github_branch_default *always* returns 422 Visibility is already private. [] on deletion #620
Description
I've found an issue that seems to crop up on repo deletion.
The issue appears to be with private repos that have a `` resource set.
Terraform Version
This issue is reproducible on the latest versions. (as of today; 2020-12-04)
❯ terraform version --json
{
"terraform_version": "0.14.0",
"terraform_revision": "",
"provider_selections": {
"registry.terraform.io/hashicorp/aws": "3.19.0",
"registry.terraform.io/hashicorp/github": "4.1.0"
},
"terraform_outdated": false
}Affected Resource(s)
- github_branch_default
Terraform Configuration Files
Here is a simple test-case that is identical to the test case I used to find/document this bug. I have stripped out org/personal information and substituted generic tokens in place:
terraform {
backend "s3" {
# omitted...
}
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3"
}
github = {
source = "hashicorp/github"
version = "~> 4"
}
}
}
provider "github" {
token = var.GITHUB_TOKEN
organization = var.GITHUB_ORGANIZATION
}
resource "github_repository" "myOrg_testing" {
name = "gh-issue-test"
visibility = "private"
has_issues = true
has_projects = false
has_wiki = false
is_template = false
allow_merge_commit = true
allow_squash_merge = true
allow_rebase_merge = true
delete_branch_on_merge = false
has_downloads = false
auto_init = false
archived = false
vulnerability_alerts = true
gitignore_template = ""
license_template = ""
}
# See: https://github.com/terraform-providers/terraform-provider-github/blob/master/website/docs/r/branch_default.html.markdown
resource "github_branch_default" "myOrg_testing" {
repository = github_repository.myOrg_testing.name
branch = "MyNonMainDefaultBranch"
}
resource "github_branch_protection" "myOrg_testing" {
repository_id = github_repository.myOrg_testing.node_id
pattern = "MyNonMainDefaultBranch"
enforce_admins = false
}
#####
# Access Control
#####
resource "github_team_repository" "testing-ops-team-access" {
team_id = github_team.ops.id
repository = github_repository.myOrg_testing.name
permission = "admin"
}
# Rest of org
resource "github_team_repository" "testing-developers-team-access" {
team_id = github_team.developers.id
repository = github_repository.myOrg_testing.name
permission = "push"
}Debug Output
Please provide a link to a GitHub Gist containing the complete debug output: https://www.terraform.io/docs/internals/debugging.html. Please do NOT paste the debug output in the issue; just paste a link to the Gist.
Here is a short version:
❯ terraform destroy --target=github_branch_default.myOrg_testing
github_branch_default.myOrg_testing: Refreshing state... [id=gh-issue-test]
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
- destroy
Terraform will perform the following actions:
# github_branch_default.myOrg_testing will be destroyed
- resource "github_branch_default" "myOrg_testing" {
- branch = "MyNonMainDefaultBranch" -> null
- id = "gh-issue-test" -> null
- repository = "gh-issue-test" -> null
}
Plan: 0 to add, 0 to change, 1 to destroy.
Warning: Resource targeting is in effect
You are creating a plan with the -target option...<snip>
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
github_branch_default.myOrg_testing: Destroying... [id=gh-issue-test]
Warning: Applied changes may be incomplete
The plan was created with the -target option in effect...<snip>
Note that the -target option is not suitable for routine use...<snip>
Error: PATCH https://api.github.com/repos/myOrg/gh-issue-test: 422 Visibility is already private. []
Note: I get the same result if I comment out only the github_branch_default resource and then run a normal terraform apply. I just used --target to hone which resource caused the error.
I am more than happy to provide the full TF_LOG=TRACE output, but it's 3K lines long with the --target flag. I've included the relevant bits below:
2020-12-04T09:34:24.880-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: -----------------------------------------------------
2020-12-04T09:34:24.880-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: 2020/12/04 09:34:24 [TRACE] Acquiring lock for GitHub API request (%!q(<nil>))
2020-12-04T09:34:25.306-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: 2020/12/04 09:34:25 [TRACE] Releasing lock for GitHub API request (%!q(<nil>))
2020-12-04T09:34:25.306-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: 2020/12/04 09:34:25 [DEBUG] Github API Response Details:
2020-12-04T09:34:25.306-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: ---[ RESPONSE ]--------------------------------------
2020-12-04T09:34:25.306-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: HTTP/1.1 422 Unprocessable Entity
2020-12-04T09:34:25.306-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: Content-Length: 93
2020-12-04T09:34:25.306-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: Access-Control-Allow-Origin: *
2020-12-04T09:34:25.306-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, Deprecation, Sunset
2020-12-04T09:34:25.306-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: Content-Security-Policy: default-src 'none'
2020-12-04T09:34:25.306-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: Content-Type: application/json; charset=utf-8
2020-12-04T09:34:25.306-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: Date: Fri, 04 Dec 2020 17:34:25 GMT
2020-12-04T09:34:25.306-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
2020-12-04T09:34:25.306-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: Server: GitHub.com
2020-12-04T09:34:25.306-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: Status: 422 Unprocessable Entity
2020-12-04T09:34:25.306-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
2020-12-04T09:34:25.306-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: Vary: Accept-Encoding, Accept, X-Requested-With
