Merge branch 'gitlabhq:main' into main

Author: Moon1706

docs/resources/project.md

@@ -20,11 +20,11 @@ The `gitlab_project` resource allows to manage the lifecycle of a project.
 
 A project can either be created in a group or user namespace.
 
--> **Default Branch Protection Workaround** Projects are created with default branch protection. 
-Since this default branch protection is not currently managed via Terraform, to workaround this limitation, 
+-> **Default Branch Protection Workaround** Projects are created with default branch protection.
+Since this default branch protection is not currently managed via Terraform, to workaround this limitation,
 you can remove the default branch protection via the API and create your desired Terraform managed branch protection.
-In the `gitlab_project` resource, define a `local-exec` provisioner which invokes 
-the `/projects/:id/protected_branches/:name` API via curl to delete the branch protection on the default 
+In the `gitlab_project` resource, define a `local-exec` provisioner which invokes
+the `/projects/:id/protected_branches/:name` API via curl to delete the branch protection on the default
 branch using a `DELETE` request. Then define the desired branch protection using the `gitlab_branch_protection` resource.
 
 **Upstream API**: [GitLab REST API docs](https://docs.gitlab.com/ce/api/projects.html)

internal/provider/resource_gitlab_project.go

@@ -645,11 +645,11 @@ var _ = registerResource("gitlab_project", func() *schema.Resource {
 
 A project can either be created in a group or user namespace.
 
--> **Default Branch Protection Workaround** Projects are created with default branch protection. 
-Since this default branch protection is not currently managed via Terraform, to workaround this limitation, 
+-> **Default Branch Protection Workaround** Projects are created with default branch protection.
+Since this default branch protection is not currently managed via Terraform, to workaround this limitation,
 you can remove the default branch protection via the API and create your desired Terraform managed branch protection.
-In the ` + "`gitlab_project`" + ` resource, define a ` + "`local-exec`" + ` provisioner which invokes 
-the ` + "`/projects/:id/protected_branches/:name`" + ` API via curl to delete the branch protection on the default 
+In the ` + "`gitlab_project`" + ` resource, define a ` + "`local-exec`" + ` provisioner which invokes
+the ` + "`/projects/:id/protected_branches/:name`" + ` API via curl to delete the branch protection on the default
 branch using a ` + "`DELETE`" + ` request. Then define the desired branch protection using the ` + "`gitlab_branch_protection`" + ` resource.
 
 **Upstream API**: [GitLab REST API docs](https://docs.gitlab.com/ce/api/projects.html)`,
@@ -1018,66 +1018,73 @@ func resourceGitlabProjectCreate(ctx context.Context, d *schema.ResourceData, me
 		}
 	}
 
-	// default_branch cannot always be set during creation.
-	// If the branch does not exist, the update will fail, so we also create it here.
-	// See: https://gitlab.com/gitlab-org/gitlab/-/issues/333426
-	// This logic may be removed when the above issue is resolved.
-	if v, ok := d.GetOk("default_branch"); ok && project.DefaultBranch != "" && project.DefaultBranch != v.(string) {
-		oldDefaultBranch := project.DefaultBranch
-		newDefaultBranch := v.(string)
+	// see: https://gitlab.com/gitlab-org/gitlab/-/issues/333426
+	noDefaultBranchAPISupport, err := isGitLabVersionLessThan(ctx, client, "14.10")()
+	if err != nil {
+		return diag.Errorf("unable to get information if `default_branch` handling is supported in the GitLab instance: %v", err)
+	}
+
+	if noDefaultBranchAPISupport {
+		// default_branch cannot always be set during creation.
+		// If the branch does not exist, the update will fail, so we also create it here.
+		// This logic may be removed when the above issue is resolved.
+		if v, ok := d.GetOk("default_branch"); ok && project.DefaultBranch != "" && project.DefaultBranch != v.(string) {
+			oldDefaultBranch := project.DefaultBranch
+			newDefaultBranch := v.(string)
+
+			log.Printf("[DEBUG] create branch %q for project %q", newDefaultBranch, d.Id())
+			_, _, err := client.Branches.CreateBranch(project.ID, &gitlab.CreateBranchOptions{
+				Branch: gitlab.String(newDefaultBranch),
+				Ref:    gitlab.String(oldDefaultBranch),
+			}, gitlab.WithContext(ctx))
+			if err != nil {
+				return diag.Errorf("Failed to create branch %q for project %q: %s", newDefaultBranch, d.Id(), err)
+			}
 
