hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: GitHub webhook doesn't get deleted when `aws_codebuild_webhook` is destroyed #38455

Open garysassano opened 1 month ago

garysassano commented 1 month ago

Terraform Core Version

1.9.2

AWS Provider Version

5.59.0

Affected Resource(s)

Expected Behavior

Destroying an aws_codebuild_webhook resource results in the deletion of everything it originally created.

Actual Behavior

When deploying an aws_codebuild_webhook, AWS CodeBuild automatically creates a GitHub webhook inside the repository, organization or enterprise.

When destroying an aws_codebuild_webhook, the associated GitHub webhook isn't automatically deleted, requiring user intervention. Instead, Terraform should use the GITHUB_TOKEN permissions to delete the associated webhook it originally created.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

You can deploy this project to reproduce the issue.

Steps to Reproduce

see above

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

garysassano commented 1 month ago

Providing additional information.

When creating an aws_codebuild_webhook resource using Terraform, AWS CodeBuild automatically creates a webhook in GitHub. This webhook should be automatically deleted by Terraform when the resource gets destroyed.

The only exception to this rule is if the user ticked the following option:

[image: the option as shown in the AWS Console]

In that case, the GitHub webhook is managed manually by the user and Terraform doesn't have to care about deleting it when the aws_codebuild_webhook resource is destroyed.

For some reason, I couldn't find any corresponding argument in aws_codebuild_webhook for the manual creation option that is available in the AWS Console.

justinretzolk commented 1 month ago

Hey @garysassano 👋 Thank you for taking the time to raise this! This looks pretty similar to #30551. Can you take a look over that thread and see if you're able to resolve your issue as well?

garysassano commented 1 month ago

The linked issue did not provide a conclusive solution, as the author eventually gave up.

There are several things I would like to see from CodeBuild:

  1. Unified Credential Management with CodeConnections

    • Currently, CodeBuild relies on separate, hidden credentials inaccessible from the AWS Console. This separation from the CodeConnections system creates inconsistencies and complicates credential management.
    • Proposed Solution: Allow CodeBuild to utilize CodeConnections for credential storage and retrieval, mirroring CodePipeline's approach. This would enable unified credential management across services, improving consistency and simplifying workflows.
  2. Support Authenticating as a GitHub App installation

    • CodeBuild's OAuth implementation lacks support for GitHub App installation. This forces organizations using GitHub organization webhooks to rely on individual personal accounts for CodeBuild access, creating security concerns and hindering best practices.
    • Proposed Solution: Implement support for GitHub App installation within CodeBuild's OAuth workflow, as CodeConnections does. This would allow organizations to leverage GitHub Apps for secure and controlled access to organizational resources, aligning with industry best practices.
  3. Complete Webhook Lifecycle Management

    • Although less critical, CodeBuild can create webhooks but lacks the ability to delete them.
    • Proposed Solution: Extend CodeBuild's capabilities to encompass full webhook lifecycle management, including both creation and deletion. This would ensure a cleaner configuration and prevent potential resource leaks.

dimaman2001 commented 1 month ago

@garysassano - If this is a CodeBuild limitation, there is nothing this provider can do. Your feature requests should be submitted to AWS through your assigned TAM.