Open eherde opened 1 week ago
We've also run into this where we use the terraform provider to create a new repo and add some branch protections.
On adding a new repo with org wide GHAS enforcement on, Terraform exits with the 422 error above having partially done the create repo operation & more concerning, it tainted that particular github_repository resource. Worst case, that could lead to a repo being destroyed and re-created. In our case it was brand new so it was empty anyway, and we block deletes of repos, but this could really be dangerous for some.
@kfcampbell To avoid this scenario, we can include the security_and_analysis object in the payload only when changes have been made to it. Here's what the change would look like. What do you think about this approach?
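The approach proposed in the comment above (send security_and_analysis only when it has changed), as an added example that is not part of the thread or the provider's own code. RepoState, updatePayload and BuildUpdatePayload are hypothetical names, and only two sub-settings of the object are modelled.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// Status and SecurityAndAnalysis model two sub-settings of the API's
// security_and_analysis object (constructed subset for this example).
type Status struct {
	Status string `json:"status"`
}

type SecurityAndAnalysis struct {
	AdvancedSecurity *Status `json:"advanced_security,omitempty"`
	SecretScanning   *Status `json:"secret_scanning,omitempty"`
}

// RepoState is a hypothetical stand-in for the resource's prior or planned state.
type RepoState struct {
	AllowRebaseMerge    bool
	SecurityAndAnalysis *SecurityAndAnalysis
}

// updatePayload is the update request body; a nil pointer plus omitempty
// drops security_and_analysis from the JSON entirely.
type updatePayload struct {
	AllowRebaseMerge    bool                 `json:"allow_rebase_merge"`
	SecurityAndAnalysis *SecurityAndAnalysis `json:"security_and_analysis,omitempty"`
}

// BuildUpdatePayload sends security_and_analysis only when the planned value
// differs from the prior state; unrelated changes leave it out of the request.
func BuildUpdatePayload(prior, planned RepoState) ([]byte, error) {
	p := updatePayload{AllowRebaseMerge: planned.AllowRebaseMerge}
	if !reflect.DeepEqual(prior.SecurityAndAnalysis, planned.SecurityAndAnalysis) {
		p.SecurityAndAnalysis = planned.SecurityAndAnalysis
	}
	return json.Marshal(p)
}

func main() {
	sa := &SecurityAndAnalysis{AdvancedSecurity: &Status{Status: "enabled"}}
	prior := RepoState{AllowRebaseMerge: false, SecurityAndAnalysis: sa}
	planned := RepoState{AllowRebaseMerge: true, SecurityAndAnalysis: sa}
	body, err := BuildUpdatePayload(prior, planned)
	fmt.Println(string(body), err)
}
```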
Expected Behavior
We have been using the github_repository resource for some time. We recently signed up for GHAS, and enabled enforcement on our repos. We expect that an apply of a plan like the following should succeed:
Actual Behavior
The first time the terraform runs with an expected change, we get the following error:
After this run, manual inspection in the UI shows that the change is applied (in this case, allowing rebase and merge). The next run of the terraform rightfully detects that there are no changes:
Note that if I disable enforcement of GHAS and run the terraform apply again when there are pending changes (in this example, toggling allow_rebase_merge between true and false), then the apply succeeds with no errors.
Terraform Version
Terraform v1.9.3 on darwin_amd64
Affected Resource(s)
Terraform Configuration Files
No response
Steps to Reproduce
$ terraform apply
Debug Output
No response
Panic Output
No response