Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG]: team membership flaps constantly after release 6.4.0 apparently due to #2420 #2470

Open
1 task done
JCY-Alchemy opened this issue Nov 23, 2024 · 7 comments · May be fixed by #2481
Open
1 task done

[BUG]: team membership flaps constantly after release 6.4.0 apparently due to #2420 #2470

JCY-Alchemy opened this issue Nov 23, 2024 · 7 comments · May be fixed by #2481
Labels
Status: Triage This is being looked at and prioritized Type: Bug Something isn't working as documented

Comments

@JCY-Alchemy
Copy link

JCY-Alchemy commented Nov 23, 2024
edited
Loading

Expected Behavior

  • teams that are referenced by name in github_repository_collaborators should be recognized in plans and applys, or changed implicitly to ID if necessary
  • teams that are repo collaborators should not flap with every plan

Actual Behavior

  • plan detects a need to update team(s) as collaborator(s) because it's comparing team name to ID number (formerly didn't do that)
  • terraform apply with the plan succeeds
  • subsequent plan detects a need to update team(s) as collaborator(s) due to name/ID number issue

Terraform Version

Terraform v1.8.3
on darwin_arm64

  • provider registry.terraform.io/hashicorp/aws v5.66.0
  • provider registry.terraform.io/integrations/github v6.4.0
  • The github provider that introduces the issue is 6.4.0 (acquired due to constraint version = "~> 6.2" in the provider)
  • Pinning version 6.3.1 (last release before 6.4.0) resolves the issue

See #2420 for the change that seems to drive this.

Affected Resource(s)

  • github_repository_collaborators

Terraform Configuration Files

### problem caused by this (auto upgrade to 6.4.0 via the version constraint)
terraform {
  required_version = "~> 1.7"
  required_providers {
    github = {
      source  = "integrations/github"
      version = "~> 6.2"
    }
  }
}

### problem not experienced (pinned to immediate previous release 6.3.1)
terraform {
  required_version = "~> 1.7"
  required_providers {
    github = {
      source  = "integrations/github"
      version = "6.3.1"
    }
  }
}

### we define collaborators like this:
collaborators = {
  users = {
    user_name_1 = "admin"
  }
  teams = {
    team_name_1 = "pull"
    team_name_2 = "pull"
  }
}

### we pass collaborators to a repo-configuring module like this:
variables.tf:
...
variable "collaborators" {
  type        = map(map(string))
  default     = { users = {}, teams = {} }
}

### we unpack user/team collaborators into github_repository_collaborators like this in the module

module.tf:
...
resource "github_repository_collaborators" "my_repo_collab" {
  repository = local.repo_name

  dynamic "user" {
    for_each = local.collaborators_users
    content {
      permission = user.value
      username   = user.key
    }
  }
  dynamic "team" {
    for_each = local.collaborators_teams

    content {
      permission = team.value
      team_id    = team.key
    }
  }
}

Steps to Reproduce

notes

  • If I replace the team name with the team id number in source code, the problem goes away, but our source has the names of teams, not their ID numbers
  • We do not define users and teams in terraform, so those objects are not available. We only have the names.

configure

  • use github provider version 6.4.0

plan

terraform plan

  # module.repo_REPO_NAME.github_repository_collaborators.my_repo_collab will be updated in-place
~ resource "github_repository_collaborators" "my_repo_collab" {
        id             = "REPO_NAME"
        # (2 unchanged attributes hidden)

      - team {
          - permission = "admin" -> null
          - team_id    = "4444444" -> null
        }
      - team {
          - permission = "pull" -> null
          - team_id    = "8888888" -> null
        }
      - team {
          - permission = "push" -> null
          - team_id    = "5555555" -> null
        }
      - team {
          - permission = "push" -> null
          - team_id    = "7777777" -> null
        }
      + team {
          + permission = "admin"
          + team_id    = "name-of-team-1"
        }
      + team {
          + permission = "pull"
          + team_id    = "name-of-team-2"
        }
      + team {
          + permission = "push"
          + team_id    = "name-of-team-3"
        }
      + team {
          + permission = "push"
          + team_id    = "name-of-team-4"
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

