
`allow_merge_commit`, `allow_rebase_merge`, `allow_squash_merge` fields ignored

Open Anton-Shutik opened this issue 5 years ago • 16 comments

Hi there,

Terraform Version

Terraform v0.14.5
provider registry.terraform.io/integrations/github v4.3.1

Affected Resource(s)

  • github_repository

Terraform Configuration Files

resource "github_repository" "rebrand" {
  name                = "rebrand"
  visibility          = "public"
  has_issues          = true
  has_projects        = true
  has_wiki            = true
  has_downloads       = true
  allow_merge_commit  = true
  allow_squash_merge  = true
  allow_rebase_merge  = true
}

Expected Behavior

terraform state show github_repository.rebrand

resource "github_repository" "rebrand" {
    allow_merge_commit     = true
    allow_rebase_merge     = true
    allow_squash_merge     = true
# all the rest fields
}

Actual Behavior

resource "github_repository" "rebrand" {
    allow_merge_commit     = false
    allow_rebase_merge     = false
    allow_squash_merge     = false
# all the rest fields
}

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform import github_repository.rebrand rebrand

Important Factoids

I'm trying to import GitHub resources that already exist on GH, and the issue is that it ignores the allow_merge_commit, allow_rebase_merge and allow_squash_merge fields and sets them to false, while they are explicitly set to true in the config.

Anton-Shutik avatar Jan 28 '21 14:01 Anton-Shutik

Hi @Anton-Shutik, I'm having trouble reproducing this problem. Are you running against github.com or GitHub Enterprise? If GitHub Enterprise, which version?

Also, what level of access does the user have to the repository? (the user associated with the GITHUB_TOKEN you are using with terraform, that is)

tibbes avatar Mar 05 '21 22:03 tibbes

Hi, I'm running against github.com. The user has read/write permissions.

Anton-Shutik avatar Mar 09 '21 08:03 Anton-Shutik

I suspect you need to run this as a repository admin at the minimum here, and in most cases it really needs to be an org admin. At my org we do scope down the OAuth token to prevent certain actions via automation that we deem undesirable from a bug perspective (such as deleting repositories) and require a manual process around that to ensure that it's intended, not in use (checking references), and backed up/archived before we actually clean it up.

As a security engineer there are few times I recommend running systems with admin tokens. The one place we generally need to accept that is in our automation pipelines, as they perform actions traditionally performed manually by admins. This usually also has the effect of reducing the number of people who have admin permissions, by having self-service automation (with the appropriate reviews and controls). At my org I was able to reduce the number of folks with admin permissions in GitHub by over 2/3, and that number is still shrinking rather than growing despite the opposite trend in org size. The trade-off is worth the risk IMO, and the question becomes how we protect this user's credentials, CI system, etc.

majormoses avatar Mar 14 '21 19:03 majormoses

Just for reference - I just hit this problem, but under slightly different circumstances. We use GitHub Apps for our automation (so basically appId, installationAppID and certificate, not API tokens). The main difference also is that GitHub Apps have separate permissions.

So I tried to import repositories and banged my head against the wall many times over the last few days, as the mentioned allow_merge_commit, allow_squash_merge and allow_rebase_merge were still importing incorrectly (set to false instead of true). What was also interesting - when I ran "apply", nothing actually changed. So probably the GitHub App was lacking some permissions, but the TF module didn't issue any warning about that.

So the solution was to increase the permissions of this GitHub App a bit.

docent-net avatar Jun 26 '21 13:06 docent-net

I currently experience the same issue with v4.12.2, app authentication and Github-Enterprise-Version: 3.0.8

After having a look at the DEBUG logs, the problem seems to be that the GET repo response (https://docs.github.com/en/[email protected]/rest/reference/repos#get-a-repository) doesn't contain, for example, allow_squash_merge and delete_branch_on_merge, but the GET repo response is used to fill the repo resource object. As these values are non-existent, they are set to false, as this is the default value.

In case of an apply, the corresponding PATCH responds with these values, which caused my initial confusion.

I also tried it with my personal token; in this case these values (allow_squash_merge and delete_branch_on_merge) were included in the GET response. More concretely:

"temp_clone_token":
"allow_squash_merge": 
"allow_merge_commit": 
"allow_rebase_merge": 
"delete_branch_on_merge": 

are not included in the GET repo response when used with an app token instead of a personal token.

To fix this issue I added Content rw and Pull request rw permissions for the app; now the mentioned values are included in the get repository response.

From my point of view this is very strange behaviour, maybe even a bug.

edit: investigated the problem

01f-nobot avatar Jul 14 '21 15:07 01f-nobot

Seeing this after switching to app auth as well. We need a definitive list of necessary permissions for these apps.

jspiro avatar Jul 16 '21 10:07 jspiro

I described the issue in the GitHub Support forum (https://github.community/t/unexpected-behaviour-get-repo-response-differs-depending-on-other-app-permissions/190392). Maybe someone can explain why this is intended behaviour, or maybe it is added as a bug and fixed one day :)

01f-nobot avatar Jul 16 '21 10:07 01f-nobot

Perhaps we could get a few more ♥️s on https://github.community/t/unexpected-behaviour-get-repo-response-differs-depending-on-other-app-permissions/190392 ?

jspiro avatar Jul 20 '21 03:07 jspiro

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!

github-actions[bot] avatar Dec 05 '22 02:12 github-actions[bot]

Just ran into this as well while trying to run terraform with a GithubApp installation token and different permissions between main and non-main branches.

Without contents:write the repo GET request does not contain some attributes such as allow_squash_merge.

JonathanSerafini avatar May 16 '23 20:05 JonathanSerafini

Oh interesting! That's something we should probably document at the provider level at least. Would you be interested in opening up a PR to do so?

kfcampbell avatar May 19 '23 17:05 kfcampbell

> just ran into this as well while trying to run terraform with a GithubApp installation token and different permissions between main and non-main branches.
>
> without contents:write the repo GET request does not contain some attributes such as allow_squash_merge

If this was only mentioned in the docs... Well done though. Thanks for sharing!

moritzschmitz-oviva avatar Jun 07 '23 20:06 moritzschmitz-oviva

I've created #1727 to note this on the resource documentation. Follow-up PRs are welcome to modify the wording!

kfcampbell avatar Jun 15 '23 17:06 kfcampbell

I just ran into a similar situation with fine-grained access tokens.

Using a "classic" token with scope "repo" works fine, but having to use credentials with write permissions to run terraform plan sucks.

For allow_squash_merge etc. to be included in the API call that apparently is used when managing github_repository resources, both of the following permissions are needed when using fine-grained tokens:

  • Administration (repository creation, deletion, settings, teams, and collaborators): Read-only
  • Contents (repository contents, commits, branches, downloads, releases, and merges): Read and write

bisgardo avatar Apr 21 '24 21:04 bisgardo

> I just ran into a similar situation with fine-grained access tokens.
>
> Using a "classic" token with scope "repo" works fine, but having to use credentials with write permissions to run terraform plan sucks.
>
> For allow_squash_merge etc. to be included in the API call that apparently is used when managing github_repository resources, both of the following permissions are needed when using fine-grained tokens:
>
>   • Administration (repository creation, deletion, settings, teams, and collaborators): Read-only
>   • Contents (repository contents, commits, branches, downloads, releases, and merges): Read and write

I am also facing this issue. I can add that even after adding the needed permissions as mentioned (Administration - Read-only & Contents - Read and write), allow_squash_merge is only included in a single repository get request - GET /repos/{owner}/{repo} - and not included in a list repositories get request - GET /user/repos. In my case it causes me to run through the returned repositories and send a request for each one retrieving the whole data, which has extremely increased my script run time.

itamar-smirra-port avatar Apr 24 '24 15:04 itamar-smirra-port
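The mechanism 01f-nobot and bisgardo describe above (keys the token cannot see are absent from the GET repo response and are then recorded as false), as an added Go example that is not code from the provider or from this thread. The Repository struct and getter are a simplified stand-in for the go-github types the provider is assumed to use, and the two JSON bodies are constructed samples, not captured API responses.

```go
package main

import "encoding/json"
import "fmt"

// Simplified stand-in for go-github's Repository (assumption: pointer fields,
// so a key absent from the JSON decodes to nil rather than to false).
type Repository struct {
	AllowSquashMerge    *bool `json:"allow_squash_merge"`
	AllowMergeCommit    *bool `json:"allow_merge_commit"`
	AllowRebaseMerge    *bool `json:"allow_rebase_merge"`
	DeleteBranchOnMerge *bool `json:"delete_branch_on_merge"`
}

// Getter in the go-github style: nil collapses to false, which is how a key
// the token cannot see becomes allow_squash_merge = false in Terraform state.
func (r *Repository) GetAllowSquashMerge() bool {
	if r == nil || r.AllowSquashMerge == nil {
		return false
	}
	return *r.AllowSquashMerge
}

// MissingMergeSettings lists merge-related keys absent from a raw GET
// /repos/{owner}/{repo} body; non-empty means an import would record false.
func MissingMergeSettings(body []byte) ([]string, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return nil, err
	}
	var missing []string
	for _, k := range []string{"allow_squash_merge", "allow_merge_commit",
		"allow_rebase_merge", "delete_branch_on_merge"} {
		if _, ok := raw[k]; !ok {
			missing = append(missing, k)
		}
	}
	return missing, nil
}

// Constructed sample bodies: a privileged token's view and a limited token's.
const fullBody = `{"name":"rebrand","allow_squash_merge":true,"allow_merge_commit":true,"allow_rebase_merge":true,"delete_branch_on_merge":false}`
const limitedBody = `{"name":"rebrand"}`

func main() {
	var repo Repository
	_ = json.Unmarshal([]byte(limitedBody), &repo)
	missing, _ := MissingMergeSettings([]byte(limitedBody))
	fmt.Println(repo.GetAllowSquashMerge(), missing)
}
```

Running MissingMergeSettings over the real GET response before `terraform import` turns the silent false into an explicit permissions error.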

> just ran into this as well while trying to run terraform with a GithubApp installation token and different permissions between main and non-main branches.
>
> without contents:write the repo GET request does not contain some attributes such as allow_squash_merge

When using a GH app, where does one set contents:write? The GH app already has "Repository > Contents > Read and Write", but I don't see any place to set permissions for GET requests individually.

ntfc avatar Aug 29 '24 13:08 ntfc

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!

github-actions[bot] avatar May 27 '25 02:05 github-actions[bot]