terraform-provider-tfe

create tfe_workspace 'repository doesn't exist or isn't accessible' error (vcs github app use)

Open itjobs-levi opened this issue 2 years ago • 5 comments

Terraform Cloud/Enterprise version

tfe - 0.43.0

Terraform version

1.4.5

Terraform Configuration Files

resource "tfe_workspace" "workspace" {
  name                          = "test"
  description                   = "test"
  organization                  = "test"
  auto_apply                    = false
  execution_mode                = "remote"
  file_triggers_enabled         = true
  global_remote_state           = false
  project_id                    = "test"
  queue_all_runs                = true
  speculative_enabled           = false
  structured_run_output_enabled = true
  terraform_version             = "1.4.5"
  working_directory             = "test/"
  vcs_repo {
    identifier                 = "team/repo"
    branch                     = "main"
    github_app_installation_id = "ghain-blahblah"
  }
  force_delete = false
}

Debug Output

2023-04-19T13:30:00.656Z [DEBUG] provider.terraform-provider-tfe_v0.43.0_x5: {
2023-04-19T13:30:00.656Z [DEBUG] provider.terraform-provider-tfe_v0.43.0_x5:  "errors": [
2023-04-19T13:30:00.656Z [DEBUG] provider.terraform-provider-tfe_v0.43.0_x5:   {
2023-04-19T13:30:00.656Z [DEBUG] provider.terraform-provider-tfe_v0.43.0_x5:    "status": "422",
2023-04-19T13:30:00.656Z [DEBUG] provider.terraform-provider-tfe_v0.43.0_x5:    "title": "invalid attribute",
2023-04-19T13:30:00.656Z [DEBUG] provider.terraform-provider-tfe_v0.43.0_x5:    "detail": "Repository doesn't exist or isn't accessible",
2023-04-19T13:30:00.656Z [DEBUG] provider.terraform-provider-tfe_v0.43.0_x5:    "source": {
2023-04-19T13:30:00.656Z [DEBUG] provider.terraform-provider-tfe_v0.43.0_x5:     "pointer": "/data/attributes/repository"
2023-04-19T13:30:00.656Z [DEBUG] provider.terraform-provider-tfe_v0.43.0_x5:    }
2023-04-19T13:30:00.656Z [DEBUG] provider.terraform-provider-tfe_v0.43.0_x5:   }
2023-04-19T13:30:00.656Z [DEBUG] provider.terraform-provider-tfe_v0.43.0_x5:  ]
2023-04-19T13:30:00.656Z [DEBUG] provider.terraform-provider-tfe_v0.43.0_x5: }
2023-04-19T13:30:00.656Z [DEBUG] provider.terraform-provider-tfe_v0.43.0_x5: -----------------------------------------------------
2023-04-19T13:30:00.656Z [TRACE] provider.terraform-provider-tfe_v0.43.0_x5: Called downstream: tf_resource_type=tfe_workspace @caller=github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:838 tf_req_id=9669d159-5d55-a4dc-4a23-9a4405f135ee @module=sdk.helper_schema tf_provider_addr=registry.terraform.io/hashicorp/tfe tf_rpc=ApplyResourceChange timestamp=2023-04-19T13:30:00.655Z
2023-04-19T13:30:00.656Z [TRACE] provider.terraform-provider-tfe_v0.43.0_x5: Received downstream response: @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/tf5serverlogging/downstream_request.go:37 diagnostic_error_count=1 diagnostic_warning_count=0 tf_proto_version=5.3 tf_provider_addr=registry.terraform.io/hashicorp/tfe tf_req_duration_ms=98 tf_resource_type=tfe_workspace @module=sdk.proto tf_req_id=9669d159-5d55-a4dc-4a23-9a4405f135ee tf_rpc=ApplyResourceChange timestamp=2023-04-19T13:30:00.655Z
2023-04-19T13:30:00.656Z [ERROR] provider.terraform-provider-tfe_v0.43.0_x5: Response contains error diagnostic: tf_proto_version=5.3 tf_provider_addr=registry.terraform.io/hashicorp/tfe @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/diag/diagnostics.go:55 diagnostic_detail= diagnostic_severity=ERROR tf_rpc=ApplyResourceChange @module=sdk.proto diagnostic_summary="Error creating workspace audit-prod-secportal for organization blahblah: invalid attribute

Repository doesn't exist or isn't accessible" tf_req_id=9669d159-5d55-a4dc-4a23-9a4405f135ee tf_resource_type=tfe_workspace timestamp=2023-04-19T13:30:00.655Z
2023-04-19T13:30:00.657Z [TRACE] provider.terraform-provider-tfe_v0.43.0_x5: Served request: tf_proto_version=5.3 tf_resource_type=tfe_workspace tf_rpc=ApplyResourceChange @module=sdk.proto tf_provider_addr=registry.terraform.io/hashicorp/tfe tf_req_id=9669d159-5d55-a4dc-4a23-9a4405f135ee @caller=github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:831 timestamp=2023-04-19T13:30:00.655Z
2023-04-19T13:30:00.657Z [TRACE] maybeTainted: module.audit-prod-secportal.tfe_workspace.workspace encountered an error during creation, so it is now marked as tainted
2023-04-19T13:30:00.657Z [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for module.audit-prod-secportal.tfe_workspace.workspace
2023-04-19T13:30:00.657Z [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: removing state object for module.audit-prod-secportal.tfe_workspace.workspace
2023-04-19T13:30:00.657Z [TRACE] evalApplyProvisioners: module.audit-prod-secportal.tfe_workspace.workspace is tainted, so skipping provisioning
2023-04-19T13:30:00.657Z [TRACE] maybeTainted: module.audit-prod-secportal.tfe_workspace.workspace was already tainted, so nothing to do
2023-04-19T13:30:00.657Z [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for module.audit-prod-secportal.tfe_workspace.workspace
2023-04-19T13:30:00.657Z [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: removing state object for module.audit-prod-secportal.tfe_workspace.workspace
2023-04-19T13:30:00.657Z [ERROR] vertex "module.audit-prod-secportal.tfe_workspace.workspace" error: Error creating workspace audit-prod-secportal for organization blahblah: invalid attribute

Repository doesn't exist or isn't accessible

Expected Behavior

A workspace should be created with the github repository connected.

Actual Behavior

error...

Additional Context

I'm now guessing the cause of the problem is as below.
Currently I am using github_app_installation_id.
When creating a workspace using github app vcs, it seems that github connection cannot be made. Please let me know if this feature is not supported!

I'm trying to connect vcs with github oauth below.
oauth_token_id

itjobs-levi, Apr 19 '23 13:04

I am part of the github team and have access to the terraform repository. There seems to be no problem with vcs integration through the Github app. (There is no problem in creating the vcs workspace in the web ui)

itjobs-levi, Apr 19 '23 14:04

We have been experiencing the same issue in recent days.

  • We are NOT using the OAuth based VCS connection approach (oauth_token_id)
  • We are using the Hashicorp/Terraform GitHub app to handle auth on behalf of the org via the github_app_installation_id.

We use Agents for our runs and have AllowListed all of our agents that handle runs. This is working perfectly fine for existing workspaces; it just seems to be affecting NEW workspace creations. This is only happening in recent days since we updated to the 0.43.0 version of TFE terraform provider.

I filed a separate bug with more color for our situation, which differs a bit: https://github.com/hashicorp/terraform-provider-tfe/issues/854

wchrisjohnson, Apr 19 '23 15:04

#854 had the fix for me too. Reposting @wchrisjohnson here because I think it's not clear from the provider documentation how to properly use the github_app_installation_id and what that ID represents to TFC.

I had mistakenly set an Owner team token here. The way the new Terraform GitHub app works, the permissions of an individual user are passed thru when TFC talks to GitHub. This token needs to be associated with a user, any user, that has rights to interact with whatever GitHub repo(s) necessary for the Terraform in this repo to function. Once I updated this token to a fresh personal token from my TFC account, it worked.

The key is that when using the API, the API controller looks up the github app installation ID as a resource constrained to the user authorized by the API token. A different User token won't work, nor will an Owner token. You must find the github app installation ID on the User Settings > Tokens page and create a User token on that same page, and provide both credentials to tfe provider and the tfe_workspace resource respectively.

Or else you get the useless API response that the repo doesn't exist, not the true information that it doesn't have permission to read the referenced github app installation record in terraform cloud.

edit for emphasis

To manage the full selection of resources, provide a user token from an account with appropriate permissions. This user should belong to the "owners" team of every organization you wish to manage.

This part of the documentation may be unclear. It is unclear because it is not only necessary to provide such an 'owner's user token, but also that selfsame user must have the github_app_installation_id which you intend to use on your tfe_workspace resource on their User Settings > Tokens page.

carl-reverb, May 12 '23 14:05
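An added example, not part of the thread or the provider's code: a preflight check for the condition described in the comment above, reporting whether the token is a user token and whether it can see the intended github_app_installation_id before a tfe_workspace apply fails with the misleading 422. The `/account/details` and `/github-app/installations` paths, the `is-service-account` attribute and the response shapes are assumptions about the TFC API v2; the sample responses and IDs are constructed.

```python
import json
import os
import sys
import urllib.request

# Assumption: Terraform Cloud host; Terraform Enterprise uses its own hostname.
API = "https://app.terraform.io/api/v2"

# Constructed sample responses (JSON:API shape assumed, IDs are made up).
WANTED = "ghain-EXAMPLE0000000001"
USER_ACCOUNT = {"data": {"id": "user-EXAMPLE", "type": "users",
                "attributes": {"username": "alice", "is-service-account": False}}}
TEAM_ACCOUNT = {"data": {"id": "user-EXAMPLE2", "type": "users",
                "attributes": {"username": "api-team_EXAMPLE", "is-service-account": True}}}
USER_INSTALLATIONS = {"data": [{"id": WANTED, "type": "github-app-installations",
                      "attributes": {"name": "example-org"}}]}


def fetch(path, token, base=API):
    """GET one JSON:API document with the given token (live use only)."""
    req = urllib.request.Request(base + path, headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/vnd.api+json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def diagnose(account, installations, wanted_id):
    """Return the reasons this token cannot use wanted_id; empty list means OK."""
    problems = []
    attrs = account.get("data", {}).get("attributes", {})
    if attrs.get("is-service-account"):
        problems.append("token is a team/organization service account, not a user token")
    visible = sorted(item.get("id", "") for item in installations.get("data", []))
    if wanted_id not in visible:
        problems.append(f"{wanted_id} is not visible to this token (visible: {visible})")
    return problems


if __name__ == "__main__":
    # Usage: TFE_TOKEN=... python preflight.py ghain-...
    token = os.environ["TFE_TOKEN"]
    found = diagnose(fetch("/account/details", token),
                     fetch("/github-app/installations", token), sys.argv[1])
    print("\n".join(found) or "token can see the installation")
    sys.exit(1 if found else 0)
```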

@itjobs-levi perhaps the documentation should clarify that the VCS repository must exist and be accessible prior to the workspace creation?

FlorentATo, May 18 '23 16:05

The documentation was adequate, but the error message didn't make sense to me :) I am using it through github oauth app just fine. When using the github app, it was very difficult to track down why the problem occurred.

itjobs-levi, May 19 '23 01:05