Service Account Token config validation failing to convert scopes attribute in some circumstances
Bug Report
The `ValidateConfig` function in `gitlab_service_account_access_token.go` tries to prevent users from defining a token with the `self_rotate` scope with setting an expiry on the token.
If the scopes are not available until post-apply, this function fails as the `scopes` attribute is unknown.
Relevant Terraform Configuration
# main.tf
resource "gitlab_group_service_account" "service_account" {
  group    = 1234
  name     = "test_service_account"
  username = "test_service_account"
}

resource "gitlab_group_service_account_access_token" "service_account_token" {
  group   = 1234
  user_id = gitlab_group_service_account.service_account.service_account_id
  name    = "test"
  scopes  = module.config.scopes

  rotation_configuration = {
    rotate_before_days = 30
    expiration_days    = 365
  }
}

module "config" {
  source = "git::https://gitlab.com/config.git?ref=main"
}

# config locals.tf
locals {
  scopes = ["api"]
}
Relevant Terraform Command
terraform plan
Relevant Log Output
These are the debug logs of the `terraform` command output:
2025-06-20T12:00:17.821+0100 [INFO] Terraform version: 1.12.1
2025-06-20T12:00:17.821+0100 [INFO] Go runtime version: go1.24.2
2025-06-20T12:00:17.821+0100 [INFO] CLI args: []string{"/opt/homebrew/Cellar/tfenv/3.0.0/versions/1.12.1/terraform", "plan"}
2025-06-20T12:00:17.823+0100 [INFO] CLI command args: []string{"plan"}
2025-06-20T12:00:17.840+0100 [INFO] backend/local: starting Plan operation
2025-06-20T12:00:17.842+0100 [INFO] provider: configuring client automatic mTLS
2025-06-20T12:00:17.860+0100 [INFO] provider.terraform-provider-gitlab_v18.1.0: configuring server automatic mTLS: timestamp="2025-06-20T12:00:17.860+0100"
2025-06-20T12:00:17.888+0100 [INFO] provider: plugin process exited: plugin=.terraform/providers/registry.terraform.io/gitlabhq/gitlab/18.1.0/darwin_arm64/terraform-provider-gitlab_v18.1.0 id=81501
2025-06-20T12:00:17.890+0100 [INFO] provider: configuring client automatic mTLS
2025-06-20T12:00:17.904+0100 [INFO] provider.terraform-provider-gitlab_v18.1.0: configuring server automatic mTLS: timestamp="2025-06-20T12:00:17.903+0100"
2025-06-20T12:00:17.921+0100 [ERROR] provider.terraform-provider-gitlab_v18.1.0: Response contains error diagnostic: tf_proto_version=6.9 tf_provider_addr=registry.terraform.io/gitlabhq/gitlab tf_req_id=87d31845-f14f-073e-30a1-55ac8fec47e2
diagnostic_detail=
| An unexpected error was encountered trying to build a value. This is always an error in the provider. Please report the following to the provider developer:
|
| Received unknown value, however the target type cannot handle unknown values. Use the corresponding `types` package type or a custom type that handles unknown values.
|
| Path: scopes
| Target Type: []basetypes.StringValue
| Suggested Type: basetypes.SetValue
diagnostic_severity=ERROR diagnostic_summary="Value Conversion Error" tf_resource_type=gitlab_group_service_account_access_token tf_rpc=ValidateResourceConfig @caller=github.com/hashicorp/terraform-plugin-go@v0.28.0/tfprotov6/internal/diag/diagnostics.go:58 @module=sdk.proto diagnostic_attribute="AttributeName(\"scopes\")" timestamp="2025-06-20T12:00:17.921+0100"
2025-06-20T12:00:17.921+0100 [ERROR] vertex "gitlab_group_service_account_access_token.service_account_token" error: Value Conversion Error
╷
│ Error: Value Conversion Error
│
│ with gitlab_group_service_account_access_token.service_account_token,
│ on gitlab_group_service_account.tf line 11, in resource "gitlab_group_service_account_access_token" "service_account_token":
│ 11: scopes = module.config.access_tokens[0].scopes
│
│ An unexpected error was encountered trying to build a value. This is always an error in the provider. Please report the following to the provider developer:
│
│ Received unknown value, however the target type cannot handle unknown values. Use the corresponding `types` package type or a custom type that handles unknown values.
│
│ Path: scopes
│ Target Type: []basetypes.StringValue
│ Suggested Type: basetypes.SetValue
╵
2025-06-20T12:00:17.924+0100 [INFO] provider: plugin process exited: plugin=.terraform/providers/registry.terraform.io/gitlabhq/gitlab/18.1.0/darwin_arm64/terraform-provider-gitlab_v18.1.0 id=81502
Additional Details
- GitLab Terraform Provider Version: 18.1.0
- GitLab Instance Version: 18.1.0
- Terraform Version: 1.12.1
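
The failure mode reported above, modelled with the Go standard library only. This is an added example, not the provider's code: the `Scopes` type, the function names and the exact rule checked are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Scopes is a constructed stand-in for a set attribute that may be unknown at validation time.
type Scopes struct {
	Unknown bool
	Values  []string
}

var (
	ErrUnknown  = errors.New("received unknown value, target type cannot handle it")
	ErrConflict = errors.New("self_rotate combined with an expiry setting (assumed rule)")
)

// checkRule is an assumed stand-in for the scope rule; the provider's real rule may differ.
func checkRule(scopes []string, hasExpiry bool) error {
	for _, s := range scopes {
		if s == "self_rotate" && hasExpiry {
			return ErrConflict
		}
	}
	return nil
}

// ValidateNaive converts straight to a slice, so an unknown value is an error.
func ValidateNaive(s Scopes, hasExpiry bool) error {
	if s.Unknown {
		return ErrUnknown // a plain slice has no way to represent "unknown"
	}
	return checkRule(s.Values, hasExpiry)
}

// ValidateGuarded defers on unknown; deferred=true tells the caller the rule
// has NOT been checked yet and must be re-run once the value is known.
func ValidateGuarded(s Scopes, hasExpiry bool) (deferred bool, err error) {
	if s.Unknown {
		return true, nil
	}
	return false, checkRule(s.Values, hasExpiry)
}

func main() {
	d, err := ValidateGuarded(Scopes{Unknown: true}, true)
	fmt.Println(ValidateNaive(Scopes{Unknown: true}, true), d, err)
}
```

Deferring is only safe if the same rule runs again once the scopes are known; otherwise a scope restriction enforced only at validation time is silently skipped for computed values.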