github_organizations_settings requires write permissions at plan time #1322

Closed
avgalani opened this issue Oct 11, 2022 · 6 comments · Fixed by #1321

Comments

avgalani (Contributor) commented Oct 11, 2022

At plan time, the github_organization_settings resource requires "organization_administration": "write" permissions to the GitHub API, which doesn't meet the principle of least privilege (it should only need read-only permissions to the API for computing a plan).
This issue seems to be originating from this line of code, where the provider does a PATCH request (instead of a GET) when refreshing the organization settings. There's a PR opened at #1321 aiming to fix this issue.

Terraform Version

Terraform v1.3.2
on darwin_amd64

Affected Resource(s)

  • github_organization_settings

Terraform Configuration Files

terraform {
  required_providers {
    github = {
      source  = "integrations/github"
      version = "~> 5.3"
    }
  }
}

provider "github" {
  owner = "TMNL-test"
}

resource "github_organization_settings" "this" {
  billing_email                                                = "alex@cloudcitizen.eu"
  location                                                     = "Netherlands"
  name                                                         = "TMNL-Test"
  has_organization_projects                                    = true
  has_repository_projects                                      = true
  default_repository_permission                                = "read"
  members_can_create_repositories                              = false
  members_can_create_public_repositories                       = false
  members_can_create_private_repositories                      = false
  members_can_create_internal_repositories                     = false
  members_can_create_pages                                     = false
  members_can_create_public_pages                              = false
  members_can_create_private_pages                             = false
  members_can_fork_private_repositories                        = false
  advanced_security_enabled_for_new_repositories               = false
  dependabot_alerts_enabled_for_new_repositories               = false
  dependabot_security_updates_enabled_for_new_repositories     = false
  dependency_graph_enabled_for_new_repositories                = false
  secret_scanning_enabled_for_new_repositories                 = false
  secret_scanning_push_protection_enabled_for_new_repositories = false
}

Debug Output

https://gist.github.com/avgalani/401b2a5e4afc0ec9f13204eecffc8070

Expected Behavior

The github-terraform-provider should only do GET requests at plan time.

Actual Behavior

When using the github_organization_settings resource, the provider does a PATCH request when producing the plan (see the debug output linked in the gist above), thus requiring write permissions to the organizations API, breaking the principle of least privilege.

Steps to Reproduce

  1. terraform plan
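The following Go program is an added illustration of the permission split the issue describes; it is not the provider's code and is not taken from the linked debug output. It stands up a constructed stand-in for the GitHub organizations endpoint with net/http/httptest, then compares the two ways of refreshing state: a GET, which a read-only token can perform, and the PATCH the issue reports, which is refused unless the token carries write permission even though the request changes nothing. The token strings, the fake server's JSON messages and the choice of which fields it tracks are assumptions made for the example; the status codes (401 for a bad token, 403 for insufficient permission) follow GitHub's documented behaviour.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// orgSettings holds only the fields the example tracks; the real endpoint returns many more.
type orgSettings struct {
	Login                       string `json:"login"`
	BillingEmail                string `json:"billing_email,omitempty"`
	DefaultRepositoryPermission string `json:"default_repository_permission,omitempty"`
}

// Constructed tokens for the example (not real credentials): one carries only
// read access to the organization, the other carries write access.
var tokenPerms = map[string]string{
	"ghp_readonly_example": "read",
	"ghp_admin_example":    "write",
}

// newFakeGitHub starts a stand-in for the organizations API. GET /orgs/{org}
// works with read access; PATCH /orgs/{org} requires write access. Bodies are
// constructed for the example, status codes mirror GitHub's (401 / 403).
func newFakeGitHub() *httptest.Server {
	state := orgSettings{Login: "TMNL-Test", BillingEmail: "billing@example.invalid", DefaultRepositoryPermission: "read"}
	mux := http.NewServeMux()
	mux.HandleFunc("/orgs/", func(w http.ResponseWriter, r *http.Request) {
		perm, ok := tokenPerms[strings.TrimPrefix(r.Header.Get("Authorization"), "token ")]
		if !ok {
			http.Error(w, `{"message":"Bad credentials"}`, http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		switch r.Method {
		case http.MethodGet:
			json.NewEncoder(w).Encode(state)
		case http.MethodPatch:
			if perm != "write" {
				http.Error(w, `{"message":"write access to the organization is required"}`, http.StatusForbidden)
				return
			}
			var patch orgSettings
			if err := json.NewDecoder(r.Body).Decode(&patch); err != nil {
				http.Error(w, `{"message":"Problems parsing JSON"}`, http.StatusUnprocessableEntity)
				return
			}
			if patch.BillingEmail != "" {
				state.BillingEmail = patch.BillingEmail
			}
			if patch.DefaultRepositoryPermission != "" {
				state.DefaultRepositoryPermission = patch.DefaultRepositoryPermission
			}
			json.NewEncoder(w).Encode(state)
		default:
			w.WriteHeader(http.StatusMethodNotAllowed)
		}
	})
	return httptest.NewServer(mux)
}

// call sends one authenticated request and decodes the JSON body on success.
// The HTTP status is returned alongside the error so callers can tell 401 from 403.
func call(method, base, token, org string, body []byte) (orgSettings, int, error) {
	var out orgSettings
	req, err := http.NewRequest(method, base+"/orgs/"+org, bytes.NewReader(body))
	if err != nil {
		return out, 0, err
	}
	req.Header.Set("Authorization", "token "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return out, 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return out, resp.StatusCode, fmt.Errorf("%s %s: HTTP %d", method, req.URL.Path, resp.StatusCode)
	}
	return out, resp.StatusCode, json.NewDecoder(resp.Body).Decode(&out)
}

// readOrg is what a provider's Read (the refresh run at plan time) should do: a single GET.
func readOrg(base, token, org string) (orgSettings, int, error) {
	return call(http.MethodGet, base, token, org, nil)
}

// refreshViaPatch reproduces the behaviour the issue reports: refreshing state by
// sending the current values in a PATCH. Nothing changes, yet write access is required.
func refreshViaPatch(base, token, org string, current orgSettings) (orgSettings, int, error) {
	body, _ := json.Marshal(current)
	return call(http.MethodPatch, base, token, org, body)
}

func main() {
	srv := newFakeGitHub()
	defer srv.Close()
	for _, tok := range []string{"ghp_readonly_example", "ghp_admin_example"} {
		got, code, err := readOrg(srv.URL, tok, "TMNL-test")
		fmt.Printf("GET   with %-21s -> %d %v\n", tok, code, err)
		_, code, err = refreshViaPatch(srv.URL, tok, "TMNL-test", got)
		fmt.Printf("PATCH with %-21s -> %d %v\n", tok, code, err)
	}
}
```

Run it and the read-only token succeeds on GET but gets 403 on the no-op PATCH, which is exactly why a plan-only CI token must be given write scope when a resource refreshes through an edit call. The same mock can be pointed at other org-level resources to check whether their refresh path is a GET before trusting a least-privilege token in a pipeline.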
kuhlman-labs (Contributor) commented

I gave your PR a 👍🏻, thanks for catching this.

dn0 commented Oct 25, 2022

Thank you @avgalani! I've updated the provider today and your change works as expected. It's especially useful for creating terraform plans within CI/CD and displaying them in a PR.

I'm sorry for asking in a closed issue, but would it be technically possible to use read-only permissions for other github_*organization_* resources? (e.g. github_actions_organization_permissions currently has the same problem and requires write scopes...)

kfcampbell (Member) commented

@dn0 do you mind opening another issue to track that?

dn0 commented Oct 25, 2022

@kfcampbell I just wanted to ask whether it's even technically possible because I have a feeling that it might be a limitation of the GH API...

dn0 commented Oct 25, 2022

OK, so the documentation clearly explains it:

You must authenticate using an access token with the admin:org scope to use this endpoint. GitHub Apps must have the administration organization permission to use this API.

I was trying to use a token with read:org scope, but apparently it requires admin:org 😞
I'm sorry for wasting your time.

kfcampbell (Member) commented

Ahh, got it, thanks for the link!
