vulnerability_alerts set to true does not enable "Dependabot security updates"

[blt]

Terraform Version

terraform -v
Terraform v0.12.25
+ provider.github v3.1.0
+ provider.google v3.33.0
+ provider.google-beta v3.33.0
+ provider.random v2.3.1
+ provider.template v2.2.0

Your version of Terraform is out of date! The latest version
is 0.13.5. You can update by downloading from https://www.terraform.io/downloads.html

Affected Resource(s)

Please list the resources as a list, for example:

• github_repository

Terraform Configuration Files

resource "github_repository" "repo" {
  name        = var.repo_name
  description = var.repo_description
  visibility  = "private"

  has_issues    = false
  has_projects  = false
  has_wiki      = false
  has_downloads = false

  delete_branch_on_merge = true
  allow_merge_commit     = false
  is_template            = var.template
  vulnerability_alerts   = true

  auto_init      = var.repo_auto_init
  default_branch = var.repo_default_branch 

  dynamic "template" {
    for_each = var.repo_template != "" ? [1] : []
    content {
      repository = var.repo_template
      owner      = "goodwatercap"
    }
  }
}

Expected Behavior

When flagging vulnerability_alerts to true we expect the following to be enabled:

• Dependency graph
• Dependabot alerts
• Dependabot security updates

Actual Behavior

When flagged vulnerability_alerts to true and only the following were enabled:

• Dependency graph
• Dependabot alerts

Steps to Reproduce

1. Flag a github_repository with vulnerability_alerts to true.
2. terraform apply
3. Confirm at https://github.com/ORG/REPO/settings/security_analysis that "Dependabot security udpates" is not enabled.

Important Factoids

Nothing unusual.

References

None.

[SanderKnape]

I just ran into this issue as well, though what I'm seeing is slightly different from what blt is reporting.

Creating a new repository with vulnerability_alerts: true will only enable Dependabot security updates. The other two options are not enabled.

Running Terraform again will show vulnerability_alerts = false -> true. After applying this, all three options are enabled.

What makes it more interesting is that we enabled these settings on the organization level. So I would expect these settings to be enabled regardless from what I specify in Terraform (see screenshot below).

I'm testing this with private repositories.

[gionn]

What makes it more interesting is that we enabled these settings on the organization level. So I would expect these settings to be enabled regardless from what I specify in Terraform (see screenshot below).

the option states for new repositories, so it serve as a default value for new repositories and not an override for the existing ones.

[SanderKnape]

Correct. I'm testing this on a newly-created repository through this Terraform provider. So I expect the setting to be enabled.

[jspiro]

I am seeing the same. If you re-apply it will correct the bug-induced drift. Not ideal, but at least eventually consistent.

[kfcampbell]

I've looked at this a tiny bit and I believe that setting is applied by this API. There's a helper function to set that vendored into this project, but it's currently unreferenced. I haven't tested calling that yet.

Perhaps it'd be appropriate to add this as a new feature with its own syntax, separate from vulnerability_alerts? I wonder how/if that'd conflict with organization settings to enable it by default.

[charmingnewt]

Hey @kfcampbell - I was poking around this one and it seems there's a missing "Check if automated security fixes are enabled for a repository" API, analogous to this one for vulnerability alerts. Any thoughts on that? I'm looking to contribute here (and also to google/go-github) but hit a wall on the GitHub API. Thanks.

[kfcampbell]

@will-bluem-olo that's a great question. The GET 404s, which is too bad. I've asked internally about it and I'll post again here if I learn something useful.

[charmingnewt]

Hi @kfcampbell - not sure if you ever found anything interesting here, but we'd still be interested in this functionality if it could be added to the API.

[kfcampbell]

Ahh thanks for reminding me! I did not hear anything back, and just bumped the question again.

[kfcampbell]

Alright, there's an internal issue created to track this and the team seems receptive. I'm uncertain of the priority but it seems low at this point. 🤞 🤞 🤞 they jump on it!

[bahag-klickst]

@kfcampbell
Any news on this

[kfcampbell]

@bahag-klickst I unfortunately do not have any updates.

[GMZwinge]

With the latest Terraform 1.6.6 and GitHub provider 5.43.0, a terraform apply -refresh-only doesn't seem to update the field vulnerability_alerts in the .tfstate file with the state in the UI.

[coriolinus]

@kfcampbell any progress to report? My team would also appreciate a fix for this.

[kfcampbell]

I wish I had an update, sorry! You might consider asking your GitHub rep (if you're an enterprise customer) or posting here asking for API coverage.

[thomaslagies]

Any updates on this so far?

[lkiii]

There is a separate resource to enable security. It needs to be combination of vulnerability_alerts = true and

resource "github_repository_dependabot_security_updates" "repo_security" {
  repository = github_repository.repo.id
  enabled    = true
}