hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Amplify App sets up deprecated oauth instead of the github app webhook #25122

Open nitrocode opened 2 years ago

nitrocode commented 2 years ago

Terraform Configuration Files

resource "aws_amplify_app" "default" {
  # Personal access token for GitHub; this is what produces the OAuth-style connection.
  access_token             = var.access_token
  description              = "Amplify App for the github.com/cloudposse/amplify-test2 project."
  enable_basic_auth        = false
  # ... (name, repository and other arguments omitted in the report; see the plan below)
}

resource "aws_amplify_branch" "default" {
  # Was aws_amplify_app.this.id, which matches no resource in this config.
  app_id                  = aws_amplify_app.default.id
  branch_name             = "main"
  display_name            = "main"
  # aws_amplify_backend_environment.default is defined outside this excerpt.
  backend_environment_arn = aws_amplify_backend_environment.default[0].arn
}

resource "aws_amplify_webhook" "default" {
  app_id      = aws_amplify_app.default.id
  branch_name = aws_amplify_branch.default.branch_name
  description = "trigger-default-branch"
}

Plan

  # module.amplify.aws_amplify_app.default will be created
  + resource "aws_amplify_app" "default" {
      + access_token             = (sensitive value)
      + arn                      = (known after apply)
      + build_spec               = (known after apply)
      + default_domain           = (known after apply)
      + description              = "Amplify App for the github.com/cloudposse/amplify-test2 project."
      + enable_basic_auth        = false
      + enable_branch_auto_build = true
      + id                       = (known after apply)
      + name                     = "cplive-ue2-sandbox-amplify"
      + platform                 = "WEB"
      + production_branch        = (known after apply)
      + repository               = "https://github.com/cloudposse/amplify-test2"

      + auto_branch_creation_config {
          + basic_auth_credentials        = (sensitive value)
          + build_spec                    = (known after apply)
          + enable_auto_build             = (known after apply)
          + enable_basic_auth             = (known after apply)
          + enable_performance_mode       = (known after apply)
          + enable_pull_request_preview   = (known after apply)
          + environment_variables         = (known after apply)
          + framework                     = (known after apply)
          + pull_request_environment_name = (known after apply)
          + stage                         = (known after apply)
        }
    }

  # module.amplify.aws_amplify_branch.default will be created
  + resource "aws_amplify_branch" "default" {
      + app_id               = (known after apply)
      + arn                  = (known after apply)
      + associated_resources = (known after apply)
      + branch_name          = "main"
      + custom_domains       = (known after apply)
      + destination_branch   = (known after apply)
      + display_name         = "main"
      + enable_auto_build    = true
      + enable_basic_auth    = false
      + id                   = (known after apply)
      + source_branch        = (known after apply)
    }

  # module.amplify.aws_amplify_webhook.default will be created
  + resource "aws_amplify_webhook" "default" {
      + app_id      = (known after apply)
      + arn         = (known after apply)
      + branch_name = "main"
      + description = "trigger-default-branch"
      + id          = (known after apply)
      + url         = (known after apply)
    }

It might have something to do with the default auto_branch_creation_config. I do not have it set so the terraform resource must be setting that with basic_auth_credentials even though I'm using the access_token.

Setting an empty auto_branch_creation_config works but prevents any of the repository settings from getting added.

  auto_branch_creation_config {}

If we try to null each of the block arguments, it says that basic_auth_credentials (and the others) are required, even though all of these block options are shown as optional in the docs.

Expected Behavior

It should create the GitHub App authentication webhook.

Actual Behavior

It creates the OAuth web app authentication webhook, which then shows a migration button in the UI:

[screenshot: Amplify console showing a "Migrate to our GitHub App" button]

Steps to Reproduce

  1. terraform apply

justinretzolk commented 2 years ago

Hey @nitrocode 👋 I took a brief look at this while triaging it and noticed one thing that I figured I'd mention. Based on you not including the auto_branch_creation_config block, am I correct in assuming that you'd prefer that not be added at all? If so, I believe that setting enable_auto_branch_creation to false might be what you're looking for. Full disclosure, this isn't an area of expertise for me, so apologies in advance if that's not helpful 🙂
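As an added example, not code from the issue or from the provider: the reporter's configuration with the suggestion above applied, that is enable_auto_branch_creation = false and no auto_branch_creation_config block at all, so Terraform has nothing to send for basic_auth_credentials on auto-created branches. The variable name, the output and the omitted backend environment are assumptions; the name and repository are taken from the plan in the report. Later comments in this thread say the OAuth-versus-GitHub-App outcome does not depend on this block, so this only removes the auto-branch noise from the plan, it does not change which connection type Amplify creates.

```hcl
variable "access_token" {
  description = "GitHub personal access token (assumed variable; the provider uses it for the OAuth-style connection)"
  type        = string
  sensitive   = true
}

resource "aws_amplify_app" "default" {
  name         = "cplive-ue2-sandbox-amplify"
  repository   = "https://github.com/cloudposse/amplify-test2"
  access_token = var.access_token
  description  = "Amplify App for the github.com/cloudposse/amplify-test2 project."

  # Disable auto branch creation outright instead of passing an empty
  # auto_branch_creation_config {} block, so no basic_auth_credentials
  # are ever computed for auto-created branches.
  enable_auto_branch_creation = false
  enable_branch_auto_build    = true
  enable_basic_auth           = false
}

resource "aws_amplify_branch" "default" {
  app_id       = aws_amplify_app.default.id
  branch_name  = "main"
  display_name = "main"
  # backend_environment_arn omitted here; the report's backend environment
  # resource is not part of this example.
}

resource "aws_amplify_webhook" "default" {
  app_id      = aws_amplify_app.default.id
  branch_name = aws_amplify_branch.default.branch_name
  description = "trigger-default-branch"
}

# Assumed output. Anyone holding the webhook URL can trigger a build, so it is
# marked sensitive to keep it out of plan and apply output.
output "amplify_webhook_url" {
  value     = aws_amplify_webhook.default.url
  sensitive = true
}
```

After apply, `aws amplify get-app --app-id <app id>` shows `enableAutoBranchCreation` as false and no `autoBranchCreationConfig` with credentials; the console migration prompt described in the report is unaffected by this setting.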

mattk-ce commented 1 year ago

Can confirm it has nothing to do with auto_branch_creation_config. Every single Amplify app we Terraform has to be manually changed to use the Github App instead of OAuth. Intensely frustrating.

bengiddins commented 1 year ago

aws_amplify_app still does not have a way to configure a GitHub App instead of OAuth for connecting to a repository. Looks like a resource would need to be added that can create the GitHub App as well, as they are coupled with callbacks, secrets, etc.

plinyrecruit commented 3 months ago

Has anyone had a chance to look into this?

Some of our Amplify apps are now being forced to use GitHub App connections, which means we have to manually switch them every time a dev creates an app using Terraform. When clicking reconnect:

[screenshot: the console's reconnect dialog]

we have no choice but to swap to GitHub App connections:

[screenshot: the GitHub App connection prompt]

skrapidinnovation commented 1 month ago

Has anyone had a chance to look into it? I need to use Terraform to connect with a GitHub App, but we can't find a solution so far.

sebas0811buitrago commented 1 month ago

Does anyone know a workaround using any other option?

Like doing it with CloudFormation, from the AWS CLI, or using AWS endpoints instead?