search

integrations / terraform-provider-github

Terraform GitHub provider
https://www.terraform.io/docs/providers/github/
MIT License
900 stars 741 forks source link

`github_team` resource fails with `Error: this resource can only be used in the context of an organization, "foo" is a user` in v5.9.2 #1391

Open chamoisla opened 1 year ago

chamoisla commented 1 year ago 
    Still hitting this issue in 5.9.2 for the `github_team` resource.

Originally posted by @chamoisla in https://github.com/integrations/terraform-provider-github/issues/1373#issuecomment-1329370004

Terraform Version 1.1.3

Affected Resource(s) github_team If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

provider "github" {
  token    = var.token
  base_url = var.base_url
  owner    = var.owner
}

resource "github_team" "foo" {
  name           = var.name
  description    =  var.description
  privacy        = var.privacy
}

Debug Output

2022-11-28T08:54:21.183-0800 [DEBUG] provider.terraform-provider-github_v5.9.2: 2022/11/28 08:54:21 [DEBUG] Github API Request Details:
2022-11-28T08:54:21.183-0800 [DEBUG] provider.terraform-provider-github_v5.9.2: ---[ REQUEST ]---------------------------------------
2022-11-28T08:54:21.183-0800 [DEBUG] provider.terraform-provider-github_v5.9.2: GET /api/v3/orgs/myorgname HTTP/1.1
2022-11-28T08:54:21.183-0800 [DEBUG] provider.terraform-provider-github_v5.9.2: Host: REDACTED
2022-11-28T08:54:21.183-0800 [DEBUG] provider.terraform-provider-github_v5.9.2: User-Agent: go-github/v48.0.0
2022-11-28T08:54:21.183-0800 [DEBUG] provider.terraform-provider-github_v5.9.2: Accept: application/vnd.github.surtur-preview+json,application/vnd.github.stone-crop-preview+json
2022-11-28T08:54:21.183-0800 [DEBUG] provider.terraform-provider-github_v5.9.2: Accept-Encoding: gzip
2022-11-28T08:54:21.183-0800 [DEBUG] provider.terraform-provider-github_v5.9.2: 
2022-11-28T08:54:21.183-0800 [DEBUG] provider.terraform-provider-github_v5.9.2: 
2022-11-28T08:54:21.183-0800 [DEBUG] provider.terraform-provider-github_v5.9.2: -----------------------------------------------------
2022-11-28T08:54:51.183-0800 [DEBUG] provider.terraform-provider-github_v5.9.2: 2022/11/28 08:54:51 [INFO] Token present; configuring authenticated owner: myorgname
2022-11-28T08:54:51.187-0800 [DEBUG] ReferenceTransformer: "module.foo.github_team.bar" references: []
2022-11-28T08:54:51.206-0800 [ERROR] vertex "module.foo.github_team.bar" error: this resource can only be used in the context of an organization, "myorgname" is a user

Panic Output N/A

Expected Behavior Access should be refreshed, changes should be proposed by terraform plan

Actual Behavior terraform plan errors:

│ Error: this resource can only be used in the context of an organization, "foo" is a user
│ 
│   with module.foo.github_team.bar,
│   on modules/foor/bar.tf line 85, in resource "github_team" "foo":
│   85: resource "github_team" "foo" {

Steps to Reproduce

References

fosterm-mw commented 1 year ago

This is a different error than #1373 What permissions does your github token have in the organization? If this is a personal access token, your user needs to have correct privileges on your organization.

chamoisla commented 1 year ago

This is a different error than #1373 What permissions does your github token have in the organization? If this is a personal access token, your user needs to have correct privileges on your organization.

There are other PRs linked in #1373 with the same error. I believe my GitHub token is already over-permissive. Could you clarify minimum permissions required?

chamoisla commented 1 year ago

Working around with the local binary with fix noted above.

elliottpope commented 1 year ago

Looks like this is an issue introduced by a change to the GitHub REST API. The 5.9.1 and 5.9.2 changes did not break this functionality. The downstream go-github library is injecting its own custom header (https://github.com/google/go-github/blob/master/github/orgs.go#L213 and https://github.com/google/go-github/blob/master/github/github.go#L135) to use the surtur preview schema but clearly that preview has ended and users should now use just the vnd.github.v3.repository+json value.

