admin_mode scope for gitlab_personal_access_token

After upgrading to 15.8 an additional scope admin_mode was added to personal access tokens. Since we don't have this scope in our token configuration, Terraform tries to fix it, which leads to recreating tokens with obvious revocation of old ones.

-/+ resource "gitlab_personal_access_token" "dev_bot" {
      ~ active     = true -> (known after apply)
      ~ created_at = "2023-02-15T20:16:43Z" -> (known after apply)
      ~ id         = "71:447" -> (known after apply)
        name       = "SOURCEGRAPH_API_TOKEN"
      ~ revoked    = false -> (known after apply)
      ~ scopes     = [ # forces replacement
          - "admin_mode",
            # (1 unchanged element hidden)
        ]
      ~ token      = (sensitive value)
        # (1 unchanged attribute hidden)
    }

If I try to fix it by adding the new scope to the configuration, Terraform fails because it's an unknown scope.


 Error: expected scopes.0 to be one of [api read_user read_api read_repository write_repository read_registry write_registry sudo], got admin_mode
 
   with gitlab_personal_access_token.test1,
   on devbot.tf line 25, in resource "gitlab_personal_access_token" "test1":
   25:   scopes = ["api", "admin_mode"]
 

GitLab version - 15.8.1-ee
Terraform provider version - 15.8
Terraform version - v1.1.8

Workaround

Use this workaround until the admin_mode_for_api feature flag is removed and this provider supports the admin_mode feature flag.

Current workaround is to set lifecycle to ignore these changes.

  lifecycle {
    ignore_changes = [scopes]
  }

Implementation Details

This can only be reliably done when the admin_mode_for_api feature flag is removed again and the behavior becomes the default. See #1411 (comment 1284276957).

However, the scope can already be added.

Edited by Timo Furrer
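
A pre-apply check for the replacement shown in the plan above, as an added example that is not part of the original issue or the provider's code: it reads the JSON form of a plan (as produced by `terraform show -json`) and reports personal access tokens that would be destroyed and recreated because of `scopes`. The sample plan is constructed; the `ci_bot` resource and the `api` scope are assumptions.

```python
import json

# Constructed sample shaped like `terraform show -json` output for the plan on
# this page; the "api" scope and the ci_bot resource are assumptions.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {
            "address": "gitlab_personal_access_token.dev_bot",
            "type": "gitlab_personal_access_token",
            "change": {
                "actions": ["delete", "create"],
                "before": {"name": "SOURCEGRAPH_API_TOKEN", "scopes": ["admin_mode", "api"]},
                "after": {"name": "SOURCEGRAPH_API_TOKEN", "scopes": ["api"]},
                "replace_paths": [["scopes"]],
            },
        },
        {
            "address": "gitlab_personal_access_token.ci_bot",
            "type": "gitlab_personal_access_token",
            "change": {"actions": ["no-op"], "before": {"scopes": ["api"]}, "after": {"scopes": ["api"]}},
        },
    ]
})

TOKEN_TYPE = "gitlab_personal_access_token"

def tokens_replaced_for_scopes(plan_json):
    """Map each token the plan would destroy and recreate because of `scopes`
    to the scopes that exist on the server but not in the configuration."""
    findings = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change") or {}
        actions = set(change.get("actions") or [])
        # A replacement appears as both "delete" and "create" in the actions list.
        if rc.get("type") != TOKEN_TYPE or not {"delete", "create"} <= actions:
            continue
        # replace_paths lists the attribute paths that forced the replacement.
        if not any(p and p[0] == "scopes" for p in change.get("replace_paths") or []):
            continue
        before = set((change.get("before") or {}).get("scopes") or [])
        after = set((change.get("after") or {}).get("scopes") or [])
        findings[rc["address"]] = sorted(before - after)
    return findings

if __name__ == "__main__":
    for address, extra in tokens_replaced_for_scopes(SAMPLE_PLAN).items():
        print(f"{address}: replacement forced by scopes; not in config: {extra}")
```

Failing a pipeline when this returns a non-empty result stops an apply from revoking tokens that are still in use.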