
Terraform GitHub provider
https://www.terraform.io/docs/providers/github/
MIT License

[BUG]: github_repository: 422 An enforced security configuration prevented modifying advanced security enablement. #2383

Open eherde opened 1 week ago

eherde commented 1 week ago

Expected Behavior

We have been using the github_repository resource for some time. We recently signed up for GHAS, and enabled enforcement on our repos.

We expect that an apply of a plan like the following should succeed:

terraform apply -target module.repo.github_repository.repo
…
  # module.repo.github_repository.repo will be updated in-place
  ~ resource "github_repository" "repo" {
      ~ allow_rebase_merge          = false -> true
        id                          = "myrepo"
        name                        = "myrepo"
        # (33 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
…

Actual Behavior

The first time the terraform runs with an expected change, we get the following error:

│ Error: PATCH https://api.github.com/repos/groq/myrepo: 422 An enforced security configuration prevented modifying advanced security enablement. Contact your organization owner for details. []

After this run, manual inspection in the UI shows that the change is applied (in this case, allowing rebase and merge). The next run of the terraform rightfully detects that there are no changes:

No changes. Your infrastructure matches the configuration.

Note that if I disable enforcement of GHAS and run the terraform apply again when there are pending changes (in this example, toggling allow_rebase_merge between true and false), then the apply succeeds with no errors.

Terraform Version

Terraform v1.9.3 on darwin_amd64

Affected Resource(s)

Terraform Configuration Files

No response

Steps to Reproduce

$ terraform apply

Debug Output

No response

Panic Output

No response

Code of Conduct

sgsollie commented 4 days ago

We've also run into this where we use the terraform provider to create a new repo and add some branch protections.

On adding a new repo with org-wide GHAS enforcement on, Terraform exits with the 422 error above, having partially done the create-repo operation, and, more concerning, it tainted that particular github_repository resource. Worst case, that could lead to a repo being destroyed and re-created. In our case it was brand new, so it was empty anyway, and we block deletes of repos, but this could really be dangerous for some.

jamestran201 commented 1 day ago

@kfcampbell To avoid this scenario, we can include the security_and_analysis object in the payload only when changes have been made to it. Here's what the change would look like. What do you think about this approach?
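To make the proposed approach concrete, here is an added Go example. It is not the provider's code: it uses hand-rolled structs instead of go-github, and RepoState, StatusFor and the two builder functions are assumptions made for illustration. It contrasts a builder that always sends security_and_analysis with one that sends it only when prior and planned state differ. With a constructed state where GHAS is enabled and only allow_rebase_merge flips (the case from this issue), the first body still carries the block an enforced configuration will reject, while the second omits it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"strings"
)

// Status mirrors the {"status": "enabled"|"disabled"} objects that GitHub
// returns inside security_and_analysis.
type Status struct {
	Status string `json:"status"`
}

// SecurityAndAnalysis is a reduced stand-in for the REST API object. Nil
// pointers are dropped by omitempty, which is what lets a builder express
// "do not touch this setting at all".
type SecurityAndAnalysis struct {
	AdvancedSecurity *Status `json:"advanced_security,omitempty"`
	SecretScanning   *Status `json:"secret_scanning,omitempty"`
}

// RepoPatch is the body of PATCH /repos/{owner}/{repo}, reduced to the two
// attributes this thread is about. The real provider sends many more.
type RepoPatch struct {
	AllowRebaseMerge    *bool                `json:"allow_rebase_merge,omitempty"`
	SecurityAndAnalysis *SecurityAndAnalysis `json:"security_and_analysis,omitempty"`
}

// RepoState is a hypothetical stand-in for Terraform's prior state (what the
// API last reported) and planned state (what the configuration asks for).
type RepoState struct {
	AllowRebaseMerge    bool
	SecurityAndAnalysis SecurityAndAnalysis
}

// StatusFor converts a boolean into the API's enabled/disabled object.
func StatusFor(on bool) *Status {
	if on {
		return &Status{Status: "enabled"}
	}
	return &Status{Status: "disabled"}
}

// BuildPatchAlways reproduces the shape that triggers the 422: the planned
// security_and_analysis block rides along in every PATCH, even when only
// allow_rebase_merge changed, so an org-enforced configuration rejects it.
func BuildPatchAlways(prior, planned RepoState) RepoPatch {
	sa := planned.SecurityAndAnalysis
	return RepoPatch{
		AllowRebaseMerge:    &planned.AllowRebaseMerge,
		SecurityAndAnalysis: &sa,
	}
}

// BuildPatchIfChanged follows the approach proposed above: the block is
// attached only when prior and planned disagree, so a plan that leaves GHAS
// settings alone never asks the API to modify them.
func BuildPatchIfChanged(prior, planned RepoState) RepoPatch {
	p := RepoPatch{AllowRebaseMerge: &planned.AllowRebaseMerge}
	if !reflect.DeepEqual(prior.SecurityAndAnalysis, planned.SecurityAndAnalysis) {
		sa := planned.SecurityAndAnalysis
		p.SecurityAndAnalysis = &sa
	}
	return p
}

// SendsSecurityBlock encodes the PATCH body a builder would produce and
// reports whether it carries a security_and_analysis key.
func SendsSecurityBlock(build func(RepoState, RepoState) RepoPatch, prior, planned RepoState) (bool, error) {
	body, err := json.Marshal(build(prior, planned))
	if err != nil {
		return false, err
	}
	return strings.Contains(string(body), `"security_and_analysis"`), nil
}

func main() {
	// Constructed sample: GHAS is on, and the plan only flips
	// allow_rebase_merge, exactly the case from the issue.
	prior := RepoState{
		AllowRebaseMerge: false,
		SecurityAndAnalysis: SecurityAndAnalysis{
			AdvancedSecurity: StatusFor(true),
			SecretScanning:   StatusFor(true),
		},
	}
	planned := prior
	planned.AllowRebaseMerge = true

	for name, build := range map[string]func(RepoState, RepoState) RepoPatch{
		"always":     BuildPatchAlways,
		"if-changed": BuildPatchIfChanged,
	} {
		body, _ := json.Marshal(build(prior, planned))
		fmt.Printf("%-10s %s\n", name, body)
	}
}
```

The comparison is against prior state rather than against the configuration alone, because the prior state is what the API last reported; a PATCH that omits the block never asks GitHub to modify an enforced setting, so the 422 (and the partial apply and tainted resource described above) cannot arise from an unrelated attribute change.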