Support Multiple Compliance Frameworks in gitlab_project_compliance_framework Resource
Summary
The gitlab_project_compliance_framework resource in the GitLab Terraform Provider does not support applying multiple compliance frameworks to a single project, despite GitLab documentation indicating that up to 20 compliance frameworks can be associated per project. This limitation is impacting users who need to assign more than one compliance framework to a project.
Problem Description
Currently, the gitlab_project_compliance_framework resource calls the projectSetComplianceFramework mutation in the GitLab GraphQL API, which only allows a single compliance framework to be assigned to a project at a time. Each apply operation overwrites any previously set frameworks, meaning only the last framework in the configuration remains. This behavior contradicts documentation suggesting support for multiple frameworks and creates limitations for customers who need to enforce multiple compliance standards on a project.
Proposed Solution
To enable multiple compliance frameworks per project, the GitLab Terraform Provider should be updated to use the projectUpdateComplianceFrameworks mutation. This mutation is designed to support setting multiple compliance frameworks for a project, resolving the overwriting issue caused by projectSetComplianceFramework.
Impact
This limitation affects customers requiring multiple compliance frameworks to meet various standards on a single project, as they are currently unable to apply more than one framework. This functionality is essential for customers who rely on Terraform to manage compliance at scale, and the inability to apply multiple frameworks reduces the provider’s utility in such scenarios.
Steps to Reproduce
- Configure the gitlab_project_compliance_framework resource with multiple frameworks using a for_each loop or similar method in Terraform.
- Apply the configuration.
- Observe that only the last compliance framework specified in the configuration is applied, as previous frameworks are overwritten.
Workaround
There is currently no effective workaround within Terraform. Users may have to apply compliance frameworks manually or wait for the Terraform provider to support the projectUpdateComplianceFrameworks mutation.
Relevant Documentation
- GitLab GraphQL API Documentation (reference to the current mutation used)
Priority/Severity
High - affects compliance automation for customers managing projects at scale.
Additional Information
Supporting multiple compliance frameworks aligns the Terraform provider functionality with GitLab's compliance documentation and customer expectations. The fix would allow organizations to automate compliance with greater flexibility, reducing the need for manual interventions and workarounds.
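A minimal configuration for the Steps to Reproduce above, added here as an illustration and not taken from the original report or the provider's repository. The variable names, map keys and framework ID values are placeholders to be replaced with real ones.

```hcl
terraform {
  required_providers {
    gitlab = {
      source = "gitlabhq/gitlab"
    }
  }
}

# Placeholder: ID or full path of the project under test.
variable "project" {
  type = string
}

# Placeholder IDs: substitute the IDs of existing compliance frameworks
# in the project's top-level group. The keys are arbitrary labels.
variable "framework_ids" {
  type = map(string)
  default = {
    framework_a = "<FRAMEWORK_ID_A>"
    framework_b = "<FRAMEWORK_ID_B>"
  }
}

# One resource instance per framework. Each instance assigns a single
# framework to the same project, so with the behaviour described in the
# report every apply replaces whatever the previous instance set.
resource "gitlab_project_compliance_framework" "reproduce" {
  for_each = var.framework_ids

  project                 = var.project
  compliance_framework_id = each.value
}

# What the configuration declares. Compare this with the frameworks shown
# on the project in GitLab after apply: per the report, only one is present.
output "declared_framework_ids" {
  value = sort(values(var.framework_ids))
}
```

Because Terraform state records every instance as created, the state alone does not reveal the gap; the comparison has to be made against the project itself.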