papanito/terraform-gitlab-generic

tf-module-gitlab

Terraform module to simplify gitlab setup of groups and projects.

Working with gitlab.com

On GitLab.com (SaaS), users generally cannot create new top-level groups via the API unless they are on a specific paid plan or have verified their account with a credit card. Even with a full api scope Personal Access Token (PAT), GitLab returns a 403 if:

  • Namespace Restriction: You are trying to create a group at the root level (/api/v4/groups) rather than as a subgroup under an existing organization you own.
  • Token Permissions: Your PAT has the read_api scope but not the api (write) scope.
  • Account Verification: Your GitLab account hasn't been verified for CI/CD or resource creation.
An existing group can instead be adopted into the Terraform state with an import block, addressing the module's group resource by its map key and the numeric GitLab group id:

    import {
      to = module.gitlab.gitlab_group.groups["clawfinger-test"]
      id = 128938890
    }

Inputs

Input: repositories

Description: List of repositories. The list is written in a "generic" way, so we can use it for GitLab, GitHub, etc. Each entry contains:

  • description: (String) Description of the repo

  • avatar: (String) File name of the avatar; assumes it is in a subfolder resources

  • archived: (Boolean) if repo is marked as archived.

  • free_tier: (Boolean) if repo is marked as free-tier, then we ignore features related to licensed versions only.

  • access_level: (Object) object that contains access level

  • default_branch: (String) Name of the default branch (main if not specified)

  • protected_branches: (List of Strings) A list of branch names that should be automatically protected upon repository creation e.g. ["main", "master", "production"]

  • topics: (List of Strings) A list of tags (topics) to apply to the repository.



Access Config access_level

Object containing one string per feature. Valid values are disabled, private, enabled.

  • overall: If a specific setting below is not specified, this value is used

  • analytics: Set the analytics access level.

  • builds: Set the builds access level.

  • container_registry: Set visibility of container registry, for this project

  • environments: Set the environments access level

  • feature_flags: Set the feature flags access level

  • forking: Set the forking access level.

  • infrastructure: Set the infrastructure access level

  • issues: Enable issue tracking for the project

  • merge_requests: Set the merge requests access level

  • monitor: Set the monitor access level.

  • packages: Enable packages repository for the project

  • pages: Enable pages access control.

  • releases: Set the releases access level.

  • repository: Set the repository access level.

  • requirements: Set the requirements access level

  • snippets: Set the snippets access level.

  • security_and_compliance: Set the security and compliance access level.

  • visibility_level: Set to public to create a public project. Valid values are private, internal, public.

  • wiki: Set the wiki access level


Pipeline config ci_config

  • ci_config_path (String) Custom Path to CI config file.

  • ci_default_git_depth (Number) Default number of revisions for shallow cloning.

  • ci_delete_pipelines_in_seconds (Number) Pipelines older than the configured time are deleted.

  • ci_forward_deployment_enabled (Boolean) When a new deployment job starts, skip older deployment jobs that are still pending.

  • ci_id_token_sub_claim_components (List of String) Fields included in the sub claim of the ID Token. Accepts an array starting with project_path. The array might also include ref_type and ref. Defaults to ["project_path", "ref_type", "ref"]. Introduced in GitLab 17.10.

  • ci_pipeline_variables_minimum_override_role (String) The minimum role required to set variables when running pipelines and jobs. Introduced in GitLab 17.1. Valid values are developer, maintainer, owner, no_one_allowed

  • ci_restrict_pipeline_cancellation_role (String) The role required to cancel a pipeline or job. Premium and Ultimate only. Valid values are developer, maintainer, no one

  • ci_separated_caches (Boolean) Use separate caches for protected branches.

  • restrict_user_defined_variables (Boolean) Allow only users with the Maintainer role to pass user-defined variables when triggering a pipeline.



SCM Mirrors mirrors

A list of external SCM sources to pull from.

  • enabled: If set to true, the mirror will actively synchronize. Defaults to true.

  • scm_type: Name of the remote SCM, e.g. github

  • url: The full authenticated URL of the remote repository.

  • keep_divergent_refs: If true, mirroring will not overwrite local changes that have diverged from the source.

  • only_protected_branches: If true, only branches protected in the source will be synchronized.

Approval rules approval_rules

Map of approval rule configurations.

  • project: (Required) The name or id of the project.

  • approvals_before_merge_required: (Required) Number of approvals needed.

  • users: (Optional) List of GitLab usernames to resolve to IDs.

  • groups: (Optional) List of GitLab group paths to resolve to IDs.

  • allow_force_push: (Optional) Whether to allow force pushes

  • rule_type: (String) Defaults to regular. The type of rule. any_approver is a pre-configured default rule with approvals_required at 0. Valid values are regular, any_approver, report_approver

  • applies_to_all_protected_branches: (Boolean) Whether the rule is applied to all protected branches. If set to true, the value of protected_branch_ids is ignored. Default is false.

  • merge_access_level: (String) Access levels allowed to merge. Valid values are: no one, developer, maintainer, admin.

  • push_access_level: (String) Access levels allowed to push. Valid values are: no one, developer, maintainer, admin.

  • unprotect_access_level: (String) Access levels allowed to unprotect. Valid values are: no one, developer, maintainer, admin.



Remarks

  • public_jobs is set according to the builds access level
Type:

    map(object({
      name           = optional(string)
      description    = string
      free_tier      = optional(bool, true)
      group_name     = optional(string)
      avatar         = optional(string)
      archived       = optional(bool, false)
      import_url     = optional(string)
      default_branch = optional(string)
      topics         = list(string)
      access_level = object({
        overall                 = optional(string, null)
        analytics               = optional(string, null)
        builds                  = optional(string, null)
        container_registry      = optional(string, null)
        environments            = optional(string, null)
        feature_flags           = optional(string, null)
        forking                 = optional(string, null)
        infrastructure          = optional(string, null)
        issues                  = optional(string, null)
        merge_requests          = optional(string, null)
        monitor                 = optional(string, null)
        packages                = optional(string, null)
        pages                   = optional(string, null)
        releases                = optional(string, null)
        repository              = optional(string, null)
        requirements            = optional(string, null)
        snippets                = optional(string, null)
        security_and_compliance = optional(string, null)
        visibility_level        = optional(string, null)
        wiki                    = optional(string, null)
      })
      approval_rules = map(object({
        applies_to_all_protected_branches = optional(bool, false)
        approvals_required                = optional(number, 0)
        users                             = optional(list(string), [])
        groups                            = optional(list(string), [])
        protected_branches                = optional(list(string), ["main"])
        allow_force_push                  = optional(bool, false)
        rule_type                         = optional(string, null)
        push_access_level                 = optional(string, "maintainer")
        merge_access_level                = optional(string, "developer")
        unprotect_access_level            = optional(string, "maintainer")
      }))
      ci_config = optional(object({
        ci_config_path                              = optional(string)
        ci_default_git_depth                        = optional(number, 20)
        ci_delete_pipelines_in_seconds              = optional(number, 31536000)
        ci_forward_deployment_enabled               = optional(bool, true)
        ci_restrict_pipeline_cancellation_role      = optional(string, "maintainer")
        ci_pipeline_variables_minimum_override_role = optional(string, "no_one_allowed")
        ci_separated_caches                         = optional(bool, true)
        restrict_user_defined_variables             = optional(bool, true)
      }))
      # Mirroring configuration to pull from external SCMs
      mirrors = optional(list(object({
        enabled                 = optional(bool, true)
        scm_type                = string
        url                     = string
        keep_divergent_refs     = optional(bool, false)
        only_protected_branches = optional(bool, true)
      })), [])
      labels = optional(map(object({
        name        = string
        description = string
        color       = string
      })), {})
    }))

Default: n/a
Required: yes
Input: groups

Description: List of groups. The list is written in a "generic" way, so we can use it for GitLab, GitHub, etc. Each entry contains:

    • description: (String) Description of the repo

    • avatar: (String) File name of the avatar; assumes it is in a subfolder resources

    • visibility_level: (String) Set to public to create a public project. Valid values are private, internal, public.

    • auto_devops_enabled: (Boolean) Default to Auto DevOps pipeline for all projects within this group.

    • emails_enabled: (Boolean) Enable email notifications.

    • default_branch: (String) Initial default branch name.

    • extra_shared_runners_minutes_limit: (Number) Additional CI/CD minutes for this group.

    • two_factor_grace_period: (Number) Time before Two-factor authentication is enforced (in hours).

    • ip_restriction_ranges: (List of String) A list of IP addresses or subnet masks to restrict group access. Will be concatenated together into a comma separated string. Only allowed on top level groups.

    • lfs_enabled: (Boolean) Enable/disable Large File Storage (LFS) for the projects in this group.

    • membership_lock: (Boolean) Users cannot be added to projects in this group.

    • mentions_disabled: (Boolean) Disable the capability of a group from getting mentioned.

    • path: (String) Override path. This might be necessary to avoid duplication. Default is the key name of the group element.

    • parent_name: "key" of the parent group from the group map

    • prevent_forking_outside_group: (Boolean) When enabled, users can not fork projects from this group to external namespaces.

    • request_access_enabled: (Boolean) Allow users to request member access.

    • require_two_factor_authentication: (Boolean) Require all users in this group to setup Two-factor authentication.

    • share_with_group_lock: (Boolean) Prevent sharing a project with another group within this group.

    • project_creation_level: (String) Determine if developers can create projects in the group. Valid values are: noone, owner, maintainer, developer.

    • subgroup_creation_level: (String) Allowed to create subgroups. Valid values are: owner, maintainer.

    • wiki_access_level: (String) The group's wiki access level. Only available on Premium and Ultimate plans. Valid values are disabled, private, enabled.

    • default_branch_protection_defaults: (Block List, Max: 1) The default branch protection defaults

Type:

    map(object({
      name             = optional(string)
      description      = string
      avatar           = optional(string)
      visibility_level = string

      auto_devops_enabled                = optional(bool, false)
      emails_enabled                     = optional(bool, false)
      default_branch                     = optional(string, "main")
      extra_shared_runners_minutes_limit = optional(number, 0)
      two_factor_grace_period            = optional(number, 24)
      require_two_factor_authentication  = optional(bool, true)
      ip_restriction_ranges              = optional(list(string), [])
      lfs_enabled                        = optional(bool, true)
      membership_lock                    = optional(bool, true)
      mentions_disabled                  = optional(bool, false)
      path                               = optional(string)
      parent_name                        = optional(string, null)
      prevent_forking_outside_group      = optional(bool, false)
      request_access_enabled             = optional(bool, false)
      share_with_group_lock              = optional(bool, true)
      project_creation_level             = optional(string, "owner")
      subgroup_creation_level            = optional(string, "owner")
      wiki_access_level                  = optional(string, "private")
      default_branch_protection_defaults = optional(object({
        allow_force_push           = bool
        allowed_to_merge           = list(string) # developer, maintainer, no one.
        allowed_to_push            = list(string) # developer, maintainer, no one.
        developer_can_initial_push = bool
      }),
      {
        allow_force_push           = true
        allowed_to_merge           = ["maintainer"]
        allowed_to_push            = ["maintainer"]
        developer_can_initial_push = true
      })
      labels = optional(map(object({
        description = string
        color       = string
      })), {})
    }))

Default: n/a
Required: yes
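A complete module call exercising both inputs together, added here as an example rather than taken from the module's own documentation: a locked-down top-level group with a subgroup, and a project whose access_level falls back to overall for every feature not set explicitly, with a two-approver rule, maintainer-only pipeline variables and a protected-branch-only pull mirror. It assumes the module is checked out at ./tf-module-gitlab, the gitlab provider is configured elsewhere with an api-scope token, group_name references a key of the groups map, and a sensitive variable github_mirror_url is declared elsewhere so the mirror credential never lands in source; the usernames and IP range are constructed.

```hcl
module "gitlab" {
  source = "./tf-module-gitlab" # assumed local checkout of this module

  groups = {
    "platform" = { # top-level group; require_two_factor_authentication defaults to true
      description            = "Platform engineering"
      visibility_level       = "private"
      ip_restriction_ranges  = ["203.0.113.0/24"] # constructed range; top-level groups only
      project_creation_level = "maintainer"
    }
    "platform-infra" = { # subgroup: parent_name is the key of the parent above
      description      = "Infrastructure code"
      visibility_level = "private"
      parent_name      = "platform"
    }
  }

  repositories = {
    "clawfinger-test" = {
      description = "Sample project"
      group_name  = "platform-infra" # assumed to reference a key of the groups map
      topics      = ["terraform", "gitlab"]
      access_level = {
        overall            = "private"  # used for every feature not set explicitly below
        container_registry = "disabled"
        forking            = "disabled"
        visibility_level   = "private"
      }
      approval_rules = {
        "require-review" = {
          approvals_required     = 2
          users                  = ["alice", "bob"] # constructed usernames
          protected_branches     = ["main"]
          push_access_level      = "no one"
          merge_access_level     = "maintainer"
          unprotect_access_level = "maintainer"
        }
      }
      ci_config = {
        restrict_user_defined_variables             = true
        ci_pipeline_variables_minimum_override_role = "maintainer"
      }
      mirrors = [{
        scm_type                = "github"
        url                     = var.github_mirror_url # assumed sensitive variable declared elsewhere
        only_protected_branches = true
      }]
    }
  }
}
```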

Outputs

Name                      Description
groups                    n/a
group_labels              n/a
branch_protection_rules   n/a
protected_branches        n/a

Resources

Name                                         Type
gitlab_branch_protection.managed             resource
gitlab_group.groups                          resource
gitlab_group_label.labels                    resource
gitlab_project.repositories                  resource
gitlab_project_approval_rule.rules           resource
gitlab_project_mirror.mirrors                resource
gitlab_group.resolved                        data source
gitlab_groups.groups                         data source
gitlab_project_protected_branches.existing   data source
gitlab_user.resolved                         data source
