ProjectJobTokenScope gives POST error: id is invalid #605

Open
SimplicityApks opened this issue May 16, 2024 · 4 comments
Labels
awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). kind/bug Some behavior is incorrect or out of spec

Comments

@SimplicityApks

SimplicityApks commented May 16, 2024

What happened?

Adding a ProjectJobTokenScope does not work. It could be not encoding the id properly

output of pulumi up:

Updating (prod):
     Type                                  Name                Status                  Info
     pulumi:pulumi:Stack                   customer-prod       **failed**              1 error
 +   └─ gitlab:index:ProjectJobTokenScope  urnname  **creating failed**     1 error

Diagnostics:
  pulumi:pulumi:Stack (customer-prod):
    error: update failed

  gitlab:index:ProjectJobTokenScope (urnname):
    error: GitLab API error occurred: Unable to add the target project to CI/CD Job Token inbound allowlist: POST https://gitlaburl.domain/api/v4/projects/mynamespace/myproject/job_token_scope/allowlist: 400 {error: id is invalid}

Additionally, I haven't yet found a way to turn on the limit token access allowlist itself. So this has it manually turned on in the UI. Note I also tried before to add the project in the UI, but that should not make a difference I suppose.

Example

code:

new gitlab.ProjectJobTokenScope(
  "urnname",
  {
    targetProjectId: 36,
    project: "mynamespace/myproject",
  },
  { provider: gitlabProvider }
);

pulumi preview detail shows

        gitlab:index/projectJobTokenScope:ProjectJobTokenScope: (create)
        [urn=urn:pulumi:prod::customer::gitlab:index/projectJobTokenScope:ProjectJobTokenScope::urnname]
        [provider=urn:pulumi:prod::customer::pulumi:providers:gitlab::gitlab::683c86b5-4a31-4078-b9ed-e6def5f1cb42]
        project        : "mynamespace/myproject"
        targetProjectId: 36

Output of pulumi about

CLI
Version 3.115.2
Go Version go1.22.2
Go Compiler gc

Plugins
KIND NAME VERSION
language nodejs unknown

Host
OS debian
Version 11.9
Arch x86_64

This project is written in nodejs: executable='/home/user/.nvm/versions/node/v20.12.2/bin/node' version='v20.12.2'

Current Stack: organization/customer/prod

pulumi gitlab is running in version:
"node_modules/@pulumi/gitlab": {
"version": "6.9.0",
"resolved": "https://registry.npmjs.org/@pulumi/gitlab/-/gitlab-6.9.0.tgz",
"integrity": "sha512-307WjG9haMRzDBE69MPTolGmev95wh7TkyRaIrG0FMS7JUqr0JtWSX/kui5dlklJTY7AJTeao+KFs1x6NmC1XA==",
"dependencies": {
"@pulumi/pulumi": "^3.0.0",
"builtin-modules": "3.0.0",
"read-package-tree": "^5.2.1",
"resolve": "^1.7.1"
}
},

Additional context

We have our own gitlab server, both projects share a group. All other settings (e.g. adding ProjectVariables) via the same provider work fine.

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@SimplicityApks SimplicityApks added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels May 16, 2024
@guineveresaenger
Contributor

Hi @SimplicityApks - thank you for filing this issue. We'll take a look as soon as we can.

In the meantime, it will help us help you faster if you could provide us with a fully self-contained, minimal Pulumi program that reproduces the issue you're seeing (sensitive data removed)? From reading your issue, I understand there's a manual setting that needs to be tweaked in the UI; please provide those steps as well.

@guineveresaenger guineveresaenger added needs-repro Needs repro steps before it can be triaged or fixed and removed needs-triage Needs attention from the triage team labels May 16, 2024
@SimplicityApks
Author

Thanks for looking into this. It is really simple to reproduce actually:

Requirements:

  • custom gitlab server. Could be reproducible with gitlab.com, not sure
  • a gitlab project to add the jobtokenscope to. For us that is a private gitlab project in an internal subgroup, but I have tested it also with other private projects ("mynamespace/myproject").
  • a target project that should have access. For us that is a similar private project in a different subgroup. E.g. project id 36

import * as gitlab from "@pulumi/gitlab";

// gitlabCredentials is the GitLab access token; it is defined elsewhere in the program.
const gitlabProvider = new gitlab.Provider("gitlab", {
  token: gitlabCredentials,
  baseUrl: "https://gitlaburl.domain",
});

new gitlab.ProjectJobTokenScope(
  "urnname",
  {
    targetProjectId: 36,
    project: "mynamespace/myproject",
  },
  { provider: gitlabProvider }
);

Run pulumi up. -> it errors out with the above error.

For the setting I was referring to above, it is this one:

Screenshot_20240517_114624

in https://gitlaburl.domain/mynamespace/myproject/-/settings/ci_cd

You can add projects with access regardless of that toggle in the UI, and the toggle I believe is off by default. But gitlab recommends turning that on, haven't found a pulumi way of doing that ;)

(sorry I don't have much time to give you a complete one-click example, but I hope that gives more clarity)

@mikhailshilkov mikhailshilkov added needs-triage Needs attention from the triage team and removed needs-repro Needs repro steps before it can be triaged or fixed labels May 28, 2024
@VenelinMartinov
Contributor

Hey @SimplicityApks thanks for the details here.

I've had a go at this and it looks like the ProjectJobTokenScope is expecting the ID of the project and not its path. Can you try specifying that and see if it resolves your issue? The following program worked fine for me:

import * as pulumi from "@pulumi/pulumi";
import * as gitlab from "@pulumi/gitlab";

// Create the first GitLab project
const project1 = new gitlab.Project("myproject", {
    name: "myproject",
});

// Create the second GitLab project
const project2 = new gitlab.Project("myproject1", {
    name: "myproject1",
});

// Create a ProjectJobTokenScope linking the two projects
const projectJobTokenScope = new gitlab.ProjectJobTokenScope("projectJobTokenScope", {
    project: project1.id,
    targetProjectId: project2.id.apply(id => parseInt(id)),
});

On the other hand, specifying the path with the namespace does not seem to do it and yields the same error you got:

import * as pulumi from "@pulumi/pulumi";
import * as gitlab from "@pulumi/gitlab";

// Create the first GitLab project
const project1 = new gitlab.Project("myproject", {
    name: "myproject",
});

// Create the second GitLab project
const project2 = new gitlab.Project("myproject1", {
    name: "myproject1",
});

// Create a ProjectJobTokenScope linking the two projects
const projectJobTokenScope = new gitlab.ProjectJobTokenScope("projectJobTokenScope", {
    project: project1.pathWithNamespace, // ERROR: 400 {error: id is invalid}
    targetProjectId: project2.id.apply(id => parseInt(id)),
});
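
For projects that already exist, as in the original report, the path can be resolved to its numeric ID before it is passed to `ProjectJobTokenScope`. The following is an added example, not code from this thread or from the Pulumi provider; `FetchLike`, `projectLookupUrl` and `resolveProjectId` are hypothetical helper names, and it assumes a token that is allowed to read the project.

```typescript
// Added example: resolve "group/project" to the numeric project ID through
// GET /api/v4/projects/:id, which accepts a URL-encoded path in place of the ID.

// Minimal shape of the fetch function used here, so a stub can be injected.
type FetchLike = (
  url: string,
  init: { headers: Record<string, string> },
) => Promise<{ ok: boolean; status: number; json(): Promise<any> }>;

// Build the lookup URL; every "/" in the project path must become "%2F".
function projectLookupUrl(baseUrl: string, projectRef: string): string {
  const base = baseUrl.replace(/\/+$/, "");
  return `${base}/api/v4/projects/${encodeURIComponent(projectRef)}`;
}

// Return the numeric ID for a project given either "36" or "group/project".
async function resolveProjectId(
  baseUrl: string,
  token: string,
  projectRef: string,
  fetchImpl: FetchLike = (globalThis as any).fetch,
): Promise<number> {
  // Already a numeric ID: no API call needed.
  if (/^\d+$/.test(projectRef)) return Number(projectRef);

  const res = await fetchImpl(projectLookupUrl(baseUrl, projectRef), {
    headers: { "PRIVATE-TOKEN": token },
  });
  if (!res.ok) {
    throw new Error(`lookup of ${projectRef} failed: HTTP ${res.status}`);
  }
  const body = await res.json();
  if (!Number.isInteger(body.id)) {
    throw new Error(`unexpected response for ${projectRef}: no numeric id`);
  }
  return body.id;
}

// In the program from this issue, the result replaces the path:
//   project: String(await resolveProjectId("https://gitlaburl.domain",
//                                          gitlabCredentials,
//                                          "mynamespace/myproject"))
```
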

@VenelinMartinov
Contributor

Raised https://gitlab.com/gitlab-org/terraform-provider-gitlab/-/issues/6313 upstream for the issue with ProjectJobTokenScope not accepting the path - the docs suggest this should be fine.

@VenelinMartinov VenelinMartinov removed the needs-triage Needs attention from the triage team label May 31, 2024
@VenelinMartinov VenelinMartinov self-assigned this May 31, 2024
@VenelinMartinov VenelinMartinov added the awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). label May 31, 2024
@VenelinMartinov VenelinMartinov removed their assignment May 31, 2024