Branch protection not updating

[tbalasavage]

Terraform Version

Terraform v0.13.5
provider registry.terraform.io/hashicorp/github v4.1.0

Affected Resource(s)

Please list the resources as a list, for example:

• github_branch_protection

Terraform Configuration Files

provider "github" {
  token        = var.github_token
  organization = "MyOrg"
  version      = "~> 4.1.0"
}
...
resource "github_branch_protection" "develop_protection" {
  repository_id  = github_repository.repo.node_id
  pattern        = "develop"
  enforce_admins = true

  required_status_checks {
    strict = true
  }

  required_pull_request_reviews {
    dismiss_stale_reviews = true
  }

  push_restrictions = [data.github_team.1.node_id, data.github_team.2.node_id]
}

Expected Behavior

The branch protection for develop should have been updated to have push restrictions to the teams identified as well as have status checks set.

Actual Behavior

No push restrictions were added and no status checks are required but they were identified to at least have been attempted and were marked as successfully updated.

  # github_branch_protection.develop_protection will be updated in-place
  ~ resource "github_branch_protection" "develop_protection" {
        enforce_admins         = true
        id                     = "id="
        pattern                = "develop"
      ~ push_restrictions      = [
          + "id1=",
          + "id2=",
        ]
        repository_id          = "id="
        require_signed_commits = false

        required_pull_request_reviews {
            dismiss_stale_reviews           = true
            dismissal_restrictions          = []
            require_code_owner_reviews      = false
            required_approving_review_count = 1
        }

      + required_status_checks {
          + strict = true
        }
    }

Steps to Reproduce

1. terraform apply

Important Factoids

Nothing in particular

[jcudit]

Seems related to https://github.com/terraform-providers/terraform-provider-github/issues/572 and possibly fixed by https://github.com/terraform-providers/terraform-provider-github/pull/614.

[wendtek]

It appears #614 will not fix this issue. I can confirm the above behavior where it's not just a diff suppression issue, but actually not applying the expected status check. According to the docs, it should be turning on the setting requiring the branch be up to date.

strict: (Optional) Require branches to be up to date before merging. Defaults to false.

[tbalasavage]

Today I found that in order for those contexts to be applied, the groups that you're attempting to add must be in the repository permission list. Once I added the resource block below, the group was able to actually be applied to the context list in GH.

resource "github_team_repository" "repo_permission" {
  for_each   = var.repos
  team_id    = data.github_team.team1.id
  repository = each.key
  permission = "push"
}

This is also true in the UI because if that group isn't listed in the repo collaboration list, then they don't show up in the search.

Regardless, it would be helpful if TF didn't appear to continually re-add those groups, or say that the addition was successful, but could somehow provide some type of error as to what happened.

[felipem1210]

@tbalasavage thank you you saved my day

[github-actions]

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!