gitlab_group_service_account_access_token detects resources as deleted when service account has many access tokens
Bug Report
When a service account has more than 20 tokens, this resource starts detecting the tokens as being deleted outside of Terraform/OpenTofu.
With fix: user dedicated API to handle Group service... (!2793 - merged), the provider now uses the API to list the tokens of a service account but doesn't handle pagination. The API itself sorts ascending (oldest tokens first), so once you go past 20 tokens on the service account, the newer tokens will not be on the first page, so the provider treats them as having been deleted.
Relevant Terraform Configuration
Example config: (full config located at https://gitlab.com/gitlab-community/meta/-/blob/main/tofu/states/provider_tokens/main.tf?ref_type=heads)
resource "gitlab_group_service_account_access_token" "mirror_setup_readonly_token" {
  group   = data.gitlab_group.top_level_group.id
  user_id = local.main_service_account_id
  name    = "Mirror setup token (readonly)"
  scopes  = ["read_api"]
  rotation_configuration = {
    rotate_before_days = 14
    expiration_days    = 30
  }
}
Relevant Terraform Command
gitlab-tofu plan
Relevant Log Output
Note: Objects have changed outside of OpenTofu
OpenTofu detected the following changes made outside of OpenTofu since the
last "tofu apply" which may have affected this plan:
  # gitlab_group_service_account_access_token.mirror_setup_readonly_token has been deleted
  - resource "gitlab_group_service_account_access_token" "mirror_setup_readonly_token" {
        id    = "60717473:20710701:18846917"
        name  = "Mirror setup token (readonly)"
      - token = (sensitive value) -> null
        # (9 unchanged attributes hidden)
    }
[...]
OpenTofu will perform the following actions:
  # gitlab_group_service_account_access_token.mirror_setup_readonly_token will be created
  + resource "gitlab_group_service_account_access_token" "mirror_setup_readonly_token" {
      + active                        = (known after apply)
      + created_at                    = (known after apply)
      + expires_at                    = (known after apply)
      + group                         = "60717473"
      + id                            = (known after apply)
      + name                          = "Mirror setup token (readonly)"
      + revoked                       = (known after apply)
      + rotation_configuration        = {
          + expiration_days    = 30
          + rotate_before_days = 14
        }
      + scopes                        = [
          + "read_api",
        ]
      + token                         = (sensitive value)
      + user_id                       = 20710701
      + validate_past_expiration_date = (known after apply)
    }
Additional Details
- GitLab Terraform Provider Version: 18.8.0
- GitLab Instance Version: 18.9.0-pre f6fa59bbe8b (gitlab.com)
- Terraform Version: gitlab-opentofu:3.7.0-opentofu1.10.6-alpine
- License Tier: Ultimate (OSS)
Implementation Details
- When reading access tokens to identify pre-existing tokens, ensure pagination is properly handled to identify that the token exists
- Add a new test that creates a new access token in the first step. In the second step, use a PreConfig() step plus the TestClient to create an additional 30 access tokens (to ensure pagination happens). Re-run the same configuration in the second step, and validate that the token is not destroyed and re-created.
Edited by 🤖 GitLab Bot 🤖
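The failure mode described in the report and the fix asked for in the implementation details, as an added example that is not the provider's own code. A local stand-in for the group service account token listing endpoint serves a constructed account of 25 tokens, oldest first, 20 per page, with GitLab's X-Next-Page header (the path follows the GitLab REST API and reuses the group and user ids from the plan output above; the token names and count are constructed, nothing here talks to gitlab.com). tokenExistsFirstPageOnly is the read that only consults page 1 and therefore reports any token past the 20th as gone; tokenExistsAllPages follows X-Next-Page until it is empty.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// token holds the fields of a GitLab personal access token response the lookup needs.
type token struct {
	ID   int    `json:"id"`
	Name string `json:"name"`
}

const perPage = 20 // GitLab's default page size for list endpoints

// tokensPath is the listing endpoint, with the group and user ids from the plan output above.
const tokensPath = "/groups/60717473/service_accounts/20710701/personal_access_tokens"

// newFakeGitLab starts a local stand-in for that endpoint (constructed data, not
// gitlab.com): one service account with n tokens, ids 1..n, oldest first, paged with X-Next-Page.
func newFakeGitLab(n int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		page, _ := strconv.Atoi(r.URL.Query().Get("page"))
		out := []token{}
		for id := (page-1)*perPage + 1; id <= n && id <= page*perPage; id++ {
			out = append(out, token{ID: id, Name: fmt.Sprintf("token-%d", id)})
		}
		next := "" // GitLab sends an empty X-Next-Page on the last page
		if page*perPage < n {
			next = strconv.Itoa(page + 1)
		}
		w.Header().Set("X-Next-Page", next)
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(out)
	}))
}

// fetchPage GETs one page of tokens and returns it with the X-Next-Page value.
func fetchPage(base string, page int) ([]token, string, error) {
	resp, err := http.Get(fmt.Sprintf("%s%s?page=%d&per_page=%d", base, tokensPath, page, perPage))
	if err != nil {
		return nil, "", err
	}
	defer resp.Body.Close()
	var out []token
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, "", err
	}
	return out, resp.Header.Get("X-Next-Page"), nil
}

// tokenExistsFirstPageOnly reproduces the faulty read: only page 1 is
// consulted, so any token past the 20th looks deleted.
func tokenExistsFirstPageOnly(base string, id int) (bool, error) {
	toks, _, err := fetchPage(base, 1)
	if err != nil {
		return false, err
	}
	for _, t := range toks {
		if t.ID == id {
			return true, nil
		}
	}
	return false, nil
}

// tokenExistsAllPages follows X-Next-Page until it is empty, the fix the implementation details ask for.
func tokenExistsAllPages(base string, id int) (bool, error) {
	for next := "1"; next != ""; {
		page, err := strconv.Atoi(next)
		if err != nil {
			return false, err
		}
		toks, n, err := fetchPage(base, page)
		if err != nil {
			return false, err
		}
		for _, t := range toks {
			if t.ID == id {
				return true, nil
			}
		}
		next = n
	}
	return false, nil
}

func main() {
	srv := newFakeGitLab(25) // tokens 21..25 live on page 2
	defer srv.Close()
	first, _ := tokenExistsFirstPageOnly(srv.URL, 23)
	all, _ := tokenExistsAllPages(srv.URL, 23)
	fmt.Println("token 23 found on first page only:", first, "across all pages:", all)
}
```

The same shape is what the requested acceptance test exercises: create one token, push the account past a page boundary with 30 more, then confirm the read still finds the first one instead of planning a destroy and re-create.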