From 0622eb70856e7092f76b0b2fe15e65e95097f0d3 Mon Sep 17 00:00:00 2001
From: Anton <171003811+Anton0C@users.noreply.github.com>
Date: Fri, 18 Jul 2025 11:13:09 +0200
Subject: [PATCH] Allow to use tokens to authenticate requests from external
 managed projects

---
 main.tf | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 79edd61..283881e 100644
--- a/main.tf
+++ b/main.tf
@@ -870,6 +870,21 @@ resource "gitlab_project_issue" "this" {
   weight                                  = lookup(each.value.issue, "weight", null)
 }
 
+locals {
+  # Extract projects for job_token_scopes
+  all_gitlab_projects = flatten([
+    for project in var.gitlab_projects : [
+      for scope in lookup(project.settings, "job_token_scopes", []) : scope.target_project_id
+    ] if lookup(project.settings, "job_token_scopes", []) != []
+  ])
+}
+
+# Some projects are managed outside of this module, collect them here
+data "gitlab_project" "external_managed" {
+  for_each = toset(local.all_gitlab_projects)
+  path_with_namespace = each.value
+}
+
 resource "gitlab_project_job_token_scope" "this" {
   for_each = merge([
     for project in var.gitlab_projects : {
@@ -884,7 +899,11 @@ resource "gitlab_project_job_token_scope" "this" {
 
   # Use the correct project ID
   project           = gitlab_project.this["${each.value.project_namespace}/${each.value.project_name}"].id
-  target_project_id = gitlab_project.this[each.value.job_token_scope.target_project_id].id
+  target_project_id = (
+    contains(keys(gitlab_project.this), each.value.job_token_scope.target_project_id) ?
+    gitlab_project.this[each.value.job_token_scope.target_project_id].id :
+    data.gitlab_project.external_managed[each.value.job_token_scope.target_project_id].id
+  )
 }
 
 resource "gitlab_project_label" "this" {