pulumi refresh without GH credentials deletes resources from the state.

[ringods]

Hello!

• Vote on this issue by adding a 👍 reaction
• To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already)

Issue details

I am using the Github provider to manage our complete Github organization, similarly to your blog article. I started with a working Github Actions setup with preview on pull request and up on merge on main.

Following the proper CI setup, I started configuring Dependabot using the .github/dependabot.yml file. This creates pull requests when it finds newer package versions you are using in your setup. When Dependabot executed, it indeed created the PRs, but the Actions run linked to it failed. After some searching, here was my answer why it failed:

https://github.blog/changelog/2021-11-30-github-actions-workflows-triggered-by-dependabot-receive-dependabot-secrets/

I had refresh: true in my Github Actions configuration. The refresh reported this for 2 resource types:

-   github:index:TeamMembership <redacted> deleted
-   github:index:Repository     <redacted> deleted

as well as (correct) connection errors:

<redacted> (github:index:Membership)
error: refreshing urn:pulumi:prod::githubng::github:index/membership:Membership::<redacted>: This resource can only be used in the context of an organization, "" is a user.
<redacted> (github:index/repository:Repository$github:index/branchProtection:BranchProtection)
error: refreshing urn:pulumi:prod::githubng::github:index/repository:Repository$github:index/branchProtection:BranchProtection::.github_protect_main: non-200 OK status code: 401 Unauthorized body: "{\"message\":\"This endpoint requires you to be authenticated.\",\"documentation_url\":\"https://docs.github.com/graphql/guides/forming-calls-with-graphql#authenticating-with-graphql\"}"
<redacted> (github:index/repository:Repository$github:index/teamRepository:TeamRepository)
error: refreshing urn:pulumi:prod::githubng::github:index/repository:Repository$github:index/teamRepository:TeamRepository::.<redacted>: This resource can only be used in the context of an organization, "" is a user.

The error message is only clear for BranchProtection resources that these are authentication errors. Other resources like Membership and TeamRepository return the confusing This resource can only be used in the context of an organization message while the github:owner is properly set.

Steps to reproduce

1. Start with a working pulumi project using the Github provider and some resources
2. Unset the Github credentials (GITHUB_TOKEN) in your setup
3. Run pulumi refresh

Expected: Only see authentication errors being reported
Actual: See a mix of authentication errors and resource deletions being reported.

References:

• Misleading error message when GITHUB_TOKEN not set integrations/terraform-provider-github#598
• Authorization fixes: vNext proposal integrations/terraform-provider-github#980

[guineveresaenger]

Hi @ringods - thank you for filing this.

Could you clarify a few things for me:

1. Did any resources actually get deleted, or did pulumi refresh only say that they did?

2. Do you see any resource deletion attempts in your Pulumi console?

My hunch is you're running into two separate issues:

1. the upstream misleading error message
2. Dependabot not correctly checking out your Pulumi program, which results in your Pulumi stack thinking it's trying to remove resources (similar to if you were to delete the code that created the resources in the stack).

[guineveresaenger]

Update: I had some time to look at this further and could duplicate some of this behavior with a similar setup.

I believe that what you're seeing is inherited behavior from upstream as well:
https://github.com/integrations/terraform-provider-github/blob/main/github/resource_github_team_membership.go#L113 - meaning, if the GitHub response is StatusNotFound (the default response for all permission errors on the GitHub API), the resource gets deleted from the state in a refresh.

Your TeamMembership and Repository resources were deleted from your Stack, but not from GitHub itself, correct?

[ringods]

@guineveresaenger correct. Some resources were removed from the state during pulumi refresh, not from Github luckily. But having these removed from my state makes my state actually corrupt.

Have a talk with @pierskarsenbarg. I filed a support ticket for this as well and he looked at that ticket for me. His investigation also lead to #203.

[t0yv0]

Some more digging here, indeed appears not solvable without patching the upstream code.

https://github.com/integrations/terraform-provider-github/blob/eb1b7d9265d6e75b42d92ff822295835a15b2c6c/github/resource_github_repository.go#L596

When performing a read it's consulting owner := meta.(*Owner).name which in the case of anonymous client is empty string "". And then it's trying to lookup a repo https://github.com//myrepo which results in 404.

What it could be looking at instead is the actual owner name that's passed in:

	owner = strings.Split(d.Get("full_name").(string), "/")[0]

That's just for the Repository resource though; a comprehensive fix would have to look at all resources carefully.

What we also could consider doing is just enforcing that the provider is always configured, refusing to proceed without a valid GITHUB_TOKEN, we could do this at Pulumi level via PreConfigureCallback. It appears that the upstream provider is intentional about allowing an anonymous client to proceed without auth but the experience around accidental deletions is universally terrible. Are there important use cases we'd lose if the Pulumi provider forced the client to be authenticated?

[t0yv0]

Upstream PR with a possible fix direction: integrations/terraform-provider-github#1750

[mikhailshilkov]

Closing this as done since the upstream PR was accepted