Only administrators can create internal repositories from templates in organizations that restrict changing repository visibility

[pmjacinto]

Terraform Version

Terraform v1.0.1
on darwin_amd64

Affected Resource(s)

• github_repository

Terraform Configuration Files

resource "github_repository" "instance" {
  name                 = "test-repo"
  visibility             = "internal"
  template {
    owner      = "my-org"
    repository = "my-template-repo"
  }
}

Debug Output

 Error: PATCH https://api.github.com/repos/<org>/<repo_name>: 422 Visibility can't be changed by this user. []

   with module.internal_repos.github_repository.test_repo,
   on internal-repos/test-repo.tf line 1, in resource "github_repository" "instance":
    1: resource "github_repository" "instance" {

Panic Output

N/A

Expected Behavior

Creating an internal repo from a template should create the repo as internal instead of creating it as private and later changing it to internal.

This will make it possible to use the provider without admin privileges when the organization restricts changing the visibility of a repo to admins.

Actual Behavior

Repo create uses the REST V3 /repos/{template_owner}/{template_repo}/generate API method which does not support a visibility field.

Steps to Reproduce

1. terraform apply

Important Factoids

The equivalent method in the GraphQL API supports setting visibility to internal.

Ref: cloneTemplateRepository mutation.

References

• Only administrators can create internal repositories in organizations that restrict changing repository visibility to administrators #788 addresses this issue for repos not created through a template
• App Auth can't create 'Internal' repos #832 highlights that this is also a problem when using App authentication
• resource_github_repository - creating repo from template

[martinb3]

I've been seeing this on some internal organizations where we can no longer create repos from templates, via Terraform, that I think tracks back to this bug. I've been able to reproduce the error with a curl, if I omit private: true but including private: true against the /generate endpoint of a template repo works just fine (for a repo that should be private from the start). I'm also able to create internal/private-visible repos from the UI just fine.

Doesn't work

➜  ~ curl -X POST https://api.github.com/repos/hashicorp/a-template-repo/generate \
  -d '{"owner": "hashicorp", "name": "msmith-test01"}' \
  -H 'Accept: application/vnd.github.baptiste-preview+json' -H 'Content-Type: application/json' \
  -H "Authorization: token $TOKEN"

Works

➜  ~ curl -X POST https://api.github.com/repos/hashicorp/a-template-repo/generate \
  -d '{"owner": "hashicorp", "private": true, "name": "msmith-test01"}' \
  -H 'Accept: application/vnd.github.baptiste-preview+json' -H 'Content-Type: application/json' \
  -H "Authorization: token $TOKEN"

[christophermancini]

Yes please, we are encountering this issue continuously, having to manually create repos then import them.

[github-actions]

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!