Adding org owner as a team member causes new resource required on every apply

[thomasbrezinski]

Terraform Version

Terraform v0.11.6
+ provider.github v1.0.0

Affected Resource(s)

github_team_membership

Terraform Configuration Files

resource "github_team" "example-team" {
  name        = "example-team"
  description = "example-team"
  privacy     = "closed"
}

resource "github_team_membership" "team_membership" {
  team_id  = "${github_team.example-team.id}"
  username = "thomasbrezinski" // I am an owner of the org the team belongs to
  role     = "member"
}

Debug Output

Please provider a link to a GitHub Gist containing the complete debug output: https://www.terraform.io/docs/internals/debugging.html. Please do NOT paste the debug output in the issue; just paste a link to the Gist.

Expected Behavior

Adding an org owner to a github team with the member role should either fail or the provider should be smart enough to know that the user will always have the maintainer role and not show a change to be applied each run.

Actual Behavior

Every terraform apply shows a need to recreate the team membership.

-/+ github_team_membership.team_membership (new resource required)
      id:       "2716164:thomasbrezinski" => <computed> (forces new resource)
      role:     "maintainer" => "member" (forces new resource)
      team_id:  "2716164" => "2716164"
      username: "thomasbrezinski" => "thomasbrezinski"

Steps to Reproduce

1. terraform apply

[majormoses]

Interesting I have not seen this happen and I am also an (Owner|Maintainer) for several orgs but do not seen this happen. Can you replicate using a fresh state? I have not upgraded to the latest but mine is not super old:

$ terraform --version
Terraform v0.11.4
+ provider.github v1.0.0

Can you try replicating with the same version?

[thomasbrezinski]

It's pretty easy to reproduce with the included stack file.

$ terraform apply

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  + github_team.example-team
      id:          <computed>
      description: "example-team"
      name:        "example-team"
      privacy:     "closed"

  + github_team_membership.team_membership
      id:          <computed>
      role:        "member"
      team_id:     "${github_team.example-team.id}"
      username:    "thomasbrezinski"


Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

github_team.example-team: Creating...
  description: "" => "example-team"
  name:        "" => "example-team"
  privacy:     "" => "closed"
github_team.example-team: Creation complete after 1s (ID: 2745924)
github_team_membership.team_membership: Creating...
  role:     "" => "member"
  team_id:  "" => "2745924"
  username: "" => "thomasbrezinski"
github_team_membership.team_membership: Creation complete after 0s (ID: 2745924:thomasbrezinski)

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
$ terraform apply
github_team.example-team: Refreshing state... (ID: 2745924)
github_team_membership.team_membership: Refreshing state... (ID: 2745924:thomasbrezinski)

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

-/+ github_team_membership.team_membership (new resource required)
      id:       "2745924:thomasbrezinski" => <computed> (forces new resource)
      role:     "maintainer" => "member" (forces new resource)
      team_id:  "2745924" => "2745924"
      username: "thomasbrezinski" => "thomasbrezinski"


Plan: 1 to add, 0 to change, 1 to destroy.

to reiterate, this mimics the behavior of the GitHub API which allows you to add an org owner as a team member even though an org owner always have the maintainer role on a team.

[majormoses]

I was able to replicate this

[radeksimko]

Reproduced, thanks for the report.

I'm going to investigate further and see how/if we can fix this.

[radeksimko]

PR pending review: https://github.com/terraform-providers/terraform-provider-github/pull/137

It looks like historically GitHub might not have had an API for updating the membership level, or the SDK may have been missing support. Either way the PR is making the field updatable.

@thomasbrezinski the output you should see after we merge and release the patched version is something like this:

~ github_team_membership.team_membership
      role:     "maintainer" => "member"

So you'll still see diff, but the action is going to be a lot less destructive. I believe this diff is justified as it reflects the reality. The definition of the membership in your config is effectively role = "member" (because that's default value). If you wish to see no diff you can update the config to role = "maintainer" - which will then reflect the state of the membership as it is.