integrations / terraform-provider-github

Terraform GitHub provider
https://www.terraform.io/docs/providers/github/
MIT License

[MAINT]: plugin crashes trying to create actions runner group #1633

Closed jkruse14 closed 3 months ago

jkruse14 commented 1 year ago

Describe the need

I am trying to create an actions runner group using a GitHub App Token with Org Admin write permission:

provider "github" {
  owner = var.organization
  app_auth {
    id = var.github_app_id
    installation_id = var.github_installation_id
    pem_file = base64decode(jsondecode(data.aws_secretsmanager_secret_version.github_app_private_key.secret_string)["privateKey"])
  }
}

data "github_repository" "terraform_aws_github_self_hosted_runners" {
  full_name = "my-repo"
}

resource "github_actions_runner_group" "team_groups" {
  name       = "DI_OPERATIONS"
  visibility = "selected"
  selected_repository_ids = [data.github_repository.terraform_aws_github_self_hosted_runners.repo_id]
}

This results in:

╷
│ Error: Plugin did not respond
│ 
│   with github_actions_runner_group.team_groups,
│   on main.tf line 128, in resource "github_actions_runner_group" "team_groups":
│  128: resource "github_actions_runner_group" "team_groups" {
│ 
│ The plugin encountered an error, and failed to respond to the
│ plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may
│ contain more details.
╵

Stack trace from the terraform-provider-github_v5.18.3 plugin:

panic: interface conversion: interface {} is []interface {}, not []string

goroutine 31 [running]:
github.com/integrations/terraform-provider-github/v5/github.resourceGithubActionsRunnerGroupCreate(0x1086bc0?, {0xff4b60?, 0xc00028ad40})
    github.com/integrations/terraform-provider-github/v5/github/resource_github_actions_runner_group.go:103 +0x9ca
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Resource).Apply(0xc0006fd220, 0xc00093bc70, 0xc000947020, {0xff4b60, 0xc00028ad40})
    github.com/hashicorp/terraform-plugin-sdk@v1.17.2/helper/schema/resource.go:320 +0x438
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Provider).Apply(0xc00004aa00, 0xc0008938c8, 0x123e0ca?, 0xf?)
    github.com/hashicorp/terraform-plugin-sdk@v1.17.2/helper/schema/provider.go:294 +0x70
github.com/hashicorp/terraform-plugin-sdk/internal/helper/plugin.(*GRPCProviderServer).ApplyResourceChange(0xc00000ec30, {0xc00094ad20?, 0x4b8786?}, 0xc00094ad20)
    github.com/hashicorp/terraform-plugin-sdk@v1.17.2/internal/helper/plugin/grpc_provider.go:895 +0x7c5
github.com/hashicorp/terraform-plugin-sdk/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x11e7880?, 0xc00000ec30}, {0x1583180, 0xc0009639b0}, 0xc00094acb0, 0x0)
    github.com/hashicorp/terraform-plugin-sdk@v1.17.2/internal/tfplugin5/tfplugin5.pb.go:3305 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0000001e0, {0x1586d48, 0xc0002991e0}, 0xc0009667e0, 0xc000375050, 0x1d72c40, 0x0)
    google.golang.org/grpc@v1.50.1/server.go:1340 +0xd13
google.golang.org/grpc.(*Server).handleStream(0xc0000001e0, {0x1586d48, 0xc0002991e0}, 0xc0009667e0, 0x0)
    google.golang.org/grpc@v1.50.1/server.go:1713 +0xa1b
google.golang.org/grpc.(*Server).serveStreams.func1.2()
    google.golang.org/grpc@v1.50.1/server.go:965 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
    google.golang.org/grpc@v1.50.1/server.go:963 +0x28a

Error: The terraform-provider-github_v5.18.3 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Operation failed: failed running terraform apply (exit 1)
Error: Terraform exited with code 1.
Error: Process completed with exit code 1.

SDK Version

terraform-provider-github_v5.18.3

API Version

No response


michaelb38 commented 1 year ago

We are also facing this blocking issue with version 5.22.0.

EDIT: after better analysis, the issue we face is in fact https://github.com/integrations/terraform-provider-github/issues/1524. As a temporary workaround, we had to downgrade to release 5.14.0.

Stack trace from the terraform-provider-github_v5.22.0 plugin:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x48 pc=0xf6586d]

goroutine 32 [running]:
github.com/integrations/terraform-provider-github/v5/github.resourceGithubActionsRunnerGroupRead(0xc0007ca8c0, {0x1049ee0?, 0xc000550980?})
    github.com/integrations/terraform-provider-github/v5/github/resource_github_actions_runner_group.go:210 +0x82d
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Resource).RefreshWithoutUpgrade(0xc000549400, 0xc000892c80, {0x1049ee0, 0xc000550980})
    github.com/hashicorp/terraform-plugin-sdk@v1.17.2/helper/schema/resource.go:470 +0x1aa
github.com/hashicorp/terraform-plugin-sdk/internal/helper/plugin.(*GRPCProviderServer).ReadResource(0xc00000e998, {0xc000114960?, 0x4b8786?}, 0xc000114960)
    github.com/hashicorp/terraform-plugin-sdk@v1.17.2/internal/helper/plugin/grpc_provider.go:535 +0x34b
github.com/hashicorp/terraform-plugin-sdk/internal/tfplugin5._Provider_ReadResource_Handler({0x12437c0?, 0xc00000e998}, {0x15e9260, 0xc000a68ba0}, 0xc0007ca3f0, 0x0)
    github.com/hashicorp/terraform-plugin-sdk@v1.17.2/internal/tfplugin5/tfplugin5.pb.go:3269 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0001ca000, {0x15ed128, 0xc000029380}, 0xc00056d7a0, 0xc0002056e0, 0x1e095d0, 0x0)
    google.golang.org/grpc@v1.50.1/server.go:1340 +0xd13
google.golang.org/grpc.(*Server).handleStream(0xc0001ca000, {0x15ed128, 0xc000029380}, 0xc00056d7a0, 0x0)
    google.golang.org/grpc@v1.50.1/server.go:1713 +0xa1b
google.golang.org/grpc.(*Server).serveStreams.func1.2()
    google.golang.org/grpc@v1.50.1/server.go:965 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
    google.golang.org/grpc@v1.50.1/server.go:963 +0x28a

Error: The terraform-provider-github_v5.22.0 plugin crashed!

kfcampbell commented 1 year ago

Could you please provide a small reproducible example?

jkruse14 commented 1 year ago

This should get you what you need.

provider "github" {
  owner = var.organization
  app_auth {
    id = var.github_app_id
    installation_id = var.github_installation_id
    pem_file = var.pem_file_content
  }
}

data "github_repository" "terraform_aws_github_self_hosted_runners" {
  full_name = var.repo_name
}

resource "github_actions_runner_group" "team_groups" {
  name       = var.runner_group_name
  visibility = "selected"
  selected_repository_ids = [data.github_repository.terraform_aws_github_self_hosted_runners.repo_id]
}

Can you confirm permissions needed by the GITHUB_TOKEN to create a runner group? Maybe I didn't set that correctly?

kfcampbell commented 1 year ago

Thank you. According to these docs, the required permissions scope is manage_runners:enterprise.

Regardless, it would be nice if the provider could handle these situations more gracefully.
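
The first stack trace in this thread ends in the message Go's runtime produces when a single-value type assertion to `[]string` is applied to a value that actually holds `[]interface{}`. The following is an added example, not the provider's code and not part of the thread: it reproduces that message and shows a checked conversion that returns an error instead of crashing the plugin process. The helper names `uncheckedStrings`, `toStrings` and `panicMessage` and the sample list are assumptions made for illustration.

```go
package main

import "fmt"

// uncheckedStrings uses a single-value type assertion, the pattern that
// yields the panic text in the trace. Hypothetical helper, not provider code.
func uncheckedStrings(v interface{}) []string {
	return v.([]string) // panics when v holds []interface{}
}

// toStrings (hypothetical) converts a loosely typed list to []string and
// reports a mismatch as an error the caller can surface as a diagnostic.
func toStrings(v interface{}) ([]string, error) {
	switch list := v.(type) {
	case nil:
		return nil, nil // attribute not set
	case []string:
		return list, nil
	case []interface{}:
		out := make([]string, 0, len(list))
		for i, item := range list {
			s, ok := item.(string) // comma-ok form never panics
			if !ok {
				return nil, fmt.Errorf("element %d: expected string, got %T", i, item)
			}
			out = append(out, s)
		}
		return out, nil
	default:
		return nil, fmt.Errorf("expected a list of strings, got %T", v)
	}
}

// panicMessage runs f and returns the recovered panic text, or "" if f returns.
func panicMessage(f func()) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	f()
	return ""
}

func main() {
	decoded := []interface{}{"123", "456"} // constructed sample value
	fmt.Println(panicMessage(func() { uncheckedStrings(decoded) }))
	fmt.Println(toStrings(decoded))
}
```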

jkruse14 commented 1 year ago

> Thank you. According to these docs, the required permissions scope is manage_runners:enterprise.
>
> Regardless, it would be nice if the provider could handle these situations more gracefully.

What does that translate to in the permissions for the token on the runner set in the permissions block of the action yaml? The permissions I'm referring to can be found here

kfcampbell commented 1 year ago

The default token on the runner does not have enterprise scopes available. In order to manipulate enterprise-level resources, you'll need a personal access token or a GitHub App.

jkruse14 commented 1 year ago

> The default token on the runner does not have enterprise scopes available. In order to manipulate enterprise-level resources, you'll need a personal access token or a GitHub App.

But these runners are at the Org level

kfcampbell commented 1 year ago

Oh, my mistake. In that case, the required permissions are admin:org.

jkruse14 commented 1 year ago

Perhaps I was thinking about this incorrectly. I'm using app_auth with the github terraform integration. The app has the following permissions:

Repositories:
  Actions: read
  meta-data: read

Organizations

Am I missing something here?

jkruse14 commented 1 year ago

Oh, I just saw that apps don't support all endpoints. It looks like runner groups are not supported, unless I missed it here

kfcampbell commented 1 year ago

Oh gosh, you're right, that's obnoxious. Perhaps we should document that in the provider as well in the hope of reducing confusion.

jkruse14 commented 1 year ago

I've confirmed this works when using a fine-grained access token!
