gitlab_project_protected_environment: Provider does not handle group_inheritance_type from response, causing state mismatch error
Description
When managing protected environments with group-based deploy access levels, the GitLab API accepts the group_inheritance_type field in requests but the provider does not handle it from responses. This causes Terraform to fail with a state correlation error.
Terraform and Provider Versions
- Terraform Version: 1.13.5
- GitLab Provider Version: 18.7.0
- GitLab Version: 18.7.1-ee Ultimate
Affected Resource
gitlab_project_protected_environment
Configuration
resource "gitlab_project_protected_environment" "rules" {
  project     = var.project_id
  environment = "test"

  deploy_access_levels {
    group_id               = 8473
    group_inheritance_type = 0
  }
}
Expected Behavior
Terraform should successfully create/update the protected environment and correlate the planned state with the actual state returned by the API.
Actual Behavior
Terraform fails with the following error:
Error: Provider produced inconsistent result after apply
When applying changes to module.structure.module.groups["xxxx"].module.self.module.projects["xxxx"].module.environments["test"].gitlab_project_protected_environment.rules,
provider "provider["registry.terraform.io/gitlabhq/gitlab"]" produced an
unexpected new value: .deploy_access_levels_attribute: planned set element cty.ObjectVal(map[string]cty.Value{"access_level":cty.NullVal(cty.String), "access_level_description":cty.UnknownVal(cty.String),
"group_id":cty.NumberIntVal(8473),
"group_inheritance_type":cty.NumberIntVal(0),
"id":cty.UnknownVal(cty.Number),
"user_id":cty.NullVal(cty.Number)})
does not correlate with any element in actual.
This is a bug in the provider, which should be reported in the provider's own issue tracker.
Root Cause Analysis
- The provider sends group_inheritance_type to the GitLab API during create/update operations
- The GitLab API accepts the field without error
- When reading back the resource, the API response includes the group_inheritance_type field
- Terraform cannot correlate the planned object (with group_inheritance_type) to the actual returned object
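A simplified model of the set-element correlation check behind the error above, as an added example (not Terraform's or the provider's own code). It assumes, as the issue title states, that the provider leaves group_inheritance_type null when it maps the API response into state; Val, Element, Correlates, Planned and Actual are hypothetical names, and the id and description values are constructed.

```go
package main

import "fmt"

// Val is a simplified stand-in for a cty value: unknown, null, or known.
type Val struct {
	Unknown, Null bool
	V             any
}

// Element models one deploy_access_levels set element.
type Element map[string]Val

var null, unknown = Val{Null: true}, Val{Unknown: true}

// Correlates reports whether planned matches at least one actual element.
// An unknown planned attribute may resolve to anything after apply; a null
// or known planned attribute must come back exactly as planned.
func Correlates(planned Element, actual []Element) bool {
	for _, a := range actual {
		match := true
		for k, p := range planned {
			match = match && (p.Unknown || p == a[k])
		}
		if match {
			return true
		}
	}
	return false
}

// Planned mirrors the planned element printed in the error message.
func Planned() Element {
	return Element{"access_level": null, "access_level_description": unknown,
		"group_id": Val{V: 8473}, "group_inheritance_type": Val{V: 0},
		"id": unknown, "user_id": null}
}

// Actual is the element after apply. inheritance is what the provider stored
// for group_inheritance_type; id and the description are constructed values.
func Actual(inheritance Val) Element {
	return Element{"access_level": null, "access_level_description": Val{V: "constructed"},
		"group_id": Val{V: 8473}, "group_inheritance_type": inheritance,
		"id": Val{V: 1}, "user_id": null}
}

func main() {
	fmt.Println("field left null:", Correlates(Planned(), []Element{Actual(null)}))
	fmt.Println("field mapped:   ", Correlates(Planned(), []Element{Actual(Val{V: 0})}))
}
```

The unknown id and access_level_description act as wildcards, so the only attribute that can break the match here is group_inheritance_type.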
Steps to Reproduce
- Create a gitlab_project_protected_environment resource with deploy_access_levels containing group_id and group_inheritance_type
- Run terraform apply
- Observe the state correlation error
API Verification
Testing the GitLab API directly:
# GET request to retrieve protected environment
curl --header "PRIVATE-TOKEN: <token>" \
  "https://gitlab.example.com/api/v4/projects/:id/protected_environments/test"

{
  "name": "test",
  "deploy_access_levels": [
    {
      "id": xxxx,
      "access_level": null,
      "access_level_description": "xxxxxx",
      "user_id": null,
      "group_id": 8473,
      "group_inheritance_type": 0
    }
  ],
  "required_approval_count": 0,
  "approval_rules": []
}
The response's deploy_access_levels array includes the group_inheritance_type field.
Tested Solutions
No combination of the resource attributes worked.