[BUG]: Repository 'security_and_analysis' settings are being sent even if they are unset, unchanged, or part of 'lifecycle.ignore_changes'
Expected Behavior
If the 'security_and_analysis' block is either unset, unchanged, or ignored by Terraform by using the ignore_changes list in the lifecycle block of a github_repository, then terraform apply should not send that block to the GitHub API.
Actual Behavior
The block above is sent to the GitHub API, which causes an issue even if it isn't a change.
This becomes an issue if/when the repository has an enterprise policy that prevents modifying the advanced security enablement:
│ Error: PATCH https://api.github.com/repos/$ORG_REDACTED/$REPO_REDACTED: 422 An enterprise policy prevented modifying advanced security enablement. Contact your enterprise owner for details. []
│
│   with github_repository.all['$REPO_REDACTED'],
│   on main.tf line 1, in resource "github_repository" "all":
│    1: resource "github_repository" "all" {
Terraform Version
Terraform v1.8.2 on darwin_arm64
- provider registry.terraform.io/hashicorp/aws v5.48.0
- provider registry.terraform.io/integrations/github v6.2.1
Affected Resource(s)
github_repository
Terraform Configuration Files
resource "github_repository" "all" {
  for_each    = var.REPOSITORIES
  name        = each.key
  description = each.value.description

  lifecycle {
    ignore_changes = [
      # Cannot control these: "An enterprise policy prevented modifying advanced security enablement."
      security_and_analysis
    ]
  }
}
Steps to Reproduce
No response
Debug Output
2024-05-03T16:11:08.912-0700 [ERROR] provider.terraform-provider-github_v6.2.1: Response contains error diagnostic: @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/diag/diagnostics.go:58 tf_req_id=b55abc6e-0f96-7365-adb8-1979a52d852e tf_rpc=ApplyResourceChange tf_resource_type=github_repository @module=sdk.proto diagnostic_detail="" diagnostic_severity=ERROR diagnostic_summary="PATCH https://api.github.com/repos/$ORG_REDACTED/$REPO_REDACTED: 422 An enterprise policy prevented modifying advanced security enablement. Contact your enterprise owner for details. []" tf_proto_version=5.4 tf_provider_addr=provider timestamp=2024-05-03T16:11:08.912-0700
Panic Output
No response
Code of Conduct
- [X] I agree to follow this project's Code of Conduct
curl -L \
  -X PATCH \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer $GH_TOKEN" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/repos/$ORG/$REPO \
  -d '{"security_and_analysis":{"advanced_security":{"status":"enabled"}}}'
This is the equivalent cURL, and if an enterprise policy prohibits setting this, it will fail with an HTTP 422 even if the "new" setting matches the extant setting.
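The behaviour the issue asks for (and that the cURL above violates) is that the PATCH body carries security_and_analysis only when the block is set in the plan and actually differs from the prior state. The following is an added, stand-alone illustration, not the provider's code: the struct names, the two-feature subset of the block, and the description field are assumptions; the JSON keys are the API's.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// StatusSetting is the {"status": "enabled"|"disabled"} object the GitHub API
// uses for each feature inside security_and_analysis.
type StatusSetting struct {
	Status string `json:"status"`
}

// SecurityAndAnalysis mirrors the security_and_analysis object of the
// repository PATCH body (JSON keys as in the API; only two features shown).
type SecurityAndAnalysis struct {
	AdvancedSecurity *StatusSetting `json:"advanced_security,omitempty"`
	SecretScanning   *StatusSetting `json:"secret_scanning,omitempty"`
}

// RepoPatch is a minimal PATCH body. A nil pointer plus omitempty is what
// keeps a block out of the request entirely.
type RepoPatch struct {
	Description         *string              `json:"description,omitempty"`
	SecurityAndAnalysis *SecurityAndAnalysis `json:"security_and_analysis,omitempty"`
}

// BuildPatch builds the PATCH body from the prior state and the planned
// values. security_and_analysis is attached only when it is set in the plan
// AND differs from the prior state; an unset, unchanged, or ignore_changes
// (planned == prior) block is left out, so a policy forbidding changes to
// advanced security cannot reject an unrelated description update.
func BuildPatch(oldDesc, newDesc string, oldSec, newSec *SecurityAndAnalysis) ([]byte, error) {
	p := RepoPatch{}
	if oldDesc != newDesc {
		p.Description = &newDesc
	}
	if newSec != nil && !reflect.DeepEqual(oldSec, newSec) {
		p.SecurityAndAnalysis = newSec
	}
	return json.Marshal(p)
}

func main() {
	// Constructed sample: the description changes, the security block does not.
	sec := &SecurityAndAnalysis{AdvancedSecurity: &StatusSetting{Status: "enabled"}}
	body, _ := BuildPatch("old", "new", sec, sec)
	fmt.Println(string(body)) // {"description":"new"}
}
```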
We are also seeing this issue when destroying a github_repository resource with archive_on_destroy set to true.
We are seeing this issue arise when running a terraform apply that requires modification to the repositories. Weirdly, running the apply again seems to bypass the issue.
If the resource (repository) is up to date, no change is sent, so it won't complain. It only complains when the repository itself is updated, because it tacks on the extra bit.
There is a PR that will fix this issue, and it has been available for over 5 weeks without any input from the maintainers.
Fixed by #2397