Terraform GitHub provider
https://www.terraform.io/docs/providers/github/
MIT License

[BUG]: integration_id value returns difference that can't be ignored #2317

Open strachg opened 1 month ago

strachg commented 1 month ago

Expected Behavior

When using the github_repository_ruleset and enabling the required_status_checks with a required_check config block, the integration_id is an optional value. When a required_check is configured with only the context value provided, the integration_id should be ignored.

  rules {
    required_status_checks {
      required_check {
        context = "context1"
      }
    }
  }

Actual Behavior

When using the github_repository_ruleset and enabling the required_status_checks, if the integration_id is not supplied, once the value is updated on the GitHub side (if you have something like GitHub Advanced Security), the terraform plan results show that the integration_id has been updated. A limitation of the lifecycle ignore_changes argument means that this value can't be ignored without ignoring all required_check blocks that have been configured.

      ~ rules {
            # (7 unchanged attributes hidden)

          ~ required_status_checks {
                # (1 unchanged attribute hidden)

              - required_check {
                  - context        = "CodeQL" -> null
                  - integration_id = 57789 -> null
                }
              + required_check {
                  + context        = "CodeQL"
                  + integration_id = 0
                }
            }

            # (1 unchanged block hidden)
        }

        # (2 unchanged blocks hidden)

If the value returned on subsequent terraform plan executions is used initially when creating the required_check, the following error is returned.

module.[redacted].github_repository_ruleset.main[0]: Modifying... [id=1154071]
╷
│ Error: PUT https://api.github.com/repos/[org]/[redacted]/rulesets/1154071: 422 Validation Failed [{Resource: Field: Code: Message:Invalid rules: 'Required status checks'}]
│ 
│   with module.[redacted].github_repository_ruleset.main[0],
│   on modules/github-repository/main.tf line 48, in resource "github_repository_ruleset" "main":
│   48: resource "github_repository_ruleset" "main" {
│ 
╵

Terraform Version

Terraform v1.9.2 on darwin_arm64

Affected Resource(s)

Terraform Configuration Files

variable "branch_protection_required_status_checks" {
  type        = map(string)
  description = "List of strings mapping to status checks that must pass for a protected branch merge"
  default = {
    CodeQL = 0
  }
}

variable "branch_protection_enabled" {
  type        = bool
  description = "Protects the main branch from a number of possible sources of corruption"
  default     = false
}

resource "github_repository" "main" {
  name                   = var.name
  description            = var.description
  visibility             = "private"
  delete_branch_on_merge = var.delete_branch_on_merge
  vulnerability_alerts   = true
  has_downloads          = false // Deprecated
  has_issues             = var.has_issues
  has_projects           = var.has_projects
  has_wiki               = var.has_wiki
}

resource "github_repository_ruleset" "main" {
  count       = var.branch_protection_enabled ? 1 : 0
  name        = "main-branch-protection"
  repository  = github_repository.main.name
  target      = "branch"
  enforcement = "active"

  conditions {
    ref_name {
      include = ["~DEFAULT_BRANCH"]
      exclude = []
    }
  }

  bypass_actors {
    actor_id    = [redacted]
    actor_type  = "Team"
    bypass_mode = "always"
  }

  rules {
    creation                = true
    non_fast_forward        = true
    update                  = false
    deletion                = true
    required_linear_history = true
    required_signatures     = true

    pull_request {
      dismiss_stale_reviews_on_push     = false
      require_code_owner_review         = false
      require_last_push_approval        = false
      required_approving_review_count   = 1
      required_review_thread_resolution = true
    }

    required_status_checks {
      strict_required_status_checks_policy = true

      dynamic "required_check" {
        for_each = var.branch_protection_required_status_checks
        content {
          context        = required_check.key
          integration_id = required_check.value
        }
      }
    }
  }

}

Steps to Reproduce

No response

Debug Output

No response

Panic Output

No response

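One way to triage this drift in CI until the provider handles it, as an added example that is not part of this issue or of the provider's code: a Python check that reads `terraform show -json <planfile>` output and reports whether a github_repository_ruleset update is only the integration_id churn described above or a real change to the required checks. It assumes Terraform's plan JSON layout with nested blocks rendered as lists and uses a constructed sample plan; the distinction matters because a check that disappears from the ruleset weakens branch protection and should not be waved through as noise.

```python
import copy
import json

# Constructed sample of `terraform show -json <planfile>` output, trimmed to the fields this
# check needs (built for this example, not captured from the reporter's environment).
SAMPLE_PLAN = json.dumps({"resource_changes": [{
    "address": "module.repo.github_repository_ruleset.main[0]",
    "type": "github_repository_ruleset",
    "change": {
        "actions": ["update"],
        "before": {"name": "main-branch-protection", "rules": [{"required_status_checks": [
            {"required_check": [{"context": "CodeQL", "integration_id": 57789}]}]}]},
        "after": {"name": "main-branch-protection", "rules": [{"required_status_checks": [
            {"required_check": [{"context": "CodeQL", "integration_id": 0}]}]}]},
    }}]})


def _required_checks(ruleset):
    """Yield every required_check block object inside a ruleset object from the plan JSON."""
    for rule in ruleset.get("rules") or []:
        for rsc in rule.get("required_status_checks") or []:
            yield from rsc.get("required_check") or []


def _scrub_integration_id_noise(before, after):
    """Return a copy of `after` whose integration_id matches `before` for any context where
    either side left it unset (0 or null). Whatever still differs afterwards is a real change."""
    before_ids = {rc["context"]: rc.get("integration_id") for rc in _required_checks(before)}
    patched = copy.deepcopy(after)
    for rc in _required_checks(patched):
        ctx = rc["context"]
        if ctx in before_ids and (rc.get("integration_id") in (0, None)
                                  or before_ids[ctx] in (0, None)):
            rc["integration_id"] = before_ids[ctx]
    return patched


def classify_ruleset_drift(plan_json):
    """Map each planned github_repository_ruleset update to 'noise' (only a server-assigned
    integration_id differs from a locally unset one) or 'real' (anything else changed, e.g. a
    required check was dropped or renamed, which needs a human look before apply)."""
    verdicts = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc["change"]
        if rc["type"] != "github_repository_ruleset" or "update" not in change["actions"]:
            continue
        before, after = change["before"] or {}, change["after"] or {}
        patched = _scrub_integration_id_noise(before, after)
        verdicts[rc["address"]] = "noise" if patched == before else "real"
    return verdicts
```

Run it against a saved plan with `terraform show -json tfplan | python3 -c '...'`, or fail the pipeline only when some address is classified as "real".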
leonfibal commented 1 month ago

I have a problem which seems to be connected with yours. I can't apply a plan with an integration_id other than 0 because of the same error (422 error code). Were you able to use a non-0 integration_id, @strachg?