How to prevent a resource from being created again (time_rotating)

emawata · August 1, 2023, 5:21pm

Hi everyone, I’m using gitlab resources in Terraform and I have a problem.
The gitlab_group_access_token resource requires you to specify an expiration date for the token.

I tried to use the time_rotating resource because I thought I would only recreate the gitlab_group_access_token when I met a certain declared date but it is not.

Here my code:

resource "time_rotating" "gitlab_group_access_token" {
  rotation_days = 365
}
resource "time_static" "future_date" {
  depends_on = [time_rotating.gitlab_group_access_token]
  rfc3339 = formatdate("YYYY-MM-DD'T'hh:mm:ssZ", timeadd(timestamp(), "8760h"))
}
#Tokens
resource "gitlab_group_access_token" "kiu_pdf_argocd_token" {
  depends_on = [time_rotating.gitlab_group_access_token]

  group        = gitlab_group.kiu_pdf.id
  name         = "ArgoCD access token"
  expires_at   = substr(time_static.future_date.rfc3339, 0, 10)
  access_level = "developer"

  scopes = ["read_repository"]

}

resource "gitlab_group_access_token" "kiu_pdf_ci_token" {
  depends_on = [time_rotating.gitlab_group_access_token]

  group        = gitlab_group.kiu_pdf.id
  name         = "Gitlab CI access token"
  expires_at   = substr(time_static.future_date.rfc3339, 0, 10)
  access_level = "developer"

  scopes = ["read_repository", "write_repository"]

}
`

First I try to get the current date using the resource time_static and with the function substr I try to modify it to work in the gitlab resource.

I just need to update the tokens every 365 days but I don’t know the cleanest way to do it since every time I make a plan I try to recreate the resources and I don’t need to recreate them.

  `# gitlab_group_access_token.kiu_pdf_argocd_token must be replaced
-/+ resource "gitlab_group_access_token" "kiu_pdf_argocd_token" {
      ~ active       = true -> (known after apply)
      ~ created_at   = "2023-08-01T15:08:06Z" -> (known after apply)
      ~ expires_at   = "2024-07-31" # forces replacement -> (known after apply) # forces replacement
      ~ id           = "531:103" -> (known after apply)
        name         = "ArgoCD access token"
      ~ revoked      = false -> (known after apply)
      ~ token        = (sensitive value)
      ~ user_id      = 130 -> (known after apply)
        # (3 unchanged attributes hidden)
    }

  # gitlab_group_access_token.kiu_pdf_ci_token must be replaced
-/+ resource "gitlab_group_access_token" "kiu_pdf_ci_token" {
      ~ active       = true -> (known after apply)
      ~ created_at   = "2023-08-01T15:08:06Z" -> (known after apply)
      ~ expires_at   = "2024-07-31" # forces replacement -> (known after apply) # forces replacement
      ~ id           = "531:104" -> (known after apply)
        name         = "Gitlab CI access token"
      ~ revoked      = false -> (known after apply)
      ~ token        = (sensitive value)
      ~ user_id      = 131 -> (known after apply)
        # (3 unchanged attributes hidden)
    }`

Any helps?