TF detects gitlab_group_service_account resource has been deleted, while this is not true

Random gitlab_group_service_account resources are marked as deleted by Terraform while this is NOT the case.

This behavior started when using 18.5.0

As asked in "data.gitlab_users return null users instead of empty list for not exists user after v18.4.0" (#6634, closed, gitlab-org/terraform-provider-gitlab), I created a new issue.

On October 17, 2025 at 5:38:47 PM UTC we had the following outcome of the tf apply:

Initializing provider plugins...
- Finding hashicorp/aws versions matching "~> 6.0"...
- Finding hashicorp/local versions matching "~> 2.5.1"...
- Finding gitlabhq/gitlab versions matching ">= 18.0.0"...
- Installing hashicorp/aws v6.17.0...
- Installed hashicorp/aws v6.17.0 (signed by HashiCorp)
- Installing hashicorp/local v2.5.3...
- Installed hashicorp/local v2.5.3 (signed by HashiCorp)
- Installing gitlabhq/gitlab v18.5.0...
- Installed gitlabhq/gitlab v18.5.0 (self-signed, key ID 0D47B7AB85F63F65)

...........

No changes. Your infrastructure matches the configuration.

Our first occurrence happened on October 17, 2025 at 6:39:33 PM UTC, some time into the day of the release of 18.5. This is the tf apply output:

Note: Objects have changed outside of Terraform
Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:
  # module.release_approver_sa["team"].gitlab_group_service_account.this has been deleted
  - resource "gitlab_group_service_account" "this" {
        id                 = "1111111:22222222"
      - name               = "Team Release Approver SA" -> null
      - service_account_id = "22222222" -> null
      - username           = "team-release-approver-sa" -> null
        # (2 unchanged attributes hidden)
    }
Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.
─────────────────────────────────────────────────────────────────────────────
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
-/+ destroy and then create replacement
Terraform will perform the following actions:

  # module.release_approver_sa["team"].gitlab_group_service_account.this will be created
  + resource "gitlab_group_service_account" "this" {
      + email              = (known after apply)
      + group              = "1111111"
      + id                 = (known after apply)
      + name               = "Team Release Approver SA"
      + service_account_id = (known after apply)
      + username           = "team-release-approver-sa"
    }

This will fail because the Group Service Account in question is not removed nor changed in any way:

│ Error: GitLab API error occurred

│   with module.release_approver_sa["team"].gitlab_group_service_account.this,
│   on modules/service-account/main.tf line 19, in resource "gitlab_group_service_account" "this":
│   19: resource "gitlab_group_service_account" "this" {

│ Unable to create service account: POST
│ https://gitlab.com/api/v4/groups/1111111/service_accounts: 400 {message:
│ 400 Bad request - Username has already been taken}

This error is thrown with each consecutive tf apply. Our pipeline runs hourly (do not ask why 🙈) but it is needed. Over time more of these gitlab_group_service_account resources are being seemingly randomly "removed" from state. The next one happened on October 19, 2025 at 2:38:09 PM; since this was during the weekend, nobody noticed.

We initially fixed it by importing the impacted gitlab_group_service_account's again into state.

After 6 runs/7 hours the next gitlab_group_service_account was flagged as missing by tf (October 21, 2025 at 2:39:54 PM). Before we noticed it was happening again, a couple more gitlab_group_service_account resources disappeared from state.

What does not make it easier is that the tf plan does not show such an "Objects have changed outside of Terraform" remark; it only happens on apply.

We fixed this again by importing the impacted gitlab_group_service_account's BUT also pinned our provider version to ~> 18.4.0. We did this 4 days ago and all things are running smoothly again. No missing/disappearing gitlab_group_service_account resources any more.

FYI, we are managing around 130 gitlab_group_service_account resources with tf so this has quite some impact.

Additional Details

  • GitLab Terraform Provider Version: 18.5.0
  • Terraform Version: 1.13.4
  • License Tier: Premium
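
The workaround described in this report (pin the provider, re-import the affected resource), written out as an added example that is not part of the original issue or the provider's own documentation. It assumes Terraform 1.5 or later for `import` blocks, that the block sits in the root module, and that the import ID has the same `<group>:<service_account_id>` form as the `id` shown in the drift output.

```hcl
terraform {
  required_providers {
    gitlab = {
      source = "gitlabhq/gitlab"

      # Before (constraint shown in the init log above): no upper bound, so
      # the hourly pipeline installed v18.5.0 once it was published.
      # version = ">= 18.0.0"

      # After: the pin described in the report; only 18.4.x patch releases match.
      version = "~> 18.4.0"
    }
  }
}

# Re-adopt a service account that was dropped from state, so apply does not
# attempt a create that fails with "Username has already been taken".
# The address and id are the redacted sample values from the apply output above.
import {
  to = module.release_approver_sa["team"].gitlab_group_service_account.this
  id = "1111111:22222222" # assumed format: "<group>:<service_account_id>"
}
```

Committing `.terraform.lock.hcl` alongside the constraint keeps unattended runs on the exact provider version that was reviewed.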