security_and_analysis segment not applying properly

[halversonea]

I believe I've found a bug in the provider registry.terraform.io/integrations/github.
I'm able to create repos successfully with the following code:

resource "github_repository" "code_store" {
  name        = var.repository_name
  description = var.repository_description
  auto_init   = true
  allow_squash_merge = true
  allow_merge_commit = false
  allow_rebase_merge = false
  delete_branch_on_merge = true
}

But then when I try to update them in any way I get the following error:

Error: PATCH https://github.office.COMPANY_NAME.com/api/v3/repos/OWNER_NAME/repo-test-eric1a: 422 Secret Scanning is always enabled for public repos []

So I tried including the following security_and_analysis segment:

resource "github_repository" "code_store" {
  name        = var.repository_name
  description = var.repository_description
  auto_init   = true
  allow_squash_merge = true
  allow_merge_commit = false
  allow_rebase_merge = false
  delete_branch_on_merge = true

  security_and_analysis {
    advanced_security {
      status = "enabled"
    }

    secret_scanning {
      status = "enabled"
    }

    secret_scanning_push_protection {
      status = "enabled"
    }
  }
}

But this results in the following error:

Error: PATCH https://github.office.COMPANY_NAME.com/api/v3/repos/OWNER_NAME/repo-test-eric3a: 422 Enabling advanced security is restricted by a policy []

So I attempted to force-disable the extra security settings:

resource "github_repository" "code_store" {
  name        = var.repository_name
  description = var.repository_description
  auto_init   = true
  allow_squash_merge = true
  allow_merge_commit = false
  allow_rebase_merge = false
  delete_branch_on_merge = true

  security_and_analysis {
    advanced_security {
      status = "disabled"
    }

    secret_scanning {
      status = "disabled"
    }

    secret_scanning_push_protection {
      status = "disabled"
    }
  }
}

But this again gives the following error:

Error: PATCH https://github.office.COMPANY_NAME.com/api/v3/repos/OWNER_NAME/repo-test-eric1a: 422 Secret Scanning is always enabled for public repos []

All of these attempts were done fresh with a destroy cleaning up everything before attempting the create again and this is when creating a public repo.

I'm using Terraform v1.3.7 and provider registry.terraform.io/integrations/github v5.14.0 though I was getting the same errors on earlier versions of both terraform and the github provider.

Any suggestions would be greatly appreciated.

[halversonea]

For anyone else facing this issue - I suspect that some part of my company's GitHub Enterprise configuration conflicts with some changes GitHub made to security scanning behavior last year. I believe this is still an issue that needs to be addressed but I was able to move forward by ignoring changes to security_and_analysis.

resource "github_repository" "code_store" {
  name        = var.repository_name
  description = var.repository_description
  auto_init   = true
  allow_squash_merge = true
  allow_merge_commit = false
  allow_rebase_merge = false
  delete_branch_on_merge = true

  lifecycle {
    ignore_changes = [
      security_and_analysis,
    ]
  } 
}

[kfcampbell]

@halversonea this should be resolved by #1489, which I'll release shortly. Please reopen this issue if it persists after the latest release!

[halversonea]

I'm still getting the same error when trying to make a change in 5.15.0:

422 Secret Scanning is always enabled for public repos []

Strangely my workaround with the ignore lifecycle that worked once has also stopped working in 5.14.0 and 5.15.0, not sure why it would be inconsistent.

Editing to add:
I don't have permissions to re-open this issue. If I see it's still closed after a while I'll re-submit.

[fgeronimo-panther]

We also ran into issues on 5.15.0 and our workaround was to declare a dynamic block that states when repo visibility is private, set status for advanced security and if public repo, send nothing. Variables advanced security/secret_scanning/secret_scanning_push_protection are set to enabled by default.

security_and_analysis {
    dynamic "advanced_security" {
      for_each = (var.visibility == "private") ? [1] : []
      content {
        status = var.advanced_security
      }
    }
    secret_scanning {
      status = var.secret_scanning
    }
    secret_scanning_push_protection {
      status = var.secret_scanning_push_protection
    }
  }

[halversonea]

@fgeronimo-panther Can you share what settings you're using for public repos? Every combination we've tried has an issue. I thought we had it fixed with that lifecycle rule but that has also failed except for that one initial success.

[dion-gionet]

@halversonea Have you tried removing the advanced_security block from the security_and_analysis block since the latest update? This works on our end for public repos.

security_and_analysis {
    secret_scanning {
      status = "enabled"
    }

    secret_scanning_push_protection {
      status = "enabled"
    }
  }