Failed setting visibility=internal on a newly created repo from template #925

Open
damir-dezeljin opened this issue Oct 6, 2021 · 7 comments · May be fixed by #2151
Labels
Status: Pinned A way to keep old or long lived issues around Status: Up for grabs Issues that are ready to be worked on by anyone Type: Bug Something isn't working as documented Visibility

Comments

@damir-dezeljin

Hi there,

Terraform Version

1.0.5

Affected Resource(s)

  • github_repository

Terraform Configuration Files

# create github repository for the domain under domain team
resource "github_repository" "domain" {
  name = lower("${var.domain}-domain")

  visibility = "internal"

  template {
    owner      = "our-enterprise-org-id"
    repository = "tf-domain-template"
  }
}

Debug Output

Gist: https://gist.github.com/damir-dezeljin/e9de28e11aa7de8d7a60fc2e123794f6

NOTE: I removed the sensitive parts from the logs. Still, I think the logs show what the actual issue is. Let me recap it here:

  • We're using TF to create a GitHub repo out of a template.
  • The template repo visibility is set to Internal.
  • The newly created repo visibility should be Internal as well.
  • The repo gets created, but it remains Private and the visibility setup phase fails with error 422.

Panic Output

n/a

Expected Behavior

I'd expect a new repo with visibility Internal to be created.

Actual Behavior

The terraform apply fails with error code 422 on the visibility change step.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. Set org policy to prevent users from changing repo visibility.
  2. Create a template repo with visibility Internal.
  3. Use the provided TF code for creating a new repo with visibility Internal out of the template one.
  4. Use a GitHub App identity with scopes listed below.
  5. Run terraform apply.

Important Factoids

  • We're running TF with GitHub Apps credentials with the following scopes:
    • Repository access: All repositories
    • Repository permissions:
      • Administration: r/w
      • Contents: r/w
      • Metadata: ro
      • Secrets: r/w
    • Organization permissions:
      • Members: r/w
      • Administration: r/w
  • Our Enterprise has an Org.Policy set that prevents users from creating Public repos, and only Org.Owners are allowed to change repo visibility.

References

n/a

@erzz

erzz commented Oct 13, 2021

Basically a me too post - but just to add that I get the same result from the same TF config using 1.0.7 too

@parviste-fortum

The issue seems to be due to a limitation in the GitHub API, which only supports public and private creation from a template: https://docs.github.com/en/rest/reference/repos#create-a-repository-using-a-template

Of course, it might be nice if terraform would give an error or at least a warning when trying to set visibility to internal, instead of silently ignoring it:

    if visibility == "private" || visibility == "internal" {
        isPrivate = true
    }

@parviste-fortum

Seems like the GitHub GraphQL API does support creating internal repos from templates: https://docs.github.com/en/graphql/reference/input-objects#clonetemplaterepositoryinput
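
An added illustration of the two comments above (not code from the provider or from any commenter): the REST template call carries only a `private` boolean, so a builder for it can reject `internal` rather than map it to private, while the GraphQL `CloneTemplateRepositoryInput` can carry the value as-is. The function names, the `example-domain` name and the node-ID placeholders are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// restTemplateBody mirrors the REST template-creation body: visibility is one boolean.
type restTemplateBody struct {
	Owner   string `json:"owner"`
	Name    string `json:"name"`
	Private bool   `json:"private"`
}

// graphQLCloneInput mirrors the CloneTemplateRepositoryInput fields used here.
type graphQLCloneInput struct {
	Name         string `json:"name"`
	OwnerID      string `json:"ownerId"`
	RepositoryID string `json:"repositoryId"`
	Visibility   string `json:"visibility"`
}

// buildRESTBody (hypothetical helper) refuses "internal" instead of silently mapping it to private.
func buildRESTBody(owner, name, visibility string) (restTemplateBody, error) {
	switch visibility {
	case "public", "private":
		return restTemplateBody{Owner: owner, Name: name, Private: visibility == "private"}, nil
	case "internal":
		return restTemplateBody{}, fmt.Errorf("visibility %q cannot be expressed by the REST template endpoint", visibility)
	}
	return restTemplateBody{}, fmt.Errorf("unknown visibility %q", visibility)
}

// buildGraphQLVariables (hypothetical helper) returns JSON variables for a cloneTemplateRepository mutation.
func buildGraphQLVariables(ownerID, templateID, name, visibility string) (string, error) {
	v := strings.ToUpper(visibility)
	if v != "PUBLIC" && v != "PRIVATE" && v != "INTERNAL" {
		return "", fmt.Errorf("unknown visibility %q", visibility)
	}
	b, err := json.Marshal(map[string]graphQLCloneInput{"input": {Name: name, OwnerID: ownerID, RepositoryID: templateID, Visibility: v}})
	return string(b), err
}

func main() {
	_, err := buildRESTBody("our-enterprise-org-id", "example-domain", "internal")
	vars, _ := buildGraphQLVariables("OWNER_NODE_ID", "TEMPLATE_NODE_ID", "example-domain", "internal")
	fmt.Printf("REST: %v\nGraphQL variables: %s\n", err, vars)
}
```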

@JafoFett

Hoping there is a way to create 'internal' repos from a template repo using Terraform... is there a workaround for the API limitation? Or a flat out no go?

@github-actions

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!

@github-actions github-actions bot added the Status: Stale Used by stalebot to clean house label Feb 22, 2023
@damir-dezeljin
Author

How can I set the Status: Pinned label? I think this is quite a serious flaw for Enterprise Cloud customers requiring that no repository is set to Public and therefore setting an Org policy for that, but on the other hand wanting all terraformed repositories to be accessible to all employees.

I'd appreciate feedback from GitHub on the matter.

@github-actions github-actions bot removed the Status: Stale Used by stalebot to clean house label Feb 23, 2023
@kfcampbell kfcampbell added Type: Bug Something isn't working as documented Status: Up for grabs Issues that are ready to be worked on by anyone Priority: Normal Status: Pinned A way to keep old or long lived issues around labels Feb 28, 2023
@kfcampbell
Member

@damir-dezeljin apologies, the SDK team is spread pretty thin at the moment. We've got a little bit of content here about our prioritization process, but realistically, the best way to address this problem is to submit a PR following our contributing guidelines to this project. We appreciate all contributions!
