terraform-provider-github

[BUG] data github_repository: Owner not being respected when authenticated user belongs to a different organization

Open devinnasar opened this issue 2 years ago • 1 comments

Use Case/Problem

We are scaffolding alerts in New Relic where the best source of truth for some required data are YAML files stored within this repository: https://github.com/newrelic/entity-definitions. We are attempting to use the Terraform GitHub provider to pull this data directly from where New Relic commits it, and then consume it into our own Terraform via yamldecode(). Our GitHub service user for Terraform processes belongs to our company's GitHub Enterprise organization. The repository we need to read from belongs to New Relic's organization. Currently the provider will not retrieve the data when authenticated with our service user's token. I believe that this is due to the provider searching within our company's GHE tenant for the target repository.

Scenario

  • GitHub provider is passed a token parameter from a user belonging to organization 'xcompany'.
  • GitHub provider is passed a base_url of ghe.xcompany.com
  • GitHub provider is passed an owner parameter of 'newrelic'
  • Terraform is trying to use a github_repository or github_repository_file data source targeting a repository belonging to organization 'newrelic'

Terraform configuration

provider.tf

provider "github" {
  token = "ghp_xxxxx" # user belongs to X Company
  base_url = "https://ghe.xcompany.com/"
  owner = "newrelic" # the repo we want to read data from is a public repo belonging to newrelic
}

data.tf

data "github_repository" "entity_definitions" {
  full_name = "newrelic/entity-definitions"
}

data "github_repository_file" "infra_awslambdafunction_golden_metrics" {
  repository = data.github_repository.entity_definitions.full_name
  file = "definitions/infra-awslambdafunction/golden_metrics.yml" # https://github.com/newrelic/entity-definitions/blob/main/definitions/infra-awslambdafunction/golden_metrics.yml
}

outputs.tf


output "gh_repo" {
  # yamldecode() expects a string, so the data source object is output directly
  value = data.github_repository.entity_definitions
}

output "gh_infra_awslambdafunction_golden_metrics" {
  value = data.github_repository_file.infra_awslambdafunction_golden_metrics
}

terraform plan ...

Changes to Outputs:
  + module_gh_repo = {
    + allow_auto_merge            = null
    + allow_merge_commit          = null
    + allow_rebase_merge          = null
    + allow_squash_merge          = null
    + archived                    = null
    + default_branch              = null
    + description                 = null
    + fork                        = null
    + full_name                   = null
    + git_clone_url               = null
    + has_discussions             = null
    + has_downloads               = null
    + has_issues                  = null
    + has_projects                = null
    + has_wiki                    = null
    + homepage_url                = null
    + html_url                    = null
    + http_clone_url              = null
    + id                          = null
    + is_template                 = null
    + merge_commit_message        = null
    + merge_commit_title          = null
    + name                        = null
    + node_id                     = null
    + pages                       = null
    + private                     = null
    + repo_id                     = null
    + squash_merge_commit_message = null
    + squash_merge_commit_title   = null
    + ssh_clone_url               = null
    + svn_url                     = null
    + template                    = null
    + topics                      = null
    + visibility                  = null
  }
  + gh_infra_awslambdafunction_golden_metrics = {
    + branch         = null
    + commit_author  = null
    + commit_email   = null
    + commit_message = null
    + commit_sha     = null
    + content        = null
    + file           = null
    + id             = null
    + ref            = null
    + repository     = null
    + sha            = null
  }

I've tried:

  • Skipping looking up the repo and passing "newrelic/entity-definitions" directly to data.github_repository_file.infra_awslambdafunction_golden_metrics
  • Removing owner from provider.tf and specifying the full_name of the repository
  • Removing authentication data entirely from provider. This DOES work, however I immediately hit the 60 requests/hour for unauthenticated requests

devinnasar May 16 '23 19:05
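
One way to keep the two lookups apart, as an added example that is not part of the issue thread or the provider's own code: it assumes the reporter's reading is right (a provider with base_url set sends every lookup to the GHE host) and that a separate github.com token is available. The variable names, the `public` alias and the postcondition are hypothetical; the postcondition turns the silent all-null result shown above into a plan error.

```hcl
terraform {
  required_version = ">= 1.2" # data-source postconditions need Terraform 1.2+
  required_providers {
    github = {
      source = "integrations/github"
    }
  }
}

# Assumed variables: one token per GitHub instance, supplied at run time, never hard-coded.
variable "ghe_token" {
  type      = string
  sensitive = true
}
variable "github_com_token" {
  type      = string
  sensitive = true
}

# Default provider: the company's GitHub Enterprise instance.
provider "github" {
  token    = var.ghe_token
  base_url = "https://ghe.xcompany.com/"
  owner    = "xcompany"
}

# Aliased provider: no base_url, so the provider default (the github.com API) applies.
provider "github" {
  alias = "public"
  token = var.github_com_token
  owner = "newrelic"
}

data "github_repository_file" "golden_metrics" {
  provider   = github.public
  repository = "newrelic/entity-definitions"
  branch     = "main"
  file       = "definitions/infra-awslambdafunction/golden_metrics.yml"
  lifecycle {
    postcondition {
      condition     = self.content != null
      error_message = "File lookup returned no content; check which GitHub host and owner this provider is using."
    }
  }
}

output "golden_metrics" {
  value = yamldecode(data.github_repository_file.golden_metrics.content)
}
```

A token with read-only access to public repositories is enough for the aliased provider, which keeps the github.com credential narrowly scoped.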

I came across this issue when trying to create a repo in an org I own. The only way I was able to get the repo to be created in the correct org was to use the GITHUB_OWNER env var when running terraform apply. I have tried various incantations of both fine-grained PATs and regular PATs including ones attached to the org. I kept getting a 403:

 Error: POST https://api.github.com/user/repos: 403 Resource not accessible by personal access token []

drichelson May 19 '24 23:05

We are still seeing this issue with the latest version. Moving away from using the data for now.

themarmack Dec 05 '24 18:12

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!

github-actions[bot] Sep 02 '25 02:09