2020-12-04T09:34:25.306-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: X-Accepted-Oauth-Scopes:
2020-12-04T09:34:25.307-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: X-Content-Type-Options: nosniff
2020-12-04T09:34:25.307-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: X-Frame-Options: deny
2020-12-04T09:34:25.307-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: X-Github-Media-Type: github.baptiste-preview; format=json, github.nebula-preview; format=json
2020-12-04T09:34:25.307-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: X-Github-Request-Id: E775:1715:749DA3:8FD7A3:5FCA7320
2020-12-04T09:34:25.307-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: X-Oauth-Scopes: admin:org, delete_repo, repo
2020-12-04T09:34:25.307-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: X-Ratelimit-Limit: 5000
2020-12-04T09:34:25.307-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: X-Ratelimit-Remaining: 4997
2020-12-04T09:34:25.307-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: X-Ratelimit-Reset: 1607106864
2020-12-04T09:34:25.307-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: X-Ratelimit-Used: 3
2020-12-04T09:34:25.307-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: X-Xss-Protection: 1; mode=block
2020-12-04T09:34:25.307-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4:
2020-12-04T09:34:25.307-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: {
2020-12-04T09:34:25.307-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: "message": "Visibility is already private.",
2020-12-04T09:34:25.307-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: "documentation_url": "https://github.com/pricing"
2020-12-04T09:34:25.307-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: }
2020-12-04T09:34:25.307-0800 [DEBUG] plugin.terraform-provider-github_v4.1.0_x4: -----------------------------------------------------
2020/12/04 09:34:25 [DEBUG] github_branch_default.myOrg_testing: apply errored, but we're indicating that via the Error pointer rather than returning it: PATCH https://api.github.com/repos/myOrg/gh-issue-test: 422 Visibility is already private. []
2020/12/04 09:34:25 [TRACE] EvalWriteState: writing current state object for github_branch_default.myOrg_testing
2020/12/04 09:34:25 [TRACE] vertex "github_branch_default.myOrg_testing (destroy)": visit complete
2020/12/04 09:34:25 [TRACE] dag/walk: upstream of "provider[\"registry.terraform.io/hashicorp/github\"] (close)" errored, so skipping
2020/12/04 09:34:25 [TRACE] dag/walk: upstream of "meta.count-boundary (EachMode fixup)" errored, so skipping
2020/12/04 09:34:25 [TRACE] dag/walk: upstream of "root" errored, so skipping
Panic Output
No panic produced.
Expected Behavior
I would expect the default branch configuration to be deleted w/o the 422 API error.
Actual Behavior
I get this error returned from GH API:
Error: PATCH https://api.github.com/repos/myOrg/gh-issue-test: 422 Visibility is already private. []
Steps to Reproduce
- (see
note2below) comment out thegithub_branch_defaultresource in the above 'test case' configuration. - run
tf applyagainst the config and observe that 4 resources are created, one of which is the repo. - un-comment out the
github_branch_defaultresource in the above 'test-case' config. - use either the web UI or
git checkout -b && git pushto make the branch calledMyNonMainDefaultBranchin the new repo - run
tf applyagainst the config and observe that one new resource will be created - determine that the repo and associated resources created in the test config must now be deleted
- comment out all the resources in the above test case
- run
tf applyagainst the config and observe that 5 resources will be destroyed - observe that some resources have been deleted:
- github_team_repository.testing-ops-team-access: Destruction complete after 0s
- github_team_repository.testing-developers-team-access: Destruction complete after 2s
- github_branch_protection.myOrg_testing: Destruction complete after 3s
- (see
note1below). Manually remove thegithub_branch_defaultresource from the state file - run
tf applyagainst the config and observe that the remaining resource (thegithub_repository.myOrg_testing) will be destroyed
Note1:: If, instead of manually removing the github_branch_default resource from the state file as in step 10, you leave ONLY the github_repository resource un-commented, terraform will still only destroy the github_branch_default.myOrg_testing resource. This tells me that the dependency resolution is logically correct but inefficient/un-optimized; the deletion of the github_branch_default does not matter if the github_repository is to be deleted. Deleting the repo necessarily deletes the default branch config.
Note2: Failure to comment out the github_branch_default resource in step 1 will result in an error:
Error: PATCH https://api.github.com/repos/myOrg/gh-issue-test: 422 Validation Failed [{Resource:Repository Field:default_branch Code:invalid Message:Cannot update default branch for an empty repository. Please init the repository and push first.}]
Important Factoids
I can reproduce this behavior with the token that was allocated specifically for our automated Terraform ci/cd pipeline and with my personal token which has 'Owner' level permissions attached to it.
The workaround is to:
-
comment out / delete the
github_branch_defaultresource from the*.tffile(s). -
manually remove the
github_branch_defaultresource from the state file:terraform state rm github_branch_default.myOrg_testing:
Removed github_branch_default.myOrg_testing
Successfully removed 1 resource instance(s).
- re-run
terraform applyand let it observe that thegithub_repositoryis missing and thus should be deleted. Deleting the repo necessarily deletes the repos' default branch config.
References
These issues seem related:
https://github.com/terraform-providers/terraform-provider-github/issues/580