### apply

terraform apply
module.repo_REPO_NAME.github_repository_collaborators.my_repo_collab: Modifying... [id=REPO_NAME]
module.repo_REPO_NAME.github_repository_collaborators.my_repo_collab: Modifications complete after 3s [id=REPO_NAME]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

### plan again
terraform plan

(same plan is generated as above)

Debug Output

No response

Panic Output

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@JCY-Alchemy JCY-Alchemy added Status: Triage This is being looked at and prioritized Type: Bug Something isn't working as documented labels Nov 23, 2024
@JCY-Alchemy JCY-Alchemy changed the title [BUG]: team membership flaps constantly after release 3.40 apparently due to #2420 [BUG]: team membership flaps constantly after release 6.4.0 apparently due to #2420 Nov 23, 2024
@al-lac
Copy link

al-lac commented Nov 26, 2024

I have the exact same issue.

@robinbowes
Copy link

Another "me too" comment.

@tiagoasousa
Copy link

+1

@stevehipwell
Copy link
Contributor

PR #2420 fixed the consistency model as the provider currently uses team ID internally for all team resources. You can stop the churn by using a github_team data source to lookup your team ID and you will be using fewer API requests than the old resource used to make prior to #2420.

@robinbowes
Copy link

Take a look at the hoops I've had to jump through to convert team slugs into ids for a bunch of repos defined in human-curated json files, and tell me again how great it is that the provider uses fewer API requests:

locals {
  repo_files    = fileset(path.module, "repository_data/*.json")
  raw_repo_data = [for f in local.repo_files : jsondecode(file(f))]

  repo_data = [
    for repo in local.raw_repo_data : {
      for k, v in repo : k =>
      k == "collaborators" ?
      {
        for k2, v2 in v : k2 =>
        k2 == "teams" ? [
          for block in v2 : {
            for k4, v4 in block : k4 =>
            k4 == "slug" ? local.team_ids[v4] : v4
          }
        ]
        : v2
      }
      : v
    }
  ]

  # Get the set of github team slugs used by all repositories
  team_slugs = toset(
    flatten( # W: local.teams is declared but not used
      [
        for name, repo in local.raw_repo_data : [
          for team in lookup(repo.collaborators, "teams", []) :
          team.slug
        ]
      ]
    )
  )

  team_ids = {
    for team in data.github_team.this : team.slug => team.id
  }
}

data "github_team" "this" {
  for_each = local.team_slugs
  slug     = each.value
}

@JCY-Alchemy
Copy link
Author

JCY-Alchemy commented Nov 28, 2024
edited
Loading

Concur with the above.

I see what we /could/ do, but if you look at the example in the other comment, we're effectively asked to implement all the logic that should be in a provider, on top of the provider in the resource definition. At the topmost abstraction, the resource definition layer (our terraform code) lookups of foundational references should be invisible... and the contested provider code clearly shows this behavior (but flipped from invisibly looking up one thing to invisibly looking up some other thing instead)

@stevehipwell
Copy link
Contributor

@robinbowes @JCY-Alchemy I've just re-checked my notes and this is a defect as I'd intended to not churn on slugs. There are no automated acceptance tests here (I'm working on it) and I don't work at GitHub so don't have easy access to test infrastructure. I've got a PR open to work on this resource so I'll figure out why this isn't working and add a fix.

FYI the reason the number of API call matter is that prior to the refactor this resource was unusable at anything approaching scale.

@stevehipwell stevehipwell linked a pull request Nov 28, 2024 that will close this issue
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Status: Triage This is being looked at and prioritized Type: Bug Something isn't working as documented
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: Updated repo collaborators to support ignoring teams stevehipwell/terraform-provider-github
5 participants
@robinbowes @tiagoasousa @stevehipwell @al-lac @JCY-Alchemy