[BUG]: create_before_destroy support for github_repository_collaborators resource #2393

@jchancellor-ms

Description

Expected Behavior

github_repository_collaborators should create new teams and permissions prior to removing existing users/permissions. When bootstrapping a new repo, it is created with the creator user as admin. We want to remove any single-user permissioning and replace it with only teams. However, if we use the github_repository_collaborators resource, it will remove the user prior to creating the team configurations, which fails because the user creating the team permissions doesn't have access to create the teams.

Typically this would be resolved by setting the create_before_destroy = true lifecycle configuration to allow the team permissions to be created prior to removing the user permissions. However, implementing this doesn't change the behavior.

Actual Behavior

Using provider version 6.3. The user account is deleted and the teams fail to get their permissions, with the error message '403 You must have administrative rights on this repository.'

Example code:

```hcl
resource "github_repository_collaborators" "some_repo_collaborators" {
  repository = github_repository.this.name

  # One team block per entry in local.team_map. team_id accepts a team ID or
  # team slug; a display name only works here if it already matches the slug.
  dynamic "team" {
    for_each = local.team_map

    content {
      permission = team.value.permission
      team_id    = team.value.name
    }
  }

  depends_on = [github_team.new_teams, github_team_membership.default_owner]

  lifecycle {
    create_before_destroy = true
  }
}
```

Terraform Version

1.9.2

Affected Resource(s)

github_repository_collaborators

Terraform Configuration Files

```hcl
# Teams that do not exist yet; existing teams in local.team_map are referenced by slug only.
resource "github_team" "new_teams" {
  for_each = { for k, v in local.team_map : k => v if v.type == "new" }

  name                      = each.value.name
  description               = each.value.description
  create_default_maintainer = true
  privacy                   = "closed"
}

resource "github_repository_collaborators" "some_repo_collaborators" {
  repository = github_repository.this.name

  # One team block per entry in local.team_map. team_id accepts a team ID or
  # team slug; a display name only works here if it already matches the slug.
  dynamic "team" {
    for_each = local.team_map

    content {
      permission = team.value.permission
      team_id    = team.value.name
    }
  }

  depends_on = [github_team.new_teams, github_team_membership.default_owner]

  lifecycle {
    create_before_destroy = true
  }
}

# Puts the bootstrap owner into the owners team so they keep admin through the team.
resource "github_team_membership" "default_owner" {
  team_id  = github_team.new_teams["module_owners"].id
  role     = "maintainer" # check if we want to have a default owner in the future?
  username = var.owner_gh_alias
}
```

Steps to Reproduce

No response

Debug Output

```text
PUT https://api.github.com/orgs/Azure/teams/teamname/repos/Azure/terraform-azurerm-avm-res-test-repo4: 403 You must have administrative rights on this repository. []
│
│   with github_repository_collaborators.some_repo_collaborators,
│   on main.github_teams.tf line 39, in resource "github_repository_collaborators" "some_repo_collaborators":
│   39: resource "github_repository_collaborators" "some_repo_collaborators" {
```

Panic Output

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
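The failure path this issue reports, as an added example that is not code from terraform-provider-github: create_before_destroy only reorders the create and destroy halves of a resource replacement, so when a changed team list is applied as an in-place update of the existing github_repository_collaborators resource the lifecycle block has no effect, and only the order of the provider's own API calls decides whether the caller revokes its admin before any team grant lands. The script below models that with a constructed in-memory stand-in for the GitHub API (FakeRepoApi; the usernames, team slugs and permissions are all assumptions) and applies the issue's desired state under both orderings, plus a preflight check (actor_keeps_admin, a hypothetical helper) that a pipeline could run before terraform apply to catch a plan that strips Terraform's identity of admin entirely.

```python
"""Ordering model for an authoritative collaborator sync that revokes the caller.

Added example for this issue; not code from terraform-provider-github. GitHub's
API is replaced by an in-memory fake (constructed here) that enforces the rule
behind the 403 in the debug output: every change to a repository's collaborators
or team permissions requires the caller to hold admin on that repository.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Stands in for HTTP 403 from api.github.com."""


@dataclass
class FakeRepoApi:
    actor: str                                  # authenticated user making the calls
    team_members: dict                          # team slug -> set of usernames (org data)
    users: dict = field(default_factory=dict)   # direct collaborators: username -> permission
    teams: dict = field(default_factory=dict)   # team grants on this repo: slug -> permission

    def actor_is_admin(self) -> bool:
        """Admin either as a direct collaborator or via a team granted admin."""
        if self.users.get(self.actor) == "admin":
            return True
        return any(perm == "admin" and self.actor in self.team_members.get(slug, set())
                   for slug, perm in self.teams.items())

    def _require_admin(self) -> None:
        if not self.actor_is_admin():
            raise Forbidden("403 You must have administrative rights on this repository.")

    def put_user(self, username: str, permission: str) -> None:
        self._require_admin()
        self.users[username] = permission

    def delete_user(self, username: str) -> None:
        self._require_admin()
        self.users.pop(username, None)

    def put_team(self, slug: str, permission: str) -> None:
        self._require_admin()
        self.teams[slug] = permission

    def delete_team(self, slug: str) -> None:
        self._require_admin()
        self.teams.pop(slug, None)


def sync_collaborators(api: FakeRepoApi, desired_users: dict, desired_teams: dict,
                       removals_first: bool) -> None:
    """Make the repo's collaborators equal the desired sets (authoritative sync).

    removals_first=True is the sequence the issue reports; False issues the grants
    first, so the caller keeps admin through a team before its own entry goes.
    """
    user_removals = [u for u in api.users if u not in desired_users]
    team_removals = [t for t in api.teams if t not in desired_teams]

    def remove() -> None:
        for u in user_removals:
            api.delete_user(u)
        for t in team_removals:
            api.delete_team(t)

    def grant() -> None:
        for u, p in desired_users.items():
            if api.users.get(u) != p:
                api.put_user(u, p)
        for t, p in desired_teams.items():
            if api.teams.get(t) != p:
                api.put_team(t, p)

    if removals_first:
        remove()
        grant()
    else:
        grant()
        remove()


def actor_keeps_admin(actor: str, desired_users: dict, desired_teams: dict,
                      team_members: dict) -> bool:
    """Preflight (hypothetical helper): does the desired end state still grant the
    actor admin? If not, even a grant-first apply leaves Terraform's identity locked out."""
    if desired_users.get(actor) == "admin":
        return True
    return any(p == "admin" and actor in team_members.get(slug, set())
               for slug, p in desired_teams.items())


def bootstrap_scenario() -> FakeRepoApi:
    """Repo as created in the issue: the creating user is the only admin (constructed data)."""
    return FakeRepoApi(actor="creator",
                       team_members={"module-owners": {"creator"}, "contributors": {"alice"}},
                       users={"creator": "admin"})


DESIRED_USERS: dict = {}  # the issue's goal: no per-user permissions at all
DESIRED_TEAMS = {"module-owners": "admin", "contributors": "push"}


def run(removals_first: bool) -> str:
    """Apply the issue's desired state with one ordering and report the outcome."""
    api = bootstrap_scenario()
    try:
        sync_collaborators(api, DESIRED_USERS, DESIRED_TEAMS, removals_first)
    except Forbidden as exc:
        return f"failed: {exc}; repo left with users={api.users} teams={api.teams}"
    return f"ok: users={api.users} teams={api.teams} actor_admin={api.actor_is_admin()}"


if __name__ == "__main__":
    print("removals first ->", run(removals_first=True))
    print("grants first   ->", run(removals_first=False))
    print("desired state keeps actor admin:",
          actor_keeps_admin("creator", DESIRED_USERS, DESIRED_TEAMS,
                            bootstrap_scenario().team_members))
```

The removals-first run reproduces the 403 and, worse, stops with a repository that has no admin at all, since the caller's entry was already deleted when the first team grant was refused. The grant-first run ends with the same desired state and the caller still admin through module-owners. Until the provider orders its calls that way, a practical mitigation is to keep the creating user's admin entry in the desired state for the first apply and drop it in a second apply once the team grants exist.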

Metadata

Labels

    Status: Up for grabs (Issues that are ready to be worked on by anyone)
    Type: Bug (Something isn't working as documented)

Projects

    Status: ✅ Done