integrations / terraform-provider-github

Terraform GitHub provider
https://www.terraform.io/docs/providers/github/
MIT License

github_team_repository not persisted to state? #6

Closed hashibot closed 1 year ago

hashibot commented 7 years ago

This issue was originally opened by @publysher as hashicorp/terraform#9149. It was migrated here as part of the provider split. The original body of the issue is below.


My github_team_repository resources do not show up in terraform show. Whenever I create a fresh plan, they are indicated as new.

Terraform Version

Terraform v0.7.4

Affected Resource(s)

resource "github_team" "frontend" {
  name    = "Frontend"
  privacy = "closed"
}

resource "github_team_repository" "frontend_frontend" {
  team_id    = "${github_team.frontend.id}"
  repository = "frontend"
  permission = "push"
}

Expected Behavior

The first time, terraform plan should show:

+ github_team.frontend
+ github_team_repository.frontend_frontend

After applying, terraform plan should indicate that everything is in sync.

After applying, terraform show | grep frontend_frontend should show the github_team_repository resource.

Actual Behavior

After applying, terraform plan shows:

+ github_team_repository.frontend_frontend

terraform apply will re-create the resource.

terraform show does not show the resource.

razorsedge commented 6 years ago

I am seeing this too.

radeksimko commented 6 years ago

Hi folks, I'm afraid this is an effect of the eventually consistent nature of the API, or more likely of the storage GitHub uses internally to back the API. I can certainly see regular intermittent test failures resulting from this.

When I inspected the debug log and followed the sequence of API calls, I can tell that these are issued as expected (e.g. POST -> GET), but the API sometimes decides to respond with 404 to a GET right after the previous successful creation (201) call.

This unfortunately affects the whole API and would be quite tricky, if not impossible, to address reliably. We could add retries where possible (e.g. when we're sure that a resource should really exist in a given sequence of calls, e.g. right after creation), but it's going to be a whack-a-mole game. This also affects updates, where you can get old values from GET right after issuing a successful PATCH request.

razorsedge commented 6 years ago

@radeksimko I don't understand what eventual consistency has to do with resources that I built over a year ago always being "created" every time I do a terraform apply. They simply never make it into the state file.

radeksimko commented 6 years ago

@razorsedge That's a very useful and important detail (so far not mentioned in this thread), which indeed puts the issue in a different perspective. Thank you for the update. 👍

Do you mind providing a debug log from the terraform commands you ran (minus any secrets)? This would allow us to investigate further what's happening behind the scenes, esp. between Terraform and the API.

If you fancy, you can also encrypt the log using our GPG key.

Thanks.

razorsedge commented 6 years ago

In attempting to simplify the code and get the debug log, I picked a single github_team_repository and ... It Worked. The github_team was added to the repo, it was in the statefile, and subsequent plan/apply stated there were no changes.

So I picked another repo and it failed to add it to the catalog. This got me to thinking about the difference between the two repos: the successful one is public and the failed one is private.

... Which got me wondering about access token scope. What is needed in order for Terraform to work with GitHub?

Debug logs to follow...

razorsedge commented 6 years ago

https://gist.github.com/razorsedge/8c0d018009e70858c8ac33bc0f24951a

razorsedge commented 6 years ago

Adding repo:all to my token's scope has fixed it. I am not sure if only repo:status, repo_deployment, public_repo, or repo:invite will do the trick.
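
Added example, not part of the thread or the provider's code: a small Go helper that separates the two explanations discussed above for a 404 on read, using the `X-OAuth-Scopes` response header GitHub returns for classic tokens. It assumes the "repo:all" in the comment above corresponds to GitHub's parent `repo` scope; `diagnose404` and its `privateRepo` and `justCreated` inputs are hypothetical names supplied by the caller.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// tokenScopes parses the X-OAuth-Scopes header, e.g. "public_repo, read:org".
func tokenScopes(h http.Header) map[string]bool {
	scopes := map[string]bool{}
	for _, s := range strings.Split(h.Get("X-OAuth-Scopes"), ",") {
		if s = strings.TrimSpace(s); s != "" {
			scopes[s] = true
		}
	}
	return scopes
}

// diagnose404 classifies a 404 received while reading a team/repository
// association. GitHub answers 404 (not 403) for repositories the token
// cannot see, so a scope gap looks exactly like a missing resource.
func diagnose404(status int, h http.Header, privateRepo, justCreated bool) string {
	if status != http.StatusNotFound {
		return "not-a-404"
	}
	scopes := tokenScopes(h)
	switch {
	case len(scopes) == 0:
		return "scopes-unknown" // header absent, cannot judge from scopes
	case privateRepo && !scopes["repo"]:
		return "insufficient-scope" // token cannot see private repositories
	case !privateRepo && !scopes["repo"] && !scopes["public_repo"]:
		return "insufficient-scope"
	case justCreated:
		return "possible-replication-lag" // 404 right after a 201: a retry is reasonable
	default:
		return "resource-missing"
	}
}

func main() {
	// Constructed sample: a token limited to public repositories.
	h := http.Header{}
	h.Set("X-OAuth-Scopes", "public_repo, read:org")
	fmt.Println(diagnose404(404, h, true, false)) // private repo, created long ago
	fmt.Println(diagnose404(404, h, false, true)) // public repo, just created
}
```

Checking the scope first keeps a retry loop from masking a permissions problem, and shows which scope is missing before anything broader is granted to the token.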
