Docs Home
GitLab v8.11.0 published on Friday, Apr 18, 2025 by Pulumi
gitlab.ProjectJobTokenScopes
Explore with Pulumi AI
The gitlab.ProjectJobTokenScopes resource allows to manage the CI/CD Job Token scopes in a project.
Any project or group not within the defined set of target_project_ids or target_group_ids, respectively, will be removed,
which allows this resource to be used as an explicit deny.
Conflicts with the use of
gitlab.ProjectJobTokenScopewhen used on the same project. Use one or the other to ensure the desired state.
If the
enabledproperty is false, any project or group will be allowed regardless of the given allowlist attributes.
Upstream API: GitLab REST API docs
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as gitlab from "@pulumi/gitlab";
const allowedSingleProject = new gitlab.ProjectJobTokenScopes("allowed_single_project", {
project: "111",
targetProjectIds: [123],
});
const allowedMultipleProject = new gitlab.ProjectJobTokenScopes("allowed_multiple_project", {
project: "111",
targetProjectIds: [
123,
456,
789,
],
});
const allowedMultipleGroups = new gitlab.ProjectJobTokenScopes("allowed_multiple_groups", {
projectId: 111,
targetProjectIds: [],
targetGroupIds: [
321,
654,
],
});
// This will remove all job token scopes, even if added outside of TF.
const explicitDeny = new gitlab.ProjectJobTokenScopes("explicit_deny", {
project: "111",
targetProjectIds: [],
});
// This shows the explicit behavior of the enabled flag with a list of projects and groups.
const allowProjectsAndGroups = new gitlab.ProjectJobTokenScopes("allow_projects_and_groups", {
project: "111",
enabled: true,
targetProjectIds: [
123,
456,
789,
],
targetGroupIds: [
321,
654,
],
});
// This allows all projects and groups (disabling the CI Job Token scope protection)
const allowAll = new gitlab.ProjectJobTokenScopes("allow_all", {
project: "111",
enabled: false,
});
import pulumi
import pulumi_gitlab as gitlab
allowed_single_project = gitlab.ProjectJobTokenScopes("allowed_single_project",
project="111",
target_project_ids=[123])
allowed_multiple_project = gitlab.ProjectJobTokenScopes("allowed_multiple_project",
project="111",
target_project_ids=[
123,
456,
789,
])
allowed_multiple_groups = gitlab.ProjectJobTokenScopes("allowed_multiple_groups",
project_id=111,
target_project_ids=[],
target_group_ids=[
321,
654,
])
# This will remove all job token scopes, even if added outside of TF.
explicit_deny = gitlab.ProjectJobTokenScopes("explicit_deny",
project="111",
target_project_ids=[])
# This shows the explicit behavior of the enabled flag with a list of projects and groups.
allow_projects_and_groups = gitlab.ProjectJobTokenScopes("allow_projects_and_groups",
project="111",
enabled=True,
target_project_ids=[
123,
456,
789,
],
target_group_ids=[
321,
654,
])
# This allows all projects and groups (disabling the CI Job Token scope protection)
allow_all = gitlab.ProjectJobTokenScopes("allow_all",
project="111",
enabled=False)
package main
import (
"github.com/pulumi/pulumi-gitlab/sdk/v8/go/gitlab"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := gitlab.NewProjectJobTokenScopes(ctx, "allowed_single_project", &gitlab.ProjectJobTokenScopesArgs{
Project: pulumi.String("111"),
TargetProjectIds: pulumi.IntArray{
pulumi.Int(123),
},
})
if err != nil {
return err
}
_, err = gitlab.NewProjectJobTokenScopes(ctx, "allowed_multiple_project", &gitlab.ProjectJobTokenScopesArgs{
Project: pulumi.String("111"),
TargetProjectIds: pulumi.IntArray{
pulumi.Int(123),
pulumi.Int(456),
pulumi.Int(789),
},
})
if err != nil {
return err
}
_, err = gitlab.NewProjectJobTokenScopes(ctx, "allowed_multiple_groups", &gitlab.ProjectJobTokenScopesArgs{
ProjectId: pulumi.Int(111),
TargetProjectIds: pulumi.IntArray{},
TargetGroupIds: pulumi.IntArray{
pulumi.Int(321),
pulumi.Int(654),
},
})
if err != nil {
return err
}
// This will remove all job token scopes, even if added outside of TF.
