hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_codebuild_webhook for GitHub organisation fails with OAuthProviderException #39251

Open brodster2 opened 1 month ago

brodster2 commented 1 month ago

Terraform Core Version

v1.7.5

AWS Provider Version

v5.66.0

Affected Resource(s)

Expected Behavior

The webhook creates successfully

Actual Behavior

Get the error: Error: creating CodeBuild Webhook (github-test): operation error CodeBuild: CreateWebhook, https response error StatusCode: 400, RequestID: bb4afbfb-90fd-4b6a-8275-d3fb43ac850d, OAuthProviderException: Failed to create webhook. GitHub API limit reached. Please try again later.

And this is after re-running several times, and waiting up to 30 minutes between tries.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_codebuild_project" "test" {
  name         = "github-test"
  service_role = aws_iam_role.example.arn
  artifacts {
    type = "NO_ARTIFACTS"
  }
  environment {
    compute_type                = "BUILD_GENERAL1_SMALL"
    image                       = "aws/codebuild/amazonlinux2-x86_64-standard:4.0"
    type                        = "LINUX_CONTAINER"
    image_pull_credentials_type = "CODEBUILD"
    certificate                 = "${aws_s3_object.cert.bucket}/${aws_s3_object.cert.key}"
  }
  source {
    type     = "GITHUB"
    location = "CODEBUILD_DEFAULT_WEBHOOK_SOURCE_LOCATION"
  }
}

resource "aws_codebuild_webhook" "example" {
  project_name = aws_codebuild_project.test.name
  build_type   = "BUILD"
  filter_group {
    filter {
      type    = "EVENT"
      pattern = "WORKFLOW_JOB_QUEUED"
    }
  }
  scope_configuration {
    name  = "myorg"
    scope = "GITHUB_ORGANIZATION"
  }
}

# resource "terraform_data" "webhook" {
#   input = aws_codebuild_project.test.name

#   provisioner "local-exec" {
#     when    = create
#     command = <<EOF
# aws codebuild create-webhook \
# --project-name ${aws_codebuild_project.test.name} \
# --filter-groups '[[{"pattern":"WORKFLOW_JOB_QUEUED","type":"EVENT"}]]' \
# --scope-configuration '{"name": "myorg", "scope": "GITHUB_ORGANIZATION"}'
#     EOF
#   }

#   provisioner "local-exec" {
#     when    = destroy
#     command = "aws codebuild delete-webhook --project-name ${self.input}"
#   }
# }

Steps to Reproduce

Before applying any Terraform I set up the new GitHub App OAuth authentication method by following https://docs.aws.amazon.com/codebuild/latest/userguide/access-tokens-github-overview.html#connections-github-app and then running the command aws codebuild import-source-credentials --auth-type CODECONNECTIONS --server-type GITHUB --token <connection-arn> to make that connection the default authentication method used by CodeBuild.

Then, once I run terraform apply, I hit the error. But if I comment out the webhook resource and use the terraform_data instead to run the CLI command with the same configuration, the webhook creates with no problem.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

Would you like to implement a fix?

None

github-actions[bot] commented 1 month ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

colyoonamaz commented 4 weeks ago

Could you double check that the permissions configured within the project have sufficient permissions to create an organization webhook, i.e. organization admin permissions? In this case, it's possible that the exception message is incorrect and it is really a permissions issue. Additionally, you may want to verify that your authentication method isn't being used somewhere else that is consuming your GitHub limit, e.g. you use a PAT that is also being used elsewhere. If you continue to run into issues, please email CodeBuild at codebuild-feedback@amazon.com with the issue details/request ID/request time so that we can look into it deeper.

albertocapella commented 3 weeks ago

I had the same issue. Your user must be the owner of an organization to create a webhook under that organization.

creating-an-organization-webhook

brodster2 commented 1 week ago

> Could you double check that the permissions configured within the project have sufficient permissions to create an organization webhook, i.e. organization admin permissions? In this case, it's possible that the exception message is incorrect and it is really a permissions issue. Additionally, you may want to verify that your authentication method isn't being used somewhere else that is consuming your GitHub limit, e.g. you use a PAT that is also being used elsewhere. If you continue to run into issues, please email CodeBuild at codebuild-feedback@amazon.com with the issue details/request ID/request time so that we can look into it deeper.

Hi @colyoonamaz,

Sorry for the late reply. I'm using the AWS Connector for GitHub app to do the WebHook creation after setting up the connection to my GitHub organisation:

CodeBuild would be using the same default code connection for both methods (aws_codebuild_webhook or aws codebuild create-webhook) wouldn't it?

justinretzolk commented 1 day ago

Hey @brodster2 👋 Thank you for taking the time to raise this!

> CodeBuild would be using the same default code connection for both methods (aws_codebuild_webhook or aws codebuild create-webhook) wouldn't it?

The aws_codebuild_webhook resource will be created using the credentials provided to the Terraform AWS Provider. When using the local-exec provisioner within the terraform_data resource, however, the credentials might be the same (depending on how you're providing credentials to the provider), but aren't necessarily guaranteed to be. It could be that local-exec is picking up different credentials with different permissions based on environment variables, etc.
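One way to rule out the credential mismatch described above, as an added example that is not part of this issue or the provider's code: pin both the provider and the local-exec provisioner to one named profile and log the principal the CLI resolves before any further CreateWebhook attempt. The profile name, region and resource names are assumptions.

```hcl
# Added example (not from the issue): give the provider and the local-exec
# path the same identity, then record who the CLI actually runs as.

variable "aws_profile" {
  # Assumed profile name: the one holding the CodeBuild/CodeConnections
  # permissions that were used when the source credential was imported.
  default = "codebuild-admin"
}

provider "aws" {
  region  = "eu-west-1"   # assumed; the issue does not state a region
  profile = var.aws_profile
}

# Diagnostic only. Runs `aws sts get-caller-identity` under the same profile
# the provider uses, so a differing account/role shows up in the apply log
# instead of as a second failed CreateWebhook call against GitHub's quota.
resource "terraform_data" "caller_identity_check" {
  # Re-run the check whenever the profile changes.
  triggers_replace = [var.aws_profile]

  provisioner "local-exec" {
    command = "aws sts get-caller-identity --output json"
    environment = {
      AWS_PROFILE = var.aws_profile
    }
  }
}

# Make the webhook wait for the check so the identity is logged first.
# The webhook body is the one from the report; only depends_on is added here.
resource "aws_codebuild_webhook" "example" {
  depends_on   = [terraform_data.caller_identity_check]
  project_name = aws_codebuild_project.test.name
  build_type   = "BUILD"
  filter_group {
    filter {
      type    = "EVENT"
      pattern = "WORKFLOW_JOB_QUEUED"
    }
  }
  scope_configuration {
    name  = "myorg"
    scope = "GITHUB_ORGANIZATION"
  }
}
```

Note that static AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY variables in the shell running terraform take precedence over AWS_PROFILE for both the provider and the CLI, so unset them (or verify they belong to the same principal) before comparing the two paths.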