github_repository_environment : Not using the owner value to generate PUT url

[Xusifob]

Terraform Version

v1.2.6

Affected Resource(s)

• github_repository
• github_repository_environment

Terraform Configuration Files

resource "github_repository_environment" "repo_environment" {
  repository       = "my-org/repo"
  environment      = "example_environment"
}

resource "github_actions_environment_secret" "test_secret" {
  repository       = "my-org/repo"
  environment      = github_repository_environment.repo_environment.environment
  secret_name      = "test_secret_name"
  plaintext_value  = "%s"
}

My provider is parametered with the following :

provider "github" {
  token   = xxxx
  owner = "my-org"
}

Debug Output

Please provide a link to a GitHub Gist containing the complete debug output: https://www.terraform.io/docs/internals/debugging.html. Please do NOT paste the debug output in the issue; just paste a link to the Gist.

Expected Behavior

It should have worked for the 'plan' phase

Actual Behavior

It crashes creating the url, "https://api.github.com/repos//my-org/repo/environments/staging". It looks like it does not load the organisation name inside the url (as you can see a double slash"

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. Copy and paste the code from the documentation "Exemple usage" : https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret
2. terraform plan

Important Factoids

I copy pasted the code from the documentation, it should have crashed later, during the "apply" phase, not during the plan

[lukas-schmitt-otto]

is there any update on this?

[Xusifob]

I've got to try it with the latest version, but I did not get any news from this so far

[sandrom]

this still doesnt work and makes this function pretty much unusable. any update on when this may be fixed?

[kfcampbell]

@sandrom unfortunately our SDK team doesn't have the bandwidth at the moment to take up this work, though PRs are always appreciated!

[Xusifob]

Hi there, any news on this issue ?

[BenJackGill]

I also ran into this today when running locally on my machine. My error is similar, but this time it repeats the org.

Using this:

# Create a Github Environment
resource "github_repository_environment" "main" {
  provider    = github
  repository  = "my-org/my-repo"
  environment = var.environment_name

  deployment_branch_policy {
    protected_branches     = true
    custom_branch_policies = false
  }
}

Will result in this error:

│ Error: PUT https://api.github.com/repos/my-org/my-org/my-repo/environments/staging: 404 Not Found []
│
│   with module.github.github_repository_environment.main,
│   on github/main.tf line 11, in resource "github_repository_environment" "main":
│   11: resource "github_repository_environment" "main" {

Notice that the org is included twice in the URL.

To avoid repeating the org I changed the repository argument from my-org/my-repo to my-repo and that works. But it does not follow what I expected is required of the repository argument.

The above was run locally on my own machine.

[BenJackGill]

Ran into this again today, this time in a Github Actions CI/CD workflow.

Error: PUT https://api.github.com/repos//my-org/my-repo/environments/staging: 404 Not Found []

So it seems that when running locally it will add too many orgs and when running in Github Actions CI/CD it doesn't load the org name correctly (double slash) as first pointed out by @Xusifob .

I already gave a workaround for local runs in my last update but does anyone have a workaround for Github Actions CI/CD?

[BenJackGill]

Found a workaround!

For the example below imagine your repo's full name is my-org/my-repo.

1. The provider must have owner field set to my-org

provider "github" {
  token = var.github_token
  owner = "my-org"
}

2. The github_repository_environment should only use my-repo. Do not use the normal my-org/my-repo format.

resource "github_repository_environment" "main" {
  repository  = "my-repo"
  environment = "staging"
}

3. The github_actions_environment_secret should only use my-repo. Do not use the normal my-org/my-repo format.

resource "github_actions_environment_secret" "main" {
  repository       = "my-repo"
  environment      = github_repository_environment.main.environment
  secret_name      = "test_secret_name"
  plaintext_value  = "test_secret_value"
}

This should produce a URL such as https://api.github.com/repos/my-org/my-repo/environments/staging.

Note: This is clearly a bug that still needs addressing but I hope the above works for now.

[kir4h]

TL;DR

Current version of the provider is functional, its behaviour matches the documentation; so IMO no longer a bug (cc @kfcampbell ).

Explanation

I was confused by @BenJackGill ´s workaround, as I initially tried that and it didn´t work (produced the double slash in path described).

So I gave it another go, and the "workaround" didn´t work for me initially. I upgraded the provider version (v5.29 to the latest v5.x) and it worked as expected.