_, err = gitlab.NewProjectJobTokenScopes(ctx, "explicit_deny", &gitlab.ProjectJobTokenScopesArgs{
Project: pulumi.String("111"),
TargetProjectIds: pulumi.IntArray{},
})
if err != nil {
return err
}
// This shows the explicit behavior of the enabled flag with a list of projects and groups.
_, err = gitlab.NewProjectJobTokenScopes(ctx, "allow_projects_and_groups", &gitlab.ProjectJobTokenScopesArgs{
Project: pulumi.String("111"),
Enabled: pulumi.Bool(true),
TargetProjectIds: pulumi.IntArray{
pulumi.Int(123),
pulumi.Int(456),
pulumi.Int(789),
},
TargetGroupIds: pulumi.IntArray{
pulumi.Int(321),
pulumi.Int(654),
},
})
if err != nil {
return err
}
// This allows all projects and groups (disabling the CI Job Token scope protection)
_, err = gitlab.NewProjectJobTokenScopes(ctx, "allow_all", &gitlab.ProjectJobTokenScopesArgs{
Project: pulumi.String("111"),
Enabled: pulumi.Bool(false),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using GitLab = Pulumi.GitLab;
return await Deployment.RunAsync(() =>
{
var allowedSingleProject = new GitLab.ProjectJobTokenScopes("allowed_single_project", new()
{
Project = "111",
TargetProjectIds = new[]
{
123,
},
});
var allowedMultipleProject = new GitLab.ProjectJobTokenScopes("allowed_multiple_project", new()
{
Project = "111",
TargetProjectIds = new[]
{
123,
456,
789,
},
});
var allowedMultipleGroups = new GitLab.ProjectJobTokenScopes("allowed_multiple_groups", new()
{
ProjectId = 111,
TargetProjectIds = new[] {},
TargetGroupIds = new[]
{
321,
654,
},
});
// This will remove all job token scopes, even if added outside of TF.
var explicitDeny = new GitLab.ProjectJobTokenScopes("explicit_deny", new()
{
Project = "111",
TargetProjectIds = new[] {},
});
// This shows the explicit behavior of the enabled flag with a list of projects and groups.
var allowProjectsAndGroups = new GitLab.ProjectJobTokenScopes("allow_projects_and_groups", new()
{
Project = "111",
Enabled = true,
TargetProjectIds = new[]
{
123,
456,
789,
},
TargetGroupIds = new[]
{
321,
654,
},
});
// This allows all projects and groups (disabling the CI Job Token scope protection)
var allowAll = new GitLab.ProjectJobTokenScopes("allow_all", new()
{
Project = "111",
Enabled = false,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gitlab.ProjectJobTokenScopes;
import com.pulumi.gitlab.ProjectJobTokenScopesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var allowedSingleProject = new ProjectJobTokenScopes("allowedSingleProject", ProjectJobTokenScopesArgs.builder()
.project("111")
.targetProjectIds(123)
.build());
var allowedMultipleProject = new ProjectJobTokenScopes("allowedMultipleProject", ProjectJobTokenScopesArgs.builder()
.project("111")
.targetProjectIds(
123,
456,
789)
.build());
var allowedMultipleGroups = new ProjectJobTokenScopes("allowedMultipleGroups", ProjectJobTokenScopesArgs.builder()
.projectId(111)
.targetProjectIds()
.targetGroupIds(
321,
654)
.build());
// This will remove all job token scopes, even if added outside of TF.
var explicitDeny = new ProjectJobTokenScopes("explicitDeny", ProjectJobTokenScopesArgs.builder()
.project("111")
.targetProjectIds()
.build());
// This shows the explicit behavior of the enabled flag with a list of projects and groups.
