[BUG]: github_actions_organization_secret does not respect lifecycle.ignore_changes #2614
Description
Expected Behavior
- The first terraform plan+apply should create an organization-level secret with a default value and ignore_changes = [plaintext_value, encrypted_value] in the lifecycle block.
- Once that is done, any changes to the secret content should be ignored, as both plaintext_value and encrypted_value are in the ignore block.
- Subsequent terraform plan+apply runs should say "No changes. Your infrastructure matches the configuration."
Actual Behavior
- The initial terraform plan and apply create an organization-level secret with a default value.
- This secret is then manually edited through the GitHub UI.
- Subsequent terraform plan and apply operations create a new resource (rather than doing nothing), effectively overwriting the secret with the original default value.
This behaviour has already been reported here: #749.
From what I understand, this behaviour could be because once a secret is set in GitHub, its value can't be retrieved—making it impossible for Terraform to reconcile the current state. However, one would expect the ignore_changes block to prevent this from being an issue.
It's possible that this provider is handling secret versioning differently—maybe not using an ID/SECRET_NAME at all. If neither GitHub nor this provider is versioning secrets using an ID, the only other mechanism that comes to mind is the updated_at timestamp.
Interestingly, updated_at cannot be ignored via the provider. This means that even when the secret's content hasn't changed in the UI, clicking "Save Changes" (while doing nothing else) still updates the updated_at field—causing Terraform to recreate the resource as described above. This potentially proves that the resource state is tracked on this timestamp. (This is not strictly/only the Terraform provider's fault, as GitHub should not be updating the updated_at value if nothing changed.)
Given that, is a potential fix reintroducing support for ignoring the updated_at field, and then raising an issue with GitHub about the updated_at value changing when no change was made?
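A small model of the behaviour described above, added here as an illustration and not the provider's own code. It assumes the timestamp-based drift check the reporter suspects (state dropped when the remote updated_at no longer matches) and shows why ignore_changes on plaintext_value cannot suppress a create, only an in-place update; ignoreUpdatedAt stands in for the proposed fix.

```go
package main

import "fmt"

// Action is the verb Terraform prints in the plan for the resource.
type Action string

const (
	NoOp   Action = "no-op"
	Create Action = "create"
	Update Action = "update"
)

// State is what terraform.tfstate remembers about the secret (constructed sample).
// The secret value never comes back from the GitHub API, so updated_at is all a refresh can compare.
type State struct {
	ID        string
	UpdatedAt string
}

// refresh models the timestamp-based drift check the reporter suspects (an
// assumption, not the provider's code): if the remote updated_at differs from the
// state, the resource is dropped from state (ID = ""). ignoreUpdatedAt models the
// proposed fix of letting ignore_changes cover updated_at.
func refresh(s State, remoteUpdatedAt string, ignoreUpdatedAt bool) State {
	if s.UpdatedAt != "" && s.UpdatedAt != remoteUpdatedAt && !ignoreUpdatedAt {
		return State{} // gone from state: the next plan has nothing to diff against
	}
	s.UpdatedAt = remoteUpdatedAt
	return s
}

// plan picks the action. ignore_changes = [plaintext_value] can suppress an
// in-place update, but a create is not a diff, so it is never suppressed.
func plan(s State, plaintextChanged, ignorePlaintext bool) Action {
	if s.ID == "" {
		return Create
	}
	if plaintextChanged && !ignorePlaintext {
		return Update
	}
	return NoOp
}

func main() {
	st := State{ID: "TEST_ORGANIZATION_LEVEL_SECRET", UpdatedAt: "2025-01-01T00:00:00Z"}
	edited := "2025-01-02T00:00:00Z" // constructed: "Save Changes" was clicked in the UI
	fmt.Println("after UI edit, no fix:  ", plan(refresh(st, edited, false), false, true))
	fmt.Println("after UI edit, with fix:", plan(refresh(st, edited, true), false, true))
}
```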
Terraform Version
Terraform v1.11.3
on darwin_arm64
- provider registry.terraform.io/integrations/github v6.2.1
Affected Resource(s)
- github_actions_organization_secret
Terraform Configuration Files
```hcl
terraform {
  required_providers {
    github = {
      source  = "integrations/github"
      version = "6.2.1"
    }
  }
}

provider "github" {
  owner = "hindsightifyi"
  token = "github_pat_REDACTED"
}

resource "github_actions_organization_secret" "test_organization_level_secret" {
  secret_name     = "TEST_ORGANIZATION_LEVEL_SECRET"
  visibility      = "private"
  plaintext_value = "{}" # Placeholder value, will be updated via GitHub UI

  lifecycle {
    ignore_changes = [plaintext_value, encrypted_value] # Populate via GitHub UI and don't track with Terraform
  }
}
```
Steps to Reproduce
- Create an organization-level secret with a default value and ignore_changes = [plaintext_value, encrypted_value] in the lifecycle block
- Change the secret content in the GitHub UI (or just don't change anything and click "Save Changes")
- Run a terraform plan and it will show that it is going to create a new resource
Debug Output
```text
ivica.matic@GNUK-LAPT803212s-MacBook-Pro test-github-terraform-provider % terraform apply -auto-approve

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # github_actions_organization_secret.test_organization_level_secret will be created
  + resource "github_actions_organization_secret" "test_organization_level_secret" {
      + created_at      = (known after apply)
      + id              = (known after apply)
      + plaintext_value = (sensitive value)
      + secret_name     = "TEST_ORGANIZATION_LEVEL_SECRET"
      + updated_at      = (known after apply)
      + visibility      = "private"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
github_actions_organization_secret.test_organization_level_secret: Creating...
github_actions_organization_secret.test_organization_level_secret: Creation complete after 2s [id=TEST_ORGANIZATION_LEVEL_SECRET]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

ivica.matic@GNUK-LAPT803212s-MacBook-Pro test-github-terraform-provider % terraform plan
github_actions_organization_secret.test_organization_level_secret: Refreshing state... [id=TEST_ORGANIZATION_LEVEL_SECRET]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # github_actions_organization_secret.test_organization_level_secret will be created
  + resource "github_actions_organization_secret" "test_organization_level_secret" {
      + created_at      = (known after apply)
      + id              = (known after apply)
      + plaintext_value = (sensitive value)
      + secret_name     = "TEST_ORGANIZATION_LEVEL_SECRET"
      + updated_at      = (known after apply)
      + visibility      = "private"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
ivica.matic@GNUK-LAPT803212s-MacBook-Pro test-github-terraform-provider %
```
Panic Output