[BUG]: Unable to use github_enterprise_organization due to change in token authorization #2697

Open
@vegardx

Expected Behavior

Previously you could use the github_enterprise_organization resource with a PAT as long as it was owned by a user with the user type Enterprise Admin and the token was authorized with at least one GitHub Organization in the enterprise. This has recently changed, effectively making it impossible to use this resource with any kind of token, without doing a manual step of authorizing the token and a two-pass terraform apply.

I think it's safe to assume that the way this functioned was a bug on GitHub's side, as you shouldn't be allowed to use a PAT towards the organization APIs unless it has been authorized. This was also mentioned in the code itself for the resource:

//NOTE: There is some odd behavior here when using an EMU with SSO. If the user token has been granted permission to
//ANY ORG in the enterprise, then this works, provided that our token has sufficient permission. If the user token
//has not been added to any orgs, then this will fail.

Things are obviously changing on the GitHub side, and they've recently introduced a preview program for Enterprise APIs. This includes API scope to (amongst others) the ability to use the GraphQL mutation for createEnterpriseOrganization with an installation access token from an Enterprise App. But since this resource also uses the REST API for the description part, you're between a rock and a hard place: a PAT from an Enterprise Admin doesn't work and an installation access token from an Enterprise App doesn't work.

I think the best solution would be to remove the description and display name part from this resource, so that you can use Enterprise Apps for managing GitHub Enterprise Organizations. The description and display name fields are required to create the organization, and those can be later set using the github_organization_settings resource.

In the preview program there's also the ability to install GitHub Apps to Enterprise Organizations, meaning that you can first create the org, install an app to manage it, and use that app to set the rest of the configuration. This is a little iffy due to the way Terraform works with providers and how providers are initialized. But it's a starting point at least.

Announcement of public preview: https://github.blog/changelog/2025-07-01-enterprise-level-access-for-github-apps-and-installation-automation-apis/

Actual Behavior

The Enterprise Organization is created using only the GraphQL APIs, which now support installation access tokens from Enterprise Apps.

Terraform Version

Terraform v1.8.5
on darwin_arm64
terraform-provider-github v6.6.0

Affected Resource(s)

  • github_enterprise_organization

Steps to Reproduce

No response

Labels

  • Status: Triage (This is being looked at and prioritized)
  • Type: Bug (Something isn't working as documented)
