Moving subgroup deletes underlying projects
Terraform Version
Terraform v0.14.6
+ provider registry.terraform.io/gitlabhq/gitlab v3.4.0
Affected Resource(s)
- gitlab_group
- gitlab_project
If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.
Terraform Configuration Files
resource "gitlab_group" "ansible_roles" {
  name                    = "ansible-roles"
  path                    = "ansible-roles"
  description             = "Ansible roles"
  parent_id               = gitlab_group.ace.id # <---- this is what I updated
  subgroup_creation_level = "owner"
  project_creation_level  = "maintainer"
  request_access_enabled  = true
}

resource "gitlab_project" "ansible_roles" {
  for_each = local.ansible_roles

  name             = each.key
  description      = each.value
  default_branch   = "master"
  namespace_id     = gitlab_group.ansible_roles.id
  visibility_level = "internal"

  initialize_with_readme                           = true
  approvals_before_merge                           = 0
  only_allow_merge_if_pipeline_succeeds            = false
  only_allow_merge_if_all_discussions_are_resolved = false
  remove_source_branch_after_merge                 = true

  container_registry_enabled = false
  issues_enabled             = true
  merge_requests_enabled     = true
  packages_enabled           = true
  pipelines_enabled          = true
  shared_runners_enabled     = false
  snippets_enabled           = true
  wiki_enabled               = false

  lifecycle {
    # guard against accidental destruction of this repository
    prevent_destroy = true
  }
}
Plan output
Terraform will perform the following actions:

  # gitlab_group.ansible_roles must be replaced
-/+ resource "gitlab_group" "ansible_roles" {
      ~ full_name        = "old_path / ansible-roles" -> (known after apply)
      ~ full_path        = "old_path/ansible-roles" -> (known after apply)
      ~ id               = "3589" -> (known after apply)
        name             = "ansible-roles"
      ~ parent_id        = 2147 -> 6994 # forces replacement
      ~ runners_token    = (sensitive value)
      ~ visibility_level = "internal" -> (known after apply)
      ~ web_url          = "https://..{redacted}...ansible-roles" -> (known after apply)
        # (12 unchanged attributes hidden)
    }

  # gitlab_project.ansible_roles["base"] will be updated in-place
  ~ resource "gitlab_project" "ansible_roles" {
        id           = "4088"
        name         = "base"
      ~ namespace_id = 3589 -> (known after apply)
        tags         = []
        # (29 unchanged attributes hidden)
    }

....
# repeat for other ansible role projects
Expected Behavior
- Subgroup would be relocated to its new parent group
- Projects would follow
or at the very least there would be an error indicating that Terraform couldn't destroy my projects given prevent=destroy.
Actual Behavior
- Subgroup was destroyed and recreated under new parent group (normal)
- All projects appear to have been deleted
Apply Output
gitlab_group.ansible_roles: Destroying... [id=3589]
gitlab_group.ansible_roles: Still destroying... [id=3589, 10s elapsed]
gitlab_group.ansible_roles: Still destroying... [id=3589, 20s elapsed]
gitlab_group.ansible_roles: Destruction complete after 26s
gitlab_group.ansible_roles: Creating...
gitlab_group.ansible_roles: Creation complete after 1s [id=7048]
gitlab_project.ansible_roles["base"]: Modifying... [id=4088]
gitlab_project.ansible_roles["vault"]: Modifying... [id=4359]
....
# repeat for remaining ansible role projects
Error: PUT https://..{redacted}../api/v4/projects/4359/transfer: 404 {message: 404 Project Not Found}
on projects.tf line 126, in resource "gitlab_project" "ansible_roles":
126: resource "gitlab_project" "ansible_roles" {
Error: PUT https://..{redacted}../api/v4/projects/4088/transfer: 404 {message: 404 Project Not Found}
on projects.tf line 126, in resource "gitlab_project" "ansible_roles":
126: resource "gitlab_project" "ansible_roles" {
...
# repeat for remaining ansible role projects
Steps to Reproduce
- Change subgroup parent id
- terraform apply
Important Factoids
Pretty severe given:
- moving a group (destroy/recreate) deletes all projects despite no indication from plan that this is what will happen
- destructive action bypasses lifecycle destruction prevention
Edited by Timo Furrer
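
Added example (not part of the original issue or the provider's code): a pre-apply check that reads the JSON form of a plan, as produced by `terraform show -json`, and flags every `gitlab_project` whose current `namespace_id` is a `gitlab_group` the plan deletes or replaces, which is the case the plan above reports only as an in-place project update. The sample plan is constructed from the ids in this report and reduced to the fields the check reads; the function names are illustrative.

```python
# Constructed sample in the shape of `terraform show -json <planfile>`,
# trimmed to the fields used below. Ids mirror the plan shown in the issue.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "gitlab_group.ansible_roles", "type": "gitlab_group",
     "change": {"actions": ["delete", "create"],          # "-/+" replacement
                "before": {"id": "3589", "parent_id": 2147},
                "after": {"parent_id": 6994},
                "after_unknown": {"id": True}}},
    {"address": 'gitlab_project.ansible_roles["base"]', "type": "gitlab_project",
     "change": {"actions": ["update"],                    # "~" in-place update
                "before": {"id": "4088", "namespace_id": 3589},
                "after": {"id": "4088"},
                "after_unknown": {"namespace_id": True}}},
    {"address": "gitlab_project.unrelated", "type": "gitlab_project",
     "change": {"actions": ["no-op"],
                "before": {"id": "5000", "namespace_id": 42},
                "after": {"id": "5000", "namespace_id": 42},
                "after_unknown": {}}},
]}


def doomed_groups(plan):
    """Map group id -> address for each gitlab_group the plan deletes or replaces."""
    groups = {}
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if rc["type"] == "gitlab_group" and "delete" in change["actions"]:
            groups[str(change["before"]["id"])] = rc["address"]
    return groups


def projects_at_risk(plan):
    """List (project, group) pairs where the project's current namespace is a
    group that the plan destroys. Only Terraform-managed projects are visible
    here; anything else living in the group does not appear in the plan at all."""
    groups = doomed_groups(plan)
    hits = []
    for rc in plan.get("resource_changes", []):
        before = rc["change"].get("before") or {}
        namespace = str(before.get("namespace_id"))  # int in state, id is a string
        if rc["type"] == "gitlab_project" and namespace in groups:
            hits.append((rc["address"], groups[namespace]))
    return hits


if __name__ == "__main__":
    for project, group in projects_at_risk(SAMPLE_PLAN):
        print(f"BLOCK: {project} lives in {group}, which this plan destroys")
```

Run against a saved plan in CI, a non-empty result is a reason to stop before `terraform apply`.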