A more general solution here would be for the go-github library to inject the application/vnd.github+json media type to every request (as recommended here) but in the meantime this can also be accomplished using the previewHeaderInjectorTransport

@chamoisla, you should find that 

client.Transport = newPreviewHeaderInjectorTransport(map[string]string{
   "Accept": "application/vnd.github.v3.repository+json,application/vnd.github.stone-crop-preview+json", // added both the v3.repository and stone crop schemas
}, client.Transport)

also fixes your problem

If I am understanding GitHub's docs correctly, 

client.Transport = newPreviewHeaderInjectorTransport(map[string]string{
   "Accept": "application/vnd.github+json,application/vnd.github.stone-crop-preview+json", // added both general GitHub schema and stone crop schema
}, client.Transport)

is the most general version of the solution

Please comment back here if either/both solution(s) do/do not work as it should inform what form the final fix should take and where it should be fixed

chamoisla commented 1 year ago

Looks like this is an issue introduced by a change to the GitHub REST API. The 5.9.1 and 5.9.2 changes did not break this functionality. The downstream go-github library is injecting its own custom header (https://github.com/google/go-github/blob/master/github/orgs.go#L213 and https://github.com/google/go-github/blob/master/github/github.go#L135) to use the surtur preview schema but clearly that preview has ended and users should now use just the vnd.github.v3.repository+json value.

A more general solution here would be for the go-github library to inject the application/vnd.github+json media type to every request (as recommended here) but in the meantime this can also be accomplished using the previewHeaderInjectorTransport

@chamoisla, you should find that

client.Transport = newPreviewHeaderInjectorTransport(map[string]string{
   "Accept": "application/vnd.github.v3.repository+json,application/vnd.github.stone-crop-preview+json", // added both the v3.repository and stone crop schemas
}, client.Transport)

also fixes your problem

If I am understanding GitHub's docs correctly,

client.Transport = newPreviewHeaderInjectorTransport(map[string]string{
   "Accept": "application/vnd.github+json,application/vnd.github.stone-crop-preview+json", // added both general GitHub schema and stone crop schema
}, client.Transport)

is the most general version of the solution

Please comment back here if either/both solution(s) do/do not work as it should inform what form the final fix should take and where it should be fixed

Thanks @elliottpope it looks like the comma separated list also works for me locally.

zukwung commented 1 year ago

@chamoisla is it possible to reopen this issue since it wasn't updated in the main branch so this is on the maintainers' radar? really appreciate you and @elliottpope putting in the elbow grease for the rest of us :)

elliottpope commented 1 year ago

@chamoisla and @zukwung the fix should ultimately be made on the go-github project (anything else would be a temporary workaround). You could make a corresponding issue on that project and link it here

After a fix is made on that project, then this issue would be closed by updating the dependency version

vegardx commented 1 year ago

I had similar issues with github_membership, using 5.11.0.

Quick workaround, just stick with an older version until this is fixed, unless you need resources recently introduced. Seems like the issues was introduced after 5.9.x, so I'm just pinning below that for now. 

terraform {
  required_providers {
    github = {
      source  = "integrations/github"
      version = ">= 5.8, < 5.9"
    }
  }
}
kfcampbell commented 1 year ago

@elliottpope or @chamoisla, do either of you have interest in opening up a PR to fix this behavior for the provider until a google/go-github fix is made?

thetimbecker commented 1 year ago

BEWARE: this error is very misleading. For us, it turns out our Personal Access Token just stopped working for some reason. We made a new token and everything started working again.

Seems like this has come up a lot: https://github.com/integrations/terraform-provider-github/search?q=in+the+context+of+an+organization+is+a+user&type=issues

Maybe this can be added to the README or something as a troubleshooting step?

davidham commented 9 months ago

I saw this just now, I have a module that creates a Github team. I was getting the this resource can only be used in the context of an organization, "foo" is a user error, but I was able to get past it by adding a required_providers block to the module. Hope this works for others!

kfcampbell commented 9 months ago

@davidham that can happen sometimes! Hopefully our documentation here is enough to point others in the right direction when that happens:

You must add a required_providers block to every module that will create resources with this provider. If you do not explicitly require integrations/github in a submodule, your terraform run may break in hard-to-troubleshoot ways.

niels-s commented 3 months ago

In my case, I regenerated my PAT Token, which magically fixed it, even though my existing one hadn't expired. I didn't need to edit the permissions of the token either. A simple regeneration was sufficient. 🤷‍♂️

The error message for this scenario is quite strange.