[BUG] data github_repository: Owner not being respected when authenticated user belongs to a different organization #1686

Open
devinnasar opened this issue May 16, 2023 · 1 comment
Labels
hacktoberfest Issues for participation in Hacktoberfest Status: Up for grabs Issues that are ready to be worked on by anyone Type: Bug Something isn't working as documented

Use Case/Problem

We are scaffolding alerts in New Relic where the best source of truth for some required data is the YAML files stored within this repository: https://github.com/newrelic/entity-definitions. We are attempting to use the Terraform GitHub provider to pull this data directly from where New Relic commits it, and then consume it into our own Terraform via yamldecode(). Our GitHub service user for Terraform processes belongs to our company's GitHub Enterprise organization. The repository we need to read from belongs to New Relic's organization. Currently the provider will not retrieve the data when authenticated with our service user's token. I believe that this is due to the provider searching within our company's GHE tenant for the target repository.

Scenario

  • GitHub provider is passed a token parameter from a user belonging to organization 'xcompany'.
  • GitHub provider is passed a base_url of ghe.xcompany.com
  • GitHub provider is passed an owner parameter of 'newrelic'
  • Terraform is trying to use a github_repository or github_repository_file data source targeting a repository belonging to organization 'newrelic'

Terraform configuration

provider.tf

provider "github" {
  token = "ghp_xxxxx" # user belongs to X Company
  base_url = "https://ghe.xcompany.com/"
  owner = "newrelic" # the repo we want to read data from is a public repo belonging to newrelic
}

data.tf

data "github_repository" "entity_definitions"{
  full_name = "newrelic/entity-definitions"
}

data "github_repository_file" "infra_awslambdafunction_golden_metrics" {
  repository = data.github_repository.entity_definitions.full_name
  file = "definitions/infra-awslambdafunction/golden_metrics.yml" # https://github.com/newrelic/entity-definitions/blob/main/definitions/infra-awslambdafunction/golden_metrics.yml
}

outputs.tf

output "gh_repo" {
  # yamldecode() accepts only a string, so the data source object is output directly
  value = data.github_repository.entity_definitions
}

output "gh_infra_awslambdafunction_golden_metrics" {
  value = data.github_repository_file.infra_awslambdafunction_golden_metrics
}

terraform plan ...

Changes to Outputs:
  + module_gh_repo = {
    + allow_auto_merge            = null
    + allow_merge_commit          = null
    + allow_rebase_merge          = null
    + allow_squash_merge          = null
    + archived                    = null
    + default_branch              = null
    + description                 = null
    + fork                        = null
    + full_name                   = null
    + git_clone_url               = null
    + has_discussions             = null
    + has_downloads               = null
    + has_issues                  = null
    + has_projects                = null
    + has_wiki                    = null
    + homepage_url                = null
    + html_url                    = null
    + http_clone_url              = null
    + id                          = null
    + is_template                 = null
    + merge_commit_message        = null
    + merge_commit_title          = null
    + name                        = null
    + node_id                     = null
    + pages                       = null
    + private                     = null
    + repo_id                     = null
    + squash_merge_commit_message = null
    + squash_merge_commit_title   = null
    + ssh_clone_url               = null
    + svn_url                     = null
    + template                    = null
    + topics                      = null
    + visibility                  = null
  }
  + gh_infra_awslambdafunction_golden_metrics = {
    + branch         = null
    + commit_author  = null
    + commit_email   = null
    + commit_message = null
    + commit_sha     = null
    + content        = null
    + file           = null
    + id             = null
    + ref            = null
    + repository     = null
    + sha            = null
  }

I've tried:

  • Skipping looking up the repo and passing "newrelic/entity-definitions" directly to data.github_repository_file.infra_awslambdafunction_golden_metrics
  • Removing owner from provider.tf and specifying the full_name of the repository
  • Removing authentication data entirely from provider. This DOES work, however I immediately hit the 60 requests/hour for unauthenticated requests
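
A configuration that keeps the two hosts and their credentials separate, as an added example that is not part of the original issue and not the provider project's own guidance. It assumes the repository is read from github.com with a token issued there; the alias `dotcom` and the variables `ghe_token` and `github_com_token` are hypothetical names.

```hcl
terraform {
  required_providers {
    github = {
      source = "integrations/github"
    }
  }
}

# Hypothetical variables: one credential per host, so the GHE token is never
# presented to github.com and the github.com token never reaches the GHE tenant.
variable "ghe_token" {
  type      = string
  sensitive = true
}

variable "github_com_token" {
  type      = string
  sensitive = true # assumption: a read-only token created on github.com
}

# Default provider: the company's GitHub Enterprise tenant.
provider "github" {
  token    = var.ghe_token
  base_url = "https://ghe.xcompany.com/"
  owner    = "xcompany"
}

# Aliased provider: no base_url, so requests go to the public GitHub API.
provider "github" {
  alias = "dotcom"
  token = var.github_com_token
  owner = "newrelic"
}

# The data source names the aliased provider explicitly.
data "github_repository_file" "infra_awslambdafunction_golden_metrics" {
  provider   = github.dotcom
  repository = "newrelic/entity-definitions"
  file       = "definitions/infra-awslambdafunction/golden_metrics.yml"
  branch     = "main"
}

# yamldecode() is applied to the file's content string, not to the whole object.
output "gh_infra_awslambdafunction_golden_metrics" {
  value = yamldecode(data.github_repository_file.infra_awslambdafunction_golden_metrics.content)
}
```
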
@kfcampbell kfcampbell added Type: Bug Something isn't working as documented Status: Up for grabs Issues that are ready to be worked on by anyone Priority: Normal labels May 19, 2023
@nickfloyd nickfloyd added the hacktoberfest Issues for participation in Hacktoberfest label Sep 20, 2023

drichelson commented May 19, 2024

I came across this issue when trying to create a repo in an org I own. The only way I was able to get the repo to be created in the correct org was to use the GITHUB_OWNER env var when running terraform apply. I have tried various incantations of both fine-grained PATs and regular PATs including ones attached to the org. I kept getting a 403:

 Error: POST https://api.github.com/user/repos: 403 Resource not accessible by personal access token []