Taking a look at the docs, the documentation uses github_repository_.example.name which represents the repository name without the org. This means that the behaviour matches the docs and this is no longer a bug on current version (was fixed at some point between 5.29 and 5.45, I haven´t digged deeper into it)

resource "github_repository" "example" {
  name         = "A Repository Project"
  description  = "My awesome codebase"
}

resource "github_repository_environment" "example" {
  environment  = "example"
  repository   = github_repository.example.name
  reviewers {
    users = [data.github_user.current.id]
  }
  deployment_branch_policy {
    protected_branches          = true
    custom_branch_policies = false
  }
}

[kfcampbell]

Hmm...I haven't found a commit that looks like it could explain this in my brief sleuthing so far. @kir4h thanks for the investigation, I'll close this for now. Please let me know if you do find a smoking gun or if this reoccurs, I'm interested!

[Xusifob]

I still have the same issue on my tests.

This is my code :

data "github_repository" "repo" {
  full_name = "${local.organization}/${local.repository}"
}

resource "github_repository_environment" "repo_environment" {
  repository  = data.github_repository.repo.name
  environment = local.environment
}

resource "github_actions_environment_secret" "environment_secret" {
  for_each        = local.secrets
  repository      = data.github_repository.repo.name
  environment     = github_repository_environment.repo_environment.environment
  secret_name     = each.key
  plaintext_value = each.value
}

resource "github_actions_environment_variable" "environment_variable" {
  for_each        = local.secrets
  repository      = data.github_repository.repo.name
  environment     = github_repository_environment.repo_environment.environment
  value           = each.value
  variable_name   = each.key
}

I think the issue comes from this part :

data "github_repository" "repo" {
  full_name = "${local.organization}/${local.repository}"
}

As this is my error : with module.webapp.module.secret_keys.github_repository_environment.repo_environment, │ on ../../components/github_secrets/main.tf line 6, in resource "github_repository_environment" "repo_environment": │ 6: repository = data.github_repository.repo.name │ │ The argument "repository" is required, but no definition was found.

[kir4h]

I still have the same issue on my tests.

I copy pasted your code, filling it with the missing locals

locals {
  organization = "kir4h"
  repository = "test-github-terraform"
  environment = "test"
  secrets = {
    myvar1 = "myvalue1"
  }
}

data "github_repository" "repo" {
  full_name = "${local.organization}/${local.repository}"
}

resource "github_repository_environment" "repo_environment" {
  repository  = data.github_repository.repo.name
  environment = local.environment
}

resource "github_actions_environment_secret" "environment_secret" {
  for_each        = local.secrets
  repository      = data.github_repository.repo.name
  environment     = github_repository_environment.repo_environment.environment
  secret_name     = each.key
  plaintext_value = each.value
}

resource "github_actions_environment_variable" "environment_variable" {
  for_each        = local.secrets
  repository      = data.github_repository.repo.name
  environment     = github_repository_environment.repo_environment.environment
  value           = each.value
  variable_name   = each.key
}

Apply worked as expected

data.github_repository.repo: Refreshing state...

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # github_actions_environment_secret.environment_secret["myvar1"] will be created
  + resource "github_actions_environment_secret" "environment_secret" {
      + created_at      = (known after apply)
      + environment     = "test"
      + id              = (known after apply)
      + plaintext_value = (sensitive value)
      + repository      = "test-github-terraform"
      + secret_name     = "myvar1"
      + updated_at      = (known after apply)
    }

  # github_actions_environment_variable.environment_variable["myvar1"] will be created
  + resource "github_actions_environment_variable" "environment_variable" {
      + created_at    = (known after apply)
      + environment   = "test"
      + id            = (known after apply)
      + repository    = "test-github-terraform"
      + updated_at    = (known after apply)
      + value         = "myvalue1"
      + variable_name = "myvar1"
    }

  # github_repository_environment.repo_environment will be created
  + resource "github_repository_environment" "repo_environment" {
      + can_admins_bypass   = true
      + environment         = "test"
      + id                  = (known after apply)
      + prevent_self_review = false
      + repository          = "test-github-terraform"
    }

Plan: 3 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

github_repository_environment.repo_environment: Creating...
github_repository_environment.repo_environment: Creation complete after 1s [id=test-github-terraform:test]
github_actions_environment_secret.environment_secret["myvar1"]: Creating...
github_actions_environment_variable.environment_variable["myvar1"]: Creating...
github_actions_environment_variable.environment_variable["myvar1"]: Creation complete after 4s [id=test-github-terraform:test:myvar1]
github_actions_environment_secret.environment_secret["myvar1"]: Creation complete after 4s [id=test-github-terraform:test:myvar1]

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.

Tried with current provider version and with a 5.x one just in case, both are ok.

$ tf version

Terraform v1.7.5
on linux_amd64
+ provider registry.terraform.io/hashicorp/github v6.2.1

This is a test to a personal public repo I just created for the test though (so not an organization linked to a GH enterprise account, not sure if it makes any diff).