github_branch_protection is not creating restriction if only a single team is provided.

[eduardohf-ciandt]

Terraform Version

Terraform v0.12.3

• provider.github v2.2.0

Affected Resource(s)

• github_branch_protection

Terraform Configuration Files

locals {
    teams = ["admin"]
}

resource "github_repository" "repo" {
  name          = var.name
  description   = var.description
  private       = true
  auto_init     = false
  has_downloads = false
  has_issues    = false
  has_projects  = false
  has_wiki      = false
}

resource "github_branch_protection" "master_branch" {
  repository     = github_repository.repo.name
  branch         = "master"
  enforce_admins = true

  required_pull_request_reviews {
    dismiss_stale_reviews = true
    required_approving_review_count = 1
  }

  restrictions {
    teams = local.teams
  }
}

Expected Behavior

GitHub Branch should show the admin team in "Restrict who can push to matching branches" session.

Actual Behavior

No team is displayed in the "Restrict who can push to matching branches" session.

Steps to Reproduce

1. terraform plan
2. terraform apply

Important Factoids

I'm running using remote runners from TFE.

If I run with more than one team the team is properly associate in the "Restrict who can push to matching branches" session".

[iniinikoski]

Hmm, I'm working on the same topic here - but seems to work here... Will post more info soon...

[mmoscher]

For me some similar issue occurred: when a repo permissions for a team and a repo branch protection depending on the same team are created in the same run, the team is not listed in the branch protection. Deleting the protection and adding it (using terraform) again, works.

The official documentation states:
teams: (Optional) The list of team slugs with push access. Always use slug of the team, not its name. Each team already has to have access to the repository.

Thus I could image that their exists some kind of race-condition, because the team seems not to have the appropriate permissions during creation of the branch protection.

Maybe an depends_on could fix this.

[goloroden]

We have the same problem as @mmoscher, but with Terraform 0.12.16:

If you assign a repository to a team, and want to use that team for branch protection, the assignment works, but the team is not set for branch protection (it actually is set in the state file, but not on GitHub).

If you then unset the team for branch protection, apply, re-set it, and apply again, it's there.

So yes, our impression is as well that there is a race condition. We have not yet tried to fix this with depends_on, but of course it would be way nicer if the GitHub provider would solve this internally.

PS: Meanwhile we have tried it, and a depends_on seems to work as a workaround.

[github-actions]

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!

[github-actions]

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!