-		log.Printf("[DEBUG] create branch %q for project %q", newDefaultBranch, d.Id())
-		_, _, err := client.Branches.CreateBranch(project.ID, &gitlab.CreateBranchOptions{
-			Branch: gitlab.String(newDefaultBranch),
-			Ref:    gitlab.String(oldDefaultBranch),
-		}, gitlab.WithContext(ctx))
-		if err != nil {
-			return diag.Errorf("Failed to create branch %q for project %q: %s", newDefaultBranch, d.Id(), err)
-		}
+			log.Printf("[DEBUG] set new default branch to %q for project %q", newDefaultBranch, d.Id())
+			_, _, err = client.Projects.EditProject(project.ID, &gitlab.EditProjectOptions{
+				DefaultBranch: gitlab.String(newDefaultBranch),
+			}, gitlab.WithContext(ctx))
+			if err != nil {
+				return diag.Errorf("Failed to set default branch to %q for project %q: %s", newDefaultBranch, d.Id(), err)
+			}
 
-		log.Printf("[DEBUG] set new default branch to %q for project %q", newDefaultBranch, d.Id())
-		_, _, err = client.Projects.EditProject(project.ID, &gitlab.EditProjectOptions{
-			DefaultBranch: gitlab.String(newDefaultBranch),
-		}, gitlab.WithContext(ctx))
-		if err != nil {
-			return diag.Errorf("Failed to set default branch to %q for project %q: %s", newDefaultBranch, d.Id(), err)
-		}
+			log.Printf("[DEBUG] protect new default branch %q for project %q", newDefaultBranch, d.Id())
+			_, _, err = client.ProtectedBranches.ProtectRepositoryBranches(project.ID, &gitlab.ProtectRepositoryBranchesOptions{
+				Name: gitlab.String(newDefaultBranch),
+			}, gitlab.WithContext(ctx))
+			if err != nil {
+				return diag.Errorf("Failed to protect default branch %q for project %q: %s", newDefaultBranch, d.Id(), err)
+			}
 
-		log.Printf("[DEBUG] protect new default branch %q for project %q", newDefaultBranch, d.Id())
-		_, _, err = client.ProtectedBranches.ProtectRepositoryBranches(project.ID, &gitlab.ProtectRepositoryBranchesOptions{
-			Name: gitlab.String(newDefaultBranch),
-		}, gitlab.WithContext(ctx))
-		if err != nil {
-			return diag.Errorf("Failed to protect default branch %q for project %q: %s", newDefaultBranch, d.Id(), err)
-		}
+			log.Printf("[DEBUG] check for protection on old default branch %q for project %q", oldDefaultBranch, d.Id())
+			branch, _, err := client.ProtectedBranches.GetProtectedBranch(project.ID, oldDefaultBranch, gitlab.WithContext(ctx))
+			if err != nil && !is404(err) {
+				return diag.Errorf("Failed to check for protected default branch %q for project %q: %v", oldDefaultBranch, d.Id(), err)
+			}
+			if branch == nil {
+				log.Printf("[DEBUG] Default protected branch %q for project %q does not exist", oldDefaultBranch, d.Id())
+			} else {
+				log.Printf("[DEBUG] unprotect old default branch %q for project %q", oldDefaultBranch, d.Id())
+				_, err = client.ProtectedBranches.UnprotectRepositoryBranches(project.ID, oldDefaultBranch, gitlab.WithContext(ctx))
+				if err != nil {
+					return diag.Errorf("Failed to unprotect undesired default branch %q for project %q: %v", oldDefaultBranch, d.Id(), err)
+				}
+			}
 
-		log.Printf("[DEBUG] check for protection on old default branch %q for project %q", oldDefaultBranch, d.Id())
-		branch, _, err := client.ProtectedBranches.GetProtectedBranch(project.ID, oldDefaultBranch, gitlab.WithContext(ctx))
-		if err != nil && !is404(err) {
-			return diag.Errorf("Failed to check for protected default branch %q for project %q: %v", oldDefaultBranch, d.Id(), err)
-		}
-		if branch == nil {
-			log.Printf("[DEBUG] Default protected branch %q for project %q does not exist", oldDefaultBranch, d.Id())
-		} else {
-			log.Printf("[DEBUG] unprotect old default branch %q for project %q", oldDefaultBranch, d.Id())
-			_, err = client.ProtectedBranches.UnprotectRepositoryBranches(project.ID, oldDefaultBranch, gitlab.WithContext(ctx))
+			log.Printf("[DEBUG] delete old default branch %q for project %q", oldDefaultBranch, d.Id())
+			_, err = client.Branches.DeleteBranch(project.ID, oldDefaultBranch, gitlab.WithContext(ctx))
 			if err != nil {
-				return diag.Errorf("Failed to unprotect undesired default branch %q for project %q: %v", oldDefaultBranch, d.Id(), err)
+				return diag.Errorf("Failed to clean up undesired default branch %q for project %q: %s", oldDefaultBranch, d.Id(), err)
 			}
 		}
-
-		log.Printf("[DEBUG] delete old default branch %q for project %q", oldDefaultBranch, d.Id())
-		_, err = client.Branches.DeleteBranch(project.ID, oldDefaultBranch, gitlab.WithContext(ctx))
-		if err != nil {
-			return diag.Errorf("Failed to clean up undesired default branch %q for project %q: %s", oldDefaultBranch, d.Id(), err)
-		}
 	}
 
 	// If the project is assigned to a group namespace and the group has *default branch protection*
 	// disabled (`default_branch_protection = 0`) then we don't have to wait for one.
 	waitForDefaultBranchProtection, err := expectDefaultBranchProtection(ctx, client, project)
 	if err != nil {
-		return diag.Errorf("Failed to fetch group the project %d is owned by: %+v", project.ID, err)
+		return diag.Errorf("Failed to discover if branch protection is enabled by default or not for project %d: %+v", project.ID, err)
 	}
 
 	if waitForDefaultBranchProtection {
@@ -1759,6 +1766,7 @@ func namespaceOrPathChanged(ctx context.Context, d *schema.ResourceDiff, meta in
 }
 
 func expectDefaultBranchProtection(ctx context.Context, client *gitlab.Client, project *gitlab.Project) (bool, error) {
+	// If the project is part of a group it may have default branch protection disabled for its projects
 	if project.Namespace.Kind == "group" {
 		group, _, err := client.Groups.GetGroup(project.Namespace.ID, nil, gitlab.WithContext(ctx))
 		if err != nil {
@@ -1768,7 +1776,11 @@ func expectDefaultBranchProtection(ctx context.Context, client *gitlab.Client, p
 		return group.DefaultBranchProtection != 0, nil
 	}
 
-	// projects which are not assigned to a group can't have a "no branch protection" default,
-	// thus, we always expect a default branch protection.
-	return true, nil
+	// // If the project is not part of a group it may have default branch protection disabled because of the instance-wide application settings
+	settings, _, err := client.Settings.GetSettings(nil, gitlab.WithContext(ctx))
+	if err != nil {
+		return false, err
+	}
+
+	return settings.DefaultBranchProtection != 0, nil
 }

internal/provider/resource_gitlab_project_test.go

@@ -844,6 +844,13 @@ resource "gitlab_project" "foo" {
 					},
 				),
 			},
+			// Verify Import
+			{
+				ResourceName:            "gitlab_project.foo",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"initialize_with_readme"},
+			},
 		},
 	})
 }
@@ -883,6 +890,99 @@ func TestAccGitlabProject_CreateProjectInUserNamespace(t *testing.T) {
 	})
 }
 
