[BUG] Creating environments from terraform crashes

[clemenstan]

Hello,

I am trying to run terraform in a github workflow and using a "github app" instead with a personal access token for authorization. The github app works in general fine, but when I try to create repository environments with terraform, the provider crashes.

This is the terraform code, which crashes:

# Create  github environments
resource "github_repository_environment" "repo_environments" {

  # a list of environment names
  for_each = local.listOfEnvironments

  repository  = "owerorganization/reponame"
  environment = each.key
}

and I get the following error (please see below). It might be a permission issues, but I have a hard time to find out, what permission set I have to use?

Thanks for any help!

Error: Plugin did not respond

  with github_repository_environment.repo_environments["staging"],
  on main.tf line 21, in resource "github_repository_environment" "repo_environments":
  21: resource "github_repository_environment" "repo_environments" {

The plugin encountered an error, and failed to respond to the
plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may contain
more details.

Error: Plugin did not respond

  with github_repository_environment.repo_environments["production"],
  on main.tf line 21, in resource "github_repository_environment" "repo_environments":
  21: resource "github_repository_environment" "repo_environments" {

The plugin encountered an error, and failed to respond to the
plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may contain
more details.

Error: Plugin did not respond
	google.golang.org/[email protected]/server.go:1714 +0xa1b
google.golang.org/grpc.(*Server).serveStreams.func1.1()
	google.golang.org/[email protected]/server.go:959 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
	google.golang.org/[email protected]/server.go:957 +0x18c

Error: The terraform-provider-github_v5.32.0 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Error: Process completed with exit code 1.

[github-actions]

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀

[kfcampbell]

@clemenstan the permissions you need are given here:

You must authenticate using an access token with the repo scope to use this endpoint. GitHub Apps must have the administration:write permission for the repository to use this endpoint.

[clemenstan]

Sorry, I haven't seen your post. Thank you for the hint! It still doesn't work. It really seem like a bug as mentioned here.

[samhine]

+1 on this.

I'm configuring the provider via a GitHub App which has write permissions over repositories, as well as environments.

In some cases, it seems the API request actually successfully applies on the remote resource - but is not stored in state (which seems even more dangerous than complete failure).

Initially I thought this may be because the teams I was hoping to configure were had visibility = "private", however after changing them to closed I'm still facing this issue.

Additionally, once this phantom environment is created, I cannot import it via the normal means

module.repositories.github_repository_environment.manual-publish: Importing from ID "repo_name:manual-publish"...
module.repositories.github_repository_environment.manual-publish: Import prepared!
  Prepared github_repository_environment for import
module.repositories.github_repository_environment.manual-publish: Refreshing state... [id=repo_name:manual-publish]
╷
│ Error: Plugin did not respond
│ 
│ The plugin encountered an error, and failed to respond to the plugin.(*GRPCProvider).ReadResource call. The plugin logs may contain more
│ details.
╵


Stack trace from the terraform-provider-github_v5.34.0 plugin:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x80 pc=0x1c1b1b0]

goroutine 157 [running]:
github.com/integrations/terraform-provider-github/v5/github.resourceGithubRepositoryEnvironmentRead(0xc0006d6fc0, {0x1ccc620?, 0xc00028e540?})
        github.com/integrations/terraform-provider-github/v5/github/resource_github_repository_environment.go:137 +0x4b0
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Resource).RefreshWithoutUpgrade(0xc0004d3400, 0xc000887d60, {0x1ccc620, 0xc00028e540})
        github.com/hashicorp/[email protected]/helper/schema/resource.go:470 +0x1aa
github.com/hashicorp/terraform-plugin-sdk/internal/helper/plugin.(*GRPCProviderServer).ReadResource(0xc00000fae0, {0xc0006a2de0?, 0x10b3d26?}, 0xc0006a2de0)
        github.com/hashicorp/[email protected]/internal/helper/plugin/grpc_provider.go:535 +0x34b
github.com/hashicorp/terraform-plugin-sdk/internal/tfplugin5._Provider_ReadResource_Handler({0x1ef84c0?, 0xc00000fae0}, {0x22b49f8, 0xc000cfec00}, 0xc0006d69a0, 0x0)
        github.com/hashicorp/[email protected]/internal/tfplugin5/tfplugin5.pb.go:3269 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0003a2000, {0x22b8cb8, 0xc000299860}, 0xc00079f320, 0xc000466db0, 0x2b6b3b0, 0x0)
        google.golang.org/[email protected]/server.go:1337 +0xde3
google.golang.org/grpc.(*Server).handleStream(0xc0003a2000, {0x22b8cb8, 0xc000299860}, 0xc00079f320, 0x0)
        google.golang.org/[email protected]/server.go:1714 +0xa1b
google.golang.org/grpc.(*Server).serveStreams.func1.1()
        google.golang.org/[email protected]/server.go:959 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
        google.golang.org/[email protected]/server.go:957 +0x18c

Error: The terraform-provider-github_v5.34.0 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

[mw8er]

I wanted to create environments via terraform-provider-github_v5.36.0.
Although the creation fails, the environments get created.

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x80 pc=0x10223b0]

goroutine 69 [running]:
github.com/integrations/terraform-provider-github/v5/github.resourceGithubRepositoryEnvironmentRead(0xc0005de4d0, {0x10de340?, 0xc000742100?})
        github.com/integrations/terraform-provider-github/v5/github/resource_github_repository_environment.go:137 +0x4b0
github.com/integrations/terraform-provider-github/v5/github.resourceGithubRepositoryEnvironmentCreate(0x117c940?, {0x10de340?, 0xc000742100})
        github.com/integrations/terraform-provider-github/v5/github/resource_github_repository_environment.go:107 +0x2e5
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Resource).Apply(0xc00034bae0, 0xc0008c8a00, 0xc00065ace0, {0x10de340, 0xc000742100})
        github.com/hashicorp/[email protected]/helper/schema/resource.go:320 +0x438
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Provider).Apply(0xc00031ad00, 0xc0005558d0, 0x1365ee0?, 0xf?)
        github.com/hashicorp/[email protected]/helper/schema/provider.go:294 +0x70
github.com/hashicorp/terraform-plugin-sdk/internal/helper/plugin.(*GRPCProviderServer).ApplyResourceChange(0xc000308a68, {0xc000581ea0?, 0x4b87a6?}, 0xc000581ea0)
        github.com/hashicorp/[email protected]/internal/helper/plugin/grpc_provider.go:895 +0x7c5
github.com/hashicorp/terraform-plugin-sdk/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x13093c0?, 0xc000308a68}, {0x16c9298, 0xc0008cf2c0}, 0xc000581e30, 0x0)
        github.com/hashicorp/[email protected]/internal/tfplugin5/tfplugin5.pb.go:3305 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0000001e0, {0x16cd4d8, 0xc0006829c0}, 0xc0008d1560, 0xc0005316b0, 0x1f812a0, 0x0)
        google.golang.org/[email protected]/server.go:1337 +0xde3
google.golang.org/grpc.(*Server).handleStream(0xc0000001e0, {0x16cd4d8, 0xc0006829c0}, 0xc0008d1560, 0x0)
        google.golang.org/[email protected]/server.go:1714 +0xa1b
google.golang.org/grpc.(*Server).serveStreams.func1.1()
        google.golang.org/[email protected]/server.go:959 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
        google.golang.org/[email protected]/server.go:957 +0x18c

Error: The terraform-provider-github_v5.36.0 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Update: adding a wait_timer, I get the following

│ Error: PUT https://api.github.com/repos/<org>/<repo>/environments/<env>: 422 Failed to create the environment protection rule. Please ensure the billing plan supports the required reviewers protection rule. []
│ 
│   with module.environment[<key>].github_repository_environment.this,
│   on ../../terraform/modules/github_environment/main.tf line 1, in resource "github_repository_environment" "this":
│    1: resource "github_repository_environment" "this" {

[j-martin]

We are also facing a similar issue (SIGSEGV)

[clarkritchie]

This seems to still be an issue in 5.38.0.

[j-martin]

We dug a bit further, and it seems to be an issue with the token used. A token with a lot of permissions works perfectly.

Strangely enough, even with the limited access token we were using, the environment would get created, but the provider would fail to read it.

I'll update this message once we identify the exact permissions we need.

[alexstojda]

Knowing that the issue is a permission issue, since a classic PAT with full permissions works perfectly as @j-martin mentioned, I dug a bit deeper into this.

In our case, the missing permission was actions:read

Which, as per the docs here, includes the permission for the GET /repos/{owner}/{repo}/environments. This correlates to the nil pointer dereference at resource_github_repository_environment.go:137 since env is likely nil due to the failed GetEnvironments call.

It seems the error handling here is broken, as this permission issue should be caught and returned to the user instead of the panic.

[muawiakh]

Fixed in 5.40.0: #1932

Provider returns:

403 Resource not accessible by integration []

[greg-leocare]

Erratum : I finally can use the ".github_repository_environment.environment" by adding the actions:read right on the authApp

I have the same result with the 5.44.0 the environments was created but that return again an error
`403 Resource not accessible by integration []`

[OJFord]

I would be good if the error message pointed to the missing permission.

Anyone know what it is for PUT /repos/:owner/:repo/environments/:env? I've tried adding (all of, together):

• actions:write
• contents:write
• deployments:write

in addition to those already there:

• id-token:write
• issues:write
• pull-requests:write
• repository-projects:write

what else does it need?

[OJFord]

what else does it need?

Turns out nothing worked, it needs an app token: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow