Merge pull request #28 from xMoelletschi/10-variables

feat: add support for gitlab_project_variable and gitlab_group_variable

Author: xMoelletschi

README.md

@@ -82,6 +82,7 @@ terraform/
 ├── project_membership.tf   # generated: variable with project → shared groups
 ├── group_labels.tf         # generated: variable with group → labels
 ├── project_labels.tf       # generated: variable with project → labels
+├── ci_variables.tf         # generated: group and project CI/CD variables
 ├── pipeline_schedules.tf   # generated: variable with project → pipeline schedules
 ├── hooks.tf                # generated: project and group webhooks
 └── ...
@@ -104,10 +105,19 @@ terraform/
 - ✅ GitLab Project Labels ([`gitlab_project_label`](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/resources/project_label))
 - ✅ GitLab Pipeline Schedules ([`gitlab_pipeline_schedule`](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/resources/pipeline_schedule))
 - ✅ GitLab Pipeline Schedule Variables ([`gitlab_pipeline_schedule_variable`](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/resources/pipeline_schedule_variable))
+- ✅ GitLab Group Variables ([`gitlab_group_variable`](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/resources/group_variable)) *
+- ✅ GitLab Project Variables ([`gitlab_project_variable`](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/resources/project_variable)) *
 - ✅ GitLab Project Hooks ([`gitlab_project_hook`](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/resources/project_hook))
 - ✅ GitLab Group Hooks ([`gitlab_group_hook`](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/resources/group_hook)) *(requires Premium/Ultimate)*
 - 🚧 More resources coming soon
 
+> **\* CI/CD Variable Filtering:** Masked variables and file-type variables are automatically skipped.
+> Masked variables are excluded because the GitLab API returns redacted values (`[MASKED]`), which would produce invalid Terraform state.
+> File-type variables are excluded because they typically contain sensitive data such as SSH private keys or certificates.
+>
+> **Important:** If you store secrets (SSH keys, API tokens, etc.) as `env_var`-type CI/CD variables, they will be written to `.tf` files in plaintext.
+> To prevent this, store sensitive values as **file-type** variables — this is also [GitLab's recommended approach](https://docs.gitlab.com/ci/variables/#use-file-type-cicd-variables) for multi-line secrets like SSH keys, since they cannot be masked.
+
 ## Contributing
 
 Contributions are welcome! Please:

internal/gitlab/client.go

@@ -23,6 +23,8 @@ type Resources struct {
 	PipelineSchedules PipelineSchedules
 	ProjectHooks      ProjectHooks
 	GroupHooks        GroupHooks
+	ProjectVariables  ProjectVariables
+	GroupVariables    GroupVariables
 }
 
 func NewClientFromAPI(api *gl.Client, group string) *Client {
@@ -84,6 +86,22 @@ func (c *Client) FetchAll(ctx context.Context, skipSet skip.Set) (*Resources, er
 		slog.Info("fetched pipeline schedules", "count", len(pipelineSchedules))
 	}
 
+	var projectVariables ProjectVariables
+	var groupVariables GroupVariables
+	if !skipSet.Has("variables") {
+		groupVariables, err = c.ListGroupVariables(ctx, groups)
+		if err != nil {
+			return nil, fmt.Errorf("listing group variables: %w", err)
+		}
+		slog.Info("fetched group variables", "count", len(groupVariables))
+
+		projectVariables, err = c.ListProjectVariables(ctx, projects)
+		if err != nil {
+			return nil, fmt.Errorf("listing project variables: %w", err)
+		}
+		slog.Info("fetched project variables", "count", len(projectVariables))
+	}
+
 	var projectHooks ProjectHooks
 	var groupHooks GroupHooks
 	if !skipSet.Has("hooks") {
@@ -109,5 +127,7 @@ func (c *Client) FetchAll(ctx context.Context, skipSet skip.Set) (*Resources, er
 		PipelineSchedules: pipelineSchedules,
 		ProjectHooks:      projectHooks,
 		GroupHooks:        groupHooks,
+		ProjectVariables:  projectVariables,
+		GroupVariables:    groupVariables,
 	}, nil
 }

