github_organizations_settings requires write permissions at plan time #1322
Comments
I gave your PR a 👍🏻, thanks for catching this.
Thank you @avgalani! I've updated the provider today and your change works as expected. It's especially useful for creating terraform plans within CI/CD and displaying them in a PR. I'm sorry for asking in a closed issue, but would it be technically possible to use read-only permissions for other
@dn0 do you mind opening another issue to track that?
@kfcampbell I just wanted to ask whether it's even technically possible because I have a feeling that it might be a limitation of the GH API...
OK, so the documentation clearly explains it:
I was trying to use a token with
Ahh, got it, thanks for the link!
At plan time, the github_organization_settings resource requires "organization_administration": "write" permissions to the GitHub API, which doesn't meet the principle of least privilege (it should only need read-only permissions to the API for computing a plan). This issue seems to be originating from this line of code, where the provider does a PATCH request (instead of a GET) when refreshing the organization settings. There's a PR open at #1321 aiming to fix this issue.
Terraform Version
Affected Resource(s)
Please list the resources as a list, for example:
Terraform Configuration Files
Debug Output
https://gist.github.com/avgalani/401b2a5e4afc0ec9f13204eecffc8070
Expected Behavior
The github-terraform-provider should only do GET requests at plan time.
Actual Behavior
When using the github_organization_settings resource, the provider does a PATCH request when producing the plan (see the debug output linked in the gist above), thus requiring write permissions to the organizations API, breaking the principle of least privilege.
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
terraform plan
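The defect reported above is a Read path that issues a mutating request, which silently raises the token scope a plan needs. The Go program below is an added example, not code from terraform-provider-github: it stands up a constructed fake of the /orgs/{org} endpoint that serves GET to any token but rejects PATCH unless the token carries write scope (the literal tokens "read-only-token" and "write-token", the OrgSettings struct, and every function name are assumptions of the example), and it records the HTTP methods seen so that a test can assert a refresh is GET-only. ReadOrgSettings is the least-privilege refresh; ReadOrgSettingsViaPatch reproduces the pattern the issue describes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// OrgSettings is a constructed subset of the organization settings payload,
// not the provider's own struct.
type OrgSettings struct {
	Login                 string `json:"login"`
	MembersCanCreateRepos bool   `json:"members_can_create_repositories"`
}

// MethodLog records every HTTP method the fake API sees, so a test can
// assert that a plan-time refresh never issued a mutating request.
type MethodLog struct {
	mu      sync.Mutex
	methods []string
}

func (l *MethodLog) add(m string) { l.mu.Lock(); l.methods = append(l.methods, m); l.mu.Unlock() }

// Methods returns a copy of the recorded methods in request order.
func (l *MethodLog) Methods() []string {
	l.mu.Lock()
	defer l.mu.Unlock()
	return append([]string(nil), l.methods...)
}

// NewFakeOrgAPI starts a constructed stand-in for GET/PATCH /orgs/{org}. It
// models the scope rule the issue describes: GET is served for any token,
// PATCH only for a token holding organization_administration:write (the
// literal "write-token" is an assumption for the example).
func NewFakeOrgAPI() (*httptest.Server, *MethodLog) {
	log := &MethodLog{}
	state := OrgSettings{Login: "example-org", MembersCanCreateRepos: true}
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		log.add(r.Method)
		switch r.Method {
		case http.MethodGet:
			json.NewEncoder(w).Encode(state)
		case http.MethodPatch:
			if r.Header.Get("Authorization") != "token write-token" {
				http.Error(w, `{"message":"Resource not accessible"}`, http.StatusForbidden)
				return
			}
			json.NewEncoder(w).Encode(state)
		default:
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		}
	})
	return httptest.NewServer(handler), log
}

// ReadOrgSettings refreshes state the way a plan-time Read should: one GET,
// which a read-only token is enough for.
func ReadOrgSettings(baseURL, token, org string) (OrgSettings, error) {
	return doRead(http.MethodGet, baseURL, token, org)
}

// ReadOrgSettingsViaPatch reproduces the pattern the issue describes: an
// empty PATCH used as a "read", which drags write scope into plan.
func ReadOrgSettingsViaPatch(baseURL, token, org string) (OrgSettings, error) {
	return doRead(http.MethodPatch, baseURL, token, org)
}

func doRead(method, baseURL, token, org string) (OrgSettings, error) {
	var out OrgSettings
	req, err := http.NewRequest(method, baseURL+"/orgs/"+org, nil)
	if err != nil {
		return out, err
	}
	req.Header.Set("Authorization", "token "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return out, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return out, fmt.Errorf("%s /orgs/%s: HTTP %d", method, org, resp.StatusCode)
	}
	return out, json.NewDecoder(resp.Body).Decode(&out)
}

// IsReadOnly reports whether every recorded method is a safe, non-mutating
// one; this is the assertion a provider test should make against its Read.
func IsReadOnly(methods []string) bool {
	for _, m := range methods {
		if m != http.MethodGet && m != http.MethodHead {
			return false
		}
	}
	return true
}

func main() {
	srv, log := NewFakeOrgAPI()
	defer srv.Close()
	s, err := ReadOrgSettings(srv.URL, "read-only-token", "example-org")
	fmt.Println("GET refresh:", s, err, "read-only so far:", IsReadOnly(log.Methods()))
	_, err = ReadOrgSettingsViaPatch(srv.URL, "read-only-token", "example-org")
	fmt.Println("PATCH refresh with read-only token:", err, "read-only:", IsReadOnly(log.Methods()))
}
```

Run as a plain program it prints a successful GET refresh followed by the 403 the PATCH path gets with a read-only token. The useful part for a provider is the method log plus IsReadOnly: wiring the same fake and assertion into the resource's own tests would catch a Read that mutates before a CI pipeline discovers it by being handed a write-scoped token.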