terraform-provider-github: [MAINT]: Public Repositories do not play well with Advanced Security settings

Describe the need

First of all, thank you very much for adding the GitHub Advanced Security settings in terraform, see #1104 . This has been a boon to our organization, and we’ve used it to track and add settings to every repository using a common setup module.

Most of our repositories are private, but one of them is public. I’ve tried a dynamic setting to remove the advanced_security block from the public repository, but now, trying to remove it, I get the message 422 Advanced security is always available for public repos [].

I do want to keep other security settings, like “Secret scanning”, without having a required block specifying advanced security for the public repo. Please advise if there’s a better way to go about this, otherwise, let me know if this is something that can be adjusted in the security_and_analysis block.

SDK Version

No response

API Version

No response

Relevant log output

No response

Code of Conduct

I agree to follow this project’s Code of Conduct

About this issue

Original URL
State: closed
Created 2 years ago
Reactions: 18
Comments: 22 (15 by maintainers)

Commits related to this issue

Advanced security and analysis (#71) Hitting an issue: https://github.com/integrations/terraform-provider-github/issues/1419 — committed to osinfra-io/github-organization-management by brettcurtis a year ago

Most upvoted comments

Version 5.13.0 works without any issue.

No it doesn’t.

provider "github" {
  token = "foo"
  owner = "bar"
}

terraform {
  required_providers {
    github = {
      source  = "integrations/github"
      version = "5.13.0"
    }
  }
}

resource "github_repository" "repo" {
    name       = "public_security_and_analysis"
    visibility = "public"
    security_and_analysis {
        advanced_security {
            status = "enabled"
        }
        secret_scanning {
            status = "enabled"
        }
        secret_scanning_push_protection {
            status = "disabled"
        }
    }
}

still results in a terraform apply failure of

github_repository.repo: Creating...
╷
│ Error: PATCH https://api.github.com/repos/bar/public_security_and_analysis: 422 Advanced security is always available for public repos []
│ 
│   with github_repository.repo,
│   on main.tf line 18, in resource "github_repository" "repo":
│   18: resource "github_repository" "repo" {
│ 
╵

jtgrohn on Jan 16, 2023

@miotke This PR fixes this issue, do you mind taking a look and giving feedback? https://github.com/integrations/terraform-provider-github/pull/1431

kuhlman-labs on Jan 5, 2023

Version 5.13.0 works without any issue.

gszakonyNitro on Jan 16, 2023

For now, pinning to 5.10 is a workaround, but this is a fairly serious bug as it makes github_repository completely unusable in 5.11 and 5.12 and introduced a breaking change.

Just a small correction: unless I’m mistaken, the change was introduced in 5.9.0, so the workaround should be to pin to 5.8.0. Hope this helps someone, and looking forward to the fix! 🙏

Edit: Actually, pinning 5.8.0 means we lose the fix provided in #1368 (released in 5.9.1 in response to GitHub API breaking changes), which means currently no version of the provider is usable by my team. 😓

usmonster on Dec 20, 2022

Hey @nickfloyd - could we rollback https://github.com/integrations/terraform-provider-github/pull/1304 and release a new version? This unintentionally introduced a breaking change. By sending these values in API calls to public repos, GitHub rejects them.

I think we should only add these fields to the API if they are explicitly supplied, or rollback and explore a different engineering option. For now, pinning to 5.10 is a workaround, but this is a fairly serious bug as it makes github_repository completely unusable in 5.11 and 5.12 and introduced a breaking change.

/cc @marzvrover @kfcampbell

sethvargo on Dec 10, 2022

@bombelme, yes, we saw the same and “just” had to delete & re-import the state for github_repository resources. 🙃 Hope it helps a little while waiting for #1431 to land.

usmonster on Jan 10, 2023

@jtgrohn do you mind creating a new issue with those details? My guess is that we’re missing a migration function, but I’d like to keep that separate from this issue.

kfcampbell on Jan 6, 2023

In addition to the public repo issues everyone has been commenting on, there is another issue for private/internal repos with updating the provider version. If a repo was created at/after the security_and_analysis block was introduced (e.g. at 5.9.0+), without the block explicitly set, and then is updated to a newer version (doesn’t seem to matter which), the plan wants to remove the block. e.g.

Terraform will perform the following actions:

  # github_repository.repo will be updated in-place
  ~ resource "github_repository" "repo" {
        id                          = "security_and_analysis_test"
        name                        = "security_and_analysis_test"
      - vulnerability_alerts        = true -> null
        # (28 unchanged attributes hidden)

      - security_and_analysis {
          - advanced_security {
              - status = "enabled" -> null
            }

          - secret_scanning {
              - status = "enabled" -> null
            }

          - secret_scanning_push_protection {
              - status = "enabled" -> null
            }
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Steps to reproduce

create Terraform config:

provider "github" {
  token = "foo"
  owner = "bar"
}

terraform {

  required_providers {
    github = {
      source  = "integrations/github"
      version = "5.9.0"
    }
  }

  backend "local" {}
}

resource "github_repository" "repo" {
    name       = "security_and_analysis_test"
    visibility = "internal"
}}

apply the config then update provider version in terraform config, so the resulting config is:

provider "github" {
  token = "foo"
  owner = "bar"
}

terraform {
  required_providers {
    github = {
      source  = "integrations/github"
      version = "5.10.0"
    }
  }

  backend "local" {}
}

resource "github_repository" "repo" {
    name       = "security_and_analysis_test"
    visibility = "internal"
}

and plan again the resulting plan tries to remove the security_and_analysis block (see above).

jtgrohn on Jan 6, 2023

@miotke The logic of the PR basically changes the request that is sent to the API based on the repos visibility. Advanced Security is enabled on public repos by default so if you send an API request with that field you will get an error, but you can still control the other aspects of advanced security like push protection and secret scanning on public repos.

kuhlman-labs on Jan 5, 2023