Update github_organization_settings to only need RO permissions at plan time #1321
This PR aims to fix #1322.
As part of #1125, a new resource was added that allows the manipulation of Github Organization Settings.
In our setup, we mint Github tokens with read-only permissions in the CI for every terraform plan (which occurs `on: pull_request`) and we mint tokens with read-write permissions only on runs occurring on the main branch (after merging). However, we found that at plan time, the `github_organization_settings` resource requires `"organization_administration": "write"` permissions, which doesn't meet the Principle of least privilege.

We've verified that the provider still works correctly with the changes proposed in this PR by building the provider locally & validating against it. We've also run all existing tests for this resource & they still pass as well.
The Organizations.Get method returns the same object as the Organizations.Edit method, however using the Get method meets least privilege criteria on terraform plan time.
I would love to provide any more information if required or produce changes deemed necessary by the maintainers of the provider to get this change in.
Thank you!
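The design point the PR makes (a plan-time read path must only need the read scope, and only the apply path needs write) can be enforced by the type system rather than by convention. The following Go program is an added example written for this page, not code from the terraform-provider-github project or from go-github: `OrgReader`/`OrgWriter`, `fakeAPI`, `planDiff` and the `OrgSettings` fields are all constructed for illustration, and the fake client stands in for the real API's permission checks.

```go
package main

import (
	"errors"
	"fmt"
)

// OrgSettings is a constructed subset of organization settings; the real
// resource schema has many more fields.
type OrgSettings struct {
	Name                        string
	MembersCanCreateRepos       bool
	DefaultRepositoryPermission string
}

// OrgReader is the capability a token with organization_administration:read
// provides. The plan-time code path accepts only this interface.
type OrgReader interface {
	Get(org string) (*OrgSettings, error)
}

// OrgWriter additionally needs organization_administration:write. Keeping it
// as a separate interface means plan-time code cannot call Edit even by mistake.
type OrgWriter interface {
	OrgReader
	Edit(org string, s OrgSettings) (*OrgSettings, error)
}

// fakeAPI simulates the API's permission model for the example: Get succeeds
// with any token, Edit is rejected unless the token has write permission.
type fakeAPI struct {
	canWrite bool
	stored   map[string]OrgSettings
	calls    []string // request log, so tests can prove plan only used GET
}

var errForbidden = errors.New("403: resource not accessible with a read-only token")

func (f *fakeAPI) Get(org string) (*OrgSettings, error) {
	f.calls = append(f.calls, "GET /orgs/"+org)
	s, ok := f.stored[org]
	if !ok {
		return nil, fmt.Errorf("404: org %q not found", org)
	}
	return &s, nil
}

func (f *fakeAPI) Edit(org string, s OrgSettings) (*OrgSettings, error) {
	f.calls = append(f.calls, "PATCH /orgs/"+org)
	if !f.canWrite {
		return nil, errForbidden
	}
	f.stored[org] = s
	return &s, nil
}

// readOrgSettings is the plan-time (Read) path. It takes an OrgReader, so a
// read-only CI token is sufficient; Get returns the same object Edit would.
func readOrgSettings(c OrgReader, org string) (*OrgSettings, error) {
	return c.Get(org)
}

// updateOrgSettings is the apply-time path and is the only place a writer is
// required.
func updateOrgSettings(c OrgWriter, org string, desired OrgSettings) (*OrgSettings, error) {
	return c.Edit(org, desired)
}

// planDiff reports whether apply would change anything, using reads only.
func planDiff(c OrgReader, org string, desired OrgSettings) (bool, error) {
	current, err := readOrgSettings(c, org)
	if err != nil {
		return false, err
	}
	return *current != desired, nil
}

func main() {
	// Constructed sample state for an organization named "example-org".
	api := &fakeAPI{stored: map[string]OrgSettings{
		"example-org": {Name: "example-org", MembersCanCreateRepos: true, DefaultRepositoryPermission: "read"},
	}}
	desired := OrgSettings{Name: "example-org", MembersCanCreateRepos: false, DefaultRepositoryPermission: "read"}

	changed, err := planDiff(api, "example-org", desired) // read-only token: works
	fmt.Println("plan with read-only token -> changed:", changed, "err:", err)

	_, err = updateOrgSettings(api, "example-org", desired) // rejected: no write scope
	fmt.Println("apply with read-only token -> err:", err)

	api.canWrite = true // the main-branch run mints a read-write token
	_, err = updateOrgSettings(api, "example-org", desired)
	fmt.Println("apply with read-write token -> err:", err, "requests:", api.calls)
}
```

Splitting the interfaces is what makes the least-privilege guarantee checkable: if someone later changes `readOrgSettings` to call `Edit`, the program stops compiling instead of failing at plan time with a 403 in CI.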