[BUG]: Repository 'security_and_analysis' settings are being sent even if they are unset, unchanged, or part of 'lifecycle.ignore_changes'

[fushi]

Expected Behavior

If the 'security_and_analysis' block is either unset, unchanged, or ignored by Terraform by using the ignore_changes list in the lifecycle block of a github_repository, then terraform apply should not send that block to the GitHub API.

Actual Behavior

The block above is sent to the GitHub API, which causes an issue even if it isn't a change.

This becomes an issue if/when the repository has an enterprise policy that prevents modifying the advanced security enablement:

│ Error: PATCH https://api.github.com/repos/$ORG_REDACTED/$REPO_REDACTED: 422 An enterprise policy prevented modifying advanced security enablement. Contact your enterprise owner for details. [] │ │ with github_repository.all['$REPO_REDACTED'], │ on main.tf line 1, in resource "github_repository" "all": │ 1: resource "github_repository" "all" {

Terraform Version

Terraform v1.8.2
on darwin_arm64

• provider registry.terraform.io/hashicorp/aws v5.48.0
• provider registry.terraform.io/integrations/github v6.2.1

Affected Resource(s)

github_repository

Terraform Configuration Files

resource "github_repository" "all" {
  for_each = var.REPOSITORIES
  
  name                  = each.key
  description           = each.value.description

    lifecycle {
    ignore_changes = [
      # Cannot control these: "An enterprise policy prevented modifying advanced security enablement."
      security_and_analysis
    ]
  }

Steps to Reproduce

No response

Debug Output

2024-05-03T16:11:08.912-0700 [ERROR] provider.terraform-provider-github_v6.2.1: Response contains error diagnostic: @caller=github.com/hashicorp/terraform-plugin-go@v0.22.0/tfprotov5/internal/diag/diagnostics.go:58 tf_req_id=b55abc6e-0f96-7365-adb8-1979a52d852e tf_rpc=ApplyResourceChange tf_resource_type=github_repository @module=sdk.proto diagnostic_detail="" diagnostic_severity=ERROR diagnostic_summary="PATCH https://api.github.com/repos/$ORG_REDACTED/$REPO_REDACTED: 422 An enterprise policy prevented modifying advanced security enablement. Contact your enterprise owner for details. []" tf_proto_version=5.4 tf_provider_addr=provider timestamp=2024-05-03T16:11:08.912-0700

Panic Output

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[fushi]

curl -L \ -X PATCH \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer $GH_TOKEN" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/repos/$ORG/$REPO \ -d '{"security_and_analysis":{"advanced_security":{"status":"enabled"}}}'

This is the equivalent cURL, and if an enterprise policy prohibits setting this, it will fail with a HTTP 422 even if the "new" setting matches the extant setting

[mukta-puri]

We are also seeing this issue when destroying a github_repository resource with archive_on_destroy set to true.

[chrisharrison]

We are seeing this issue arise when running a terraform apply that requires modification to the repositories. Weirdly, running the apply again seems to bypass the issue.

[fushi]

We are seeing this issue arise when running a terraform apply that requires modification to the repositories. Weirdly, running the apply again seems to bypass the issue.

If the resource (repository) is up to date, no change is sent, so it won't complain. It only complains when the repository itself is updated, because it tacks on the extra bit.

[fushi]

There is a PR that will fix this issue, and it has been available for over 5 weeks without any input from the maintainers.

[fushi]

Fixed by #2397