internal/gitlab/variables.go

@@ -0,0 +1,111 @@
+package gitlab
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+
+	gl "gitlab.com/gitlab-org/api/client-go"
+)
+
+// ProjectVariables maps project IDs to their CI/CD variables.
+type ProjectVariables = map[int64][]*gl.ProjectVariable
+
+// GroupVariables maps group IDs to their CI/CD variables.
+type GroupVariables = map[int64][]*gl.GroupVariable
+
+func (c *Client) ListProjectVariables(ctx context.Context, projects []*gl.Project) (ProjectVariables, error) {
+	result := make(ProjectVariables, len(projects))
+
+	for _, p := range projects {
+		if p == nil {
+			continue
+		}
+		slog.Debug("fetching project variables", "project", p.PathWithNamespace)
+		opts := &gl.ListProjectVariablesOptions{
+			ListOptions: gl.ListOptions{
+				Page:    1,
+				PerPage: 100,
+			},
+		}
+		var vars []*gl.ProjectVariable
+		for {
+			page, resp, err := c.api.ProjectVariables.ListVariables(p.ID, opts, gl.WithContext(ctx))
+			if err != nil {
+				return nil, fmt.Errorf("listing variables for project %d: %w", p.ID, err)
+			}
+			for _, v := range page {
+				if v.Masked {
+					slog.Warn("skipping masked variable", "key", v.Key, "project", p.PathWithNamespace)
+					continue
+				}
+				if v.Hidden {
+					slog.Warn("skipping hidden variable", "key", v.Key, "project", p.PathWithNamespace)
+					continue
+				}
+				if v.VariableType == gl.FileVariableType {
+					slog.Warn("skipping file variable", "key", v.Key, "project", p.PathWithNamespace)
+					continue
+				}
+				vars = append(vars, v)
+			}
+			if resp.NextPage == 0 {
+				break
+			}
+			opts.Page = resp.NextPage
+		}
+		if len(vars) > 0 {
+			result[p.ID] = vars
+		}
+	}
+
+	return result, nil
+}
+
+func (c *Client) ListGroupVariables(ctx context.Context, groups []*gl.Group) (GroupVariables, error) {
+	result := make(GroupVariables, len(groups))
+
+	for _, g := range groups {
+		if g == nil {
+			continue
+		}
+		slog.Debug("fetching group variables", "group", g.FullPath)
+		opts := &gl.ListGroupVariablesOptions{
+			ListOptions: gl.ListOptions{
+				Page:    1,
+				PerPage: 100,
+			},
+		}
+		var vars []*gl.GroupVariable
+		for {
+			page, resp, err := c.api.GroupVariables.ListVariables(g.ID, opts, gl.WithContext(ctx))
+			if err != nil {
+				return nil, fmt.Errorf("listing variables for group %d: %w", g.ID, err)
+			}
+			for _, v := range page {
+				if v.Masked {
+					slog.Warn("skipping masked variable", "key", v.Key, "group", g.FullPath)
+					continue
+				}
+				if v.Hidden {
+					slog.Warn("skipping hidden variable", "key", v.Key, "group", g.FullPath)
+					continue
+				}
+				if v.VariableType == gl.FileVariableType {
+					slog.Warn("skipping file variable", "key", v.Key, "group", g.FullPath)
+					continue
+				}
+				vars = append(vars, v)
+			}
+			if resp.NextPage == 0 {
+				break
+			}
+			opts.Page = resp.NextPage
+		}
+		if len(vars) > 0 {
+			result[g.ID] = vars
+		}
+	}
+
+	return result, nil
+}

internal/terraform/import.go

@@ -121,6 +121,40 @@ func GenerateImportCommands(resources *gitlab.Resources, existingResources map[s
 		}
 	}
 
+	if !skipSet.Has("variables") {
+		for _, g := range resources.Groups {
+			if g == nil {
+				continue
+			}
+			for _, v := range resources.GroupVariables[g.ID] {
+				name := groupVariableResourceName(g, v)
+				key := "gitlab_group_variable." + name
+				if !existingResources[key] {
+					cmds = append(cmds, ImportCommand{
+						Address: key,
+						ID:      fmt.Sprintf("%d:%s:%s", g.ID, v.Key, v.EnvironmentScope),
+					})
+				}
+			}
+		}
+
+		for _, p := range resources.Projects {
+			if p == nil {
+				continue
+			}
+			for _, v := range resources.ProjectVariables[p.ID] {
+				name := projectVariableResourceName(p, v)
+				key := "gitlab_project_variable." + name
+				if !existingResources[key] {
+					cmds = append(cmds, ImportCommand{
+						Address: key,
+						ID:      fmt.Sprintf("%d:%s:%s", p.ID, v.Key, v.EnvironmentScope),
+					})
+				}
+			}
+		}
+	}
+
 	if !skipSet.Has("hooks") {
 		for _, g := range resources.Groups {
 			if g == nil {

internal/terraform/import_test.go

@@ -490,6 +490,107 @@ func TestGenerateImportCommandsSkipHooks(t *testing.T) {
 	}
 }
 
