I am trying to use Terraform to manage some GitLab (self-hosted) configuration. The Terraform GitLab provider requires a GitLab Personal Access Token to be able to make API calls to read and write the configuration. When I try to provide this token using a Terraform secret_resource, Terraform is unable to let me manage the secret. When I try to import the secret, Terraform fails:
    $ terraform import secret_resource.api_token "xxx"
    secret_resource.api_token: Importing from ID "xxx"...
    secret_resource.api_token: Import prepared!
      Prepared secret_resource for import
    secret_resource.api_token: Refreshing state... [id=-]

    Error: GET https://gitlab.example.com./api/v4/user/api/v4/user: 404 {error: 404 Not Found}

      on /path/to/providers.tf line 24, in provider "gitlab":
      24: provider "gitlab" {

Here is the minimal Terraform that reproduces this behavior:

    terraform {
      required_version = "~> 0.13.6"
      required_providers {
        gitlab = {
          source  = "nixpkgs/gitlab"
          version = "> 3.4.99"
        }
        secret = {
          source  = "nixpkgs/secret"
          version = "~> 1.1"
          alias   = "default"
        }
      }
    }

    resource "secret_resource" "api_token" {
      lifecycle {
        prevent_destroy = true
      }
    }

    provider "gitlab" {
      base_url = "https://gitlab.example.com./api/v4/user"
      token    = secret_resource.api_token.value
    }

    resource "gitlab_project" "foo" {
      name = "foo"
    }

I've omitted the real hostname and GitLab token value. I can reliably reproduce this failure by initializing a new Terraform root module with this configuration and then trying to import the secret.
This seems like an unreasonable failure - secret_resource does not depend on the GitLab provider. If Terraform let the value be imported then it would be available and then the GitLab provider would be properly configured.
I observe this behavior with:
I would like to be able to continue to use secret_resource to manage the GitLab API token. How can I?
From the error message, it seems like the base_url is incorrectly configured. /api/v4/user comes up twice:

    Error: GET https://gitlab.example.com./api/v4/user/api/v4/user: 404 {error: 404 Not Found}

Try setting the base_url to just the hostname, with a slash:

    provider "gitlab" {
      base_url = "https://gitlab.example.com/"
      token    = secret_resource.api_token.value
    }
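
A pre-flight check for the base_url problem this answer describes, as an added example that is not part of the original answer or the provider's code. It assumes the client adds a trailing slash and appends api/v4/ when the path does not already end with it, which reproduces the URL in the error above; `effective_api_base` and `lint_base_url` are hypothetical names.

```python
from urllib.parse import urlsplit, urlunsplit

API_PREFIX = "api/v4/"  # path prefix visible in the error message


def effective_api_base(base_url):
    """Assumed client behaviour (not taken from the provider source):
    add a trailing slash, then append api/v4/ unless already present."""
    parts = urlsplit(base_url)
    path = parts.path if parts.path.endswith("/") else parts.path + "/"
    if not path.endswith(API_PREFIX):
        path += API_PREFIX
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def lint_base_url(base_url):
    """Return a list of problems found in a provider base_url."""
    problems = []
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        problems.append("scheme is not https; the API token would cross "
                        "the network unencrypted")
    if parts.query or parts.fragment:
        problems.append("query string or fragment does not belong in base_url")
    segments = [s for s in parts.path.split("/") if s]
    for i in range(len(segments) - 1):
        # Anything after .../api/v4 is an endpoint, not part of the base.
        if segments[i:i + 2] == ["api", "v4"] and segments[i + 2:]:
            extra = "/".join(segments[i + 2:])
            problems.append("endpoint path '%s' after api/v4; requests would "
                            "go to %suser" % (extra, effective_api_base(base_url)))
            break
    return problems


if __name__ == "__main__":
    # Constructed inputs: the question's base_url and the answer's corrected one.
    for url in ("https://gitlab.example.com./api/v4/user",
                "https://gitlab.example.com/"):
        print(url, "->", effective_api_base(url) + "user")
        for problem in lint_base_url(url):
            print("  problem:", problem)
```

Running a check like this in CI before `terraform plan` catches a malformed base_url before the provider sends the token to an unintended path.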