terraform-provider-github
`github_team` resource fails with `Error: this resource can only be used in the context of an organization, "foo" is a user` in v5.9.2
Still hitting this issue in 5.9.2 for the `github_team` resource.
Originally posted by @chamoisla in https://github.com/integrations/terraform-provider-github/issues/1373#issuecomment-1329370004
Terraform Version 1.1.3
Affected Resource(s)
github_team
Terraform Configuration Files
```hcl
provider "github" {
  token    = var.token
  base_url = var.base_url
  owner    = var.owner
}

resource "github_team" "foo" {
  name        = var.name
  description = var.description
  privacy     = var.privacy
}
```
Debug Output
```
2022-11-28T08:54:21.183-0800 [DEBUG] provider.terraform-provider-github_v5.9.2: 2022/11/28 08:54:21 [DEBUG] Github API Request Details:
2022-11-28T08:54:21.183-0800 [DEBUG] provider.terraform-provider-github_v5.9.2: ---[ REQUEST ]---------------------------------------
2022-11-28T08:54:21.183-0800 [DEBUG] provider.terraform-provider-github_v5.9.2: GET /api/v3/orgs/myorgname HTTP/1.1
2022-11-28T08:54:21.183-0800 [DEBUG] provider.terraform-provider-github_v5.9.2: Host: REDACTED
2022-11-28T08:54:21.183-0800 [DEBUG] provider.terraform-provider-github_v5.9.2: User-Agent: go-github/v48.0.0
2022-11-28T08:54:21.183-0800 [DEBUG] provider.terraform-provider-github_v5.9.2: Accept: application/vnd.github.surtur-preview+json,application/vnd.github.stone-crop-preview+json
2022-11-28T08:54:21.183-0800 [DEBUG] provider.terraform-provider-github_v5.9.2: Accept-Encoding: gzip
2022-11-28T08:54:21.183-0800 [DEBUG] provider.terraform-provider-github_v5.9.2:
2022-11-28T08:54:21.183-0800 [DEBUG] provider.terraform-provider-github_v5.9.2:
2022-11-28T08:54:21.183-0800 [DEBUG] provider.terraform-provider-github_v5.9.2: -----------------------------------------------------
2022-11-28T08:54:51.183-0800 [DEBUG] provider.terraform-provider-github_v5.9.2: 2022/11/28 08:54:51 [INFO] Token present; configuring authenticated owner: myorgname
2022-11-28T08:54:51.187-0800 [DEBUG] ReferenceTransformer: "module.foo.github_team.bar" references: []
2022-11-28T08:54:51.206-0800 [ERROR] vertex "module.foo.github_team.bar" error: this resource can only be used in the context of an organization, "myorgname" is a user
```
Panic Output N/A
Expected Behavior
Access should be refreshed, changes should be proposed by terraform plan
Actual Behavior
`terraform plan` errors:
```
│ Error: this resource can only be used in the context of an organization, "foo" is a user
│
│ with module.foo.github_team.bar,
│ on modules/foor/bar.tf line 85, in resource "github_team" "foo":
│ 85: resource "github_team" "foo" {
```
Steps to Reproduce
- Fails with multiple versions of Terraform and of the provider plugin.
- Made the following change directly to the provider source code and it works for me locally.

`github/config.go`:
```go
func RateLimitedHTTPClient(client *http.Client, writeDelay time.Duration, readDelay time.Duration) *http.Client {
	client.Transport = NewEtagTransport(client.Transport)
	client.Transport = NewRateLimitTransport(client.Transport, WithWriteDelay(writeDelay), WithReadDelay(readDelay))
	client.Transport = logging.NewTransport("Github", client.Transport)
	client.Transport = newPreviewHeaderInjectorTransport(map[string]string{
		// TODO: remove when Stone Crop preview is moved to general availability in the GraphQL API
		"Accept": "application/vnd.github.v3.repository+json", // Replaced the Stone Crop API with GitHub v3
	}, client.Transport)
	return client
}
```
References
- https://github.com/integrations/terraform-provider-github/issues/1373
This is a different error than #1373. What permissions does your GitHub token have in the organization? If this is a personal access token, your user needs to have correct privileges on your organization.
There are other PRs linked in #1373 with the same error. I believe my GitHub token is already over-permissive. Could you clarify minimum permissions required?
Working around with the local binary with fix noted above.
Looks like this is an issue introduced by a change to the GitHub REST API. The 5.9.1 and 5.9.2 changes did not break this functionality. The downstream `go-github` library is injecting its own custom header (https://github.com/google/go-github/blob/master/github/orgs.go#L213 and https://github.com/google/go-github/blob/master/github/github.go#L135) to use the `surtur` preview schema but clearly that preview has ended and users should now use just the `vnd.github.v3.repository+json` value.
A more general solution here would be for the `go-github` library to inject the `application/vnd.github+json` media type to every request (as recommended here) but in the meantime this can also be accomplished using the `previewHeaderInjectorTransport`.
@chamoisla, you should find that
```go
client.Transport = newPreviewHeaderInjectorTransport(map[string]string{
	"Accept": "application/vnd.github.v3.repository+json,application/vnd.github.stone-crop-preview+json", // added both the v3.repository and stone crop schemas
}, client.Transport)
```
also fixes your problem.
If I am understanding GitHub's docs correctly,
```go
client.Transport = newPreviewHeaderInjectorTransport(map[string]string{
	"Accept": "application/vnd.github+json,application/vnd.github.stone-crop-preview+json", // added both general GitHub schema and stone crop schema
}, client.Transport)
```
is the most general version of the solution.
Please comment back here if either/both solution(s) do/do not work as it should inform what form the final fix should take and where it should be fixed.
Thanks @elliottpope it looks like the comma separated list also works for me locally.
@chamoisla is it possible to reopen this issue since it wasn't updated in the main branch so this is on the maintainers' radar? really appreciate you and @elliottpope putting in the elbow grease for the rest of us :)
@chamoisla and @zukwung the fix should ultimately be made on the go-github project (anything else would be a temporary workaround). You could make a corresponding issue on that project and link it here
After a fix is made on that project, then this issue would be closed by updating the dependency version
I had similar issues with github_membership, using 5.11.0.
Quick workaround, just stick with an older version until this is fixed, unless you need resources recently introduced. Seems like the issue was introduced after 5.9.x, so I'm just pinning below that for now.
```hcl
terraform {
  required_providers {
    github = {
      source  = "integrations/github"
      version = ">= 5.8, < 5.9"
    }
  }
}
```
@elliottpope or @chamoisla, do either of you have interest in opening up a PR to fix this behavior for the provider until a google/go-github fix is made?
BEWARE: this error is very misleading. For us, it turns out our Personal Access Token just stopped working for some reason. We made a new token and everything started working again.
Seems like this has come up a lot: https://github.com/integrations/terraform-provider-github/search?q=in+the+context+of+an+organization+is+a+user&type=issues
Maybe this can be added to the README or something as a troubleshooting step?
I saw this just now, I have a module that creates a GitHub team. I was getting the `this resource can only be used in the context of an organization, "foo" is a user` error, but I was able to get past it by adding a `required_providers` block to the module. Hope this works for others!
@davidham that can happen sometimes! Hopefully our documentation here is enough to point others in the right direction when that happens:
You must add a `required_providers` block to every module that will create resources with this provider. If you do not explicitly require `integrations/github` in a submodule, your terraform run may break in hard-to-troubleshoot ways.
In my case, I regenerated my PAT Token, which magically fixed it, even though my existing one hadn't expired. I didn't need to edit the permissions of the token either. A simple regeneration was sufficient. 🤷♂️
The error message for this scenario is quite strange.
Edit: I think this may be misplaced but leaving it here for now. I realize now this bug I'm commenting on has a similar message but is related to a particular header issue. I will try to find a better home for this, possibly a new issue entirely.
We experienced this recently in a very particular way.
We have 7 organizations. Each is currently managed slightly differently by legacy owners, though we are trying to reduce that.
One of them had a policy enacted that said PATs with age greater than 365 days can not access the organization.
For most organizations, operations on teams worked. For this organization, operations failed with the reported message.
We had to debug the code to recreate the rest call which populates IsOrganization here:
https://github.com/integrations/terraform-provider-github/blob/6e5ef36ba78dccf4bfed8dcb5cc5ad188b1fb861/github/config.go#L127-L133
The response we got was:
```json
{
  "message": "The '<REDACTED>' organization forbids access via a personal access tokens (classic) if the token's lifetime is greater than 366 days. Please adjust your token's lifetime at the following URL: https://github.com/settings/tokens/<REDACTED>",
  "documentation_url": "https://docs.github.com/rest/orgs/orgs#get-an-organization",
  "status": "403"
}
```
We can see that code is ignoring any errors returned by the call.
The pain point here isn't necessarily this enforcement - it absolutely makes sense to have this enforcement. The pain point is working out the failure of the org call which is silently swallowed.
To put this into bug reproduction language:
- Create organization
- Create policy for token that forbids organization access via a PAT if lifetime greater than 366 days
- Create PAT with lifetime greater than 366 days
- Set up terraform that accesses organization properties.
Expected behavior: Root rest call failure for org info is evidenced to the end user
Observed behavior: Root rest call failure is ignored, instead "Error: this resource can only be used in the context of an organization, "foo" is a user" is provided.
I can think of a few different better ways to handle this, in order of preference:
- At the time of the error getting swallowed, a warning output is produced explaining which REST call produced the error and how to recreate it or with the error output. Later messages could indicate you should look for this potential warning.
- At the time of the error getting swallowed, instead it fails fast depending on whether someone declares that the provider should expect to manage organization tokens
- At the time of the errors in generating the plan, an explanation of the REST call to recreate is provided.
Basically anything is better than the current story of:
- Experience error
- Go to GitHub Issues for terraform-provider-github and search the error message
- Go through the many possible reasons this is caused to determine your particular root cause
In my case I don't think anyone in particular had reported this root cause so it was especially challenging, hoping this saves others effort.
Happy to discuss further!
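The failure mode described in the comment above, as an added Go illustration (not code from the provider, from go-github, or from any commenter): an organization lookup that discards its error makes a 403 policy rejection look identical to "owner is a user", while a strict variant surfaces the API's message. The function names, the `fakeAPI` transport, the placeholder host and the 404-means-not-an-organization rule are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// fakeAPI is a constructed stand-in for the API at a placeholder host; nothing is sent.
type fakeAPI struct{}
func (fakeAPI) RoundTrip(r *http.Request) (*http.Response, error) {
	status, body := http.StatusNotFound, `{"message":"Not Found"}`
	switch r.URL.Path {
	case "/orgs/good-org":
		status, body = http.StatusOK, `{"login":"good-org"}`
	case "/orgs/locked-org": // constructed token-policy rejection
		status, body = http.StatusForbidden, `{"message":"organization forbids this token"}`
	}
	return &http.Response{StatusCode: status, Header: http.Header{}, Request: r, Body: io.NopCloser(strings.NewReader(body))}, nil
}

// isOrgStrict treats only 404 as "not an organization" (an assumption here).
func isOrgStrict(c *http.Client, owner string) (bool, error) {
	resp, err := c.Get("https://github.example.test/orgs/" + owner)
	if err != nil {
		return false, fmt.Errorf("GET /orgs/%s: %w", owner, err)
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusOK || resp.StatusCode == http.StatusNotFound {
		return resp.StatusCode == http.StatusOK, nil
	}
	var e struct{ Message string `json:"message"` }
	_ = json.NewDecoder(resp.Body).Decode(&e)
	return false, fmt.Errorf("GET /orgs/%s: HTTP %d: %s", owner, resp.StatusCode, e.Message)
}

// isOrgSwallowing drops the error, so a 403 is indistinguishable from "a user".
func isOrgSwallowing(c *http.Client, owner string) bool {
	ok, _ := isOrgStrict(c, owner)
	return ok
}

func main() {
	c := &http.Client{Transport: fakeAPI{}}
	fmt.Println(isOrgSwallowing(c, "locked-org"))
	fmt.Println(isOrgStrict(c, "locked-org"))
}
```

With the strict variant, the rejected token produces an error naming the request and the HTTP status instead of a later "is a user" failure at plan time.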