Reducing project_access_token expiration_days not working

Bug Report

Trying to reduce the expiration date of a project access token using rotation_configuration.expiration_days does not work. Terraform detects the changes and says it made them; however, the real expiration date of the token (in the GitLab UI) stays the same:

Terraform will perform the following actions:

  # gitlab_project_access_token.prtesttoken will be updated in-place
  ~ resource "gitlab_project_access_token" "prtesttoken" {
      ~ active                 = true -> (known after apply)
      ~ created_at             = "2025-06-30 09:43:59.34 +0000 UTC" -> (known after apply)
      ~ id                     = "myproject:xxxxx" -> (known after apply)
        name                   = "testtoken"
      ~ revoked                = false -> (known after apply)
      ~ rotation_configuration = {
          ~ expiration_days    = 90 -> 60
            # (1 unchanged attribute hidden)
        }
      ~ token                  = (sensitive value)
      ~ user_id                = xxxxxx -> (known after apply)
        # (5 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

gitlab_project_access_token.prtesttoken: Modifying... [id=myproject:xxxxx]
gitlab_project_access_token.prtesttoken: Modifications complete after 1s [id=myproject:xxxxx]

Relevant Terraform Configuration

First run, to create the token:

resource "gitlab_project_access_token" "prtesttoken" {
  project      = "myproject"
  name         = "testtoken"
  access_level = "maintainer"
  rotation_configuration = {
    expiration_days    = 90
    rotate_before_days = 15
  }

  scopes = ["read_api", "read_repository"]
}

It is successfully created in GitLab, with the correct expiration set 3 months from now.

Second run, to update the token:

resource "gitlab_project_access_token" "prtesttoken" {
  project      = "myproject"
  name         = "testtoken"
  access_level = "maintainer"
  rotation_configuration = {
    expiration_days    = 60
    rotate_before_days = 15
  }

  scopes = ["read_api", "read_repository"]
}

Terraform says it applied changes, but the expiration date of the token in the UI does not change, and is still set in 3 months instead of 2.

Relevant Terraform Command

terraform apply

Relevant Log Output

Debug logs do not seem relevant to me, but if needed, I can add them.

These are the debug logs of the `terraform` command output:

Additional Details

  • GitLab Terraform Provider Version: v18.1.1
  • GitLab Instance Version: gitlab.com
  • Terraform Version: v1.8.5
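
Added example (not part of the original report and not the provider's code): a check that compares the `expires_at` GitLab reports for each project access token against the `expiration_days` declared in Terraform, so a token that outlives its declared lifetime is flagged even when `terraform apply` reports success. The sample JSON is constructed in the shape of the `GET /projects/:id/access_tokens` response; the policy map and the rule "expiry = creation date + expiration_days" are assumptions.

```python
import json
from datetime import date, timedelta

# Constructed sample, shaped like GitLab's GET /projects/:id/access_tokens response.
SAMPLE_RESPONSE = json.dumps([
    {"name": "testtoken", "active": True, "revoked": False,
     "created_at": "2025-06-30T09:43:59.340Z", "expires_at": "2025-09-28"},
    {"name": "deploytoken", "active": True, "revoked": False,
     "created_at": "2025-07-01T08:00:00.000Z", "expires_at": "2025-07-31"},
    {"name": "oldtoken", "active": False, "revoked": True,
     "created_at": "2025-01-01T08:00:00.000Z", "expires_at": "2026-01-01"},
])

# Hypothetical policy map: token name -> expiration_days declared in Terraform.
DECLARED_EXPIRATION_DAYS = {"testtoken": 60, "deploytoken": 30, "oldtoken": 30}


def audit_token_expiry(tokens, policy):
    """Return findings for live tokens whose expiry exceeds the declared lifetime.

    Assumption: the intended expiry is the token's creation date plus
    expiration_days.
    """
    findings = []
    for tok in tokens:
        max_days = policy.get(tok["name"])
        # Skip tokens outside the policy and tokens that can no longer be used.
        if max_days is None or tok.get("revoked") or not tok.get("active", True):
            continue
        created = date.fromisoformat(tok["created_at"][:10])  # date part only
        latest_allowed = created + timedelta(days=max_days)
        expires_raw = tok.get("expires_at")
        expires = date.fromisoformat(expires_raw) if expires_raw else None
        if expires is None or expires > latest_allowed:
            findings.append({
                "name": tok["name"],
                "expires_at": expires_raw,
                "latest_allowed": latest_allowed.isoformat(),
                # None means the API reported no expiry at all.
                "excess_days": (expires - latest_allowed).days if expires else None,
            })
    return findings


if __name__ == "__main__":
    for f in audit_token_expiry(json.loads(SAMPLE_RESPONSE), DECLARED_EXPIRATION_DAYS):
        print(f"{f['name']}: expires {f['expires_at']}, "
              f"declared limit {f['latest_allowed']} (+{f['excess_days']} days)")
```
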