hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0
9.89k stars 9.22k forks source link

[Bug]: GitHub webhook doesn't get deleted when `aws_codebuild_webhook` is destroyed #38455

Open garysassano opened 4 months ago

garysassano commented 4 months ago

Terraform Core Version

1.9.2

AWS Provider Version

5.59.0

Affected Resource(s)

Expected Behavior

Destroying an aws_codebuild_webhook resource results in the deletion of everything it originally created.

Actual Behavior

When deploying an aws_codebuild_webhook, AWS CodeBuild automatically creates a GitHub webhook inside the repository, organization or enterprise.

When destroying an aws_codebuild_webhook, the associated GitHub webhook isn't automatically deleted, requiring user intervention. Instead, Terraform should use the GITHUB_TOKEN permissions to delete the associated webhook it originally created.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

You can deploy this project to reproduce the issue.

Steps to Reproduce

see above

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

github-actions[bot] commented 4 months ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

garysassano commented 4 months ago

Providing additional information.

When creating an aws_codebuild_webhook resource using Terraform, AWS CodeBuild automatically creates a webhook in GitHub. This webhook should be automatically deleted by Terraform when the resource gets destroyed.

The only exception to this rule is if the user ticked the following option:

image

In that case, the GitHub webhook is managed manually by the user and Terraform doesn't have to care about deleting it when the aws_codebuild_webhook resource is destroyed.

For some reasons, I couldn't find any corresponding argument in aws_codebuild_webhook for the manual creation option which is available in AWS Console.

justinretzolk commented 4 months ago

Hey @garysassano 👋 Thank you for taking the time to raise this! This looks pretty similar to #30551. Can you take a look over that thread and see if you're able to resolve your issue as well?

garysassano commented 4 months ago

The linked issue did not provide a conclusive solution, as the author eventually gave up.

There are several things I would like to see from CodeBuild:

  1. Unified Credential Management with CodeConnections

    • Currently, CodeBuild relies on separate, hidden credentials inaccessible from the AWS Console. This separation from CodeConnections system creates inconsistencies and complicates credential management.
    • Proposed Solution: Allow CodeBuild to utilize CodeConnections for credential storage and retrieval, mirroring CodePipeline's approach. This would enable unified credential management across services, improving consistency and simplifying workflows.
  2. Support Authenticating as a GitHub App installation

    • CodeBuild's OAuth implementation lacks support for GitHub App installation. This forces organizations using GitHub organization webhooks to rely on individual personal accounts for CodeBuild access, creating security concerns and hindering best practices.
    • Proposed Solution: Implement support for GitHub App installation within CodeBuild's OAuth workflow, similarly to CodeConnections. This would allow organizations to leverage GitHub Apps for secure and controlled access to organizational resources, aligning with industry best practices.
  3. Complete Webhook Lifecycle Management

    • Although less critical, CodeBuild can create webhooks but lacks the ability to delete them.
    • Proposed Solution: Extend CodeBuild's capabilities to encompass full webhook lifecycle management, including both creation and deletion. This would ensure a cleaner configuration and prevent potential resource leaks.
dimaman2001 commented 4 months ago

@garysassano - If this is a CodeBuild limitation, there is nothing this provider can do. You feature requests should be submitted to AWS through your assigned TAM.