Support for project/group access token rotation

GitLab 16.0 introduced API endpoints for project access token rotation and group access token rotation. GitLab 16.6 added support for the expires_at parameter.

I think it would be great if the GitLab Terraform provider supported token rotation as well. When the token is rotated, the associated bot user remains the same.

How about the following resource extension based on the example in the docs (same for group access tokens)?

 resource "gitlab_project_access_token" "example" {
   project      = "25"
   name         = "Example project access token"
   expires_at   = "2020-03-14"
   access_level = "reporter"

   scopes = ["api"]
+  rotate = true # or `false` (default)
 }
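
Review bot: the added `rotate = true` line sits beside `expires_at = "2020-03-14"`, a fixed past date carried over from the docs example, and the snippet gives no hint of what to expect after a rotation. Since rotation is tied to a change of `expires_at`, a date that is still in the future would make the example unambiguous. The argument's documentation should also state that a rotated token has a new secret value, so anything consuming the token must pick up the new one after the apply.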

Here, a new optional boolean-type resource argument rotate is added, which is not stored in the Terraform state because it's simply a behavior switch in case the resource gets updated.

  • When false (default), the behavior is as it is now.
  • When true and the token has not expired yet, changing the value of expires_at rotates the token instead of deleting it and creating a new one. If the token has expired already or the token does not exist yet, behavior is identical to rotate = false.
Edited by Sigurd Spieckermann
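
The update rule proposed above, sketched in Go as an added example (not the provider's code and not part of the original issue). `Action`, `DecideUpdate` and `RotateRequest` are hypothetical names, the host, token ID and dates are constructed, and the current expiry is assumed to be the `expires_at` date at 00:00 UTC.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Action is what an update of expires_at would trigger (hypothetical type).
type Action string

const (
	Rotate   Action = "rotate"
	Recreate Action = "recreate"
)

// DecideUpdate applies the proposed rule: rotate only when the switch is on and
// the token exists and has not expired yet; otherwise behave as rotate = false.
func DecideUpdate(rotate, exists bool, currentExpiry, now time.Time) Action {
	if rotate && exists && now.Before(currentExpiry) {
		return Rotate
	}
	return Recreate
}

// RotateRequest builds the POST to the project access token rotation endpoint,
// passing the new expires_at (the parameter supported since GitLab 16.6).
func RotateRequest(baseURL, project string, tokenID int, expiresAt, apiToken string) (*http.Request, error) {
	u := fmt.Sprintf("%s/api/v4/projects/%s/access_tokens/%d/rotate",
		strings.TrimRight(baseURL, "/"), url.PathEscape(project), tokenID)
	body := url.Values{"expires_at": {expiresAt}}.Encode()
	req, err := http.NewRequest(http.MethodPost, u, strings.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("PRIVATE-TOKEN", apiToken) // caller's credential, never logged
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

func main() {
	now := time.Date(2024, 1, 10, 0, 0, 0, 0, time.UTC) // constructed clock
	expiry := time.Date(2024, 3, 14, 0, 0, 0, 0, time.UTC)
	fmt.Println(DecideUpdate(true, true, expiry, now))
	req, _ := RotateRequest("https://gitlab.example.com", "25", 42, "2024-06-14", "<api-token>")
	fmt.Println(req.Method, req.URL.Path)
}
```

The response to the rotation call carries the new token value, so a provider following this rule would have to write it back wherever the old value was exposed.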