+func TestGenerateImportCommandsNewGroupVariable(t *testing.T) {
+	resources := &gitlab.Resources{
+		Groups: []*gl.Group{
+			{ID: 10, Path: "my-group", FullPath: "my-group"},
+		},
+		GroupVariables: map[int64][]*gl.GroupVariable{
+			10: {
+				{Key: "API_URL", EnvironmentScope: "*"},
+				{Key: "DB_HOST", EnvironmentScope: "production"},
+			},
+		},
+	}
+
+	existing := map[string]bool{
+		"gitlab_group.my_group": true,
+	}
+
+	cmds := GenerateImportCommands(resources, existing, "my-group", nil)
+
+	if len(cmds) != 2 {
+		t.Fatalf("expected 2 commands, got %d", len(cmds))
+	}
+	if cmds[0].Address != "gitlab_group_variable.my_group_api_url" {
+		t.Errorf("address = %q, want %q", cmds[0].Address, "gitlab_group_variable.my_group_api_url")
+	}
+	if cmds[0].ID != "10:API_URL:*" {
+		t.Errorf("id = %q, want %q", cmds[0].ID, "10:API_URL:*")
+	}
+	if cmds[1].Address != "gitlab_group_variable.my_group_db_host_production" {
+		t.Errorf("address = %q, want %q", cmds[1].Address, "gitlab_group_variable.my_group_db_host_production")
+	}
+	if cmds[1].ID != "10:DB_HOST:production" {
+		t.Errorf("id = %q, want %q", cmds[1].ID, "10:DB_HOST:production")
+	}
+}
+
+func TestGenerateImportCommandsNewProjectVariable(t *testing.T) {
+	resources := &gitlab.Resources{
+		Projects: []*gl.Project{
+			{
+				ID:   1,
+				Path: "my-project",
+				Namespace: &gl.ProjectNamespace{
+					FullPath: "parent",
+				},
+			},
+		},
+		ProjectVariables: map[int64][]*gl.ProjectVariable{
+			1: {
+				{Key: "SECRET_KEY", EnvironmentScope: "*"},
+			},
+		},
+	}
+
+	existing := map[string]bool{
+		"gitlab_project.parent_my_project": true,
+	}
+
+	cmds := GenerateImportCommands(resources, existing, "parent", nil)
+
+	if len(cmds) != 1 {
+		t.Fatalf("expected 1 command, got %d", len(cmds))
+	}
+	if cmds[0].Address != "gitlab_project_variable.parent_my_project_secret_key" {
+		t.Errorf("address = %q, want %q", cmds[0].Address, "gitlab_project_variable.parent_my_project_secret_key")
+	}
+	if cmds[0].ID != "1:SECRET_KEY:*" {
+		t.Errorf("id = %q, want %q", cmds[0].ID, "1:SECRET_KEY:*")
+	}
+}
+
+func TestGenerateImportCommandsSkipVariables(t *testing.T) {
+	resources := &gitlab.Resources{
+		Groups: []*gl.Group{
+			{ID: 10, Path: "grp", FullPath: "grp"},
+		},
+		Projects: []*gl.Project{
+			{
+				ID:   1,
+				Path: "proj",
+				Namespace: &gl.ProjectNamespace{FullPath: "grp"},
+			},
+		},
+		GroupVariables: map[int64][]*gl.GroupVariable{
+			10: {{Key: "VAR1", EnvironmentScope: "*"}},
+		},
+		ProjectVariables: map[int64][]*gl.ProjectVariable{
+			1: {{Key: "VAR2", EnvironmentScope: "*"}},
+		},
+	}
+
+	skipSet := skip.Set{"variables": true}
+	cmds := GenerateImportCommands(resources, nil, "grp", skipSet)
+
+	for _, cmd := range cmds {
+		if strings.Contains(cmd.Address, "_variable.") {
+			t.Errorf("should not generate variable import when skipped: %s", cmd.Address)
+		}
+	}
+}
+
 func TestGenerateImportCommandsSkipPipelineSchedules(t *testing.T) {
 	resources := &gitlab.Resources{
 		Groups: []*gl.Group{

internal/terraform/testdata/group_variables.tf

@@ -0,0 +1,19 @@
+resource "gitlab_group_variable" "my_group_api_url" {
+  group         = gitlab_group.my_group.id
+  key           = "API_URL"
+  value         = "https://api.example.com"
+  variable_type = "env_var"
+  protected     = false
+  raw           = true
+  description   = "API base URL"
+}
+
+resource "gitlab_group_variable" "my_group_db_host_production" {
+  group             = gitlab_group.my_group.id
+  key               = "DB_HOST"
+  value             = "db.example.com"
+  variable_type     = "env_var"
+  protected         = true
+  raw               = false
+  environment_scope = "production"
+}

internal/terraform/testdata/project_variables.tf

@@ -0,0 +1,9 @@
+resource "gitlab_project_variable" "my_group_my_project_secret_key" {
+  project       = gitlab_project.my_group_my_project.id
+  key           = "SECRET_KEY"
+  value         = "abc123"
+  variable_type = "env_var"
+  protected     = false
+  raw           = false
+  description   = "Secret key"
+}