integrations / terraform-provider-github

Terraform GitHub provider
https://www.terraform.io/docs/providers/github/
MIT License

Error: This resource can only be used in the context of an organization, "foo" is a user #769

Open wsams opened 3 years ago

wsams commented 3 years ago

Terraform Version

0.14.1

Affected Resource(s)

Terraform Configuration Files

# root module main.tf

terraform {
  required_version = "= 0.14.1"

  backend "s3" {
    bucket                      = "terraform-snd"
    key                         = "terraform.tfstate"
    endpoint                    = "https://example.com"
    region                      = "us-east-1"
    workspace_key_prefix        = "github/workspace"
    skip_credentials_validation = true
    skip_metadata_api_check     = true
    force_path_style            = true
  }

  required_providers {
    github = {
      source  = "integrations/github"
      version = "4.9.2"
    }
  }
}

provider "github" {
  alias    = "ex"
  base_url = "https://github.enterprise.example.com/"
}
# repository.demo.tf

module "demo_repo" {
  source             = "./modules/repository"
  repo_name          = "demo-repo"
  repo_desc          = "A repo for testing creating repos with TF"
  gitignore_template = "Terraform"
  providers = {
    github = github.ex
  }
}

resource "github_team_repository" "demo_repo" {
  team_id    = 4590
  repository = module.demo_repo.name
  permission = "push"
}
# modules/repository/main.tf

terraform {
  required_providers {
    github = {
      source  = "integrations/github"
      version = "4.9.2"
    }
  }
}

resource "github_repository" "repo" {
  name                   = var.repo_name
  description            = var.repo_desc
  visibility             = var.visibility
  gitignore_template     = var.gitignore_template
  allow_merge_commit     = var.allow_merge_commit
  allow_rebase_merge     = var.allow_rebase_merge
  allow_squash_merge     = var.allow_squash_merge
  has_issues             = var.has_issues
  has_projects           = var.has_projects
  has_wiki               = var.has_wiki
  delete_branch_on_merge = var.delete_branch_on_merge
}

Debug Output

https://gist.github.com/wsams/e8ef1b5335ab09c988e609c0cdf61053

Panic Output

N/A

Expected Behavior

The team with id 4950 should be added to the repository demo-repo. The provider should acknowledge my-org as an organization and not a user.

Actual Behavior

The resource errors with the following:

github_team_repository.demo_repo: Creating...

Error: This resource can only be used in the context of an organization, "my-org" is a user.

  on repository.demo.tf line 11, in resource "github_team_repository" "demo_repo":
  11: resource "github_team_repository" "demo_repo" {

Steps to Reproduce

  1. terraform apply

Important Factoids

I don't think so. I'm trying to apply this config on a GitHub Enterprise instance v2.22.5

References

jcudit commented 3 years ago

Possibly related to the bug described in https://github.com/integrations/terraform-provider-github/pull/735:

From high to low precedence, the order is:

  • setting organization in the provider configuration
  • setting the GITHUB_ORGANIZATION environment variable
  • setting the GITHUB_OWNER environment variable
  • setting owner in the provider configuration

That is, organization overrides GITHUB_ORGANIZATION (as I'd expect), but GITHUB_OWNER overrides owner (that seems backwards).

Would it be possible to try again while explicitly configuring an organization with the above precedence in mind?

wsams commented 3 years ago

Hello @jcudit, thanks for your quick reply. After quite a bit of testing I identified the issue, and it appears to have been a misconfiguration of the github provider.

I believe the issue was due to resource "github_team_repository" "demo_repo" { being defined in the module but no default github provider in the root module. Only the one with the ex alias. Because of that, I don't think that resource was using a configured provider.

I now have this root module provider configuration:

provider "github" {
  base_url = "https://github.enterprise.example.com/"
  owner = "my-org"
}

And I removed the providers block from module "demo_repo" {

The token is set by the GITHUB_TOKEN environment variable.

Does that sound about right to you @jcudit?

Thanks, Weldon

jcudit commented 3 years ago

Yes, this sounds like a common way that others have been tripped up as well. The next major release hopes to clean this up. Apologies for the friction!

vishnureddy-blink commented 1 year ago

Hi

I'm also facing the same issue. I tried with the new version 0.9.0 as well, still no luck. Any update on this?

dmitry-mightydevops commented 1 year ago

on my side that error

│ Error: this resource can only be used in the context of an organization, "" is a user

belongs to the use of github_team_repository resource

so I had to

my provider is latest 5.9.0, terraform 1.3.4

Terraform v1.3.4
on linux_amd64
+ provider registry.terraform.io/cyrilgdn/postgresql v1.17.1
+ provider registry.terraform.io/gavinbunney/kubectl v1.14.0
+ provider registry.terraform.io/hashicorp/aws v4.40.0
+ provider registry.terraform.io/hashicorp/github v5.9.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.16.0
+ provider registry.terraform.io/hashicorp/local v2.2.3
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/random v3.4.3
+ provider registry.terraform.io/hashicorp/tls v4.0.4
+ provider registry.terraform.io/integrations/github v5.9.0
+ provider registry.terraform.io/scottwinkler/shell v1.7.10
+ provider registry.terraform.io/winebarrel/mysql v1.10.6

provider "github" {

  owner = var.github_organization
  app_auth {
    id              = var.github_app_auth_id
    installation_id = var.github_app_auth_installation_id
    pem_file        = file(var.github_app_auth_pem_file)
  }
}

All resources are authenticated just fine, except for the team permissions.

I have selected the following Permissions for the github app:

Repository permissions

Organization permissions

Seems that should be sufficient for github_team_repository, but it still fails.

Interesting thing is that the association (i.e. team_repository) is created successfully, but then still fails with the error message,

As reported here: https://github.com/integrations/terraform-provider-github/issues/1373

steinheber commented 1 year ago

Hi All,

Maybe the following helps somebody waste less time on the error message than I did. Regardless of any combination of organization, owner, GITHUB_ORGANIZATION or GITHUB_OWNER, for me the fact that my access token did expire led to the above error message.

So to me it appears as if:

  1. if authentication fails - e.g. due to token being expired
  2. "gracefully" fall back to assuming that the caller does not act on behalf or in the context of an organization
  3. bailing out because I was using a resource (github_team_repository) that is not supported in the context of a "user organization"

Does that resonate?

nexocentric commented 1 year ago

I am hitting the same issue. I don't know how to resolve it.

dmitry-mightydevops commented 1 year ago

@nexocentric

> I am hitting the same issue. I don't know how to resolve it.

Update version of the github terraform provider

this is mine:

terraform {
  required_version = ">= 1.3.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.45"
    }
    null       = "~> 3.2"
    kubernetes = "~> 2.16"
    random     = "~> 3.4"

    postgresql = {
      source  = "cyrilgdn/postgresql"
      version = "~> 1.18"
    }

    shell = {
      source  = "scottwinkler/shell"
      version = "~> 1.7"
    }

    kubectl = {
      source  = "gavinbunney/kubectl"
      version = "~> 1.14"
    }

    mysql = {
      source  = "winebarrel/mysql"
      version = "~> 1.10"
    }

    github = {
      source  = "integrations/github"
      version = "5.11.0"
    }
  }
}

#############################################################
# Github Provider
#############################################################

provider "github" {
  owner = var.github_organization
  app_auth {
    id              = var.github_app_auth_id
    installation_id = var.github_app_auth_installation_id
    pem_file        = file(var.github_app_auth_pem_file)
  }
}

I'm using oauth app for the authentication, but it's optional.

bizonek27 commented 1 year ago

Hi

I had a similar problem. I used a variable to set this token.

Try in this way:

terraform import -var-file=_github.tfvars -var=github_token="ghp_TOKEN" module.team-**** *ID*
terraform apply -var-file=_github.tfvars -var=github_token="ghp_TOKEN" -target=module.team-***

My _github.tfvars:

github_organization = "*ORG_ID*"
github_token = ""

lexton commented 1 year ago

This error masks the fact that our token had expired. This is described in the comment above.

Rotating the token solved for us - but it is still very opaque error messaging.

suresh-target commented 1 year ago

I got this error while migrating the github provider version from 2.4.1 to 5.28.0 (during the tf migration). Since the latest version of github provider is already adding api/v3/ to baseurl, we had to remove that part from the variable definition, and that solved the problem.

Before:

base_url = "https://our.giturl.com/api/v3/"

Modified as below to fix the problem

base_url = "https://our.giturl.com/"
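
A preflight check that separates the causes commenters report above (a rejected or expired token, an owner that really is a user, a base_url that already carries api/v3/), added here as an example; it is not code from the provider or from anyone in this thread. The function names, result strings and sample responses are constructed, and it assumes the REST endpoint GET /users/{owner} and the "type" field in its response.

```python
import json
import urllib.error
import urllib.request

def api_root(base_url):
    """Map a provider-style base_url to the REST API root (assumed layout)."""
    url = base_url.rstrip("/")
    if url.endswith("/api/v3"):              # value that already carries the suffix
        url = url[: -len("/api/v3")]
    if url in ("https://github.com", "https://api.github.com"):
        return "https://api.github.com"
    return url + "/api/v3"                   # GitHub Enterprise Server layout

def http_get(url, token):
    """GET url with the token; return (status, parsed JSON body or {})."""
    req = urllib.request.Request(url, headers={
        "Authorization": "token " + token,
        "Accept": "application/vnd.github.v3+json",
    })
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}

def diagnose(base_url, owner, token, get=http_get):
    """Say why an organization-only resource would be refused, before terraform runs."""
    if not owner:
        return "owner-not-set"
    status, body = get(api_root(base_url) + "/users/" + owner, token)
    if status == 401:
        return "token-rejected"              # expired or revoked credential
    if status == 404:
        return "owner-not-found"
    if status != 200:
        return "unexpected-status-%d" % status
    return "ok" if body.get("type") == "Organization" else "owner-is-user"

# Constructed responses standing in for a server (hypothetical host and logins).
ROOT = "https://github.enterprise.example.com/api/v3"
SAMPLE = {ROOT + "/users/my-org": (200, {"type": "Organization"}),
          ROOT + "/users/some-user": (200, {"type": "User"})}

def sample_get(url, token):
    """Offline transport: any token but "good" gets 401, unknown URLs get 404."""
    return SAMPLE.get(url, (404, {})) if token == "good" else (401, {})
```

Run diagnose with the real base_url, owner and token (default transport) in CI before terraform plan, so a rejected token is reported as such rather than as the organization error.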

stephanebruckert commented 7 months ago

Error disappeared using version 6.0.0-rc2 while still broken on latest v5 (5.45.0).

If using modules, don't forget to also set that rc2 to your required_providers as per https://github.com/integrations/terraform-provider-github/issues/501#issuecomment-1879486590

ljw4010 commented 4 months ago

Hi All, please review my comment: https://github.com/integrations/terraform-provider-github/issues/2280#issuecomment-2144301894. We can avoid this issue temporarily this way:

  1. If the org does not exist, please create it with github_enterprise_organization; this step should be put in an independent module.
  2. If the org exists, make sure your token can access this org.
  3. Then you can set up the org with github_organization_settings, but the settings step should be in an independent module with a provider config whose owner is the above org id.