[BUG]: github_repository: 422 An enforced security configuration prevented modifying advanced security enablement. #2383

Open
1 task done
eherde opened this issue Sep 10, 2024 · 2 comments · May be fixed by #2397
Labels
Status: Up for grabs Issues that are ready to be worked on by anyone Type: Bug Something isn't working as documented

Comments

eherde commented Sep 10, 2024

Expected Behavior

We have been using the github_repository resource for some time. We recently signed up for GHAS, and enabled enforcement on our repos.

We expect that an apply of a plan like the following should succeed:

terraform apply -target module.repo.github_repository.repo
…
  # module.repo.github_repository.repo will be updated in-place
  ~ resource "github_repository" "repo" {
      ~ allow_rebase_merge          = false -> true
        id                          = "myrepo"
        name                        = "myrepo"
        # (33 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
…

Actual Behavior

The first time the terraform runs with an expected change, we get the following error:

│ Error: PATCH https://api.github.com/repos/groq/myrepo: 422 An enforced security configuration prevented modifying advanced security enablement. Contact your organization owner for details. []

After this run, manual inspection in the UI shows that the change is applied (in this case, allowing rebase and merge). The next run of the terraform rightfully detects that there are no changes:

No changes. Your infrastructure matches the configuration.

Note that if I disable enforcement of GHAS and run the terraform apply again when there are pending changes (in this example, toggling allow_rebase_merge between true and false), then the apply succeeds with no errors.

Terraform Version

Terraform v1.9.3
on darwin_amd64

  • provider registry.terraform.io/buildkite/buildkite v1.10.2
  • provider registry.terraform.io/hashicorp/google v6.0.1
  • provider registry.terraform.io/integrations/github v6.2.3

Affected Resource(s)

  • github_repository

Terraform Configuration Files

No response

Steps to Reproduce

$ terraform apply

Debug Output

No response

Panic Output

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@eherde eherde added Status: Triage This is being looked at and prioritized Type: Bug Something isn't working as documented labels Sep 10, 2024
@kfcampbell kfcampbell added Status: Up for grabs Issues that are ready to be worked on by anyone and removed Status: Triage This is being looked at and prioritized labels Sep 13, 2024
@sgsollie

We've also run into this where we use the terraform provider to create a new repo and add some branch protections.

On adding a new repo with org wide GHAS enforcement on, Terraform exits with the 422 error above having partially done the create repo operation & more concerning, it tainted that particular github_repository resource. Worst case, that could lead to a repo being destroyed and re-created. In our case it was brand new so it was empty anyway, and we block deletes of repos, but this could really be dangerous for some.

jamestran201 commented Sep 20, 2024

@kfcampbell To avoid this scenario, we can include the security_and_analysis object in the payload only when changes have been made to it. Here's what the change would look like. What do you think about this approach?
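
Added example, not part of the thread and not the provider's code or the linked change: a minimal Go sketch of the idea in the comment above, building the PATCH body so that security_and_analysis is sent only when it differs from the prior state. The type and function names are hypothetical; only the JSON field names follow the GitHub REST API, and the states are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// Hypothetical, trimmed-down types; only the JSON field names follow the REST API.
type featureStatus struct {
	Status string `json:"status"`
}
type securityAndAnalysis struct {
	AdvancedSecurity *featureStatus `json:"advanced_security,omitempty"`
}

// repoState is what the prior state or the configuration says about one repository.
type repoState struct {
	AllowRebaseMerge bool
	Security         *securityAndAnalysis
}

// repoPatch is the PATCH /repos/{owner}/{repo} body; nil fields are left out.
type repoPatch struct {
	AllowRebaseMerge    *bool                `json:"allow_rebase_merge,omitempty"`
	SecurityAndAnalysis *securityAndAnalysis `json:"security_and_analysis,omitempty"`
}

// buildPatch includes a field only when the planned value differs from the prior one.
func buildPatch(prior, planned repoState) ([]byte, error) {
	var p repoPatch
	if prior.AllowRebaseMerge != planned.AllowRebaseMerge {
		v := planned.AllowRebaseMerge
		p.AllowRebaseMerge = &v
	}
	// Unchanged security settings are left out of the request body entirely.
	if !reflect.DeepEqual(prior.Security, planned.Security) {
		p.SecurityAndAnalysis = planned.Security
	}
	return json.Marshal(p)
}

func main() {
	// Constructed sample states mirroring the plan in the report.
	prior := repoState{false, &securityAndAnalysis{&featureStatus{"enabled"}}}
	planned := repoState{true, &securityAndAnalysis{&featureStatus{"enabled"}}}
	body, err := buildPatch(prior, planned)
	fmt.Println(string(body), err)
}
```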
