fix: Handle out-of-band deletion of policy attachment

Description

Fixes a state drift issue in the gitlab_group_security_policy_attachment resource where out-of-band deletions were not being correctly detected by Terraform.

Why was this needed?

If a security policy project was unassigned from a group via the GitLab UI or API (bypassing Terraform), the Read operation wasn't properly clearing the orphaned resource from the state file. Because the state still held the old data, Terraform did not realize it needed to recreate the attachment during the next terraform apply.

What are the relevant changes?

  • Resource (Read function): Added a guard clause to check if response.Data.Group.SecurityPolicyProject or its ID is nil or empty. If so, it calls resp.State.RemoveResource(ctx) to drop the resource from state and logs a warning.
  • Acceptance Tests: Added TestAcc_GitlabGroupSecurityPolicyAttachment_RecreateOnExternalDelete. This test uses a PreConfig hook to execute a GraphQL mutation that unassigns the policy project out-of-band, validating that Terraform successfully catches the drift and recreates the resource.

Closes: #6727 (closed)
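
The drift behaviour described above, modelled as an added example (not the provider's code). The `policyProject`, `state`, `readWithoutGuard`, `readWithGuard` and `plan` names are hypothetical stand-ins for the GraphQL response and the Terraform state, and the project ID is a constructed value.

```go
package main

import "fmt"

// Hypothetical stand-ins: policyProject models response.Data.Group.SecurityPolicyProject,
// state models the Terraform state entry for the attachment ("" means absent).
type policyProject struct{ ID string }
type state struct{ PolicyProjectID string }

func (s *state) RemoveResource() { s.PolicyProjectID = "" }

// readWithoutGuard models the pre-fix drift: when the policy project has been
// unassigned, nothing is written and the stale ID stays in state.
func readWithoutGuard(p *policyProject, s *state) {
	if p != nil && p.ID != "" {
		s.PolicyProjectID = p.ID
	}
}

// readWithGuard models the fix: a nil project or an empty ID removes the
// resource from state and returns the warning to log.
func readWithGuard(p *policyProject, s *state) string {
	if p == nil || p.ID == "" {
		s.RemoveResource()
		return "security policy project not attached; removing from state"
	}
	s.PolicyProjectID = p.ID
	return ""
}

// plan reports what the next apply does when the config wants an attachment.
func plan(s state) string {
	if s.PolicyProjectID == "" {
		return "create"
	}
	return "no-op"
}

func main() {
	old := state{PolicyProjectID: "gid://gitlab/Project/42"} // constructed ID
	fixed := old
	// nil models the API response after an out-of-band unassignment.
	readWithoutGuard(nil, &old)
	warn := readWithGuard(nil, &fixed)
	fmt.Println("without guard:", plan(old))
	fmt.Println("with guard:", plan(fixed), "-", warn)
}
```

Without the guard the plan stays `no-op` while the group has no security policy project attached; with it the next apply plans a `create`.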
