fix: inconsistent result on token rotation

Duo Developerrequested to merge
duo/bugfix/6689-fix-inconsistent-result-service-account-token into main

Relates to issue #6689 (closed)

Changes

This MR fixes the "inconsistent result after apply" error for the gitlab_group_service_account_access_token resource by implementing proper default value handling for the validate_past_expiration_date field.

Root Cause

The issue occurred because the validate_past_expiration_date field was being set to false during Create/Update operations, but the plan expected it to be null when not explicitly configured. This created a mismatch between the planned value (null) and the actual value set into state (false), causing Terraform to report an inconsistency error.

Implementation Details

File: internal/provider/resource_gitlab_group_service_account_access_token.go

  1. Added schema-level default (line 151):

    • Added Default: booldefault.StaticBool(false) to the validate_past_expiration_date attribute
    • Ensures Terraform's plan correctly reflects the default value as false instead of null

  2. Added ModifyPlan default handling (lines 305-311):

    • Implemented logic to set validate_past_expiration_date to false when it's null in the plan
    • Ensures the default is applied during the plan phase, preventing plan/apply mismatches

  3. Removed manual defaults:

    • Removed manual default setting from Create function (previously line 656)
    • Removed manual default setting from Update function (previously line 754)
    • The schema default now handles this automatically

  4. Added required import:

    • Added "github.com/hashicorp/terraform-plugin-framework/resource/schema/booldefault" to support schema-level defaults

Expected Outcome

  • The plan will correctly show validate_past_expiration_date = false instead of null
  • The apply operation will not produce an "inconsistent result" error
  • Token rotation will work correctly without plan/apply mismatches
  • Existing tests should continue to pass, as they already expect the default behavior of false

The implementation follows the same pattern used in other resources like gitlab_group_deploy_token and gitlab_project_deploy_token, ensuring consistency across the codebase.

Edited by Duo Developer

Merge request reports