fix(enterprise_organization): prevent taint when PAT not yet authorized #3025

Closed
ericpardee wants to merge 1 commit into integrations:main from ericpardee:fix/enterprise-org-pat-auth-taint

@ericpardee
Contributor

Resolves #1914


Before the change?

When creating a github_enterprise_organization in an EMU environment, REST API calls fail with SAML enforcement errors until the PAT is authorized for the new org. This affects setting description/display_name during create (and any subsequent updates). The error caused Terraform to taint the resource, leading to destroy+recreate on the next apply.

After the change?

SAML enforcement errors during create/update are now caught and handled gracefully:

  • On create: clears description/display_name from state so it reflects reality
  • On update: resets fields to previous values so state stays accurate
  • Returns success instead of error to prevent tainting
  • Logs a warning instructing the user to authorize the PAT and re-apply

Next plan will show drift and retry after PAT authorization.

Pull request checklist

  • Schema migrations have been created if needed (example)
  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

  • Yes
  • No

When a github_enterprise_organization is created in an EMU environment,
subsequent resources may fail because the PAT hasn't been authorized for
the new org yet. When the user then authorizes the PAT and re-runs apply,
the Read operation was incorrectly removing the org from state (because
GraphQL returned "Could not resolve to a node"), causing Terraform to
mark it as tainted and destroy+recreate it.

This fix verifies via REST API whether the org actually exists before
removing it from state. If the org exists but GraphQL can't access it,
we now return a helpful error instead of silently removing from state.

Fixes integrations#1914
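
The create/update handling listed in the pull request description above, sketched as an added example (not the provider's code and not code from this pull request). `apiError`, `orgFields`, `isSAMLEnforcement` and `reconcile` are hypothetical names, and recognizing the failure as HTTP 403 with "SAML enforcement" in the message is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// apiError is a hypothetical stand-in for the REST client's error type.
type apiError struct {
	Status  int
	Message string
}

func (e *apiError) Error() string { return fmt.Sprintf("%d %s", e.Status, e.Message) }

// orgFields holds the two attributes the description names.
type orgFields struct{ Description, DisplayName string }

// isSAMLEnforcement is an assumed classifier: HTTP 403 whose message
// mentions SAML enforcement. Wrapped errors are unwrapped first.
func isSAMLEnforcement(err error) bool {
	var ae *apiError
	return errors.As(err, &ae) && ae.Status == http.StatusForbidden &&
		strings.Contains(ae.Message, "SAML enforcement")
}

// reconcile decides what to record in state after the REST call.
// prev is nil on create and holds the prior state on update.
func reconcile(prev *orgFields, want orgFields, err error) (orgFields, string, error) {
	if err == nil {
		return want, "", nil
	}
	if !isSAMLEnforcement(err) {
		return orgFields{}, "", err // any other failure still fails the apply
	}
	warn := "PAT is not authorized for this org; authorize it and re-apply"
	if prev == nil {
		return orgFields{}, warn, nil // create: state shows the fields as unset
	}
	return *prev, warn, nil // update: state keeps the previous values
}

func main() {
	err := &apiError{Status: 403, Message: "protected by organization SAML enforcement"} // constructed
	state, warn, rerr := reconcile(nil, orgFields{"Platform team", "Platform"}, err)
	fmt.Printf("state=%+v warn=%q err=%v\n", state, warn, rerr)
}
```

Because the apply reports success in the SAML case, the warning and the drift shown by the next plan are the only signals that the values were not applied.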
@github-actions

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀

@github-actions github-actions bot added the "Type: Bug" (Something isn't working as documented) label Dec 27, 2025
@ericpardee
Contributor Author

Tested manually in EMU environment:

  • terraform apply → org created, SAML error on description/display_name
  • Verified org not tainted, state cleared
  • Authorized PAT
  • terraform plan → no taint, shows drift for description/display_name
  • terraform apply → fields set successfully

@ericpardee ericpardee closed this Dec 27, 2025
@ericpardee ericpardee deleted the fix/enterprise-org-pat-auth-taint branch December 27, 2025 02:00
Development

Successfully merging this pull request may close these issues.

[BUG]: Approving PAT taints github_enterprise_organization