var allowProjectsAndGroups = new ProjectJobTokenScopes("allowProjectsAndGroups", ProjectJobTokenScopesArgs.builder()
.project("111")
.enabled(true)
.targetProjectIds(
123,
456,
789)
.targetGroupIds(
321,
654)
.build());
// This allows all projects and groups (disabling the CI Job Token scope protection)
var allowAll = new ProjectJobTokenScopes("allowAll", ProjectJobTokenScopesArgs.builder()
.project("111")
.enabled(false)
.build());
}
}
resources:
allowedSingleProject:
type: gitlab:ProjectJobTokenScopes
name: allowed_single_project
properties:
project: '111'
targetProjectIds:
- 123
allowedMultipleProject:
type: gitlab:ProjectJobTokenScopes
name: allowed_multiple_project
properties:
project: '111'
targetProjectIds:
- 123
- 456
- 789
allowedMultipleGroups:
type: gitlab:ProjectJobTokenScopes
name: allowed_multiple_groups
properties:
projectId: 111
targetProjectIds: []
targetGroupIds:
- 321
- 654
# This will remove all job token scopes, even if added outside of TF.
explicitDeny:
type: gitlab:ProjectJobTokenScopes
name: explicit_deny
properties:
project: '111'
targetProjectIds: []
# This shows the explicit behavior of the enabled flag with a list of projects and groups.
allowProjectsAndGroups:
type: gitlab:ProjectJobTokenScopes
name: allow_projects_and_groups
properties:
project: '111'
enabled: true
targetProjectIds:
- 123
- 456
- 789
targetGroupIds:
- 321
- 654
# This allows all projects and groups (disabling the CI Job Token scope protection)
allowAll:
type: gitlab:ProjectJobTokenScopes
name: allow_all
properties:
project: '111'
enabled: false
Create ProjectJobTokenScopes Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ProjectJobTokenScopes(name: string, args?: ProjectJobTokenScopesArgs, opts?: CustomResourceOptions);@overload
def ProjectJobTokenScopes(resource_name: str,
args: Optional[ProjectJobTokenScopesArgs] = None,
opts: Optional[ResourceOptions] = None)
@overload
def ProjectJobTokenScopes(resource_name: str,
opts: Optional[ResourceOptions] = None,
enabled: Optional[bool] = None,
project: Optional[str] = None,
project_id: Optional[int] = None,
target_group_ids: Optional[Sequence[int]] = None,
target_project_ids: Optional[Sequence[int]] = None)func NewProjectJobTokenScopes(ctx *Context, name string, args *ProjectJobTokenScopesArgs, opts ...ResourceOption) (*ProjectJobTokenScopes, error)public ProjectJobTokenScopes(string name, ProjectJobTokenScopesArgs? args = null, CustomResourceOptions? opts = null)
public ProjectJobTokenScopes(String name, ProjectJobTokenScopesArgs args)
public ProjectJobTokenScopes(String name, ProjectJobTokenScopesArgs args, CustomResourceOptions options)
type: gitlab:ProjectJobTokenScopes
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ProjectJobTokenScopesArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ProjectJobTokenScopesArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ProjectJobTokenScopesArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ProjectJobTokenScopesArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ProjectJobTokenScopesArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var projectJobTokenScopesResource = new GitLab.ProjectJobTokenScopes("projectJobTokenScopesResource", new()
{
Enabled = false,
Project = "string",
TargetGroupIds = new[]
{
0,
},
TargetProjectIds = new[]
{
0,
},
});
example, err := gitlab.NewProjectJobTokenScopes(ctx, "projectJobTokenScopesResource", &gitlab.ProjectJobTokenScopesArgs{
Enabled: pulumi.Bool(false),
Project: pulumi.String("string"),
TargetGroupIds: pulumi.IntArray{
pulumi.Int(0),
},
TargetProjectIds: pulumi.IntArray{
pulumi.Int(0),
},
})
var projectJobTokenScopesResource = new ProjectJobTokenScopes("projectJobTokenScopesResource", ProjectJobTokenScopesArgs.builder()
.enabled(false)
.project("string")
.targetGroupIds(0)
.targetProjectIds(0)
.build());
project_job_token_scopes_resource = gitlab.ProjectJobTokenScopes("projectJobTokenScopesResource",
enabled=False,
project="string",
target_group_ids=[0],
target_project_ids=[0])
const projectJobTokenScopesResource = new gitlab.ProjectJobTokenScopes("projectJobTokenScopesResource", {
enabled: false,
project: "string",
targetGroupIds: [0],
targetProjectIds: [0],
});
type: gitlab:ProjectJobTokenScopes
properties:
enabled: false
project: string
targetGroupIds:
- 0
targetProjectIds:
- 0
ProjectJobTokenScopes Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The ProjectJobTokenScopes resource accepts the following input properties:
- Enabled bool
- Enable the given inbound allowlist. If false, will allow any project or group regardless of the values in
target_project_idsortarget_group_ids. Deleting the associatedgitlab.ProjectJobTokenScopesresource will resetEnabledon the group totrue. - Project string
- The ID or full path of the project.
