[BUG]: github_repository_ruleset can create bypass_actors but cannot delete

[Trikenstein]

Expected Behavior

Using Terraform provider integrations/github version 6.2.1

A github_repository_ruleset resource has been created with a bypass_actors attribute. Later on, the bypass_actors attribute is removed. The Terraform plan confirm the deletion:

# module.CITest.github_repository_ruleset.protection-on-default will be updated in-place
~ resource "github_repository_ruleset" "protection-on-default" {
     id          = "791751"
    name        = "Protections (Default Branch)"
    # (6 unchanged attributes hidden)

    - bypass_actors {
        - actor_id    = 123456789 -> null
        - actor_type  = "Team" -> null
        - bypass_mode = "always" -> null
      }
}

The Terraform apply confirm modification successful

module.CITest.github_repository_ruleset.protection-on-default: Modifications complete after 2s [id=791751]

Using Github UI on the "CITest" repo, Settings, Rules/Ruleset. Select the ruleset. The bypasser still exists.

Actual Behavior

Terraform apply was not able to delete the bypass_actors attribute. And yet the output showed the operation as successful. Re-running a Terraform plan shows the same "updated in-place" shown above. Which means the terraform apply did not change the github_repository_ruleset to remove the existing value in bypass_actors.

The workaround is to use Github UI to delete the bypasser manually.

Terraform Version

Terraform v1.8.3
on linux_amd64
+ provider registry.terraform.io/hashicorp/azurerm v3.103.1
+ provider registry.terraform.io/integrations/github v6.2.1

Affected Resource(s)

• github_repository_ruleset, in particular the bypass_actors attribute

Terraform Configuration Files

resource "github_repository_ruleset" "protection-on-default" {
  name        = "Protections (Default Branch)"
  repository  = github_repository.repository.name
  target      = "branch"
  enforcement = "active"

  conditions {
    ref_name {
      include = ["~DEFAULT_BRANCH"]
      exclude = []
    }
  }

  rules {
    deletion                = true
    required_linear_history = true
    non_fast_forward        = true
  }

  bypass_actors {
    # actor_id get your team id by
    # curl -sSL -H "Authorization: Bearer $MY_GH_PAT" https://api.github.com/orgs/Tracktrace-NGTT/teams/myteam-name
    actor_id    = 123456789 
    actor_type  = "Team"
    bypass_mode = "always"
  }
}

Steps to Reproduce

• 1st run : terraform apply the above code (
• Verify in Github UI, Settings, Rules/Ruleset, that the bypass_actors was created correctly
• 2nd run: comment out the bypass_actors block, then apply
• check using Github UI (or rerun terraform plan) to confirm the bug (that bypass_actors was not deleted)

Debug Output

No response

Panic Output

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[o-sama]

I'm aware of this issue but the limitation actually lies in the go-github client, last I checked was a few months ago and the issue still existed. I'll check in the next few days and if it's been fixed I'll make the change to fix this here.

[lewismiddleton]

I'm aware of this issue but the limitation actually lies in the go-github client, last I checked was a few months ago and the issue still existed. I'll check in the next few days and if it's been fixed I'll make the change to fix this here.

I think this is the related issue: google/go-github#3137

Seems like a PR got put up which got an approval with a few small comments. Then the PR author hasn't responded in a month. I'll give a bump on that PR.

[lewismiddleton]

google/go-github#3174 has now merged and was released as part of v63.

This issue (#2269) will probably depend on #2224 which will fix the breaking changes in v63 and bump the provider.

[matijs]

Duplicate of #2179 ?

[camerondavison]

It does look to be a duplicate. maybe we should close this one in favor of the other one.