-
Notifications
You must be signed in to change notification settings - Fork 763
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
configuring GitHub org in provider declaration doesn't work #697
Comments
Any updates on the project's stance on this? There does not seem to be a supported path beyond "use environment variables" which is a significant breaking change and is holding up an upgrade from
The ENV requirement breaks some use cases such as managing resources in multiple github resources from different authenticated contexts (via provider The issue with Environment Variables being newly required instead of
Due to the length of time it's been active and the simplicity in triggering it it feels like at the very least documentation should be updated to indicate a lack of support for provider configuration, and the breaking change should be identified on the changelog, since this spans multiple major revisions at this point. Then once current behavior is documented we can work towards |
Hey, I recall some of the old conversations around this when we were looking to make changes. It looks like at least the first major related change to this shipped in #255 and were largely based on the discussions and work in #191. I am curious to checkout a few things as we are still configuring the following in our org and it's working with the latest release: provider "github" {
version = "~> 4.2"
token = var.github_token
organization = var.github_organization
}
variable "github_organization" {
description = "The github org you want to manage"
default = "REDACTED"
}
variable "github_token" {
description = "export TF_VAR_github_token=$MY_TOKEN"
} It sounds like we are silently swallowing that config and perhaps we already have |
Just to throw my two cents in, I'm also having this problem, but only intermittently. Sometimes it works completely, sometimes it seems to pick up There's no rhyme nor reason to it, as I have five identical environments that all use the same config, and it completely worked in one, but the other four had various issues. I don't have any of the GITHUB environment variables set, but I might have to add them to work around this. |
🤔 that/this is odd indeed. I locally ensured that no env vars set, it forced a prompt. I could not replicate this with a number of states in my org. I checked our CI and we are not deploying an env var named
I am unfortunately unable to replicate this behavior and tried multiple sets of configuration options such as hardcoding the values directly in the provider config and using terraform variables. I tested using env vars, local The error you are seeing is being triggered here: terraform-provider-github/github/util.go Lines 19 to 22 in 48af43e
The owner object is defined here: terraform-provider-github/github/config.go Lines 25 to 32 in 48af43e
My ability to grok past that is limited, maybe someone who is more knowledgeable than myself in this matter might be helped by testing and investigation. |
The only insight I can add there is that this seems to be limited to a number of resources (and presumably API calls). Anecdotally it seems related to I'm not really au fait with the Go internals of terraform but I'm going to try and come back with a reproduction case based on a synthetic setup with 2 orgs/org + personal and use of |
I don't think this is a bug in the provider. I've spent hours trying to reproduce this, and I can only trigger the error message that @thekbb is seeing with a configuration that uses both the @thekbb, @rogersd, @tobypinder, here is the setup I've created that triggers this problem. Please can you compare this to your terraform configurations where you see this issue? I suspect it's possible to trigger this in other ways and I'd like to know how your setups are different. Terraform configuration to reproduce the problemCreate a tree with three files:
The content of the files is: ./main.tf provider "github" {
token = "REDACTED"
organization = "REDACTED"
}
module "a" {
source = "./module1"
}
module "b" {
source = "./module2"
} ./module1/main.tf terraform {
required_providers {
github = {
source = "hashicorp/github"
version = "4.4.0"
}
}
} ./module2/main.tf terraform {
required_providers {
github = {
source = "integrations/github"
version = "4.5.1"
}
}
}
resource "github_team" "test" {
name = "Test2"
} Output
ExplanationThere are two different providers with the name The reason why environment variables work is that the terraform providers are run by Unfortunately (for diagnosing this issue), the github provider supports not providing a token. It runs in anonymous mode, and can only perform actions that unauthenticated users can perform. That is why the error message says |
Would there be any harm in first checking if the user is func checkOrganization(meta interface{}) error {
if meta.(*Owner).name == "" {
return fmt.Errorf("This resource can only be used in the context of an organization, %q (an empty string) represents an unauthenticated or anonymous provider. The most likely cause for this is a misconfiguration of the provider instance, please recheck your configuration.", meta.(*Owner).name)
}
if !meta.(*Owner).IsOrganization {
return fmt.Errorf("This resource can only be used in the context of an organization, %q is a user.", meta.(*Owner).name)
}
return nil
} If this makes sense I can open a pull request. I figured this might not be so simple as this might be used in places where it's fine to make some org calls unauthenticated such as listing public repositories. Perhaps it's safe to move inside the other however I suspect there is probably a better place to put these auth type validations separate from if its an org question. |
@majormoses, absolutely, that error message needs improving in the unauthenticated case! I'm not a maintainer, but I'm sure a pull request would be welcome. You're right that we might want to check for authentication in more places than just in
I don't think the new error message needs to mention the empty string or show the value of
|
@tibbes apologies for delay. Given we've applied the env workaround in production states as well it's going to be hard for me to be forensic about what was happening in our states at the time, but it was indeed part of an upgrade involving terraform version upgrades themselves as well as the provider. I had set up a similar test case based on our environment and been unable to replicate the issue, presumably because this was "new" and thus both modules were using an identical provider. So this is all a very wishy washy finger in the air way to say I believe your example is correct and that this "heterogenous module conflict" or whatever we're calling it is most likely the underlying culprit that we experienced. Based on this, I can go back into our production states/CI and attempt to remove the workaround - will report back on success/fail in this regard if useful. |
Terraform Version
(there are two copies of the provider listed, as I use modules to wrap many resources. see #696)
Affected Resource(s)
github_team
Terraform Configuration Files
I define my github org and my github token in the provider config...
Expected Behavior
I'd expect it to create the github team
Actual Behavior
The github team can't be created, as the provider doesn't know about the org.
Steps to Reproduce
terraform apply
Important Factoids
if I set the token and the org as env vars
GITHUB_TOKEN
andGITHUB_ORGANIZATION
everything worksReferences
Pretty sure #655 is the same or similar.
The text was updated successfully, but these errors were encountered: