gitlab_project_access_token revoked tokens are taken into account in the comparison while using recreate: state_change #10065

Open
@benjaminver

Summary

When a project (or group) access token is checked to determine if it needs to be recreated, revoked tokens are taken into account, which leads to strange behavior.

Issue Type

Bug Report

Component Name

gitlab_project_access_token
gitlab_group_access_token

Ansible Version

$ ansible --version

Community.general Version

Collection Version


community.general 10.6.0

Configuration

$ ansible-config dump --only-changed

OS / Environment

OS: Fedora 41

Steps to Reproduce

- name: Create gitlab project access token
  hosts: localhost
  connection: local
  tasks:
    - name: "Change (recreate) existing token if its actual state is different than desired state"
      community.general.gitlab_project_access_token:
        api_url: "https://{{ gitlab_host }}"
        api_token: "{{ gitlab_admin_token }}"
        project: "app-{{ project_name }}"
        name: "cicd_push_token"
        expires_at: "2025-12-30" 
        access_level: "developer"
        scopes:
          - api
        recreate: state_change 
        state: present
      register: app_access_token

    - name: "Change (recreate) existing token if its actual state is different than desired state"
      community.general.gitlab_project_access_token:
        api_url: "https://{{ gitlab_host }}"
        api_token: "{{ gitlab_admin_token }}"
        project: "app-{{ project_name }}"
        name: "cicd_push_token"
        expires_at: "2025-12-31" #increment the expiration date
        access_level: "developer"
        scopes:
          - api
        recreate: state_change 
        state: present
      register: app_access_token

    - name: "Change (recreate) existing token if its actual state is different than desired state"
      community.general.gitlab_project_access_token:
        api_url: "https://{{ gitlab_host }}"
        api_token: "{{ gitlab_admin_token }}"
        project: "app-{{ project_name }}"
        name: "cicd_push_token"
        expires_at: "2025-12-31" #same date as before, it should not detect any change
        access_level: "developer"
        scopes:
          - api
        recreate: state_change 
        state: present
      register: app_access_token

This will create a first access token.

Then the first access token will be revoked.

Then a new access token will be created in addition to the existing one, which has not changed, because the comparison is also done on revoked tokens.

Expected Results

I'm expecting only 1 access token instead of several if I'm running the playbook several times.

Actual Results

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
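
A small model of the lookup this report describes, added here as an illustration; it is not code from community.general or from the reporter. The names `find_token`, `ensure_present`, `run_playbook` and the `skip_revoked` switch are hypothetical, and it assumes the comparison uses the first token whose name matches.

```python
# Model of the behaviour in the report; not the module's implementation.
# Token dicts use field names from GitLab's access token API (name, expires_at,
# scopes, access_level, revoked); the in-memory list stands in for the project.

def find_token(tokens, name, skip_revoked):
    """Return the first token with this name, optionally ignoring revoked ones."""
    for tok in tokens:
        if tok["name"] == name and not (skip_revoked and tok["revoked"]):
            return tok
    return None

def differs(tok, want):
    """True when the compared token's state does not match the desired state."""
    return any(tok[k] != want[k] for k in ("expires_at", "access_level", "scopes"))

def ensure_present(tokens, want, skip_revoked):
    """One 'state: present, recreate: state_change' run; returns the action taken."""
    current = find_token(tokens, want["name"], skip_revoked)
    if current is not None and not differs(current, want):
        return "unchanged"
    if current is not None:
        current["revoked"] = True  # revoke the token that was compared
    tokens.append(dict(want, id=len(tokens) + 1, revoked=False))
    return "created" if current is None else "recreated"

def run_playbook(skip_revoked):
    """Replay the three tasks from the report (constructed input)."""
    tokens, actions = [], []
    for expires_at in ("2025-12-30", "2025-12-31", "2025-12-31"):
        want = {"name": "cicd_push_token", "expires_at": expires_at,
                "access_level": "developer", "scopes": ["api"]}
        actions.append(ensure_present(tokens, want, skip_revoked))
    live = [t["id"] for t in tokens if not t["revoked"]]
    return actions, live

if __name__ == "__main__":
    for skip in (False, True):
        actions, live = run_playbook(skip)
        print(f"skip_revoked={skip}: actions={actions} live token ids={live}")
```

In this model, comparing against the revoked token leaves one more live `api`-scoped token on the project after every further run, while ignoring revoked tokens keeps the third run idempotent.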
