integrations / terraform-provider-github

Terraform GitHub provider
https://www.terraform.io/docs/providers/github/
MIT License

[BUG]: Terraform apply fails for creating GitHub resources via app_auth by error: 403 Resource not accessible by integration [] #2289

Open MinaFarrokhnia-BYM opened 3 weeks ago

MinaFarrokhnia-BYM commented 3 weeks ago

Expected Behavior

github_repository.github_repository: Creation complete

Actual Behavior

github_repository.github_repository: Creating...
╷
│ Error: POST https://api.github.com/orgs/MY-ORG/repos: 403 Resource not accessible by integration []

Terraform Version

Terraform v1.8.5 on darwin_arm64

Affected Resource(s)

Terraform Configuration Files

terraform {
  backend "s3" {
    key = "github/repository/terraform.tfstate"
  }
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    github = {
      source  = "integrations/github"
      version = "~> 6.0"
    }
  }
  required_version = ">= 1.8.3"
}

provider "aws" {
  region  = var.region
  profile = var.aws_profile
  default_tags {
    tags = module.tags.tags
  }
}

provider "github" {
  owner = "MY-ORG"
  app_auth {
    id              = "56789"
    installation_id = "12345"
    pem_file        = file("private-key.pem")
  }
}

resource "github_repository" "github_repository" {
  name        = "github_app_example"
  description = "A repository created using GitHub App authentication"
}

I have tried using environment variables as well, by adding these variables under the GitHub Actions pipeline; however, I got the same error:

terraform:

provider "github" {
  owner = "MY-ORG"
  app_auth {
  }
}

Workflow:

jobs:
  plan:
    name: Terraform Apply
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
      pull-requests: write
    env:
      GITHUB_APP_ID: ${{ secrets.APP_ID_GITHUB }}
      GITHUB_APP_INSTALLATION_ID: ${{ secrets.APP_INSTALLATION_ID_GITHUB }}
      GITHUB_APP_PEM_FILE: ${{ secrets.APP_PEM_FILE_GITHUB }}
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      GIT_SSH_KEY: ${{ secrets.AWS_GIT_ACTION_SSH_KEY }}
    steps:

Steps to Reproduce

The GitHub App has these permissions to create repositories, teams, users, branch_protection, etc.:

Repository Permissions:
Repository administration: read & write (for creating and managing repositories)
Contents: read & write (for initializing repositories)

Organization Permissions:
Members: read (for accessing team information)
Administration: read & write 

However, it fails on apply.

$ terraform apply

Debug Output

github_repository.github_repository: Creating...
╷
│ Error: POST https://api.github.com/orgs/MY-ORG/repos: 403 Resource not accessible by integration []

Panic Output

No response


nnellanspdl commented 3 weeks ago

What if you try to use the GITHUB_APP_PEM_FILE environment variable instead of the pem_file setting under the provider block?

Check #2242 , I know they're using a different type of auth (token), but setting the value via env var seemed to fix it for them.

MinaFarrokhnia-BYM commented 2 weeks ago

What if you try to use the GITHUB_APP_PEM_FILE environment variable instead of the pem_file setting under the provider block?

Check #2242 , I know they're using a different type of auth (token), but setting the value via env var seemed to fix it for them.

Thanks for the comment. I have tried it using environment variable but got the same error message. The token works fine for me, however I would like to make use of GitHub App instead.

nnellanspdl commented 2 weeks ago

I would also like to transition to App auth, so I will be following this thread.

nnellanspdl commented 2 weeks ago

Thanks for the comment. I have tried it using environment variable but got the same error message. The token works fine for me, however I would like to make use of GitHub App instead.

2 more things I'm curious about:

Can you try setting GITHUB_OWNER env var?

For the App Installation ID that you're using ... it's installed to repos in the same org where you're trying to create a new repo, right?
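The questions the thread keeps returning to (is the PEM the key registered for that App ID, is the installation on MY-ORG rather than on a user account, and does it carry the repository Administration: write permission that POST /orgs/{org}/repos requires) can be checked outside Terraform. The Go program below is an added example written for this page; it is not code from the provider, from GitHub, or from anyone in this thread. The function names (ParseAppKey, BuildAppJWT, VerifyAppJWT, InstallationFindings) are its own, the App ID 56789 and owner MY-ORG are taken from the report as placeholders, and demoInstallation is a hand-constructed body in the shape of GET /app/installations/{installation_id}, not a response captured from GitHub.

```go
// Added example (not the provider's or GitHub's code): exercises the app_auth
// inputs outside Terraform so a 403 can be narrowed down before another apply.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
	"time"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ParseAppKey reads the PKCS#1 "RSA PRIVATE KEY" PEM GitHub issues for an App.
// The provider's pem_file takes the key text, so a file path decodes to nil here.
func ParseAppKey(pemText []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemText)
	if block == nil || block.Type != "RSA PRIVATE KEY" {
		return nil, fmt.Errorf("expected a PEM block of type RSA PRIVATE KEY")
	}
	return x509.ParsePKCS1PrivateKey(block.Bytes)
}

// BuildAppJWT mints the App-level JWT (RS256, iss = App ID, never the installation
// ID). iat is back-dated 60 s for clock skew; exp stays under GitHub's 10 min cap.
func BuildAppJWT(key *rsa.PrivateKey, appID string, now time.Time) (string, error) {
	claims, _ := json.Marshal(map[string]any{
		"iss": appID,
		"iat": now.Add(-60 * time.Second).Unix(),
		"exp": now.Add(9 * time.Minute).Unix(),
	})
	input := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyAppJWT checks the RS256 signature against a public key and returns the
// claims. Local sanity check only: whether GitHub has this key on file for the
// App ID is answered by GET /app with the token (a 401 means it does not).
func VerifyAppJWT(token string, pub *rsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // garbage fails verification below
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	raw, _ := base64.RawURLEncoding.DecodeString(parts[1])
	var claims map[string]any
	return claims, json.Unmarshal(raw, &claims)
}

// InstallationFindings reads a GET /app/installations/{installation_id} body
// and lists mismatches against the provider's owner; empty means consistent.
func InstallationFindings(body []byte, owner string) ([]string, error) {
	var in struct {
		Account     struct{ Login, Type string } `json:"account"`
		Permissions map[string]string            `json:"permissions"`
	}
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, err
	}
	var f []string
	if !strings.EqualFold(in.Account.Login, owner) {
		f = append(f, fmt.Sprintf("installed on %q, provider owner is %q", in.Account.Login, owner))
	}
	if in.Account.Type != "Organization" {
		f = append(f, "installed on a user account; POST /orgs/{org}/repos needs an org installation")
	}
	if in.Permissions["administration"] != "write" {
		f = append(f, "repository Administration permission is not write; repository creation needs it")
	}
	return f, nil
}

// demoInstallation is constructed in the API's shape, not captured from GitHub.
var demoInstallation = []byte(`{"id": 12345, "app_id": 56789, "account": {"login": "some-user", "type": "User"},
 "permissions": {"administration": "read", "contents": "write", "members": "read"}}`)

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway stand-in for private-key.pem
	tok, _ := BuildAppJWT(key, "56789", time.Now())
	claims, err := VerifyAppJWT(tok, &key.PublicKey)
	fmt.Println("jwt verifies locally:", err == nil, "iss:", claims["iss"])
	findings, _ := InstallationFindings(demoInstallation, "MY-ORG")
	for _, line := range findings {
		fmt.Println("finding:", line)
	}
}
```

To run it against a real App, feed the contents of the PEM (the same value you put in GITHUB_APP_PEM_FILE) to ParseAppKey, build the JWT with the real App ID, and call GET https://api.github.com/app/installations/<installation_id> with `Authorization: Bearer <jwt>` and `Accept: application/vnd.github+json`; a 401 there means the PEM and App ID do not belong together before permissions even enter the picture, while a 200 body handed to InstallationFindings shows whether the installation is on the org named in `owner` and carries Administration: write. The constructed demo body deliberately fails all three checks so the output shows what each finding looks like.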