
`vulnerability_alerts` set to true does not enable "Dependabot security updates"

Open blt opened this issue 4 years ago • 15 comments

Terraform Version

terraform -v
Terraform v0.12.25
+ provider.github v3.1.0
+ provider.google v3.33.0
+ provider.google-beta v3.33.0
+ provider.random v2.3.1
+ provider.template v2.2.0

Your version of Terraform is out of date! The latest version
is 0.13.5. You can update by downloading from https://www.terraform.io/downloads.html

Affected Resource(s)

Please list the resources as a list, for example:

  • github_repository

Terraform Configuration Files

resource "github_repository" "repo" {
  name        = var.repo_name
  description = var.repo_description
  visibility  = "private"

  has_issues    = false
  has_projects  = false
  has_wiki      = false
  has_downloads = false

  delete_branch_on_merge = true
  allow_merge_commit     = false
  is_template            = var.template
  vulnerability_alerts   = true

  auto_init      = var.repo_auto_init
  default_branch = var.repo_default_branch 

  dynamic "template" {
    for_each = var.repo_template != "" ? [1] : []
    content {
      repository = var.repo_template
      owner      = "goodwatercap"
    }
  }
}

Expected Behavior

When flagging vulnerability_alerts to true we expect the following to be enabled:

  • Dependency graph
  • Dependabot alerts
  • Dependabot security updates

Actual Behavior

When flagging vulnerability_alerts to true, only the following were enabled:

  • Dependency graph
  • Dependabot alerts

Steps to Reproduce

  1. Flag a github_repository with vulnerability_alerts to true.
  2. terraform apply
  3. Confirm at https://github.com/ORG/REPO/settings/security_analysis that "Dependabot security updates" is not enabled.

Important Factoids

Nothing unusual.

References

None.

blt avatar Nov 05 '20 17:11 blt

I just ran into this issue as well, though what I'm seeing is slightly different from what blt is reporting.

Creating a new repository with vulnerability_alerts: true will only enable Dependabot security updates. The other two options are not enabled.

Running Terraform again will show vulnerability_alerts = false -> true. After applying this, all three options are enabled.

What makes it more interesting is that we enabled these settings on the organization level. So I would expect these settings to be enabled regardless from what I specify in Terraform (see screenshot below).

I'm testing this with private repositories.


SanderKnape avatar Jan 21 '21 09:01 SanderKnape

What makes it more interesting is that we enabled these settings on the organization level. So I would expect these settings to be enabled regardless from what I specify in Terraform (see screenshot below).

The option states "for new repositories", so it serves as a default value for new repositories and not an override for the existing ones.

gionn avatar Mar 08 '21 14:03 gionn

Correct. I'm testing this on a newly-created repository through this Terraform provider. So I expect the setting to be enabled.

SanderKnape avatar Mar 08 '21 15:03 SanderKnape

I am seeing the same. If you re-apply it will correct the bug-induced drift. Not ideal, but at least eventually consistent.

jspiro avatar Mar 18 '21 08:03 jspiro

I've looked at this a tiny bit and I believe that setting is applied by this API. There's a helper function to set that vendored into this project, but it's currently unreferenced. I haven't tested calling that yet.

Perhaps it'd be appropriate to add this as a new feature with its own syntax, separate from vulnerability_alerts? I wonder how/if that'd conflict with organization settings to enable it by default.

kfcampbell avatar Apr 27 '21 18:04 kfcampbell
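As an added example (not code from the provider, go-github or anyone in this thread), a stand-alone Go program that exercises the two REST endpoints the comment above is pointing at: GET /repos/{owner}/{repo}/vulnerability-alerts, which GitHub answers with 204 when alerts are on and 404 when they are off, and PUT /repos/{owner}/{repo}/automated-security-fixes, which turns on "Dependabot security updates" and is the step vulnerability_alerts = true does not perform. ORG, REPO and the token are placeholders, and the fake server is constructed so the program runs offline; point baseURL at https://api.github.com to run it for real.

```go
package main

import (
	"context"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// repoSecurityCall hits one of GitHub's body-less per-repository security
// endpoints. GitHub answers 204 for "enabled / done" and, for the GET on
// vulnerability-alerts, 404 for "disabled"; baseURL is https://api.github.com in real use.
func repoSecurityCall(ctx context.Context, c *http.Client, baseURL, token, method, owner, repo, feature string) (bool, error) {
	req, err := http.NewRequestWithContext(ctx, method, fmt.Sprintf("%s/repos/%s/%s/%s", baseURL, owner, repo, feature), nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Accept", "application/vnd.github+json")
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := c.Do(req)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	if resp.StatusCode == http.StatusNoContent {
		return true, nil
	}
	if resp.StatusCode == http.StatusNotFound && method == http.MethodGet {
		return false, nil // a disabled feature is reported as 404, not as an error
	}
	return false, fmt.Errorf("%s %s on %s/%s: unexpected status %d", method, feature, owner, repo, resp.StatusCode)
}

func main() {
	// Constructed stand-in for api.github.com that answers 204 to everything, so the demo runs offline.
	fake := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	}))
	defer fake.Close()
	ctx, c, token := context.Background(), fake.Client(), "placeholder-token"
	alertsOn, err := repoSecurityCall(ctx, c, fake.URL, token, http.MethodGet, "ORG", "REPO", "vulnerability-alerts")
	if err != nil {
		log.Fatal(err)
	}
	if _, err = repoSecurityCall(ctx, c, fake.URL, token, http.MethodPut, "ORG", "REPO", "automated-security-fixes"); err != nil {
		log.Fatal(err)
	}
	fmt.Printf("ORG/REPO: alerts enabled=%v, security updates now enabled\n", alertsOn)
}
```

Run against the real API the PUT needs a token with repository administration rights; a 404 on the PUT means the token cannot see the repository, not that the feature is disabled.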

Hey @kfcampbell - I was poking around this one and it seems there's a missing "Check if automated security fixes are enabled for a repository" API, analogous to this one for vulnerability alerts. Any thoughts on that? I'm looking to contribute here (and also to google/go-github) but hit a wall on the GitHub API. Thanks.

charmingnewt avatar May 11 '22 18:05 charmingnewt

@will-bluem-olo that's a great question. The GET 404s, which is too bad. I've asked internally about it and I'll post again here if I learn something useful.

kfcampbell avatar May 27 '22 22:05 kfcampbell

Hi @kfcampbell - not sure if you ever found anything interesting here, but we'd still be interested in this functionality if it could be added to the API.

charmingnewt avatar Oct 27 '22 15:10 charmingnewt

Ahh thanks for reminding me! I did not hear anything back, and just bumped the question again.

kfcampbell avatar Oct 31 '22 18:10 kfcampbell

Alright, there's an internal issue created to track this and the team seems receptive. I'm uncertain of the priority but it seems low at this point. 🤞🤞🤞 they jump on it!

kfcampbell avatar Nov 03 '22 17:11 kfcampbell

@kfcampbell Any news on this

bahag-klickst avatar Apr 21 '23 09:04 bahag-klickst

@bahag-klickst I unfortunately do not have any updates.

kfcampbell avatar May 01 '23 21:05 kfcampbell

With the latest Terraform 1.6.6 and GitHub provider 5.43.0, a terraform apply -refresh-only doesn't seem to update the field vulnerability_alerts in the .tfstate file with the state in the UI.

GMZwinge avatar Jan 11 '24 23:01 GMZwinge

@kfcampbell any progress to report? My team would also appreciate a fix for this.

coriolinus avatar Feb 26 '24 16:02 coriolinus

I wish I had an update, sorry! You might consider asking your GitHub rep (if you're an enterprise customer) or posting here asking for API coverage.

kfcampbell avatar Mar 04 '24 18:03 kfcampbell

Any updates on this so far?

thomaslagies avatar Apr 26 '24 13:04 thomaslagies