousa]

any update on this?

[jmcclell]

Just ran into this issue. 3 years running, nice! 😆 Seems like it isn't a prio for the maintainers – someone from the community is probably going to have to look into it. 🤷🏻‍♂️

[Garethgr]

I've just run into this same problem now myself. Has there been no fixes for this? Terraform looks like its going to add the teams/users as reviewers and the GH interface has none listed at all

[meridius]

It happens intermittently for me too on v6.6.0. Even though i DON'T get the "Provider produced inconsistent result after apply" error.

In my case the Terraform produces the following output when creating the repo and repo env (only relevant lines):

  # module.repository["customer-tracking-service"].github_repository.this will be created
  + resource "github_repository" "this" {
    ...
    }

  # module.repository["customer-tracking-service"].github_repository_environment.this["production"] will be created
  + resource "github_repository_environment" "this" {
      + can_admins_bypass   = true
      + environment         = "production"
      + id                  = (known after apply)
      + prevent_self_review = false
      + repository          = "customer-tracking-service"

      + deployment_branch_policy {
          + custom_branch_policies = true
          + protected_branches     = false
        }

      + reviewers {
          + teams = [
              + 1234,
            ]
        }
    }

Plan: 18 to add, 0 to change, 0 to destroy.

module.repository["customer-tracking-service"].github_repository_environment.this["production"]: Creating...
module.repository["customer-tracking-service"].github_repository_environment.this["production"]: Still creating... [00m10s elapsed]
module.repository["customer-tracking-service"].github_repository_environment.this["production"]: Creation complete after 15s [id=customer-tracking-service:production]

Apply complete! Resources: 18 added, 0 changed, 0 destroyed.

Even after this output the "Required reviewers" checkbox is checked, but there aren't any actual reviewers selected (contrary to what the TF output says).

This is even confirmed by the Audit log when the env was changed by the user afterwards:

approvers     [{"team" => "myorg/customer-tracking_sysowner", "team_id" => 1234}]
approvers_was []