Github Action terraform plan execution gets 403 Resource not accessible by integration #1163

Closed
morgan-monzingo opened this issue May 26, 2022 · 5 comments · Fixed by #2083
Labels
Type: Support Any questions, information, or general needs around the SDK or GitHub APIs

Comments

@morgan-monzingo

Hi there,

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

Terraform Version

1.2.1

Affected Resource(s)

  • github_action_secret

Terraform Configuration Files

resource "github_actions_secret" "static_web_app_api_token" {
  repository      = data.github_repository.static_site_repository.name
  secret_name     = "AZURE_STATIC_WEB_APP_API_TOKEN"
  plaintext_value = azurerm_static_site.static_site.api_key
}

Expected Behavior

I want to run a terraform plan on a configuration that includes the github_action_secret in a Github Action on a Pull request.
The plan will show if the secret is being updated, if it is not being updated then it will show no changes.

Actual Behavior

When the terraform plan executes I get a 403 "Resource not accessible by integration".

Important Factoids

I do NOT have a Github app setup to run this. I am running the Github Action using the provided GITHUB_TOKEN to authenticate with the provider. This secret is a part of the repo running the Github Action.

References

Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example:

@botheaj

botheaj commented Dec 18, 2022

I worked around this issue by creating a Personal Access Token and setting the environment variable for GITHUB_TOKEN to the name of my secret:

    - name: Terraform Plan
      run: terraform plan
      env:
        GITHUB_TOKEN: ${{ secrets.PAT }}  

kfcampbell added the Type: Support and Priority: Normal labels on Jan 4, 2023
@kfcampbell
Member

@morgan-monzingo what are the scopes you're requesting for the token? By default, the Actions-generated token only comes with some permissions to the repo it runs on.

@ZsoltPath
Contributor

I've bumped into the same issue. The debug revealed that the problem is deeper than any resource.

2023-12-12T13:55:53.623Z [DEBUG] provider.terraform-provider-github_v5.42.0: ---[ REQUEST ]---------------------------------------
2023-12-12T13:55:53.623Z [DEBUG] provider.terraform-provider-github_v5.42.0: GET /user HTTP/1.1
2023-12-12T13:55:53.623Z [DEBUG] provider.terraform-provider-github_v5.42.0: Host: api.github.com
2023-12-12T13:55:53.623Z [DEBUG] provider.terraform-provider-github_v5.42.0: User-Agent: go-github/v55.0.0
2023-12-12T13:55:53.623Z [DEBUG] provider.terraform-provider-github_v5.42.0: Accept: application/vnd.github.v3+json,application/vnd.github.stone-crop-preview+json
2023-12-12T13:55:53.623Z [DEBUG] provider.terraform-provider-github_v5.42.0: X-Github-Api-Version: 2022-11-28
2023-12-12T13:55:53.623Z [DEBUG] provider.terraform-provider-github_v5.42.0: Accept-Encoding: gzip
2023-12-12T13:55:53.623Z [DEBUG] provider.terraform-provider-github_v5.42.0: 
2023-12-12T13:55:53.623Z [DEBUG] provider.terraform-provider-github_v5.42.0: 
2023-12-12T13:55:53.623Z [DEBUG] provider.terraform-provider-github_v5.42.0: -----------------------------------------------------
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: 2023/12/12 13:55:53 [DEBUG] GitHub API Response Details:
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: ---[ RESPONSE ]--------------------------------------
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: HTTP/2.0 403 Forbidden
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: Access-Control-Allow-Origin: *
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: Content-Security-Policy: default-src 'none'
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: Content-Type: application/json; charset=utf-8
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: Date: Tue, 12 Dec 2023 13:55:53 GMT
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: Server: GitHub.com
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: Vary: Accept-Encoding, Accept, X-Requested-With
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: X-Content-Type-Options: nosniff
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: X-Frame-Options: deny
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: X-Github-Api-Version-Selected: 2022-11-28
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: X-Github-Media-Type: github.v3; format=json, github.stone-crop-preview; format=json
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: X-Github-Request-Id: C553:220C7C:392C2:39AF6:65786669
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: X-Ratelimit-Limit: 15000
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: X-Ratelimit-Remaining: 14999
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: X-Ratelimit-Reset: 1702392953
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: X-Ratelimit-Resource: core
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: X-Ratelimit-Used: 1
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: X-Xss-Protection: 0
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: 
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: {
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0:  "message": "Resource not accessible by integration",
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0:  "documentation_url": "https://docs.github.com/rest/users/users#get-the-authenticated-user"
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: }
2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: -----------------------------------------------------

Practically, the GET /user call isn't supported via App integration authentication.
Exactly as the provider's documentation says:

Some API operations may not be available when using a GitHub App installation configuration. For more information, refer to the list of supported endpoints.

And I'm sure I'm not using any user-related resource. I'm just using a simple data source like

data "github_repository" "synchro_crm_plugins" {
  full_name = "rbs-path/xxxxxxx"
}

It's on

Terraform v1.5.2
on darwin_arm64
+ provider registry.terraform.io/integrations/github v5.42.0

@ZsoltPath
Contributor

Actually, adding the owner parameter to the provider solved the problem.

provider "github" {
  owner = "rbs-path"
  app_auth {
    # `GITHUB_APP_ID`
    # `GITHUB_APP_INSTALLATION_ID`
    # `GITHUB_APP_PEM_FILE`
  }
}

I think it's worth mentioning in the documentation.
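
An added example, not part of the original thread or the provider's code: a Python triage of the provider debug log format quoted above. It pairs each request with its response and flags every 403 "Resource not accessible by integration", mapping `GET /user` to the `owner` fix from this comment. The sample log and the `example-org/demo` path are constructed, and the pairing assumes requests are logged one after another.

```python
import re

# Strips the "<timestamp> [DEBUG] provider.terraform-provider-github_vX.Y.Z: " prefix.
PREFIX = re.compile(r"^\S+ \[DEBUG\] provider\.terraform-provider-github\S*: ?")
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/")
STATUS_LINE = re.compile(r"^HTTP/\S+ (\d{3})")
MESSAGE = re.compile(r'"message":\s*"([^"]*)"')
DENIED = "Resource not accessible by integration"

def pair_exchanges(log_text):
    """Pair each ---[ REQUEST ]--- block with the ---[ RESPONSE ]--- that follows it."""
    exchanges, cur, section = [], None, None
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if line.startswith("---[ REQUEST ]"):
            cur = {"method": None, "path": None, "status": None, "message": None}
            exchanges.append(cur)
            section = "request"
        elif line.startswith("---[ RESPONSE ]"):
            section = "response"
        elif cur is None:
            continue  # log noise before the first request block
        elif section == "request" and cur["path"] is None:
            if m := REQUEST_LINE.match(line):
                cur["method"], cur["path"] = m.groups()
        elif section == "response":
            if cur["status"] is None and (m := STATUS_LINE.match(line)):
                cur["status"] = int(m.group(1))
            elif m := MESSAGE.search(line):
                cur["message"] = m.group(1)
    return exchanges

def triage(log_text):
    """Return (method, path, hint) for every 403 the API attributes to an integration token."""
    findings = []
    for ex in pair_exchanges(log_text):
        if ex["status"] == 403 and ex["message"] == DENIED:
            hint = ("set `owner` in the provider block" if ex["path"] == "/user"
                    else "check the permissions granted to the token")
            findings.append((ex["method"], ex["path"], hint))
    return findings

# Constructed sample in the shape of the debug log quoted in the thread (not a real capture).
P = "2023-12-12T13:55:53.787Z [DEBUG] provider.terraform-provider-github_v5.42.0: "
SAMPLE = "\n".join(P + s for s in [
    "---[ REQUEST ]---", "GET /user HTTP/1.1", "Host: api.github.com", "",
    "---[ RESPONSE ]---", "HTTP/2.0 403 Forbidden", "{", f' "message": "{DENIED}",', "}",
    "---[ REQUEST ]---", "GET /repos/example-org/demo HTTP/1.1", "---[ RESPONSE ]---", "HTTP/2.0 200 OK",
])
```

Run `triage()` over the text of a log captured with `TF_LOG=DEBUG`; `triage(SAMPLE)` returns one finding, for `GET /user`.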

@kfcampbell
Member

@ZsoltPath do you have any interest in opening up a PR to add that fact to the docs?
