[BUG]: github_repository_collaborators - Permission replacement where in-place modification would be sufficient

[benlangfeld]

trafficstars

Describe the need

I have a resource defined like so:

resource "github_repository_collaborators" "collaborators" {
  repository = github_repository.repo.name

  team {
    team_id    = "everyone"
    permission = var.everyone_can_write ? "push" : "pull"
  }

  team {
    team_id    = "robots"
    permission = "push"
  }

  ...
}

So far, everyone_can_write was set to false. When I set it to true, the behaviour of terraform plan is to specify replacement of the relevant team, rather than its in-place replacement.

What I saw in plan output:

  # module.foobar.github_repository_collaborators.collaborators will be updated in-place
  ~ resource "github_repository_collaborators" "collaborators" {
        id             = "foobar"
        # (2 unchanged attributes hidden)

      - team {
          - permission = "pull" -> null
          - team_id    = "everyone" -> null
        }
      + team {
          + permission = "push"
          + team_id    = "********"
        }

        # (2 unchanged blocks hidden)
    }

Instead I expected to see:

  # module.foobar.github_repository_collaborators.collaborators will be updated in-place
  ~ resource "github_repository_collaborators" "collaborators" {
        id             = "foobar"
        # (2 unchanged attributes hidden)

      ~ team {
          ~ permission = "pull" -> "push"
            team_id    = "everyone"
        }

        # (2 unchanged blocks hidden)
    }

This is problematic because when access to a repo is withdrawn and then re-created, any assignments of PRs to members of the relevant team are removed.

SDK Version

No response

API Version

No response

Relevant log output

No response

Code of Conduct

• [X] I agree to follow this project's Code of Conduct

[kfcampbell]

The github_repository_collaborators (plural) resource is intended to be authoritative. Perhaps using github_repository_collaborator (singular), which does additive permissions, would work for your use case?

[benlangfeld]

The github_repository_collaborators (plural) resource is intended to be authoritative. Perhaps using github_repository_collaborator (singular), which does additive permissions, would work for your use case?

No, I specifically need the authoritative version, and I don't believe the authoritative nature of the resource is an explanation for this behaviour. I still believe this resource, whose purpose I understand well, should behave as I described here.

[benlangfeld]

@maroux Are you able to provide any pointers on how I might prepare a fix for this?

[maroux]

Yeah I can take a look at this

[benlangfeld]

Yeah I can take a look at this

@maroux Hey, do you have any hints for where I should look to make a change? It's not immediate clear where the problem comes from.

[maroux]

Hey @benlangfeld I did spend some time investigating, but no conclusion yet. I suspect it's something in terraform land but I can't find what configuration needs to be set for this to work correctly. There's a high chance we may have to live with this 😕

[github-actions[bot]]

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!

[benlangfeld]

I think this should be pinned because it's an active issue that has not been resolved.

[github-actions[bot]]

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!

[benlangfeld]

@kfcampbell Please pin.