Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] terraform plan is not empty when using github_branch_protection with actor names #1555

Closed
iAmoric opened this issue Feb 17, 2023 · 1 comment · Fixed by #1711
Closed

[BUG] terraform plan is not empty when using github_branch_protection with actor names #1555

iAmoric opened this issue Feb 17, 2023 · 1 comment · Fixed by #1711
Labels
Status: Up for grabs Issues that are ready to be worked on by anyone Type: Bug Something isn't working as documented

Comments

@iAmoric
Copy link

iAmoric commented Feb 17, 2023
edited
Loading

Context

When using the github_branch_protection resource with actor names instead of actor IDs, the terraform plan after a terraform apply is not empty and wants to remove the actor IDs, even though it has not been used.

Example:

resource "github_branch_protection" "branch_protection" {
    required_pull_request_reviews {
        pull_request_bypassers = [
            "/iAmoric",
        ]
    }
}

First terraform apply:

$ terraform apply 
~ resource "github_branch_protection" "branch_protection" {
      ~ required_pull_request_reviews {
          ~ pull_request_bypassers          = [
              + "/iAmoric",        <== This is correct
            ]
        }
    }

Second terraform apply, done right after the first one:

$ terraform apply
~ resource "github_branch_protection" "branch_protection" {
      ~ required_pull_request_reviews {
          ~ pull_request_bypassers          = [
              - "MDQ6VXNlcjE0NTU1NjIx",        <== This is NOT correct
            ]
        }
    }

Expected behavior

Terraform plan should be empty when the first one was applied

Actual behavior

Terraform plan is not empty and wants to remove the actor ID

Steps to reproduce:

Run two times in a row terraform apply with the resource github_branch_protection using actor name

Additional context:

Full terraform code to easily reproduce the error: 
  
  terraform {
    required_version = "1.3.1"
    required_providers {
      github = {
        source  = "integrations/github"
        version = "5.17.0"
      }
    }
  }

  provider "github" {
    token = "XXXXXX"
    owner = "XXXXXX"
  }

  data "github_team" "team" {
    slug = "my_team"
  }

  resource "github_repository" "repo" {
     name      = "test-branch-protection"
    auto_init = true
  }

  resource "github_branch_default" "default" {
    repository = github_repository.repo.name
    branch     = "main"

    depends_on = [github_repository.repo]
  }

  resource "github_team_repository" "team" {
    repository = github_repository.repo.name
    team_id    = data.github_team.team.id
    permission = "admin"
  }

  resource "github_branch_protection" "branch_protection" {
    repository_id = github_repository.repo.node_id
    pattern       = "main"

    enforce_admins = true

    required_pull_request_reviews {
      required_approving_review_count = 1
      pull_request_bypassers = [
        "/iAmoric",
      ]
    }

    push_restrictions = [
      data.github_team.team.node_id
    ]
  }
@Esysc
Copy link

Esysc commented Feb 17, 2023
edited
Loading

Here is some debug logs.

[DEBUG] Problem setting 'require_last_push_approval' in <repo name> <branch> branch protection (< the ID>)
[WARN]  Provider "registry.terraform.io/integrations/github" produced an unexpected new value for module.github.github_branch_protection.settings["<repo name>:<branch>"] during refresh.
      - .required_pull_request_reviews[0].pull_request_bypassers: actual set element cty.StringVal("<User ID>") does not correlate with any element in plan
      - .required_pull_request_reviews[0].pull_request_bypassers: length changed from 1 to 2

that comes from

terraform-provider-github/github/resource_github_branch_protection.go

Line 314 in 9cf65a4

err = d.Set(PROTECTION_REQUIRES_LAST_PUSH_APPROVAL, protection.RequireLastPushApproval)

@kfcampbell kfcampbell added Type: Bug Something isn't working as documented Status: Up for grabs Issues that are ready to be worked on by anyone Priority: Normal labels Feb 17, 2023
@kfcampbell kfcampbell moved this from 🆕 Triage to 🔥 Backlog in 🧰 Octokit Active Feb 17, 2023
bpaquet added a commit to bpaquet/terraform-provider-github that referenced this issue Jun 3, 2023
@bpaquet
Fix integrations#1555: Avoid duplication of pull reqyuest bypasser
8948e66
@bpaquet bpaquet mentioned this issue Jun 3, 2023
Merged
kfcampbell added a commit that referenced this issue Jun 22, 2023
@bpaquet @kfcampbell
Fix #1555: Avoid duplication of pull reqyuest bypasser (#1711)
be7cfe8 
Co-authored-by: Keegan Campbell <me@kfcampbell.com>
@github-project-automation github-project-automation bot moved this from 🔥 Backlog to ✅ Done in 🧰 Octokit Active Jun 22, 2023
avidspartan1 pushed a commit to avidspartan1/terraform-provider-github that referenced this issue Feb 5, 2024
@bpaquet @kfcampbell
Fix integrations#1555: Avoid duplication of pull reqyuest bypasser (i…
6b06d13 
…ntegrations#1711)

Co-authored-by: Keegan Campbell <me@kfcampbell.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Status: Up for grabs Issues that are ready to be worked on by anyone Type: Bug Something isn't working as documented
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix #1555: Avoid duplication of pull request bypasser bpaquet/terraform-provider-github
3 participants
@kfcampbell @Esysc @iAmoric