fix: detect credential changes in project mirror URL
Relates to issue #6403 (closed)
Changes
This MR fixes the credential diff detection issue in the gitlab_project_push_mirror resource where changes to only the username/password in the mirror URL were not being detected by Terraform.
Modified Files
1. internal/provider/resource_gitlab_project_push_mirror.go
- Lines 26-31: Added ResourceWithModifyPlan interface assertion to ensure ModifyPlan is recognized by Terraform framework
- Lines 88-147: Completely rewrote the ModifyPlan logic:
  - Detects if URLs contain credentials (url.User != nil)
  - When credentials are present: Compares URLs WITHOUT redaction, allowing credential-only changes to be detected
  - When credentials are present: Adds deprecation warning about embedding credentials in URLs
  - When NO credentials are present: Uses existing redaction logic for backward compatibility
  - Properly marks URL for replacement when differences are detected
2. internal/provider/resource_gitlab_project_push_mirror_test.go
Added three comprehensive test cases:
- TestAccGitlabProjectMirror_credentialChange (Lines 488-530): Tests that changing credentials in URL triggers resource replacement
- TestAccGitlabProjectMirror_credentialChangeWarning (Lines 531-561): Verifies deprecation warning is emitted when credentials are embedded in URLs
- TestAccGitlabProjectMirror_urlChangeWithoutCredentials (Lines 562-618): Ensures backward compatibility for URLs without credentials
Key Features
- Credential Change Detection: Resource now properly detects when only username/password in the URL are modified, triggering resource replacement
- Deprecation Warning: Users are warned when embedding credentials in URLs with guidance toward future best practices
- Backward Compatibility: URLs without credentials continue to work exactly as before
- Comprehensive Test Coverage: Three new tests cover credential changes, warning emission, and backward compatibility
Testing
Before merging, run:
make reviewable
For acceptance testing:
unset GITLAB_TOKEN && make testacc-up
unset GITLAB_TOKEN && make testacc RUN=TestAccGitlabProjectMirror_credentialChange
unset GITLAB_TOKEN && make testacc RUN=TestAccGitlabProjectMirror_credentialChangeWarning
unset GITLAB_TOKEN && make testacc RUN=TestAccGitlabProjectMirror_urlChangeWithoutCredentials
unset GITLAB_TOKEN && make testacc-down
Edited by Duo Developer
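The comparison rule described in the ModifyPlan bullets above, as an added sketch that is not the merge request's code: planDecision, withoutUserinfo and decideMirrorURLPlan are hypothetical names, and the URLs are constructed samples. It also shows the password being kept out of the warning and out of parse errors.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// planDecision is a hypothetical result type used only in this sketch.
type planDecision struct {
	RequiresReplace bool
	Warning         string // safe to show: the password is masked
}

// withoutUserinfo renders u with any user:password part removed.
func withoutUserinfo(u *url.URL) string {
	c := *u
	c.User = nil
	return c.String()
}

// decideMirrorURLPlan compares the URL held in state with the planned URL.
func decideMirrorURLPlan(stateURL, planURL string) (planDecision, error) {
	s, errS := url.Parse(stateURL)
	p, errP := url.Parse(planURL)
	if errS != nil || errP != nil {
		// url.Error echoes the raw URL, password included, so do not wrap it.
		return planDecision{}, errors.New("mirror URL could not be parsed")
	}
	var d planDecision
	if s.User != nil || p.User != nil {
		// Credentials present: compare unredacted so a password-only change counts.
		d.RequiresReplace = s.String() != p.String()
		d.Warning = "embedding credentials in the mirror URL is deprecated: " + p.Redacted()
	} else {
		// No credentials: compare on the credential-free form, as before.
		d.RequiresReplace = withoutUserinfo(s) != withoutUserinfo(p)
	}
	return d, nil
}

func main() {
	// Constructed sample URLs; only the password differs.
	d, _ := decideMirrorURLPlan(
		"https://alice:old-pw@git.example.com/r.git",
		"https://alice:new-pw@git.example.com/r.git")
	fmt.Printf("replace=%v warning=%q\n", d.RequiresReplace, d.Warning)
}
```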