Provider does not URL-encode some characters in mirror URLs
The provider does not properly URL-encode some characters in repository mirror URLs, which makes it impossible to use GitLab's default naming scheme for deploy tokens (which contains +, e.g. gitlab+deploy-token-123) when configuring mirroring via Terraform.
The characters where URL-encoding differs from what the git command-line does are +, &, $, =, and possibly others. The current behavior may be OK for some of these, but for + it certainly is not.
Reproducing the issue
Create the following Terraform in an empty directory and fill in the environment-specific values:
terraform {
required_providers {
gitlab = {
source = "gitlabhq/gitlab"
version = "~> 18.1.0"
}
}
}
provider "gitlab" {
token = # Redacted; replace for your environment
base_url = # Redacted; replace for your environment
}
resource "gitlab_project" "test" {
name = "Mirror test"
path = "mirror-test"
namespace_id = 123 # Replace for your environment
visibility_level = "internal"
mirror = true
import_url = "https://doesnt-matter.not-real/group/project.git"
import_url_username = "A a1!@:$&+#\\=%2B%20" # NOTE: double backslash is a Terraform escape
import_url_password = "A a1!@:$&+#\\=%2B%20"
}Then run TF_LOG=trace terraform apply and approve the changes. Find the log entry for the POST request and unwrap the URL—you will have to JSON-decode the body string and then the URL string to get the raw string. The log entry looks like:
2025-07-18T20:51:14.075-0500 [DEBUG] provider.terraform-provider-gitlab_v18.1.1: Sending HTTP Request: Authorization=[redacted] Content-Length=241 tf_http_req_body="{\"import_url\":\"https://A%20a1%21%40%3A$\u0026+%23%5C=%252B%2520:A%20a1%21%40%3A$\u0026+%23%5C=%252B%2520@doesnt-matter.not-real/group/project.git\",\"mirror\":true,\"name\":\"Mirror test\",\"namespace_id\":123,\"path\":\"mirror-test\",\"visibility\":\"internal\"}" tf_http_req_method=POST @caller=github.com/hashicorp/terraform-plugin-sdk/v2@v2.37.0/helper/logging/logging_http_transport.go:160 Content-Type=application/json new_logger_warning="This log was generated by a subsystem logger that wasn't created before being used. Use tflog.NewSubsystem to create this logger before it is used." tf_http_req_uri=/api/v4/projects tf_http_trans_id=a34d0b8a-9513-8ac5-07d7-4a9333a74dd9 @module=gitlab.GitLab Host=[redacted] tf_http_op_type=request tf_http_req_version=HTTP/1.1 Accept=application/json User-Agent="Terraform/1.12.0 (+https://www.terraform.io) Terraform-Plugin-SDK/2.37.0 terraform-provider-gitlab/18.1.1" Accept-Encoding=gzip timestamp=2025-07-18T20:51:14.074-0500
For comparison, run Git with a made-up URL (use an actual GitLab server so that it gets far enough to try authentication). See the URL that it prints in the password prompt:
$ git clone https://existing.gitlab.server/group/project.git
Cloning into 'project'...
Username for 'https://existing.gitlab.server': A a1!@:$&+#\=%2B%20
Password for 'https://A%20a1%21%40%3A%24%26%2B%23%5C%3D%252B%2520@existing.web.server': This comparison shows that the Terraform provider leaves several characters unencoded (spaces added for clarity):
A%20a1%21%40%3A $ & + %23%5C = %252B%2520 <-- Terraform Provider (twice json-decoded from logs)
A%20a1%21%40%3A%24%26%2B%23%5C%3D%252B%2520 <-- Git command lineThis issue occurred in production, and I confirmed through the Rails console that the encrypted mirror username did in fact include a where it should have been +. (I don't understand how it got far enough to insert those credentials, since all my tests failed immediately with an authentication error and didn't create the project or establish mirroring. But this is still a provider issue regardless.)