integrations / terraform-provider-github

Terraform GitHub provider
https://www.terraform.io/docs/providers/github/
MIT License

`vulnerability_alerts` set to true does not enable "Dependabot security updates" #588

Open blt opened 3 years ago

blt commented 3 years ago

Terraform Version

terraform -v
Terraform v0.12.25
+ provider.github v3.1.0
+ provider.google v3.33.0
+ provider.google-beta v3.33.0
+ provider.random v2.3.1
+ provider.template v2.2.0

Your version of Terraform is out of date! The latest version
is 0.13.5. You can update by downloading from https://www.terraform.io/downloads.html

Affected Resource(s)

github_repository

Terraform Configuration Files

resource "github_repository" "repo" {
  name        = var.repo_name
  description = var.repo_description
  visibility  = "private"

  has_issues    = false
  has_projects  = false
  has_wiki      = false
  has_downloads = false

  delete_branch_on_merge = true
  allow_merge_commit     = false
  is_template            = var.template
  vulnerability_alerts   = true # the setting this issue is about

  auto_init      = var.repo_auto_init
  default_branch = var.repo_default_branch

  # only emit a template block when a template repository was given
  dynamic "template" {
    for_each = var.repo_template != "" ? [1] : []
    content {
      repository = var.repo_template
      owner      = "goodwatercap"
    }
  }
}

Expected Behavior

When flagging vulnerability_alerts to true we expect the following to be enabled:

Actual Behavior

When flagging vulnerability_alerts to true, only the following were enabled:

Steps to Reproduce

  1. Flag a github_repository with vulnerability_alerts to true.
  2. terraform apply
  3. Confirm at https://github.com/ORG/REPO/settings/security_analysis that "Dependabot security updates" is not enabled.

Important Factoids

Nothing unusual.

References

None.

SanderKnape commented 3 years ago

I just ran into this issue as well, though what I'm seeing is slightly different from what blt is reporting.

Creating a new repository with vulnerability_alerts: true will only enable Dependabot security updates. The other two options are not enabled.

Running Terraform again will show vulnerability_alerts = false -> true. After applying this, all three options are enabled.

What makes it more interesting is that we enabled these settings on the organization level. So I would expect these settings to be enabled regardless from what I specify in Terraform (see screenshot below).

I'm testing this with private repositories.

[screenshot: organization-level security settings, with the options enabled for new repositories]

gionn commented 3 years ago

What makes it more interesting is that we enabled these settings on the organization level. So I would expect these settings to be enabled regardless from what I specify in Terraform (see screenshot below).

The option says "for new repositories", so it serves as a default value for new repositories and not as an override for the existing ones.

SanderKnape commented 3 years ago

Correct. I'm testing this on a newly-created repository through this Terraform provider. So I expect the setting to be enabled.

jspiro commented 3 years ago

I am seeing the same. If you re-apply it will correct the bug-induced drift. Not ideal, but at least eventually consistent.

kfcampbell commented 3 years ago

I've looked at this a tiny bit and I believe that setting is applied by this API. There's a helper function to set that vendored into this project, but it's currently unreferenced. I haven't tested calling that yet.

Perhaps it'd be appropriate to add this as a new feature with its own syntax, separate from vulnerability_alerts? I wonder how/if that'd conflict with organization settings to enable it by default.

charmingnewt commented 2 years ago

Hey @kfcampbell - I was poking around this one and it seems there's a missing "Check if automated security fixes are enabled for a repository" API, analogous to this one for vulnerability alerts. Any thoughts on that? I'm looking to contribute here (and also to google/go-github) but hit a wall on the GitHub API. Thanks.

kfcampbell commented 2 years ago

@will-bluem-olo that's a great question. The GET 404s, which is too bad. I've asked internally about it and I'll post again here if I learn something useful.
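The API exchange this thread circles around, as an added Go example that is not code from the provider or from google/go-github: it issues the PUT calls that enable Dependabot alerts and security updates, then reads the security-updates setting back, and treats a 404 from the missing "check" endpoint as unknown rather than as disabled, which is the distinction the re-apply drift reported by SanderKnape and jspiro turns on. The endpoint paths (/repos/{owner}/{repo}/vulnerability-alerts and /repos/{owner}/{repo}/automated-security-fixes), the 204-on-success convention and the {"enabled": bool} response body are assumptions about the GitHub REST API, not something the thread confirms; the fake server, the owner/repo names and the token are constructed stand-ins so the program runs offline.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// State is tri-state on purpose: a 404 from a GET endpoint that does not exist is not
// "disabled", and collapsing it into a bool is exactly how the drift in this issue hides.
type State int

const (
	Unknown State = iota
	Disabled
	Enabled
)

var ErrCheckUnsupported = errors.New("GET automated-security-fixes not supported by this API")

type Client struct {
	BaseURL, Token string // BaseURL is https://api.github.com in real use
	HTTP           *http.Client
}

// call performs one request and returns the status code, decoding a 200 JSON body into out.
// Endpoint shapes are assumed from the public REST API, not taken from this thread.
func (c *Client) call(ctx context.Context, method, owner, repo, feature string, out any) (int, error) {
	url := fmt.Sprintf("%s/repos/%s/%s/%s", c.BaseURL, owner, repo, feature)
	req, err := http.NewRequestWithContext(ctx, method, url, nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Authorization", "Bearer "+c.Token)
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if out != nil && resp.StatusCode == http.StatusOK {
		err = json.NewDecoder(resp.Body).Decode(out)
	}
	return resp.StatusCode, err
}

// AutomatedSecurityFixes: 200 + {"enabled":bool} is authoritative; a 404 means the check
// endpoint itself is absent, so the caller gets Unknown rather than a misleading Disabled.
func (c *Client) AutomatedSecurityFixes(ctx context.Context, owner, repo string) (State, error) {
	var body map[string]bool
	code, err := c.call(ctx, http.MethodGet, owner, repo, "automated-security-fixes", &body)
	switch {
	case code == http.StatusNotFound:
		return Unknown, ErrCheckUnsupported
	case err != nil || code != http.StatusOK:
		return Unknown, fmt.Errorf("GET automated-security-fixes: status %d, err %v", code, err)
	case body["enabled"]:
		return Enabled, nil
	}
	return Disabled, nil
}

// EnsureSecurityUpdates is what the issue expects vulnerability_alerts = true to do: PUT
// alerts on, PUT security updates on (204 expected for both), then read the latter back.
func (c *Client) EnsureSecurityUpdates(ctx context.Context, owner, repo string) (State, error) {
	for _, f := range []string{"vulnerability-alerts", "automated-security-fixes"} {
		if code, err := c.call(ctx, http.MethodPut, owner, repo, f, nil); err != nil || code != http.StatusNoContent {
			return Unknown, fmt.Errorf("PUT %s: status %d, err %v", f, code, err)
		}
	}
	state, err := c.AutomatedSecurityFixes(ctx, owner, repo)
	if errors.Is(err, ErrCheckUnsupported) {
		err = nil // known API gap: surface Unknown instead of failing the apply
	}
	return state, err
}

// newFakeGitHub is a constructed stand-in for api.github.com that serves only the calls
// above; supportsCheck=false reproduces the 404 reported in this thread.
func newFakeGitHub(supportsCheck bool) *httptest.Server {
	enabled := map[string]bool{} // keyed by full path, so per repository and feature
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case r.Method == http.MethodPut:
			enabled[r.URL.Path] = true
			w.WriteHeader(http.StatusNoContent)
		case supportsCheck && strings.HasSuffix(r.URL.Path, "/automated-security-fixes"):
			json.NewEncoder(w).Encode(map[string]bool{"enabled": enabled[r.URL.Path]})
		default:
			w.WriteHeader(http.StatusNotFound)
		}
	}))
}

func main() {
	srv := newFakeGitHub(false) // the 404 case reported in this thread
	defer srv.Close()
	c := &Client{BaseURL: srv.URL, Token: "placeholder-token", HTTP: srv.Client()}
	fmt.Println(c.EnsureSecurityUpdates(context.Background(), "goodwatercap", "repo"))
}
```

Against the real API, replace the fake server with https://api.github.com and a token that has repository administration rights; the point of the Unknown state is that a provider (or a post-apply check) that stores it as "false" will plan a spurious false -> true change on the next run, which is the drift described above.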

charmingnewt commented 2 years ago

Hi @kfcampbell - not sure if you ever found anything interesting here, but we'd still be interested in this functionality if it could be added to the API.

kfcampbell commented 2 years ago

Ahh thanks for reminding me! I did not hear anything back, and just bumped the question again.

kfcampbell commented 2 years ago

Alright, there's an internal issue created to track this and the team seems receptive. I'm uncertain of the priority but it seems low at this point. :crossed_fingers: :crossed_fingers: :crossed_fingers: they jump on it!

bahag-klickst commented 1 year ago

@kfcampbell Any news on this?

kfcampbell commented 1 year ago

@bahag-klickst I unfortunately do not have any updates.

GMZwinge commented 9 months ago

With the latest Terraform 1.6.6 and GitHub provider 5.43.0, a terraform apply -refresh-only doesn't seem to update the field vulnerability_alerts in the .tfstate file with the state in the UI.

coriolinus commented 8 months ago

@kfcampbell any progress to report? My team would also appreciate a fix for this.

kfcampbell commented 8 months ago

I wish I had an update, sorry! You might consider asking your GitHub rep (if you're an enterprise customer) or posting here asking for API coverage.

thomaslagies commented 6 months ago

Any updates on this so far?