- Project
Id int - The ID of the project.
- Target
Group List<int>Ids - A set of group IDs that are in the CI/CD job token inbound allowlist.
- Target
Project List<int>Ids - A set of project IDs that are in the CI/CD job token inbound allowlist.
- Enabled bool
- Enable the given inbound allowlist. If false, will allow any project or group regardless of the values in
target_project_idsortarget_group_ids. Deleting the associatedgitlab.ProjectJobTokenScopesresource will resetEnabledon the group totrue. - Project string
- The ID or full path of the project.
- Project
Id int - The ID of the project.
- Target
Group []intIds - A set of group IDs that are in the CI/CD job token inbound allowlist.
- Target
Project []intIds - A set of project IDs that are in the CI/CD job token inbound allowlist.
- enabled Boolean
- Enable the given inbound allowlist. If false, will allow any project or group regardless of the values in
target_project_idsortarget_group_ids. Deleting the associatedgitlab.ProjectJobTokenScopesresource will resetEnabledon the group totrue. - project String
- The ID or full path of the project.
- project
Id Integer - The ID of the project.
- target
Group List<Integer>Ids - A set of group IDs that are in the CI/CD job token inbound allowlist.
- target
Project List<Integer>Ids - A set of project IDs that are in the CI/CD job token inbound allowlist.
- enabled boolean
- Enable the given inbound allowlist. If false, will allow any project or group regardless of the values in
target_project_idsortarget_group_ids. Deleting the associatedgitlab.ProjectJobTokenScopesresource will resetEnabledon the group totrue. - project string
- The ID or full path of the project.
- project
Id number - The ID of the project.
- target
Group number[]Ids - A set of group IDs that are in the CI/CD job token inbound allowlist.
- target
Project number[]Ids - A set of project IDs that are in the CI/CD job token inbound allowlist.
- enabled bool
- Enable the given inbound allowlist. If false, will allow any project or group regardless of the values in
target_project_idsortarget_group_ids. Deleting the associatedgitlab.ProjectJobTokenScopesresource will resetEnabledon the group totrue. - project str
- The ID or full path of the project.
- project_
id int - The ID of the project.
- target_
group_ Sequence[int]ids - A set of group IDs that are in the CI/CD job token inbound allowlist.
- target_
project_ Sequence[int]ids - A set of project IDs that are in the CI/CD job token inbound allowlist.
- enabled Boolean
- Enable the given inbound allowlist. If false, will allow any project or group regardless of the values in
target_project_idsortarget_group_ids. Deleting the associatedgitlab.ProjectJobTokenScopesresource will resetEnabledon the group totrue. - project String
- The ID or full path of the project.
- project
Id Number - The ID of the project.
- target
Group List<Number>Ids - A set of group IDs that are in the CI/CD job token inbound allowlist.
- target
Project List<Number>Ids - A set of project IDs that are in the CI/CD job token inbound allowlist.
