[BUG]: 422 Validation Failed [] on api.github.com/organizations/XXX/team/XXX/repos/XXX/YYY
Expected Behavior
The resource creation/modification would complete w/o error.
Actual Behavior
Returns: Error: PUT https://api.github.com/organizations/XXX/team/XXX/repos/XXX/YYY: 422 Validation Failed [] without any further information.
While doing plan, this appears:
Terraform will perform the following actions:
  # github_team_repository.repository["devops.YYY"] will be updated in-place
  ~ resource "github_team_repository" "repository" {
        id         = "1234567:YYY"
      ~ permission = "read" -> "write"
        # (3 unchanged attributes hidden)
    }
Plan: 0 to add, 1 to change, 0 to destroy.
and then:
│ Error: PUT https://api.github.com/organizations/XXX/team/XXX/repos/XXX/YYY: 422 Validation Failed []
│
│ with github_team_repository.repository["devops.YYY"],
│ on main.tf line 124, in resource "github_team_repository" "repository":
│ 124: resource "github_team_repository" "repository" {
│
But a second run shows no errors, as if the state has been updated, while the real resource remains unchanged.
No changes. Your infrastructure matches the configuration.
Terraform has compared your real infrastructure against your configuration and found no differences, so no
changes are needed.
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Terraform Version
Terraform v1.7.4 and v1.7.5 on darwin_arm64
- provider registry.terraform.io/integrations/github v6.1.0
Affected Resource(s)
- github_team_repository
- github_repository_collaborator
Terraform Configuration Files
---
teams:
  devops:
    name: DevOps
    privacy: closed
    parent_team_id: NULL
    repositories:
      YYY:
        role: write
users:
  XXX:
    username: xxx
    role: member
    teams:
      devops:
        role: member
    repositories:
      YYY:
        role: maintain
repositories:
  YYY:
    name: YYY
    visibility: public
---
locals {
  values = yamldecode(file("values.yaml"))
}

resource "github_repository" "repository" {
  for_each    = local.values.repositories
  name        = each.key
  description = try(each.value.description, null)
  topics      = try(each.value.topics, null)
  visibility  = try(each.value.visibility, local.values.default_repository_values.visibility)
}

resource "github_team_repository" "repository" {
  for_each = {
    for _repository in flatten([
      for team, team_details in local.values.teams : [
        for repository, repository_details in team_details.repositories : {
          repository = github_repository.repository[repository]
          team       = github_team.team[team]
          permission = repository_details.role
        }
      ]
      if lookup(team_details, "repositories", null) != null
    ]
    ) :
    "${_repository.team.slug}.${_repository.repository.name}" => _repository
  }
  team_id    = each.value.team.id
  repository = each.value.repository.name
  permission = each.value.permission
  depends_on = [ github_team.team, github_repository.repository ]
}

resource "github_repository_collaborator" "collaborator" {
  for_each = {
    for _repository in flatten([
      for user, user_details in local.values.users : [
        for repository, repository_details in user_details.repositories : {
          repository = github_repository.repository[repository]
          user       = github_membership.user[user]
          permission = repository_details.role
        }
      ]
      if lookup(user_details, "repositories", null) != null
    ]
    ) :
    "${_repository.user.username}.${_repository.repository.name}" => _repository
  }
  repository = each.value.repository.name
  username   = each.value.user.username
  permission = each.value.permission
  depends_on = [ github_membership.user, github_repository.repository ]
}
Steps to Reproduce
terraform apply
Debug Output
(...)
2024-03-14T22:51:19.940+0100 [INFO] Starting apply for github_team_repository.repository["YYY"]
2024-03-14T22:51:19.940+0100 [DEBUG] github_team_repository.repository["YYY"]: applying the planned Update change
2024-03-14T22:51:20.199+0100 [ERROR] provider.terraform-provider-github_v6.1.0: Response contains error diagnostic: @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/diag/diagnostics.go:58 tf_rpc=ApplyResourceChange @module=sdk.proto diagnostic_detail="" tf_req_id=c09ef4d2-cb12-5584-f621-85b635c0e177 tf_resource_type=github_team_repository diagnostic_severity=ERROR diagnostic_summary="PUT https://api.github.com/organizations/XXX/team/XXX/repos/XXX/YYY: 422 Validation Failed []" tf_proto_version=5.4 tf_provider_addr=provider timestamp="2024-03-14T22:51:20.199+0100"
2024-03-14T22:51:20.199+0100 [DEBUG] State storage *cloud.State declined to persist a state snapshot
2024-03-14T22:51:20.200+0100 [ERROR] vertex "github_team_repository.repository[\"YYY\"]" error: PUT https://api.github.com/organizations/XXX/team/XXX/repos/XXX/YYY: 422 Validation Failed []
2024-03-14T22:51:20.200+0100 [DEBUG] cloud/state: state read serial is: 88; serial is: 88
2024-03-14T22:51:20.200+0100 [DEBUG] cloud/state: state read lineage is: 0b65673b-dd96-3503-729c-7452b1fe1445; lineage is: 0b65673b-dd96-3503-729c-7452b1fe1445
2024-03-14T22:51:21.850+0100 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2024-03-14T22:51:21.852+0100 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/integrations/github/6.1.0/darwin_arm64/terraform-provider-github_v6.1.0 pid=97342
2024-03-14T22:51:21.852+0100 [DEBUG] provider: plugin exited
Panic Output
No response
Code of Conduct
- [X] I agree to follow this project's Code of Conduct
Hey @aamkye thanks for tracking this down. Let us know if you'd be interested in fixing the issue and submitting a PR. For now I have labeled this as "Up For Grabs" so that the community can take a stab at getting this fixed as well. ❤️
I'm willing to be a testing ground guy for such a PR 😀. Unfortunately, my Golang and Terraform engine knowledge is quite limited. But I can provide all the necessary details if guided 💪!
For anyone finding this bug, we got the same problem. However, we noticed there is another resource that has the same functionality called github_repository_collaborators. It uses a block to apply team permissions, so a dynamic is required for multiple team permissions. However, the CRUD operations were successful and we don't see the same 422 error with this resource, so it's worth a try if you need a workaround.
@aamkye did you try with these values? https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#add-or-update-team-repository-permissions
"write" is not a valid one; the valid values are not the same as the ones you see via the UI.
As @osvald-fn mentioned, I can confirm using the permissions mapping as documented in the /teams API did the trick.
Also, as pointed out by @jaredfholgate, using collaborators sidesteps this issue, as read is automatically translated to pull, etc.
Both work for the purposes described here.
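
The permissions mapping discussed in the comments above, as an added example (not code from the issue or from the provider project): a lookup table translates the UI-style role names used in values.yaml into the permission names the teams API accepts, before they reach `github_team_repository`. The names `ui_to_api_permission`, `sample_teams` and `team_repo_permissions` are assumptions, and the sample data is constructed to mirror the `teams` section of the issue's values.yaml.

```hcl
locals {
  # UI role name => permission name accepted by the teams REST API.
  ui_to_api_permission = {
    read     = "pull"
    triage   = "triage"
    write    = "push"
    maintain = "maintain"
    admin    = "admin"
  }

  # Constructed sample; in the issue's configuration this would be
  # local.values.teams, decoded from values.yaml.
  sample_teams = {
    devops = {
      repositories = {
        YYY = { role = "write" }
      }
    }
  }

  # "<team>.<repository>" => API permission. Values already in API form,
  # and custom repository role names, pass through unchanged because
  # lookup() falls back to the original role.
  team_repo_permissions = {
    for pair in flatten([
      for team, team_details in local.sample_teams : [
        for repository, repository_details in try(team_details.repositories, {}) : {
          key  = "${team}.${repository}"
          role = repository_details.role
        }
      ]
    ]) :
    pair.key => lookup(local.ui_to_api_permission, pair.role, pair.role)
  }
}

# Shows the translated value that would be passed as `permission`.
output "team_repo_permissions" {
  value = local.team_repo_permissions
}
```

Because the failed apply in the report was followed by a clean "No changes" run, compare the team's effective repository access in GitHub with the configured role after applying, rather than relying on the plan alone.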