Dynamic blocks in github_team_members doesn't work as expected

[anhdle14]

Terraform version

• v1.1.5
• provider.github = v4.20.0

Affected Resource(s)

• github_team_members

Terraform Configuration Files

# terraform.tfvars
teams = {
  "TeamName" = {
    description = "A team"
    privacy     = "closed"
    parent      = null
    members = {
      "User1" = "maintainer"
      "User2" = "member"
    }
  }
}

# main.tf
data "github_team" "parent" {
  for_each = { for v in distinct(compact([for k, v in var.teams : v.parent == null ? "" : v.parent])) : v => "" }

  slug = each.key
}

resource "github_team" "this" {
  for_each = var.teams

  name           = each.key
  parent_team_id = each.value.parent == null ? null : data.github_team.parent[each.value.parent].id
  description    = each.value.description
  privacy        = each.value.privacy

  create_default_maintainer = false
}

resource "github_team_members" "this" {
  for_each = var.teams


  team_id = github_team.this[each.key].id

  dynamic "members" {
    for_each = each.value.members
    iterator = member

    content {
      username = member.key
      role     = member.value
    }
  }
}

Debug Output

Please note:

• The members_count is not the actual output of the given HCL configuration file.
• The id and named have been censored

github_team.this["Team"]: Refreshing state... [id=8888888]
github_team_members.this["Team"]: Refreshing state... [id=8888888]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply":

  # github_team.this["Team"] has changed
  ~ resource "github_team" "this" {
      ~ etag                      = ""
        id                        = "8888888"
      ~ members_count             = 2 -> 4
        name                      = "Team"
        # (5 unchanged attributes hidden)
    }

  # github_team_members.this["Team"] has changed
  ~ resource "github_team_members" "this" {
        id      = "8888888"
        # (2 unchanged attributes hidden)

      + members {
          + role     = "maintainer"
          + username = "User1"
        }
      + members {
          + role     = "maintainer"
          + username = "User2"
        }
      - members {
          - role     = "member" -> null
          - username = "User1" -> null
        }
      - members {
          - role     = "member" -> null
          - username = "User2" -> null
        }
        # (2 unchanged blocks hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # github_team_members.this["Team"] will be updated in-place
  ~ resource "github_team_members" "this" {
        id      = "8888888"
        # (2 unchanged attributes hidden)

      - members {
          - role     = "maintainer" -> null
          - username = "User1" -> null
        }
      - members {
          - role     = "maintainer" -> null
          - username = "User2" -> null
        }
      + members {
          + role     = "member"
          + username = "User1"
        }
      + members {
          + role     = "member"
          + username = "User2"
        }
        # (2 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Warning: Resource targeting is in effect

You are creating a plan with the -target option, which means that the result of this plan may not represent all of the changes requested by the current configuration.

The -target option is not for routine use, and is provided only for exceptional situations such as recovering from errors or mistakes, or when Terraform specifically suggests to use it as part of an error message.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

Panic Output

N/A

Expected Behavior

The dynamic blocks should create correct user with correct role.

Actual Behavior

The dynamic blocks should create correct user with the same role at one run (e.g., 1st run all maintainer, 2nd run all members)

Steps to Reproduce

1. terraform init
2. terraform apply

Important Factoids

Nothing I can think of.

References

N/A

[kaefferlein]

same for me.
I'd really appreciate some response on that issue.

We have a huge github team, which contains all members of our org. approx. 900 members.
all of them are being removed from the team and added again which is not what I expected from this resource tbh.

[pascal-hofmann]

I think at least the behavior described by @kaefferlein is caused by missing pagination. See #1092

[pascal-hofmann]

I think at least the behavior described by @kaefferlein is caused by missing pagination. See #1092

[carocad]

A couple of (unexpected) things that I noticed after using github_team_members resource:

• Organization owners get implicit maintainer role by github. In the diff above that seems to be the case as the maintainer role is being removed in favour of member. Would be good to put this on the docs as it is very counter intuitive.
• parent teams seem to require listing all members of all child teams in their "members". I would label that as a bug but I don't know if this is a bug on github or on the provider itself.
• I am not 100% sure but it seems that the members block is case sensitive on the username. This is hard to pinpoint due to the 2 points above and due to the issue in fix: use pagination to fetch all team members #1092 which make the whole setup very hard to debug.

Hope it helps

[limoges]

We were migrating to github_team_members from github_team_membership expecting to speed up our plans by reducing the number of calls to the API, unfortunately, the resource keeps deleteing/creating team members which forced us to revert. This is the same problem reported by @kaefferlein.

[github-actions]

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!

[anhdle14]

Still not been addressed by GitHub.

[hikerspath]

Any update on this?

[github-actions]

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!