Outputs
All input properties are implicitly available as output properties. Additionally, the ProjectJobTokenScopes resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing ProjectJobTokenScopes Resource
Get an existing ProjectJobTokenScopes resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ProjectJobTokenScopesState, opts?: CustomResourceOptions): ProjectJobTokenScopes@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
enabled: Optional[bool] = None,
project: Optional[str] = None,
project_id: Optional[int] = None,
target_group_ids: Optional[Sequence[int]] = None,
target_project_ids: Optional[Sequence[int]] = None) -> ProjectJobTokenScopesfunc GetProjectJobTokenScopes(ctx *Context, name string, id IDInput, state *ProjectJobTokenScopesState, opts ...ResourceOption) (*ProjectJobTokenScopes, error)public static ProjectJobTokenScopes Get(string name, Input<string> id, ProjectJobTokenScopesState? state, CustomResourceOptions? opts = null)public static ProjectJobTokenScopes get(String name, Output<String> id, ProjectJobTokenScopesState state, CustomResourceOptions options)resources: _: type: gitlab:ProjectJobTokenScopes get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Enabled bool
- Enable the given inbound allowlist. If false, will allow any project or group regardless of the values in
target_project_idsortarget_group_ids. Deleting the associatedgitlab.ProjectJobTokenScopesresource will resetEnabledon the group totrue. - Project string
- The ID or full path of the project.
- Project
Id int - The ID of the project.
- Target
Group List<int>Ids - A set of group IDs that are in the CI/CD job token inbound allowlist.
- Target
Project List<int>Ids - A set of project IDs that are in the CI/CD job token inbound allowlist.
- Enabled bool
- Enable the given inbound allowlist. If false, will allow any project or group regardless of the values in
target_project_idsortarget_group_ids. Deleting the associatedgitlab.ProjectJobTokenScopesresource will resetEnabledon the group totrue. - Project string
- The ID or full path of the project.
- Project
Id int - The ID of the project.
- Target
Group []intIds - A set of group IDs that are in the CI/CD job token inbound allowlist.
- Target
Project []intIds - A set of project IDs that are in the CI/CD job token inbound allowlist.
- enabled Boolean
- Enable the given inbound allowlist. If false, will allow any project or group regardless of the values in
target_project_idsortarget_group_ids. Deleting the associatedgitlab.ProjectJobTokenScopesresource will resetEnabledon the group totrue. - project String
- The ID or full path of the project.
- project
Id Integer - The ID of the project.
- target
Group List<Integer>Ids - A set of group IDs that are in the CI/CD job token inbound allowlist.
- target
Project List<Integer>Ids - A set of project IDs that are in the CI/CD job token inbound allowlist.
- enabled boolean
- Enable the given inbound allowlist. If false, will allow any project or group regardless of the values in
target_project_idsortarget_group_ids. Deleting the associatedgitlab.ProjectJobTokenScopesresource will resetEnabledon the group totrue. - project string
- The ID or full path of the project.
- project
Id number - The ID of the project.
- target
Group number[]Ids - A set of group IDs that are in the CI/CD job token inbound allowlist.
- target
Project number[]Ids - A set of project IDs that are in the CI/CD job token inbound allowlist.
- enabled bool
- Enable the given inbound allowlist. If false, will allow any project or group regardless of the values in
target_project_idsortarget_group_ids. Deleting the associatedgitlab.ProjectJobTokenScopesresource will resetEnabledon the group totrue. - project str
- The ID or full path of the project.
- project_
id int - The ID of the project.
- target_
group_ Sequence[int]ids - A set of group IDs that are in the CI/CD job token inbound allowlist.
- target_
project_ Sequence[int]ids - A set of project IDs that are in the CI/CD job token inbound allowlist.
- enabled Boolean
- Enable the given inbound allowlist. If false, will allow any project or group regardless of the values in
target_project_idsortarget_group_ids. Deleting the associatedgitlab.ProjectJobTokenScopesresource will resetEnabledon the group totrue. - project String
- The ID or full path of the project.
- project
Id Number - The ID of the project.
- target
Group List<Number>Ids - A set of group IDs that are in the CI/CD job token inbound allowlist.
- target
Project List<Number>Ids - A set of project IDs that are in the CI/CD job token inbound allowlist.
Import
Starting in Terraform v1.5.0 you can use an import block to import gitlab_project_job_token_scopes. For example:
terraform
import {
to = gitlab_project_job_token_scopes.example
id = “see CLI command below for ID”
}
Import using the CLI is supported using the following syntax:
GitLab project job token scopes can be imported using an id made up of just the project_id
$ pulumi import gitlab:index/projectJobTokenScopes:ProjectJobTokenScopes bar 123
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- GitLab pulumi/pulumi-gitlab
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
gitlabTerraform Provider.