Failed setting visibility=internal on a newly created repo from template

[damir-dezeljin]

Hi there,

Terraform Version

1.0.5

Affected Resource(s)

• github_repository

Terraform Configuration Files

# create github repository for the domain under domain team
resource "github_repository" "domain" {
  name = lower("${var.domain}-domain")

  visibility = "internal"

  template {
    owner      = "our-enterprise-org-id"
    repository = "tf-domain-template"
  }
}

Debug Output

Gist: https://gist.github.com/damir-dezeljin/e9de28e11aa7de8d7a60fc2e123794f6

NOTE: I removed the sensible parts from the logs. Still, I think the logs shows what's the actual issue. Let me recap it here:

• We're using TF to create a GitHub repo out of a template.
• The template repo visibility is set to Internal.
• The newly created repo visibility should be Internal as well.
• The repo gets created, but it remains Private and the visibility setup phase fails with error 422.

Panic Output

n/a

Expected Behavior

I'd expect a new repo with visibility Internal being created.

Actual Behavior

The terraform apply fails with error code 422 on visibility change step.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. Set org policy to prevent users from changing repos visibility.
2. Create a template repo with visibility Internal
3. Use the provided TF code for creating a new repo with visibility Internal out of the template one.
4. Use a GitHub App identity with scopes listed below.
5. Run terraform apply.

Important Factoids

• We're running TF with GitHub Apps credentials with following scopes:
  • Repository access: All repositories
  • Repository permissions:
    • Administration: r/w
    • Contents: r/w
    • Metadata: ro
    • Secrets: r/w
  • Organization permissions:
    • Members: r/w
    • Administration: r/w
• Our Enterprise has an Org.Policy set that prevents users from creating Public repos, as well only Org.Owners are allowed to change repos visibility.

References

n/a

[erzz]

Basically a me too post - but just to add that I get the same result from the same TF config using 1.0.7 too

[parviste-fortum]

The issue seems to be due to a limitation in the Github API which only supports public and private creation from a template: https://docs.github.com/en/rest/reference/repos#create-a-repository-using-a-template

Of course, it might be nice if terraform would give and error or at least warning when trying to set visibility to internal, instead of sillently ignoring it:

terraform-provider-github/github/resource_github_repository.go

Lines 329 to 330 in 98dddd2

	if visibility == "private" || visibility == "internal" {
	isPrivate = true

[parviste-fortum]

Seems like the Github GraphQL API does support creating internal repos from templates: https://docs.github.com/en/graphql/reference/input-objects#clonetemplaterepositoryinput

[JafoFett]

Hoping there is a way to create 'internal' repo's from template repo using Terraform...is there a workaround for the API limitation? Or a flat out no go?

[github-actions]

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!

[damir-dezeljin]

How can I set the Status: Pinned label? I think this is quite a serious flow for Enterprise Cloud customers requiring no repository is set to Public and therefore setting an Org policy for that, but on the other hand wanting all terraformed repositories being accessible to all employees.

I'd appreciate a feedback from GitHub on the matter.

[kfcampbell]

@damir-dezeljin apologies, the SDK team is spread pretty thin at the moment. We've got a little bit of content here about our prioritization process, but realistically, the best way to address this problem is to submit a PR following our contributing guidelines to this project. We appreciate all contributions!