
vulnerability_alerts set to true does not enable "Dependabot security updates" #588

Open
blt opened this issue Nov 5, 2020 · 16 comments · May be fixed by #2297
Labels
r/repository Status: Needs info Full requirements are not yet known, so implementation should not be started Type: Bug Something isn't working as documented

Comments

@blt

blt commented Nov 5, 2020

Terraform Version

terraform -v
Terraform v0.12.25
+ provider.github v3.1.0
+ provider.google v3.33.0
+ provider.google-beta v3.33.0
+ provider.random v2.3.1
+ provider.template v2.2.0

Your version of Terraform is out of date! The latest version
is 0.13.5. You can update by downloading from https://www.terraform.io/downloads.html

Affected Resource(s)

Please list the resources as a list, for example:

  • github_repository

Terraform Configuration Files

resource "github_repository" "repo" {
  name        = var.repo_name
  description = var.repo_description
  visibility  = "private"

  has_issues    = false
  has_projects  = false
  has_wiki      = false
  has_downloads = false

  delete_branch_on_merge = true
  allow_merge_commit     = false
  is_template            = var.template
  vulnerability_alerts   = true

  auto_init      = var.repo_auto_init
  default_branch = var.repo_default_branch

  dynamic "template" {
    for_each = var.repo_template != "" ? [1] : []
    content {
      repository = var.repo_template
      owner      = "goodwatercap"
    }
  }
}

Expected Behavior

When flagging vulnerability_alerts to true we expect the following to be enabled:

  • Dependency graph
  • Dependabot alerts
  • Dependabot security updates

Actual Behavior

When flagging vulnerability_alerts to true, only the following were enabled:

  • Dependency graph
  • Dependabot alerts

Steps to Reproduce

  1. Flag a github_repository with vulnerability_alerts to true.
  2. terraform apply
  3. Confirm at https://github.com/ORG/REPO/settings/security_analysis that "Dependabot security updates" is not enabled.

Important Factoids

Nothing unusual.

References

None.

@SanderKnape

I just ran into this issue as well, though what I'm seeing is slightly different from what blt is reporting.

Creating a new repository with vulnerability_alerts: true will only enable Dependabot security updates. The other two options are not enabled.

Running Terraform again will show vulnerability_alerts = false -> true. After applying this, all three options are enabled.

What makes it more interesting is that we enabled these settings on the organization level. So I would expect these settings to be enabled regardless from what I specify in Terraform (see screenshot below).

I'm testing this with private repositories.

[screenshot of the organization-level settings referenced above]

@gionn

gionn commented Mar 8, 2021

What makes it more interesting is that we enabled these settings on the organization level. So I would expect these settings to be enabled regardless from what I specify in Terraform (see screenshot below).

The option states "for new repositories", so it serves as a default value for new repositories and not an override for existing ones.

@SanderKnape

Correct. I'm testing this on a newly-created repository through this Terraform provider. So I expect the setting to be enabled.

@jspiro
Contributor

jspiro commented Mar 18, 2021

I am seeing the same. If you re-apply it will correct the bug-induced drift. Not ideal, but at least eventually consistent.

@kfcampbell
Member

I've looked at this a tiny bit and I believe that setting is applied by this API. There's a helper function to set that vendored into this project, but it's currently unreferenced. I haven't tested calling that yet.

Perhaps it'd be appropriate to add this as a new feature with its own syntax, separate from vulnerability_alerts? I wonder how/if that'd conflict with organization settings to enable it by default.

@charmingnewt

Hey @kfcampbell - I was poking around this one and it seems there's a missing "Check if automated security fixes are enabled for a repository" API, analogous to this one for vulnerability alerts. Any thoughts on that? I'm looking to contribute here (and also to google/go-github) but hit a wall on the GitHub API. Thanks.

@kfcampbell
Member

@will-bluem-olo that's a great question. The GET 404s, which is too bad. I've asked internally about it and I'll post again here if I learn something useful.
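
A post-apply drift check, as an added example that is not code from the provider or from anyone in this thread: it enables both settings through the REST endpoints kfcampbell and charmingnewt refer to (assumed to be the vulnerability-alerts and automated-security-fixes PUTs) and reads vulnerability alerts back, since the matching GET for automated security fixes 404s as noted above. The base URL, token, owner and repo are placeholders.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
)

// Added example, not the provider's code. Assumed GitHub REST endpoints:
// PUT /repos/{owner}/{repo}/{vulnerability-alerts|automated-security-fixes} -> 204
// GET /repos/{owner}/{repo}/vulnerability-alerts -> 204 enabled, 404 disabled
// (the matching GET for automated security fixes 404ed per this thread).
type DependabotState struct {
	AlertsEnabled  bool // verified by GET
	FixesRequested bool // PUT accepted; not verifiable via GET
}

// call sends one bodiless request and returns the HTTP status code.
func call(ctx context.Context, c *http.Client, base, token, method, path string) (int, error) {
	req, err := http.NewRequestWithContext(ctx, method, base+path, nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Accept", "application/vnd.github+json")
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := c.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// EnsureDependabot enables both settings, then reads alerts back so a run
// after terraform apply catches the drift reported in this issue.
func EnsureDependabot(ctx context.Context, c *http.Client, base, token, owner, repo string) (DependabotState, error) {
	var st DependabotState
	prefix := "/repos/" + owner + "/" + repo
	for _, ep := range []string{"/vulnerability-alerts", "/automated-security-fixes"} {
		if code, err := call(ctx, c, base, token, http.MethodPut, prefix+ep); err != nil || code != http.StatusNoContent {
			return st, fmt.Errorf("PUT %s: status %d, err %v", ep, code, err)
		}
	}
	st.FixesRequested = true
	code, err := call(ctx, c, base, token, http.MethodGet, prefix+"/vulnerability-alerts")
	st.AlertsEnabled = err == nil && code == http.StatusNoContent
	return st, err
}

func main() { // stand-alone use against the real API with placeholder values
	fmt.Println(EnsureDependabot(context.Background(), http.DefaultClient, "https://api.github.com", "TOKEN_PLACEHOLDER", "ORG", "REPO"))
}
```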

@charmingnewt

Hi @kfcampbell - not sure if you ever found anything interesting here, but we'd still be interested in this functionality if it could be added to the API.

@kfcampbell
Member

Ahh thanks for reminding me! I did not hear anything back, and just bumped the question again.

@nickfloyd nickfloyd added the Status: Needs info Full requirements are not yet known, so implementation should not be started label Nov 1, 2022
@kfcampbell
Member

Alright, there's an internal issue created to track this and the team seems receptive. I'm uncertain of the priority but it seems low at this point. 🤞 🤞 🤞 they jump on it!

@bahag-klickst

@kfcampbell
Any news on this?

@kfcampbell
Member

@bahag-klickst I unfortunately do not have any updates.

@GMZwinge

With the latest Terraform 1.6.6 and GitHub provider 5.43.0, a terraform apply -refresh-only doesn't seem to update the field vulnerability_alerts in the .tfstate file with the state in the UI.

@coriolinus

@kfcampbell any progress to report? My team would also appreciate a fix for this.

@kfcampbell
Member

I wish I had an update, sorry! You might consider asking your GitHub rep (if you're an enterprise customer) or posting here asking for API coverage.

@thomaslagies

Any updates on this so far?

@voanhduy1512 voanhduy1512 linked a pull request Jun 26, 2024 that will close this issue