+func TestAccGitlabProject_InstanceBranchProtectionDisabled(t *testing.T) {
+	rInt := acctest.RandInt()
+
+	resource.Test(t, resource.TestCase{
+		ProviderFactories: providerFactories,
+		CheckDestroy:      testAccCheckGitlabProjectDestroy,
+		Steps: []resource.TestStep{
+			{
+				PreConfig: func() {
+					settings, _, err := testGitlabClient.Settings.GetSettings()
+					if err != nil {
+						t.Fatalf("failed to get settings: %v", err)
+					}
+					t.Cleanup(func() {
+						if _, _, err := testGitlabClient.Settings.UpdateSettings(&gitlab.UpdateSettingsOptions{DefaultBranchProtection: gitlab.Int(settings.DefaultBranchProtection)}); err != nil {
+							t.Fatalf("failed to update instance-wide default branch protection setting to default: %v", err)
+						}
+					})
+
+					if _, _, err := testGitlabClient.Settings.UpdateSettings(&gitlab.UpdateSettingsOptions{DefaultBranchProtection: gitlab.Int(0)}); err != nil {
+						t.Fatalf("failed to update instance-wide default branch protection setting: %v", err)
+					}
+				},
+				Config: ` `, // requires a space for empty config
+			},
+			// Without explicit default branch
+			{
+				Config: fmt.Sprintf(`
+					resource "gitlab_project" "foo" {
+						name                   = "foo-%d"
+						description            = "Terraform acceptance tests"
+						visibility_level       = "public"
+						initialize_with_readme = true
+					}
+				`, rInt),
+			},
+			// Verify Import
+			{
+				ResourceName:            "gitlab_project.foo",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"initialize_with_readme"},
+			},
+			// Force a destroy for the project so that it can be recreated as the same resource
+			{
+				Config: ` `, // requires a space for empty config
+			},
+			// With explicit default branch set to instance-wide default
+			{
+				Config: fmt.Sprintf(`
+					resource "gitlab_project" "foo" {
+						name                   = "foo-%d"
+						description            = "Terraform acceptance tests"
+						visibility_level       = "public"
+						default_branch         = "main"
+						initialize_with_readme = true
+					}
+				`, rInt),
+			},
+			// Verify Import
+			{
+				ResourceName:            "gitlab_project.foo",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"initialize_with_readme"},
+			},
+			// Force a destroy for the project so that it can be recreated as the same resource
+			{
+				Config: ` `, // requires a space for empty config
+			},
+			// With custom default branch
+			{
+				Config: fmt.Sprintf(`
+					resource "gitlab_project" "foo" {
+						name                   = "foo-%d-custom-default-branch"
+						description            = "Terraform acceptance tests"
+						visibility_level       = "public"
+						default_branch         = "foobar-non-default-branch"
+						initialize_with_readme = true
+					}
+				`, rInt),
+			},
+			// Verify Import
+			{
+				ResourceName:            "gitlab_project.foo",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"initialize_with_readme"},
+			},
+		},
+	})
+}
+
 type testAccGitlabProjectMirroredExpectedAttributes struct {
 	Mirror                           bool
 	MirrorTriggerBuilds              bool

scripts/gitlab.rb

@@ -8,4 +8,13 @@
 registry_nginx['ssl_certificate']     = "/etc/gitlab/ssl/gitlab-registry.pem"
 registry_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab-registry.key"
 
-gitlab_rails['initial_shared_runners_registration_token'] = "ACCTEST1234567890123_RUNNER_REG_TOKEN"
+gitlab_rails['initial_shared_runners_registration_token'] = "ACCTEST1234567890123_RUNNER_REG_TOKEN"
+
+# This setting is required to disable caching for application settings
+# which is required to test different scenarios in the acceptance tests.
+# see https://gitlab.com/gitlab-org/gitlab/-/issues/364812#note_986366898
+# see https://github.com/gitlabhq/terraform-provider-gitlab/pull/1128
+gitlab_rails['application_settings_cache_seconds'] = 0
+gitlab_rails['env'] = {
+    'IN_MEMORY_APPLICATION_SETTINGS' => 'false'
+}